Pre-Proxy + Tor + Post-Proxy
Using a pre-proxy before with Tor provides you with both censorship circumvention and anonymity. However, more and more sites view traffic from Tor exit nodes as suspicious. Sites will force you to complete multiple rounds of “Captchas” (completely automated public Turing tests to tell computers and humans apart) or even impose an outright block.
By adding a post-proxy, you can visit sites from a node that does not appear to be a Tor exit node. Provided that your destination website does not also object to proxy servers, this will be much more convenient. The final arrangement of software chains three components:
- a pre-proxy for anticensorship
- Tor for anonymity
- a post-proxy to avoid having a Tor exit node as your final IP address
This article gives the practical details of constructing this arrangement. It is assumed that your PC runs a recent version of Debian or Ubuntu.
You will need to make some decisions as to which pre-proxy works best in your country. Examples of pre-proxies would be Shadowsocks, V2Ray, or Trojan-GFW.
Having decided that, you will need to decide between using a public-interest server or a private server. Which is best for you depends on your threat model. You do not know who is running the public-interest server, and you do not know if they keep logs. However, your traffic will pass through the first server completely encrypted, so the proxy operator does not know your final destination or the contents of your traffic. A private server is more secure but leaves a money trail.
Having made your decisions, you must obtain the pre-proxy server details such as IP address, port, and password.
- If you decide that a public-interest server will work best for you, you can find servers from lists on the Internet.
- If you decide that a private server will work best for you, you can set one up as described in the articles on Shadowsocks-Libev, V2Ray, and Trojan-GFW.
We will give the example of setting up a private Shadowsocks-Libev server at IP address
YY.YY.YY.YY, but of course you can choose one of the other options if you wish:
apt update && apt upgrade -y
apt install shadowsocks-libev -y
Enter your choice of configuration details. For example:
Save the file, restart Shadowsocks-Libev, and exit your session with the server:
systemctl restart shadowsocks-libev
Whether you are using a public-interest server or a private server, you now have all the details you need to install and configure your Linux client for Shadowsocks-Libev, V2Ray, or Trojan-GFW.
For example, if you decided to use a private Shadowsocks server as your pre-proxy, you would install the client like this:
sudo apt update && sudo apt upgrade -y
sudo apt install shadowsocks-libev -y
sudo systemctl stop shadowsocks-libev
sudo systemctl disable shadowsocks-libev
sudo vi /etc/shadowsocks-libev/config.json
Enter your server details, replacing
YY.YY.YY.YY by your server’s public IP address:
Save the file and start the local client listening on port
sudo systemctl enable shadowsocks-libev-local@config
sudo systemctl start shadowsocks-libev-local@config
Open Firefox. Download the Tor Browser for 64-bit Linux in your language from the Tor Project website.
If the Tor Project website is blocked in your country, the pre-proxy should allow you to reach it if you configure Firefox to use the SOCKS5 proxy on
1080. If you still have problems, send an email to email@example.com. The email responder will automatically send you alternative download links for Tor Browser.
The download will have a name such as
tor-browser-linux64-9.5.4_en-US.tar.xz. Decompress the archive by opening a terminal and issuing the commands:
tar -xf tor-browser-linux64-9.5.4_en-US.tar.xz
Install the app like this:
The Tor configuration file is stored in
~/Downloads/tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc. However, you should configure Tor within the Tor Browser graphical user interface.
Assuming you are using GNOME desktop, click Activities. Search for and start Tor Browser. At this point, you can right-click on the Tor Browser icon in the Activities menu and add it to your favorites, if you wish.
The first time Tor Browser launches:
- Click Configure.
- Check I use a proxy to connect to the Internet.
- Enter the details of your pre-proxy client, which will usually be proxy type SOCKS5, IP address
127.0.0.1, and port
- Click Connect to make sure you can connect through your pre-proxy + Tor.
As soon as you are connected through your pre-proxy to Tor, close the Tor Browser for now. If you want to see the configuration created by the graphical user interface in Tor Browser, issue the command:
You will see that Tor Browser has added a line to your
torrc configuration file:
If you have not already done so, install Git on your PC. In your terminal, issue the command:
sudo apt install git -y
Get the Psiphon binaries from GitHub (this is a large download of about 1.4 GB):
git clone https://github.com/Psiphon-Labs/psiphon-tunnel-core-binaries.git
Change into the Psiphon directory for Linux:
Create a configuration file for Psiphon 3:
Insert lines like this. Psiphon will listen on port
1081 and expect an upstream proxy (Tor) on port
9150. We previously configured Tor to expect its own proxy on port
Start your pre-proxy client running if it is not running already (e.g. Shadowsocks client, V2Ray client, or Trojan-GFW client). In our example, we just need to check the pre-proxy is running:
sudo systemctl status shadowsocks-libev-local@config
Start Tor Browser. We won’t actually use Tor Browser as the browser, so minimize it (“Super” key + h in GNOME desktop). We just want the Tor client itself to stay running. It listens on
Start Psiphon running:
./psiphon-tunnel-core-x86_64 -config config.json
It takes a few minutes to initialize when it has to run through a pre-proxy plus Tor. Leave the terminal window open, with Psiphon running in it.
Open Firefox. From the hamburger menu, select Preferences. In the Network Settings section, click Settings. Set the network settings as follows:
- Select Manual proxy configuration
- Fill in
127.0.0.1in SOCKS Host
- Fill in
1081in the Port (this is the port that Psiphon is listening on)
- Select SOCKS v5
- Check Proxy DNS when using SOCKS v5
- Click OK when you’ve set everything up
Firefox now sends requests to Psiphon on port
1081, which expects an upstream proxy on port
9150 (Tor), which in turn uses a proxy on port
In Firefox, visit IP Chicken. You should see the IP address of the Psiphon server, not the IP address of your PC.