TOR howto: Using TOR through a ssh-tunnel

作者:Alexander W. Janssen 来源:Blog of too many things

TOR logoI’m a fan of TOR, the anonymizing network. It let’s me access the Internet anonymously and I don’t need to fear that anyone might use the data from their big Lawful Interception Points against me. It also prevents evil companies from correlating my web-surfing behaviour and connecting it to my IP-address.

I ain’t no criminal, i just don’t like it when people assume by default that I’m maybe a criminal, become one in the future, or use data which show my personal surfing-habits. I support the TOR-network actively trough a small monthly donation and through running my own TOR-server. I’m also willing to tell anyone how to use TOR effectively.

A posting on the or-talk mailinglist from today asked a simple question:

“There are 2 hosts.
Host 1 is at home (Debian-testing).
Host 2 is at my workplace (WindowsXP Pro)

I use Tor with Privoxy at home (host 1). Firefox with Torbutton plugin
works fine. So it seems everything ok.

At my workplace I use (WindowsXP, host 2) SSH port forwarding (with
Putyy) for webbrowsing. At Firefox in preferences, in connection tab I
had to set Socks host: localhost, port: 1080, using Socksv5.

I would like to use the Tor network from the host2 over SSH
portforwarding using my Debian host(2) at home.
Is it possible? If so, how can I do it?”

Yes, it’s possible without much hassle. First, you need a little bit of software on your client:

  1. putty or openssh
  2. for your convenience, the Firefox Switchproxy Plugin - it’s not actively supported anymore but IMHO nicer than Torbutton.

Next, check if TOR uses the default port and listen-address, open /etc/tor/torrc (or where your torrc is):
SocksPort 9050

Now it all depends on if you’re using openssh or putty. With openssh it’s very simple. Open a terminal and log in to the remote-host:
host2$ ssh -L 9050: user@host1

Log in, the tunnel is now active; that means, if you connect to localhost:9050 - a local connection on host2 - you get redirected to host1:9050 (more precise: on host1) through the encrypted ssh-tunnel.

With putty it’s the same, but more clicky-click. Open putty, load you configuration on go straight to “Connection -> SSH -> Tunnels“; enter 9050 for “Source port” and “” for “Destination” - leave everything else as it is. After pressing the “Add”-button you should see:
Putty Screenshot 2
Now it would be a good time to save your session, otherwise you’d have to enter the same information over and over again the next time you want to use the tunnel. Open the connection, voil´! There’s your tunnel.

Now for Firefox; i assume you already installed the Switchproxy-Plugin, now add a new proxy; leaving everything empty but SOCKS - fill in and Port 9050:

Switchproxy Screenshot

Now something really important; Firefox uses, by default, the local DNS, even if you use SOCKS. That leads to the situation, that information leaks from you. Imagine you’d like to check out - Firefox will ask your DNS (your employer’s DNS in the worst case!) for the IP-address of the host But that’s not necessary: You can just tell Firefox to request everything through SOCKS.

In order to do that just open a new Tab in Firefox, and enter “about:config” as the URL. You’ll see lot’s of different settings which affects the behaviour of Firefox. In the “Filter”-field enter “network.proxy.socks_remote_dns” - if “value” isn’t set to “true“, set it to “true” by double-clicking the line. Beware: If you don’t know what you’re doing don’t change any other value! You might totally screw up Firefox’s behaviour.

To check if the proxy is really active, open a connection to the website - it does the same like the usual TOR-test page at serifos, but seems to be more reliable:

Firefox Screenshot

That’s it, fairly easy - you can even configure Putty that it uses a local http-Proxy to establish the ssh-connection through it, resulting in the chain “http over SOCKS over SSH over http over TOR”. Additionally to this i also installed a normal SOCKS5-server on my server, i used danted (shipped with Debian Sarge); this is the configuration I’m using:

logoutput: syslog
internal: port = 9051
method: none
clientmethod: none
user.privileged: proxy
user.notprivileged: nobody
user.libwrap: nobody
compatibility: sameport
client pass {
from: port 1-65535 to:
method: none
block {
from: to:
command: bind
log: connect error
pass {
from: to:
protocol: tcp udp

So what I’m doing is not only using the TOR-SOCKS running 9050 but also the danted-SOCKS running on 9051; I applied both settings to my Putty-configuration and now i can choose if I want to surf anonymously or not anonymously (for everything which needs passwords and stuff) - and all goes via a normal web-proxy.

Reclaim your privacy and anonymity! Purge all personal data before and after using TOR through “CTRL+SHIFT+Del”!

And stay human.