Pre-Proxy + Tor + Post-Proxy
Using a pre-proxy before with Tor provides you with censorship circumvention and improved privacy. However, more and more sites are suspicious of traffic that comes from a Tor exit node. They will force you to complete multiple rounds of “Captchas” (completely automated public Turing tests to tell computers and humans apart), or even impose an outright block. By adding a post-proxy, you can visit these sites from a node that does not appear to be a Tor exit node. The final arrangement of software chains three components:
- a pre-proxy for anticensorship
- Tor for anonymity
- a post-proxy to avoid having a Tor exit node as your final IP address
This article gives some practical details to construct this arrangement.
We assume that your PC runs a recent version of Debian or Ubuntu. We tested this procedure with Debian 11 Buster Release Candidate 2. If your PC runs Windows or macOS, you will have to experiment on your own.
You will need to make some decisions as to which pre-proxy will work best. Examples of pre-proxies would be Shadowsocks, V2Ray, or Trojan-GFW. We have tested this procedure with Shadowsocks. We have not tested V2Ray or Trojan-GFW.
Having decided that, you will need to decide between using a public-interest server or a private server. Which is best for you depends on your threat model. You do not know who is running the public-interest server, and you do not know if they keep logs. However, your traffic will pass through the first server completely encrypted, so the proxy operator does not know your final destination or the contents of your traffic. A private server is more secure but leaves a money trail.
Having made your decisions, you must obtain the pre-proxy server details such as IP address, port, and password.
- If you decide that a public-interest server will work best for you, you can find servers from lists on the Internet.
- If you decide that a private server will work best for you, you can set one up as described in the articles on Shadowsocks-Libev, V2Ray, and Trojan-GFW.
We give the example of setting up a private Shadowsocks-Libev server at IP address
apt update && apt upgrade -y
apt install shadowsocks-libev -y
Enter your choice of configuration details. For example:
Save the file, restart Shadowsocks-Libev, and exit your session with the server:
systemctl restart shadowsocks-libev
Whether you are using a public-interest server or a private server, at this stage you must have the details of your server so that you can configure your client.
This article uses the example of a Shadowsocks server as the pre-proxy. You would install the client on Debian or Ubuntu like this:
sudo apt update && sudo apt upgrade -y
sudo apt install shadowsocks-libev -y
Since this will be a Shadowsocks local client, stop the Shadowsocks server:
sudo systemctl stop shadowsocks-libev
sudo systemctl disable shadowsocks-libev
Edit a configuration file for the client:
sudo vi /etc/shadowsocks-libev/config.json
Enter your server details, replacing
YY.YY.YY.YY by your server’s public IP address:
Save the file.
Start the local client listening on port
sudo systemctl enable [email protected]
sudo systemctl start [email protected]
Open Firefox. Download the Tor Browser for 64-bit Linux in your language from the Tor Project website.
If the Tor Project website is blocked in your country, the pre-proxy should allow you to reach it if you configure Firefox to use the SOCKS5 proxy on
1080. If you still have problems, send an email to [email protected]. The email responder will automatically send you alternative download links for Tor Browser.
The download will have a name such as
tor-browser-linux64-10.0.17_en-US.tar.xz. Decompress the archive by opening a terminal and issuing the commands:
tar -xf tor-browser-linux64-10.0.17_en-US.tar.xz
Install the app like this:
The Tor configuration file is stored in
~/Downloads/tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc. However, you should configure Tor within the Tor Browser graphical user interface.
Assuming you are using GNOME desktop, click Activities. Search for and start Tor Browser. (At this point, you can right-click on the Tor Browser icon in the Activities menu and add it to your favorites, if you wish.)
The first time Tor Browser launches:
- Click Configure.
- Check I use a proxy to connect to the Internet.
- Enter the details of your pre-proxy client, which will usually be proxy type SOCKS5, IP address
127.0.0.1, and port
- Click Connect to make sure you can connect through your pre-proxy + Tor.
As soon as you are connected through your pre-proxy to Tor, close the Tor Browser for now. If you want to see the configuration created by the graphical user interface in Tor Browser, issue the command:
You will see that Tor Browser has added a line to your
torrc configuration file:
Get the Psiphon binary from GitHub:
Make it executable:
chmod +x psiphon-tunnel-core-x86_64
Create a configuration file for Psiphon 3:
Insert lines like this. Psiphon will listen on port
1081 and expect an upstream proxy (Tor) on port
9150. We previously configured Tor to expect its own proxy on port
We just need to check the pre-proxy is still running:
sudo systemctl status [email protected]
If necessary, type
q to quit the status display.
Start Tor Browser. We won’t actually use Tor Browser as the browser, so hide it (“Super” key + h in GNOME desktop). We just want the Tor client itself to stay running. It listens on
Start Psiphon running:
./psiphon-tunnel-core-x86_64 -config config.json
It takes a few minutes to initialize when it has to run through a pre-proxy plus Tor. Leave the terminal window open, with Psiphon running in it.
Open Firefox. From the hamburger menu, select Preferences. In the Network Settings section, click Settings. Set the network settings as follows:
- Select Manual proxy configuration
- Fill in
127.0.0.1in SOCKS Host
- Fill in
1081in the Port (this is the port that Psiphon is listening on)
- Select SOCKS v5
- Check Proxy DNS when using SOCKS v5
- Click OK when you’ve set everything up
Firefox now sends requests to Psiphon on port
1081, which expects an upstream proxy on port
9150 (Tor), which in turn uses a proxy on port
In Firefox, visit https://check.torproject.org. You should see that you do not appear to be using Tor. You see the IP address of the Psiphon server, not the IP address of a Tor exit node.