Only connection via Tor for the entire operating system

Hi everyone, I was wondering whether you can set up the entire operating system (Arch Linux, in my case) so that it uses the Tor network exclusively to connect to the Internet, and not only Tor Browser (so all of its installed applications too, etc.).
Especially if this can be done simply by configuring the operating system, without having to set up a router specifically for the purpose.
Thank you in advance!

Have you looked at Tails? Tails is a Debian-based operating system which is configured in a way that it routes all your traffic through Tor.
If you plan to emulate this on a different operating system, do note that routing all OS traffic through Tor is a very involved process, because of the overall complexity of operating systems in general and certain limitations of Tor (for instance, Tor doesn’t support non-TCP traffic).


Hi,

Tails doesn’t force all traffic through Tor, it blocks all traffic except Tor.

To achieve tor-only-clearnet-blocked, which is what I do (only tested on Debian), one can:

  • enable DNSPort in torrc
  • enable SocksProxy in torrc
  • have systemd use this DNSPort for DNS resolution
  • have a firewall that blocks everything going out, and only allows traffic from user debian-tor (the user that runs tor on Debian)
  • manually configure all apps to use the Tor socks proxy (apt/pacman, tor browser, torsocks, etc)
  • add exceptions to the firewall for clearnet activities (I have a few SSH hosts I can connect to through clearnet and use as another SOCKS proxy, so clearnet traffic still doesn’t reveal my location)

Cheers!
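Putting the steps above into files, as an added example that is not the poster's own configuration: it assumes a Debian-style system tor running as the debian-tor user, nftables as the firewall, and a systemd-resolved new enough (v246 or later) to accept an "address:port" in DNS=. Note that the torrc option that opens the SOCKS listener is SocksPort. Because Tor carries only TCP, the output chain drops every UDP and ICMP packet from non-tor users, so ping, NTP and similar stop working unless you add an exception. The output directory argument, the hostname "alice" in the commented exception and the 192.0.2.10 address are placeholders.

```shell
#!/bin/sh
# Tor-only host, Debian style: added example, not the poster's files.
# Assumptions: system tor runs as $TOR_USER (Debian default debian-tor),
# nftables is the firewall, systemd-resolved >= 246 handles DNS.
# Every writer takes an output root as $1: "/" on the real host (as root),
# or a scratch directory to inspect the generated files first.
set -eu

TOR_USER="${TOR_USER:-debian-tor}"
SOCKS_PORT=9050
DNS_PORT=5353

write_torrc() {
  out="$1/etc/tor/torrc"
  mkdir -p "$(dirname "$out")"
  cat >"$out" <<EOF
# SocksPort is the torrc option that opens the SOCKS5 listener apps use.
# IsolateDestAddr puts different destinations on different circuits.
SocksPort 127.0.0.1:${SOCKS_PORT} IsolateDestAddr
# Tor answers A/AAAA/PTR queries over its own circuits: no clearnet DNS.
DNSPort 127.0.0.1:${DNS_PORT}
# .onion names resolve to a fake address Tor maps back to the service.
AutomapHostsOnResolve 1
VirtualAddrNetworkIPv4 10.192.0.0/10
EOF
}

write_resolved() {
  out="$1/etc/systemd/resolved.conf.d/tor.conf"
  mkdir -p "$(dirname "$out")"
  cat >"$out" <<EOF
[Resolve]
# Send every lookup to Tor's DNSPort (address:port needs systemd >= 246).
DNS=127.0.0.1:${DNS_PORT}
# Tor's resolver does not speak DoT or DNSSEC; leaving these on would
# make resolved fall back to the DHCP-provided servers and leak.
DNSOverTLS=no
DNSSEC=no
FallbackDNS=
EOF
}

write_nft() {
  out="$1/etc/nftables.conf"
  mkdir -p "$(dirname "$out")"
  cat >"$out" <<EOF
#!/usr/sbin/nft -f
flush ruleset
table inet torwall {
  chain output {
    type filter hook output priority 0; policy drop;
    oif lo accept
    ct state established,related accept
    # Only the tor daemon's user may open outbound connections.
    meta skuid ${TOR_USER} accept
    # Optional clearnet exception of the kind described in the post:
    # one user, one SSH host, TCP/22 only (placeholder user and address).
    # meta skuid alice ip daddr 192.0.2.10 tcp dport 22 accept
    # Everything else, including UDP and ICMP, is logged and dropped.
    log prefix "clearnet-leak: " drop
  }
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
  }
  chain forward { type filter hook forward priority 0; policy drop; }
}
EOF
}

# Usage: sh tor-only.sh <outdir>   (e.g. "/" on the real host, as root)
if [ -n "${1:-}" ]; then
  write_torrc "$1"
  write_resolved "$1"
  write_nft "$1"
  echo "wrote torrc, resolved drop-in and nftables ruleset under $1"
fi
```

After writing to "/", load the rules with `nft -f /etc/nftables.conf`, enable the nftables service so they survive a reboot, and restart tor and systemd-resolved. Then confirm nothing leaks: `curl https://example.com` from a normal user must hang or fail and show up as `clearnet-leak:` in the kernel log, while `curl --socks5-hostname 127.0.0.1:9050 https://check.torproject.org` succeeds; the `--socks5-hostname` form matters because plain `--socks5` would resolve the name locally (which here goes to Tor's DNSPort anyway, but other apps may not go through resolved).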

I think this (configuring Debian to only connect through Tor) deserves a howto. It would be ideal for the dev portal, but we are not ready with it yet.

Maybe on the Tor wiki for now?


We have some docs about Transparent Proxy, but it’s very risky as it could leak your real IP address, for example.

You can find some old threads about this:

Unfortunately, if you just route all your traffic through Tor, you’re only solving half the problem: all the application-level issues remain. First, this is a problem when you use your Chrome over Tor and then wonder how websites are able to recognize you anyway (remember all the protections that Tor Browser adds over vanilla Firefox). And second, as you say in your post here, it’s a problem because of all the chatter that comes from background applications, update attempts, printer notifications, and so on that most systems do by default these days.


I guess I could do that, but I have no time for it yet.


Yes, I should have stated what my threat model is for this setup, and also stated that browsing the web with anything other than the Tor Browser doesn’t protect against fingerprinting and other issues. Thanks for bringing it up here!

I remember this article from a few years back, on how to set up a Raspberry Pi as a network router that channels everything through Tor.

The advantage over any solution local to the OS is that you don’t have to trust your OS at all; everything gets routed through an external router that handles the Tor proxying.

I don’t know if this is relevant today or how secure it is, but here you go anyway.


The architecture idea is similar to that of Whonix, which offloads the “route everything through Tor” task to a secondary machine, a VM in this case.


First of all, thanks a lot to everyone for your suggestions, explanations and the links you shared with me.
In light of this, I believe that for now I will let go of the original intent of the thread, both due to the related security problems it would entail and due to my poor preparation.
I therefore ask what you think if, instead, I set up the only two applications I use on my computer so that they use the Tor network: is it advisable? Is it feasible? Are there any applications that don’t allow it? What would the procedure be?

The solution with the Raspberry Pi is also very interesting: is it too complex for a neophyte?

I think it depends on your threat model.
If you want these apps to go through Tor because your ISP blocks usage of this app but won’t charge you if you do, then you should be fine. I mean that if your ISP would pursue you if they found out you use this app, then you should probably find another, more robust solution.

It is definitely feasible, but very hard to explain without having more details, such as:

  • what is your OS?
  • how did you install the Tor software? (only Tor Browser? a system tor?)
  • what threat model motivates your wish to use Tor? (this is to make sure it fits, without asking for too many details)
  • what kind of traffic do your apps need? (TCP, UDP, what ports?)

Usual solutions on Linux involve torsocks.
On all systems (at least Linux and macOS) you should be able to use a “socks5” proxy. Tor starts its own, but we need more details to help you better!

Hi, I recommend you read this WikiHow article by Travis Boylls; it should help you with what you want to do!

“simply setting it from the operating system”

It isn’t that simple unless you are familiar with iptables or its equivalents. It could also be quite vulnerable to updates, bugs or even typos in your config files.

This applies to enforcing Tor on either 1 or 2 or all programs.

If you don’t want to set up another physical machine such as a Pi, I’d check out Whonix, mentioned earlier, or look into creating something similar yourself if you are familiar enough with virtualization tools.

So, I have done a little reading, and thank everyone again for your help, but all the procedures definitely seem to be beyond my limited capabilities.
In the coming days, however, I will try to install Whonix and see if it can work for me.
Thanks again!

Whonix or OpenWrt in VirtualBox

On mobile, formatting will be kinda shitty.
But I was searching for a solution like this not long ago, without having to use a different machine or OS. This thing is sort of hit and miss, but with a bit of creative finagling, it works.

I can personally confirm it works on Ubuntu 22.04 KDE, FreeBSD 13.0, macOS 12.5 and macOS 10.14.