Boost Tor Privacy: Isolating Proxy

November 15, 2016 | Views: 8678

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here


Tor is a widely popular connection-oriented anonymizing communication service used by journalists, activists groups, security investigators, among others. This article explains how to boost the Tor privacy using it as an Isolating Proxy.

An Isolating Proxy is one of the safest Tor setups. It prevents leaks present in other scenarios such as Transparent Proxy. A Transparent Proxy routes all traffic through Tor and blocks the rest, but an Isolating Proxy only allows the traffic through the SocksPort.

An Isolating Proxy requires at least two machines. Those machines can be either virtual machines or two physically isolated machines. Both machines are connected through an isolated LAN. The machine where Tor is running is called Gateway. The machine with the client applications is the Workstation.



The Gateway can be a virtual machine with two network interfaces.

The first network interface is used to connect to the Tor network (for example, eth0). Tor opens the SocksPort on the second network interface, in an isolated network (for example, eth1). The isolated network can be Host-only or any other configured in the virtualization software. The key point is that it has to be used only by the Gateway and the Workstation.

If the Gateway has the IP address, open the SocksPort in torrc with:

#DNSPort 53 # Optional, for DNS resolving

The DNSPort option is to do DNS lookups with Tor when the client applications cannot resolve domain names via SOCKS. When possible, it is preferable to use only the SocksPort.

The Gateway never forward IP packets, otherwise, the client applications from the Workstation would easily skip the Tor Proxy. Edit /etc/sysctl.conf to disable it:

On FreeBSD:


On GNU/Linux:


Reload changes:

On FreeBSD:

$ sudo /etc/rc.d/sysctl reload

On GNU/Linux:

$ sudo sysctl -p /etc/sysctl.conf


The Workstation uses Tor Gateway as the default gateway and DNS server. But this is not really necessary, as the Gateway does not forward packets. The Gateway is used as DNS server if the DNSPort is enabled.

As the Workstation is on an isolated network without clearnet access, all the client applications (Firefox, Tor Browser, nmap, etc.) must be configured to use the SocksPort, otherwise, they will be unable to connect.

Client examples

Below are a couple, of examples of how to configure, client applications to work with SOCKS proxies.


Firefox can connect via SOCKS proxies. Go into Tools, Options: Under the Advanced area, go to the Network tab and in the Connection area click the Settings button.

Choose Manual proxy configuration. Under SOCKS Host enter the Gateway IP address and the SocksPort (9050). Select SOCKS v5 and Remote DNS.


The nmap tool does not natively SOCKS support, so we need to use a proxifier like proxychains, or tsocks. We choose tsocks in this example.

First, enable DNSPort in Gateway. Then modify /etc/tsocks.conf as below, assuming the Gateway IP address is

local =
server =
server_type = 5
server_port = 9050

Now launch nmap for example with:

$ tsocks nmap -sT -Pn -p80 -v

Please note that nmap gets better results in TCP Connect mode when proxified.

Final thoughts

This guide explains how to quickly setup Tor as an Isolating Proxy. A more comprehensive and robust solution is Whonix. It uses an Isolating Proxy with an additional Transparent Proxy, which can be optionally disabled.

Keep into account that an Isolating Proxy will not protect against fingerprinting attacks on its own. It is recommended to use it in conjunction with the Tor Browser or with a distribution like Tails.

Although this configuration provides better anonymity, it does not protect against malware or software with serious security vulnerabilities.

If you combine this Tor deployment with a laptop, a mobile network connection, and a secure VPN, you will end having an advanced solution for anonymous tasks.

Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
  1. Really useful, ThX

  2. This is cool thank you

  3. Very nice article.

    Please consider of writing more about Tor, Tails and how they actualy work.

    • I was wondering about how Tails relates to this article. Is this basically how Tails accesses the Internet?

      • Tails can of course be configured to use other methods for routing data traffic (such as I2P), Tails by default routes all traffic through TOR, yes. Tails is meant for anonymous internet access and TOR is one of the best publicly known methods for doing so.

Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?