Title: OpenBSD full Tor setup
Author: Solène
Date: 25 July 2021
Tags: openbsd tor privacy security
Description:
# Introduction
If for some reason you want to block all your traffic except traffic
going through Tor, here is how to proceed on OpenBSD.
The setup is simple and consists of installing Tor, running the service
and configuring the firewall to block every request that does not come
from the _tor user the Tor daemon runs as.
# Setup
Modify /etc/pf.conf to make it look like the following:
```file configuration content for /etc/pf.conf
set skip on lo
# block OUT traffic
block out
# block IN traffic too, answering with RST/unreachable instead of dropping;
# replies to the connections allowed below come back through their state entry
block return
# allow TCP requests made by the _tor user only
pass out on egress proto tcp user _tor
```
If you did not keep a copy of your original pf.conf, the default file is
available in /etc/examples/pf.conf if you want to go back to a standard PF
configuration.
Here are the commands to type as root to install tor and reload PF:
```shell commands
pkg_add tor
rcctl enable tor
rcctl start tor
pfctl -f /etc/pf.conf
```
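As an added check that is not part of the original post: a small POSIX sh script that audits a pf.conf draft for the Tor-only property described above (a catch-all block rule plus `pass out` rules restricted to `user _tor`) and, on the OpenBSD host itself, parses the file with `pfctl -nf` before reloading it, so a typo cannot leave you with an unintended rule set. The two rule sets it tests are constructed copies embedded in the script (the one from the post and a variant with the `user _tor` qualifier forgotten); `pf_rules`, `pf_tor_only` and `pf_load_if_valid` are names chosen for this example, not pfctl features.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check a pf.conf draft
# for the "Tor-only egress" property before loading it, so a typo or a
# forgotten "user _tor" does not silently open a non-Tor path to the Internet.
# Assumes POSIX sh with sed/grep/mktemp; the two rulesets below are constructed
# copies (the post's ruleset and a weakened variant) written to temp files.
LC_ALL=C
export LC_ALL

# Print the ruleset with comments and blank lines removed.
pf_rules() {
    sed -e 's/#.*$//' "$1" | grep -v '^[[:space:]]*$'
}

# Return 0 when FILE looks like a Tor-only egress policy:
#   1. a catch-all block rule exists ("block out", "block", "block return", ...)
#   2. every "pass out" rule carries "user _tor"
# Anything else is reported on stderr and the function returns 1.
pf_tor_only() {
    f="$1"
    if ! pf_rules "$f" | grep -Eq '^block( return| drop)?( out)?[[:space:]]*$'; then
        echo "$f: no catch-all block rule found" >&2
        return 1
    fi
    bad=$(pf_rules "$f" | grep -E '^pass out' | grep -Ev 'user[[:space:]]+_tor' || true)
    if [ -n "$bad" ]; then
        echo "$f: pass out rule(s) not restricted to _tor:" >&2
        echo "$bad" >&2
        return 1
    fi
    return 0
}

# On the OpenBSD host: audit, then parse with -n (loads nothing), and only
# reload if both succeed. Returns 2 when pfctl is not available (e.g. Linux).
pf_load_if_valid() {
    command -v pfctl >/dev/null 2>&1 || { echo "pfctl not found" >&2; return 2; }
    pf_tor_only "$1" && pfctl -nf "$1" && pfctl -f "$1"
}

# Constructed sample 1: the ruleset from the post.
TOR_PF=$(mktemp)
cat > "$TOR_PF" <<'EOF'
set skip on lo
# block OUT traffic
block out
# block IN traffic and allow response to our OUT requests
block return
# allow TCP requests made by _tor user
pass out on egress proto tcp user _tor
EOF

# Constructed sample 2: same ruleset with the user qualifier forgotten, which
# would let every local program reach the Internet directly.
WEAK_PF=$(mktemp)
cat > "$WEAK_PF" <<'EOF'
set skip on lo
block out
block return
pass out on egress proto tcp
EOF
trap 'rm -f "$TOR_PF" "$WEAK_PF"' EXIT

for f in "$TOR_PF" "$WEAK_PF"; do
    if pf_tor_only "$f"; then echo "$f: OK, Tor-only egress"; fi
done
```

Run it as-is to see the weakened variant rejected; on the OpenBSD machine, `pf_load_if_valid /etc/pf.conf` replaces the bare `pfctl -f /etc/pf.conf` step above.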
Configure your programs to use the SOCKS5 proxy at localhost:9050. Since
the rule set only lets the _tor user out (other programs cannot even send
DNS queries over UDP), let the proxy resolve hostnames rather than having
each program resolve them itself. If you need to reach a remote server or
service of your own, that server has to run tor too and expose it as a
HiddenService so you can reach it through Tor.
# Privacy considerations in the local area network
Keep in mind that if you use DHCP to obtain an IP address, your system's
hostname and its MAC address are shared with the network.
For the MAC address, you can use "lladdr random" in your interface
configuration file to get a new random MAC address on every boot.
For the hostname, I didn't test it but it should work: rewrite your
/etc/myname file with a new value at each boot, so that the next boot
uses the new value. To do so, you could run this script from /etc/rc.local:
```shell script
#!/bin/sh
grep -v ^# /usr/share/misc/airport | cut -d ':' -f 1 | sort -R | head -n 1 > /e…
```
The script takes a random name out of the 2000+ entries of the airport
list (every airport in the list has been visited by an OpenBSD developer
before being added). This still means you have a 1/2000 chance of getting
the same name again upon reboot; if you prefer more entropy you can make a
script generating a long random string.
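The longer random string mentioned above, as an added example that is not the post's own script: it generates a random hostname that is still a valid DNS label and validates it before use. The function names (`rand_chars`, `random_hostname`, `valid_hostname`) are assumptions of this example; it needs only POSIX sh, dd, tr, cut, grep and /dev/urandom, and the write to /etc/myname is shown as a commented usage line so the script runs harmlessly on any machine.

```shell
#!/bin/sh
# Added example, not part of the original post: a higher-entropy replacement
# for the airport-list pick, generating a random hostname label that is still
# valid for /etc/myname. Assumes POSIX sh with dd, tr, cut, grep and
# /dev/urandom; the write to /etc/myname is left as a commented usage line.
LC_ALL=C
export LC_ALL

# Print exactly N characters drawn from the tr(1) character set CHARSET,
# reading /dev/urandom in fixed-size chunks (no head -c, which OpenBSD's
# head lacks). Prints nothing for N <= 0.
rand_chars() {
    charset="$1"; n="$2"; out=""
    [ "$n" -gt 0 ] || return 0
    while [ "${#out}" -lt "$n" ]; do
        chunk=$(dd if=/dev/urandom bs=256 count=1 2>/dev/null | tr -dc "$charset")
        out="$out$chunk"
    done
    printf '%s' "$out" | cut -c 1-"$n"
}

# Print a random hostname of LEN characters (default 12): a lowercase letter
# first, then lowercase letters and digits, so it is a valid DNS label.
# Returns 1 for a length outside 1..63.
random_hostname() {
    len=${1:-12}
    [ "$len" -ge 1 ] && [ "$len" -le 63 ] || return 1
    printf '%s%s\n' "$(rand_chars a-z 1)" "$(rand_chars a-z0-9 $((len - 1)))"
}

# Return 0 if NAME is a valid single-label hostname under the conservative
# rule: 1-63 characters, lowercase letters, digits or '-', starting with a
# letter and not ending with '-'.
valid_hostname() {
    printf '%s' "$1" | grep -Eq '^[a-z]([a-z0-9-]{0,61}[a-z0-9])?$'
}

# Usage from /etc/rc.local on OpenBSD; as with the post's script, the new
# name is picked up at the next boot:
#   random_hostname 16 > /etc/myname
name=$(random_hostname 16)
if valid_hostname "$name"; then
    echo "$name"
else
    echo "hostname generation failed" >&2
    exit 1
fi
```

With 16 characters from a 36-symbol alphabet the chance of repeating a previous name is negligible, unlike the 1/2000 of the airport list, and the validation step guards against a hostname that some resolvers or DHCP servers would refuse.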
# Privacy considerations on the Web
You shouldn't use Tor with just any program: depending on the software,
it may leak your IP address, as it may not have been built with privacy in
mind. The Tor Browser (a modified Firefox including Tor and privacy
settings) can be fully trusted to only share/send what is required and
not more.
The point of this setup is to block leaking programs and only allow Tor
to reach the Internet; then it's up to you to use Tor wisely. I
recommend reading the Tor documentation to understand how it works.
Tor project documentation
# Potential issues
The only issue I can imagine right now is connecting to a network with
a captive portal to reach the Internet: you would have to disable the
PF rule (or PF entirely), at the risk of some programs leaking data.
# Same setup with I2P
If you prefer using I2P only to reach external services, replace _tor
with _i2p or _i2pd in the pf.conf rule, depending on which implementation
you use.
# Conclusion
I'm not a huge Tor user, but for people who need to be sure non-Tor
traffic can't go out, this is a simple setup to make.