Contact me for feedback or questions! I reply to everyone.

Darknet setup in Slackware-based distros

UPDATE January 2023: rewritten and made into a separate article (used to be a section in Ninja's guide to the Internet).

TOR is a network that allows (relatively) anonymous internet usage (and for free, too) - as well as accessing the special TOR-only websites called onions. To get involved, find the TOR package in Gslapt / slapt-get / slackpkg and install it; take note of the version since newer ones might require newer libevent, etc. The one from your main repo should suffice if you didn't do too many modifications to the base distro, otherwise you're going to have to figure it out (0.4.2.7 works in Salix 14.2 and presumably Slackware 14.2). The default configuration requires a separate user and group for running the daemon - so let's create them. It doesn't seem that the gtkusersetup GUI allows us to do everything we want to so we will just use the command line. Type this:

sudo groupadd tor; sudo useradd tor --gid tor --base-dir /var/lib/ --system --no-user-group --shell /bin/false --comment "TOR Daemon"

The group is created by groupadd and then the user by useradd; --gid option adds him to the tor group as main. The GUI would not allow us to create a system user, while the --system option does. This avoids clogging up the /home folder as well as requiring to give the tor user a password (ugh).

Now type these commands: sudo chown -R tor:tor /var/log/tor, then sudo chown -R tor:tor /var/lib/tor and finally sudo chown -R tor:tor /var/run/tor. This will make the newly created user the owner of some directories TOR requires, so that he has the sole permissions to use them. Now edit the TOR config file /etc/tor/torrc and ensure that these lines are somewhere in there uncommented (no # signs before); use Ctrl+F to find:

DataDirectory /var/lib/tor
User tor
PidFile /var/run/tor/tor.pid

If the # sign exists before any one of those, remove it. This will make the directories that we've just made owned by the tor user the "bases of operations" (instead of clogging the home directory that's apparently the default?), and ensure that the daemon is run by the actual newly created user (security advantage). Now scroll down to the bottom of the config file and add these two lines:

DNSport 53
AutomapHostsOnResolve 1

This will allow you to use TOR as the DNS server later, preventing your ISP from knowing which sites you visit. To finish this process, put this line: nameserver 127.0.0.1 into your /etc/resolv.conf file as the only one. This is what actually decides which DNS server your computer uses. Remember to make the file unmodifiable, since otherwise dhcpcd will insert the ISP's DNS servers there on reboot, destroying your anonymity. Put nohook resolv.conf into /etc/dhcpcd.conf (my preferred option) or type sudo chattr +i /etc/resolv.conf into the terminal. This will also allow all the software on your computer to resolve onions regardless if they have a setting for it. Now install proxychains - with a command like sudo slackpkg install proxychains or sudo slapt-get --install proxychains depending on which package manager you use. 4.14 works on vanilla Salix / Slackware 14.2 so there's no need to worry about that. This piece of software allows us to run anything through TOR - and it's essential because I've noticed that most in-built proxy settings LEAK SHIT, so we won't even bother with those (though you can still set them if you want to). The whole point of proxychains, though, is that you don't need to rely on those unreliable settings. It also allows programs that lack the ability to set a proxy to still be sent through TOR. Edit the config file /etc/proxychains.conf so that the line:

proxy_dns

Is uncommented (no # sign). Though the system-wide TORDNS should protect us already, we need as much defense as possible (what if the ISP's DNS servers wind up in resolv.conf somehow, like if you forget to make it unmodifiable or remove it / reinstall dhcpcd for some reason, etc?). Also ensure that the line:

socks5 127.0.0.1 9050

Is there at the bottom. This actually decides where to "send" an application that you decide to proxify; which we have obviously defined to be the TOR proxy.

Proxychains is executed like this: proxychains4 filezilla (replace filezilla with the program you want to launch). Learn to run everything through it, because again, inbuilt settings leak shit almost always. If you are using xfce like me, you will need to edit your panel launchers like this:

Editing xfce panel launchers to use proxychains

What about command line programs? You're either going to have to type the full command every time (unreliable and annoying) or put the following lines into the file /home/your_username/.bash_aliases:

alias sli="sudo proxychains4 slapt-get --install"
alias sls="sudo proxychains4 slapt-get --search"
alias srcs="sudo proxychains4 slapt-src --search"
alias srci="sudo proxychains4 slapt-src --install"
alias whois="proxychains4 whois"
alias yt-dlp="proxychains4 yt-dlp"

The left part (before "=") is the "shortcut", the right one (after "=" )is the actual command run. And so, every time you type sls it will run the command slapt-get --search through proxychains - so you don't have to remember to type proxychains4 before every command every time if you just remember the shortcuts. You should set up a proxychains alias and / or launcher for every program you use that connects to the internet. Since if you forget to run something through proxychains, there is a risk that the software will expose your beautiful bare IP /s. Hey, apparently proxychains itself is not a perfect solution (archive), either:

The way it works is basically a HACK; so it is possible that it doesn't work with your program, especially when it's a script, or starts numerous processes like background daemons or uses dlopen() to load "modules" (bug in glibc dynlinker).

Though proxychains is a lot better than the inbuilt proxy settings of applications (which I've already proven to leak many times; it doesn't seem like programmers care too much about anonymity) - it still does not protect us from ourselves running something in the clear; and if you run a bunch of terminal commands every day, the probabilities are way against you even with the aliases. Fortunately diggy has prepared a method perfect for us schizophrenics careful people. The third line of defense - and the most important one - will let through only TOR (or additionally I2P) traffic. You will have to install nftables, and likely the newest glibc and openssl. If you have been using a VPN ufw setup earlier, you're going to need to burn your old iptables rulesets with iptables -F and iptables -X. Then create a config file such as /etc/nftables/toronly.conf and fill it with:

flush ruleset
table inet restricted {
chain inbound {
ype filter hook input priority filter; policy accept;
ct state { established, related } accept
ifname "lo" accept
iifname "eth0" tcp dport 22 accept
ip protocol icmp icmp type echo-request accept
reject with icmp port-unreachable
}

chain outbound {
type filter hook output priority filter; policy accept;
oifname "lo" accept
oifname "eth0" meta skuid tor accept
oifname "eth0" tcp sport 22 accept
reject
}

chain forward {
type filter hook forward priority filter; policy drop;
}
}

Every instance of eth0 has to be changed if using other interfaces, such as wlan0. The tor in oifname "eth0" meta skuid tor accept is the name of the user that runs TOR (you can also substitute a numerical user ID). What this firewall actually does is blocking any connections that don't come from the user tor. And because the tor user only runs the tor process, it effectively blocks anything non-TOR. Anyway, after writing down the configs, load them with the command sudo nft -f /etc/nftables/toronly.conf. Put that command into one of your startup scripts like /etc/rc.d/rc.local.

You can also add I2P to this setup. For that, you will need to install i2pd, then create an i2p user who will run exclusively that. Then add that user to the nftables config file, by replacing the line: oifname "eth0" meta skuid tor accept with oifname "eth0" meta skuid { tor, i2p } accept. Be careful while doing any of this. Have those users run ONLY their designated daemons! If you run another program as those users (or add another user to the whitelist), that program or user will be allowed internet access, threatening your anonymity.

With this setup, even if an application's proxy settings leak. Or if proxychains itself leaks. Or if you stupidly let the DNS servers change or run something bare. None of this will matter because the nftables rules will block it all. At worst, you will end up with an application that can't do anything (which means the fortress has kept it out - exactly as we want). I've used this setup for long enough now that I can say with high confidence that it is leakless. You can also do the same with iptables, by the way - which I now prefer because nftables pulls more random dependencies (while iptables is installed by default already) and doesn't really have an advantage. Just type these commands:

sudo iptables -F OUTPUT
sudo iptables -A OUTPUT -j ACCEPT -m owner --uid-owner tor
sudo iptables -A OUTPUT -j ACCEPT -o lo # used to allow traffic over the loopback device and is completely safe.
sudo iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
sudo iptables -P OUTPUT DROP

sudo ip6tables -F OUTPUT
sudo ip6tables -A OUTPUT -j ACCEPT -m owner --uid-owner tor
sudo ip6tables -A OUTPUT -j ACCEPT -o lo # used to allow traffic over the loopback device and is completely safe.
sudo ip6tables -P OUTPUT DROP

I won't pretend to have come up with this; the commands are actually stitched together from here (archive). They work on the same basis that the nftables ones do - only the tor user is allowed internet access. After inputting those, you need to save them to files so that they can be loaded on every boot. Create a folder where these files will be put, for example with the command sudo mkdir /etc/iptables. Type sudo iptables-save > /etc/iptables/toronly and sudo ip6tables-save > /etc/iptables/toronly-ipv6. Now edit /etc/rc.d/rc.local and insert these lines:

iptables-restore /etc/iptables/toronly&
ip6tables-restore /etc/iptables/toronly-ipv6&

Ensuring the rules are loaded up on every system boot. To check if that actually happens, type sudo iptables --list-rules after reboot. The result should be something like this:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT DROP
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner 217 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

If you see the above, then non-TOR traffic is properly blocked. If there are only the first three, then the rules have not been loaded and there is no protection against rogue apps or user error. The iptables setup is less tested in terms of leaks, so beware - and also doesn't allow I2P through for now. But I'm pretty confident in it, too.

Anyway, the full darknet setup obviously provides a significant increase in anonymity compared to the VPN one (and is free), but comes with a price. It is a lot slower, for one. All UDP packets are blocked so forget about torrenting, you dirty little consoomer, you. Oh, and Cloudflare will bully you mercilessly. Even WHOIS blocks TOR (so if it works for you, you have a leak). I am warning you, this setup is only for true darknet enthusiasts. However, it's not so bad - you get used to it quick, like to uMatrix. And the rewards are worth it.

Back to the front page