Contact me for feedback or questions! I reply to everyone.

Darknet setup in Slackware-based distros

UPDATE January 2023: rewritten and made into a separate article (used to be a section in Ninja's guide to the Internet).

- Introduction + base setup -
- System-wide TORDNS setup -
- Configuring programs to use TOR -
- Using proxychains -
- Blocking all non-darknet traffic (iptables) -
- Blocking all non-darknet traffic (nftables) -
- Summary -

Introduction + base setup

TOR is a network that allows (relatively) anonymous internet usage (and for free, too) - as well as accessing the special TOR-only websites called onions. To get involved, find the TOR package in Gslapt / slapt-get / slackpkg and install it; take note of the version since newer ones might require newer libevent, etc. The one from your main repo should suffice if you didn't do too many modifications to the base distro, otherwise you're going to have to figure it out (0.4.2.7 works in Salix 14.2 and presumably Slackware 14.2). The default configuration requires a separate user and group for running the daemon - so let's create them. It doesn't seem that the gtkusersetup GUI allows us to do everything we want to so we will just use the command line. Type this:

sudo groupadd tor; sudo useradd tor --gid tor --base-dir /var/lib/ --system --no-user-group --shell /bin/false --comment "TOR Daemon"

The group is created by groupadd and then the user by useradd; --gid option adds him to the tor group as main. The GUI would not allow us to create a system user, while the --system option does. This avoids clogging up the /home folder as well as requiring to give the tor user a password (ugh).

Now type these commands: sudo chown -R tor:tor /var/log/tor, then sudo chown -R tor:tor /var/lib/tor and finally sudo chown -R tor:tor /var/run/tor. This will make the newly created user the owner of some directories TOR requires, so that he has the sole permissions to use them. Now edit the TOR config file /etc/tor/torrc and ensure that these lines are somewhere in there uncommented (no # signs before); use Ctrl+F to find:

DataDirectory /var/lib/tor
User tor
PidFile /var/run/tor/tor.pid

If the # sign exists before any one of those, remove it. This will make the directories that we've just made owned by the tor user the "bases of operations" (instead of clogging the home directory that's apparently the default?), and ensure that the daemon is run by the actual newly created user (security advantage).

System-wide TORDNS setup

Now scroll down to the bottom of the config file and add these two lines:

DNSport 53
AutomapHostsOnResolve 1

This will allow you to use TOR as the DNS server later, preventing your ISP from knowing which sites you visit. To finish this process, put this line: nameserver 127.0.0.1 into your /etc/resolv.conf file as the only one. This is what actually decides which DNS server your computer uses. Remember to make the file unmodifiable, since otherwise dhcpcd will insert the ISP's DNS servers there on reboot, destroying your anonymity. Put nohook resolv.conf into /etc/dhcpcd.conf (my preferred option) or type sudo chattr +i /etc/resolv.conf into the terminal. This will also allow all the software on your computer to resolve onions regardless if they have a setting for it. By the way, Pale Moon and FF-based browsers have a dumbfuck about:config setting called network.dns.blockDotOnion that has to be set to false to be able to resolve onions (and the default is true for fuck's sake).

Configuring programs to use TOR

Anyway, let's learn how to set a program to connect through TOR (we will use Pale Moon as an example) First, click Tools and enter the Preferences menu:

Entering Preferences menu in Pale Moon

Now click Advanced, then Network, and finally Settings:

Entering Settings in the Pale Moon Network tab

Fill everything as shown:

Proxy settings properly configured in Pale Moon

There are a few problems with doing things this way, though (but I'm including it for completeness' sake). First of all, many programs lack proxy settings completely (e.g most terminal ones), which leaves you fully naked. Then - of those that do have them - they leak (as in, attempt to do stuff in the clear under certain conditions). I've discovered this for at least a few commonly used programs including Pale Moon itself. And third - even if the main proxy connection did not leak - it is rare to see an option to proxy the DNS, as well. Therefore, the ISP will know what you're doing either way (though we've already immunized ourselves against that with the system-wide TORDNS above). I think it's still worth it to do so for all programs that support it - there's never enough defense. And sometimes (new / broken installs, etc), you just don't have access to the more advanced methods, so this has to suffice. Still, this is clearly not even close to enough, so we're going to support our setup with an a lot more effective method:

Using proxychains

Enter proxychains, which allows us to route anything through TOR. Install it with a command like sudo slackpkg install proxychains or sudo slapt-get --install proxychains depending on which package manager you use. 4.14 works on vanilla Salix / Slackware 14.2 so there's no need to worry about that. The whole point of proxychains is that you don't need to rely on those unreliable settings. It also allows programs that lack the ability to set a proxy to still be sent through TOR. Edit the config file /etc/proxychains.conf so that the line:

proxy_dns

Is uncommented (no # sign). Though the system-wide TORDNS should protect us already, we need as much defense as possible (what if the ISP's DNS servers wind up in resolv.conf somehow, like if you forget to make it unmodifiable or remove it / reinstall dhcpcd for some reason, etc?). Also ensure that the line:

socks5 127.0.0.1 9050

Is there at the bottom. This actually decides where to "send" an application that you decide to proxify; which we have obviously defined to be the TOR proxy.

Proxychains is executed like this: proxychains4 filezilla (replace filezilla with the program you want to launch). Learn to run everything through it, because again, inbuilt settings leak shit almost always. If you are using xfce like me, you will need to edit your panel launchers like this:

Editing xfce panel launchers to use proxychains Editing xfce panel launchers to use proxychains

What about command line programs? You're either going to have to type the full command every time (unreliable and annoying) or put the following lines into the file /home/your_username/.bash_aliases:

alias sli="sudo proxychains4 slapt-get --install"
alias sls="sudo proxychains4 slapt-get --search"
alias srcs="sudo proxychains4 slapt-src --search"
alias srci="sudo proxychains4 slapt-src --install"
alias whois="proxychains4 whois"
alias yt-dlp="proxychains4 yt-dlp"

The left part (before "=") is the "shortcut", the right one (after "=" ) is the actual command run. And so, every time you type sls it will run the command slapt-get --search through proxychains - so you don't have to remember to type proxychains4 before every command every time if you just remember the shortcuts. You should set up a proxychains alias and / or launcher for every program you use that connects to the internet. Since if you forget to run something through proxychains, there is a risk that the software will expose your beautiful bare IP /s. Hey, apparently proxychains itself is not a perfect solution (archive), either:

The way it works is basically a HACK; so it is possible that it doesn't work with your program, especially when it's a script, or starts numerous processes like background daemons or uses dlopen() to load "modules" (bug in glibc dynlinker).

Though proxychains is a lot better than the inbuilt proxy settings of applications (which I've already proven to leak many times; it doesn't seem like programmers care too much about anonymity) - it still does not protect us from ourselves running something in the clear; and if you run a bunch of terminal commands every day, the probabilities are way against you even with the aliases. Fortunately diggy has prepared a method perfect for us schizophrenics careful people:

Blocking all non-darknet traffic (iptables)

The third line of defense - and the most important one - will let through only TOR (or additionally I2P) traffic. We will use iptables to do this - which I now prefer over nftables, since that pulls more random dependencies (while iptables is installed by default already) and doesn't really have an advantage. Just type these commands:

sudo iptables -F OUTPUT
sudo iptables -A OUTPUT -j ACCEPT -m owner --uid-owner tor
sudo iptables -A OUTPUT -j ACCEPT -o lo # used to allow traffic over the loopback device and is completely safe.
sudo iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
sudo iptables -P OUTPUT DROP

sudo ip6tables -F OUTPUT
sudo ip6tables -A OUTPUT -j ACCEPT -m owner --uid-owner tor
sudo ip6tables -A OUTPUT -j ACCEPT -o lo # used to allow traffic over the loopback device and is completely safe.
sudo ip6tables -P OUTPUT DROP

I won't pretend to have come up with this; the commands are actually stitched together from here (archive). What this firewall actually does is block any connections that don't come from the user tor. And because the tor user only runs the tor process, it effectively blocks anything non-TOR. After inputting the commands, you need to save them to files so that they can be loaded on every boot. Create a folder where these files will be put, for example with the command sudo mkdir /etc/iptables. Type sudo iptables-save > /etc/iptables/toronly and sudo ip6tables-save > /etc/iptables/toronly-ipv6. Now edit /etc/rc.d/rc.local and insert these lines:

iptables-restore /etc/iptables/toronly&
ip6tables-restore /etc/iptables/toronly-ipv6&

Ensuring the rules are loaded up on every system boot. To check if that actually happens, type sudo iptables --list-rules after reboot. The result should be something like this:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT DROP
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner 217 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

If you see the above, then non-TOR traffic is properly blocked. If there are only the first three, then the rules have not been loaded and there is no protection against rogue apps or user error. To more directly check if the blocking works, try a command in the clear such as wget --timeout 60 https://digdeeper.club. If the setup is proper, the connection should fail in 60 seconds with an error such as failed: Connection timed out. If the request went through - and the website downloaded - you have a leak (note, however, that the DNS request will go through regardless, because we have TORDNS system-wide). Adding proxychains4 in front of the wget should let the connection go through (you will get a message like [proxychains] Strict chain ... 127.0.0.1:9050 ... digdeeper.club:443 ... OK connected.)

Blocking all non-darknet traffic (nftables)

You can also do the same with nftables - which you're going to have to install (you need a newer version since the older ones lack certain essential commands). If you're not already running the newest Slackware, nftables will probably pull glibc / openssl upgrades (which will break your OS - beware) as well as other stuff. Follow a proper guide to upgrade your Slack, or don't bother and go with the earlier iptables setup. Anyway - if you insist on nftables and have been using any setup dependent on iptables (such as the one above or the VPN ufw setup) - you're going to need to burn your old rulesets with iptables -F and iptables -X (they'd still be active otherwise and interfere with what we're trying to do here). Next, create a config file such as /etc/nftables/toronly.conf and fill it with:

flush ruleset
table inet restricted {
chain inbound {
type filter hook input priority filter; policy accept;
ct state { established, related } accept
iifname "lo" accept
ip protocol icmp icmp type echo-request accept
reject with icmp port-unreachable
}

chain outbound {
type filter hook output priority filter; policy accept;
oifname "lo" accept
oifname "eth0" meta skuid tor accept
oifname "eth0" tcp sport 22 accept
reject
}

chain forward {
type filter hook forward priority filter; policy drop;
}
}

Every instance of eth0 has to be changed if using other interfaces, such as wlan0. The tor in oifname "eth0" meta skuid tor accept is the name of the user that runs TOR (you can also substitute a numerical user ID). Anyway, after writing down the configs, load them with the command sudo nft -f /etc/nftables/toronly.conf. Put that command into one of your startup scripts like /etc/rc.d/rc.local.

You can also add I2P to this setup. For that, you will need to install i2pd, then create an i2p user who will run exclusively that. Then add that user to the nftables config file, by replacing the line: oifname "eth0" meta skuid tor accept with oifname "eth0" meta skuid { tor, i2p } accept. Be careful while doing any of this. Have those users run ONLY their designated daemons! If you run another program as those users (or add another user to the whitelist), that program or user will be allowed internet access, threatening your anonymity.

Summary

With either of these setups (iptables or nftables), even if an application's proxy settings leak. Or if proxychains itself leaks. Or if you stupidly let the DNS servers change or run something bare. None of this will matter because the firewall rules will block it all. At worst, you will end up with an application that can't do anything (which means the fortress has kept it out - exactly as we want). I've used these setups for long enough now that I can say with high confidence that they are leakless.

Anyway, the full darknet setup obviously provides a significant increase in anonymity compared to the VPN one (and is free), but comes with a price. It is a lot slower, for one. All UDP packets are blocked so forget about torrenting, you dirty little consoomer, you. Oh, and Cloudflare will bully you mercilessly. Even WHOIS blocks TOR (edit: actually, this is only sometimes, so you can proxychains it). I am warning you, this setup is only for true darknet enthusiasts. However, it's not so bad - you get used to it quick, like to uMatrix. And the rewards are worth it.

Back to the front page