wiki:doc/TorFAQ

This FAQ has been migrated to General FAQ. The answers in this FAQ may be old, incorrect, or obsolete.

Table of Contents

  1. Running Tor
    1. How can I share files anonymously through Tor?
    2. I'm supposed to "edit my torrc". What does that mean?
    3. How do I set up logging, or see Tor's logs?
    4. What log level should I use?
    5. Do I have to open all these outbound ports on my firewall?
    6. My Tor keeps crashing.
    7. I installed Tor and Polipo but it's not working.
    8. How can I tell if Tor is working, and that my …
    9. How do I use my browser for ftp with Tor?
    10. Will Torbutton be available for …
    11. Does Tor remove personal information from the data …
    12. I want to run my Tor client on a different computer than my applications.
    13. How often does Tor change its paths?
    14. Why does netstat show these outbound connections?
    15. Tor uses hundreds of bytes for every IRC line. I can't afford that!
    16. Can I control what nodes I use for entry/exit, or what country the …
    17. Google makes me solve a Captcha or tells me I have spyware installed.
    18. Gmail warns me that my account may have been compromised.
    19. Why does Google show up in foreign languages?
    20. How do I access Tor hidden services?
    21. My Internet connection requires an HTTP or SOCKS proxy.
    22. My firewall only allows a few outgoing ports.
    23. Is there a list of default exit ports?
    24. What should I do if I can't use an http proxy with my application?
    25. I keep seeing these warnings about SOCKS and DNS and information …
    26. How do I check if my application that uses SOCKS is …
    27. Tor/Vidalia prompts for a password at start
    28. Why do we need Polipo or Privoxy with Tor? Which is better?
    29. Vidalia doesn't work in Windows 2000?
  2. Tor Browser Bundle
    1. There is no Flash in TBB!
    2. I'm on OSX or Linux and I want to run another application through the …
    3. I need an HTTP proxy.
    4. I want to leave Tor Browser Bundle running but close the browser.
    5. I want to use a different browser with Tor.
    6. I want to install my favorite extension in TBB. How do I do it?
    7. Do I have to reinstall my extensions every time I upgrade TBB?
  3. Running a Tor relay
    1. How do I decide if I should run a relay?
    2. Why isn't my relay being used more?
    3. How can I get Tor to fully make use of my high capacity connection?
    4. I'd run a relay, but I don't want to deal with abuse issues.
    5. Do I get better anonymity if I run a relay?
    6. Why doesn't my Windows (or other OS) Tor relay run well?
    7. So I can just configure a nickname and ORPort and join the network?
    8. I want to upgrade/move my relay. How do I keep the same key?
    9. How do I run my Tor relay as an NT service?
    10. Can I run a Tor relay from my virtual server account?
    11. I want to run more than one relay.
    12. My relay is picking the wrong IP address.
    13. I don't have a static IP.
    14. I'm behind a NAT/Firewall
    15. My cable/dsl modem keeps crashing. What's going on?
    16. Why do I get portscanned more often when I run a Tor relay?
    17. I have more than one CPU. Does this help?
    18. Why is my Tor relay using so much memory?
    19. What bandwidth shaping options are available to Tor relays?
    20. Does BandwidthRate really work?
    21. How can I limit the total amount of bandwidth used by my Tor relay?
    22. Why does my relay write more bytes onto the network than it reads?
    23. Why can I not browse anymore after limiting bandwidth on my Tor relay?
    24. How can I make my relay accessible to people stuck behind restrictive …
    25. Bridge related questions
    26. Can I install Tor on a central server, and have my clients connect to it?
    27. How do I provide a hidden service?
    28. What is the BadExit flag?
    29. I got the BadExit flag. Why did that happen?
    30. My relay recently got the Guard flag and traffic dropped by half!
    31. I'm facing legal trouble. How do I prove that my server was a Tor …
    32. I'm still having issues. Where can I get help?
  4. Running an Onion Service
    1. How can I protect my Onion Service?
    2. How to audit an Onion Service to make sure that my IP can not easily …
    3. What attacks remain against onion routing?
    4. Is there a list of things to do to try to hack my own site to try to …
  5. Development
    1. Who is responsible for Tor?
    2. What do these weird version numbers mean?
    3. How do I set up my own private Tor network?
    4. How can I make my Java program use the Tor Network?
    5. What is libevent?
    6. What do I need to do to get a new feature into Tor?
  6. Anonymity and Security
    1. What protections does Tor provide?
    2. Can exit nodes eavesdrop on communications? Isn't that bad?
    3. What is Exit Enclaving?
    4. So I'm totally anonymous if I use Tor?
    5. Please explain Tor's public key infrastructure.
    6. Where can I learn more about anonymity?
    7. What's this about entry guard (formerly known as "helper") nodes?
    8. What about powerful blocking mechanisms?
    9. Does Tor resist "remote physical device fingerprinting"?
    10. Tor and VPN
    11. Aren't 10 proxies (proxychains) better than Tor with only 3 hops? - …
    12. bridge vs non-bridge users anonymity
    13. Which Tor node knows what?
      1. Bridge/guard
      2. Middle node
      3. Exit node
      4. Another story
      5. Overview as table
  7. Alternate designs that we don't do (yet)
    1. You should send padding so it's more secure.
    2. You should make every Tor user be a relay.
    3. You should transport all IP packets, not just TCP packets.
    4. You should hide the list of Tor relays, so people can't block the exits.
    5. You should let people choose their path length.
    6. You should split each connection over many paths.
    7. You should migrate application streams across circuits.
    8. You should let the network pick the path, not the client.
    9. You should use steganography to hide Tor traffic.
    10. Your default exit policy should block unallocated net blocks too.
    11. Exit policies should be able to block websites, not just IP addresses
    12. You should change Tor to prevent users from posting certain content.
    13. Tor should support IPv6.
  8. Abuse
    1. Doesn't Tor enable criminals to do bad things?
    2. How do I respond to my ISP about my exit relay?
    3. Info to help with police or lawyers questions about exit relays

  • Copyright 2003-2006 Roger Dingledine
  • Copyright 2004-2005 Nick Mathewson
  • Copyright 2004 Douglas F. Calvert
  • Copyright 2004-2006 Peter Palfrader
  • Copyright 2005-2009 Andrew Lewman
  • Copyright 2007 Matt D. Harris
  • Copyright 2010 The Tor Project, Inc.

Distributed under the MIT license, see Legal Stuff for a full text.


Running Tor

How can I share files anonymously through Tor?

Answer moved to our new FAQ page

I'm supposed to "edit my torrc". What does that mean?

Answer moved to our new FAQ page

How do I set up logging, or see Tor's logs?

Answer moved to our new FAQ page

What log level should I use?

Answer moved to our new FAQ page

Do I have to open all these outbound ports on my firewall?

Answer moved to our new FAQ page

My Tor keeps crashing.

Answer moved to our new FAQ page

I installed Tor and Polipo but it's not working.

Answer moved to our new FAQ page

How can I tell if Tor is working, and that my connections really are anonymized? Are there external servers that will test my connection?

Answer moved to our new FAQ page

How do I use my browser for ftp with Tor?

Answer moved to our new FAQ page

Will Torbutton be available for other browsers?

Answer moved to our new FAQ page

Does Tor remove personal information from the data my application sends?

Moved to https://www.torproject.org/docs/faq.html.en#NoDataScrubbing

I want to run my Tor client on a different computer than my applications.

Answer moved to our new FAQ page

How often does Tor change its paths?

Answer moved to our new FAQ page

Why does netstat show these outbound connections?

Answer moved to our new FAQ page

Tor uses hundreds of bytes for every IRC line. I can't afford that!

Answer moved to our new FAQ page

Can I control what nodes I use for entry/exit, or what country the nodes are in?

Answer moved to our new FAQ page

Google makes me solve a Captcha or tells me I have spyware installed.

Answer moved to our new FAQ page

Gmail warns me that my account may have been compromised.

Answer moved to our new FAQ page

Why does Google show up in foreign languages?

Answer moved to our new FAQ page

How do I access Tor hidden services?

Answer moved to our new FAQ page

My Internet connection requires an HTTP or SOCKS proxy.

Answer moved to our new FAQ page

My firewall only allows a few outgoing ports.

Answer moved to our new FAQ page

Is there a list of default exit ports?

Answer moved to our new FAQ page

What should I do if I can't use an http proxy with my application?

Answer moved to our new FAQ page

I keep seeing these warnings about SOCKS and DNS and information leaks. Should I worry?

Answer moved to our new FAQ page

How do I check if my application that uses SOCKS is leaking DNS requests?

Answer moved to our new FAQ page

Tor/Vidalia prompts for a password at start

Answer moved to our new FAQ page

Why do we need Polipo or Privoxy with Tor? Which is better?

You do not need one anymore. See https://www.torproject.org/docs/faq#TBBPolipo

Vidalia doesn't work in Windows 2000?

No. Vidalia doesn't work in Win2k because of a winsock DLL bug in Win2K. The explanation for why is here: http://msdn.microsoft.com/en-us/library/ms737931. If you don't want to recompile Vidalia yourself, this site offers a replacement DLL (with source) that appears to work: http://codemagnet.blogspot.com/2007/10/winsock2-replacement.html and http://martin.brenner.de/files/winsock2_getaddrinfo.rar

Tor Browser Bundle

There is no Flash in TBB!

Moved to https://www.torproject.org/torbutton/torbutton-faq.html.en#noflash

I'm on OSX or Linux and I want to run another application through the Tor launched by Tor Browser Bundle. How do I predict my SOCKS port?

In Vidalia, go to Settings->Advanced and uncheck the box that says 'Configure ControlPort automatically'. Your SOCKS port will then be on 9050.

I need an HTTP proxy.

Moved to https://www.torproject.org/docs/faq#TBBPolipo

I want to leave Tor Browser Bundle running but close the browser.

Moved to https://www.torproject.org/docs/faq#TBBCloseBrowser

I want to use a different browser with Tor.

Answer moved to our new FAQ page

I want to install my favorite extension in TBB. How do I do it?

You can install extensions in TBB the same way you install them in a normal Firefox.

Do I have to reinstall my extensions every time I upgrade TBB?

If you are extracting a new TBB over the old TBB directory, assuming there are no version conflicts between a new Firefox and your old extensions, it should work. If it doesn't, please let us know by filing a bug.

Running a Tor relay

How do I decide if I should run a relay?

Moved to https://www.torproject.org/docs/faq.html.en#HowDoIDecide

Why isn't my relay being used more?

Moved to https://www.torproject.org/docs/faq.html.en#WhyIsntMyRelayBeingUsedMore

How can I get Tor to fully make use of my high capacity connection?

Moved to https://www.torproject.org/docs/faq.html.en#HighCapacityConnection

I'd run a relay, but I don't want to deal with abuse issues.

Answer moved to our new FAQ page

Do I get better anonymity if I run a relay?

Moved to https://www.torproject.org/docs/faq.html.en#BetterAnonymity

Why doesn't my Windows (or other OS) Tor relay run well?

Moved to https://www.torproject.org/docs/faq#BestOSForRelay

So I can just configure a nickname and ORPort and join the network?

Moved to https://www.torproject.org/docs/faq.html.en#JoinTheNetwork

I want to upgrade/move my relay. How do I keep the same key?

Answer moved to our new FAQ page

How do I run my Tor relay as an NT service?

Moved to https://www.torproject.org/docs/faq.html.en#NTService

Can I run a Tor relay from my virtual server account?

Moved to https://www.torproject.org/docs/faq.html.en#VirtualServer

I want to run more than one relay.

Answer moved to our new FAQ page

My relay is picking the wrong IP address.

Moved to https://www.torproject.org/docs/faq.html.en#WrongIP

I don't have a static IP.

Moved to https://www.torproject.org/docs/faq.html.en#IDontHaveAStaticIP

I'm behind a NAT/Firewall

Moved to https://www.torproject.org/docs/faq#BehindANAT

My cable/dsl modem keeps crashing. What's going on?

Moved to https://www.torproject.org/docs/faq.html.en#ModemKeepsCrashing

Why do I get portscanned more often when I run a Tor relay?

Moved to https://www.torproject.org/docs/faq.html.en#PortscannedMore

I have more than one CPU. Does this help?

Moved to https://www.torproject.org/docs/faq.html.en#MoreThanOneCPU

Why is my Tor relay using so much memory?

Answer moved to our new FAQ page

What bandwidth shaping options are available to Tor relays?

Moved to https://www.torproject.org/docs/faq.html.en#BandwidthShaping

Does BandwidthRate really work?

Moved to https://www.torproject.org/docs/faq.html.en#BandwidthShaping

How can I limit the total amount of bandwidth used by my Tor relay?

Moved to https://www.torproject.org/docs/faq.html.en#LimitTotalBandwidth

Why does my relay write more bytes onto the network than it reads?

Moved to https://www.torproject.org/docs/faq#RelayWritesMoreThanItReads

Note that in Tor 0.1.1.8-alpha and later, your relay is more intelligent about deciding whether to advertise its DirPort. The main change is to not advertise it if we're running at capacity and either a) we could hibernate or b) our capacity is under 50kB and we're using a DirPort above 1024.

Why can I not browse anymore after limiting bandwidth on my Tor relay?

Moved to https://www.torproject.org/docs/faq#Hibernation

How can I make my relay accessible to people stuck behind restrictive firewalls?

Expose your Tor relay on port 443 (HTTPS) so that people whose firewalls restrict them to HTTPS can still reach it. Also, you should expose your directory mirror on port 80 (this works even if Apache is already listening there, but it does not apply to a bridge).

If you're using the version of Tor packaged for Debian (or Debian-based distributions like Ubuntu), you can do this by setting ORPort to 443 and DirPort to 80 in your relay's torrc.

However, if you aren't using Tor's deb package then this will take some more work. Binding to ports under 1024 usually requires you to run as root, and running Tor as root is not recommended (in case there are unknown exploitable bugs). Instead, you should configure Tor to advertise its orport as 443, but really bind to another port (such as 9001). Then, set up your computer to forward incoming connections from port 443 to port 9001.

The Tor side is pretty easy - just set this in your torrc file:

ORPort 443 NoListen
ORPort 0.0.0.0:9001 NoAdvertise

This will make your Tor relay listen for connections to any of its IPs on port 9001, but tell the world that it's listening on port 443 instead. Similarly, "DirPort 80" and "DirPort 0.0.0.0:9030 NoAdvertise" will bind to port 9030 locally but advertise port 80.

If your relay has multiple IP addresses and you want to advertise a port on an IP address that isn't your default IP, you can do this with Tor's "Address" config option.

Forwarding TCP connections is system dependent, however. Here are some possibilities (you can put them in your rc.local so they execute at boot):

  • On Linux 2.4 or 2.6 (with iptables):
       iptables -t nat -A PREROUTING -p tcp -d $IP --dport 443 \
          -j DNAT --to-destination $IP:9001

    Assuming you have a simple, consumer-level NAT gateway/firewall that is configured to forward TCP requests on port 443 of your external (WAN) IP to port 443 of your Tor relay, then "$IP", in the command above, refers to the internal (LAN) IP address of your Tor relay. Often (but not always), this will begin with 192.168....
  • If you want to make this redirection work from localhost, add the following rule as well:
       iptables -t nat -A OUTPUT -p tcp -d $external_IP --dport 443 \
          -j DNAT --to-destination $internal_IP:9001

    Here, "$internal_IP" is the same as "$IP" in the previous example, but "$external_IP" refers to the WAN IP of your gateway/firewall.
  • When using shorewall (version 2.2.3) you may find it helpful to add something like this (inside /etc/shorewall/rules):
       # DirPort $IP:9091 NoAdvertise #Listen address
       DNAT    net     $FW:$IP:9091  tcp     80      -       $IP
       ACCEPT  $FW:$IP       net     tcp     9091
       # ORPort $IP:9090 NoAdvertise #Listen address
       DNAT    net     $FW:$IP:9090  tcp     443     -       $IP
       ACCEPT  $FW:$IP       net     tcp     9090

    Don't forget to tune your default policy (/etc/shorewall/policy) so that it doesn't log those rules when they're triggered.
  • With ssh (do not use in conjunction with DirPolicy: every connection forwarded through the tunnel reaches Tor from 127.0.0.1, so an address-based policy no longer sees the real client):
       ssh -fNL 443:localhost:9001 localhost

    Note: if you get an error message "channel 2: open failed: connect failed: Connection refused", try replacing "localhost" with "127.0.0.1" in the ssh command.
  • To offer your directory mirror on port 80, where Apache is already listening, add this to your Apache config:
       <IfModule mod_proxy.c>
           ProxyPass /tor/ http://localhost:9030/tor/
           ProxyPassReverse /tor/ http://localhost:9030/tor/
       </IfModule>

    Ideally you wouldn't log those requests. That's not very hard either: remove your normal access log directive (CustomLog) and use CustomLog lines that are conditional on an environment variable:
       LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
       ...
       SetEnvIf Request_URI "^/tor/" request_is_for_tor=yes
       CustomLog /var/log/apache/combined.log combined env=!request_is_for_tor
       CustomLog /dev/null common env=request_is_for_tor

    Refer to the Apache documentation for why this works: http://httpd.apache.org/docs/mod/mod_log_config.html#customlog and http://httpd.apache.org/docs/mod/mod_setenvif.html
  • To offer your directory on port 80 when Apache (or anything else) is not listening, use a port redirection for the DirPort, as per the ORPort method described earlier in this section. On Linux 2.4 or 2.6 (with iptables):
       iptables -t nat -A PREROUTING -p tcp -d $IP --dport 80 \
          -j DNAT --to-destination $IP:9030

  • On OpenBSD/FreeBSD/NetBSD with PF (Tutorial). Assume you have a 3com 905b card connected to an Internet gateway.
       # Redirect traffic coming in on xl0 from any:any to $IP:443 to localhost:9001
       rdr on xl0 proto tcp from any to $IP port 443 -> $IP port 9001

  • On Mac OS X (tested on Leopard, might work on Panther/Tiger as well):
       sudo ipfw add fwd 127.0.0.1,9030 tcp from any to me 80 in
       sudo ipfw add fwd 127.0.0.1,9001 tcp from any to me 443 in

  • If you just use an external NAT router as your firewall, you only need to do the port forwarding through that.

Volunteers: please add advice for other platforms if you know how they work.
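As an added check for the advertise/listen split described above (example code written for this FAQ entry; it is not part of Tor and not the wiki's own code), the script below parses the ORPort/DirPort lines of a torrc, flags the usual mistakes (binding a privileged port directly, advertising a port that nothing listens on, a line carrying both NoListen and NoAdvertise), and prints the iptables PREROUTING rule from the Linux bullet for every advertise-only port. The syntax it assumes is the one shown on this page, `ORPort [address:]port [flags]`; "auto" and the IPv4Only/IPv6Only flags are accepted but not otherwise checked.

```python
"""Consistency check for the advertise/listen split in a relay's torrc.

Added example for this FAQ entry (not part of Tor, not the wiki's own code).
It understands the ORPort/DirPort forms used above:
    ORPort [address:]port [NoListen|NoAdvertise|IPv4Only|IPv6Only]...
"""
from dataclasses import dataclass
from typing import List

KNOWN_FLAGS = {"nolisten", "noadvertise", "ipv4only", "ipv6only"}


@dataclass
class PortLine:
    kind: str        # "ORPort" or "DirPort"
    address: str     # "" when only a port was given
    port: int        # 0 stands for "auto"
    listen: bool     # False when NoListen is set
    advertise: bool  # False when NoAdvertise is set


def parse_port_line(line: str) -> PortLine:
    """Parse a single 'ORPort ...' or 'DirPort ...' torrc line."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] not in ("ORPort", "DirPort"):
        raise ValueError(f"not an ORPort/DirPort line: {line!r}")
    kind, spec = tokens[0], tokens[1]
    flags = {t.lower() for t in tokens[2:]}
    unknown = flags - KNOWN_FLAGS
    if unknown:
        raise ValueError(f"unknown flag(s) {sorted(unknown)} in {line!r}")
    address, _, port_s = spec.rpartition(":")  # address is "" if there is no colon
    port = 0 if port_s == "auto" else int(port_s)
    return PortLine(kind, address, port,
                    listen="nolisten" not in flags,
                    advertise="noadvertise" not in flags)


def port_lines(torrc: str) -> List[PortLine]:
    """All ORPort/DirPort lines of a torrc, skipping blanks and comments."""
    out = []
    for raw in torrc.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and line.split()[0] in ("ORPort", "DirPort"):
            out.append(parse_port_line(line))
    return out


def check_torrc(torrc: str) -> List[str]:
    """Return human-readable findings; an empty list means the split is consistent."""
    findings = []
    lines = port_lines(torrc)
    for kind in ("ORPort", "DirPort"):
        mine = [p for p in lines if p.kind == kind]
        bound = [p for p in mine if p.listen]
        advertised = [p for p in mine if p.advertise]
        for p in mine:
            if not p.listen and not p.advertise:
                findings.append(f"{kind} {p.port}: NoListen and NoAdvertise together, the line does nothing")
            if p.listen and 0 < p.port < 1024:
                findings.append(f"{kind} {p.port}: binds a privileged port, so Tor would have to run as root; "
                                f"advertise it with NoListen and bind a high port with NoAdvertise instead")
        if advertised and not bound:
            findings.append(f"{kind}: {[p.port for p in advertised]} advertised but nothing listens "
                            f"(missing a NoAdvertise bind line)")
        if bound and not advertised:
            findings.append(f"{kind}: listening on {[p.port for p in bound]} but no port is advertised")
    return findings


def dnat_rules(torrc: str, ip: str = "$IP") -> List[str]:
    """The iptables PREROUTING rule (as in the Linux bullet above) for every
    advertise-only port, redirecting it to the first bound port of the same kind."""
    rules = []
    lines = port_lines(torrc)
    for kind in ("ORPort", "DirPort"):
        mine = [p for p in lines if p.kind == kind]
        bound = [p for p in mine if p.listen and p.port]
        if not bound:
            continue
        target = bound[0].port
        for p in mine:
            if p.advertise and not p.listen and p.port != target:
                rules.append(f"iptables -t nat -A PREROUTING -p tcp -d {ip} --dport {p.port} "
                             f"-j DNAT --to-destination {ip}:{target}")
    return rules


if __name__ == "__main__":
    # Constructed sample: the configuration from this FAQ entry.
    sample = ("ORPort 443 NoListen\n"
              "ORPort 0.0.0.0:9001 NoAdvertise\n"
              "DirPort 80 NoListen\n"
              "DirPort 0.0.0.0:9030 NoAdvertise\n")
    print("findings:", check_torrc(sample) or "none")
    for rule in dnat_rules(sample, "192.168.1.10"):
        print(rule)
```

Run it on the real torrc before restarting the relay; a finding about a privileged port means Tor would try to bind below 1024 itself, which is exactly what the split above avoids, and the printed rules are the ones to put in rc.local (with the relay's LAN address substituted for `$IP`).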

Bridge related questions

  • See the Bridge manual for details on setting up, publicizing, understanding and troubleshooting your bridge.
  • How long until a new bridge gets some traffic? Hard to answer. We're working on better feedback mechanisms for bridge operators.

Can I install Tor on a central server, and have my clients connect to it?

Moved to https://www.torproject.org/docs/faq.html.en#ServerClient

How do I provide a hidden service?

Moved to https://www.torproject.org/docs/faq.html.en#ProvideAHiddenService

What is the BadExit flag?

Moved to https://www.torproject.org/docs/faq#WhatIsTheBadExitFlag

I got the BadExit flag. Why did that happen?

Moved to https://www.torproject.org/docs/faq#IGotTheBadExitFlagWhyDidThatHappen

My relay recently got the Guard flag and traffic dropped by half!

https://www.torproject.org/docs/faq#MyRelayRecentlyGotTheGuardFlagAndTrafficDroppedByHalf

I'm facing legal trouble. How do I prove that my server was a Tor relay at a given time?

https://www.torproject.org/docs/faq#FacingLegalTrouble

I'm still having issues. Where can I get help?

Moved to https://www.torproject.org/docs/faq.html.en#SupportMail

Running an Onion Service

See NextGenOnions

How can I protect my Onion Service?

See "Tor Hidden (Onion) Services Best Practices" in https://www.torproject.org/docs/tor-onion-service.html.en#three

Start by running an onion server on a dedicated machine in a network enclave behind NAT and with intentionally invalid hostnames, so that any metadata that might leak in (say) Apache headers is mostly useless; the NAT-internal network would be 10.0.0.0/24, the hostname "invalid.invalid", etc.

The other benefit of putting your onion servers in a NAT enclave is that you can lock down your guards to a limited set and drill holes in your firewall specifically for those, and then ban all other outgoing traffic from your machine; this will help prevent identification via DNS lookups, package update checks, pingbacks in your CMS stack, etc.

Then: work out for yourself how to do software updates via (say) a HTTP proxy + VPN.

How to audit an Onion Service to make sure that my IP can not easily be compromised?

For HTTP(S) servers:

  • Ensure your clock is correct and is corrected automatically once or twice a day to reduce time skews
  • If your server is exposed to the internet, ensure that one cannot reach your onionsite by specifying it in the Host header on the clearnet. Ensure the onionsite is only listening on the internal IP.
  • Similarly, ensure that your external website(s) are only listening on external IP addresses, and that one cannot reach them over the onionsite by specifying them in the Host header
  • Best case: run your service on a machine that _has_ no external IP address and only internal IP addresses
  • Check your SSL configuration and ensure your onionsite isn't sending a cert for external websites
  • Don't run a relay and a hidden service on the same tor instance

Then there are a ton of advice items for individual languages/frameworks. For example for PHP, don't expose phpinfo() or $_SERVER. Don't expose error messages.

There is a class of web attack called 'SSRF' or Server Side Request Forgery. The toehold of this attack is that you can induce the _server_ to perform a connection. This could be through a DNS lookup, an XML DTD fetch, or other types of vulnerabilities. If an attacker can do this on your onionsite, they can make your server connect to theirs and so learn its real address. You can mitigate this by strict egress firewalling.
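The Host-header items in the checklist above can be tested from outside the enclave against your own external address. The script below is an added example for this section (not code from the Tor wiki): it opens a plain HTTP connection to an IP address, sends a request with a chosen Host header, and reports whether content that only the onion vhost should serve came back. The onion hostname, the marker string and the small misconfigured demo server are constructed placeholders so that the check can be run offline.

```python
"""Host-header isolation check for an onion service's web server.

Added example for this FAQ entry (not code from the Tor wiki).  It connects to
an IP address directly, sends a request with a chosen Host header and reports
whether content that only the onion vhost should serve came back.  The onion
hostname, the marker string and the demo server are constructed placeholders.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def probe_host_header(ip, port, host_header, path="/", timeout=5.0):
    """GET `path` from ip:port (no DNS involved) with an arbitrary Host header.
    Returns (status, first 4 KiB of the body as text)."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host_header})
        resp = conn.getresponse()
        return resp.status, resp.read(4096).decode("utf-8", "replace")
    finally:
        conn.close()


def onion_leaks_on_clearnet(external_ip, port, onion_host, marker):
    """True if the onion vhost answers over `external_ip` when asked for
    `onion_host`.  `marker` is a string only the onion site serves (a title,
    a footer); a 200 with the marker present means the vhosts are not isolated."""
    status, body = probe_host_header(external_ip, port, onion_host)
    return status == 200 and marker in body


# --- constructed stand-in for a misconfigured server, for offline testing ----

class DemoVhostHandler(BaseHTTPRequestHandler):
    """Routes purely by Host header and is bound to every interface, which is
    exactly the mistake the checklist above warns about."""
    ONION_HOST = "exampleonionhostname.onion"  # placeholder, not a real service

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        if host == self.ONION_HOST:
            body = b"<title>ONION-ONLY-CONTENT</title>"
        else:
            body = b"<title>clearnet site</title>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_server():
    """Start the misconfigured demo server on a free loopback port."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), DemoVhostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_demo_server()
    try:
        leaked = onion_leaks_on_clearnet("127.0.0.1", port, DemoVhostHandler.ONION_HOST,
                                         "ONION-ONLY-CONTENT")
        print("onion vhost reachable over the clearnet address:", leaked)  # True for the demo
    finally:
        srv.shutdown()
        srv.server_close()
```

Against a real deployment, call `onion_leaks_on_clearnet` with each external address of the host, your onion hostname and a string only the onion site serves; `True` means the onionsite is reachable by Host header from the clearnet and the second checklist item fails. The reverse direction (a clearnet hostname asked for through the onion service) is the same probe with the roles swapped, and the TLS vhosts in the fifth item deserve the same treatment.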

What attacks remain against onion routing?

Moved to https://www.torproject.org/docs/faq.html.en#AttacksOnOnionRouting

Is there a list of things to do to try to hack my own site to try to find the IP?

Have a look at README_SECURITY.md in vanguards.

Development

Who is responsible for Tor?

Moved to https://www.torproject.org/docs/faq.html.en#WhoIsResponsible

What do these weird version numbers mean?

Moved to https://www.torproject.org/docs/faq.html.en#VersionNumbers

How do I set up my own private Tor network?

Moved to https://www.torproject.org/docs/faq.html.en#PrivateTorNetwork

How can I make my Java program use the Tor Network?

Moved to https://www.torproject.org/docs/faq.html.en#UseTorWithJava

What is libevent?

Moved to https://www.torproject.org/docs/faq.html.en#WhatIsLibevent

What do I need to do to get a new feature into Tor?

Moved to https://www.torproject.org/docs/faq.html.en#MyNewFeature

Anonymity and Security

What protections does Tor provide?

Moved to https://www.torproject.org/docs/faq.html.en#WhatProtectionsDoesTorProvide

Can exit nodes eavesdrop on communications? Isn't that bad?

https://www.torproject.org/docs/faq.html.en#CanExitNodesEavesdrop

What is Exit Enclaving?

Moved to https://www.torproject.org/docs/faq.html.en#ExitEnclaving

So I'm totally anonymous if I use Tor?

Moved to https://www.torproject.org/docs/faq.html.en#AmITotallyAnonymous

Please explain Tor's public key infrastructure.

Answer moved to our new FAQ page

Where can I learn more about anonymity?

Read these papers (especially the ones in boxes) to get up to speed on anonymous communication systems.

What's this about entry guard (formerly known as "helper") nodes?

Answer moved to our new FAQ page

What about powerful blocking mechanisms?

Moved to https://www.torproject.org/docs/faq#PowerfulBlockers

Does Tor resist "remote physical device fingerprinting"?

Moved to https://www.torproject.org/docs/faq.html.en#RemotePhysicalDeviceFingerprinting

Tor and VPN

See TorPlusVPN.

Aren't 10 proxies (proxychains) better than Tor with only 3 hops? - proxychains vs Tor

Moved to https://www.torproject.org/docs/faq.html.en#Proxychains

bridge vs non-bridge users anonymity

"How safe is it to use bridges compared to not using bridges?"

See tor-talk anonymity: bridge users vs. entry guard users question from proper and answer from Roger Dingledine.

Which Tor node knows what?

There is a lot of confusion about which Tor node knows what. Read How is Tor different from other proxies? and How Tor works as an introduction. The following comparison says the same thing in a different form.

Bridge/guard

  • knows:
    • the Tor user's IP/location
    • middle node's IP/location
  • doesn't know:
    • IP/location of exit node
    • message for middle node
    • message of exit node

Middle node

  • knows:
    • IP/location of bridge/guard
    • IP/location of exit node
  • doesn't know:
    • Tor user's IP/location
    • message for the exit node
    • message for the bridge/guard node

Exit node

  • knows:
    • IP/location of middle node
    • content of the message from the user
      • When not using end-to-end encryption, such as SSL, or if end-to-end encryption is broken (for example by a malicious certificate authority, which has happened):
        • For example it knows some things like:
          • "Someone wants to know what IP has the DNS name example.com, which is 1.2.3.4."
          • "Someone wants to view 1.2.3.4."
          • Date and time of transmission.
          • When fetching 1.2.3.4: the content of that transmission (what the site looks like).
          • A pattern: the amount of traffic x sent from time y to time z.
          • "Login with username: exampleuser and password: examplepassword."
      • When using end-to-end encryption:
        • For example it knows some things like:
          • "Someone wants to know what IP has the DNS name example.com, which is 1.2.3.4."
          • "Someone wants to view 1.2.3.4."
          • Date and time of transmission.
          • When fetching 1.2.3.4: how much traffic has been transmitted.
          • A pattern: the amount of traffic x sent from time y to time z.
  • doesn't know:
    • Tor user's IP/location
    • bridge/guard's IP/location
    • message for the bridge/guard node
    • message for the middle node

Another story

Overview as table

Information                              user   bridge node or entry guard   middle node   exit node
Tor user's IP/location                   yes    yes                          no            no
IP of bridge node or entry guard         yes    yes                          yes           no
message for bridge node or entry guard   yes    yes                          no            no
IP of middle node                        yes    yes                          yes           yes
message for middle node                  yes    no                           yes           no
IP of exit node                          yes    no                           yes           yes
message for exit node                    yes    no                           no            yes
IP of destination server                 yes    no                           no            yes
message for destination server           yes    no                           no            yes

Comments:

  • Of course, everyone knows their own IP.
  • Due to the nature of the internet, you know the IP/location of your predecessor and your successor.
  • See above for detailed information on what happens when using end-to-end encryption.

Alternate designs that we don't do (yet)

You should send padding so it's more secure.

Moved to https://www.torproject.org/docs/faq.html.en#SendPadding

You should make every Tor user be a relay.

Answer moved to our new FAQ page

You should transport all IP packets, not just TCP packets.

Answer moved to our new FAQ page

You should hide the list of Tor relays, so people can't block the exits.

Answer moved to our new FAQ page

You should let people choose their path length.

Moved to https://www.torproject.org/docs/faq.html.en#ChoosePathLength

You should split each connection over many paths.

Moved to https://www.torproject.org/docs/faq.html.en#SplitEachConnection

You should migrate application streams across circuits.

Moved to https://www.torproject.org/docs/faq.html.en#MigrateApplicationStreamsAcrossCircuits

  • It's not just a 2/3 improvement, it is a thing that is simply necessary to truly anonymize hosts connected using a dynamic IP setup, as many consumer ISPs use. Without the possibility to migrate streams, an attacker can examine which long-lived connections end when the observed person gets a new IP. By allowing stream migration, the connection can persist as if nothing had happened. This will make Tor a tool for more than anonymity, as it improves networking in general. Maybe it's not even that hard to implement. It could be gradually phased into the protocol. The first step would be to send sequencing information with the data stream. Future versions could then investigate possibilities for picking up the connections. Security should not be a problem as we are already using strong cryptography, which enables us to authenticate the stream owner.

You should let the network pick the path, not the client.

Moved to https://www.torproject.org/docs/faq#LetTheNetworkPickThePath

You should use steganography to hide Tor traffic.

Moved to https://www.torproject.org/docs/faq.html.en#Steganography

Your default exit policy should block unallocated net blocks too.

Moved to https://www.torproject.org/docs/faq.html.en#UnallocatedNetBlocks

Exit policies should be able to block websites, not just IP addresses

Moved to https://www.torproject.org/docs/faq.html.en#BlockWebsites

You should change Tor to prevent users from posting certain content.

Moved to https://www.torproject.org/docs/faq.html.en#BlockContent

Tor should support IPv6.

https://www.torproject.org/docs/faq.html.en#IPv6

Abuse

Doesn't Tor enable criminals to do bad things?

Moved to https://www.torproject.org/docs/faq.html.en#Criminals

How do I respond to my ISP about my exit relay?

Moved to https://www.torproject.org/docs/faq.html.en#RespondISP

Info to help with police or lawyers questions about exit relays

Moved to https://www.torproject.org/docs/faq.html.en#HelpPoliceOrLawyers

Last modified on Aug 31, 2018, 1:55:35 PM
