If you have an interest or a need for anonymity and unblocked internet access, you have probably heard of Tor and maybe have used it. It is an effective tool for defeating censorship and surveillance, routing your traffic through multiple anonymizing relays before sending it to its destination. It is so effective that some authorities, monitoring political, military, or criminal adversaries, maintain watch lists of Tor users. If you would like to avoid having Tor usage tied to your IP address, and keep your IP address off of government watch lists, read how to do it here.
Authorities monitor VPNs and Tor by looking for the unique signalling protocols they use. OpenVPN has a certain pattern, Wireguard another, and a number of patterns for Tor - depending on whether it is basic Tor or Tor with obfuscation. Because governments in China, Iran, and other authoritarian countries expend plenty of money and effort to block Tor, Tor developers have created multiple types of bridges or means of obfuscation. They are effective, but not perfect; they are eventually found and blocked and the Tor users are investigated. Even the USA and its partner "Five Eyes" countries pay attention to Tor users.
A larger risk when authorities are interested in your Tor traffic is that they may try to unmask you. Unmasking is not easy, but it is sometimes possible. Unmasking efforts typically consist of:
One way to keep your Tor usage separated from your home or office computers is to not ever use it from said home or office. Instead, set up a distant server and operate Tor from there, with SSH and port forwarding from your local computers. It is almost seamless and does not attract attention like brazen Tor packets from your laptop. In fact, SSH is probably the last protocol to be blocked if authorities fully cut off the internet some day.
A nice aspect of keeping Tor off of your local devices is "cleanliness." An inspection will not find an instance of Tor, though you could be a heavy user through the distant server. Answering for the SSH usage could be as simple as, "I am learning how to program in Bash" or "I do web design and SEO."
You will insall Tor on a real "bare metal" or Virtual Private Server (VPS). I suggest a VPS, as there are plennty of options and even a few which are free (as in free beer):
Note: this example assumes a server with Ubuntu Linux as the operating system. Adjust as necessary if you select a server with a different system.
After getting your server spun up and running, make sure you have OpenSSH Server installed. It should be there; if not, install it. Also install tor.
Make sure Tor is installed with no errors and is running. Check it with this command, expecting a message that it is active:
sudo systemctl status tor
Use a key based login instead of a username and password. It is easier and far
more secure. Follow the instructions from your server provider to set it up.
Sometimes, you may create keys in their control panel and download them. In
other instances, you may create them locally and upload your public key to
the server. Ubuntu users should become familiar with the ssh-keygen
and ssh-copy-id tools.
In addition to setting up your key based acces to the server, be sure to set up your ssh config file. Here is an example of the file .ssh/config, which would reside in your Linux home directory:
Host * Compression yes ServerAliveInterval 240 Host berkshire HostName 220.127.116.11 User anderson Port 22 IdentityFile ~/.ssh/id_rsa Host valleyforge HostName 172.28.200.209 User lowell Port 22 IdentityFile ~/.ssh/id_rsa
Since the darknet environment is much more risky than typical clearnet sites, take some extra time to set up your browser and also configure its proxy settings:
Firefox blocks .onion sites by default. You may unblock them by going into the about:config tab:
Manage your connections to Tor by entering an SSH command in the terminal; keep the terminal open but minimized and out of the way. Here is the command:
ssh -L 9050:127.0.0.1:9050 berkshire
To exit, simply execute exit in the SSH session to log off the server.
Setting up that SSH config file is important, as it allows you to use a short command in the terminal to log on. Note the -L option, which sets up the port 9050 forwarding so your browser works with the remote Tor instance. To verify that your browser is actually using Tor, visit this page first, before you go into the darknet:
There is a tor-remote script to simplify management of your remote Tor sessions. With servers' data entered in your ssh config file, you have the convenience of a nice menu and an easy click-to-run. However, you need Rofi and / or fzf installed. MOFO Linux is nicely configured with all of this, ready to use Tor from a VPS. What I do is keep the SSH config data for some cheap servers on a USB stick, and copy it into the live system before connecting.
It is even possible to run a chain of ssh connections, through one or more servers, to a last server which has a running Tor instance for your anonymous browsing. I was pleasantly surprised to try it on a chain of servers with gigabit broadband, and they were all fast enough to stream podcasts without any problems.
What I did was connect with port forwarding from the local machine to server #1, ssh with port forwarding from there to server #2, thence from server #2 to server #3, which also had Tor. When checking the detected public IP address, it was from a Tor exit node. Locally, the browser worked fine and loaded onion sites. Upon disabling Tor on server #3, I was able to browse with a slight increase in latency and have that server's IP address instead of my local IP. Chaining works, though performance would probably be better with a series of servers set up to run a Wireguard VPN.
With Tor installed on a remote server, whether hardware or a free VPS, you can ssh into the server from your personal computer and enjoy anonymity and an unblocked internet without the risk of running Tor locally, where it may be observed by your ISP or local authorities. Even in free countries, where Tor is legal, attackers may still try to surveil you. Use this remote server method to keep the unfriendlies at bay.