This is something that just has to be written! Even if very messy and unpolished. I literally googled for hours, tried everything and still came up short of my goal. If you don't have any Linux/PC skills this will be hard. If you just want a solid Tor operating system try Liberte linux, the whonix system, tails linux or Tor gateway. Liberte and whonix being the most robust against attack. This semi-guide is about setting up a PC or rather a switch or WIFI router in your network that will route all traffic into the Tor network.
This isn't a complete guide but a better starting place than I had by far so good luck and I hope this helps. I used crunchbang linux btw. Also this setup requires 2 Ethernet ports /cards installed in the Tor box.
First we have https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy which comes close to giving you everything you need to get tor setup correctly (half the battle).
sudo apt-get install tor
That might work depending on your OS might not https://www.torproject.org/docs/debian.html.en
What you need to do is add torproject.org to your repository, just google a bit. Then run sudo apt-get install tor again and if you added it correctly it will install.
Local Redirection and Anonymizing Middlebox
To enable the transparent proxy and the DNS proxy, add the following to your torrc. Found at /etc/tor/torrc use sudo nano nano is editor
Configure your system's DNS resolver to use Tor's DNSPort on the loopback interface by modifying /etc/resolv.conf edit this after tor is up and running
If you want to make the iptables rules permanent you have to make sure they are executed at start up time, for example by adding a script in the right directory. On Debian/Ubuntu you can do something like this:
sudo touch /etc/init.d/anonuser
sudo chmod 0755 /etc/init.d/anonuser
sudo nano /etc/init.d/anonuser
Nano is a text editor that you can use to put the following in the file... I've made changes that made my two interface setup work. Might need to have tor running first if it wont go after changes.
# destinations you don't want routed through Tor
# the UID Tor runs as
# Tor's TransPort
# your internal interface
#your interface you hook a switch to so you can connect computers into your proxy
iptables -t nat -F
iptables -t nat -A OUTPUT -o lo -j RETURN
iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
for NET in $NON_TOR; do
iptables -t nat -A OUTPUT -d $NET -j RETURN
iptables -t nat -A PREROUTING -i $INT_IF -d $NET -j RETURN
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
iptables -t nat -A PREROUTING -i $EXT_IF -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
for NET in $NON_TOR 127.0.0.0/8; do
iptables -A OUTPUT -d $NET -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
iptables -A OUTPUT -j REJECT
You may need to use 'sudo bash anonuser' to run the script you just created. Check it has correct permissions to run 'ls -l anonuser' will show the permissions. You may have to copy it to your home folder to and then make it run, use cp anonuser ~/ or something similar. Check sudo iptables --list that should show rules in iptables!! If not read above.
B4 you try to run everything you need to setup your proxy interface correctly (eth1)
It needs to be static edit sudo nano /etc/networking/interfaces
sudo /etc/init.d/networking restart this restarts the network, you might need this, maybe it will give you an error like it did me? Ignore move on. and or sudo ifconfig eth1 192.168.1.1 up
Setup dnsmasq by sudo apt-get install dnsmasq this is a DHCP server for ur proxy interface. edit sudo nano /etc/dnsmasq.conf then sudo /etc/init.d/dnsmasq restart
if you have more interfaces add them
interface=eth2 .... and ranges and so on
I used a switch to connect the two PC's lost about an hour playing with a router trying to make it work... my setup is as follows, internet >> proxy server >> anon pc I didn't do anything to the anon pc its just stock.
I'm sure I missed some things but thats what google is for and just remember this project is really two things getting tor setup and getting your PC's talking to each other correctly. If you have a router make sure to disable dhcp and firewalls on it and plug all into the lan not wan/internet hub.
Good article, thanks for sharing.
I've written a guide to some privacy/anonymity apps here.
To answer some questions, what this setup allows you to do is have a WIFI network that routes all traffic through the Tor network. This way you can leave your WIFI unencrypted so anyone can use it and you don't have to worry about what they are doing (for the most part). If you don't want to run a WIFI you can just have a switch that you plug computers into and route the traffic through Tor that way. No configuring of the computers being plugged into the Tor switch or WIFI is required.
This setup requires 2 Ethernet connections on the Tor proxy server.
I would caution that the Tor exits can see your unencrypted traffic just be aware of that and I recommend installing the "https everywhere" plugin for your browser. Don't use services on Tor that are unencrypted like email as the Tor exit can read everything if it is not encrypted with https ...
You can if you wish solve the Tor exit problem by using a VPN but this slows your connection further vpnbook.com is free.
Wait. THere is one problem with that. If you run all of your internet traffic through TOR without changing online behavior, you have undermined the usefulness of TOR.
Any online account you use that could personally identify you (email,banking,bill pay, etc.) should NOT be run through TOR. It doesn't matter how many anonymous loops you go through if you are still going to be connecting to services that can be used to identify you.
Keep this in mind...no amount of tools can keep you safe (online or offline) if you don't use them properly!
Thanks for the discussion.
Very true it all depends on what your situation is and what your trying to do. For most people they just want to blind their ISP and government from seeing their traffic. This video spells out how to operate if you really want to be anonymous http://12160.info/video/the-grugq-opsec-when-you-want-real-anonymity