OpenBSD, Tor and the The Fourteen Eyes



H ello people, got a good Saturday? Ready to open tons of bottles tomorrow? I 'm not...this year specially, i'm not ready. I will return on the street without any doubt, but this the another story.

So in our hands there's the nightmare of the security cannibals, the fish more difficult to take. There's OpenBSD. He (yes, it's a person, it's my best friend ) is a pure BSD 4.4 based Unix that never fail to his customer, respecting rules that, i'm my opinion, are fundamental blocks of great secures peaces of software:

  1. Clean and clear code.
  2. Default install with the necessary, no less no more.
  3. Very easy to use for a new customer.

Yes, the point three will open yours eyes i know, you will be accuse my to be insane....Well for sure... i'm totally insane but OpenBSD it's very clear and simple to manage. The secret it's to follow simple rules very easy to understand for the new and semi-new customer. OpenBSD don't use strange, absurd and long explication or vocabulary to explain the things. He will do it in simple way.

Remember, where you will find tons of code, many times there some fantastic genius that have done it to take you away from the source code. Adding complexity and time to understand basics procedure it's absolutely not a sign of great knowledge, it's a medieval procedure to maintain people away from the real purpose, that in this case will be obtain the keys to an extreme powerful, secure and clear Unix: OpenBSD.

I love Linux, but nowadays something, someone, or whatever the name you will use are totally destroy it. Millions of lines of code and complexity that have grow up a lot at low level code. For low class customer can use it with nice visual effects..

It's not difficult to understand, think about the new systemd, adopted for A LOT of great Linux distribution. Here are some links that will help you thing and OPEN your mind.

And this only the first thing that i've got in my mind when a speak about the beautiful but terribly fucked Linux, that it's NOT secure by default.



T or in computer science, that is what i'm speaking about with some Baroque embellishments, is the state of the art to theoretically preserve privacy of a Internet user. Remember very well, it was not designed to act like a security machine but like a privacy ensure. Is an open source software that enable anonymous communication in Internet. It can be stacked with other technologies, like vpn or i2p, to try conceal our real ip address and geo point of source.

Th or mythologically speaking, was son of Odin, dedicated to the protection of mankind and of the fortress of Asgard.

But..¿Was or is T [h]or really dedicated to the protection of the truth or does it complain also with other more obscures functions? A great question with a very difficult reply without a lot of sentiment and passion. I'm trying to do it better that i can but i really appreciate T [h]or. Really.

In real world, ou the binary system, Tor also open to the user, the man who navigate the Internet ocean, the access to the subterranean Internet, the (in)famous #deepweb, or Deep Internet. And like all the things that we know, deep can be deeper and deeper and deeper and so on. Many people think that #deepinternet is many times bigger than the Internet, is this true? Nobody, that i know ... ¿you know? know the answer. Like the deepest ocean in nature, i cannot explain to you what is the deepest Internet and who is the owner of that obscure site.

So it's normal that sometimes i was thinking about T[h]or more like Χάρων

Here you are some URI to try to do some light more on that themes:



But let's start together configuring those two fantastic open source project, and remember that Tor is not simple and easy like OpenBSD is.

Simply search and install tor and a good manager in nvcurse and gtk to admin it, we find in the classic port tree of OpenBSD:

$pkg_info -Q tor arm $pkg_add -U tor arm

Arm is the the next Nyx.

We will use it like a foreground program, without launch it from rc. In this first and simple configuration it will act like a SOCKS proxy, configure only some kind of nation like good jump in our tor path to the Internet and little more.

We will use Arm with the same preinstaller _tor user that use OpenBSD package. So:

$doas chown -R _tor ~/.arm $ doas cat > ~/.arm/.torrc << EOF DataDirectory /home/taglio/.arm/tor_data # location to store runtime data Log notice file /home/taglio/.arm/tor_log # location to log notices, warnings, and errors ControlPort 9051 # port controllers can connect to CookieAuthentication 1 # method for controller authentication ExitNodes {RO},{CH} ExcludeNodes {AU},{CA},{US},{NZ},{UK} EntryNodes {BE},{DE},{IT},{NL} StrictNodes 1 SocksPort 9900 EOF

We're now interested in initialize arm configure and explain what the hell are those {}

Only the acronym is obscure yet. UKUSA

Read with your eyes what the hell is this democratic right abuse and masochism. Here up in those links.

So in torrc we can indicate to our Tor how to don't pass through one nation that remiss to "The Fourteen Eyes" .

I use to enter in this example Belgium or German or Italy or Holland, and after an unknown jump i will leave the Tor network passing or for Romania or for Swiss.

No only the correct launch for the same Tor and we can go to sleep :P

$doas -u _tor tor -f toorrc $doas -u _tor arm

Explore the deepest that you can, but remember the more deep you arrive more pressure and less oxygen you will find.

OpenBSD, Tor transparent local proxy.


Just in the case that you've missed our last article we're speaking about OpenBSD , the most secure open source system operative in the world, and Tor , a free software for enabling anonymous communication. In our first post we have done an introduction and a first configuration creating a tor service with only one local socks port opened for a static user configuration. We've also introduced the concept of FVEY that we will continue to analyze as soon as possible. What we don't touch last time is the important fact that this two fabulous softwares have got a strange difficult history of interoperability between them. OpenBSD is in ours life from middle of the nineteen and Tor, the onion router project, from September 2002.

Tor daemon in a OpenBSD system

Starting from a clean OpenBSD install we will install Tor from packages:

$ doas pkg_add -U tor $ doas pkg_add -U arm # ncurse control tool

To see what files were added to our operative system with the install of those two packages simply use (package tor in the example ):

$ pkg_info -L tor Information for inst:tor- Files: /usr/local/bin/tor /usr/local/bin/tor-gencert /usr/local/bin/tor-resolve /usr/local/man/man1/tor-gencert.1 /usr/local/man/man1/tor-resolve.1 /usr/local/man/man1/tor.1 /usr/local/share/doc/tor/tor-gencert.html /usr/local/share/doc/tor/tor-resolve.html /usr/local/share/doc/tor/tor.html /usr/local/share/examples/tor/torrc.sample /usr/local/share/tor/geoip /usr/local/share/tor/geoip6 /etc/rc.d/tor

The torrc file

tor network

Now we have to configure the torrc file in /etc/tor/torrc :

$ doas cat /etc/tor/torrc User _tor RunAsDaemon 1 AvoidDiskWrites 1 GeoIPFile /usr/local/share/tor/geoip GeoIPv6File /usr/local/share/tor/geoip6 VirtualAddrNetwork AutomapHostsOnResolve 1 TransPort DNSPort DataDirectory /var/tor Log notice file /var/log/tor_log ControlPort CookieAuthentication 1 ExcludeNodes {AU}, {CA}, {US}, {NZ}, {GB}, {DK}, {FR}, {NL}, {NO}, {BE}, {DE}, {IT}, {ES}, {SE} NodeFamily {AU}, {CA}, {US}, {NZ}, {GB}, {DK}, {FR}, {NL}, {NO}, {BE}, {DE}, {IT}, {ES}, {SE} StrictNodes 1 GeoIPExcludeUnknown 1 SocksPort PathsNeededToBuildCircuits 0.95

Prepare the environment:

$ doas mkdir /var/tor $ doas chown -R _tor:_tor /var/tor $ doas chown _tor:_tor /dev/pf $ doas touch /var/log/tor_log $ doas chown _tor:_tor /var/log/tor_log

Let's explain every option in the torrc :

  1. User: after open the sockets the daemon will work under the UID of.
  2. RunAsDaemon: to launch or not the daemon in the background.
  3. AvoidDiskWrites: try to write to disk less frequently.
  4. GeoIpFile: where is in the fs tree.
  5. GeoIpv6File: where is in the fs tree.
  6. VirtualAddrNetwork: will try to explain later .
  7. AutomapHostsOnResolve: control VirtualAddrNetwork.
  8. TransPort: transparent proxy port where tor communicate with pf.
  9. DnsPort: port where tor dns resolver accept queries.
  10. DataDirectory: where tor put his session stuff.
  11. Log notice file: log file (don't know why accept spaces here ).
  12. ControlPort: port where arm or others have to connect to control tor.
  13. CookieAuthentication: bool to indicate the authentication mode in control port.
  14. ExcludeNodes: where we don't want to go in ours tor circuits using ISO 3166 country code.
  15. NodeFamily: build a unique family with those codes.
  16. StrictNodes: strictly respect our ExcludeNodes list.
  17. GeoIPExcludeUnknown: if it don't know where is the tor relay simply don't use it.
  18. SocksPort: static port socks 4/5 listener (will deepen later ).
  19. PathsNeededToBuildCircuits: tor won’t build circuits until it has enough descriptors or microdescriptors to construct that fraction of possible paths.

Now we've to be sure that dhclient will not rewrite /etc/resolv.conf . In OpenBSD we've to add this to /etc/dhcpclient.conf :

$ doas cat <<EOF >> /etc/dhclient.conf supersede domain-name-servers; EOF $ doas sh /etc/netstart

The pf.conf file

the pf firewall

OpenBSD was the first system operative to use one of the most powerful firewall, pf. In others POST we will better analyze how to properly use this monster, but for now simply use this pf.conf to create a transparent firewall in an OpenBSD system newer than the 4.7 version. We create another loopback interface in our system to play a little with internal routing:

$ doas ifconfig lo1 create up $ doas cat <<EOF >> /etc/hostname.lo1 inet EOF

And use those directives in our pf.conf :

$ doas cat <> /etc/pf.conf destinations you don't want routed through Tor non_tor = "{ }" Tor's TransPort trans_port = "9040" match in all scrub (no-df random-id reassemble tcp) antispoof for egress inet block return log on egress all pass in quick on lo1 inet proto tcp all flags S/SA modulate state rdr-to port $trans_port pass in quick on lo1 inet proto udp to port domain rdr-to port domain pass quick on { lo0 lo1 } pass out quick inet proto tcp user tor flags S/SA modulate state pass out quick inet proto udp to port domain route-to lo1 pass out quick inet to $nontor pass out inet proto tcp all route-to lo1 EOF

Here you are some examples on how to use the pf firewall:

Start tor at boot

Last configuration is to activate tor at start. ¿Will you use this daemon to protect your privacy or to access to the #deepinternet?

$ doas rcctl enable tor $ doas reboot

stay tuned for more OpenBSD, tor and deep Internet posts, i love you.

OpenBSD, Tor, 14 applications example. PART 1

Fourteen application, the first three are browsers

First of all sorry for the delay, but i was busy with real life and i cannot go on with our series. Let's start to analyze every step necessary to configure use of the TCP/IP socks sockets that we opened in our last article.


Firefox tor sockv5 configuration

Like we can see in the image:

  1. open about:preferences#advanced
  2. click on network tab
  3. click on Settings
  4. check Manual proxy configuration
  5. write on SOCKS Host the local ip and Port 9900
  6. write on No proxy for localhost,,,, that are privates network as RFC1918.


As default chromium has no simple option to set a proxy server different from the system wide proxy. But we've done a little hack .

$ which chrome /usr/local/bin/chrome $ file /usr/local/bin/chrome /usr/local/bin/chrome: Bourne shell script text executable

So here we can appreciate that chrome in our OpenBSD workstation is not an executable but is a shell script, here is a cat:

·$ cat /usr/local/bin/chrome !/bin/sh $OpenBSD: chrome,v 1.14 2016/06/02 21:03:38 sthen Exp $ DATASIZE="716800" OPENFILES="400" xm_log() { echo -n "$@\nDo you want to run Chromium anyway?\n\ (If you don't increase these limits, Chromium might fail to work properly.)" | \ /usr/X11R6/bin/xmessage -file - -center -buttons yes:0,no:1 -default no } if [ $(ulimit -Sd) -lt ${DATASIZE} ]; then ulimit -Sd ${DATASIZE} || \ xm_log "Cannot increase datasize-cur to at least ${DATASIZE}" [ $? -eq 0 ] || exit fi if [ $(ulimit -Sn) -lt ${OPENFILES} ]; then ulimit -Sn ${OPENFILES} || \ xm_log "Cannot increase openfiles-cur to at least ${OPENFILES}" [ $? -eq 0 ] || exit fi if ! mount | grep df -h /usr/local | tail -1 | awk '{print $6}' | grep -q wxallowed; then echo "Filesystem containing /usr/local must have the 'wxallowed' flag" | /usr/X11R6/bin/xmessage -file - -center -buttons exit:0 -default exit exit fi # Temporary workaround for the case when chromium crashes and leaves the SingletonLock, which prevents chromium to start up. # if [ -h ${HOME}/.config/chromium/SingletonLock ]; then pid=readlink ${HOME}/.config/chromium/SingletonLock | cut -d '-' -f 2 kill -0 ${pid} 2>/dev/null if [ $? -gt 0 ]; then rm ${HOME}/.config/chromium/SingletonLock fi fi # Issue #395446 # [ -z ${LANG} ] && l=enUS.UTF-8 || _l=${LANG} LANG=${_l} exec "/usr/local/chrome/chrome" "${@}" "--proxy-server="socks5://""

How you can see int last line of the script there is the real exec of the binary that in OpenBSD is located in /usr/local/chrome/chrome . Simply concat in the same line of the var LANG the string "--proxy-server="socks5://" and close the sentence with a " that we've previously remove from the old sentence (the last one that you will find doing a cat ). You can appreciate that for chrome we use socksv5 port 9901 .

Tor browser

Tor browser is an open source fork of Firefox. It's maintained by the torproject folks. You can find the binaries here in github. But remember that we're using OpenBSD and the Tor browser bundle is available in the ports tree. To download the binary for OpenBSD do:

$ doas pkg_add -U tor-browser

But tor-browser have got a tor daemon included that control via the tor button that we can launch via the onion icon on the left of the navigation bar. The first time that we execute this browser simply accept the default settings waiting to connect on the window that appear. But next:

Tor browser onion button first window

This is the first sub window if we click on the onion button . Let's assume that we will use tor browser with the most deep navigation in the web. So click on security settingsand:

Tor browser security settings

Use the High position to garantized the best shields for this new adventure . Next return to the previous window and click on Tor network settings

Tor browser network settings
  1. Check This computer need to use a local proxy to access the Internet
  2. Select for Proxy Type the option SOCKS 5
  3. Write in Address and in Port 9902

Now...there's some post on the web that does not recommend concatenate Tor over Tor, like this; but there is no exact explication so i really don't think so.

Remember that we have banned ALL the fourteens eyes country in our last configuration. I quoted the explication from :

The UKUSA Agreement is an agreement between the United Kingdom, United States, Australia, Canada, and New Zealand to cooperatively collect, analyze, and share intelligence. Members of this group, known as the Five Eyes, focus on gathering and analyzing intelligence from different parts of the world. While Five Eyes countries have agreed to not spy on each other as adversaries, leaks by Snowden have revealed that some Five Eyes members monitor each other’s citizens and share intelligence to avoid breaking domestic laws that prohibit them from spying on their own citizens. The Five Eyes alliance also cooperates with groups of third party countries to share intelligence (forming the Nine Eyes and Fourteen Eyes), however Five Eyes and third party countries can and do spy on each other.

In the configuration of the tor daemon that came with tor browser we force tor to use the countries of the nine eyes group that will be the first three hops of ours jumps in the tor network. Doing so we will use six hops to navigate the Internet. This are the files shipped with tor launcher (a sub packet of tor browser ):

$ pkg_info -L tor-launcher Information for inst:tor-launcher- Files: /usr/local/lib/tor-browser-7.0.5/browser/extensions/ /usr/local/share/tor-browser/torrc-defaults

Open torrc-defaults with your favorite text editor and add:

ExcludeNodes {AD},{AE},{AF},{AG},{AI},{AL},{AM},{AO},{AQ},{AR},{AS},{AT},{AU},{AW},{AX},{AZ},{BA},{BB},{BD},{BE},{BF},{BG},{BH},{BI},{BJ},{BL},{BM},{BN},{BO},{BQ},{BR},{BS},{BT},{BV},{BW},{BY},{BZ},{CA},{CC},{CD},{CF},{CG},{CH},{CI},{CK},{CL},{CM},{CN},{CO},{CR},{CU},{CV},{CW},{CX},{CY},{CZ},{DE},{DJ},{DM},{DO},{DZ},{EC},{EE},{EG},{EH},{ER},{ES},{ET},{FI},{FJ},{FK},{FM},{FO},{GA},{GB},{GD},{GE},{GF},{GG},{GH},{GI},{GL},{GM},{GN},{GP},{GQ},{GR},{GS},{GT},{GU},{GW},{GY},{HK},{HM},{HN},{HR},{HT},{HU},{ID},{IE},{IL},{IM},{IN},{IO},{IQ},{IR},{IS},{IT},{JE},{JM},{JO},{JP},{KE},{KG},{KH},{KI},{KM},{KN},{KP},{KR},{KW},{KY},{KZ},{LA},{LB},{LC},{LI},{LK},{LR},{LS},{LT},{LU},{LV},{LY},{MA},{MC},{MD},{ME},{MF},{MG},{MH},{MK},{ML},{MM},{MN},{MO},{MP},{MQ},{MR},{MS},{MT},{MU},{MV},{MW},{MX},{MY},{MZ},{NA},{NC},{NE},{NF},{NG},{NI},{NP},{NR},{NU},{NZ},{OM},{PA},{PE},{PF},{PG},{PH},{PK},{PL},{PM},{PN},{PR},{PS},{PT},{PW},{PY},{QA},{RE},{RO},{RS},{RU},{RW},{SA},{SB},{SC},{SD},{SE},{SG},{SH},{SI},{SJ},{SK},{SL},{SM},{SN},{SO},{SR},{SS},{ST},{SV},{SX},{SY},{SZ},{TC},{TD},{TF},{TG},{TH},{TJ},{TK},{TL},{TM},{TN},{TO},{TR},{TT},{TV},{TW},{TZ},{UA},{UG},{UM},{US},{UY},{UZ},{VA},{VC},{VE},{VG},{VI},{VN},{VU},{WF},{WS},{YE},{YT},{ZA},{ZM},{ZW} NodeFamily {AD},{AE},{AF},{AG},{AI},{AL},{AM},{AO},{AQ},{AR},{AS},{AT},{AU},{AW},{AX},{AZ},{BA},{BB},{BD},{BE},{BF},{BG},{BH},{BI},{BJ},{BL},{BM},{BN},{BO},{BQ},{BR},{BS},{BT},{BV},{BW},{BY},{BZ},{CA},{CC},{CD},{CF},{CG},{CH},{CI},{CK},{CL},{CM},{CN},{CO},{CR},{CU},{CV},{CW},{CX},{CY},{CZ},{DE},{DJ},{DM},{DO},{DZ},{EC},{EE},{EG},{EH},{ER},{ES},{ET},{FI},{FJ},{FK},{FM},{FO},{GA},{GB},{GD},{GE},{GF},{GG},{GH},{GI},{GL},{GM},{GN},{GP},{GQ},{GR},{GS},{GT},{GU},{GW},{GY},{HK},{HM},{HN},{HR},{HT},{HU},{ID},{IE},{IL},{IM},{IN},{IO},{IQ},{IR},{IS},{IT},{JE},{JM},{JO},{JP},{KE},{KG},{KH},{KI},{KM},{KN},{KP},{KR},{KW},{KY},{KZ},{LA},{LB},{LC},{LI},{LK},{LR},{LS},{LT},{LU},{LV},{LY},{MA},{MC},{MD},{ME},{MF},{MG},{MH},{MK},{ML},{MM},{MN},{MO},{MP},{MQ},{MR},{MS},{MT},{MU},{MV},{MW},{MX},{MY},{MZ},{NA},{NC},{NE},{NF},{NG},{NI},{NP},{NR},{NU},{NZ},{OM},{PA},{PE},{PF},{PG},{PH},{PK},{PL},{PM},{PN},{PR},{PS},{PT},{PW},{PY},{QA},{RE},{RO},{RS},{RU},{RW},{SA},{SB},{SC},{SD},{SE},{SG},{SH},{SI},{SJ},{SK},{SL},{SM},{SN},{SO},{SR},{SS},{ST},{SV},{SX},{SY},{SZ},{TC},{TD},{TF},{TG},{TH},{TJ},{TK},{TL},{TM},{TN},{TO},{TR},{TT},{TV},{TW},{TZ},{UA},{UG},{UM},{US},{UY},{UZ},{VA},{VC},{VE},{VG},{VI},{VN},{VU},{WF},{WS},{YE},{YT},{ZA},{ZM},{ZW} StrictNodes 1 GeoIPExcludeUnknown 1

You find all the country codes ISO 3166 in this sheet

Openbsd, Tor, Privoxy and the browsers.

Privoxy, add a new friend to the battle.

So, we've got now three browsers using three differents socks port to access the Tor network, and the last of ours browsers building a special doble circuit in the tor network combining different countries (this is not bad at all ). Remember, we were here . But...the situation is so difficult...we've to protect us with more layers.

Let's introduce the layer 7 firewall Privoxy.

What is a layer 7 firewall? It's a firewall that work at the last layer of the ISO/OSI network stack, that in no technical user speaking is the URI,, ...

Matryoshka are sexis

Russian Matrioska

We like Russia , and we like матрёшка.

In this case we're doing the exact thing, encapsulate layer after layer our information to protect it from the privacy cannibals . Our dolls start from the navigator, go through privoxy and the will be routed to the Tor network. Let install privoxy from the OpenBSD precompiled packages with a simple command:

$ doas pkg_add -U privoxy

It will install those files and binaries:

$ pkg_info -L privoxy Information for inst:privoxy-3.0.26 Files: /usr/local/bin/ /usr/local/bin/ /usr/local/bin/ /usr/local/bin/ /usr/local/man/man1/privoxy.1 /usr/local/sbin/privoxy /usr/local/share/doc/privoxy/AUTHORS /usr/local/share/doc/privoxy/ChangeLog /usr/local/share/doc/privoxy/LICENSE /usr/local/share/doc/privoxy/README /usr/local/share/examples/privoxy/config /usr/local/share/examples/privoxy/default.action /usr/local/share/examples/privoxy/default.filter /usr/local/share/examples/privoxy/match-all.action /usr/local/share/examples/privoxy/regression-tests.action /usr/local/share/examples/privoxy/templates/blocked /usr/local/share/examples/privoxy/templates/cgi-error-404 /usr/local/share/examples/privoxy/templates/cgi-error-bad-param /usr/local/share/examples/privoxy/templates/cgi-error-disabled /usr/local/share/examples/privoxy/templates/cgi-error-file /usr/local/share/examples/privoxy/templates/cgi-error-file-read-only /usr/local/share/examples/privoxy/templates/cgi-error-modified /usr/local/share/examples/privoxy/templates/cgi-error-parse /usr/local/share/examples/privoxy/templates/cgi-style.css /usr/local/share/examples/privoxy/templates/client-tags /usr/local/share/examples/privoxy/templates/connect-failed /usr/local/share/examples/privoxy/templates/connection-timeout /usr/local/share/examples/privoxy/templates/default /usr/local/share/examples/privoxy/templates/edit-actions-add-url-form /usr/local/share/examples/privoxy/templates/edit-actions-for-url /usr/local/share/examples/privoxy/templates/edit-actions-for-url-filter /usr/local/share/examples/privoxy/templates/edit-actions-list /usr/local/share/examples/privoxy/templates/edit-actions-list-button /usr/local/share/examples/privoxy/templates/edit-actions-list-section /usr/local/share/examples/privoxy/templates/edit-actions-list-url /usr/local/share/examples/privoxy/templates/edit-actions-remove-url-form /usr/local/share/examples/privoxy/templates/edit-actions-url-form /usr/local/share/examples/privoxy/templates/forwarding-failed /usr/local/share/examples/privoxy/templates/mod-local-help /usr/local/share/examples/privoxy/templates/mod-support-and-service /usr/local/share/examples/privoxy/templates/mod-title /usr/local/share/examples/privoxy/templates/mod-unstable-warning /usr/local/share/examples/privoxy/templates/no-server-data /usr/local/share/examples/privoxy/templates/no-such-domain /usr/local/share/examples/privoxy/templates/show-request /usr/local/share/examples/privoxy/templates/show-status /usr/local/share/examples/privoxy/templates/show-status-file /usr/local/share/examples/privoxy/templates/show-url-info /usr/local/share/examples/privoxy/templates/show-version /usr/local/share/examples/privoxy/templates/toggle /usr/local/share/examples/privoxy/templates/toggle-mini /usr/local/share/examples/privoxy/templates/untrusted /usr/local/share/examples/privoxy/templates/url-info-osd.xml /usr/local/share/examples/privoxy/user.action /usr/local/share/examples/privoxy/user.filter /etc/rc.d/privoxy

We've only a little problem respect to Tor with privoxy. To concatenate three privoxy ports to three Tor ports we've to launch three different privoxy instances. But with OpenBSD and to his clearness this is very simple. Let's go deep in the configuration:

Ok all it's simple and without complications. Good, i love OpenBSD . The privoxy main configuration file is full of options and you have to dedicate a couple of ours to understand all the voices, or to simply read it. For now we use this basic configuration (in ours next chapters probably we will do some changes to it). Let's see together the one that will be used in the firefox environment:

$ cat /etc/privoxy/firefox # $Id: config,v 1.112 2016/08/26 13:14:18 fabiankeil Exp $ # Copyright (C) 2001-2016 Privoxy Developers # user-manual trust-info-url admin-address config guide proxy-info-url confdir /etc/privoxy templdir /etc/privoxy/templates logdir /var/log/privoxy actionsfile match-all.action # Actions that are applied to all sites and maybe overruled later on. actionsfile default.action # Main actions file actionsfile user.action # User customizations filterfile default.filter filterfile user.filter # User customizations logfile privoxyfirefox.log if set all deny but the ones listed on [use ~ like *] trustfile trust # debug 1 # Log the destination for each request Privoxy let through. See also debug 1024 debug 2 # show each connection status debug 4 # show I/O status debug 8 # show header parsing debug 16 # log all data written to the network debug 32 # debug force feature debug 64 # debug regular expression filters debug 128 # debug redirects debug 256 # debug GIF de-animation debug 512 # Common Log Format debug 1024 # Log the destination for requests Privoxy didn't let through, and the reason why. debug 2048 # CGI user interface debug 4096 # Startup banner and warnings. debug 8192 # Non-fatal errors debug 32768 # log all data read from the network debug 65536 # Log the applying actions debug 1 # Log the destination for each request Privoxy let through. See also debug 1024. debug 1024 # Actions that are applied to all sites and maybe overruled later on. debug 4096 # Startup banner and warnings debug 8192 # Non-fatal errors single-threaded 0 hostname Lutetia.unknown_domain listen-address filter mode toggle 1 enable-remote-toggle 0 filter by X-filter http header enable-remote-http-toggle 0 enable-edit-actions 0 enforce-blocks 1 srcaddr[:port][/srcmasklen] [dstaddr[:port][/dstmasklen]] permit-access buffer-limit 8192 enable if there's a parent proxy enable-proxy-authentication-forwarding 0 forward-socks5 / . forwarded-connect-retries 0 transparent proxy accept-intercepted-requests 0 # allow-cgi-request-crunching 0 split-large-forms 0 grow up to 300 (if browser hang stop) keep-alive-timeout 5 disable if problems tolerate-pipelining 1 default-server-timeout 60 connection-sharing 0 try to reduce to 5 sec socket-timeout 300 max-client-connections 256 handle-as-empty-doc-returns-ok 0 enable-compression 1 compression-level 3 client-header-order Host \ Accept \ Accept-Language \ Accept-Encoding \ Proxy-Connection \ Referer \ Cookie \ DNT \ If-Modified-Since \ Cache-Control \ Content-Length \ Content-Type # client-specific-tag circumvent-blocks Overrule blocks but do not affect other actions disable-content-filters Disable content-filters but do not affect other actions # # client-tag-lifetime 180 # IP address with a X-Forwarded-For header. trust-x-forwarded-for 1

Ok simply change admin-addressand hostname with the yours. Privoxy send in every configuration file the http proxy port to a distinct socks port. To create the others two execute this command:

sed s/privoxyfirefox/privoxychrome/g privoxyfirefox | sed s/9900/9901/g > privoxychrome sed s/privoxychrome/privoxytorbrowser/g privoxychrome | sed s/9901/9902/g > privoxytorbrowser

Now create the missing logs files with:

$ doas touch /var/log/privoxy/privoxyfirefox.log $ doas touch /var/log/privoxy/privoxychrome.log $ doas touch /var/log/privoxy/privoxytorbrowser.log

And enable all the three at boot:

$ doas rcctl enable privoxyfirefox $ doas rcctl set privoxyfirefox user _privoxy $ doas rcctl set privoxyfirefox flags /etc/privoxy/firefox $ doas rcctl enable privoxychrome $ doas rcctl set privoxychrome user _privoxy $ doas rcctl set privoxychrome flags /etc/privoxy/chrome $ doas rcctl enable privoxytorbrowser $ doas rcctl set privoxytorbrowser user _privoxy $ doas rcctl set privoxytorbrowser flags /etc/privoxy/torbrowser

At last start the three daemons:

$ doas rcctl start privoxyfirefox $ doas rcctl start privoxychrome $ doas rcctl start privoxytorbrowser

Browsers configurations

browsers configuration with privoxy

Now we've got the correct setup of privoxy, but remember without any rule of layer 7 firewalling, that we will see in our next chapter. We've to change the configuration of the three browsers to use privoxy and not directly the tor socks.

  1. Firefox: Firefox privoxy
  2. Chrome: simply change --proxy-server="socks5://" with -proxy-server=""
  3. Torbrowser: Tor browser privoxy

Preparing the chicken soup

chicken soup

Ok, the cooking is started, but one last little hack to disturb our favorites cannibals . Let's eliminate the HTTP header Refer:

cat >> /etc/privoxy/user.filter << EOF { +crunch-client-header{Referer:} } / EOF
"Perchè signori si nasce, non si diventa"--Antonio de Curtis