Set Up a Tor Proxy Server on pfSense

How to Set Up a Tor Proxy Server on pfSense

Updated on October 16, 2014

Why You Should Use Tor

Anyone looking to protect their identity and location should route their internet traffic through the Tor network.

Once an internet request leaves your computer it passes through multiple different networks. At any time this data can be intercepted by any of these intermediate points without you ever knowing your data was compromised.

When internet traffic passes through Tor it is automatically encrypted and decrypted as it passes through multiple randomly selected relays.

The final relay, or exit node, decrypts the final layer of encryption and transmits the original data to the intended destination.

Since the data is protected through encryption during transit your information is protected from prying eyes.

By setting up a Tor proxy on pfSense you can easliy allow multiple users on your home or business network to transmit data securely.

Download and Install the Tor Package

Since Tor isn't an officially supported pfSense package it cannot be installed through the pfSense package manager. Instead it must be manually installed using the pkg_add command.

This command can be ran through an SSH terminal, or through the diagnostics\command prompt page in the web interface.

pkg_add -r ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.1-release/Latest/tor-devel.tbz

A successful installation will display the message seen in the image below.

Installing the Tor package using the pkg_add command through the command prompt.

Libevent Error Messages

You may receive a warning message if the installer detects a conflicting version of libevent on the system. Some pfSense packages such as ntop install a version of libevent that will cause Tor to fail to start.

In order for Tor to work correctly you will need to remove any existing version of libevent , then reinstall the Tor package.

To list any versions of libevent installed on the system:

pkg_info | grep libevent

libevent-1.4.14b_1 Provides an API to execute callback functions on certain ev
libevent-1.4.14b_2 Provides an API to execute callback functions on certain ev
libevent2-2.0.16 API for executing callback functions on events or timeouts

If any conflicting versions are detected, remove them with these commands:

pkg_delete libevent-1.4.14b_1

pkg_delete libevent-1.4.14b_2

pkg_delete libevent2-2.0.16

If you see an error message stating the package cannot be deinstalled and is required by other packages you must remove the packages that depend on it.

pkg_delete: package 'libevent-1.4.14b_1' is required by these other packages
and may not be deinstalled:
ntop-5.0.1

pkg_delete ntop-5.0.1

Create the Required Directories and Log File

Tor requires the creation of two directories before it can be started, run the commands below to create them.

mkdir /var/db/tor
mkdir /var/run/tor

Tor also requires the creation of a log file before it will start.

touch /var/log/tor

Finally we must set the the Tor user as the owner of both directories and the log file.

chown -R _tor /var/db/tor/
chown -R _tor /var/log/tor
chown _tor /var/run/tor

Edit the Config File

The Tor package includes a default config file that can be used as a good starting point for most users.

The command below will create a copy of the default config file called torrc in the same directory as the sample.

cp /usr/local/etc/tor/torrc.sample /usr/local/etc/tor/torrc

There are a couple of lines in the config file that need to be modified.

You can make these changes through the command line using the Vi editor but I find it much easier to use the file editor in the web gui located in the diagnostics menu.

In the /usr/local/etc/tor/torrc file uncomment both of the lines below by removing the # sign at the beginning of the lines. Modify the ip address in the second line to reflect the LAN IP address of the pfSense router.

SocksListenAddress 127.0.0.1:9100

SocksListenAddress 192.168.0.1:9100

In order for Tor to run in daemon mode you'll need to uncomment the following line as well.

RunAsDaemon 1

Editing the Tor configuration file using the text editor in the web interface.

Edit the rc.conf File

Tor will fail to start and display an error message unless tor_enable is set to 'yes' in the rc.conf file. The command below will add the required entry to the bottom of the rc.conf file.

echo "tor_enable=yes" >> /etc/defaults/rc.conf

Creating the Tor Startup Script

When pfSense boots the system will automatically run any scripts with a .sh file extension located in /usr/local/etc/rc.d. To allow Tor to run at boot time the script must be created, and the permissions must be modified to make it executable.

The commands below will create create the tor.sh startup script, and make the script executable.

touch /usr/local/etc/rc.d/tor.sh

chmod +x /usr/local/etc/rc.d/tor.sh

After creating the script copy and paste the contents in the code section below into the file and save it.

This step can be completed using either the vi text editor (vi /usr/local/etc/rc.d/tor.sh) , or the web based file editor.

Tor.sh

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22

#!/bin/sh rc_start() {            /usr/local/etc/rc.d/tor tart } rc_stop() {            /usr/local/etc/rc.d/tor stop } case $1 in         start)                 rc_start                 ;;         stop)                 rc_stop                 ;;         restart)                 rc_stop                 rc_start                 ;; esac

Starting the Tor Service

At this point all of the pieces are in place to start the Tor service. Run the init script created in the previous step with the 'start' parameter to start Tor.

/usr/local/etc/rc.d/tor.sh start

If the Tor daemon successfully start you'll see a message similar to the one below. If you don't see this message you may receive an error message that will provide a clue of why Tor is unable to start.

[notice] Opening Socks listener on 192.168.10.254:9100

Starting the Tor service using the startup script.

Tor is not an HTTP proxy error message.

Setting up a Proxy Server

At this point the Tor daemon should be up and running but we're not quite finished yet.

If you attempt to configure he IP and port of the server as a proxy in you web browser you'll receive a message that states "Tor is not an HTTP Proxy".

Since Tor is a SOCKS proxy it operates at a lower level then most web proxy servers which makes it necessary to run a separate web proxy server in addition to the Tor daemon.

Unfortunately the popular Squid proxy server does not support the SOCKS protocol unless it is recompiled from source. Instead of recompiling Squid I recommend installing the Polipo caching proxy service.

Polipo is a very fast, lightweight proxy service with native support for SOCKS and some other really cool features such as HTTP piplining and partial object caching.

Configuring Tor as an Upstream Proxy for Polipo

After installing Polipo it must be configured to use the Tor daemon as a parent proxy server. Edit the Polipo configuration file (/usr/local/etc/polipo/config) and uncomment both of the lines below.

socksParentProxy = "localhost:9100"

socksProxyType = socks5

Save the changes to this file once the edits have been made.

Editing the Polipo configuration file to support an upstream Tor proxy.

After the changes to the config file have been modified the Polipo service must be restarted to apply the changes.

/usr/local/etc/rc.d/polipo.sh restart

Testing the Tor Proxy

Now that Tor is running and Polipo has been configured to use Tor as a parent proxy everything is in place for testing!

If you haven't already done so configure your browser to point to the LAN IP address of pfSense on port 8123 (the default port for Polipo)

To confirm your internet traffic is being forwarded through the Tor network visithttps://check.torproject.org/. This page will run a test on your connection to determine if it is using the Tor network. If your traffic is going through Tor successfully you'll see the message below displayed.

Confirming Tor is working using the online test page.

Contributing to Tor

Since the Tor network is operated by volunteers the best way you can contribute to the project is to operate your own Tor relay.

Anyone with a reliable internet connection can operate a relay by running Tor in relay mode. Additional Tor relays add to the speed and reliability of the entire Tor network.

Setup a Wireless Tor Access Point with the Raspberry Pi

Further Protect Your Identity With Bitcoin

Once you've starting using Tor for anonymity you may want to consider protecting your financial information by making purchases with Bitcoin.

You can easily purchase Bitcoins (or mine your own) making it possible to make anonymous purchases.

Bitcoins spend like cash but can be transmitted over the internet instantly to any location in the world.