Goal

Master advanced Tor techniques including VPN combinations, bypassing censorship with bridges, contributing to the network by running relays, integrating Tor with SSH, and understanding when NOT to use Tor.

Prerequisites: Week 7a (Tor Fundamentals)

This is Part 2 of 2 - Covers advanced configuration and limitations.


1. Tor and VPNs - When to Combine

Tor Over VPN (VPN → Tor → Internet)

Setup: Connect to VPN, then launch Tor Browser

Advantages:

  • Hides Tor usage from ISP
  • Useful in countries that block Tor

Disadvantages:

  • VPN provider can see you’re using Tor (not your traffic)
  • Adds a trusted third party
  • Slower

Use case: If ISP/government blocks Tor or criminalizes Tor usage.

VPN Over Tor (Tor → VPN → Internet)

Setup: Configure VPN client to route through Tor (advanced)

Advantages:

  • VPN provider doesn’t know your real IP

Disadvantages:

  • Complex setup
  • Very slow
  • VPN must accept Tor exits (many don’t)

Use case: Rare - accessing services that block Tor exit IPs.

When NOT to Use VPN with Tor

Default recommendation: Just use Tor alone.

  • VPN adds complexity and potential points of failure
  • Tor already provides strong anonymity
  • VPN is a single point of trust (you’re trusting the provider)

Exception: If Tor is blocked in your region, VPN → Tor can bypass censorship.


2. Tor Bridges - Bypassing Censorship

What Are Bridges?

Bridges are Tor relays that are not listed in the main public directory. They are used to connect to Tor when it’s censored or blocked.

Types of bridges:

  • obfs4 - Obfuscates traffic (looks like random data, not Tor)
  • meek - Routes through CDNs (looks like regular HTTPS to Microsoft/Amazon)
  • Snowflake - Uses temporary proxies from volunteers’ browsers

Getting Bridges

Method 1: Tor Browser built-in

Connection Settings → Tor is censored in my country → Request a Bridge

Method 2: bridges.torproject.org

# Visit in regular browser
firefox https://bridges.torproject.org/

# Complete CAPTCHA
# Receive bridge addresses like:
obfs4 192.0.2.3:1234 [fingerprint] cert=[cert] iat-mode=0

Method 3: Email request

Send email to: [email protected]
From: Gmail or Riseup only (anti-spam)
Body: "get bridges"

Configuring Bridges

In Tor Browser:

Settings → Connection → Tor is censored in my country
→ Select bridge type (obfs4 recommended)
→ Provide a bridge (paste addresses)
→ Connect
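
The steps above cover Tor Browser only. This added example (not from the original page) goes one step further and turns obfs4 bridge lines of the format shown in Method 2 into torrc settings for the system tor daemon, rejecting malformed lines. The function name is hypothetical, and the obfs4proxy path is an assumption (the Debian/Ubuntu package location).

```shell
#!/bin/sh
# Added example: bridge lines in, torrc settings out.
# Assumed: obfs4proxy is installed at /usr/bin/obfs4proxy.
# Limitation: only IPv4 bridge addresses are accepted.

# bridges_to_torrc: reads bridge lines on stdin, writes torrc lines on
# stdout. Returns 1 and writes no settings if any line is malformed.
bridges_to_torrc() {
    awk '
        NF == 0 { next }                      # skip blank lines
        $1 != "obfs4"                                       { bad = NR }
        $2 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/     { bad = NR }
        $3 !~ /^[0-9A-Fa-f]+$/ || length($3) != 40          { bad = NR }
        $0 !~ / cert=[^ ]+/ || $0 !~ / iat-mode=[012]( |$)/ { bad = NR }
        bad { exit }
        { out = out "Bridge " $0 "\n" }
        END {
            if (bad) {
                print "malformed bridge on line " bad > "/dev/stderr"
                exit 1
            }
            if (out == "") exit 1             # no bridges supplied
            print "UseBridges 1"
            print "ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy"
            printf "%s", out
        }'
}

# Usage: bridges_to_torrc < my_bridges.txt | sudo tee -a /etc/tor/torrc
```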

3. Running a Tor Relay

Contributing to the Tor network by running a relay helps everyone’s anonymity.

Types of Relays

1. Guard (Entry) Relay

  • High bandwidth, stable
  • Listed in public directory
  • Sees user IPs (but not destinations)

2. Middle Relay

  • Safest to run (no legal risk)
  • Doesn’t see source or destination
  • Just passes encrypted traffic

3. Exit Relay

  • Highest legal risk (your IP = Tor traffic source to outside world)
  • Can receive DMCA notices, abuse complaints
  • Not recommended unless you understand the legal implications

4. Bridge Relay

  • Helps users bypass censorship
  • Not publicly listed
  • Lower bandwidth requirements

Requirements:

  • Stable internet connection
  • At least 2 Mbps upload speed
  • 200 GB/month bandwidth (or unlimited)
  • Linux server (VPS or home server)

Install Tor:

sudo apt update
sudo apt install tor

Configure as Middle Relay:

sudo nano /etc/tor/torrc

Add these lines:

Nickname YourRelayNickname    # Choose a unique name
ContactInfo [email protected]    # Your contact (abuse reports)
ORPort 9001                   # Relay port (must allow incoming)
ExitPolicy reject *:*         # This makes it a MIDDLE relay (no exits)

# Optional: Bandwidth limits
RelayBandwidthRate 100 KBytes  # 100 KB/s sustained
RelayBandwidthBurst 200 KBytes # 200 KB/s burst

Restart Tor:

sudo systemctl restart tor

Verify relay is working:

# Debian/Ubuntu run the daemon as the tor@default unit; tor.service is only a wrapper
sudo journalctl -u tor@default | grep "Bootstrapped 100%"
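
An added example (not from the original page) that goes one step past the grep above: it checks that the torrc explicitly refuses exit traffic and reads a saved log for the ORPort self-test, since "Bootstrapped 100%" alone does not show that the relay is reachable. The function names are hypothetical; the matched phrases are Tor's notice-level log messages.

```shell
#!/bin/sh
# Added example, not from the course page. Inputs are a torrc file and a
# saved tor log (for instance journalctl output written to a file).

# torrc_role FILE -> "client", "non-exit" or "check-exit-policy".
# Exit policy rules are first-match, so only the first ExitPolicy rule
# (or an explicit "ExitRelay 0") proves that exit traffic is refused.
torrc_role() {
    awk '
        { sub(/#.*/, "") }                  # strip comments
        tolower($1) == "orport" && $2 != "0"    { relay = 1 }
        tolower($1) == "exitrelay" && $2 == "0" { noexit = 1 }
        tolower($1) == "exitpolicy" && !seen {
            seen = 1
            if ($2 == "reject" && $3 == "*:*") noexit = 1
        }
        END {
            if (!relay)      print "client"
            else if (noexit) print "non-exit"
            else             print "check-exit-policy"
        }' "$1"
}

# relay_log_state FILE -> "published", "unreachable", "bootstrapped" or
# "starting". "Bootstrapped 100%" only shows that tor built circuits as a
# client; a relay is usable once the ORPort self-test has passed.
relay_log_state() {
    if grep -q 'Self-testing indicates your ORPort.*is reachable' "$1"; then
        echo published
    elif grep -q 'has not managed to confirm' "$1"; then
        echo unreachable
    elif grep -q 'Bootstrapped 100%' "$1"; then
        echo bootstrapped
    else
        echo starting
    fi
}

# Usage: torrc_role /etc/tor/torrc
#        relay_log_state /path/to/saved-tor.log
```

A result of "unreachable" usually means the ORPort (9001 in the configuration above) is not allowed through the firewall or not forwarded to the server.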

Check metrics:

Middle relays:

  • Very low legal risk
  • EFF Tor Legal FAQ: Generally safe

Exit relays:

  • High legal risk - abuse complaints directed to your IP
  • Requires dedicated IP, legal understanding, abuse response plan
  • Only run if you fully understand implications

4. Tor + SSH Integration

Tor can anonymize SSH connections (useful for accessing servers without revealing your location).

SSH Over Tor (Using Tor as SOCKS5 Proxy)

Step 1: Ensure Tor is running

# Debian/Ubuntu run the daemon as the tor@default unit; tor.service is only a wrapper
sudo systemctl status tor@default
# Should show: active (running)

Step 2: SSH through Tor

ssh -o ProxyCommand="nc -X 5 -x 127.0.0.1:9050 %h %p" [email protected]

Or connect to clearnet server:

ssh -o ProxyCommand="nc -X 5 -x 127.0.0.1:9050 %h %p" [email protected]

Add to ~/.ssh/config for convenience:

Host myserver-tor
    Hostname example.com
    User myuser
    ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p

Now just:

ssh myserver-tor
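
A preflight for the host alias above, as an added example that is not part of the original page: it reads the effective client settings in the format `ssh -G` prints and refuses to connect when the session would bypass Tor or look the name up through the local resolver. The function names are hypothetical; the SOCKS address is the one used above.

```shell
#!/bin/sh
# Added example: fail closed if an ssh host alias would not go through Tor.
# Input format: output of `ssh -G <host>` (lowercase keyword, space, value).
TOR_SOCKS="127.0.0.1:9050"   # Tor SOCKS listener, as used in the text

# check_ssh_via_tor: reads `ssh -G` output on stdin, prints one finding
# per line, returns 0 only when nothing was found.
check_ssh_via_tor() {
    proxy="" bad=0
    while read -r key value; do
        case "$key" in
            proxycommand) proxy="$value" ;;
            verifyhostkeydns)
                case "$value" in yes|true|ask)
                    echo "verifyhostkeydns=$value: SSHFP lookups use the local resolver"
                    bad=1 ;;
                esac ;;
            canonicalizehostname)
                if [ "$value" = "always" ]; then
                    echo "canonicalizehostname=always: name is resolved locally"
                    bad=1
                fi ;;
        esac
    done
    case "$proxy" in
        *"$TOR_SOCKS"*) ;;
        "") echo "no proxycommand: ssh would connect directly"; bad=1 ;;
        *)  echo "proxycommand does not use $TOR_SOCKS"; bad=1 ;;
    esac
    return "$bad"
}

# ssh_tor HOST [ARGS...]: run ssh only when the preflight is clean.
ssh_tor() {
    ssh -G "$1" | check_ssh_via_tor ||
        { echo "refusing to connect to $1" >&2; return 1; }
    ssh "$@"
}

# Constructed `ssh -G` output for an alias whose ProxyCommand did not apply
# (for example a mistyped Host name): the check reports a direct connection.
demo_direct() {
    check_ssh_via_tor <<'EOF'
hostname example.com
user myuser
verifyhostkeydns false
EOF
}
```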

SSH to .onion Hidden Services

If the server is a hidden service:

ssh [email protected]
# Through Tor SOCKS proxy as above

Useful for:

  • Anonymous shell access
  • Remote server management without IP exposure

5. When NOT to Use Tor

Tor Is Not the Right Tool For:

❌ Downloading large files

  • Torrents (leaks IP, congests network)
  • OS ISOs (use direct download or VPN)

❌ Streaming video

  • Too slow for HD video
  • Unfair to other Tor users (bandwidth)

❌ Banking and financial transactions

  • Banks may flag Tor IPs as suspicious
  • Use VPN instead for banking privacy

❌ Logging into personal accounts

  • Defeats anonymity purpose
  • Use separate browser for social media

❌ Real-time gaming

  • Too high latency
  • Tor is for asynchronous communication

Tor Limitations

Tor does NOT protect against:

  • Malware on your device
  • Bad OpSec (logging into personal accounts)
  • Correlation attacks if adversary controls entry + exit
  • Traffic confirmation attacks (advanced)
  • Browser fingerprinting (if you customize Tor Browser)

Tor DOES protect against:

  • ISP seeing what sites you visit
  • Websites knowing your real IP/location
  • Network surveillance (if used correctly)
  • Censorship (with bridges)

6. Tor Alternatives

I2P (Invisible Internet Project)

Similar to Tor but:

  • Optimized for hidden services (not clearnet access)
  • Garlic routing (bundles multiple messages)
  • Fully distributed (no central directory)

Use case: Anonymous file sharing, messaging, hosting

Freenet

Decentralized, censorship-resistant platform

  • Stores encrypted data across network
  • No central servers
  • Designed for publishing, not browsing

Nym Mixnet (Advanced)

Next-generation mix network

  • Metadata resistance beyond Tor
  • Covered in Advanced Modules

7. Journal & Git Commit

echo "Week 7: Completed Tor deep dive - installed Tor Browser, tested circuits, accessed .onion sites, learned OpSec practices. Key insight: Tor is for anonymity, not speed." >> notes/week07_journal.md

git add .
git commit -S -m "Week 7 - Tor, onion routing, bridges, relays"

Week 7 Checklist

  • Installed Tor Browser from official source
  • Verified GPG signature (recommended)
  • Tested Tor Browser with check.torproject.org
  • Configured security level (tried Safer or Safest)
  • Accessed at least 2 .onion sites
  • Tested New Circuit functionality
  • Reviewed Tor OpSec do’s and don’ts
  • Understood when NOT to use Tor
  • (Optional) Configured Tor bridges
  • (Optional) Set up SSH over Tor
  • (Advanced) Installed Tor relay as middle node
  • Updated journal with Tor learnings


Key Takeaways

  • VPN + Tor is usually unnecessary - Tor alone provides strong anonymity
  • Bridges bypass censorship - obfs4 recommended for blocked regions
  • Running a middle relay is safe and helpful - Contributes to network anonymity
  • SSH over Tor hides your location - Useful for anonymous server access
  • Tor is not for everything - Don’t torrent, stream, or use for banking
  • Know Tor’s limitations - It’s not magic, OpSec still required