Using Tor and SSH Tunneling


One of the things about the sad state of affairs in the world today is that everything is being monitored.

What used to be perfectly legal may bring the ire of a government down upon you.  That was why I started to think about how to privately surf the web without someone trying to match log files with my machine's IP address.

Of course, there are proxy servers out there, but still there are those damned log files that some sites keep for a long time.  You never know.  Some of you may be familiar with SSH tunneling and that is another way, but still you're counting on the one SSH server to forward your packets out to the web, or rather, to a proxy server.  And how long are those log files kept?  Unless you're the owner of the server, you should always assume the worst.

I've only been reading 2600 for about a year, so if I'm repeating information I apologize.  But I know that there are some newbies like me out there who might be interested in this subject, so I thought it would be nice to revisit this subject with a twist.  But, I'll get to that later.

One way to privately surf the net (without buying proprietary software) is by using a program called Tor.  Their own documentation states that, "Tor provides a distributed network of servers ('onion routers').  Users bounce their TCP streams (web traffic, FTP, SSH, etc) around the routers.  This makes it hard for recipients, observers, and even the onion routers themselves to track the source of the stream."

You can download Tor at  If you're using a UNIX-like system, you should gunzip and untar the package you download in any directory you want.

You will also need a package called libevent and it can be downloaded at

First untar the libevent package, then cd into the libevent directory.

The installation instructions for UNIX (I am using Linux) are very straightforward:

# ./configure
# make
# make install

Then you must cd into the untarred Tor directory and repeat the above commands to build Tor.

Check at Tor's website for more in depth installation instructions and documentation.

At the time I wrote this article, the latest version of Tor was  However, I had no problems during the build.

For Windows users, the Tor website also has prebuilt executables that you can use on Windows based machines.  I tried compiling Tor under Cygwin (a UNIX simulation program) and it appeared to compile correctly on my Windows XP box, but the program wouldn't run correctly.  So I suggest you stick with the precompiled version.

At this point, you're ready to run Tor.  Assuming the executable is in your path, you should just be able to run the command tor in an Xterm or shell.  Tor recommends you not run it as root.

The program should start up and begin to try to connect to the network.  Running Tor in command line option allows you to see the messages it prints and a lot of times I've found this is good for debugging.

Windows users should have a Tor icon on their desktop.  Just double-click it and it should run, assuming you chose a default installation.

One particular message you want to look out for is "Tor has successfully opened a circuit.  Looks like it's working."  That means you're good to go.

When I first started using Tor, I opened up Ethereal just to sniff my network and see where the packets were going.  If you do the same you'll see packets are going to several different IPs at various times.  However, when I started up Tor I noticed the message "This is experimental software.  Do not rely on it for strong anonymity."

This concerned me, so I began to think of other ways to possibly add another layer of anonymity to the process.  Could I possibly incorporate the usage of the well-known SSH tunneling with Tor?  The answer is yes, you can.

In order to use this option, you should first download a simple C program written by Shunichi Goto.  You can find it at

To compile, follow the instructions in the source code.  They are very easy to follow.

One option that the SSH client allows you to do is to execute a command when you connect to an SSH server.  This is very handy especially since the connect program can work with Tor.

Therefore, you can connect to an SSH server, but via the Tor network and not directly to the SSH server.  Open up an Ethereal/tcpdump process to watch the packets flow before you connect to the SSH server of your choice and watch what happens.

First, let's start with a more simple example.

Let's say you want to connect to an SSH server, but through the Tor system.  Assuming Tor is still running and you have a valid account on an SSH server, you can connect with this command (all on one line):

$ /usr/bin/ssh -l [userid] [ip_of_ssh_server] -o ProxyCommand="/tmp/connect -4 -S %h %p"

Note that I'm using the IP of the SSH server, not the DNS name.

Try to stay away from any DNS name resolutions made from your machine to a DNS server.  As an added measure, you might want to comment out any DNS servers listed in your /etc/resolv.conf file.  However, keep in mind that some programs do their own DNS resolution calls.

Anyway, in this example, I compiled the connect.c source code in /tmp, but you can do it anywhere you want.  This method of connecting to an SSH server will be slower, but now you add a layer of anonymity that you might not have when directly connecting to an SSH server.

But what if you want to go a step further and surf the web through the SSH tunnel?  Then you must run a more tricky command.

You should go back and re-read the man pages for the SSH client to refresh your memory on port forwarding, but I'll give you an example.  Say you want to surf the web and use a tunnel to an SSH server on which you have an account.

Now, not all SSH servers allow this maneuver, but let's assume yours will.

First, you need an IP address and port number of a proxy server that will allow you to surf the web through it.  Not all proxy servers allow this, but some do.  You can find a list at  But let's say you found one at using port 8080.  As a side note, don't use this IP in actual operation since it's a reserved internal IP address and I'm using it just as an example.

Now, you must choose a port where you want your local machine to be listening for requests from your browser.  Let's choose a random port, say 4567.

This is the setup: when you make a request from your browser, the call goes to port 4567, then to port 9050 on your local machine, then through the Tor network to the SSH server which forwards the packets to

Before you can do this though, you must first change the proxy settings in your browser.  Since browsers differ on where this setting is at, I won't be able to expound on this, but if you're a Mozilla/Thunderbird user, you can find it under: "Edit -> Preferences -> Advanced -> Proxy".

For Microsoft's IE (XP), the setting is located under: "Tools -> Internet Options -> Connections -> LAN Settings".

Choose the manual configuration and set the host to and the port to 4567.

Close out the first SSH session and open a new Xterm session.  Make sure Tor is running and you are connected to that network.  Now you are set to run your SSH command (all on one line):

$ /usr/bin/ssh -l [userid] [ip_of_ssh_server] -L4567: -o ProxyCommand="/tmp/connect -4 -S %h %p"

You should be prompted for your password for the ssh account.  Do not exit out of this session.

You need it open while browsing the web.  Open the browser and start surfing.

Watch the Tor messages that might indicate that tunneling is not allowed or the proxy refuses to forward requests.  If so, you may have to choose another proxy or your SSH server doesn't allow tunneling.

Assuming success, to test what IP address a website may be seeing you come from you can go to a website such as  You should see the IP address of the proxy server, in this example  It's also a good idea to open an Ethereal/tcpdump process and watch where the packets are going.

One thing I'm not sure of is where the DNS name resolution takes place if I have removed nameservers out of all my network files.  Is it at the proxy?  At the SSH server?  Along the Tor network?

Any experts out there may want to shed some light on this subject, but I didn't see any DNS requests in my Ethereal sessions coming from my machine when using the above method.

You should realize that browsing the web using the technique above will be slower, possibly very slow depending on what proxy server you choose, but vary the proxy settings to see how your response time changes.  Occasionally, I've gotten reasonable response times across the web using this technique.

Return to $2600 Index