About me: My name is Solène Rapenne, pronouns she/her. I like learning and sharing knowledge. Hobbies: '(BSD OpenBSD Lisp cmdline gaming internet-stuff). I love percent and lambda characters. OpenBSD developer solene@.

Contact me: solene on libera.chat, solene+www at dataswamp dot org or @solene@bsd.network (mastodon). If for some reason you want to support my work, this is my paypal address: donate@perso.pw.

How to use Tor only for onion addresses in a web browser

Written by Solène, on 12 June 2021.
Tags: #tor #openbsd #network #security #privacy

Comments on Mastodon

Introduction §

A while ago I published about Tor and Tor hidden services. As a quick reminder, hidden services are TCP ports exposed into the Tor network using a long .onion address and that doesn't go through an exit node (it never leaves the Tor network).

If you want to browse .onion websites, you should use Tor, but you may not want to use Tor for everything, so here are two solutions to use Tor for specific domains. Note that I use Tor but this method works for any Socks proxy (including ssh dynamic tunneling with ssh -D).

I assume you have tor running and listening on port 127.0.0.1:9050 ready to accept connections.

Firefox extension §

The easiest way is to use a web browser extension (I personally use Firefox) that will allow defining rules based on URL to choose a proxy (or no proxy). I found FoxyProxy to do the job, but there are certainly other extensions that propose the same features.

FoxyProxy for Firefox

Install that extension, configure it:

- add a proxy of type SOCKS5 on ip 127.0.0.1 and port 9050 (adapt if you have a non standard setup), enable "Send DNS through SOCKS5 proxy" and give it a name like "Tor"

- click on Save and edit patterns

- Replace "*" by "*.onion" and save

In Firefox, click on the extension icon and enable "Proxies by pattern and order" and visit a .onion URL, you should see the extension icon to display the proxy name. Done!

Using privoxy §

Privoxy is a fantastic tool that I forgot over the time, it's an HTTP proxy with built-in filtering to protect users privacy. Marcin Cieślak shared his setup using privoxy to dispatch between Tor or no proxy depending on the url.

The setup is quite easy, install privoxy and edit its main configuration file, on OpenBSD it's /etc/privoxy/config, and add the following line at the end of the file:

forward-socks4a   .onion               127.0.0.1:9050 .

Enable the service and start/reload/restart it.

Configure your web browser to use the HTTP proxy 127.0.0.1:8080 for every protocol (on Firefox you need to check a box to also use the proxy for HTTPS and FTP) and you are done.

Marcin Cieślak mastodon account (thanks for the idea!).

Conclusion §

We have seen two ways to use a proxy depending on the location, this can be quite useful for Tor but also for some other use cases. I may write about privoxy in the future but it has many options and this will take time to dig that topic.

Going further §

Duckduck Go official Tor hidden service access

Check if you use Tor, this is a simple but handy service when you play with proxies

Official Duckduck Go about their Tor hidden service

TL;DR on OpenBSD §

If you are lazy, here are instructions as root to setup tor and privoxy on OpenBSD.

pkg_add privoxy tor
echo "forward-socks4a   .onion               127.0.0.1:9050 ." >> /etc/privoxy/config
rcctl enable privoxy tor
rcctl start privoxy tor

Tor may take a few minutes the first time to build a circuit (finding other nodes).