Pre-Proxy + Tor + Post-Proxy

Using a pre-proxy before with Tor provides you with both censorship circumvention and anonymity. However, more and more sites view traffic from Tor exit nodes as suspicious. Sites will force you to complete multiple rounds of “Captchas” (completely automated public Turing tests to tell computers and humans apart) or even impose an outright block.

By adding a post-proxy, you can visit sites from a node that does not appear to be a Tor exit node. Provided that your destination website does not also object to proxy servers, this will be much more convenient. The final arrangement of software chains three components:

This article gives the practical details of constructing this arrangement. It is assumed that your PC runs a recent version of Debian or Ubuntu.

1. Install and Configure Pre-Proxy

1.1. Make Decisions

You will need to make some decisions as to which pre-proxy works best in your country. Examples of pre-proxies would be Shadowsocks, V2Ray, or Trojan-GFW.

Having decided that, you will need to decide between using a public-interest server or a private server. Which is best for you depends on your threat model. You do not know who is running the public-interest server, and you do not know if they keep logs. However, your traffic will pass through the first server completely encrypted, so the proxy operator does not know your final destination or the contents of your traffic. A private server is more secure but leaves a money trail.

1.2. Obtain Pre-Proxy Server Details

Having made your decisions, you must obtain the pre-proxy server details such as IP address, port, and password.

We will give the example of setting up a private Shadowsocks-Libev server at IP address YY.YY.YY.YY, but of course you can choose one of the other options if you wish:

ssh root@YY.YY.YY.YY
apt update && apt upgrade -y
apt install shadowsocks-libev -y
vi /etc/shadowsocks-libev/config.json

Enter your choice of configuration details. For example:

{
"server":["::1", "0.0.0.0"],
"mode":"tcp_and_udp",
"server_port":8388,
"local_port":1080,
"password":"barfoo!",
"timeout":300,
"method":"chacha20-ietf-poly1305"
}

Save the file, restart Shadowsocks-Libev, and exit your session with the server:

systemctl restart shadowsocks-libev
exit

1.3. Install and Configure Pre-Proxy Client

Whether you are using a public-interest server or a private server, you now have all the details you need to install and configure your Linux client for Shadowsocks-Libev, V2Ray, or Trojan-GFW.

For example, if you decided to use a private Shadowsocks server as your pre-proxy, you would install the client like this:

sudo apt update && sudo apt upgrade -y
sudo apt install shadowsocks-libev -y
sudo systemctl stop shadowsocks-libev
sudo systemctl disable shadowsocks-libev
sudo vi /etc/shadowsocks-libev/config.json

Enter your server details, replacing YY.YY.YY.YY by your server’s public IP address:

{
"server": "YY.YY.YY.YY",
"server_port": 8388,
"local_address": "127.0.0.1",
"local_port":1080,
"password": "barfoo!",
"method": "chacha20-ietf-poly1305",
"timeout": 300,
"fast_open": false,
"mode": "tcp_and_udp"
}

Save the file and start the local client listening on port 1080:

sudo systemctl enable shadowsocks-libev-local@config
sudo systemctl start shadowsocks-libev-local@config

2. Install and Configure Tor Browser

2.1. Download and Extract Tor Browser

Open Firefox. Download the Tor Browser for 64-bit Linux in your language from the Tor Project website.

If the Tor Project website is blocked in your country, the pre-proxy should allow you to reach it if you configure Firefox to use the SOCKS5 proxy on 127.0.0.1 port 1080. If you still have problems, send an email to gettor@torproject.org. The email responder will automatically send you alternative download links for Tor Browser.

The download will have a name such as tor-browser-linux64-9.5.4_en-US.tar.xz. Decompress the archive by opening a terminal and issuing the commands:

cd ~/Downloads
tar -xf tor-browser-linux64-9.5.4_en-US.tar.xz

Install the app like this:

cd tor-browser_en-US
./start-tor-browser.desktop --register-app

2.2. Configure Tor to Use Pre-Proxy

The Tor configuration file is stored in ~/Downloads/tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc. However, you should configure Tor within the Tor Browser graphical user interface.

Assuming you are using GNOME desktop, click Activities. Search for and start Tor Browser. At this point, you can right-click on the Tor Browser icon in the Activities menu and add it to your favorites, if you wish.

The first time Tor Browser launches:

  1. Click Configure.
  2. Check I use a proxy to connect to the Internet.
  3. Enter the details of your pre-proxy client, which will usually be proxy type SOCKS5, IP address 127.0.0.1, and port 1080.
  4. Click Connect to make sure you can connect through your pre-proxy + Tor.

As soon as you are connected through your pre-proxy to Tor, close the Tor Browser for now. If you want to see the configuration created by the graphical user interface in Tor Browser, issue the command:

cat ~/Downloads/tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc

You will see that Tor Browser has added a line to your torrc configuration file:

Socks5Proxy 127.0.0.1:1080

3. Download and Configure Psiphon 3

3.1. Download Psiphon Binary for Linux

If you have not already done so, install Git on your PC. In your terminal, issue the command:

sudo apt install git -y

Get the Psiphon binaries from GitHub (this is a large download of about 1.4 GB):

cd ~/Downloads
git clone https://github.com/Psiphon-Labs/psiphon-tunnel-core-binaries.git

Change into the Psiphon directory for Linux:

cd psiphon-tunnel-core-binaries/linux

3.2. Create Configuration File

Create a configuration file for Psiphon 3:

vi config.json

Insert lines like this. Psiphon will listen on port 1081 and expect an upstream proxy (Tor) on port 9150. We previously configured Tor to expect its own proxy on port 1080.

{
"LocalHttpProxyPort":8081,
"LocalSocksProxyPort":1081,
"UpstreamProxyURL":"socks5://127.0.0.1:9150",
"PropagationChannelId":"FFFFFFFFFFFFFFFF",
"RemoteServerListDownloadFilename":"remote_server_list",
"RemoteServerListSignaturePublicKey":"MIICIDANBgkqhkiG9w0BAQEFAAOCAg0AMIICCAKCAgEAt7Ls+/39r+T6zNW7GiVpJfzq/xvL9SBH5rIFnk0RXYEYavax3WS6HOD35eTAqn8AniOwiH+DOkvgSKF2caqk/y1dfq47Pdymtwzp9ikpB1C5OfAysXzBiwVJlCdajBKvBZDerV1cMvRzCKvKwRmvDmHgphQQ7WfXIGbRbmmk6opMBh3roE42KcotLFtqp0RRwLtcBRNtCdsrVsjiI1Lqz/lH+T61sGjSjQ3CHMuZYSQJZo/KrvzgQXpkaCTdbObxHqb6/+i1qaVOfEsvjoiyzTxJADvSytVtcTjijhPEV6XskJVHE1Zgl+7rATr/pDQkw6DPCNBS1+Y6fy7GstZALQXwEDN/qhQI9kWkHijT8ns+i1vGg00Mk/6J75arLhqcodWsdeG/M/moWgqQAnlZAGVtJI1OgeF5fsPpXu4kctOfuZlGjVZXQNW34aOzm8r8S0eVZitPlbhcPiR4gT/aSMz/wd8lZlzZYsje/Jr8u/YtlwjjreZrGRmG8KMOzukV3lLmMppXFMvl4bxv6YFEmIuTsOhbLTwFgh7KYNjodLj/LsqRVfwz31PgWQFTEPICV7GCvgVlPRxnofqKSjgTWI4mxDhBpVcATvaoBl1L/6WLbFvBsoAUBItWwctO2xalKxF5szhGm8lccoc5MZr8kfE0uxMgsxz4er68iCID+rsCAQM=",
"RemoteServerListUrl":"https://s3.amazonaws.com//psiphon/web/mjr4-p23r-puwl/server_list_compressed",
"SponsorId":"FFFFFFFFFFFFFFFF",
"UseIndistinguishableTLS":true
}

4. Start Session

4.1. Start Pre-Proxy

Start your pre-proxy client running if it is not running already (e.g. Shadowsocks client, V2Ray client, or Trojan-GFW client). In our example, we just need to check the pre-proxy is running:

sudo systemctl status shadowsocks-libev-local@config

4.2. Start Tor

Start Tor Browser. We won’t actually use Tor Browser as the browser, so minimize it (“Super” key + h in GNOME desktop). We just want the Tor client itself to stay running. It listens on localhost port 9050.

4.3. Start Post-Proxy

Start Psiphon running:

./psiphon-tunnel-core-x86_64 -config config.json

It takes a few minutes to initialize when it has to run through a pre-proxy plus Tor. Leave the terminal window open, with Psiphon running in it.

4.4. Configure Firefox

Open Firefox. From the hamburger menu, select Preferences. In the Network Settings section, click Settings. Set the network settings as follows:

Firefox now sends requests to Psiphon on port 1081, which expects an upstream proxy on port 9150 (Tor), which in turn uses a proxy on port 1080 (Shadowsocks).

4.5. End-to-End Test

In Firefox, visit IP Chicken. You should see the IP address of the Psiphon server, not the IP address of your PC.