Troubleshooting
Expand To Check Dashboard
Test Latency: time toriptables2.py --ip
Status | Active | IP API Endpoint | Failover | Method |
---|---|---|---|---|
🟢 | Yes | https://check.torproject.org/api/ip | ✅ | |
🟢 | Yes | https://ident.me | ✔️ | |
Expand for a quick tweak and workaround
💯 [Hack] A quick tweak and workaround is to change the retries from 12 to 1 or 2.
💯 [Fix] Change config.me to ident.me
Expand for Public IP issues
- Still waiting for IP address... fail after 12 retries.
- Still waiting for IP address... get IP after 12 retries.
- Long delays on refreshing ip address or getting ip address.
Still waiting for IP address...
Still waiting for IP address...
[!] Can't get public ip address!
The Fix: Disable systemd-resolved Cleanly
- sudo systemctl enable tor
- sudo service tor start
- sudo systemctl disable systemd-resolved.service
- sudo systemctl stop systemd-resolved
- sudo unlink /etc/resolv.conf
- sudo vi /etc/resolv.conf
- Then add the lines below to resolv.conf and save:
  - nameserver 1.1.1.1 # Your ISP DNS Server
  - nameserver 8.8.8.8 # Any public DNS server
  - nameserver 127.0.0.1 # Tor's Local DNS Server
- Brute-force: sudo chattr +i /etc/resolv.conf
Possible endpoint issue. Test the active IP endpoint status.
Expand for command to test the active IP endpoint status
time curl -s https://check.torproject.org/api/ip | python2 -c "import sys,json; sys.stdout.write(json.load(sys.stdin)['IP'])"
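An added example (not toriptables2's own code) of the failover the dashboard describes: try check.torproject.org first, then ident.me, with a small retry count. It is written for Python 3, the function names and the injectable `fetch` callable are assumptions, and it also reads the `IsTor` flag that the Tor check endpoint returns alongside `IP`.

```python
import ipaddress
import json

# Endpoints from the dashboard above, in failover order.
ENDPOINTS = [
    ("https://check.torproject.org/api/ip", "json"),
    ("https://ident.me", "text"),
]

def parse_ip_response(body, kind):
    """Return (ip, is_tor); is_tor is None when the endpoint cannot tell."""
    if kind == "json":
        doc = json.loads(body)
        ip, is_tor = str(doc["IP"]), doc.get("IsTor")
    else:
        ip, is_tor = body.strip(), None
    ipaddress.ip_address(ip)  # ValueError on anything that is not an IP
    return ip, is_tor

def get_public_ip(fetch, retries=2):
    """Try each endpoint up to `retries` times, then fail over to the next."""
    errors = []
    for url, kind in ENDPOINTS:
        for attempt in range(1, retries + 1):
            try:
                ip, is_tor = parse_ip_response(fetch(url), kind)
            except (OSError, ValueError, KeyError, TypeError) as exc:
                errors.append("%s attempt %d: %s" % (url, attempt, type(exc).__name__))
                continue
            return {"ip": ip, "is_tor": is_tor, "endpoint": url, "errors": errors}
    raise RuntimeError("Can't get public ip address: " + "; ".join(errors))

def http_fetch(url, timeout=10):
    """Network fetcher for real use: get_public_ip(http_fetch)."""
    from urllib.request import urlopen
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")

def fake_fetch(url):
    """Constructed responses so the example runs offline."""
    if "torproject" in url:
        raise OSError("timed out")   # primary endpoint unreachable
    return "203.0.113.7\n"           # plain-text reply, documentation address

if __name__ == "__main__":
    print(get_public_ip(fake_fetch))
```

An `is_tor` value of `False` from the first endpoint means the request did not leave through a Tor exit; `None` means the fallback answered and cannot say either way.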
Expand for possible fix and solutions to getting public IP issue
- Download the latest version of toriptables2.
Expand for toriptables2 command to test the IP endpoint in use
toriptables2.py --ip
► systemctl disable systemd-resolved.service
- Try unloading AppArmor profiles. AppArmor is preventing Tor from starting.
- Dnsmasq address is conflicting with Tor's local DNS address.
Expand for the fix or solution
- Change dnsmasq listening address:
  listen-address=127.0.0.1
  to
  listen-address=127.0.1.1
- Try purging and re-installing tor. toriptables2 needs the stock /etc/tor/torrc to work properly.
- Try hosting your own simple Public IP API service using ipify API.
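A check for the two DNS fixes above (the resolv.conf rewrite and the dnsmasq listen-address change), added here as an example rather than taken from toriptables2. Function names and the sample file contents are constructed; 127.0.0.53 is the systemd-resolved stub address, and glibc reads only the first three nameserver lines.

```python
SYSTEMD_STUB = "127.0.0.53"   # systemd-resolved's stub listener
TOR_DNS = "127.0.0.1"         # Tor's local DNS server, per the resolv.conf above
GLIBC_MAXNS = 3               # glibc uses only the first three nameserver lines

def directives(text, sep=None):
    """Yield (key, value) pairs from a config file, ignoring # comments."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].strip().split(sep, 1)
        if parts and parts[0]:
            yield parts[0].strip(), (parts[1].strip() if len(parts) > 1 else "")

def audit_dns(resolv_conf, dnsmasq_conf=""):
    """Return a list of findings; an empty list means both fixes are in place."""
    findings = []
    servers = [v for k, v in directives(resolv_conf) if k == "nameserver"]
    if SYSTEMD_STUB in servers:
        findings.append("resolv.conf still points at the systemd-resolved stub")
    if TOR_DNS not in servers[:GLIBC_MAXNS]:
        findings.append("Tor's local DNS server is not among the first %d nameservers"
                        % GLIBC_MAXNS)
    for key, value in directives(dnsmasq_conf, "="):
        addrs = [a.strip() for a in value.split(",")]
        if key == "listen-address" and TOR_DNS in addrs:
            findings.append("dnsmasq listen-address conflicts with Tor's local DNS address")
    return findings

# Constructed inputs: a systemd-resolved resolv.conf and dnsmasq bound to 127.0.0.1.
BEFORE_RESOLV = "nameserver 127.0.0.53\noptions edns0 trust-ad\n"
BEFORE_DNSMASQ = "listen-address=127.0.0.1\n"
# The state the fixes on this page produce.
AFTER_RESOLV = """\
nameserver 1.1.1.1 # Your ISP DNS Server
nameserver 8.8.8.8 # Any public DNS server
nameserver 127.0.0.1 # Tor's Local DNS Server
"""
AFTER_DNSMASQ = "listen-address=127.0.1.1\n"

if __name__ == "__main__":
    print(audit_dns(BEFORE_RESOLV, BEFORE_DNSMASQ))
    print(audit_dns(AFTER_RESOLV, AFTER_DNSMASQ))
```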
Expand for Distro Specific Fix
Distro | Tor User ID | DNSPort |
---|---|---|
Arch | tor | 5300 |
Fedora | toranon | |
sed -i 's/debian-tor/tor/' toriptables2.py
► Linux systemd-resolved.service
On Fedora, create an SELinux rule
Expand for SELinux commands
grep tor /var/log/audit/audit.log | audit2allow -M mytor
sudo semodule -i mytor.pp
Expand for iptables failed to initialize nf_tables
Debian Buster uses the new nftables framework by default.
Moving from nftables back to legacy xtables:
sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
sudo update-alternatives --set arptables /usr/sbin/arptables-legacy
sudo update-alternatives --set ebtables /usr/sbin/ebtables-legacy
sudo update-alternatives --list iptables
/usr/sbin/iptables-legacy
/usr/sbin/iptables-nft
sudo update-alternatives --config iptables
There are 2 choices for the alternative iptables (providing /usr/sbin/iptables).
Selection Path Priority Status
------------------------------------------------------------
* 0 /usr/sbin/iptables-nft 20 auto mode
1 /usr/sbin/iptables-legacy 10 manual mode
2 /usr/sbin/iptables-nft 20 manual mode
Press <enter> to keep the current choice[*], or type selection number:1
update-alternatives: using /usr/sbin/iptables-legacy to provide /usr/sbin/iptables (iptables) in manual mode
sudo update-alternatives --config iptables
There are 2 choices for the alternative iptables (providing /usr/sbin/iptables).
Selection Path Priority Status
------------------------------------------------------------
0 /usr/sbin/iptables-nft 20 auto mode
* 1 /usr/sbin/iptables-legacy 10 manual mode
2 /usr/sbin/iptables-nft 20 manual mode
Press <enter> to keep the current choice[*], or type selection number:
Enter
Expand for Frequently Asked Questions
How long will you support Python 2.7?? It's past EOL dude!
Until the Kali Gods nuke Python 2.7 support from their distribution.
What about security going forward? I'm in the process of nuking Python 2.7 and all remnants from my machines.
Personally, I compile my legacy Python 2.7 standalone scripts to a Linux ELF 64-bit LSB executable using Nuitka.
The created binary executes independent of a Python installation.
A precompiled x86_64 toriptables2 Binary can be found under releases.
Ok smart arse, you didn't answer my question -- would there be a version for Python 3.x?
Yes. There is a toriptables3 for Python 3.8. Tested on Kali 2020.2 Python 3.8.2.
Also, a one-file precompiled x86_64 toriptables3 AppImage executable is available under toriptables3's releases.
Will the binary installation overwrite, collide and/or conflict with my standard toriptables2.py or toriptables3.py install?
No. In fact, they are easy to install and uninstall. They will happily coexist with any standard .py installed.
The binaries are executed w/o the .py extension, e.g. sudo toriptables2 or sudo toriptables3.
Which one do you use, prefer and/or recommend, and why?
I prefer the toriptables2 binary, it's a little faster and robust -- in my seat-of-the-pants testing. And best of all, no Python 3.x H3LL. 😀
Use the one you’re most comfortable with and what would be appropriate for your environment.
Why doesn't toriptables2 have tons of features like some other anonymizers?
It was written using the Unix philosophy. Do One Thing and Do It Well (DOTADIW).
I was looking for something that's easy to install that will give anonymity and work on Windows.
Installing the Tor Browser probably would be the path of least resistance.
I see it's written in Python. Will it work on Windows?
Not at this time. Iptables is not native to Windows. At the rate Microsoft is making Windows more Linux-like, maybe in the near future...
Does it work on the raspberrypi3?
Yes. Tested on raspberrypi3 4.9.35-v7+ #1014 SMP armv7l GNU/Linux
Why do I get an IPv6 Address? Whatismyipaddress shows my real location?
► Disable IPv6 at the OS level
Expand for disabling the OS IPv6 commands
Copy/paste below in a terminal.
sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1
sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
sudo sysctl -w net.ipv6.conf.lo.disable_ipv6=1
► Enable IPv6 Privacy Extension in Linux
Why doesn't the toriptables2 script support IPv6-only hosts/computers?
As of 2018 there aren't many IPv6 users, or IPv6 guards, so Tor over IPv6 is less anonymous than Tor over IPv4.
Is there another way to set Tor's IP address changing interval without using tor_ip_switcher?
Yes. See Advanced Tweaks below. Note: "Looks like it's got a 10-second minimum".
Can we change the time of the loop [?] Still waiting for IP address...
Yes. Change the sleep time. The default is 5 seconds.
Is Tor Really Anonymous?
Well, it depends on who you ask.
I was looking for a "free" VPN not Tor per se. Do you know of any?
You can give this VPN Gate client script a try. Your mileage may vary.
Expand for Advanced Tweaks
To configure Tor's circuitry to automatically change your IP address every 60 seconds, edit /etc/tor/torrc: copy/paste the lines below and save.
## If 0, CircuitBuildTimeout adaptive learning is disabled. (Default: 1)
LearnCircuitBuildTimeout 0
## Circuit that was first used at most NUM seconds ago
MaxCircuitDirtiness 60
## Every NUM seconds consider whether to build a new circuit
NewCircuitPeriod 60
Reload the new configuration: sudo toriptables2.py --refresh
Expand for Set Tor ExitNodes
Tor has the ability to let you choose which ExitNodes you’d like to use – either by name, fingerprint, or country code. If you have a trusted list of nodes you’d like to use as a whitelist, you can use that, or if you have a list of nodes on a blacklist, it supports that configuration. But for those of us that are attempting to be someone else, specifically someone from a different country, we can use Tor to not only hide our identity, but make it appear to be from a specific geographic location.
Our example here may be an identity where you want to appear like a Ukrainian dissident — when in reality you’re a soccer Mom from Chicago, IL. By setting up a dedicated machine, with a specific Tor configuration, you can make sure that all of your traffic is routed out of a Ukrainian Exit Node.
The configuration is pretty simple: modify your torrc file to add the following lines to ensure Tor will only use Ukraine-based exit nodes:
ExitNodes {ua}
StrictNodes 1
Please back up the original /etc/tor/torrc file. Please note that in all of these examples, we must enable StrictNodes.
This example will use either Ukraine, Uganda, South Korea, or Ireland as an exit:
ExitNodes {ua},{ug},{kr},{ie}
To test the changes, reload Tor's new torrc configuration file:
sudo toriptables2.py --load
Expand for Blacklisting
You can also use this as a defensive measure.
If you believe there is some kind of geo-centric threat in Uganda, you can configure Tor to never use these exit nodes.
ExcludeExitNodes {ug}
You can exclude all node types for a specific country as well – exits, relays, entry, and bridge nodes.
ExcludeNodes {us}
You have the ability to whitelist all node types which is to say you can make sure that your entire Tor circuit only uses a certain country.
This is NOT recommended of course. An ideal circuit will cross countries and legal jurisdictions.
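A lint for the ExitNodes and Exclude* lines discussed above, added as an example and not part of toriptables2. It flags a whitelist without StrictNodes (which this page requires), malformed country codes, and countries that are both whitelisted and excluded; the function names and the sample torrc text are constructed.

```python
import re

NODE_OPTS = ("exitnodes", "excludeexitnodes", "excludenodes")
COUNTRY = re.compile(r"^\{([a-z]{2}|\?\?)\}$")   # {ua}, {ug}, ... or {??}

def parse_torrc(text):
    """Return {lowercased option: value}; '#' starts a comment, last line wins."""
    opts = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def country_tokens(value):
    """Country entries only; fingerprints and nicknames are not checked here."""
    toks = [t.strip().lower() for t in value.split(",")]
    return [t for t in toks if t.startswith("{")]

def lint_torrc(text):
    opts, findings = parse_torrc(text), []
    sets = {name: country_tokens(opts.get(name, "")) for name in NODE_OPTS}
    for name in NODE_OPTS:
        for code in sets[name]:
            if not COUNTRY.match(code):
                findings.append("%s: malformed country code %s" % (name, code))
    exits = sets["exitnodes"]
    if exits and opts.get("strictnodes") != "1":
        findings.append("ExitNodes is set but StrictNodes is not 1")
    # Tor's manual: a node in both ExitNodes and ExcludeNodes is treated as excluded.
    excluded = set(sets["excludeexitnodes"]) | set(sets["excludenodes"])
    for code in exits:
        if code in excluded:
            findings.append("%s is listed as an exit and also excluded" % code)
    if exits and not set(exits) - excluded:
        findings.append("every ExitNodes country is excluded")
    return findings

# Constructed torrc fragment combining the page's whitelist and blacklist lines.
SAMPLE = """\
ExitNodes {ua},{ug},{kr},{ie}   # no StrictNodes line
ExcludeExitNodes {ug}
"""

if __name__ == "__main__":
    for finding in lint_torrc(SAMPLE):
        print("[!]", finding)
```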
Expand for The "??" Country
Tor uses Maxmind’s Geo-ip lookup system for this functionality. Some of the versions of their database contain a “??” country code. This is reserved for IPs they either don’t know, or aren’t willing to share. (Tor is making some changes to compensate for this in the future.)
Knowing this can be useful in one of two ways:
First, you may think that if you don’t know what country you’re going to be using as a node, then you don’t want to use it. This is probably a legitimate thought without having more information on what causes an IP to have “??”.
Second, and more interestingly, some (poorly configured) firewalls will automatically drop connections from certain countries. Admins will say “Screw it, block China. Hacking problem solved!” and ask for a raise. Maxmind is a very popular Geo-ip lookup database and you can imagine that all of the security services built into those fancy enterprise firewalls will most likely be using it if it’s doing geographic lookups. While many of these admins will have policies for how to handle “us”, “cn”, and “de”, I’ve found many have issues with a country code that is “??”. In one case, I’ve found a system that blocks all exit nodes, except those coming from a “??” country. I have not identified why this mis-configuration occurs, but hopefully someone can leverage this to their advantage.
Expand for List of country codes for Tor
Country | Code |
---|---|
ASCENSION ISLAND | {ac} |
AFGHANISTAN | {af} |
ALAND | {ax} |
ALBANIA | {al} |
ALGERIA | {dz} |
ANDORRA | {ad} |
ANGOLA | {ao} |
ANGUILLA | {ai} |
ANTARCTICA | {aq} |
ANTIGUA AND BARBUDA | {ag} |
ARGENTINA REPUBLIC | {ar} |
ARMENIA | {am} |
ARUBA | {aw} |
AUSTRALIA | {au} |
AUSTRIA | {at} |
AZERBAIJAN | {az} |
BAHAMAS | {bs} |
BAHRAIN | {bh} |
BANGLADESH | {bd} |
BARBADOS | {bb} |
BELARUS | {by} |
BELGIUM | {be} |
BELIZE | {bz} |
BENIN | {bj} |
BERMUDA | {bm} |
BHUTAN | {bt} |
BOLIVIA | {bo} |
BOSNIA AND HERZEGOVINA | {ba} |
BOTSWANA | {bw} |
BOUVET ISLAND | {bv} |
BRAZIL | {br} |
BRITISH INDIAN OCEAN TERR | {io} |
BRITISH VIRGIN ISLANDS | {vg} |
BRUNEI DARUSSALAM | {bn} |
BULGARIA | {bg} |
BURKINA FASO | {bf} |
BURUNDI | {bi} |
CAMBODIA | {kh} |
CAMEROON | {cm} |
CANADA | {ca} |
CAPE VERDE | {cv} |
CAYMAN ISLANDS | {ky} |
CENTRAL AFRICAN REPUBLIC | {cf} |
CHAD | {td} |
CHILE | {cl} |
PEOPLE’S REPUBLIC OF CHINA | {cn} |
CHRISTMAS ISLANDS | {cx} |
COCOS ISLANDS | {cc} |
COLOMBIA | {co} |
COMOROS | {km} |
CONGO | {cg} |
CONGO (DEMOCRATIC REPUBLIC) | {cd} |
COOK ISLANDS | {ck} |
COSTA RICA | {cr} |
COTE D IVOIRE | {ci} |
CROATIA | {hr} |
CUBA | {cu} |
CYPRUS | {cy} |
CZECH REPUBLIC | {cz} |
DENMARK | {dk} |
DJIBOUTI | {dj} |
DOMINICA | {dm} |
DOMINICAN REPUBLIC | {do} |
EAST TIMOR | {tp} |
ECUADOR | {ec} |
EGYPT | {eg} |
EL SALVADOR | {sv} |
EQUATORIAL GUINEA | {gq} |
ESTONIA | {ee} |
ETHIOPIA | {et} |
FALKLAND ISLANDS | {fk} |
FAROE ISLANDS | {fo} |
FIJI | {fj} |
FINLAND | {fi} |
FRANCE | {fr} |
FRANCE METROPOLITAN | {fx} |
FRENCH GUIANA | {gf} |
FRENCH POLYNESIA | {pf} |
FRENCH SOUTHERN TERRITORIES | {tf} |
GABON | {ga} |
GAMBIA | {gm} |
GEORGIA | {ge} |
GERMANY | {de} |
GHANA | {gh} |
GIBRALTAR | {gi} |
GREECE | {gr} |
GREENLAND | {gl} |
GRENADA | {gd} |
GUADELOUPE | {gp} |
GUAM | {gu} |
GUATEMALA | {gt} |
GUINEA | {gn} |
GUINEA-BISSAU | {gw} |
GUYANA | {gy} |
HAITI | {ht} |
HEARD & MCDONALD ISLAND | {hm} |
HONDURAS | {hn} |
HONG KONG | {hk} |
HUNGARY | {hu} |
ICELAND | {is} |
INDIA | {in} |
INDONESIA | {id} |
IRAN, ISLAMIC REPUBLIC OF | {ir} |
IRAQ | {iq} |
IRELAND | {ie} |
ISLE OF MAN | {im} |
ISRAEL | {il} |
ITALY | {it} |
JAMAICA | {jm} |
JAPAN | {jp} |
JORDAN | {jo} |
KAZAKHSTAN | {kz} |
KENYA | {ke} |
KIRIBATI | {ki} |
KOREA, DEM. PEOPLES REP OF | {kp} |
KOREA, REPUBLIC OF | {kr} |
KUWAIT | {kw} |
KYRGYZSTAN | {kg} |
LAO PEOPLE’S DEM. REPUBLIC | {la} |
LATVIA | {lv} |
LEBANON | {lb} |
LESOTHO | {ls} |
LIBERIA | {lr} |
LIBYAN ARAB JAMAHIRIYA | {ly} |
LIECHTENSTEIN | {li} |
LITHUANIA | {lt} |
LUXEMBOURG | {lu} |
MACAO | {mo} |
MACEDONIA | {mk} |
MADAGASCAR | {mg} |
MALAWI | {mw} |
MALAYSIA | {my} |
MALDIVES | {mv} |
MALI | {ml} |
MALTA | {mt} |
MARSHALL ISLANDS | {mh} |
MARTINIQUE | {mq} |
MAURITANIA | {mr} |
MAURITIUS | {mu} |
MAYOTTE | {yt} |
MEXICO | {mx} |
MICRONESIA | {fm} |
MOLDOVA, REPUBLIC OF | {md} |
MONACO | {mc} |
MONGOLIA | {mn} |
MONTENEGRO | {me} |
MONTSERRAT | {ms} |
MOROCCO | {ma} |
MOZAMBIQUE | {mz} |
MYANMAR | {mm} |
NAMIBIA | {na} |
NAURU | {nr} |
NEPAL | {np} |
NETHERLANDS ANTILLES | {an} |
NETHERLANDS, THE | {nl} |
NEW CALEDONIA | {nc} |
NEW ZEALAND | {nz} |
NICARAGUA | {ni} |
NIGER | {ne} |
NIGERIA | {ng} |
NIUE | {nu} |
NORFOLK ISLAND | {nf} |
NORTHERN MARIANA ISLANDS | {mp} |
NORWAY | {no} |
OMAN | {om} |
PAKISTAN | {pk} |
PALAU | {pw} |
PALESTINE | {ps} |
PANAMA | {pa} |
PAPUA NEW GUINEA | {pg} |
PARAGUAY | {py} |
PERU | {pe} |
PHILIPPINES (REPUBLIC OF THE) | {ph} |
PITCAIRN | {pn} |
POLAND | {pl} |
PORTUGAL | {pt} |
PUERTO RICO | {pr} |
QATAR | {qa} |
REUNION | {re} |
ROMANIA | {ro} |
RUSSIAN FEDERATION | {ru} |
RWANDA | {rw} |
SAMOA | {ws} |
SAN MARINO | {sm} |
SAO TOME/PRINCIPE | {st} |
SAUDI ARABIA | {sa} |
SCOTLAND | {uk} |
SENEGAL | {sn} |
SERBIA | {rs} |
SEYCHELLES | {sc} |
SIERRA LEONE | {sl} |
SINGAPORE | {sg} |
SLOVAKIA | {sk} |
SLOVENIA | {si} |
SOLOMON ISLANDS | {sb} |
SOMALIA | {so} |
SAMOA, GILBERT, ELLICE ISLANDS | {as} |
SOUTH AFRICA | {za} |
SOUTH GEORGIA, SOUTH SANDWICH ISLANDS | {gs} |
SOVIET UNION | {su} |
SPAIN | {es} |
SRI LANKA | {lk} |
ST. HELENA | {sh} |
ST. KITTS AND NEVIS | {kn} |
ST. LUCIA | {lc} |
ST. PIERRE AND MIQUELON | {pm} |
ST. VINCENT & THE GRENADINES | {vc} |
SUDAN | {sd} |
SURINAME | {sr} |
SVALBARD AND JAN MAYEN | {sj} |
SWAZILAND | {sz} |
SWEDEN | {se} |
SWITZERLAND | {ch} |
SYRIAN ARAB REPUBLIC | {sy} |
TAIWAN | {tw} |
TAJIKISTAN | {tj} |
TANZANIA, UNITED REPUBLIC OF | {tz} |
THAILAND | {th} |
TOGO | {tg} |
TOKELAU | {tk} |
TONGA | {to} |
TRINIDAD AND TOBAGO | {tt} |
TUNISIA | {tn} |
TURKEY | {tr} |
TURKMENISTAN | {tm} |
TURKS AND CAICOS ISLANDS | {tc} |
TUVALU | {tv} |
UGANDA | {ug} |
UKRAINE | {ua} |
UNITED ARAB EMIRATES | {ae} |
UNITED KINGDOM (no new registrations) | {gb} |
UNITED KINGDOM | {uk} |
UNITED STATES | {us} |
UNITED STATES MINOR OUTL.IS. | {um} |
URUGUAY | {uy} |
UZBEKISTAN | {uz} |
VANUATU | {vu} |
VATICAN CITY STATE | {va} |
VENEZUELA | {ve} |
VIET NAM | {vn} |
VIRGIN ISLANDS (USA) | {vi} |
WALLIS AND FUTUNA ISLANDS | {wf} |
WESTERN SAHARA | {eh} |
YEMEN | {ye} |
ZAMBIA | {zm} |
ZIMBABWE | {zw} |
Expand for Firefox Add-ons and Troubleshooting
► Excellent Firefox Privacy Add-ons
► Firefox configuration hardening
Expand for Firefox .onion domain error and fix
Firefox introduced a new preference (network.dns.blockDotOnion) to allow blocking .onion at the DNS level.
The new "feature" is enabled by default to block .onion addresses.
Browser Error:
"Hmm. We're having trouble finding that site."
"We can't connect to server at abcdevwxyz.onion"
The Browser Fix:
about:config
Search: blockDotOnion
Change from true to false:
network.dns.blockDotOnion user set boolean true
network.dns.blockDotOnion user set boolean false
- Note: Tor over IPv6 is less anonymous than Tor over IPv4. See FAQ.