Update: there is a better howto on the Tor Wiki; this page is kept for historical reference.

Howto install tor chrooted and unprivileged on OpenBSD

  1. tar xfz tor-...tar.gz
  2. cd tor-... (the directory the tarball unpacked into)
  3. build a static binary so we don't have to worry about dynamic libs, loaders, etc. Tor will run chrooted and we're not bored enough to set up file system hierarchies, so:
    env CFLAGS=-static ./configure --prefix=/
  4. gmake
  5. /var is mounted with -o nodev in many OpenBSD installations, and tor needs to write to its data directory and to open device nodes, so the usual /var/empty will not do. We will create /tor. You can choose any other location, but the filesystem it lives on must allow executables and devices (i.e. it must not be mounted noexec or nodev).
    export TORDIR=/tor # bourne-shell (sh/ksh/bash/zsh)
    sudo mkdir $TORDIR
    WARNING: If you omit the export TORDIR, $TORDIR expands to nothing and the following commands run as root against the root directory /, so they will fail or seriously damage your system.
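The two preconditions of this step, a sane $TORDIR and a filesystem without nodev/noexec, are easy to check before any "sudo ... $TORDIR/..." command runs. The following is an added example and not part of the original howto; it assumes a POSIX sh and the mount(8) output format of OpenBSD, and the mount lines it is fed below are constructed samples.

```shell
# check_tordir DIR: succeed only if DIR is an absolute path other than the
# root directory. Run this before every command that writes under $TORDIR.
check_tordir() {
    dir=$1
    # strip trailing slashes so "/tor/" and "/" are handled uniformly
    dir=$(printf '%s' "$dir" | sed 's:/*$::')
    case "$dir" in
        "")  echo "TORDIR is unset or is the root directory" >&2; return 1 ;;
        /*)  ;;
        *)   echo "TORDIR must be an absolute path: $1" >&2; return 1 ;;
    esac
    case "$dir" in
        */../*|*/..) echo "TORDIR must not contain ..: $1" >&2; return 1 ;;
    esac
    return 0
}

# mount_line_ok LINE: given one line of mount(8) output such as
#   /dev/wd0d on /var type ffs (local, nodev, nosuid)
# fail if the filesystem is mounted nodev or noexec, because the chroot
# needs working /dev/*random nodes and an executable /bin/tor.
mount_line_ok() {
    case "$1" in
        *\(*\)) ;;
        *) echo "not a mount(8) line: $1" >&2; return 1 ;;
    esac
    # options are the comma separated list inside the last parentheses
    opts=$(printf '%s' "$1" | sed 's/.*(//; s/)$//')
    case ",$(printf '%s' "$opts" | tr -d ' ')," in
        *,nodev,*|*,noexec,*) return 1 ;;
    esac
    return 0
}

# Demonstration on constructed inputs
for d in /tor /tor/ / "" tor /tor/../etc; do
    if check_tordir "$d" 2>/dev/null; then echo "ok:  '$d'"; else echo "bad: '$d'"; fi
done
for line in "/dev/wd0d on /var type ffs (local, nodev, nosuid)" \
            "/dev/wd0a on / type ffs (local)"; do
    if mount_line_ok "$line"; then echo "usable:   $line"; else echo "unusable: $line"; fi
done
```

In practice you would feed mount_line_ok the line that mount(8) prints for the filesystem holding $TORDIR, and abort the installation if either check fails.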
  6. install it:
    sudo gmake DESTDIR=$TORDIR install
  7. tor uses /dev/*random for key generation, so it needs those device nodes (plus a few others, like /dev/null):
    sudo mkdir $TORDIR/dev
    cd $TORDIR/dev
    sudo sh /dev/MAKEDEV random
    sudo sh /dev/MAKEDEV std
  8. remove unnecessary and potentially dangerous special files in $TORDIR/dev:
    sudo rm drum ksyms kmem mem tty console klog xf86
  9. I suggest sending tor's logs to /var/log/messages, so let's have syslogd create a socket in tor's /dev when it restarts:
    sudo vi /etc/rc.conf.local
    add a line syslogd_flags="-a $TORDIR/dev/log", but write the directory you actually chose in place of $TORDIR (/tor in this example), since rc.conf.local does not know that variable.
  10. We won't run tor as root, so we create a dedicated user _tor with group _tor, login class daemon, no usable password and /sbin/nologin as shell (useradd adds the user to /etc/master.passwd):
    sudo groupadd _tor
    sudo useradd -g _tor -d /nonexistent -L daemon \
    -c '_tor anonymizer' -s /sbin/nologin _tor
  11. The chrooted tor will never see /etc/master.passwd, so we have to provide a copy:
    sudo touch $TORDIR/etc/master.passwd
    sudo grep "^_tor:" /etc/master.passwd | sudo dd of=$TORDIR/etc/master.passwd
  12. The /etc/pwd.db and so forth are still missing:
    sudo touch $TORDIR/etc/spwd.db $TORDIR/etc/pwd.db
    sudo pwd_mkdb -d $TORDIR/etc -u _tor $TORDIR/etc/master.passwd
    (creates $TORDIR/etc/{passwd,master.passwd,pwd.db,spwd.db})
  13. Provide a _tor group:
    sudo touch $TORDIR/etc/group
    grep "^_tor:" /etc/group | sudo dd of=$TORDIR/etc/group
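Steps 11 to 13 copy only the _tor lines into the chroot, so the jail never holds other accounts' password hashes. The script below is an added example, not part of the original howto: it does the same extraction for any account name, creates the target files with restrictive permissions before any data lands in them, and refuses to continue if the account is missing. It assumes a POSIX sh with mktemp; the master.passwd and group contents it works on are constructed samples. On the real chroot the pwd_mkdb step from the howto still has to follow, as root.

```shell
# extract_entry NAME SRC DST MODE: copy the line(s) for NAME from SRC into
# DST, creating DST with permission MODE. Fails if NAME is not present.
extract_entry() {
    name=$1 src=$2 dst=$3 mode=$4
    # create the file unreadable by others before writing anything into it
    ( umask 077; : > "$dst" ) || return 1
    # the anchored "^NAME:" pattern ensures that e.g. _torture does not
    # match when NAME is _tor
    if ! grep "^${name}:" "$src" > "$dst"; then
        rm -f "$dst"
        echo "no entry for $name in $src" >&2
        return 1
    fi
    chmod "$mode" "$dst"
}

# build_chroot_accounts JAIL NAME SRC_PASSWD SRC_GROUP: populate
# JAIL/etc/master.passwd (mode 600) and JAIL/etc/group (mode 644) with the
# entries for NAME only.
build_chroot_accounts() {
    jail=$1 name=$2
    mkdir -p "$jail/etc" || return 1
    extract_entry "$name" "$3" "$jail/etc/master.passwd" 600 || return 1
    extract_entry "$name" "$4" "$jail/etc/group" 644 || return 1
}

# count_entries FILE: number of lines in FILE; exactly 1 is expected
count_entries() {
    wc -l < "$1" | tr -d ' '
}

# Demonstration with constructed account files (the root hash is a placeholder)
work=$(mktemp -d)
cat > "$work/master.passwd" <<'EOF'
root:$2b$08$PLACEHOLDERHASH:0:0:daemon:0:0:Charlie:/root:/bin/ksh
_tor:*:1001:1001:daemon:0:0:_tor anonymizer:/nonexistent:/sbin/nologin
_torture:*:1002:1002:daemon:0:0:not tor:/nonexistent:/sbin/nologin
EOF
cat > "$work/group" <<'EOF'
wheel:*:0:root
_tor:*:1001:
EOF
if build_chroot_accounts "$work/jail" _tor "$work/master.passwd" "$work/group"; then
    echo "master.passwd entries in jail: $(count_entries "$work/jail/etc/master.passwd")"
    cat "$work/jail/etc/master.passwd"
fi
rm -rf "$work"
```

Afterwards, inside the real chroot's etc, pwd_mkdb builds pwd.db and spwd.db from that one-line master.passwd exactly as step 12 does.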
  14. Create writable space and modify tor's config for our setup:
    sudo mkdir -p $TORDIR/var/tor
    sudo chown -R _tor:_tor $TORDIR/var
    sudo cp $TORDIR/etc/tor/torrc.sample $TORDIR/etc/tor/torrc
    sudo vi $TORDIR/etc/tor/torrc
    add lines:
    User _tor
    Group _tor
    Log notice syslog
    RunAsDaemon 1
    DataDirectory /var/tor
  15. Restart syslogd so that it runs with the additional "-a $TORDIR/dev/log" flag from step 9 (this creates the log socket inside the chroot).
  16. Start tor to see if it works out:
    sudo chroot $TORDIR /bin/tor -f /etc/tor/torrc
  17. Look in /var/log/messages for lines from tor. If it seems to run all right, continue.
  18. Install privoxy. This is necessary because almost no browser implements socks4a correctly:
    cd /usr/ports/www/privoxy; make ; sudo make install
  19. Configure privoxy to forward everything through tor:
    vi /etc/privoxy/config
    search for the socks4a-forward section and add
    forward-socks4a / localhost:9050 .
  20. Start privoxy
    sudo /usr/local/sbin/privoxy
  21. Configure your browser to use http://localhost:8118/ as the proxy for everything. For lynx, it's sufficient to set http_proxy="http://127.0.0.1:9050/".
  22. Start sudo tcpdump -v port 80 in one terminal and the browser in another (close all other running browsers, RSS readers, wgets, etc.). With a working proxy chain no port 80 traffic should leave your host, because the web requests are made by the tor exit node.
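Reading a live tcpdump by eye is error prone, so here is an added example (not part of the original howto) that does the check over captured lines: any port 80 packet whose endpoints are not both loopback means a request bypassed privoxy and tor. It assumes a POSIX sh with awk and tcpdump's usual "src > dst:" line layout without -n, so ports may appear as numbers or as service names like http; the capture lines below are constructed.

```shell
# leak_check: read tcpdump lines on stdin, print every port 80 packet that
# involves a non-loopback endpoint, and return 1 if any was found.
leak_check() {
    awk '
    # only packet lines contain a "src > dst:" pair
    / > / {
        for (i = 2; i <= NF; i++) if ($i == ">") { src = $(i - 1); dst = $(i + 1) }
        sub(/:$/, "", dst)
        # the port is the text after the last dot of each endpoint
        ns = split(src, s, "."); sport = s[ns]
        nd = split(dst, d, "."); dport = d[nd]
        if (sport == "80" || sport == "http" || dport == "80" || dport == "http") {
            # loopback to loopback traffic belongs to privoxy and tor themselves;
            # anything else is a request that bypassed the proxy chain
            if (src !~ /^(127\.0\.0\.1|localhost)\./ || dst !~ /^(127\.0\.0\.1|localhost)\./) {
                print "LEAK: " $0
                leaks++
            }
        }
    }
    END { if (leaks > 0) exit 1 }'
}

# Constructed capture of a browser that ignored the proxy setting
sample_capture() {
    cat <<'EOF'
12:00:01.000000 IP localhost.40001 > localhost.http: S 1:1(0) win 16384
12:00:02.000000 IP myhost.example.org.40002 > www.example.com.http: S 2:2(0) win 16384
12:00:02.100000 IP www.example.com.http > myhost.example.org.40002: S 3:3(0) ack 3 win 5840
EOF
}

# Constructed capture of a correctly proxied session (only loopback traffic)
clean_capture() {
    cat <<'EOF'
12:00:05.000000 IP localhost.40003 > localhost.http: S 4:4(0) win 16384
EOF
}

if sample_capture | leak_check; then
    echo "sample capture: no leaks"
else
    echo "sample capture: browser bypassed the proxy"
fi
if clean_capture | leak_check; then
    echo "clean capture: no leaks"
fi
```

To use it on the real thing, save the tcpdump output to a file while you browse and run leak_check on that file afterwards.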
  23. If it works, add startup code to /etc/rc.local:
    # start the chrooted tor at boot; its torrc is /etc/tor/torrc inside the chroot
    if [ -x /tor/bin/tor ]; then
        chroot /tor/ /bin/tor
        echo -n ' tor'
    fi
  24. Finished. Thank you for your attention
    Matthias Bauer <obsdtor@weggla·franken·org>
    Feb 7 2005