How to Set Up a Tor Proxy Server on pfSense

Updated on January 15, 2018

Sam works as a Network Analyst for an algorithmic trading firm. He obtained his bachelor's degree in Information Technology from UMKC.

Why You Should Use Tor

Anyone looking to protect their identity and location should route their internet traffic through the Tor network.

Once an internet request leaves your computer, it passes through multiple different networks. Any of these intermediate points can intercept the data without you ever knowing it was compromised.

When internet traffic passes through Tor it is automatically encrypted and decrypted as it passes through multiple randomly selected relays.

The final relay, or exit node, decrypts the final layer of encryption and transmits the original data to the intended destination.

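Since the data is encrypted while it travels between the relays, your information is protected from prying eyes along that path. Because the exit node transmits the original data, only traffic that is itself encrypted (for example HTTPS) stays protected beyond it.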

By setting up a Tor proxy on pfSense, you can easily allow multiple users on your home or business network to transmit data securely.

Download and Install the Tor Package

Since Tor isn't an officially supported pfSense package it cannot be installed through the pfSense package manager. Instead it must be manually installed using the pkg_add command.

This command can be run through an SSH terminal, or through the Diagnostics > Command Prompt page in the web interface.

pkg_add -r ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.1-release/Latest/tor-devel.tbz

A successful installation will display the message seen in the image below.

Installing the Tor package using the pkg_add command through the command prompt.

Libevent Error Messages

You may receive a warning message if the installer detects a conflicting version of libevent on the system. Some pfSense packages such as ntop install a version of libevent that will cause Tor to fail to start.

In order for Tor to work correctly, you will need to remove any existing version of libevent, then reinstall the Tor package.

To list any versions of libevent installed on the system:

pkg_info | grep libevent

libevent-1.4.14b_1 Provides an API to execute callback functions on certain ev
libevent-1.4.14b_2 Provides an API to execute callback functions on certain ev
libevent2-2.0.16 API for executing callback functions on events or timeouts

If any conflicting versions are detected, remove them with these commands:

pkg_delete libevent-1.4.14b_1

pkg_delete libevent-1.4.14b_2

pkg_delete libevent2-2.0.16

If you see an error message stating the package cannot be deinstalled and is required by other packages, you must first remove the packages that depend on it.

pkg_delete: package 'libevent-1.4.14b_1' is required by these other packages
and may not be deinstalled:
ntop-5.0.1

pkg_delete ntop-5.0.1

Create the Required Directories and Log File

Tor requires two directories to exist before it can be started. Run the commands below to create them.

mkdir /var/db/tor
mkdir /var/run/tor

Tor also requires the creation of a log file before it will start.

touch /var/log/tor

Finally, we must set the Tor user as the owner of both directories and the log file.

chown -R _tor /var/db/tor/
chown -R _tor /var/log/tor
chown _tor /var/run/tor
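
A preflight check for the three paths created above, added here as an example and not part of the original article. The function names and the ROOT prefix argument are assumptions made for the example; the paths and the _tor owner are the ones used in this guide.

```shell
#!/bin/sh
# Added example (not from the article): preflight for the paths Tor needs.
# ROOT is a prefix so the check can run on a scratch tree; use "" on pfSense.

# owned_by PATH OWNER: true when PATH belongs to OWNER (name or numeric uid).
owned_by() {
    [ -n "$(find "$1" -prune -user "$2" 2>/dev/null)" ]
}

# check_tor_paths ROOT OWNER
# Prints one line per problem and returns the number of problems.
check_tor_paths() {
    root=$1 owner=$2 problems=0

    for dir in /var/db/tor /var/run/tor; do
        if [ ! -d "$root$dir" ]; then
            echo "PROBLEM: $dir is not a directory (mkdir $dir)"
            problems=$((problems + 1))
        fi
    done

    # The log must be a regular file. Creating it with mkdir leads to the
    # "Is a directory" warning when Tor starts.
    if [ -d "$root/var/log/tor" ]; then
        echo "PROBLEM: /var/log/tor is a directory (rmdir it, then touch it)"
        problems=$((problems + 1))
    elif [ ! -f "$root/var/log/tor" ]; then
        echo "PROBLEM: /var/log/tor is missing (touch /var/log/tor)"
        problems=$((problems + 1))
    fi

    # Tor must be able to write all three paths as the Tor user.
    for path in /var/db/tor /var/run/tor /var/log/tor; do
        [ -e "$root$path" ] || continue
        if ! owned_by "$root$path" "$owner"; then
            echo "PROBLEM: $path is not owned by $owner (chown $owner $path)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed demo: a scratch tree where the log path was created with mkdir.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/var/db/tor" "$t/var/run/tor" "$t/var/log/tor"
    check_tor_paths "$t" "$(id -u)"; rc=$?
    rm -rf "$t"
    return "$rc"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

On the firewall itself, call check_tor_paths "" _tor before starting Tor for the first time.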

Edit the Config File

The Tor package includes a default config file that can be used as a good starting point for most users.

The command below will create a copy of the default config file called torrc in the same directory as the sample.


cp /usr/local/etc/tor/torrc.sample /usr/local/etc/tor/torrc

There are a couple of lines in the config file that need to be modified.

You can make these changes through the command line using the vi editor, but I find it much easier to use the file editor in the web GUI, located in the Diagnostics menu.

In the /usr/local/etc/tor/torrc file, uncomment both of the lines below by removing the # sign at the beginning of each line. Modify the IP address in the second line to reflect the LAN IP address of the pfSense router.

SocksListenAddress 127.0.0.1:9100

SocksListenAddress 192.168.0.1:9100

In order for Tor to run in daemon mode you'll need to uncomment the following line as well.

RunAsDaemon 1

Editing the Tor configuration file using the text editor in the web interface.

Edit the rc.conf File

Tor will fail to start and display an error message unless tor_enable is set to 'yes' in the rc.conf file. The command below will add the required entry to the bottom of the rc.conf file.

echo "tor_enable=yes" >> /etc/defaults/rc.conf

Creating the Tor Startup Script

When pfSense boots, the system will automatically run any scripts with a .sh file extension located in /usr/local/etc/rc.d. To allow Tor to run at boot time, the script must be created and its permissions modified to make it executable.

The commands below will create the tor.sh startup script and make it executable.

touch /usr/local/etc/rc.d/tor.sh

chmod +x /usr/local/etc/rc.d/tor.sh

After creating the script, copy and paste the contents of the code section below into the file and save it.

This step can be completed using either the vi text editor (vi /usr/local/etc/rc.d/tor.sh), or the web-based file editor.

Tor.sh

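#!/bin/sh
# Wrapper so pfSense runs the Tor package's rc script at boot.

# Start Tor through the rc script installed by the package.
rc_start() {
           /usr/local/etc/rc.d/tor start
}

# Stop Tor through the same rc script.
rc_stop() {
           /usr/local/etc/rc.d/tor stop
}

case $1 in
        start)
                rc_start
                ;;
        stop)
                rc_stop
                ;;
        restart)
                rc_stop
                rc_start
                ;;
esac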

Starting the Tor Service

At this point all of the pieces are in place to start the Tor service. Run the init script created in the previous step with the 'start' parameter to start Tor.

/usr/local/etc/rc.d/tor.sh start

If the Tor daemon starts successfully, you'll see a message similar to the one below. If you don't see this message, you may receive an error message that provides a clue as to why Tor is unable to start.

[notice] Opening Socks listener on 192.168.10.254:9100

Starting the Tor service using the startup script.

Setting up a Proxy Server

At this point the Tor daemon should be up and running, but we're not quite finished yet.

If you attempt to configure the IP and port of the server as a proxy in your web browser, you'll receive a message that states "Tor is not an HTTP Proxy".

Since Tor is a SOCKS proxy, it operates at a lower level than most web proxy servers, which makes it necessary to run a separate web proxy server in addition to the Tor daemon.

Unfortunately, the popular Squid proxy server does not support the SOCKS protocol unless it is recompiled from source. Instead of recompiling Squid, I recommend installing the Polipo caching proxy service.

Polipo is a very fast, lightweight proxy service with native support for SOCKS and some other really cool features such as HTTP pipelining and partial object caching.

Tor is not an HTTP proxy error message.

Configuring Tor as an Upstream Proxy for Polipo

After installing Polipo, it must be configured to use the Tor daemon as a parent proxy server. Edit the Polipo configuration file (/usr/local/etc/polipo/config) and uncomment both of the lines below.

socksParentProxy = "localhost:9100"

socksProxyType = socks5

Save the changes to this file once the edits have been made.

Editing the Polipo configuration file to support an upstream Tor proxy.

After the config file has been modified, the Polipo service must be restarted to apply the changes.

/usr/local/etc/rc.d/polipo.sh restart
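
A consistency check for the two configuration steps above (the torrc edits and the Polipo parent proxy), added here as an example and not part of the original article. If the Polipo lines are left commented out, Polipo fetches pages directly instead of through Tor, so the check reports that case. The function names and the constructed sample files are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the article): cross-check torrc against Polipo's
# config. Paths and the LAN address are arguments so copies can be audited.

# active_values FILE KEY: values of uncommented "KEY value" / "KEY = value"
# lines. "#" comments are stripped; the key match ignores case.
active_values() {
    awk -v key="$2" '
        { sub(/#.*/, ""); gsub(/[="]/, " ") }
        NF >= 2 && tolower($1) == tolower(key) { print $2 }
    ' "$1"
}

report() { echo "FINDING: $*"; findings=$((findings + 1)); }

# audit_tor_proxy TORRC POLIPO_CONFIG LAN_IP
# Prints one line per finding and returns the number of findings.
audit_tor_proxy() {
    findings=0
    listeners=$(active_values "$1" SocksListenAddress)
    have_lan=no
    for l in $listeners; do
        case ${l%:*} in
            127.0.0.1) ;;
            "$3") have_lan=yes ;;
            *) report "unexpected SOCKS listener $l" ;;
        esac
    done
    [ "$have_lan" = yes ] || report "no active SocksListenAddress on $3"
    [ "$(active_values "$1" RunAsDaemon)" = 1 ] || report "RunAsDaemon 1 is not active"

    parent=$(active_values "$2" socksParentProxy)
    if [ -z "$parent" ]; then
        # Without a parent proxy Polipo connects to sites directly.
        report "socksParentProxy is not set: Polipo would bypass Tor"
    else
        want=$(echo "$parent" | sed 's/^localhost:/127.0.0.1:/')
        match=no
        for l in $listeners; do
            if [ "$l" = "$want" ]; then match=yes; fi
        done
        [ "$match" = yes ] || report "socksParentProxy $parent matches no Tor listener"
    fi
    ptype=$(active_values "$2" socksProxyType)
    [ "$ptype" = socks5 ] || report "socksProxyType is '${ptype:-unset}', expected socks5"
    return "$findings"
}

# Constructed sample: torrc edited as described, Polipo config left untouched.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'SocksListenAddress 127.0.0.1:9100' \
        'SocksListenAddress 192.168.0.1:9100' 'RunAsDaemon 1' > "$d/torrc"
    printf '%s\n' '# socksParentProxy = "localhost:9100"' \
        '# socksProxyType = socks5' > "$d/config"
    audit_tor_proxy "$d/torrc" "$d/config" 192.168.0.1; rc=$?
    rm -rf "$d"
    return "$rc"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

On the firewall, pass /usr/local/etc/tor/torrc, /usr/local/etc/polipo/config and the LAN address of pfSense to audit_tor_proxy.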

Testing the Tor Proxy

Now that Tor is running and Polipo has been configured to use Tor as a parent proxy, everything is in place for testing!

If you haven't already done so, configure your browser to point to the LAN IP address of pfSense on port 8123 (the default port for Polipo).

To confirm your internet traffic is being forwarded through the Tor network visit https://check.torproject.org/. This page will run a test on your connection to determine if it is using the Tor network. If your traffic is going through Tor successfully you'll see the message below displayed.

Confirming Tor is working using the online test page.

Contributing to Tor

Since the Tor network is operated by volunteers the best way you can contribute to the project is to operate your own Tor relay.

Anyone with a reliable internet connection can operate a relay by running Tor in relay mode. Additional Tor relays add to the speed and reliability of the entire Tor network.

Further Protect Your Identity With Bitcoin

Once you've started using Tor for anonymity, you may want to consider protecting your financial information by making purchases with Bitcoin.

You can easily purchase Bitcoins (or mine your own) making it possible to make anonymous purchases.

Bitcoins spend like cash but can be transmitted over the internet instantly to any location in the world.

    © 2013 Sam Kear

    Comments


      • Kane

        18 months ago

        @Yehiel Samson

        Install snort, start it on your LAN (or VLAN) interface, enable the TOR policy rules and set to block?

      • Yehiel Samson

        19 months ago

        Additional question, I have setup different VLAN to test out all the options (blocking, allowing traffic etc...).

        But on the one making it a safe network (SafeSearch, OpenVPN etc...) using Squid and SquidGuard, I noticed that TOR isn't blocked.

        From looking on the web, no real way on blocking TOR. Might you have a solution?

      • Yehiel Samson

        19 months ago

        Hi,

        I have pfSense 2.3.3, and at the first step (to install the package) I got stuck.

        The Kernel Version: 10.3-RELEASE-p16

        In pfSense version 2.3.3, pkg_add is deprecated.

        Now it is "pkg add".

        I tried to look for the latest release of "tor-devel" and I found it for 10-current.

        But when trying to install:

        pkg add ftp://92.53.112.226/freebsd/ports/amd64/packages-1...

        I receive the following...

        pkg: /tmp/tor-devel.tbz.XXXXX is not a valid package: no manifest found

        Failed to install the following 1 package(s): ftp://92.53.112.226/freebsd/ports/amd64/packages-1...

        Any suggestion?

        PS. I also tried the version you proposed, but I receive the same error

      • msurg

        24 months ago

        How to install on pfSense 2.3.2?

      • EdwinGarzon

        2 years ago

        How to install on pfsense 2.3.2, help !!!

      • Stremenx

        2 years ago

        How to install pfSense 2.3.1 help...

      • Sam Kear (author)

        2 years ago from Kansas City

        @Chad

        On pfSense 2.x you'll need to install the pkg command first. See the link below for information on bootstrapping pkg.

        https://doc.pfsense.org/index.php/Installing_FreeB...

      • Chad

        2 years ago

        I use pfSense 2.5.5 and cannot find the command pkg_add in the shell.

      • Aydin

        3 years ago

        How can I use it only with HTTPS traffic and without configuring Squid?

        Thank you for your help..

      • Brandon

        3 years ago from Houston, Texas

        Great. Thanks

      • Aladdins Cave

        3 years ago from Melbourne, Australia

        I wanted to do exactly what this Hub is about.

        But man o man, I gotta go back to school first, I'm lucky if I can switch the modem on / off switch :)

        If you're ever in Melbourne, look me up, I've got a small job for you hehehe

        Cheers from DOWNUNDER

      • JulioQc

        3 years ago

      • Dave

        4 years ago

        Would you please let us know how to configure Tor to act as a relay?

      • barbambea

        4 years ago

      • kiddo

        4 years ago

        Nice tut, but this site cannot be browsed with Tor on.

      • lpdourado

        4 years ago

        Hi!

        It isn't a problem any more. I already solved it.

        I deleted the folder /var/log/tor, created the log file correctly with the touch command, and gave the permissions to the log file.

        Thank you.

      • lpdourado

        4 years ago

        Hi!

        First of all, this is a great tutorial with a brief explanation of any kind of command. Great work!

        I had a problem starting Tor.

        When I started it, an error occurred:

        "[warn] Couldn't open the file for 'Log notice file /var/log/tor': Is a directory"

        Can you help me with this error?

        Thanks

      • Le Doanh Tran

        4 years ago from Brampton, Ontario

        I realized after running /usr/local/etc/rc.d/tor.sh start the system kicks me out as root and logs me in as the _tor user. But Tor is actually not running. I can get both Tor and Polipo to run if I run both as root using the command "polipo & && tor"

      • Le Doanh Tran

        4 years ago from Brampton, Ontario

        This is what I got after running /usr/local/etc/rc.d/tor.sh start

        Couldn't open file for 'Log notice file /var/log/tor': Permission denied

        The version I'm running is 2.1-RELEASE (i386)

      • me

        4 years ago

        @create symbolic link to fix

        ln -s /usr/local/lib/event2/libevent-2.0.so.6 /usr/lib/libevent-2.0.so.6

      • Andrea

        4 years ago

        Thanks for this guide! I can install and run Tor correctly, but I have an issue: I got all the right messages after starting Tor for the first time, but when I reboot pfSense I can't run Tor and the error is:

        Shared object "libevent-2.0.so.6" not found, required by tor.

        But if I search for "libevent-2.0.so.6" I find it in ./usr/local/lib/event2/libevent-2.0.so.6

        I tried uninstalling Tor and libevent with the same result: at first start everything is right, but when I restart pfSense something goes wrong (with the same error).

        I run pfSense 2.1 (FreeBSD 8.3) and installed Tor via pkg_add -r tor

      • Sam Kear (author)

        5 years ago from Kansas City

        @0scar

        Thanks for helping me debug this issue. I've added a section above called "Libevent Error Messages" in case anyone else encounters the same issue.

      • 0scar

        5 years ago

        I send you a mail

        thanks

      • Sam Kear (author)

        5 years ago from Kansas City

        @0scar

        I'm running on the same version as you are using and I can't seem to reproduce the problem. It's possible you have another package installed that is providing a conflicting version of libevent.

        Can you try removing the other packages from pfSense and try to reinstall the tor package?

        You can remove the current tor installation by running:

        pkg_delete tor-devel-0.2.2.13.a

        If you're running a different version you can find the installed version with this command:

        pkg_info

      • 0scar

        5 years ago

        2.0.3-RELEASE (amd64)

        built on Fri Apr 12 10:27:56 EDT 2013

        FreeBSD 8.1-RELEASE-p13

      • Sam Kear (author)

        5 years ago from Kansas City

        @0scar

        Which version of pfSense are you using?

      • 0scar

        5 years ago

        ;-(

        /usr/local/etc/rc.d/tor start

        Starting tor.

        /libexec/ld-elf.so.1: Shared object "libevent-1.4.so.3" not found, required by "tor"

        /usr/local/etc/rc.d/tor: WARNING: failed to start tor

        I have libevent-1.4.so.3 and I tried this: ln -s libevent-1.4.so.4 libevent-1.4.so.3

        and...

        /libexec/ld-elf.so.1: /usr/local/lib/libevent-1.4.so.3: unsupported file layout

        /usr/local/etc/rc.d/tor: WARNING: failed to start tor
