mirror of
https://github.com/opnsense/docs
synced 2024-11-18 21:28:29 +00:00
bdf836911e
This small edit clarifies that a Tor exit node is a certain kind of relay. The implication in the current documentation is that all relays are exit nodes. (See: https://www.grammarly.com/blog/which-vs-that/.)
309 lines
11 KiB
ReStructuredText
309 lines
11 KiB
ReStructuredText
=================
|
|
Tor Configuration
|
|
=================
|
|
|
|
.. Note::
|
|
Saving changes in modal dialogs does not apply the settings.
|
|
To apply them, you have to click the "Reload Service" button.
|
|
|
|
------------
|
|
Installation
|
|
------------
|
|
|
|
First of all, install the tor plugin (os-tor) from the plugins view.
|
|
|
|
.. image:: ../images/menu_plugins.png
|
|
|
|
|
|
After a page reload you will get a new menu entry under services for Tor.
|
|
Open the menu and choose "Configuration" to configure the plugin.
|
|
|
|
----------------
|
|
General Settings
|
|
----------------
|
|
|
|
This section controls how Tor behaves in general as well as forward proxying.
|
|
|
|
Global Settings
|
|
===============
|
|
|
|
.. image:: images/tor_general.png
|
|
|
|
Tor Service Settings
|
|
--------------------
|
|
|
|
:Enable:
|
|
Controls if the service should be running. If it is enabled,
|
|
it will also be enabled at boot time.
|
|
:Control Port:
|
|
The control port is used for control communication with the Tor daemon.
|
|
This Port requires a password, which will not be disclosed to the GUI but
|
|
can be queried via the API. This setting is available for you to handle
|
|
Port conflicts, so you can change this port.
|
|
:Create a logfile, Send log messges to syslog:
|
|
Enable this checkbox if you want some logging. Please note that a detailed
|
|
log may lead to privacy issues.
|
|
:Logfile, Syslog level:
|
|
If the corresponding checkbox is enabled, this will be the minimum severity
|
|
for sending or writing log messges.
|
|
:Fascist Mode:
|
|
If internet access is filtered, you can try this option.
|
|
Please note that this is not compatible with other features like "Hidden Services".
|
|
:Fascist Firewall Ports:
|
|
These are the unfiltered ports of the firewall. The defaults of 80 and 443 are
|
|
choosen, because they are commonly open.
|
|
|
|
Forward Proxy
|
|
-------------
|
|
|
|
.. Note::
|
|
The SOCKS proxy is only useable from localhost (127.0.0.1 and ::1)
|
|
unless an ACL is added in the "SOCKS Proxy ACL" section.
|
|
|
|
:Listen Interfaces:
|
|
Add one or multiple interfaces, on which Tor should listen additionally
|
|
to the loopback interface. This is required if you want to use Tor from
|
|
other computers than the appliance itself. Tor will bind on the
|
|
statically configured IP address from your interface configuration.
|
|
If the interface has no static IP configured, it will be ignored.
|
|
:SOCKS Port Number:
|
|
The port which should be used for the SOCKS server.
|
|
|
|
Transparent Forward Proxy
|
|
-------------------------
|
|
|
|
:Transparent Port:
|
|
This port is the target for your NAT rule.
|
|
Please create a rule for this port in the "Port Forward" section of the firewall.
|
|
:Transparent DNS Port:
|
|
If you are using Tor transparently, you can resolve .onion addresses
|
|
to IPs of the given pool for example. This also allows to keep DNS secret.
|
|
:Transparent IP Pool:
|
|
This is used to provide an IP pool to Tor, which can be used for host mapping.
|
|
This needs to be a /16 network at minimum.
|
|
:Map Host To IP Pool:
|
|
This option will assign IP addresses to resolved .onion domains by the
|
|
Tor DNS service. Checking this box is recommend but a transparent IP
|
|
pool is required
|
|
|
|
SOCKS ACL
|
|
=========
|
|
|
|
.. WARNING::
|
|
If untrusted devices have access to the SOCKS proxy,
|
|
private information may be leaked.
|
|
Please be careful with the networks you allow here.
|
|
|
|
.. image:: images/tor_socks_acl.png
|
|
|
|
In this example, you can see that all Hosts of the
|
|
192.168.0.0/16 network have access to the Tor Proxy.
|
|
By default, connections are forbidden.
|
|
|
|
Creating a new entry is quite easy. Just click the `+` and
|
|
fill out the form:
|
|
|
|
.. image:: images/tor_socks_acl_edit.png
|
|
|
|
:Enable:
|
|
The entry will be added to the configuration file.
|
|
If this checkbox is unckecked, the entry is ignored.
|
|
:Protocol:
|
|
Select the protocol in use for this ACL.
|
|
You can choose between IPv4 and IPv6.
|
|
By default, IPv6 is selected.
|
|
:Network:
|
|
In this field, you have to add the network,
|
|
on which this ACL should be applied in CIDR notation.
|
|
:Action:
|
|
Select if the traffic should be accepted or rejected.
|
|
|
|
----------------
|
|
Hidden Services
|
|
----------------
|
|
|
|
A hidden service is an open TCP port, which is hosted in the Tor network
|
|
and therefore the origin of the service is hard to trace.
|
|
For example, you can host a website in Tor by running a webserver in your
|
|
network and forwarding a hidden service port to this webserver.
|
|
|
|
.. WARNING::
|
|
This does not work with every protocol as there are protocols
|
|
which open arbitrary ports. An example for that is FTP.
|
|
You may work around this issue by limiting the usable ports
|
|
of such services (for example 10 ports) and forward those to the server.
|
|
|
|
If you want to host a hidden service,
|
|
you need to open the hidden service tab and click the `+` button.
|
|
|
|
.. image:: images/tor_hidden_services.png
|
|
|
|
The following dialog will open and you can enter a name.
|
|
|
|
.. image:: images/tor_hidden_services_edit.png
|
|
|
|
You are allowed to add any alphanumeric name here.
|
|
For example, you can call your service sampleservice.
|
|
|
|
Click "Save changes" and your service is saved to the
|
|
configuration file but not saved to the Tor configuration file.
|
|
|
|
Switch to the "Hidden Service Routing" tab:
|
|
|
|
.. image:: images/tor_hidden_services_routing.png
|
|
|
|
For any port you want to forward, you have to click `+` and fill out the form:
|
|
|
|
.. image:: images/tor_hidden_services_route_edit.png
|
|
|
|
:Hidden Service:
|
|
The service on which the port forward applies.
|
|
The entries in this list are the services created in the previous step.
|
|
:Port:
|
|
The virtual Port in the Tor network.
|
|
:Target Host:
|
|
The host, on which the real service is running.
|
|
:Target Port:
|
|
The real port of the service. Please note that
|
|
this does not need to match the `Port` field but some
|
|
services may act strange on mismatch.
|
|
|
|
The sample in the screenshot would forward traffic from the virtual host
|
|
in the Tor network it gets on port 80 to 127.0.0.1:8080
|
|
|
|
.. Warning::
|
|
When using local connections like `127.0.0.1` or `::1`, your application
|
|
may think this connection is trusted (localhost is not from the internet).
|
|
Be careful when forwarding traffic to localhost.
|
|
|
|
|
|
In addition to regular onion services, the services can be protected even more
|
|
by requireing the client to know a secret cookie.
|
|
|
|
This setting needs to be configured on both ends. On the server hosting the
|
|
onion service, you need to configure it on the configuration tab for the onion
|
|
service.
|
|
|
|
For example, if you want to have a stealth service (undetectable without knowing
|
|
the key), you can configure it like the following:
|
|
|
|
.. image:: images/tor_hidden_services_edit_very_hidden.png
|
|
|
|
:Authorization Type:
|
|
Can be `Stealth` or `Basic`. Basic means that multiple clients can use the
|
|
entry point and it is still visible but unauthorized hosts can not connect.
|
|
:Authorized Clients:
|
|
You can choose some names for your clients. Each client gets a authorization
|
|
cookie assigned so they can connect to it. If you set this value, this onion
|
|
service will not be available to the public anymore.
|
|
|
|
Now as this service will need to be configured to the client side as well,
|
|
you will need to add the secret to the configuration page. To configure a
|
|
authorization cookie for a service, you can open the
|
|
`Onion Service Authentication` tab and fill out the form like on the screenshot:
|
|
|
|
.. image:: images/tor_hidden_servicesvery_hidden_credentials.png
|
|
|
|
You need to configure the hostname and the authorization cookie you will get.
|
|
|
|
:Host Name:
|
|
Enter the .onion address of the onion service.
|
|
:Authentication Cookie:
|
|
This is the authentication code you will get from the maintainer of the
|
|
onion service. Enter it into this field.
|
|
|
|
When you are done, save the settings and reload the service. After that, you should
|
|
be able to reach the service.
|
|
|
|
|
|
------
|
|
Relays
|
|
------
|
|
|
|
A Tor relay is a host which forwards traffic for other Tor nodes.
|
|
A relay that allows traffic to pass outside of the Tor network
|
|
is called an "Exit Node". If the relay is configured only for you
|
|
(not for public access), it is called a bridge.
|
|
Bridges are used to circumvent filtering of public entry nodes based
|
|
on IP/Port basis as the existence of bridges is usually unknown.
|
|
|
|
Relays And Bridges
|
|
==================
|
|
|
|
.. image:: images/tor_relay.png
|
|
|
|
.. Note::
|
|
To be a relay, your host must have a public
|
|
available port. With relaying, you will increase the anonymity
|
|
of Tor and it is less risky than an exit node.
|
|
|
|
:Enable:
|
|
Enable this checkbox if you want to relay traffic (forward
|
|
foreign traffic).
|
|
:Host:
|
|
This is the host to bind the relay port to. This can be the public IP
|
|
address. This setting is optional and may be omitted.
|
|
:Port:
|
|
This is the public port used. Do not forget to add a firewall rule
|
|
to pass traffic to this port. Otherwise it will not work.
|
|
:Address:
|
|
You can enter the FQDN or the WAN IP of this Firewall.
|
|
:Nickname:
|
|
A nickname can be used to identify your network but it must only
|
|
consist of alphanumeric characters.
|
|
:Bandwith Rate:
|
|
You can limit the bandwith Tor will use. By default, Tor will use the
|
|
maximum amount of bandwith available.
|
|
The value must be at least 72 kilobits per second.
|
|
:Bandwith Burst:
|
|
See Bandwith Rate.
|
|
:Directory Port:
|
|
If you have a lot of bandwith, you can also configure a directory port.
|
|
You should not enable this port if your bandwith is small.
|
|
:Reject Private IPs:
|
|
**IMPORTANT** DO NOT DISABLE UNLESS YOU KNOW WHAT YOU ARE DOING.
|
|
This option blocks access to RFC1918 addresses regardless of the
|
|
configured policy. If you disable this option, somebody can invade
|
|
your network.
|
|
:Bridge:
|
|
Enable this setting, if you want to be a bridge.
|
|
:Publish Server Descriptor:
|
|
If this is disabled, Tor will not publish descriptors. If you don't
|
|
want to be in a directory (for example for testing reasons),
|
|
uncheck this option.
|
|
|
|
Exit Nodes
|
|
==========
|
|
|
|
.. Warning::
|
|
Providing an exit node can lead to legal issues. It may be a good idea to
|
|
consult a lawyer before setting up one as you might be made responsible for
|
|
traffic, which originates from a malicious Tor user.
|
|
|
|
If you have relaying enabled, you can also become an exit node.
|
|
To allow outgoing connections, you have to open to the "Exit Node ACL" tab.
|
|
|
|
.. image:: images/tor_exit.png
|
|
|
|
Click on `+` to add a new ACL.
|
|
|
|
.. image:: images/tor_exit_acl_entry.png
|
|
|
|
:Enable:
|
|
If it is checked, the ACL will be used by Tor,
|
|
otherwise the line is ignored.
|
|
:Protocol:
|
|
Select the protocol, on which this ACL applies.
|
|
You can select IPv4 and IPv6 here. IPv6 is the default.
|
|
:Network:
|
|
You can enter a target network in CIDR notation or an IP
|
|
address here. If no IP is given, any IP will match.
|
|
:Start Port, End Port:
|
|
This match is the target port of a connection.
|
|
You can provide only a start port if you want to match a single port.
|
|
If you provide both, a port range will be used.
|
|
:Action:
|
|
If you select "Reject", no exit node traffic will be sent to this host
|
|
and it will not be forwarded. If you choose "Accept", your host may
|
|
be choosen as an exit node in a circuit.
|