Title: OpenBSD full Tor setup
Author: Solène
Date: 25 July 2021
Tags: openbsd tor privacy security
Description:
# Introduction
If for some reason you want to block all your traffic except the traffic
going through Tor, here is how to proceed on OpenBSD.
The setup is simple: install Tor, run the service, and configure the
firewall to block every request that doesn't come from the _tor user the
Tor daemon runs as.
# Setup
Modify /etc/pf.conf to make it look like the following:
```file configuration content for /etc/pf.conf
set skip on lo
# block OUT traffic
block out
# block IN traffic (answering with RST/ICMP unreachable); replies to the
# connections allowed below still pass, because pass rules keep state
block return
# allow TCP requests made by the _tor user
pass out on egress proto tcp user _tor
```
If you didn't keep a copy of your previous pf.conf, the default file is
available in /etc/examples/pf.conf if you want to go back to a standard
PF configuration.
Here are the commands to type as root to install Tor and reload PF:
```shell commands
pkg_add tor
rcctl enable tor
rcctl start tor
pfctl -f /etc/pf.conf
```
Configure your programs to use the SOCKS5 proxy at localhost:9050. If you
need to reach a remote server or service of your own, that server will
need to run Tor too and expose the service as a HiddenService so you can
access it through Tor.
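To confirm the rules do what this setup intends, here is an added check script (not part of the original post) that first tries a direct TCP connection, which PF should refuse, and then a SOCKS5 CONNECT through Tor on localhost:9050, sending the destination as a domain name so Tor resolves it rather than a local DNS query. The destination check.torproject.org is only an assumed example target.

```python
"""Added check for the setup above: a direct TCP connection from a normal
user must be refused by PF, while a SOCKS5 CONNECT through Tor on
localhost:9050 must succeed. The request uses the domain-name address
type (0x03) so Tor resolves the name; a local DNS query would be UDP
from a non-_tor user and is blocked by the rules anyway."""
import socket
import struct

TOR_SOCKS = ("127.0.0.1", 9050)  # Tor's default SOCKS port, as in the post


def socks5_connect_request(host: str, port: int) -> bytes:
    """Build a SOCKS5 CONNECT: VER CMD RSV ATYP LEN HOST PORT (RFC 1928)."""
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname must be 1..255 bytes")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def parse_socks5_reply(reply: bytes) -> int:
    """Return the REP field of a SOCKS5 reply (0 means succeeded)."""
    if len(reply) < 2 or reply[0] != 0x05:
        raise ValueError("not a SOCKS5 reply")
    return reply[1]


def direct_connect_blocked(host: str, port: int, timeout: float = 5.0) -> bool:
    """True if a direct (non-Tor) TCP connection cannot be made. With the
    'block return' rule PF answers with a RST, so this fails fast with
    ECONNREFUSED; a failing name resolution also counts as blocked."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return False
    except OSError:
        return True


def tor_connect_ok(host: str, port: int, timeout: float = 30.0) -> bool:
    """Open a circuit through Tor's SOCKS5 port to host:port, report success."""
    with socket.create_connection(TOR_SOCKS, timeout=timeout) as s:
        s.sendall(b"\x05\x01\x00")  # greeting: version 5, one method, no auth
        if s.recv(2) != b"\x05\x00":
            return False
        s.sendall(socks5_connect_request(host, port))
        return parse_socks5_reply(s.recv(10)) == 0


if __name__ == "__main__":
    target = ("check.torproject.org", 443)  # assumed example destination
    print("direct connection blocked:", direct_connect_blocked(*target))
    print("connection through Tor ok:", tor_connect_ok(*target))
```

Run it as a regular (non-_tor) user on the configured host: the first line should be True and the second True.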
# Privacy considerations in the local area network
Please consider that if you use DHCP to obtain an IP address on the
network, the hostname of your system is shared, and so is its MAC address.
As for the MAC address, you can use "lladdr random" in your interface
configuration file to get a new random MAC address on every boot.
As for the hostname, I didn't test it but it should work: rewrite your
/etc/myname file with a new value at each boot, so that the next boot
uses a new name. To do so, you could run this script from /etc/rc.local:
```shell script
#!/bin/sh
# pick a random airport code (first field, comment lines skipped) as the new hostname
grep -v ^# /usr/share/misc/airport | cut -d ':' -f 1 | sort -R | head -n 1 > /e…
```
The script will take a random name out of the 2000+ entries of the
airport list (every airport in the list has been visited by an OpenBSD
developer before it is added). This still means you have a 1/2000 chance
of getting the same name upon reboot; if you prefer more entropy, you can
make a script generating a long random string.
# Privacy considerations on the Web
You shouldn't use Tor with just any program: depending on the software
used, it may leak your IP address, because it may not be built with
privacy in mind. The Tor Browser (a modified Firefox including Tor and
privacy settings) can be fully trusted to only share/send what is
required and not more.
The point of this setup is to block leaking programs and only allow Tor
to reach the Internet; then it's up to you to use Tor wisely. I
recommend reading the Tor documentation to understand how it works.
Tor project documentation
# Potential issues
The only issue I can imagine right now is connecting to a network with
a captive portal to reach the Internet: you would have to disable the
PF rule (or PF entirely), at the risk of some programs leaking data.
# Same setup with I2P
If you prefer using I2P only to reach external services, replace _tor
with _i2p or _i2pd in the pf.conf rule, depending on which implementation
you use.
# Conclusion
I'm not a huge Tor user, but for the people who need to be sure non-Tor
traffic can't go out, this is a simple setup to make.