How to redirect all traffic through the Tor network

This article is about the capabilities and limitations of the Tor network, as well as about several programs that will increase your anonymity by hiding the real IP. This article is recommended for reading even if you use a Linux distribution that can enable anonymous mode with a couple clicks.

How to use Tor as a transparent proxy

The Tor network is primarily intended to ensure anonymity of users when accessing the Internet by hiding their real IP address. The data transmitted over the network is encrypted, but on the exit node that makes a direct request to the site and receives a response from it, the traffic is in its original state (that is, the traffic that is encrypted by third-party means, for example, HTTPS, it is encrypted, and the traffic transmitted in plain text, available for the exit node in plain text).

The Tor network is primarily designed to access websites, for this reason, and also to avoid collecting user fingerprints (for example, the version of the operating system by the features of network packets), the Tor network supports a very limited set of transmitted traffic. For example, through the Tor network, you can make a request to a website (TCP protocol), but it is impossible to transmit UDP packets or raw packets (everything is forbidden except for a full connection to websites).

The Tor network is suitable for:

  • hiding IP from a website you are connecting to
  • site blocking bypass
  • DNS queries through Tor (DNS is needed to obtain the IP addresses of websites – your browser and system constantly send these queries). In this case, UDP packets are not used, and the data is transmitted in encrypted form
  • for scanning open ports by creating a full connection (slower and more noticeable compared to the half-open connection method)

For this reason, when we say “redirect all traffic through Tor” we really mean “redirect all traffic supported by this network through Tor”.

A significant part of the traffic simply cannot be sent through the Tor network, for example, ping, some traceroute methods, scanning with half-open connections, DNS queries via UDP protocol, etc. Based on this, another question arises – what to do with traffic that cannot be transmitted through Tor network: send to the target host bypassing the Tor network or block?

Proxies or iptables for traffic redirection

When configuring the system to use Tor, you can choose different implementation options: proxies or iptables.

When setting up a proxy, you need to remember that Tor works as a SOCKS proxy – not all programs support this protocol. But the most unpleasant thing may be that if system-wide proxy settings are set, then some programs can ignore these settings and connect to remote hosts directly, bypassing proxies and Tor.

In this sense, the iptables program is a more reliable and universal option, which, if configured correctly, will ensure that a particular type of traffic cannot exit the system except through the Tor network, or it will be blocked.

Programs to redirect all traffic through Tor

So, as we already learned, we need to solve a number of problems for working correctly with Tor:

  • redirect traffic correctly
  • block network packets that cannot be forwarded through Tor
  • configure the lookup of DNS queries through Tor
  • take care of IPv6 traffic or block it
  • quickly restore the system to its original state, since the Tor network is slow and not always needed

For this reason, there are many programs from different authors that implement the described functionality.

Services for finding IP address leaks

The main criteria for choosing a tool to ensure the anonymity of your operating system is the functionality and quality of ensuring anonymity (reliability of redirecting and blocking traffic). You can rate the level of anonymity using the following services:

To check the IPv6 address on the command line and whether IPv6 protocol is blocked:

curl -6 suip.biz/ip/

To check your IP address on the command line:

curl suip.biz/ip/

To check the DNS server used:

dig suip.biz | grep SERVER

orjail

Although all the programs discussed below are slightly different, let's start with the most unusual of them. It is called orjail. The program at the time of launch creates its own network environment for the program to be launched, and in this environment the program can access the Internet only through the Tor network.

Install orjail on Kali Linux

sudo apt install tor bc firejail
git clone https://github.com/orjail/orjail
cd orjail
sed -i 's/USERHOME=$(getent passwd les | cut -d: -f 6)/USERHOME=$(getent passwd $USER | cut -d: -f 6)/' ./usr/sbin/orjail
sed -i 's/chown "$USERNAME" "$TORCONFIGFILE"/#chown "$USERNAME" "$TORCONFIGFILE"/' ./usr/sbin/orjail
sudo make install

Install orjail on BlackArch

sudo pacman -S orjail
sudo sed -i 's/chown "$USERNAME" "$TORCONFIGFILE"/#chown "$USERNAME" "$TORCONFIGFILE"/' /usr/bin/orjail

If you want the PROGRAM to go online through Tor, then run a command of the form:

sudo orjail PROGRAM OPTIONS

For example, the following command shows the external IP of your computer:

curl suip.biz/ip/

Now run the same command with orjail:

sudo orjail curl suip.biz/ip/

Note that the Tor service does not have to be running. The orjail program itself creates virtual network interfaces, starts a new instance of the Tor service itself, and when the main program exits, it stops Tor and removes the temporary network interfaces.

To see this clearly, view information about your network interfaces:

ip a

Now look at what programs launched with orjail see:

sudo orjail ip a

They are in a completely different environment!

You can run programs with a graphical user interface:

sudo orjail firefox -P /tmp/tmpprofile

But be careful with web browsers: orjail is rather a super fast solution when you need to bypass web sites blocking or change your IP. In more serious situations, use Tor Browser – this is safer.

If you run orjail with the -v option, you can see all the processes in progress:

sudo orjail -v curl suip.biz/ip/

Please note that orjail is not able to work with the IPv6 protocol! The fact is that only IP addresses are assigned to the temporary network interfaces that are created. I think adding support for IPv6 is not difficult, but at the moment IPv6 traffic just does not go anywhere.

As we already know, it is impossible to transmit UDP protocol packets through Tor, however, orjail can perform DNS queries:

sudo orjail dig suip.biz

Server from which the DNS response is received is something like:

10.200.194.2#53

That is, DNS queries are processed on the Tor network.

orjail Troubleshooting

Error ‘User root: invalid name or no home directory.’

You may encounter an error:

User root: invalid name or no home directory.

where instead of “root” will be your username.

So the error looks when displaying debugging information:

User root: invalid name or no home directory.
[Error] in command: exit 1
 * Remove Tor temporary configuration
 * Killing Tor process 
 * Killed 
 * Remove Tor DataDirectory: /tmp/orjail-orjail
 * Remove in-orjail network interface
Cannot find device "in-orjail"
 * Delete network namespace orjail
Cannot remove namespace file "/run/netns/orjail": No such file or directory
 * Cleaning up iptables rules...

To fix, open the orjail file (if you have already installed it, this file is located on the path /usr/sbin/orjail), find the line there

USERHOME=$(getent passwd les | cut -d: -f 6)

And replace with:

USERHOME=$(getent passwd $USER | cut -d: -f 6)

Error ‘./usr/sbin/orjail: line 563: /tmp/torpVKzn4: Access denied’

Error example:

sudo ./usr/sbin/orjail curl suip.biz/ip/
./usr/sbin/orjail: строка 563: /tmp/torpVKzn4: Access denied
[Error] in command: cat >> "$TORCONFIGFILE" <<EOF
  DataDirectory /tmp/orjail-${NAME}
  AutomapHostsSuffixes .onion,.exit
  AutomapHostsOnResolve 1
  PidFile      /tmp/orjail-${NAME}/pid
  User         ${USERNAME}
  VirtualAddrNetworkIPv4 ${IPNETNS}/16
  TransPort ${IPHOST}:${TRANSPORT}
  DNSPort ${IPHOST}:${DNSPORT}
  SOCKSPort 0
  RunAsDaemon 1
EOF

[Error] Enable verbose mode to debug (using -v)

Instead of /tmp/torpVKzn4 there can be any arbitrary name.

To fix, open the orjail file again (if you have already installed it, this file is located on the path /usr/sbin/orjail), find the line there

chown "$USERNAME" "$TORCONFIGFILE"

and replace with

#chown "$USERNAME" "$TORCONFIGFILE"

torctl

Further programs are very similar, they all use Tor + iptables, but everything is slightly different.

Let's start with the most versatile torctl program.

This program is written for BlackArch, but it is quite easy to port to other distributions.

Install torctl on Kali Linux

sudo apt install tor macchanger secure-delete
git clone https://github.com/BlackArch/torctl
cd torctl
sudo mv service/* /etc/systemd/system/
sudo mv bash-completion/torctl /usr/share/bash-completion/completions/torctl
sed -i 's/start_service iptables//' torctl
sed -i 's/TOR_UID="tor"/TOR_UID="debian-tor"/' torctl
sudo mv torctl /usr/bin/torctl
cd .. && rm -rf torctl/
torctl --help

Install torctl in BlackArch

sudo pacman -S torctl

To find out your current IP, do:

torctl ip

To start Tor as a transparent proxy:

sudo torctl start

To check the status of services:

torctl status

If you want to change the IP on the Tor network:

sudo torctl chngid

To work with the Internet directly, without Tor, run:

sudo torctl stop

To change the MAC address on all network interfaces, run the command:

sudo torctl chngmac

To recover the original MAC addresses:

sudo torctl rvmac

The following command will add the torctl service to startup, that is, immediately after turning on the computer, all traffic will be sent through Tor:

sudo systemctl enable torctl-autostart.service

To remove a service from startup, do:

sudo systemctl disable torctl-autostart.service

You can also enable automatic memory cleaning every time you turn off the computer:

sudo systemctl enable torctl-autowipe.service

To disable this function:

sudo systemctl disable torctl-autowipe.service

This script knows about the existence of IPv6 traffic and successfully blocks it. DNS queries are redirected through Tor.

Anonsurf

If you are familiar with Parrot Linux, then AnonSurf should also be familiar to you - it enables anonymity mode in the system. AnonSurf optionally closes programs that can compromise anonymity, redirects traffic and DNS queries through Tor, and blocks IPv6.

AnonSurf is too integrated in Parrot Linux and on other systems I would recommend choosing some other option, fortunately, there is a choice. I also don’t like the fact that the program tries to start/stop some services without checking their availability and displays errors if they are missing – because of the excess of unnecessary information, you can skip something really important. However, the following shows how to install AnonSurf on Kali Linux. Most of the functionality has been saved, but the “dns - Replacing Your DNS with OpenNIC DNS Servers” command will not work!

Install AnonSurf on Kali Linux

sudo apt install tor
git clone https://github.com/ParrotSec/anonsurf
cd anonsurf
sudo make install
sudo mkdir -p /etc/resolvconf/run/
sudo cp /etc/resolv.conf /etc/resolvconf/run/resolv.conf
sudo mv /etc/tor/torrc /etc/tor/torrc.back
sed 's/9061/53/' /etc/tor/torrc.back > /etc/tor/torrc
sed 's/9051/9040/' /etc/tor/torrc.back > /etc/tor/torrc
sed -i 's/ln -s \/etc\/resolvconf\/run\/resolv.conf \/etc\/resolv.conf || true//' /usr/bin/anonsurf
sed -i 's/rm \/etc\/resolv.conf || true/mv \/etc\/resolv.conf.bak \/etc\/resolv.conf || true/' /usr/bin/anonsurf
sed -i 's/\/usr\/sbin\/service tor stop/systemctl stop tor/' /usr/bin/anonsurf
anonsurf --help

Display your external IP address:

sudo anonsurf myip

Redirecting all traffic through the Tor network:

sudo anonsurf start

Stopping traffic redirect through Tor:

sudo anonsurf stop

Nipe

Nipe is a script that makes the Tor network your default gateway.

This Perl script allows you to directly send all your traffic from your computer to the Tor network, through which you can anonymously access the Internet, without worrying that your IP will be monitored IP or your identity will be revealed.

Nipe currently only supports IPv4, but work is underway to add support for IPv6.

TOR Router

TOR Router allows you to use the Tor network as a transparent proxy and send all your traffic, including DNS queries, through Tor. The Tor network will become the default gateway for all Internet connections, which will increase privacy/anonymity with minimal effort. The script will work on any system using systemd (if you want to use this tool as a service) and tor.

TOR Router does not change system files, as other tools for routing your traffic, due to minimal impact on the system, in the case of a mistake in the TOR Router service or after uninstalling this tool, your Internet connection will not be affected.

Currently, Tor-router only supports IPv4 traffic, but the author plans to add support for IPv6.

TorIptables2

TorIptables2 script is an anonymizer that configures iptables and tor to redirect all services and traffic, including DNS, through the Tor network.

I already talked about this script in more detail in the article “Free easy way to hide IP in Linux”.

I would not recommend using the last three scripts until IPv6 is added to them, otherwise you can accidentally mess up a lot…

autovpn

This program is added as a bonus – autovpn also allows you to quickly change the IP address, but instead of Tor uses a random public OpenVPN from the specified country. More details in the article “Free easy way to hide IP in Linux”.

Let's look at a few more uses for the Tor network.

Tor browser

Tor Browser is a fully configured and portable browser for browsing websites through the Tor network. The advantages of this option are additional measures for anonymity.

Cons follow from the pros: the more measures for anonymity, the more inconvenient to use.

Tutorials for setting up and using Tor

An article on fine-tuning Tor is also being prepared. Thanks to fine-tuning, you can, for example, exclude nodes from certain countries from the traffic path, or vice versa to make the exit node always located in a specific country or countries – thanks to this, you can make sure that you always have the IP of the desired country.

Recommended for you:

2 Comments to How to redirect all traffic through the Tor network

  1. otamakare says:

    Such a good article. I have been mindlessly surfing the internet grinding my teeth as to why there is no tor based vpn for desktop. You have very clearly and comprehensively written all the information in one place. Great work (:

    • mpprogram6771 says:

      I completely agree, this is by far the only article i could find on the topic that is both detailed and easy to understand. Great work!

Leave a Reply to mpprogram6771 Cancel reply

Your email address will not be published. Required fields are marked *