Title: OpenBSD full Tor setup
       Author: Solène
       Date: 25 July 2021
       Tags: openbsd tor privacy security
       Description: 
       
       # Introduction
       
       If for some reason you want to block all your traffic except traffic
       going through Tor, here is how to proceed on OpenBSD.
       
       The setup is simple: install Tor, run the service, and configure the
       firewall to block every request that doesn't come from the _tor user,
       which the Tor daemon runs as.
       
       # Setup
       
       Modify /etc/pf.conf to make it look like the following:
       
       ```file configuration content for /etc/pf.conf
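       # don't filter loopback, so local programs can reach Tor's SOCKS port
       set skip on lo
       
       # block OUT traffic
       block out
       
       # block everything else by default (IN and OUT); "return" rejects
       # with a TCP RST or ICMP unreachable instead of dropping silently
       block return
       
       # allow TCP connections made by the _tor user; the rule is stateful,
       # so replies to these connections are let back in
       pass out on egress proto tcp user _tor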
       ```
       
       If you forgot to keep a copy of your original pf.conf file, the
       default file is available in /etc/examples/pf.conf if you want to go
       back to a standard PF configuration.
       
       Here are the commands to type as root to install Tor and reload PF:
       
       ```shell commands
       pkg_add tor
       rcctl enable tor
       rcctl start tor
       pfctl -f /etc/pf.conf
       ```
       
       Configure your programs to use the SOCKS5 proxy at localhost:9050.
       If you need to reach a remote server or service of yours, that server
       must run Tor and define HiddenServices so you can access them through
       Tor.
       
       # Privacy considerations in the local area network
       
       Please consider that if you are using DHCP to obtain an IP address on
       the network, both the hostname of your system and its MAC address are
       shared with that network.
       
       As for the MAC address, you can use "lladdr random" in your interface
       configuration file to have a new random MAC address on every boot.
       
       As for the hostname, I didn't test it but it should work: rewrite
       your /etc/myname file with a new value at each boot, meaning you will
       have a new value on the next boot.  To do so, you could use an
       /etc/rc.local containing this script:
       
       ```shell script
       #!/bin/sh
       
       # pick one random airport code from the list, skipping comment lines
       grep -v '^#' /usr/share/misc/airport | cut -d ':' -f 1 | sort -R | head -n 1 > /etc/myname
       ```
       
       The script will take a random name out of the 2000+ entries of the
       airport list (every airport in the list has been visited by an
       OpenBSD developer before it is added).  This still means you have a
       1/2000 chance of getting the same name upon reboot; if you prefer
       more entropy you can make a script generating a long random string.
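
One way to write the long-random-string variant mentioned above, as an added example that is not part of the original post. The function names, the 24-character default and the write-to-temporary-file-then-rename step are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): random hostname for /etc/myname.

# random_chars SET COUNT: print COUNT random characters drawn from SET.
random_chars() {
	LC_ALL=C tr -dc "$1" < /dev/urandom | dd bs=1 count="$2" 2>/dev/null
}

# random_label [LENGTH]: print a random hostname label of LENGTH characters.
# A DNS label is limited to 63 characters; the first character is forced to
# be a letter so the name is accepted by strict hostname parsers.
random_label() {
	len=${1:-24}
	case $len in
		''|*[!0-9]*) return 1 ;;   # reject anything that is not a number
	esac
	[ "$len" -ge 2 ] && [ "$len" -le 63 ] || return 1
	printf '%s%s\n' "$(random_chars 'a-z' 1)" \
	    "$(random_chars 'a-z0-9' $((len - 1)))"
}

# write_myname [FILE] [LENGTH]: write a fresh label to FILE (default
# /etc/myname) through a temporary file, so an interrupted boot never
# leaves an empty or half-written hostname behind.
write_myname() {
	file=${1:-/etc/myname}
	name=$(random_label "${2:-24}") || return 1
	tmp=$(mktemp "${file}.XXXXXXXXXX") || return 1
	printf '%s\n' "$name" > "$tmp" && chmod 644 "$tmp" && mv "$tmp" "$file"
}

# In /etc/rc.local, after the function definitions, call:  write_myname
```

As with the airport script, the new name only takes effect on the next boot.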
       
       # Privacy considerations on the Web
       
       You shouldn't use Tor for just anything: depending on the software
       used, this may leak your IP address, because that software may not be
       built with privacy in mind.  The Tor Browser (modified Firefox
       including Tor and privacy settings) can be fully trusted to only
       share/send what is required and not more.
       
       The point of this setup is to block leaking programs and only allow Tor
       to reach the Internet, then it's up to you to use Tor wisely.  I
       recommend reading the Tor documentation to understand how it works.
       
 (HTM) Tor project documentation
       
       # Potential issues
       
       The only issue I can imagine right now is connecting to a network
       with a captive portal to reach the Internet: you would have to
       disable the PF rule (or PF entirely) at the risk of some programs
       leaking data.
       
       # Same setup with I2P
       
       If you prefer using I2P only to reach external services, replace _tor
       with _i2p or _i2pd in the pf.conf rule, depending on which
       implementation you use.
       
       # Conclusion
       
       I'm not a huge Tor user but for the people who need to be sure non-Tor
       traffic can't go out, this is a simple setup to make.