OpenBSD full Tor setup

Written by Solène, on 25 July 2021.
Tags: #openbsd #tor #privacy #security

1. Introduction

If for some reason you want to block all your traffic except the traffic going through Tor, here is how to proceed on OpenBSD.

The setup is simple: it consists of installing Tor, running the service, and configuring the firewall to block every request that doesn't come from the _tor user used by the Tor daemon.

2. Setup

Modify /etc/pf.conf to make it look like the following:

set skip on lo

# block OUT traffic
block out

# block IN traffic and allow response to our OUT requests
block return

# allow TCP requests made by _tor user
pass out on egress proto tcp user _tor

If you forgot to save your original pf.conf file, the default one is available in /etc/examples/pf.conf should you want to go back to a standard PF configuration.

Here are the commands to type as root to install Tor and reload PF:

pkg_add tor
rcctl enable tor
rcctl start tor
pfctl -f /etc/pf.conf
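
Before reloading PF, the policy expressed by the ruleset above can be checked mechanically. The following is an added example, not part of the original post: a simplified lint that reads pf.conf text on stdin and fails unless there is an unconditional outbound block and every outbound pass rule is tied to the daemon user. The function names and the leaky sample rule are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: lint pf.conf text for "only USER may open outbound connections".
# Simplified: one rule per line, no macros, lists, tables, anchors or includes;
# anything it cannot prove safe is reported.

# audit_pf [USER] < pf.conf   prints findings, returns 0 only if the policy holds
audit_pf() {
    awk -v user="${1:-_tor}" '
        { sub(/#.*/, "") }                  # drop comments
        NF == 0 { next }
        { $1 = $1 }                         # normalise spacing
        # "set skip" exempts an interface from all rules: accept loopback only
        $1 == "set" && $2 == "skip" && $0 !~ /^set skip on lo[0-9]*$/ {
            printf "line %d: filtering skipped on non-loopback: %s\n", NR, $0; bad = 1
        }
        # an unconditional block that covers the outbound direction
        /^block( (drop|return|out|log|quick|all))*$/ { deny = 1 }
        # every pass rule able to match outbound traffic must be tied to USER
        $1 == "pass" && $2 != "in" && index(" " $0 " ", " user " user " ") == 0 {
            printf "line %d: outbound pass not limited to %s: %s\n", NR, user, $0; bad = 1
        }
        END {
            if (!deny) { print "no unconditional block for outbound traffic"; bad = 1 }
            exit bad + 0
        }'
}

# Constructed input 1: the ruleset from this page
page_rules() {
    cat <<'EOF'
set skip on lo
block out
block return
pass out on egress proto tcp user _tor
EOF
}

# Constructed input 2: the same ruleset after a hypothetical DNS exception is added
leaky_rules() {
    page_rules
    echo "pass out on egress proto udp to port 53"
}

page_rules  | audit_pf _tor && echo "page ruleset: only _tor can get out"
leaky_rules | audit_pf _tor || echo "leaky ruleset: rejected"
```

On a real system, run it as `audit_pf _tor < /etc/pf.conf` (or with `_i2p` / `_i2pd` for the I2P variant). `pfctl -nf /etc/pf.conf` parses the file without loading it, which checks syntax but not this policy.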

Configure your programs to use the SOCKS5 proxy at localhost:9050. If you need to reach a remote server or service of yours, you will need to have that server running Tor and define hidden services on it to access them through Tor.

3. Privacy considerations in the local area network

Please consider that if you are using DHCP to obtain an IP address on the network, the hostname of your system is shared, and so is its MAC address.

As for the MAC address, you can use "lladdr random" in your interface configuration file to have a new random MAC address on every boot.

As for the hostname, I didn't test it but it should work: rewrite your /etc/myname file with a new value at each boot, meaning that on the next boot you will have a new value. To do so, you could use an /etc/rc.local containing this script:

#!/bin/sh

# pick one random airport code from the list and store it as the hostname
grep -v '^#' /usr/share/misc/airport | cut -d ':' -f 1 | sort -R | head -n 1 > /etc/myname

The script will take a random name out of the 2000+ entries of the airport list (every airport in the list has been visited by an OpenBSD developer before being added). This still means you have a 1/2000 chance of getting the same name upon reboot; if you prefer more entropy, you can make a script generating a long random string.

4. Privacy considerations on the Web

You shouldn't use Tor with just any program: depending on the software used, your IP address may leak, because the software may not be built with privacy in mind. The Tor Browser (a modified Firefox including Tor and privacy settings) can be fully trusted to share/send only what is required and no more.

The point of this setup is to block leaking programs and only allow Tor to reach the Internet. After that, it's up to you to use Tor wisely. I recommend reading the Tor documentation to understand how it works.

Tor project documentation

5. Potential issues

The only issue I can imagine right now is connecting to a network with a captive portal to reach the Internet: you would have to disable the PF rule (or PF entirely), at the risk of some programs leaking data.

6. Same setup with I2P

If you prefer using only I2P to reach external services, replace _tor with _i2p or _i2pd in the pf.conf rule, depending on which implementation you use.

7. Conclusion

I'm not a huge Tor user but for the people who need to be sure non-Tor traffic can't go out, this is a simple setup to make.