RNMnetwork/opensource_guides/openbsd_tor_privoxy.md
Riccardo Giuntoli 52869ace38 3
2020-06-03 07:33:49 +02:00

35 KiB
Raw Blame History

OpenBSD, Tor and the The Fourteen Eyes

img

INTRODUCTION TO THE FACTS

Hello people, got a good Saturday? Ready to open tons of bottles tomorrow? I'm not...this year specially, i'm not ready. I will return on the street without any doubt, but this the another story.

So in our hands there's the nightmare of the security cannibals, the fish more difficult to take. There's OpenBSD. He (yes, it's a person, it's my best friend) is a pure BSD 4.4 based Unix that never fail to his customer, respecting rules that, i'm my opinion, are fundamental blocks of great secures peaces of software:

  1. Clean and clear code.
  2. Default install with the necessary, no less no more.
  3. Very easy to use for a new customer.

Yes, the point three will open yours eyes i know, you will be accuse my to be insane....Well for sure... i'm totally insane but OpenBSD it's very clear and simple to manage. The secret it's to follow simple rules very easy to understand for the new and semi-new customer. OpenBSD don't use strange, absurd and long explication or vocabulary to explain the things. He will do it in simple way.

Remember, where you will find tons of code, many times there some fantastic genius that have done it to take you away from the source code. Adding complexity and time to understand basics procedure it's absolutely not a sign of great knowledge, it's a medieval procedure to maintain people away from the real purpose, that in this case will be obtain the keys to an extreme powerful, secure and clear Unix: OpenBSD.

I love Linux, but nowadays something, someone, or whatever the name you will use are totally destroy it. Millions of lines of code and complexity that have grow up a lot at low level code. For low class customer can use it with nice visual effects..

It's not difficult to understand, think about the new systemd, adopted for A LOT of great Linux distribution. Here are some links that will help you thing and OPEN your mind.

And this only the first thing that i've got in my mind when a speak about the beautiful but terribly fucked Linux, that it's NOT secure by default.

TOR, ONE GOD OR ONE IMPOSTOR (IT DON'T HAVE THE 'H')

img

Tor in computer science, that is what i'm speaking about with some Baroque embellishments, is the state of the art to theoretically preserve privacy of a Internet user. Remember very well, it was not designed to act like a security machine but like a privacy ensure. Is an open source software that enable anonymous communication in Internet. It can be stacked with other technologies, like vpn or i2p, to try conceal our real ip address and geo point of source.

Thor mythologically speaking, was son of Odin, dedicated to the protection of mankind and of the fortress of Asgard.

But..¿Was or is T**[h]or really dedicated to the protection of the truth or does it complain also with other more obscures functions? A great question with a very difficult reply without a lot of sentiment and passion. I'm trying to do it better that i can but i really appreciate T[h]**or. Really.

In real world, ou Jesus..real...in the binary system, Tor also open to the user, the man who navigate the Internet ocean, the access to the subterranean Internet, the (in)famous #deepweb, or Deep Internet. And like all the things that we know, deep can be deeper and deeper and deeper and so on. Many people think that #deepinternet is many times bigger than the Internet, is this true? Nobody, that i know ... ¿you know? know the answer. Like the deepest ocean in nature, i cannot explain to you what is the deepest Internet and who is the owner of that obscure site.

So it's normal that sometimes i was thinking about T[h]or more like Χάρων

Here you are some URI to try to do some light more on that themes:

THE FOURTEEN EYES

img

But let's start together configuring those two fantastic open source project, and remember that Tor is not simple and easy like OpenBSD is.

Simply search and install tor and a good manager in nvcurse and gtk to admin it, we find in the classic port tree of OpenBSD:

$pkg_info -Q tor arm
$pkg_add -U tor arm

Arm is the the next Nyx.

We will use it like a foreground program, without launch it from rc. In this first and simple configuration it will act like a SOCKS proxy, configure only some kind of nation like good jump in our tor path to the Internet and little more.

We will use Arm with the same preinstaller _tor user that use OpenBSD package. So:

$doas chown -R _tor ~/.arm
$ doas cat > ~/.arm/.torrc << EOF 
DataDirectory /home/taglio/.arm/tor_data # location to store runtime data
Log notice file /home/taglio/.arm/tor_log # location to log notices, warnings, and errors
ControlPort 9051      # port controllers can connect to
CookieAuthentication 1     # method for controller authentication
ExitNodes {RO},{CH}
ExcludeNodes {AU},{CA},{US},{NZ},{UK}
EntryNodes {BE},{DE},{IT},{NL}
StrictNodes 1
SocksPort 9900
EOF

We're now interested in initialize arm configure and explain what the hell are those {}

https://en.wikipedia.org/wiki/UKUSA_Agreement

https://www.privacytools.io/#ukusa

Only the acronym is obscure yet. UKUSA

Read with your eyes what the hell is this democratic right abuse and masochism. Here up in those links.

So in torrc we can indicate to our Tor how to don't pass through one nation that remiss to "The Fourteen Eyes".

I use to enter in this example Belgium or German or Italy or Holland, and after an unknown jump i will leave the Tor network passing or for Romania or for Swiss.

No only the correct launch for the same Tor and we can go to sleep :P

$doas -u _tor tor -f toorrc
$doas -u _tor arm

Explore the deepest that you can, but remember the more deep you arrive more pressure and less oxygen you will find.

OpenBSD, Tor transparent local proxy.

Background


Just in the case that you've missed our last article we're speaking about OpenBSD, the most secure open source system operative in the world, and Tor, a free software for enabling anonymous communication. In our first post we have done an introduction and a first configuration creating a tor service with only one local socks port opened for a static user configuration. We've also introduced the concept of FVEY that we will continue to analyze as soon as possible. What we don't touch last time is the important fact that this two fabulous softwares have got a strange difficult history of interoperability between them. OpenBSD is in ours life from middle of the nineteen and Tor, the onion router project, from September 2002. torbsd proyect But only with the birth of the torbsd proyect the configuration of the anonymizing daemon is something simple and easy as it have to be. We can study read and fork the work of the torbsd fellows at github.

Tor daemon in a OpenBSD system


Starting from a clean OpenBSD install we will install Tor from packages:

$ doas pkg_add -U tor
$ doas pkg_add -U arm # ncurse control tool

To see what files were added to our operative system with the install of those two packages simply use (package tor in the example):

$ pkg_info -L tor
Information for inst:tor-0.3.0.10
Files:
/usr/local/bin/tor
/usr/local/bin/tor-gencert
/usr/local/bin/tor-resolve
/usr/local/man/man1/tor-gencert.1
/usr/local/man/man1/tor-resolve.1
/usr/local/man/man1/tor.1
/usr/local/share/doc/tor/tor-gencert.html
/usr/local/share/doc/tor/tor-resolve.html
/usr/local/share/doc/tor/tor.html
/usr/local/share/examples/tor/torrc.sample
/usr/local/share/tor/geoip
/usr/local/share/tor/geoip6
/etc/rc.d/tor

The torrc file


tor network

Now we have to configure the torrc file in /etc/tor/torrc :

$ doas cat <<EOF >> /etc/tor/torrc
User _tor
RunAsDaemon 1
AvoidDiskWrites 1
GeoIPFile /usr/local/share/tor/geoip
GeoIPv6File /usr/local/share/tor/geoip6
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 127.0.0.1:9040
DNSPort 127.0.0.1:53
DataDirectory /var/tor 
Log notice file /var/log/tor_log 
ControlPort 127.0.0.1:9051           
CookieAuthentication 1        
ExcludeNodes {AU}, {CA}, {US}, {NZ}, {GB}, {DK}, {FR}, {NL}, {NO}, {BE}, {DE}, {IT}, {ES}, {SE}
NodeFamily {AU}, {CA}, {US}, {NZ}, {GB}, {DK}, {FR}, {NL}, {NO}, {BE}, {DE}, {IT}, {ES}, {SE}
StrictNodes 1
GeoIPExcludeUnknown 1
SocksPort 127.0.0.1:9900
PathsNeededToBuildCircuits 0.95
EOF

Prepare the environment:

$ doas mkdir /var/tor
$ doas chown -R _tor:_tor /var/tor
$ doas chown _tor:_tor /dev/pf
$ doas touch /var/log/tor_log
$ doas chown _tor:_tor /var/log/tor_log

Let's explain every option in the torrc :

  1. User: after open the sockets the daemon will work under the UID of.
  2. RunAsDaemon: to launch or not the daemon in the background.
  3. AvoidDiskWrites: try to write to disk less frequently.
  4. GeoIpFile: where is in the fs tree.
  5. GeoIpv6File: where is in the fs tree.
  6. VirtualAddrNetwork: will try to explain later.
  7. AutomapHostsOnResolve: control VirtualAddrNetwork.
  8. TransPort: transparent proxy port where tor communicate with pf.
  9. DnsPort: port where tor dns resolver accept queries.
  10. DataDirectory: where tor put his session stuff.
  11. Log notice file: log file (don't know why accept spaces here).
  12. ControlPort: port where arm or others have to connect to control tor.
  13. CookieAuthentication: bool to indicate the authentication mode in control port.
  14. ExcludeNodes: where we don't want to go in ours tor circuits using ISO 3166 country code.
  15. NodeFamily: build a unique family with those codes.
  16. StrictNodes: strictly respect our ExcludeNodes list.
  17. GeoIPExcludeUnknown: if it don't know where is the tor relay simply don't use it.
  18. SocksPort: static port socks 4/5 listener (will deepen later).
  19. PathsNeededToBuildCircuits: tor wont build circuits until it has enough descriptors or microdescriptors to construct that fraction of possible paths.

Now we've to be sure that dhclientwill not rewrite /etc/resolv.conf. In OpenBSD we've to add this to /etc/dhcpclient.conf:

$ doas cat <<EOF >> /etc/dhclient.conf
    supersede domain-name-servers 127.0.0.1;
EOF
$ doas sh /etc/netstart

The pf.conf file


the pf firewall

OpenBSD was the first system operative to use one of the most powerful firewall, pf. In others POST we will better analyze how to properly use this monster, but for now simply use this pf.conf to create a transparent firewall in an OpenBSD system newer than the 4.7 version. We create another loopback interface in our system to play a little with internal routing:

$ doas ifconfig lo1 create up 127.0.0.2
$ doas cat <<EOF >> /etc/hostname.lo1
inet 127.0.0.2
EOF

And use those directives in our pf.conf :

$ doas cat <<EOF >> /etc/pf.conf
# destinations you don't want routed through Tor
non_tor = "{ 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 }"
# Tor's TransPort
trans_port = "9040"

match in all scrub (no-df random-id reassemble tcp)
antispoof for egress inet
block return log on egress all

pass in quick on lo1 inet proto tcp all flags S/SA modulate state rdr-to 127.0.0.1 port $trans_port
pass in quick on lo1 inet proto udp to port domain rdr-to 127.0.0.1 port domain

pass quick on { lo0 lo1 }

pass out quick inet proto tcp user _tor flags S/SA modulate state
pass out quick inet proto udp to port domain route-to lo1
pass out quick inet to $non_tor
pass out inet proto tcp all route-to lo1
EOF

Here you are some examples on how to use the pf firewall:

  • pfctl -e (enable)

  • pfctl -d (disable)

  • pfctl -f /etc/pf.conf (load rules)

  • pfctl -nf /etc/pf.conf (parse file, don't load)

  • pfctl -sr (show current ruleset)

  • pfctl -ss (show current state table)

  • pfctl -si (show filter stats and counters)

  • pftcl -sa (show all)

  • pfctl -t table -T flush (flush table)

  • pfctl -k 192.168.1.80 (kill connections for host 80)

  • pfctl -t

    -T expire 86400 -flush table (entries added in last 24 hours)

  • add -vv to any for more info

Start tor at boot


Last configuration is to activate tor at start. ¿Will you use this daemon to protect your privacy or to access to the #deepinternet?

$ doas rcctl enable tor
$ doas reboot

stay tuned for more OpenBSD, tor and deep Internet posts, i love you.

OpenBSD, Tor, 14 applications example. PART 1

Fourteen application, the first three are browsers


First of all sorry for the delay, but i was busy with real life and i cannot go on with our series. Let's start to analyze every step necessary to configure use of the TCP/IP socks sockets that we opened in our last article.

Firefox


Firefox tor sockv5 configuration

Like we can see in the image:

  1. open about:preferences#advanced
  2. click on network tab
  3. click on Settings
  4. check Manual proxy configuration
  5. write on SOCKS Hostthe local ip 127.0.0.1 and Port 9900
  6. write on No proxy for localhost, 127.0.0.1, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 that are privates network as RFC1918.

Chromium


As default chromium has no simple option to set a proxy server different from the system wide proxy. But we've done a little hack.

$ which chrome
/usr/local/bin/chrome
$ file /usr/local/bin/chrome
/usr/local/bin/chrome: Bourne shell script text executable

So here we can appreciate that chrome in our OpenBSD workstation is not an executable but is a shell script, here is a cat:

·$ cat /usr/local/bin/chrome
#!/bin/sh
# $OpenBSD: chrome,v 1.14 2016/06/02 21:03:38 sthen Exp $

DATASIZE="716800"
OPENFILES="400"

xm_log() {
        echo -n "$@\nDo you want to run Chromium anyway?\n\
(If you don't increase these limits, Chromium might fail to work properly.)" | \
                /usr/X11R6/bin/xmessage -file - -center -buttons yes:0,no:1 -default no
}

if [ $(ulimit -Sd) -lt ${DATASIZE} ]; then
        ulimit -Sd ${DATASIZE} || \
                xm_log "Cannot increase datasize-cur to at least ${DATASIZE}"
                [ $? -eq 0 ] || exit
fi

if [ $(ulimit -Sn) -lt ${OPENFILES} ]; then
        ulimit -Sn ${OPENFILES} || \
                xm_log "Cannot increase openfiles-cur to at least ${OPENFILES}"
                [ $? -eq 0 ] || exit
fi

if ! mount | grep `df -h /usr/local | tail -1 | awk '{print $6}'` | 
        grep -q wxallowed; then 
        echo "Filesystem containing /usr/local must have the 'wxallowed' flag" | 
            /usr/X11R6/bin/xmessage -file - -center -buttons exit:0 -default exit
        exit
fi

#
# Temporary workaround for the case when chromium crashes and leaves
# the SingletonLock, which prevents chromium to start up.
#
if [ -h ${HOME}/.config/chromium/SingletonLock ]; then
        _pid=`readlink ${HOME}/.config/chromium/SingletonLock | cut -d '-' -f 2`
        kill -0 ${_pid} 2>/dev/null
        if [ $? -gt 0 ]; then
                rm ${HOME}/.config/chromium/SingletonLock
        fi
fi

#
# Issue #395446
# https://code.google.com/p/chromium/issues/detail?id=395446
#
[ -z ${LANG} ] && _l=en_US.UTF-8 || _l=${LANG}

LANG=${_l} exec "/usr/local/chrome/chrome" "${@}" "--proxy-server="socks5://127.0.0.1:9901""

How you can see int last line of the script there is the real execof the binary that in OpenBSD is located in /usr/local/chrome/chrome . Simply concat in the same line of the var LANG the string "--proxy-server="socks5://127.0.0.1:9901"and close the sentence with a "that we've previously remove from the old sentence (the last one that you will find doing a cat). You can appreciate that for chromewe use socksv5 port 9901.

Tor browser


Tor browser is an open source fork of Firefox. It's maintained by the torproject folks. You can find the binaries here in github. But remember that we're using OpenBSD and the Tor browser bundle is available in the ports tree. To download the binary for OpenBSD do:

$ doas pkg_add -U tor-browser

But tor-browserhave got a tor daemon included that control via the tor button that we can launch via the onion icon on the left of the navigation bar. The first time that we execute this browser simply accept the default settings waiting to connecton the window that appear. But next:

Tor browser onion button first window

This is the first sub window if we click on the onion button. Let's assume that we will use tor browserwith the most deep navigation in the web. So click on security settings and:

Tor browser security settings

Use the High position to garantized the best shields for this new adventure . Next return to the previous window and click on Tor network settings

Tor browser network settings

  1. Check This computer need to use a local proxy to access the Internet
  2. Select for Proxy Typethe option SOCKS 5
  3. Write in Address 127.0.0.1 and in Port 9902

Now...there's some post on the web that does not recommend concatenate Tor over Tor, like this; but there is no exact explication so i really don't think so.

Remember that we have banned ALL the fourteens eyes country in our last configuration. I quoted the explication from privacytools.io :

The UKUSA Agreement is an agreement between the United Kingdom, United States, Australia, Canada, and New Zealand to cooperatively collect, analyze, and share intelligence. Members of this group, known as the Five Eyes, focus on gathering and analyzing intelligence from different parts of the world. While Five Eyes countries have agreed to not spy on each other as adversaries, leaks by Snowden have revealed that some Five Eyes members monitor each others citizens and share intelligence to avoid breaking domestic laws that prohibit them from spying on their own citizens. The Five Eyes alliance also cooperates with groups of third party countries to share intelligence (forming the Nine Eyes and Fourteen Eyes), however Five Eyes and third party countries can and do spy on each other.

In the configuration of the tor daemonthat came with tor browserwe force tor to use the countries of the nine eyes group that will be the first three hops of ours jumps in the tor network. Doing so we will use six hops to navigate the Internet. This are the files shipped with tor launcher (a sub packet of tor browser):

$ pkg_info -L tor-launcher
Information for inst:tor-launcher-0.2.12.3p0

Files:
/usr/local/lib/tor-browser-7.0.5/browser/extensions/tor-launcher@torproject.org.xpi
/usr/local/share/tor-browser/torrc-defaults

Open torrc-defaults with your favorite text editor and add:

ExcludeNodes {AD},{AE},{AF},{AG},{AI},{AL},{AM},{AO},{AQ},{AR},{AS},{AT},{AU},{AW},{AX},{AZ},{BA},{BB},{BD},{BE},{BF},{BG},{BH},{BI},{BJ},{BL},{BM},{BN},{BO},{BQ},{BR},{BS},{BT},{BV},{BW},{BY},{BZ},{CA},{CC},{CD},{CF},{CG},{CH},{CI},{CK},{CL},{CM},{CN},{CO},{CR},{CU},{CV},{CW},{CX},{CY},{CZ},{DE},{DJ},{DM},{DO},{DZ},{EC},{EE},{EG},{EH},{ER},{ES},{ET},{FI},{FJ},{FK},{FM},{FO},{GA},{GB},{GD},{GE},{GF},{GG},{GH},{GI},{GL},{GM},{GN},{GP},{GQ},{GR},{GS},{GT},{GU},{GW},{GY},{HK},{HM},{HN},{HR},{HT},{HU},{ID},{IE},{IL},{IM},{IN},{IO},{IQ},{IR},{IS},{IT},{JE},{JM},{JO},{JP},{KE},{KG},{KH},{KI},{KM},{KN},{KP},{KR},{KW},{KY},{KZ},{LA},{LB},{LC},{LI},{LK},{LR},{LS},{LT},{LU},{LV},{LY},{MA},{MC},{MD},{ME},{MF},{MG},{MH},{MK},{ML},{MM},{MN},{MO},{MP},{MQ},{MR},{MS},{MT},{MU},{MV},{MW},{MX},{MY},{MZ},{NA},{NC},{NE},{NF},{NG},{NI},{NP},{NR},{NU},{NZ},{OM},{PA},{PE},{PF},{PG},{PH},{PK},{PL},{PM},{PN},{PR},{PS},{PT},{PW},{PY},{QA},{RE},{RO},{RS},{RU},{RW},{SA},{SB},{SC},{SD},{SE},{SG},{SH},{SI},{SJ},{SK},{SL},{SM},{SN},{SO},{SR},{SS},{ST},{SV},{SX},{SY},{SZ},{TC},{TD},{TF},{TG},{TH},{TJ},{TK},{TL},{TM},{TN},{TO},{TR},{TT},{TV},{TW},{TZ},{UA},{UG},{UM},{US},{UY},{UZ},{VA},{VC},{VE},{VG},{VI},{VN},{VU},{WF},{WS},{YE},{YT},{ZA},{ZM},{ZW}
NodeFamily {AD},{AE},{AF},{AG},{AI},{AL},{AM},{AO},{AQ},{AR},{AS},{AT},{AU},{AW},{AX},{AZ},{BA},{BB},{BD},{BE},{BF},{BG},{BH},{BI},{BJ},{BL},{BM},{BN},{BO},{BQ},{BR},{BS},{BT},{BV},{BW},{BY},{BZ},{CA},{CC},{CD},{CF},{CG},{CH},{CI},{CK},{CL},{CM},{CN},{CO},{CR},{CU},{CV},{CW},{CX},{CY},{CZ},{DE},{DJ},{DM},{DO},{DZ},{EC},{EE},{EG},{EH},{ER},{ES},{ET},{FI},{FJ},{FK},{FM},{FO},{GA},{GB},{GD},{GE},{GF},{GG},{GH},{GI},{GL},{GM},{GN},{GP},{GQ},{GR},{GS},{GT},{GU},{GW},{GY},{HK},{HM},{HN},{HR},{HT},{HU},{ID},{IE},{IL},{IM},{IN},{IO},{IQ},{IR},{IS},{IT},{JE},{JM},{JO},{JP},{KE},{KG},{KH},{KI},{KM},{KN},{KP},{KR},{KW},{KY},{KZ},{LA},{LB},{LC},{LI},{LK},{LR},{LS},{LT},{LU},{LV},{LY},{MA},{MC},{MD},{ME},{MF},{MG},{MH},{MK},{ML},{MM},{MN},{MO},{MP},{MQ},{MR},{MS},{MT},{MU},{MV},{MW},{MX},{MY},{MZ},{NA},{NC},{NE},{NF},{NG},{NI},{NP},{NR},{NU},{NZ},{OM},{PA},{PE},{PF},{PG},{PH},{PK},{PL},{PM},{PN},{PR},{PS},{PT},{PW},{PY},{QA},{RE},{RO},{RS},{RU},{RW},{SA},{SB},{SC},{SD},{SE},{SG},{SH},{SI},{SJ},{SK},{SL},{SM},{SN},{SO},{SR},{SS},{ST},{SV},{SX},{SY},{SZ},{TC},{TD},{TF},{TG},{TH},{TJ},{TK},{TL},{TM},{TN},{TO},{TR},{TT},{TV},{TW},{TZ},{UA},{UG},{UM},{US},{UY},{UZ},{VA},{VC},{VE},{VG},{VI},{VN},{VU},{WF},{WS},{YE},{YT},{ZA},{ZM},{ZW}
StrictNodes 1
GeoIPExcludeUnknown 1

You find all the country codes ISO 3166 in this sheet

Openbsd, Tor, Privoxy and the browsers.

Privoxy, add a new friend to the battle.

So, we've got now three browsers using three differents socks port to access the Tor network, and the last of ours browsers building a special doble circuit in the tor network combining different countries (this is not bad at all). Remember, we were here . But...the situation is so difficult...we've to protect us with more layers.

Let's introduce the layer 7 firewall Privoxy.

What is a layer 7 firewall? It's a firewall that work at the last layer of the ISO/OSI network stack, that in no technical user speaking is the URI, www.facebook.com, steemit.com/@npna ...

Matryoshka are sexis

Russian Matrioska.

We like Russia, and we like матрёшка.

In this case we're doing the exact thing, encapsulate layer after layer our information to protect it from the privacy cannibals. Our dolls start from the navigator, go through privoxy and the will be routed to the Tor network. Let install privoxy from the OpenBSD precompiled packages with a simple command:

$ doas pkg_add -U privoxy

It will install those files and binaries:

$ pkg_info -L privoxy
Information for inst:privoxy-3.0.26
Files:
/usr/local/bin/privoxy-log-parser.pl
/usr/local/bin/privoxy-regression-test.pl
/usr/local/bin/uagen.pl
/usr/local/bin/url-pattern-translator.pl
/usr/local/man/man1/privoxy.1
/usr/local/sbin/privoxy
/usr/local/share/doc/privoxy/AUTHORS
/usr/local/share/doc/privoxy/ChangeLog
/usr/local/share/doc/privoxy/LICENSE
/usr/local/share/doc/privoxy/README
/usr/local/share/examples/privoxy/config
/usr/local/share/examples/privoxy/default.action
/usr/local/share/examples/privoxy/default.filter
/usr/local/share/examples/privoxy/match-all.action
/usr/local/share/examples/privoxy/regression-tests.action
/usr/local/share/examples/privoxy/templates/blocked
/usr/local/share/examples/privoxy/templates/cgi-error-404
/usr/local/share/examples/privoxy/templates/cgi-error-bad-param
/usr/local/share/examples/privoxy/templates/cgi-error-disabled
/usr/local/share/examples/privoxy/templates/cgi-error-file
/usr/local/share/examples/privoxy/templates/cgi-error-file-read-only
/usr/local/share/examples/privoxy/templates/cgi-error-modified
/usr/local/share/examples/privoxy/templates/cgi-error-parse
/usr/local/share/examples/privoxy/templates/cgi-style.css
/usr/local/share/examples/privoxy/templates/client-tags
/usr/local/share/examples/privoxy/templates/connect-failed
/usr/local/share/examples/privoxy/templates/connection-timeout
/usr/local/share/examples/privoxy/templates/default
/usr/local/share/examples/privoxy/templates/edit-actions-add-url-form
/usr/local/share/examples/privoxy/templates/edit-actions-for-url
/usr/local/share/examples/privoxy/templates/edit-actions-for-url-filter
/usr/local/share/examples/privoxy/templates/edit-actions-list
/usr/local/share/examples/privoxy/templates/edit-actions-list-button
/usr/local/share/examples/privoxy/templates/edit-actions-list-section
/usr/local/share/examples/privoxy/templates/edit-actions-list-url
/usr/local/share/examples/privoxy/templates/edit-actions-remove-url-form
/usr/local/share/examples/privoxy/templates/edit-actions-url-form
/usr/local/share/examples/privoxy/templates/forwarding-failed
/usr/local/share/examples/privoxy/templates/mod-local-help
/usr/local/share/examples/privoxy/templates/mod-support-and-service
/usr/local/share/examples/privoxy/templates/mod-title
/usr/local/share/examples/privoxy/templates/mod-unstable-warning
/usr/local/share/examples/privoxy/templates/no-server-data
/usr/local/share/examples/privoxy/templates/no-such-domain
/usr/local/share/examples/privoxy/templates/show-request
/usr/local/share/examples/privoxy/templates/show-status
/usr/local/share/examples/privoxy/templates/show-status-file
/usr/local/share/examples/privoxy/templates/show-url-info
/usr/local/share/examples/privoxy/templates/show-version
/usr/local/share/examples/privoxy/templates/toggle
/usr/local/share/examples/privoxy/templates/toggle-mini
/usr/local/share/examples/privoxy/templates/untrusted
/usr/local/share/examples/privoxy/templates/url-info-osd.xml
/usr/local/share/examples/privoxy/user.action
/usr/local/share/examples/privoxy/user.filter
/etc/rc.d/privoxy

We've only a little problem respect to Tor with privoxy. To concatenate three privoxy ports to three Tor ports we've to launch three different privoxy instances. But with OpenBSD and to his clearness this is very simple. Let's go deep in the configuration:

  • cd to the privoxy configuration directory:
    • $ cd /etc/privoxy
  • copy default config file into three different:
    • $ doas cp config firefox && doas cp config chrome && doas cp config torbrowser
  • go to the OpenBSD rc.d directory:
    • $ cd /etc/rc.d
  • copy the default privoxy init script in three different:
    • $ doas cp privoxy privoxyfirefox && doas cp privoxy privoxychrome && doas cp privoxy privoxytorbrowser

Ok all it's simple and without complications. Good, i love OpenBSD. The privoxy main configuration file is full of options and you have to dedicate a couple of ours to understand all the voices, or to simply read it. For now we use this basic configuration (in ours next chapters probably we will do some changes to it). Let's see together the one that will be used in the firefox environment:

$ cat /etc/privoxy/firefox
#
# $Id: config,v 1.112 2016/08/26 13:14:18 fabiankeil Exp $
#
# Copyright (C) 2001-2016 Privoxy Developers https://www.privoxy.org/
#



user-manual https://www.privoxy.org/user-manual/
trust-info-url https://learn.canva.com/wp-content/uploads/2015/06/50-Of-The-Most-Creative-404-Pages-On-The-Web-01.png
admin-address r.giuntoli@protonmail.ch
#config guide
#proxy-info-url http://www.example.com/proxy-service.html
confdir /etc/privoxy
templdir /etc/privoxy/templates
logdir /var/log/privoxy
actionsfile match-all.action # Actions that are applied to all sites and maybe overruled later on.
actionsfile default.action   # Main actions file
actionsfile user.action      # User customizations
filterfile default.filter
filterfile user.filter      # User customizations
logfile privoxyfirefox.log
#if set all deny but the ones listed on [use ~ like *]
#trustfile trust
#
#        debug     1 # Log the destination for each request Privoxy let through. See also debug 1024
#        debug     2 # show each connection status
#        debug     4 # show I/O status
#        debug     8 # show header parsing
#        debug    16 # log all data written to the network
#        debug    32 # debug force feature
#        debug    64 # debug regular expression filters
#        debug   128 # debug redirects
#        debug   256 # debug GIF de-animation
#        debug   512 # Common Log Format
#        debug  1024 # Log the destination for requests Privoxy didn't let through, and the reason why.
#        debug  2048 # CGI user interface
#        debug  4096 # Startup banner and warnings.
#        debug  8192 # Non-fatal errors
#        debug 32768 # log all data read from the network
#        debug 65536 # Log the applying actions
debug     1 # Log the destination for each request Privoxy let through. See also debug 1024.
#debug  1024 # Actions that are applied to all sites and maybe overruled later on.
#debug  4096 # Startup banner and warnings
#debug  8192 # Non-fatal errors
single-threaded 0
hostname Lutetia.unknown_domain
listen-address  127.0.0.1:8800
#filter mode
toggle  1
enable-remote-toggle  0
#filter by X-filter http header
enable-remote-http-toggle  0
enable-edit-actions 0
enforce-blocks 1
#      src_addr[:port][/src_masklen] [dst_addr[:port][/dst_masklen]]
permit-access  127.0.0.1
buffer-limit 8192
#enable if there's a parent proxy
enable-proxy-authentication-forwarding 0
forward-socks5 / 127.0.0.1:9900 .
forwarded-connect-retries  0
#transparent proxy
accept-intercepted-requests 0
#
allow-cgi-request-crunching 0
split-large-forms 0
# grow up to 300 (if browser hang stop)
keep-alive-timeout 5
# disable if problems
tolerate-pipelining 1
#default-server-timeout 60
connection-sharing 0
# try to reduce to 5 sec
socket-timeout 300
#max-client-connections 256
handle-as-empty-doc-returns-ok 0
#enable-compression 1
#compression-level 3
#client-header-order Host \
#   Accept \
#   Accept-Language \
#   Accept-Encoding \
#   Proxy-Connection \
#   Referer \
#   Cookie \
#   DNT \
#   If-Modified-Since \
#   Cache-Control \
#   Content-Length \
#   Content-Type
#
#client-specific-tag circumvent-blocks Overrule blocks but do not affect other actions
#          disable-content-filters Disable content-filters but do not affect other actions
#
#
#            client-tag-lifetime 180
#            # IP address with a X-Forwarded-For header.
#            trust-x-forwarded-for 1

Ok simply change admin-addressand hostname with the yours. Privoxy send in every configuration file the http proxy port to a distinct socks port. To create the others two execute this command:

# sed s/privoxyfirefox/privoxychrome/g privoxyfirefox | sed s/9900/9901/g > privoxychrome
# sed s/privoxychrome/privoxytorbrowser/g privoxychrome | sed s/9901/9902/g > privoxytorbrowser    

Now create the missing logs files with:

$ doas touch /var/log/privoxy/privoxyfirefox.log
$ doas touch /var/log/privoxy/privoxychrome.log
$ doas touch /var/log/privoxy/privoxytorbrowser.log

And enable all the three at boot:

$ doas rcctl enable privoxyfirefox
$ doas rcctl set privoxyfirefox user _privoxy
$ doas rcctl set privoxyfirefox flags /etc/privoxy/firefox
$ doas rcctl enable privoxychrome
$ doas rcctl set privoxychrome user _privoxy
$ doas rcctl set privoxychrome flags /etc/privoxy/chrome
$ doas rcctl enable privoxytorbrowser
$ doas rcctl set privoxytorbrowser user _privoxy
$ doas rcctl set privoxytorbrowser flags /etc/privoxy/torbrowser

At last start the three daemons:

$ doas rcctl start privoxyfirefox
$ doas rcctl start privoxychrome
$ doas rcctl start privoxytorbrowser

Browsers configurations

browsers configuration with privoxy Now we've got the correct setup of privoxy, but remember without any rule of layer 7 firewalling, that we will see in our next chapter. We've to change the configuration of the three browsers to use privoxy and not directly the tor socks.

  1. Firefox: Firefox privoxy
  2. Chrome: simply change --proxy-server="socks5://127.0.0.1:9901"with -proxy-server="http://127.0.0.1:8801"
  3. Torbrowser: Tor browser privoxy

Preparing the chicken soup

chicken soup Ok, the cooking is started, but one last little hackto disturb our favorites cannibals. Let's eliminate the HTTP header Refer:

# cat  >> /etc/privoxy/user.filter << EOF
{ +crunch-client-header{Referer:} }
/
EOF