9

One of the fundamentals of Tor is that it can only really hide you if, when Tor is enabled and in use, you're using it exclusively.

Agents wishing to de-anonymize you can examine requests to different endpoints and look for common or synchronized requests, which suggests that the traffic from a proxied IP address is related to the traffic from the actual endpoint.

So to prevent other components on my laptop from disclosing my location, I'd like to configure the system so it blocks all traffic that isn't going through the Tor relay. For instance, Skype, Gmail, Spotify, or anything else that makes requests to the Internet must be disabled?

How can I configure Tor, or my network, so that only components using the Tor relay can make requests to the Internet? I've used firewall UNIX tools like ufw and ipfw, but automating this would reduce the potential for making mistakes and forgetting to close or block something.

jmort253

4 Answers

9

Tails might be your best bet

The Amnesic Incognito Live System or Tails is a Debian-based Linux distribution aimed at preserving privacy and anonymity. It is the next iteration of development on the previous Gentoo based Incognito Linux distribution. All its outgoing connections are forced to go through Tor, and direct (non-anonymous) connections are blocked. The system is designed to be booted as a live CD or USB, and leaves no trace on the machine unless explicitly told to do so. The Tor Project has provided most of the financial support for development. (Wikipedia)

It would be best if you could run it on a spare computer. If you need it to run in a virtual machine, you can disable DHCP on your host machine and bridge your network card to your VM.

David
3

You could use a virtual machine if you don't have an extra computer for Tails and install Whonix on it. Whonix has a gateway VM which works like a router and a workstation which connects to it. All traffic goes through Tor.

https://www.whonix.org/

wbcmac2000
2

This is a very old thread, discussed everywhere. The best solution for you is to read the official FAQ, the so-called "Wiki".

See here the Tor Project Wiki page on IsolatingProxy.

Take a look, there are two ways:

  • Isolating Proxy
  • Transparent Proxy

The "Transparent Proxy" way is the oldest one; there are configurations for all types of OS: Windows, Linux, BSD, MacOS, etc. There is a lot of good and precise information for you.

However, this is the wrong way. Part of the UDP traffic would leak from the transparent proxy. Once folks discovered this, the second way appeared, called "Isolating Proxy".

You could find that this is just a hardened Transparent Proxy.

See, both Transparent and Isolated proxies advise using a separate machine for your Tor box.

This looks like:

Your Network --> Tor-Box(Isolated proxy) --> Internet.

jmort253
anonymous
2

Your best bet would probably be to configure the firewall to only allow Tor traffic through. I don't have experience with the firewall on Mac or Linux, but on Windows it seems possible. If you can't find the firewall setup, open Run (Windows Key + R) and type WF.msc.

It seems some things like Internet Explorer aren't in the allow list and are allowed by default; you may or may not be able to block them. Also, you can configure the system-wide proxy settings, and that should catch most programs (including Internet Explorer).

You could use something like Wireshark to check that it is working. Another option is to have a hardware firewall. I assume this is 10x easier on Mac/Linux, and if someone else knows how to do it on Mac/Linux I also would like to know.

Remember, if you are really serious about privacy you shouldn't be using Windows, so this whole answer is probably useless.

Roya
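One way to express the "only allow Tor traffic through the firewall" approach on Linux, as an added example that is not part of any answer above: a shell function that emits a default-deny ruleset in `iptables-restore` format. The function name `tor_only_rules`, the account name `debian-tor` (the user Debian's tor package runs as) and the choice to block IPv6 entirely are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): fail-closed "Tor only" host firewall.
# Assumptions: Linux with iptables, and tor running under its own account
# (debian-tor on Debian/Ubuntu; other distributions use other names).
#
# Load with:  tor_only_rules debian-tor 4 | sudo iptables-restore
#             tor_only_rules debian-tor 6 | sudo ip6tables-restore

# tor_only_rules USER [4|6] -> prints a ruleset on stdout, returns 1 on bad input
tor_only_rules() {
    tor_user=$1
    family=${2:-4}
    # Accept only a plain account name or numeric uid, so the argument cannot
    # smuggle extra rule text into the generated ruleset.
    case $tor_user in
        ''|-*|*[!A-Za-z0-9_-]*) echo "invalid tor user: $tor_user" >&2; return 1 ;;
    esac
    case $family in
        4|6) ;;
        *) echo "family must be 4 or 6" >&2; return 1 ;;
    esac

    echo '*filter'
    # Default deny on every chain: whatever is not allowed below is dropped,
    # including DNS lookups and UDP that bypass Tor.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    # Loopback stays open so applications can reach Tor's local SOCKS port.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    # Replies to connections that were allowed out.
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    if [ "$family" = 4 ]; then
        # The only traffic allowed to leave the host: TCP owned by the tor account.
        echo "-A OUTPUT -p tcp -m owner --uid-owner $tor_user -j ACCEPT"
    fi
    # IPv6 gets no exception at all in this example (assumption: IPv4-only Tor).
    # REJECT instead of silent DROP so blocked applications fail immediately.
    echo '-A OUTPUT -j REJECT'
    echo 'COMMIT'
}
```

With these rules loaded, DHCP renewals are blocked as well, so the host needs a static address or an explicit DHCP exception. A packet capture on the external interface, as the answer suggests with Wireshark, should then show only the tor process's TCP connections.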