# Installing the Tor client on Windows

This document briefly explains how to install Tor as a local SOCKS proxy on your Windows machine. It also shows how to make it provide hidden services.

## WARNING

In most cases, downloading the "Tor Browser" is a much better idea. The browser is configured to keep you safe and anonymous. Using your usual browser will put your anonymity at risk.

You should only follow the instructions here if you want to install Tor either as a local service for applications to use as a proxy, or because you want to host hidden services (.onion addresses).

## Download

1. Go to [the Tor project website](https://www.torproject.org/)
2. Click "Download Tor Browser"
3. Click the link "Download Tor Source Code"
4. Download the "Windows Expert Bundle"

## Extraction

Extract the downloaded zip archive to some permanent location. For this tutorial, we use `C:\Tools\TOR` as the base directory.

After extraction, you should have `C:\Tools\TOR\Data` and `C:\Tools\TOR\Tor` directories. If you don't, make sure you did not accidentally let your extraction program create another Tor directory.

Create the directory `C:\Tools\TOR\Cache`.

## Configuration

You need to create a config file. [You can download a copy here](data/torrc). Save it as `C:\Tools\TOR\torrc`.

Edit the file and correct the paths if you did not install it into `C:\Tools`. Also feel free to change the SOCKS port (default is 9050) if you like.

## Installation

To install the service, simply perform the steps below (change paths as needed):

1. [Run](#run) `CMD.exe` as administrator.
2. Type `cd /D C:\Tools\TOR\Tor` and hit `[ENTER]`
3. Type `tor --service install --options -f C:\Tools\TOR\torrc` and hit `[ENTER]`
4. (Optional) Type `sc config tor depend= tcpip` and hit `[ENTER]`

The Tor service is now installed and should be running.
To confirm that the service is running, check if the file `C:\Tools\TOR\Data\pid` exists.

The last step tells the system to not start Tor if the TCP/IP driver is unavailable. Tor will not run without it. The step is optional because Windows starts drivers before it starts services, which means the driver is present when Tor starts. The only case where this won't happen is if Windows is started in safe mode without networking. In that case it makes no sense to start Tor as it dies quickly anyway.

## Starting and stopping

Tor will automatically start after installation. It also automatically starts whenever your computer starts. To start and stop the service manually:

1. [Run](#run) `services.msc`
2. Highlight "Tor Win32 Service" in the list.
3. On the left side, use the links to control the service

To change the startup behavior, double click on the service and choose an option from the drop down.

## Updating Tor

Updating the Tor client is rather simple:

1. Download a new zip bundle
2. Stop the Tor service (see chapter above)
3. Overwrite the contents of `C:\Tools\TOR\Tor` (the directory with the executable and DLL files)
4. Start the Tor service

## Configuration Hints

You can disable commands by prefixing them with `#` instead of erasing the lines. Editing the configuration requires a service restart.

The line `TruncateLogFile 1` clears the log each time the service starts. This stops the log from growing indefinitely, but you can disable the line if you need a log history.

The `SocksPort` line can be present multiple times (with different port numbers) to provide multiple SOCKS ports. Setting `SocksPort` to zero disables the SOCKS proxy. This is useful if you don't need it and only want to operate hidden services.

`SocksPort` also accepts an IP address. Setting the line to `SocksPort 0.0.0.0:9050` makes the listener public. This is useful if you want to offer Tor to all devices in your network. Be aware that SOCKS is unencrypted. Do this only on trusted networks.
Doing this might also need configuration of your Windows firewall.

## Hidden services

Hidden services allow you to make a service accessible in a way that keeps its location secret. Be aware that many services (if not properly configured) will allow attackers to expose your real IP one way or another. If you plan on running a serious hidden service, you should do so only on a device that has been locked down and can't access the internet directly, only over Tor.

### Preparations

Create the `C:\Tools\TOR\onion` directory. This is where Tor will store hidden service information.

Hidden services don't require any form of port forwarding or special permissions. You can provide hidden services as long as the Tor client can connect to the internet.

### Setting up a service

*Hidden services only support TCP, not UDP or other protocols.*

To create a basic hidden service, add these two lines to the configuration file:

```
HiddenServiceDir C:\Tools\TOR\onion\YourServiceNameHere
HiddenServicePort 80
```

The first line creates a hidden service, the second line forwards port 80 (the standard HTTP port) to a locally running web server.

Tor creates the directory `YourServiceNameHere` itself, do not do so manually. The contents of the directory are explained later. Because the name is also a directory, it must be a valid file system name. To keep it simple, use only alphanumeric characters.

**CAUTION!** Connections that come from a hidden service appear to be originating at your own computer (IP 127.0.0.1). Whatever service you operate, make sure it's not treating localhost access as trusted.

### Port redirection

The local service doesn't need to be running on the same port as the public service. This is useful because common protocols (like HTTP, E-mail services, SSH, etc.) run on low port numbers (less than 1024). On many systems you require administrative permissions to start a service on these ports. Tor completely avoids this problem.
If your web server runs on port 1234 but you want to make it accessible under port 80, you can add an IP address and port number like so: `HiddenServicePort 80 127.0.0.1:1234`

This means you can run multiple local servers on various ports, but make them all accessible on the same public port, distinguished only by their different .onion names. Pretending to run on a default port is important because otherwise, people need to enter the port number each time they want to access your service.

### Multiple Ports

`HiddenServicePort` can be present multiple times to forward multiple ports. E-mail is an example that needs multiple ports:

- 25: Delivery of mail between servers via SMTP
- 587: Delivery of mail from your mail program to your mail server via SMTP
- 110: Port used to access the mailbox via POP3
- 143: Port used to access the mailbox via IMAP

This is often coupled with port 80 to provide a web mail system. The configuration might look like this:

```
HiddenServiceDir C:\Tools\TOR\onion\MyMailService
HiddenServicePort 25
HiddenServicePort 587
HiddenServicePort 110
HiddenServicePort 143
HiddenServicePort 80 127.0.0.1:8080

HiddenServiceDir C:\Tools\TOR\onion\MyWebsite
HiddenServicePort 80 127.0.0.1:8081
```

This example shows two hidden services. One runs a mail service on the standard ports with a web server that's redirected. The other one is a completely independent hidden service that just runs a website on a different port. Nobody will know what ports you use and what services you run. This will not stop people from trying to scan for open ports and from trying tricks to make your services tell what onion addresses they listen to.

### Hidden service directory contents

**DO NOT CHANGE THE CONTENTS**

Contents:

- `hostname`: This file contains the .onion address of the service
- `hs_ed25519_public_key`: The public key of the onion service
- `hs_ed25519_secret_key`: The private key of the onion service. **NEVER SHARE THIS**

You can open `hostname` in your text editor to get the .onion name.
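The hidden service name section below explains that the .onion name is determined by the public key, so that anyone connecting can check that the key matches the name. The following Python script is an added example, not part of the original page or of Tor: it rebuilds a v3 onion address from a raw 32-byte ed25519 public key and verifies an address against a key the way a connecting client can. It assumes the v3 address layout from the Tor onion service specification (base32 of the key, a 2-byte SHA3-256 checksum and the version byte 3) and that `hs_ed25519_public_key` holds a 32-byte text header followed by the raw key; `pubkey_from_file_bytes` and the other function names are mine, and the sample key is constructed, not a real service key.

```python
import base64
import hashlib

# Layout of a v3 onion address (Tor onion service spec, assumed here):
#   onion_address = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
#   CHECKSUM      = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
#   VERSION       = 0x03
ONION_VERSION = b"\x03"

# Header tor writes in front of the raw key in hs_ed25519_public_key
# (assumption: the text below, NUL-padded to 32 bytes, then the 32-byte key).
PUBKEY_FILE_HEADER = b"== ed25519v1-public: type0 ==".ljust(32, b"\x00")


def onion_checksum(pubkey: bytes) -> bytes:
    """Two-byte checksum that binds the public key to the address."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + ONION_VERSION).digest()[:2]


def onion_address(pubkey: bytes) -> str:
    """Derive the .onion name from a raw 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION  # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def verify_onion_address(address: str, pubkey: bytes) -> bool:
    """Check that an address is well formed, version 3 and bound to pubkey.

    This is the check a connecting client can make: the name commits to the
    key, so a different key cannot be passed off as the owner of the name.
    """
    name = address.lower().removesuffix(".onion")
    if len(name) != 56:
        return False
    try:
        raw = base64.b32decode(name, casefold=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    key, checksum, version = raw[:32], raw[32:34], raw[34:]
    return key == pubkey and version == ONION_VERSION and checksum == onion_checksum(key)


def pubkey_from_file_bytes(data: bytes) -> bytes:
    """Extract the raw key from the contents of an hs_ed25519_public_key file."""
    if len(data) != 64 or data[:32] != PUBKEY_FILE_HEADER:
        raise ValueError("not an hs_ed25519_public_key file")
    return data[32:]


if __name__ == "__main__":
    # Constructed sample key (NOT a real onion service key), just 32 bytes.
    sample_key = bytes(range(32))
    addr = onion_address(sample_key)
    print(addr, verify_onion_address(addr, sample_key))
    # Against a real service directory the derived name must equal the 'hostname' file:
    # with open(r"C:\Tools\TOR\onion\YourServiceNameHere\hs_ed25519_public_key", "rb") as f:
    #     print(onion_address(pubkey_from_file_bytes(f.read())))
```

Comparing the derived name with the `hostname` file is a cheap integrity check after restoring or copying a service directory: if the two differ, the key files and the hostname no longer belong together.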
Don't open the other files. They're not text files and will not show anything useful. If you have trouble opening the file directly, open the text editor and just drag the file onto it with your mouse.

### Hidden service name

You have no control over the hidden service name. The name depends on the public key contents. It has to be this way to allow anyone that connects to a hidden service to verify that the key actually matches the name. In other words, it prevents bad actors from pretending to be someone they aren't.

You can use a so called [vanity generator](https://gitload.net/lachesis/scallion) to create a more memorable name. This generator is not doing anything that the Tor client can't. The generator just generates keys as fast as it can and then checks if the resulting name matches your criteria. Be aware that generating names this way is extremely slow.

### Publishing the service

Hidden services are (as the name suggests) hidden. People will not magically find your service, you have to publish it somewhere. Be careful with how you publish the service. Accounts on the internet are tied to your IP address and thus your real identity. Operators of hidden services have been discovered in the past by looking at where the .onion appeared on the "regular" internet for the first time.

## Running a Relay

A relay helps the Tor network to operate. There are three types of relays you can run:

- Entry/Middle relay
- Bridge
- Exit Node

All relay types allow you to restrict the bandwidth. This is done using `BandwidthRate N bytes|KBytes|MBytes|GBytes|TBytes|KBits|MBits|GBits|TBits`

Note: The limit is applied to inbound and outbound traffic independently.

### Entry/Middle relay

This is the most common type of relay. People can use this type of relay to enter the Tor network and to use it as an intermediate relay. They cannot use this type of relay to exit the Tor network again and access the internet. It can be used to access hidden services.
This relay type is usually safe to operate.

**Simple Configuration**

```
Nickname YourRelayNameHere
ORPort 9001
DirPort 9030
ExitRelay 0
ContactInfo test@example.com
```

This configuration sets up a basic relay. You can change the ports as you like. Don't forget to open a firewall rule for Tor.

The `DirPort` line is optional, but helps the Tor network by taking some load off the directory authorities.

Instead of just a port number, you can also use the `IP:Port` syntax. This is useful if you have multiple network interfaces but only want to listen on one.

The `ContactInfo` should be changed to match your needs. This is a free form text field. You're free to encode the address, for example `ContactInfo `. You can also supply a website URL if you prefer.

**NAT configuration**

This configuration can be used if you want to use a specific public IP, or if the public port is different from the port you listen on:

```
Nickname YourRelayNameHere
ORPort 51.154.60.34:9001 NoListen
ORPort 192.168.2.2:1234 NoAdvertise
DirPort 51.154.60.34:9030 NoListen
DirPort 192.168.2.2:4321 NoAdvertise
ExitRelay 0
```

- This makes Tor listen on `192.168.2.2` on ports 1234 and 4321.
- Tor will advertise `51.154.60.34:9001` and `51.154.60.34:9030` but not listen on those addresses.
- You need to configure port forwarding in your router/firewall to forward inbound 9001 to 1234 and 9030 to 4321.

### Bridge

Bridges allow people to access the Tor network on heavily restricted networks. They're not advertised in the global Tor node directory and use various types of obfuscation to hide the fact that it's Tor traffic.

To begin being a bridge, you must download [obfs4proxy.exe](data/obfs4proxy.exe) and put it into the directory where the Tor executable is located. You can also obtain this file from the Tor browser bundle.
**Configuration**

```
BridgeRelay 1
ORPort 1234
ServerTransportListenAddr obfs4 0.0.0.0:4321
ExtORPort auto
ExitRelay 0
```

Also add `Nickname` and `ContactInfo` (see the regular relay configuration example).

- The `ORPort` port number must be reachable from the internet.
- The `ServerTransportListenAddr` port number must be reachable from the internet.
- The `ServerTransportListenAddr` port number should be greater than 1024 but not 9001 or 9030.

### Exit Node

Exit nodes are the final nodes in a Tor circuit. They allow you to visit regular websites like this one. Exit nodes are important for the network, but running them can be tricky. The IP address of your node will be the address seen by services when it's abused. [Please read the exit node guide first](https://blog.torproject.org/tips-running-exit-node).

**Configuration**

The configuration is based on the configuration for running a regular relay. These changes have to be made (add lines you don't have):

- Set `ExitPolicy` to `1`
- If you have IPv6, `IPv6Exit 1`
- Optionally set `ReducedExitPolicy` to `1`

[The reduced exit policy is explained here](https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy). You used to set these entries manually, but `ReducedExitPolicy` does the same now.

When you run an exit node, it's best to host an information page on a regular web server. People that see suspicious traffic from your IP might try to visit it via HTTP, so it's good to have this. You can use Tor as a single page web server by making `DirPort` listen on 80. You can then use `DirPortFrontPage C:\path\to\info.html` to make it deliver an information page. Alternatively, [consider installing Apache](/apache) instead.

To avoid abuse complaints, you can run the [exit relay self service](https://github.com/AyrA/ERSS) portal. The portal allows people to block traffic from your exit node to their address without your intervention. Set the `ContactInfo` value of your Tor config to `ERSS-Enabled:`.
The repository also comes with a file you can use for the `DirPortFrontPage`.
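Several settings discussed on this page are easy to get subtly wrong before a service restart: a `SocksPort` bound to a non-loopback address (the unencrypted listener becomes reachable from the network), `SocksPort 0`, `HiddenServicePort` lines that must follow their `HiddenServiceDir`, and the `NoListen`/`NoAdvertise` split for a relay behind NAT. The Python script below is an added example, not part of the original page or of Tor: it parses a torrc into what Tor would listen on, what it would advertise and which ports each hidden service exposes, flags a publicly bound SOCKS listener, and lists the router forwarding rules a NAT configuration needs. It assumes that a `HiddenServicePort` without an explicit target forwards to the same port on 127.0.0.1 and that a bare `ORPort`/`DirPort` number listens on all interfaces (recorded as `0.0.0.0`); the sample torrc is constructed from this page's examples and all function names are mine.

```python
import ipaddress
from dataclasses import dataclass, field

LOOPBACK = "127.0.0.1"


@dataclass
class TorrcSummary:
    socks: list = field(default_factory=list)            # (bind address, port)
    hidden_services: dict = field(default_factory=dict)  # dir -> {virtual port: "host:port"}
    listen: list = field(default_factory=list)           # (kind, address, port) Tor binds
    advertise: list = field(default_factory=list)        # (kind, address, port) published
    warnings: list = field(default_factory=list)


def split_addr(value: str, default_host: str):
    """'9050' -> (default_host, 9050); '0.0.0.0:9050' -> ('0.0.0.0', 9050)."""
    host, sep, port = value.rpartition(":")
    return (host.strip("[]") if sep else default_host, int(port))


def parse_torrc(text: str) -> TorrcSummary:
    s = TorrcSummary()
    current = None  # HiddenServiceDir that following HiddenServicePort lines belong to
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # a '#' prefix disables the line
            continue
        key, _, rest = line.partition(" ")
        args = rest.split()
        if key == "SocksPort":
            host, port = split_addr(args[0], LOOPBACK)
            if port == 0:
                continue  # 'SocksPort 0' disables the SOCKS proxy
            s.socks.append((host, port))
            if not ipaddress.ip_address(host).is_loopback:
                s.warnings.append(f"line {lineno}: SocksPort on {host}:{port} is reachable from "
                                  "the network; SOCKS is unencrypted, use only on trusted networks")
        elif key == "HiddenServiceDir":
            current = rest.strip()
            s.hidden_services[current] = {}
        elif key == "HiddenServicePort":
            if current is None:
                s.warnings.append(f"line {lineno}: HiddenServicePort before any HiddenServiceDir")
                continue
            virtual = int(args[0])
            # Assumption: without a target, Tor forwards to the same port on 127.0.0.1
            target = args[1] if len(args) > 1 else f"{LOOPBACK}:{virtual}"
            s.hidden_services[current][virtual] = target
        elif key in ("ORPort", "DirPort"):
            # Assumption: a bare port listens on all interfaces (recorded as 0.0.0.0)
            host, port = split_addr(args[0], "0.0.0.0")
            flags = set(args[1:])
            if "NoListen" not in flags:
                s.listen.append((key, host, port))
            if "NoAdvertise" not in flags:
                s.advertise.append((key, host, port))
    for directory, ports in s.hidden_services.items():
        if not ports:
            s.warnings.append(f"{directory}: HiddenServiceDir without any HiddenServicePort")
    return s


def forwarding_rules(s: TorrcSummary):
    """NAT setups: which inbound public port has to be forwarded to which local port."""
    return [(kind, pub_port, local_port)
            for kind, _, pub_port in s.advertise
            for lkind, _, local_port in s.listen
            if kind == lkind and pub_port != local_port]


# Constructed sample torrc, stitched together from the examples on this page.
SAMPLE_TORRC = r"""
SocksPort 9050
SocksPort 0.0.0.0:9150
TruncateLogFile 1

HiddenServiceDir C:\Tools\TOR\onion\MyMailService
HiddenServicePort 25
HiddenServicePort 587
HiddenServicePort 110
HiddenServicePort 143
HiddenServicePort 80 127.0.0.1:8080

HiddenServiceDir C:\Tools\TOR\onion\MyWebsite
HiddenServicePort 80 127.0.0.1:8081

Nickname YourRelayNameHere
ORPort 51.154.60.34:9001 NoListen
ORPort 192.168.2.2:1234 NoAdvertise
DirPort 51.154.60.34:9030 NoListen
DirPort 192.168.2.2:4321 NoAdvertise
ExitRelay 0
"""

if __name__ == "__main__":
    summary = parse_torrc(SAMPLE_TORRC)
    print("SOCKS listeners:", summary.socks)
    for directory, ports in summary.hidden_services.items():
        print(directory, ports)
    print("listen:", summary.listen)
    print("advertise:", summary.advertise)
    print("forward:", forwarding_rules(summary))
    for w in summary.warnings:
        print("WARNING:", w)
```

Run it against `C:\Tools\TOR\torrc` (read the file and pass its text to `parse_torrc`) before restarting the service; the forwarding list is exactly what the router needs for the NAT example on this page, and a non-empty warnings list is worth a second look.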