Tor Transparent Proxy

Obscurix uses a transparent proxy to force all connections except I2P/Freenet traffic through Tor and block anything it can't torify. This makes IP leaks impossible without a root exploit or compromise of Tor, I2P or Freenet.

The firewall is configured with iptables and the rules are in /etc/iptables/iptables.rules.

The Tor Browser's Tor daemon is disabled and the system Tor daemon is configured to open a SocksPort at 9150. This is to prevent the Tor Browser's Tor daemon's traffic being forced through the system Tor daemon thus resulting in Tor over Tor. Instead, the Tor Browser uses the system Tor daemon.

Unlike Tails, there is no Unsafe Browser. The reason for this is that it allows an adversary to easily discover your IP address without root privileges. This makes it not possible to login to captive portals though. If you do need to login to a captive portal, you can specify the notor parameter at boot, login to the captive portal and re-enable Tor by running

sudo systemctl start tor.service iptables.service

Stream Isolation

Tor stream isolation is configured for applications by default to prevent identity correlation through circuit sharing. It does this by configuring applications to go through their own SocksPorts.

The Tor Browser is configured to go though SocksPort 9150 and pacman is configured to go through SocksPort 9060. Some generic applications are configured to go through SocksPort 9050 and every other connection will go through the TransPort (port 9040).


/etc/resolv.conf is set to use as its nameserver for DNS resolution. The problem with this is it only supports port 53 and the DNSPort is set at port 5353 so Obscurix uses dnsmasq to solve this problem. /etc/resolv.conf points to dnsmasq which then points to the Tor DNSPort. NetworkManager is configured not to overwrite /etc/resolv.conf and resolv.conf has the immutable flag so it can't be overwritten.

Tor Control Port Filter Proxy

The Tor control port allows you to send commands that control the Tor process. By default, there is no authentication needed and all commands are allowed. This is bad as there are some extremely dangerous commands such as GETINFO address which can leak your real external IP address. To test this, install netcat, configure a control port in your torrc by adding ControlPort (port) and make sure there is no authentication set. For this example, the Tor control port will be set at 9151 (the default for the Tor Browser).

To connect to the Tor control port, run

nc 9151



It should say

250 OK

If not, there is some authentication configured in your torrc. Now enter

GETINFO address

You should now see your real IP address.

This is dangerous for obvious reasons. To fix this, we can disable the control port altogether, or we can add a control port filter proxy. Disabling the Tor control port will break a lot of functionality such as the "New Identity" button on the Tor Browser. A control port filter proxy filters out dangerous Tor control port commands and allows only the needed ones. For example, we can use the "New Identity" button without being able to use GETINFO address.

Obscurix uses Tails' onion-grater as a control port filter proxy. It's open source, written in a memory safe language and is easy to use.