AORTA a transparent Tor proxy for Linux programs
Rob van der Hoeven, Sat Oct 28 2017
I'm proud to announce a new program of mine called AORTA which stands for Another Onion Router Transproxy Application. AORTA is a small Linux utility that transparently routes all TCP and DNS traffic from a program under its control through the Tor network.
Transparent means that the program does not need a special Tor configuration: you simply let AORTA start the program and it will magically start using the Tor network.
Usage is as follows:

  aorta [aorta parameters] [program] [program parameters]

Possible (optional) aorta parameters are:

  -t  enable terminal output (for programs like wget, w3m etc.)
  -c  DO NOT CHECK if Tor handles all Internet traffic
  -a  DO NOT CHECK if the targeted program is already active

Note: ONLY use a DO NOT CHECK option if you are *very sure* that the check is indeed not needed.

Examples:

  aorta firefox https://check.torproject.org
  aorta chromium expyuzz4wqqyqhjn.onion
  aorta -t w3m expyuzz4wqqyqhjn.onion
  aorta -t git clone http://dccbbv6cooddgcrq.onion/tor.git
  aorta bash
Requirements.
AORTA makes use of some newer kernel and firewall technologies. Your system should have:
1. A Linux kernel with a version number greater than 3.14. You can check this with the following command:
  uname -a

Which reports on my system:
---------------------------
Linux jessie 4.9.0-4-amd64 #1 SMP Debian 4.9.51-1 (2017-09-28) x86_64 GNU/Linux
My kernel version is 4.9 and meets this requirement.
2. An iptables version with cgroup support. This can be checked as follows:
  /sbin/iptables -m cgroup -h | grep cgroup

On my system this results in:
-----------------------------
cgroup: Could not determine whether revision 1 is supported, assuming it is.
cgroup match options:
[!] --path path        Recursively match path relative to cgroup2 root
[!] --cgroup classid   Match cgroup classid, can't be used with --path
The cgroup match options in the output indicate that cgroup support is available.
Warning.
The Tor network hides your IP address, but it does not anonymize the contents of your network traffic. AORTA can magically route all network traffic from a program through the Tor network, but AORTA cannot anonymize the contents of that traffic either.
If you use a program that generates network traffic containing information that can identify you, then that traffic can be used to identify you once it leaves the Tor network. I can imagine that some of you are a little confused, so what do I mean? Let me give you two examples:
- If your email client connects unencrypted to an email server over the Tor network, then all your email traffic, including your user name and password, can be read at the Tor exit node.
- Network traffic from web browsers contains a lot of identifying information. In most cases this information does not identify you directly, but it can still be used to track you down. Take for example a user ID stored in a cookie: if your browser has at some moment sent that cookie without using Tor, your real IP address can be guessed; from all recorded IP addresses seen sending the cookie, it's the one that does not belong to a Tor exit node.
The Tor project has made a special version of Firefox called Tor Browser which minimizes the sending of user identifying information. You should use Tor Browser if exposing your identity is dangerous to you. If you just don't like to be monitored by your friendly government agency or ISP, it's fine to use a normal web browser in combination with AORTA. Note however that Tor Browser has its own Tor connection and should not be started by AORTA.
Installation.
Installation of AORTA involves the following steps:
- Download and extract AORTA.

  You can download AORTA by clicking this link, which takes you to the latest version of AORTA on the downloads page. Let's assume you downloaded version 1.1 of AORTA; then you can extract it as follows:

    tar xfvz aorta-1.1.tar.gz
- Go to the extracted aorta directory and compile the source code.

    cd aorta-1.1
    gcc -Wall -o aorta aorta.c
This should result in an executable named aorta. If compilation does not work then you probably have no gcc compiler/environment installed. On Debian and Debian based systems like Ubuntu and Linux Mint the build-essential package contains the missing tools.
- Execute the following commands as root:

    cp aorta /usr/local/bin/aorta
    chown root:root /usr/local/bin/aorta
    chmod u+s /usr/local/bin/aorta
- Change the configuration of the local Tor daemon.

  The configuration file /etc/tor/torrc should contain the following lines:

    VirtualAddrNetworkIPv4 10.192.0.0/10
    AutomapHostsOnResolve 1
    TransPort 9040
    DNSPort 9041

  You can add these lines at the end of the file. After you have changed the Tor configuration, the Tor daemon must be restarted:

    systemctl restart tor
- Test if aorta is working.

  You should now have a working aorta program. You can test it by executing the following command:

    aorta -t curl https://check.torproject.org/api/ip

  On my system this results in the following output:
  --------------------------------------------------
  TESTING if Tor handles all Internet traffic
  ...Resolving - expyuzz4wqqyqhjn.onion
  ...IP address - 10.229.18.254
  ...Connecting - Done!
  ...Sending request - Done!
  ...Getting response - Done!
  PASSED Tor connection test
  RUNNING curl https://check.torproject.org/api/ip
  {"IsTor":true,"IP":"137.74.73.179"}
  AORTA CLOSED ...

  AORTA works correctly if the output contains "IsTor":true.
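The torrc lines above (TransPort 9040, DNSPort 9041, the 10.192.0.0/10 automap range) and the iptables cgroup match from the requirements section are the two halves of a transparent proxy. As an added illustration that is not aorta.c's own code, the script below shows how such a rule set can be built from a net_cls cgroup and the cgroup match, with a closing REJECT so that anything not redirected to Tor is refused instead of leaking; the classid value, the cgroup name and the net_cls v1 mount point are assumptions.

```shell
#!/bin/sh
# Added illustration in the spirit of AORTA, not code from aorta.c.
# Assumptions: cgroup v1 net_cls mounted at /sys/fs/cgroup/net_cls, the
# classid below is unused, and the ports match the torrc lines in this post.

TRANS_PORT=9040      # Tor TransPort
DNS_PORT=9041        # Tor DNSPort
CLASSID=0x00110011   # constructed net_cls classid for the Tor-only cgroup

# Print the rule set for one cgroup classid, one iptables command per line.
# DNS (UDP 53) goes to DNSPort, which with AutomapHostsOnResolve answers
# .onion names from 10.192.0.0/10; new TCP connections (--syn) go to
# TransPort and conntrack carries the rest of each flow. The REJECT rules
# make the cgroup fail closed: other UDP, IPv6, or anything else that was
# not redirected to a local Tor port is refused instead of leaking.
# The Tor daemon itself is outside the cgroup, so its traffic is untouched.
aorta_rules() {
    classid=$1
    cat <<EOF
iptables -t nat -A OUTPUT -m cgroup --cgroup $classid -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
iptables -t nat -A OUTPUT -m cgroup --cgroup $classid -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
iptables -t filter -A OUTPUT -m cgroup --cgroup $classid ! -o lo -j REJECT
ip6tables -t filter -A OUTPUT -m cgroup --cgroup $classid -j REJECT
EOF
}

# Number of rules emitted, and whether the set fails closed (has a REJECT).
rule_count()   { aorta_rules "$1" | wc -l | tr -d ' '; }
fails_closed() { aorta_rules "$1" | grep -q -- '-j REJECT'; }

# Root only: create the cgroup, load the rules, move this shell into the
# cgroup and exec the program so it and its children carry the classid.
aorta_run() {
    cg=/sys/fs/cgroup/net_cls/aorta
    mkdir -p "$cg"
    printf '%s\n' "$CLASSID" > "$cg/net_cls.classid"
    aorta_rules "$CLASSID" | sh -e
    printf '%s\n' "$$" > "$cg/cgroup.procs"
    exec "$@"
}

# Usage: ./tor-cgroup.sh --run curl https://check.torproject.org/api/ip
if [ "${1:-}" = "--run" ]; then
    shift
    aorta_run "$@"
fi
```

Without --run the script only defines the functions, so the rule set can be printed and inspected with aorta_rules before anything is loaded.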
What can go wrong?
AORTA can only do its magic if the program it starts is under its control. In technical terms: the program must be a child process of the aorta program.
Some programs escape aorta's control if the program is already running. These programs detect at start if there is a running instance of the program. If so, they do not start a new program but instead clone the running program. This clone is a child of the running program and therefore not under the control of aorta. The clone will not use the Tor network.
AORTA checks if there is a running instance of the program you want to start and warns you about the possible problem as follows:
  aorta firefox

  TESTING if Tor handles all Internet traffic
  ...Resolving - expyuzz4wqqyqhjn.onion
  ...IP address - 10.229.18.254
  ...Connecting - Done!
  ...Sending request - Done!
  ...Getting response - Done!
  PASSED Tor connection test
  WARNING The program you want to start is already running.
  Some programs will clone a running program. If so, this
  cloned program will NOT USE THE Tor NETWORK.
  You can detect this behavior as follows:
  - AORTA exits after the program is started
  - The title bar of Firefox/Chrome does not show (on AORTA).
  - https://check.torproject.org reports: You are not using Tor.
  Do you want to continue (y/N)?
It is not wise to ignore this warning. If you do, you should be pretty sure that the warning is a false alarm.

IMPORTANT: For AORTA it is not always possible to detect if a program is already running. On Linux it is quite simple to create a link to a program with a completely different name. It is also quite common to let a script start the actual program, in which case the script name can differ from the program name.
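The IMPORTANT note above is exactly why a check on the program name can miss a running instance. As an added illustration that is not aorta.c's own code, the function below instead compares the canonical target of each /proc/PID/exe with the canonical path of the program about to be started, so a symlink or renamed copy of the same binary is still recognised; the proc root is a parameter so the check can be exercised on a constructed tree, and PROC_ROOT and warn_if_running are names chosen here.

```shell
#!/bin/sh
# Added illustration, not code from aorta.c. Counts running processes that
# execute the same file as $2 by scanning the proc filesystem rooted at $1
# (normally /proc). Both sides are canonicalised with readlink -f, so the
# check sees through symlinks with other names; a wrapper script that has
# not yet exec'ed the real binary is still invisible to it.
running_instances() {
    proc_root=$1
    target=$(readlink -f "$2") || return 1
    n=0
    for exe in "$proc_root"/[0-9]*/exe; do
        # /proc/PID/exe of another user's process is unreadable, and a
        # process may exit mid-scan: skip anything that cannot be resolved.
        real=$(readlink -f "$exe" 2>/dev/null) || continue
        [ "$real" = "$target" ] && n=$((n + 1))
    done
    echo "$n"
}

# Warn the way AORTA does when the program is already running; returns 1 so
# a caller can stop and ask, as aorta does, before starting a possible clone.
warn_if_running() {
    if [ "$(running_instances "${PROC_ROOT:-/proc}" "$1")" -gt 0 ]; then
        echo "WARNING The program you want to start is already running." >&2
        return 1
    fi
    return 0
}
```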
Problems and solutions.
During testing of AORTA the following problems were detected:
- Firefox cannot access onion sites when running under AORTA.
By default Firefox blocks onion addresses. Changing this behavior involves the following steps:
- type about:config in the address bar and press enter.
- promise you will be careful!
- type dns in the search field on top of the page.
- change the network.dns.blockDotOnion setting to false.
- AORTA fails to run non-terminal programs.
This problem was detected when running aorta on an ArchLinux system. It turned out that the X-server configuration of ArchLinux does not allow access from a remote system.
Just before AORTA starts a program it changes the host name (only for that program). A new host name can be handy because:
- When a shell is started by aorta, the host name will be part of its prompt.
- X11 programs like Firefox and Chromium show it on their title bars.
So, a new host name can give a visual indication that a program is using the Tor network. But on an ArchLinux system the new host name makes the X-server think it is accessed from another system, which is not allowed by the configuration.
There are two solutions for this problem:

- Comment out or remove the new_hostname function in aorta.c (it's called from the main function). You have to compile and install aorta again if you do this.
- Make the X-server configuration less restrictive by running the command:

    xhost +local:

  This command won't survive a restart. To make it permanent, add it to .xinitrc, just before the GUI is started. Note that it allows any local user to connect to your X server.
Final words.
I hope you enjoy my little program. Don't hesitate to report problems that you encounter.