Skip to content

Troubleshooting

Rupert Edwards edited this page Jul 26, 2024 · 552 revisions

⚠️ Check Tor's IP Endpoint. 😠

Expand To Check Dashboard

Test Latency: time toriptables2.py --ip

Status Active IP API Endpoint Failover Method
🟢 Yes https://check.torproject.org/api/ip
  • cURL
  • JSON
  • WGET
🟢 Yes https://ident.me ✔️
  • cURL
  • JSON
  • WGET

Expand for a quick tweak and workaround

💯 [Hack] A quick tweak and workaround is to change the retries from 12 to 1 or 2.

💯 [Fix] Change config.me to ident.me


Getting Public IP:

Expand for Public IP issues
  • Still waiting for IP address... fail after 12 retries.

  • Still waiting for IP address... get IP after 12 retries.

  • Long delays on refreshing ip address or getting ip address.

Still waiting for IP address...
Still waiting for IP address...
[!] Can't get public ip address!

The Fix: Disable systemd-resolved Cleanly

Works for Linux Mint 💯

  1. sudo systemctl enable tor

  2. sudo service tor start

  3. sudo systemctl disable systemd-resolved.service

  4. sudo systemctl stop systemd-resolved

  5. sudo unlink /etc/resolv.conf

  6. sudo vi /etc/resolv.conf

  7. Then add to resolv.conf below and save

  • nameserver 1.1.1.1 # Your ISP DNS Server
  • nameserver 8.8.8.8 # Any public DNS server
  • nameserver 127.0.0.1 # Tor's Local DNS Server
- Brute-force: sudo chattr +i /etc/resolv.conf

Possible endpoint issue. Test the active IP endpoint status.

Expand for command to test the active IP endpoint status

time curl -s https://check.torproject.org/api/ip | python2 -c "import sys,json; sys.stdout.write(json.load(sys.stdin)['IP'])"

Expand for possible fix and solutions to getting public IP issue
  1. Download the latest version of toriptables2.

  2. Test "Getting public IP" JSON public endpoint IP API.

Expand for toriptables2 command to test the IP endpoint in use
toriptables2.py --ip

systemctl disable systemd-resolved.service

  1. Try unloading AppArmor profiles. Apparmor is preventing tor from starting.

sudo aa-teardown

  1. Dnsmasq address is conflicting with Tor's local DNS address.

sudo service dnsmasq stop

Expand for the fix or solution
  1. Try purging and re-installing tor. toriptables2 needs the stock /etc/tor/torrc to work properly.

  2. Try hosting your own simple Public IP API service using ipify API.


Distro Specific Fix:

Expand for Distro Specific Fix
Distro Tor User ID DNSPort
Arch tor 5300
Fedora toranon
sed -i 's/debian-tor/tor/' toriptables2.py

Linux systemd-resolved.service

On Fedora create a SELinux rule

Expand for Selinux commands

grep tor /var/log/audit/audit.log | audit2allow -M mytor

sudo semodule -i mytor.pp


Iptables Failed to initialize nf_tables:

Expand for iptables failed to initialize nf_tables

Debian Buster uses the new nftables framework by default.

Moving from nftables back to legacy xtables:

sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
sudo update-alternatives --set arptables /usr/sbin/arptables-legacy
sudo update-alternatives --set ebtables /usr/sbin/ebtables-legacy
  • sudo update-alternatives --list iptables
/usr/sbin/iptables-legacy
/usr/sbin/iptables-nft
  • sudo update-alternatives --config iptables
There are 2 choices for the alternative iptables (providing /usr/sbin/iptables).

  Selection    Path                       Priority   Status
------------------------------------------------------------
* 0            /usr/sbin/iptables-nft      20        auto mode
  1            /usr/sbin/iptables-legacy   10        manual mode
  2            /usr/sbin/iptables-nft      20        manual mode

Press <enter> to keep the current choice[*], or type selection number:1

update-alternatives: using /usr/sbin/iptables-legacy to provide /usr/sbin/iptables (iptables) in manual mode

  • sudo update-alternatives --config iptables
There are 2 choices for the alternative iptables (providing /usr/sbin/iptables).

  Selection    Path                       Priority   Status
------------------------------------------------------------
  0            /usr/sbin/iptables-nft      20        auto mode
* 1            /usr/sbin/iptables-legacy   10        manual mode
  2            /usr/sbin/iptables-nft      20        manual mode

Press <enter> to keep the current choice[*], or type selection number: Enter


Frequently Asked Questions:

Expand for Frequently Asked Questions

FAQ:

How long will you support Python 2.7?? It's pass EOL dude!

Until the Kali Gods nuke Python 2.7 support from their distribution.

What about security going forward? I'm in the process of nuking Python 2.7 and all remnant from my machines.

Personally, I compile my legacy Python 2.7 standalone scripts to a Linux ELF 64-bit LSB executable using Nuitka.

The created binary executes independent of a Python installation.

A precompiled x86_64 toriptables2 Binary can be found under releases.

Ok smart arse, you didn't answer my question -- would there be a version for Python 3.x?

Yes. There is a toriptables3 for Python 3.8. Tested on Kali 2020.2 Python 3.8.2.

Also an one file precompiled x86_64 toriptables3 AppImage executable is available under toriptables3's releases.

Will the binary installation over write, collide and/or conflict with my standard toriptable2.py or toriptables3.py install?

No. In fact, they are easy to install and uninstall. They will happily coexist with any standard .py installed.

The binaries are executed w/o the .py extension, E.g. sudo toriptables2 or sudo toriptables3.

Which one you use, prefer and/or recommend, and why?

I prefer the toriptables2 binary, it's a little faster and robust -- in my seat-of-the-pants testing. And best of all, no Python 3.x H3LL. 😀

Use the one you’re most comfortable with and what would be appropriate for your environment.

Why toriptables2 doesn't have tons of features like some other anonymizers?

It was written using the Unix philosophy. Do One Thing and Do It Well (DOTADIW).

I was looking for something that's easy to install that will give anonymity and work on Windows.

Installing the Tor Browser probably would be the path of least resistance.

I see it's written in Python. Will it work on Windows?

Not at this time. Iptables is not native to Windows. At the rate Microsoft is making Windows more Linux like, maybe in the near future...

Does it work on the raspberrypi3?

Yes. Tested on raspberrypi3 4.9.35-v7+ #1014 SMP armv7l GNU/Linux

Why do I get an IPv6 Address? Whatismyipaddress shows my real location?

Disable IPv6 at the OS level

Expand for disabling the OS IPv6 commands

Copy/paste below in a terminal.

sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1
sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
sudo sysctl -w net.ipv6.conf.lo.disable_ipv6=1

Enable IPv6 Privacy Extension in Linux

Expand for Enable IPv6 Privacy Extension GUI

► IPv6 Privacy Extension in Linux

Why toriptables2 script doesn't support IPv6 only host/computer?

As of 2018 there aren't many IPv6 users, or IPv6 guards, so Tor over IPv6 is less anonymous than Tor over IPv4.

Is there another way to set Tor's IP address changing interval without using tor_ip_switcher?

Yes. See Advance tweaks below. Note: "Looks like it's got a 10-second minimum".

Can we change the time of the loop [?] Still waiting for IP address...

Yes. Change the sleep time. The default is 5 seconds.

Is Tor Really Anonymous?

Well, It depends on who you ask.

I was looking for a "free" VPN not Tor per se. Do you know of any?

You can give this VPN Gate client script a try. Your mileage may vary.


Advance Tweaks:

Expand for Advance Tweaks

To configure Tor's circuitry to automatically change your IP address every 60 seconds.

Edit: /etc/tor/torrc. Copy/paste and save.

## If 0, CircuitBuildTimeout adaptive learning is disabled. (Default: 1)
LearnCircuitBuildTimeout 0

## Circuit that was first used at most NUM seconds ago
MaxCircuitDirtiness 60

## Every NUM seconds consider whether to build a new circuit
NewCircuitPeriod 60

Reload the new configuration sudo toriptables2.py --refresh.


Set Tor ExitNodes:

Expand for Set Tor ExitNodes

Tor has the ability to let you choose which ExitNodes you’d like to use – either by name, fingerprint, or country code. If you have a trusted list of nodes you’d like to use as a whitelist, you can use that, or if you have a list of nodes on a blacklist, it supports that configuration. But for those of us that are attempting to be someone else, specifically someone from a different country, we can use Tor to not only hide our identity, but make it appear to be from a specific geographic location.

Our example here may be an identity where you want to appear like a Ukrainian dissident — when in reality you’re a soccer Mom from Chicago, IL. By setting up a dedicated machine, with a specific Tor configuration, you can make sure that all of your traffic is routed out of an Ukrainian Exit Node.

Torrc:

The configuration is pretty simple, modify your torrc file to add the follwoing line to ensure Tor will only use Ukraine based exit nodes:

1
2
ExitNodes {ua}
StrictNodes 1
  • Please backup the original /etc/tor/torrc file.
  • Please note that in all of these examples, we must enable StrictNodes.

  • This example will use either Ukraine, Uganda, South Korea, or Ireland as an exit:

    1
    
    ExitNodes {ua},{ug},{kr},{ie}

    To test the changes, reload Tor's new torrc configuration file:

    sudo toriptables2.py --load

    Blacklisting:

    Expand for Blacklisting

    You can also use this as a defensive measure as well.

    If you believe there is some kind of geo-centric threat in Uganda, you can configure Tor to never use these exit nodes.

    1
    
    ExcludeExitNodes {ug}

    You can exclude all node types for a specific country as well – exits, relays, entry, and bridge nodes.

    1
    
    ExcludeNodes {us}

    You have the ability to whitelist all node types which is to say you can make sure that your entire Tor circuit only uses a certain country.

    This is NOT recommended of course. An ideal circuit will cross countries and legal jurisdictions.


    The "??" Country:

    Expand for The "??" Country

    Tor uses Maxmind’s Geo-ip lookup system for this functionality. Some of the versions of their database contain a “??” country code. This is reserved for IPs they either don’t know, or aren’t willing to share. (Tor is making some changes to compensate for this in the future.)

    Knowing this can be useful in one of two ways:

    First, you may think that if you don’t know what country you’re going to be using as a node, then you don’t want to use it. This is probably a legitimate thought without having more information on what causes an IP to have “??”.

    Second, and more interestingly, some (poorly configured) firewalls will automatically drop connections from certain countries. Admins will say “Screw it, block China. Hacking problem solved!” and ask for a raise. Maxmind is a very popular Geo-ip lookup database and you can imagine that all of the security services built into those fancy enterprise firewalls will most likely be using it if it’s doing geographic lookups. While many of these admins will have policies for how to handle “us”, “cn”, and “de”, I’ve found many have issues with a country code that is “??”. In one case, I’ve found a system that blocks all exit nodes, except those coming from a “??” country. I have not identitied why this mis-configuration occurs, but hopefully someone can leverage this to their advantage.


    List of country codes for Tor:

    Expand for List of country codes for Tor
    Country Code
    ASCENSION ISLAND {ac}
    AFGHANISTAN {af}
    ALAND {ax}
    ALBANIA {al}
    ALGERIA {dz}
    ANDORRA {ad}
    ANGOLA {ao}
    ANGUILLA {ai}
    ANTARCTICA {aq}
    ANTIGUA AND BARBUDA {ag}
    ARGENTINA REPUBLIC {ar}
    ARMENIA {am}
    ARUBA {aw}
    AUSTRALIA {au}
    AUSTRIA {at}
    AZERBAIJAN {az}
    BAHAMAS {bs}
    BAHRAIN {bh}
    BANGLADESH {bd}
    BARBADOS {bb}
    BELARUS {by}
    BELGIUM {be}
    BELIZE {bz}
    BENIN {bj}
    BERMUDA {bm}
    BHUTAN {bt}
    BOLIVIA {bo}
    BOSNIA AND HERZEGOVINA {ba}
    BOTSWANA {bw}
    BOUVET ISLAND {bv}
    BRAZIL {br}
    BRITISH INDIAN OCEAN TERR {io}
    BRITISH VIRGIN ISLANDS {vg}
    BRUNEI DARUSSALAM {bn}
    BULGARIA {bg}
    BURKINA FASO {bf}
    BURUNDI {bi}
    CAMBODIA {kh}
    CAMEROON {cm}
    CANADA {ca}
    CAPE VERDE {cv}
    CAYMAN ISLANDS {ky}
    CENTRAL AFRICAN REPUBLIC {cf}
    CHAD {td}
    CHILE {cl}
    PEOPLE’S REPUBLIC OF CHINA {cn}
    CHRISTMAS ISLANDS {cx}
    COCOS ISLANDS {cc}
    COLOMBIA {co}
    COMORAS {km}
    CONGO {cg}
    CONGO (DEMOCRATIC REPUBLIC) {cd}
    COOK ISLANDS {ck}
    COSTA RICA {cr}
    COTE D IVOIRE {ci}
    CROATIA {hr}
    CUBA {cu}
    CYPRUS {cy}
    CZECH REPUBLIC {cz}
    DENMARK {dk}
    DJIBOUTI {dj}
    DOMINICA {dm}
    DOMINICAN REPUBLIC {do}
    EAST TIMOR {tp}
    ECUADOR {ec}
    EGYPT {eg}
    EL SALVADOR {sv}
    EQUATORIAL GUINEA {gq}
    ESTONIA {ee}
    ETHIOPIA {et}
    FALKLAND ISLANDS {fk}
    FAROE ISLANDS {fo}
    FIJI {fj}
    FINLAND {fi}
    FRANCE {fr}
    FRANCE METROPOLITAN {fx}
    FRENCH GUIANA {gf}
    FRENCH POLYNESIA {pf}
    FRENCH SOUTHERN TERRITORIES {tf}
    GABON {ga}
    GAMBIA {gm}
    GEORGIA {ge}
    GERMANY {de}
    GHANA {gh}
    GIBRALTER {gi}
    GREECE {gr}
    GREENLAND {gl}
    GRENADA {gd}
    GUADELOUPE {gp}
    GUAM {gu}
    GUATEMALA {gt}
    GUINEA {gn}
    GUINEA-BISSAU {gw}
    GUYANA {gy}
    HAITI {ht}
    HEARD & MCDONALD ISLAND {hm}
    HONDURAS {hn}
    HONG KONG {hk}
    HUNGARY {hu}
    ICELAND {is}
    INDIA {in}
    INDONESIA {id}
    IRAN, ISLAMIC REPUBLIC OF {ir}
    IRAQ {iq}
    IRELAND {ie}
    ISLE OF MAN {im}
    ISRAEL {il}
    ITALY {it}
    JAMAICA {jm}
    JAPAN {jp}
    JORDAN {jo}
    KAZAKHSTAN {kz}
    KENYA {ke}
    KIRIBATI {ki}
    KOREA, DEM. PEOPLES REP OF {kp}
    KOREA, REPUBLIC OF {kr}
    KUWAIT {kw}
    KYRGYZSTAN {kg}
    LAO PEOPLE’S DEM. REPUBLIC {la}
    LATVIA {lv}
    LEBANON {lb}
    LESOTHO {ls}
    LIBERIA {lr}
    LIBYAN ARAB JAMAHIRIYA {ly}
    LIECHTENSTEIN {li}
    LITHUANIA {lt}
    LUXEMBOURG {lu}
    MACAO {mo}
    MACEDONIA {mk}
    MADAGASCAR {mg}
    MALAWI {mw}
    MALAYSIA {my}
    MALDIVES {mv}
    MALI {ml}
    MALTA {mt}
    MARSHALL ISLANDS {mh}
    MARTINIQUE {mq}
    MAURITANIA {mr}
    MAURITIUS {mu}
    MAYOTTE {yt}
    MEXICO {mx}
    MICRONESIA {fm}
    MOLDAVA REPUBLIC OF {md}
    MONACO {mc}
    MONGOLIA {mn}
    MONTENEGRO {me}
    MONTSERRAT {ms}
    MOROCCO {ma}
    MOZAMBIQUE {mz}
    MYANMAR {mm}
    NAMIBIA {na}
    NAURU {nr}
    NEPAL {np}
    NETHERLANDS ANTILLES {an}
    NETHERLANDS, THE {nl}
    NEW CALEDONIA {nc}
    NEW ZEALAND {nz}
    NICARAGUA {ni}
    NIGER {ne}
    NIGERIA {ng}
    NIUE {nu}
    NORFOLK ISLAND {nf}
    NORTHERN MARIANA ISLANDS {mp}
    NORWAY {no}
    OMAN {om}
    PAKISTAN {pk}
    PALAU {pw}
    PALESTINE {ps}
    PANAMA {pa}
    PAPUA NEW GUINEA {pg}
    PARAGUAY {py}
    PERU {pe}
    PHILIPPINES (REPUBLIC OF THE) {ph}
    PITCAIRN {pn}
    POLAND {pl}
    PORTUGAL {pt}
    PUERTO RICO {pr}
    QATAR {qa}
    REUNION {re}
    ROMANIA {ro}
    RUSSIAN FEDERATION {ru}
    RWANDA {rw}
    SAMOA {ws}
    SAN MARINO {sm}
    SAO TOME/PRINCIPE {st}
    SAUDI ARABIA {sa}
    SCOTLAND {uk}
    SENEGAL {sn}
    SERBIA {rs}
    SEYCHELLES {sc}
    SIERRA LEONE {sl}
    SINGAPORE {sg}
    SLOVAKIA {sk}
    SLOVENIA {si}
    SOLOMON ISLANDS {sb}
    SOMALIA {so}
    SOMOA,GILBERT,ELLICE ISLANDS {as}
    SOUTH AFRICA {za}
    SOUTH GEORGIA, SOUTH SANDWICH ISLANDS {gs}
    SOVIET UNION {su}
    SPAIN {es}
    SRI LANKA {lk}
    ST. HELENA {sh}
    ST. KITTS AND NEVIS {kn}
    ST. LUCIA {lc}
    ST. PIERRE AND MIQUELON {pm}
    ST. VINCENT & THE GRENADINES {vc}
    SUDAN {sd}
    SURINAME {sr}
    SVALBARD AND JAN MAYEN {sj}
    SWAZILAND {sz}
    SWEDEN {se}
    SWITZERLAND {ch}
    SYRIAN ARAB REPUBLIC {sy}
    TAIWAN {tw}
    TAJIKISTAN {tj}
    TANZANIA, UNITED REPUBLIC OF {tz}
    THAILAND {th}
    TOGO {tg}
    TOKELAU {tk}
    TONGA {to}
    TRINIDAD AND TOBAGO {tt}
    TUNISIA {tn}
    TURKEY {tr}
    TURKMENISTAN {tm}
    TURKS AND CALCOS ISLANDS {tc}
    TUVALU {tv}
    UGANDA {ug}
    UKRAINE {ua}
    UNITED ARAB EMIRATES {ae}
    UNITED KINGDOM (no new registrations) {gb}
    UNITED KINGDOM {uk}
    UNITED STATES {us}
    UNITED STATES MINOR OUTL.IS. {um}
    URUGUAY {uy}
    UZBEKISTAN {uz}
    VANUATU {vu}
    VATICAN CITY STATE {va}
    VENEZUELA {ve}
    VIET NAM {vn}
    VIRGIN ISLANDS (USA) {vi}
    WALLIS AND FUTUNA ISLANDS {wf}
    WESTERN SAHARA {eh}
    YEMEN {ye}
    ZAMBIA {zm}
    ZIMBABWE {zw}

    Firefox Privacy Add-ons and Hardening:

    Expand for Firefox Add-ons and Troubleshooting

    Excellent Firefox Privacy Add-ons

    Firefox configuration hardening

    Expand for Firefox .onion domain error and fix

    ⚠️ Firefox Release 45.0 March 8, 2016:

    Introduced a new preference (network.dns.blockDotOnion) to allow blocking .onion at the DNS level.

    The new "feature" is enabled by default to block .onion addresses.

    Browser Error:

    "Hmm. We're having trouble finding that site."

    "We can't connect to server at abcdevwxyz.onion"

    The Browser Fix:

    about:config

    Search: blockDotOnion

    Change from: true

    network.dns.blockDotOnion user set boolean true

    Change to: false

    network.dns.blockDotOnion user set boolean false


    - Note: Tor over IPv6 is less anonymous than Tor over IPv4. See FAQ.