How to setup Tor as a Transparent Proxy on Ubuntu Linux

Details

Tor is a great product to help protect your anonymity online. The Tor Project website can be used to gather more information about its use and how it works. Tor does not create complete anonymity but helps by encrypting and then bouncing your traffic around to other Tor relays before it exits an exit-node onto the Internet unencrypted. A benefit of encryption is that it is not normally analyzed by network filters and therefor bypasses.

Proxies are frequently used to mask the real location of a user, log traffic coming in and out of a network, circumvent network filtering, or in some cases to gain access to network resources that are local to the proxy but separated by a firewall or not directly available from a remote location. Traditionally proxy configurations must be set in every software package you with to use the proxy server (in most circumstances this is a web browser usually by means of specified port and/or username and password). Transparent Proxies are proxies that do not need to be configured by an end-user in order to function.

In many cases it is the interest of users to do more than tunnel just web browsing traffic. This guide will assist in configuring Tor as a transparent proxy and configure firewall rules to forward all network traffic regardless of TCP/UDP port through the Tor proxy. By doing this all network traffic leaving your local network will exit encrypted and then sent through the Tor Network.

 

In the case of this tutorial we will assume that a new Ubuntu Linux Server must be installed to the network. This guide can likely be used to configure Tor on other versions of Linux. It is not suggested that this Ubuntu Linux Server be used for any other purposes other than Transparent Proxying of the Tor Network.

The things you will need before starting:

  • Access to a new server or new virtual machine with permission to install a new Linux OS
  • An available static IP address for this new installation.
  • Access to a desktop intended for client access.

Install Ubuntu Linux Server 12.04 or 14.04.

  1. Insert the ISO in the Virtual CDROM or burn a copy of Ubuntu server ISO and insert the CD in the CDROM of the machine.
  2. Choose "Install Ubuntu Server" from the boot menu.
  3. Select the regional settings specific to your area.
  4. Set a Hostname.
  5. Create a new user account for administration of the server.
  6. Set a password for the new user account created in the previous step.
  7. Choose whether to "Encrypt your home directory".
  8. Select the time zone.
  9. Select your partitioning method (It is likely safe to assume the defaults - Don't forget to "Write the changes to disk".
  10. Leave the HTTP proxy information blank.
  11. Choose the update method (it's usually a good idea to manage updates "manually" - choose "No automatic updates").
  12. Choose to install "OpenSSH server".
  13. Install the GRUB boot loader.
  14. Once Linux Server is installed you will be asked to remove the CD and "Continue to reboot".
  15. Follow the guide How to set Static IP Address on Debian-based Linux to set a static IP.
    For the sake of this tutorial I will assume the Gateway is 192.168.1.1 and the IP address of the new server will be 192.168.1.2.

Install and configure Tor Transparent Proxy.

  1. Log in as either root or a user with sudo access
  2. Run the following commands:
    sudo apt-get update (update listing of available packages)
    sudo apt-get upgrade (make sure all packages are up-to-date)
  3. Install Tor:
    sudo apt-get install tor
  4. Edit the torrc config file:
    sudo vi /etc/tor/torrc
  5. Add configuration lines:
    Find the line (should be around line 13):
    ## https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#torrc
    Then add the following lines under it:
    Log notice file /var/log/tor/notices.log
    VirtualAddrNetwork 10.192.0.0/10
    AutomapHostsSuffixes .onion,.exit
    AutomapHostsOnResolve 1
    TransPort 9040
    TransListenAddress 192.168.1.2 #(assuming this is the static IP address of the server)
    DNSPort 53
    DNSListenAddress 192.168.1.2 #(assuming this is the static IP address of the server)
    Then save and close the file.
  6. Start the tor server:
    sudo /etc/init.d/tor start
  7. Start tor upon reboot
    sudo update-rc.d tor enable
  8. Configure iptables:
    The following commands flush the firewall rules so that they are empty.
    sudo iptables -F
    sudo iptables -t nat -F
    The following command allow us to continue to SSH to the server after setting up iptables.
    sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j REDIRECT --to-ports 22
    The following command allows the tor proxy to resolve DNS names (especially important when accessing tor hidden sites).
    sudo iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j REDIRECT --to-ports 53
    The following command collects all traffic and forwards to port 9040 (which is our Transarent Proxy Port).
    sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --syn -j REDIRECT --to-ports 9040
    The following command displays our current firewall rules.
    sudo iptables -t nat -L
    If this was successful they should look similar to this:
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:ssh redir ports 22
    REDIRECT   udp  --  anywhere             anywhere             udp dpt:domain redir ports 53
    REDIRECT   tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN redir ports 9040
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    Finally, save your firewall configuration with the following command:
    sudo sh -c "iptables-save > /etc/iptables.rules"
  9. Restore iptables.rules after restart:
    Create a script that starts before networking starts:
    sudo vi /etc/network/if-pre-up.d/iptables
    Enter the following script into the file:
    #!/bin/bash
    /sbin/iptables-restore < /etc/iptables.rules
    Save and close the file.
    Then make the file executable.
    sudo chomod +x /etc/network/if-pre-up.d/iptables
    Issue a reboot to reinitialize all of the configurations
    sudo reboot

Configure a workstation

  1. Linux:
    Follow the guide How to set Static IP Address on Debian-based Linux to set a static IP.
    Be sure to point your workstation "gateway" and "dns-nameservers" to the IP address of the Tor Transparent Proxy.
  2. Windows:
    Set a static IP address on your network adapter
    Be sure to point your workstation's "Default gateway" and "Preferred DNS server" to the IP address of the Tor Transparent Proxy.
  3. DNS/DHCP Server:
    For optimal performance and ease of configuration it would be wise to configure the DHCP to point the network Gateway and DNS server to the Tor Transparent Proxy. In this configuration, all dynamically assigned computers would exit the local network through the Tor Transparent Proxy, but would allow direct access to the real Default gateway for manually configured static IP addresses such as servers.
    If there is a local DNS server which resolve hostnames for the local network, the DNS server can be setup to forward all requests to the Tor Transparent Proxy for domain names not configured in the local DNS Server.

Control which Exit Nodes to use by specifying Country Codes

By default Tor uses all countries to exit. This can cause confusion if you frequent some sites that begin rendering in a foreign language. Also, some sites block traffic from some countries due to abuse.
Open and edit the file /etc/tor/torrc and add a line:
ExitNodes {us},{uk}(enter the 2 letter country code(s) which are the desired countries to exit the Tor Network) http://en.wikipedia.org/wiki/ISO_3166-1_alpha-2
Once the file has been edited, restart the tor daemon.
sudo /etc/init.d/tor restart