Tor Proxy & Bridge on Ubuntu 16.10

The tor project is a collection of software designed as an Internet layer/protocol that enables users send/receive network traffic of all kinds while making it difficult for a third party observer to  conduct surveillance of the traffic. The project attempts to accomplish this by bouncing the user’s network traffic around a world wide network of relays. All of this traffic bouncing make the traffic difficult to observe and difficult for the computer systems your attempt to reach by way of the tor network to know your true physical location or ip address.

The network is operated by numerous volunteers who are willing to share some of their bandwidth and a little CPU power with the rest of the network. Most participants in the network feel that this technology is an extremely important component in the mix of available technologies that can help users maintain their privacy.

As with all technology the tor network can be used for the greater good or for less noble purposes. Examples of this usage dichotomy might include helping those who live in dangerous part of the world or under the rule of oppressive regimes communicate with the rest of the world or enabling end users to attain the intellectual property of others illegally. But, I suspect most users just want to maintain their privacy.

Below is a recipe you can use to install the tor software on your computer thereby creating a node or extra hop in the network to allow or assist in the bouncing of data around the tor network helping others maintain their privacy. The software is available for several platforms but we are going to focus on installing the software on an Ubuntu 16.10 Server.

Our configuration will allow our server to act as a proxy on the LAN so that other computers on your local area network can make use of the tor proxy we are setting up and hence have their traffic relayed and obfuscated over the tor network. This recipe will also allow our server to act as a “bridge” or specialized tor relay node that is “unpublished” and known (for discussion purposes)  by only a few other nodes on the network. Each bridge node increase the opacity of the network. So, even if your node isn’t a “exit” node it is a meaningful contribution to the operation of the network.

Installing the basic software…

We are going to elevate to root, add a few repository addresses at the tor project to ensure we are getting the latest and greatest versions of the software, we’ll update our local db of available software and install the required packages.

$ sudo -s
# vi (or your favorite editor) /etc/apt/sources.list.d/tor.list

Add the lines:

deb xenial main
deb-src xenial main
deb obfs4proxy main

Note: We are installing on Ubuntu 16.10 “Yakkety” but two of the entries above are for Ubuntu 16.04 “Xenial.” It’s OK. It seems that the required packages on the tor Xenial repository site are more up to date than those found in the official Ubuntu 16.04 Xenial repositories and they run just fine on Ubuntu 16.10 Yakkety release. I don’t know if the tor project will have a specific Ubuntu 16.10 Yakkety repository but for now the entries above will get the job done. This of course also begs the question why aren’t the most current stable versions of the tor packages already in the main Ubuntu repository? I don’t know the reason for this either. I suspect it’s probably a timing isssue of the when the software is added to the “upstream” Debian project from which Ubuntu draws many software packages. But, I am unsure if this supposition is correct.

Next we need to download and add the gpg key for the tor project repository so that we can be sure our standard apt tools to read from the repository and ensure that the packages are indeed those published by the project.

# gpg –keyserver –recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
# gpg –export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add –

Now let’s update and install the software:

# apt-get install aptitude (my preferred apt tool)
# aptitude update
# aptitude install –with-recommends tor obfs4proxy tor-arm

Before we go any further there is a bit of a glitch/typo in one of the apparmor (firewall) files that is a part of the Ubuntu 16.10 distribution. We need to edit this file and fix the glitch/typo before we continue with the configuration of tor on our server.

# vi /etc/apparmor.d/abstractions/tor

Change 2 entries/lines in this file from:

/usr/bin/obfsproxy PUx,
/usr/bin/obfs4proxy PUx,


 /usr/bin/obfsproxy ix,
/usr/bin/obfs4proxy ix,

After editing and saving the updated file issue the command:

# apparmor_parser -r /etc/apparmor.d/system_tor

Now that we’ve addressed the apparmor glitch/typo let’s start configuring tor. There are two files we need to address. In the first file of interest is the “default” file used by the tor init.d script. We just want to make a quick tweak and this step is optional.

# vi /etc/default/tor

Uncomment and alter the line:

# NICE=”–nicelevel 5″


NICE=”–nicelevel 15″ (We removed the # and changed 5 to 15)

The impact of the above edit was to change the priority that the operating system will give to the tor proxy when it runs. 15 is actually a LOW priority so we know that tor won’t be intrusive on other items we have running on our server. Again, the above is optional and not critical.

Next, we’re going to clear out the default main configuration file for tor and just put in our own entries. But, we’ll back up the original file first just in case we need the file for reference later.

# cp /etc/tor/torrc /etc/tor/torrc.orig (back this file up just in case)
# vi /etc/tor/torrc

Make the following entries in the file. Of course, change to the address of your server. Change the SOCKSPolicy network/mask to match your network. Update the Address and Nickname values to meet your needs.

SOCKSPort 9050 # Default: Bind to localhost:9050 for local connections.
SOCKSPort # Bind to this address:port so available to the LAN
SOCKSPort # Bind to this address:port so available to the LAN

SOCKSPolicy accept # Allow any device on the LAN to use the proxy
SOCKSPolicy accept6 FC00::/7 # Allow any IP6 device on the LAN to use the proxy
SOCKSPolicy reject * # Deny anything else

Log notice file /var/log/tor/notices.log # Log all notices from the proxy
#Log debug file /var/log/tor/debug.log # Uncomment this line only if you really need it

RunAsDaemon 0 # init.d script is already running tor as daemon
DataDirectory /var/lib/tor # Default value
ControlPort 9051 # Default value
HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C # Probably should hash a new password and replace this default control password

HiddenServiceStatistics 1 # Default Value

ORPort 443 # Default value is actually 9001
#DirPort 80 # Commented out because we are configuring as a bridge
#DirPortFrontPage /etc/tor/tor-exit-notice.html # Commented out because we are configuring as a bridge
Address # Change to suit
Nickname yourNodeNickName # Change to suit
OutboundBindAddress # Change to suit
DisableDebuggerAttachment 0

AccountingMax 40 GB # Increase if you can be more generous per month (e.g 100 GB)
AccountingStart month 1 00:00 # Start counting the 40 GBytes above on 1st of month
RelayBandwidthRate 100 KB # Increase if you can be more generous (e.g. 2 MB)
RelayBandwidthBurst 200 KB # Increase if you can be more generous (e.g. 4 MB)

ContactInfo Your Name <> # Just in case network operators need to reach your

ExitPolicy reject *:* # no exits allowed
BridgeRelay 1 # Yes, our node is to operate as a bridge
PublishServerDescriptor 0 # Don’t let the world know I’m here

ServerTransportPlugin obfs3,obfs4 exec /usr/bin/obfs4proxy managed # Obfuscate Traffic

All done setting configuring tor. Restart the tor service.

# service tor restart

Now, one interesting thing above. Tor usually runs on port 9001 but we are going to run it on port 443 (https) which is a very common port for secure Internet traffic and so is less likely to draw attention. Feel free to stick with port 9001 if you already have services or server on this system using port 443. Use of port 443 in this example is just a preference of mine.

A second interesting point is that we are using the obfs4proxy (which is also backwards compatible with more widely deployed version 3 obfs3proxy) which endeavors to make our traffic to/from our node less obvious so a third party observer.

Thirdly, we are setup as a “proxy” on your local area network. So, any PC or Program (web browser, irc, chat, etc.) that can make use of a proxy can use (or really the actual address of your server on your LAN) on either port 9050 or port 9100.

Finally, it is important to know that all the above if for naught if you can’t connect to the tor network and the network can’t connect to your server. So you will need to make sure your Internet firewall/router is set to port forward incoming traffic on port 443 to your internal server on port 443 of the server that we just setup for proxy & bridge above.

You can monitor the activity of your node using the “arm” command which is kind of like top/htop for your tor node. And of course you can always see what is generally going on with your node by tailing the /var/log/tor/notices.log

# tail -f /var/log/tor/notices.log
# arm

To learn more about tor, alternative configuration options and other software from the tor project check out

One thought on “Tor Proxy & Bridge on Ubuntu 16.10

  1. Thanks! The edits on apparmor config file help me to solve this syslog message

    kernel: [56978.358464] audit: type=1400 audit(1495631687.338:2): apparmor=”DENIED” operation=”change_onexec” info=”label not found” error=-2 profile=”unconfined” name=”system_tor” pid=3388 comm=”(tor)”


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s