TOR howto: Using TOR through a ssh-tunnel

Note: This posting is heavily outdated. Please use the Tor Browser Bundle!
I’m a fan of TOR, the anonymizing network. It lets me access the Internet anonymously and I don’t need to fear that anyone might use the data from their big Lawful Interception Points against me. It also prevents evil companies from correlating my web-surfing behaviour and connecting it to my IP address.

I ain’t no criminal, I just don’t like it when people assume by default that I’m maybe a criminal, or might become one in the future, or use data which show my personal surfing habits. I support the TOR network actively through a small monthly donation and through running my own TOR server. I’m also willing to tell anyone how to use TOR effectively.

A posting on the or-talk mailing list from today asked a simple question:

“There are 2 hosts.
Host 1 is at home (Debian-testing).
Host 2 is at my workplace (WindowsXP Pro)

I use Tor with Privoxy at home (host 1). Firefox with Torbutton plugin
works fine. So it seems everything ok.

At my workplace I use (WindowsXP, host 2) SSH port forwarding (with
Putty) for webbrowsing. At Firefox in preferences, in connection tab I
had to set Socks host: localhost, port: 1080, using Socksv5.

I would like to use the Tor network from the host2 over SSH
portforwarding using my Debian host(2) at home.
Is it possible? If so, how can I do it?”

Yes, it’s possible without much hassle. First, you need a little bit of software on your client:

  1. putty or openssh
  2. for your convenience, the Firefox Switchproxy Plugin – it’s not actively supported anymore but IMHO nicer than Torbutton.

Next, check that TOR uses the default port and listen address. Open /etc/tor/torrc (or wherever your torrc is) and look for:
SocksPort 9050
SocksBindAddress 127.0.0.1

Now it all depends on whether you’re using openssh or putty. With openssh it’s very simple. Open a terminal and log in to the remote host:
host2$ ssh -L 9050:127.0.0.1:9050 user@host1

Once you are logged in, the tunnel is active. That means that if you connect to localhost:9050 – a local connection on host2 – you get redirected to host1:9050 (more precisely: 127.0.0.1:9050 on host1) through the encrypted ssh-tunnel.

With putty it’s the same, but more clicky-click. Open putty, load your configuration and go straight to “Connection -> SSH -> Tunnels”; enter 9050 for “Source port” and “127.0.0.1:9050” for “Destination” – leave everything else as it is. After pressing the “Add” button you should see:
Putty Screenshot 2
Now would be a good time to save your session, otherwise you’d have to enter the same information over and over again the next time you want to use the tunnel. Open the connection, voilà! There’s your tunnel.

Now for Firefox. I assume you already installed the Switchproxy plugin; now add a new proxy, leaving everything empty but SOCKS – fill in 127.0.0.1 and port 9050:

Switchproxy Screenshot

Now something really important: Firefox uses, by default, the local DNS, even if you use SOCKS. That means the names of the hosts you visit leak outside the tunnel. Imagine you’d like to check out http://some.big.boo.bs/ – Firefox will ask your DNS (your employer’s DNS in the worst case!) for the IP address of the host some.big.boo.bs. But that’s not necessary: you can just tell Firefox to request everything through SOCKS.

In order to do that just open a new tab in Firefox and enter “about:config” as the URL. You’ll see lots of different settings which affect the behaviour of Firefox. In the “Filter” field enter “network.proxy.socks_remote_dns” – if “value” isn’t set to “true”, set it to “true” by double-clicking the line. Beware: if you don’t know what you’re doing, don’t change any other value! You might totally screw up Firefox’s behaviour.
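
What the setting changes on the wire, as an added example that is not part of the original post: with network.proxy.socks_remote_dns off the client resolves the name itself and sends the proxy an IPv4 address (SOCKS5 address type 1), with it on the hostname travels inside the CONNECT request (address type 3, RFC 1928). The LoggingResolver class, the function names and the address 192.0.2.10 are constructed for illustration.

```python
import ipaddress
import struct

class LoggingResolver:
    """Constructed stand-in for the local (e.g. workplace) DNS resolver."""
    def __init__(self, table):
        self.table = table
        self.seen = []                    # names the local DNS operator gets to observe

    def resolve(self, name):
        self.seen.append(name)
        return self.table[name]

def build_connect(host, port, remote_dns, resolver):
    """Return the SOCKS5 CONNECT request the client would send to the proxy."""
    head = b"\x05\x01\x00"                # VER=5, CMD=CONNECT, RSV=0
    if remote_dns:
        name = host.encode("ascii")
        addr = b"\x03" + bytes([len(name)]) + name          # ATYP=3: domain name
    else:
        ip = resolver.resolve(host)       # the local lookup, outside the tunnel
        addr = b"\x01" + ipaddress.IPv4Address(ip).packed   # ATYP=1: IPv4
    return head + addr + struct.pack("!H", port)

def parse_connect(request):
    """Decode the request as the proxy sees it: (address kind, address, port)."""
    if request[:3] != b"\x05\x01\x00":
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = request[3]
    if atyp == 1:
        kind, addr, rest = "ipv4", str(ipaddress.IPv4Address(request[4:8])), request[8:]
    elif atyp == 3:
        n = request[4]
        kind, addr, rest = "domain", request[5:5 + n].decode("ascii"), request[5 + n:]
    else:
        raise ValueError("address type not handled in this example")
    if len(rest) != 2:
        raise ValueError("truncated or oversized request")
    return kind, addr, struct.unpack("!H", rest)[0]

def demo(remote_dns):
    """Return (what the proxy receives, what the local resolver was asked)."""
    resolver = LoggingResolver({"some.big.boo.bs": "192.0.2.10"})  # constructed address
    request = build_connect("some.big.boo.bs", 80, remote_dns, resolver)
    return parse_connect(request), resolver.seen
```
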

To check if the proxy is really active, open a connection to the website http://www.showmyip.com/ – it does the same as the usual TOR test page at serifos, but seems to be more reliable:

Firefox Screenshot

That’s it, fairly easy – you can even configure Putty so that it uses a local http-Proxy to establish the ssh-connection through it, resulting in the chain “http over SOCKS over SSH over http over TOR”. In addition to this I also installed a normal SOCKS5-server on my server; I used danted (shipped with Debian Sarge). This is the configuration I’m using:

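# log to syslog; listen only on loopback, port 9051
logoutput: syslog
internal: 127.0.0.1 port = 9051
# address used for outgoing connections
external: 84.19.183.23
# no SOCKS authentication; access is limited by the loopback-only rules below
method: none
clientmethod: none
user.privileged: proxy
user.notprivileged: nobody
user.libwrap: nobody
compatibility: sameport
# only local clients (connections arriving through the ssh-tunnel) may talk to danted
client pass {
    from: 127.0.0.1/32 port 1-65535 to: 127.0.0.1/32
    method: none
}
# refuse SOCKS BIND requests from everyone and log the attempts
block {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    command: bind
    log: connect error
}
# local clients may connect out to any destination
pass {
    from: 127.0.0.1/32 to: 0.0.0.0/0
    protocol: tcp udp
}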

So what I’m doing is not only using the TOR-SOCKS running on 9050 but also the danted-SOCKS running on 9051; I applied both settings to my Putty configuration and now I can choose if I want to surf anonymously or not anonymously (for everything which needs passwords and stuff) – and all goes via a normal web-proxy.

Reclaim your privacy and anonymity! Purge all personal data before and after using TOR through “CTRL+SHIFT+Del”!

And stay human.


This work is licensed under a Creative Commons Attribution 2.5 License.

27 Responses to TOR howto: Using TOR through a ssh-tunnel

  1. D00d awesome post!

    3 things

    1. Does this run any faster than TOR and Privoxy alone?

    2. For some reason FoxyProxy has just crapped out on me. I reinstalled it. I reinstalled FireFox, then reinstalled the extension. No luck. The extension is there but it doesn’t do anything. So I’m forced to use Torbutton or torpark (I want the defined patterns waaaaaaaaaaaaah).

    3. I wrote a post on surviving IT lockdown. And a blogger named sledgehbk has some questions about IT departments detecting TOR on a work PC. I think I answered right but you seem a little better suited to answer his questions. I’m not in IT. I’m a grey hat who likes to help out noobs. I thought you might actually work in IT so maybe you could take a look? (BTW – His questions are in the comments)

  2. […] TOR howto: Using TOR through a ssh-tunnel [via] IT, life and me […]

  3. therealdonquixote:
    1) Running everything through the ssh-tunnel adds a certain level of protocol-overhead, so basically it’s a bit slower. However, SOCKS is a bit faster than Privoxy. Privoxy on the other hand removes scary, dodgy and unnecessary HTML-crap to improve your level of privacy. It’s a tradeoff.
    2) I don’t know FoxyProxy; haven’t tried it yet, I might give it a try later. But the website says: “*** UPGRADING TO 2.0 *** IF YOU HAVE PROBLEMS AFTER UPGRADING TO 2.0, DELETE FOXYPROXY.XML AND RESTART FIREFOX.” Maybe deleting that XML-file might help you? It’s worth a try.
    3) I’ll have a look.
    Thanks for your feedback!

  4. trung says:

    I am using Tor at the moment, but I find it to be extremely slow. I think adding SSH layer on top of it will make it even slower.

  5. Trung: It depends on the circuit you get. Your connection is always over three different Tor-Nodes and the total bandwidth is that of the slowest nodes. Waiting for some time until your current circuit expires usually helps.
    However, there are tools like Vidalia where you can force a new circuit.
    Alex.

  6. Skeletor says:

    Great job. Here I have a similar request. I am behind an ISA firewall so I need to use NTLMAPS to get through. My ISP have started to block TOR Servers to prevent anyone to connect through them. Yet I know I can access those servers through any free proxy already existing on the Internet, provided it can use SSL connections. It would be nice if I could point my TOR client to any of these proxies before it would connect to the TOR servers which are blocked. I know TOR allows for an HTTP proxy, but that one I have used to point to the NTLMAPS proxy.
    Do I stand any chance to beat my ISP? I only need TOR to access the circuit initially through an existing HTTP server. Should my ISP detect the HTTP server and block it, what the hell there are zillions more to connect to. :)

  7. […] fire fox tunnel Well, not sure, but I posted some howtos about how setup a tunnel through proxies to use a remote Tor-client […]

  8. […] when the intarweb-connection (da tubez) is crippled, I just fire up some ssh-connection and use SOCKS over that ssh-connection tunneled through that ssh-connection. In that case I can tell all my local applications to use a […]

  9. sham says:

    I’m new to Tor but like many of you I am not comfortable with the idea of someone else using my details or anyone else’s details for their own personal gain. I am IT literate and have been in the trade for about 15 years though I must say I am very new to Tor, I have a question that I hope someone can help me out on…..

    Is there a way to set up Microsoft ISA Server 2006 to use a Tor server (running locally) as its proxy? What I am asking is, is there a way to run the ISA server via a Tor proxy server and if so how can it be done please.
    Looking forward to hearing back from anyone that can point me in the right direction.

  10. William says:

    FoxyProxy is a newer firefox plugin. It’s great, but the default Tor settings don’t work. Use the directions above and FoxyProxy to switch between proxy settings.

  11. William says:

    Awesome guide! I found FoxyProxy which is an updated proxy switch extension. For my laptop I have 3 proxies, work->workproxy->web, work->home->tor->web, anywhereelse->tor->web. I can use all 3 proxy settings at the same time depending on what website I’m browsing, my company intranet, the web, or home intranet.

  12. Dr Small says:

    Excellent article.
    I am going to have to try this out for openssh :)

    Dr Small

  13. foxyproxy says:

    therealdonquixote:
    “2. For some reason FoxyProxy has just crapped out on me…”

    I was having the same problem, solved it by making a new Firefox profile
    (close ff, start->run: firefox -P) and then it all worked just fine

  14. Yu says:

    Hello!

    Would you find some time for me? It would be great!

    Now: I work on Ubuntu 7.10 and I have a well functioning bundle consisting of torbutton,
    FoxyProxy and Tor.

    I find myself comfortable make things working out via terminal…

    Nevertheless, I believe that I miss a lot of basics, say ‘know-how’ regarding ‘what to do’
    and ‘where to do it’.

    My aims:
    * install a Tor server and becoming a contributor
    * do the above steps (I have openssh-client installed and… is it required a second
    computer?) but really I need a further explanation of the step-by-step procedure
    you indicated.

    Hope to hear from you soon.

    Regards.

  15. Natty says:

    Hi need some help. here are the basics

    1: windows XP pro
    2: running cygwin Openssh
    3: running Tor with Tor Button
    4: firefox 3
    5: Putty

    Am trying to connect to my Openssh via putty on the same pc; if I do succeed, redirect my firefox settings to use socks settings to access the web, thus encrypting my web traffic.

    Problem: I can not get putty to work, I get the error Server unexpectedly closed network connection. { I have tried different ports, still same results }

    Am wondering if Tor is conflicting with cygwin Openssh causing putty to fault?

    Do you have any suggestions ?

    I also tried on a next pc installed freesshd and created a domain with dns updater and pointed my putty to the user@com and am getting connection denied. any takes ?

    Am simply trying to secure my web browsing via ssl. I have no linux boxes

  16. @Yu:

    Yes, you need a second computer. What is described in my procedure is the following: Imagine you’re at work and you want to access the Tor-network which is running on your computer at home.

    What you would do is setting up an SSH-server at home on the machine where Tor is running. You at work would “dig a tunnel” to that machine and service using the above mentioned procedure using putty on Windows.

    To answer your other question, if you want to install Tor, there’s quite a good tutorial on the Tor website at: http://www.torproject.org/docs/tor-doc-unix.html.en
    If you still have problems, drop me a line.

    Good luck!
    Alex.

  17. @Natty:

    OK, I understood your problem like this:
    You have Tor running locally on the same machine.
    You have a local OpenSSH-server in cygwin.
    You have a local Putty which you wanna connect to this OpenSSH-server.
    You want your Firefox3/Torbutton to use Putty to get access to the tunnel, resulting in a connection to the Tor-network.

    Is that right? I don’t really understand why you’re doing this, because this Howto is intended for people who have their Tor-server running elsewhere on the Internet and who are behind a proxy.

    If yes, you need to follow a special procedure.
    What happens in your case is that
    1) Tor runs on port 9050
    2) OpenSSH-server runs on port 22
    3) Putty connects to 22
    4) Putty wants a portforwarding from the remote port 9050 (which is local) and open a NEW port named 9050 on the same machine

    You cannot have the same port assigned to Tor (which is running anyway) and then to putty, to create a new port!

    You need to do the following:
    5) Choose an interim port, like 9060, and let it connect to 9050
    6) Start putty with that config
    7) Let Firefox point to 9060

    => Firefox sends to 9060 (putty), putty redirects to ssh (22), ssh redirects to Tor (9050).

    HOWTO DO:
    8) Go to the config-panel and to Connection -> SSH -> Tunnels
    9) Set “Source Port” to 9060 (that’s where Firefox should connect to)
    10) Set “Destination” to “127.0.0.1:9050” – 127.0.0.1 is your local machine, 9050 the port where Tor is locally listening on. If that’s different, adapt it.
    11) Check the “Local” radio-button
    12) Press “Add”
    13) Don’t forget to save…

    That’s pretty much it.

    Anyways, from all the comments I really need to adapt this Howto. I might be doing it this weekend. In the meanwhile, if you need further assistance, contact me via email (go to the “About” page on this blog).

    Good luck!
    Alex.
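
The port clash described in the reply above, as an added example that is not part of the original comments: a listener on an ephemeral loopback port stands in for Tor (an assumption so the code runs without Tor installed), and the helper picks a source port for the forward that differs from Tor's port and is actually free. All function names are hypothetical.

```python
import socket

def port_is_free(port, host="127.0.0.1"):
    """True if host:port can be bound, i.e. a local forward could listen there."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError:              # EADDRINUSE: something already owns the port
            return False
    return True

def choose_source_port(tor_port, candidates):
    """First candidate that is not the Tor port itself and is free to bind."""
    for port in candidates:
        if port != tor_port and port_is_free(port):
            return port
    raise RuntimeError("no usable source port among the candidates")

def same_machine_scenario():
    """Constructed setup: a loopback listener plays the role of Tor on 9050."""
    tor = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tor.bind(("127.0.0.1", 0))       # ephemeral port instead of 9050 (assumption)
    tor.listen(1)
    tor_port = tor.getsockname()[1]
    try:
        probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        probe.bind(("127.0.0.1", 0))
        spare = probe.getsockname()[1]    # free again once the probe is closed
        probe.close()
        clash = not port_is_free(tor_port)   # forwarding tor_port -> tor_port fails
        chosen = choose_source_port(tor_port, [tor_port, spare])
        return clash, chosen != tor_port, chosen == spare
    finally:
        tor.close()
```
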

  18. poop says:

    creative commons sucks, just put a c notice up and let the leeches steal it.. lol cuz they will anyway.the worse smart you sound the least they steal i notice…

  19. kain says:

    Hi, very useful post, but my situation is quite different, I need to connect to my machine at home (ssh port, 8181 and others) and my workplace has a proxy for web and I can’t connect except to the web server, so the question is: Can I connect to my home machine with TOR or other program?

    machines
    home: Debian
    Office: WinXP (putty, CRT, etc)

  20. DumbAss says:

    Hi, is it possible to set up a tor server behind a firewall and use SSH tunnel to bypass it so the tor server would be reachable?

    • No, not if you want to run a server. The Tor-software in server-mode needs to open up a bunch of ports which have to be accessible. Something a ssh-tunnel can’t provide.

      Sorry! Alex.

      ………what about UPNP-patches to Tor – and UPNP-patches to OpenSSH? :-) Gosh, that’d be awesome and quite frightening at the same time.

  21. […] these tools can now be combined with all sorts of other tunneling tools.  For example, you could tunnel TOR traffic within SSH and then forward it across a DNS tunnel in order to bypass most content filters established on the networks to which you might be […]

  22. […] home VPN server which goes through Tor. My setup is similar to the one explained in this blog title Tor on SSH. Its not very difficult to build an SSH tunnel yourself. [g] SSHing over Tor is very […]

  23. Melanie says:

    Having read this I thought it was rather enlightening. I appreciate you finding the time and energy to put this information together.
    I once again find myself spending a significant amount of time both reading and leaving comments.
    But so what, it was still worthwhile!

  24. JapaneseKIT says:

    Yay! I’m writing this >>THANKS<< message to you using tor over ssh!
    Thank you very much! GOD BLESS you