Tor HowTo

How to set up Azureus to work with Tor


Even though this has been said elsewhere, PLEASE don't run peer-to-peer download data through Tor, as it can't handle the network traffic. If people continue to do this then Tor will start banning such traffic, which will badly impact legitimate use (as indicated below).

From the Tor website (

Tor: an anonymizing overlay network for TCP

Tor is a connection-based low-latency anonymous communication system that protects TCP streams: web browsing, instant messaging, irc, ssh, etc.

This document contains an overview of how to set up the Azureus BitTorrent client ( to use Tor for both Tracker and Peer-Peer data communications.

It is currently advisable to run only Tracker communication over Tor due to the current limitations of the Tor network; however, it is hoped that this restriction will be lifted in the future. (Note, however, that use of "superseeding" within Azureus is an efficient way of distributing data to a swarm and can be used over Tor with little impact on the network.)

That is, do not run normal data communications over Tor at the moment as the network will not handle the load. The only supported configurations are:

  1. Anonymous Trackers with public clients (4.1.1). All parties need to run Tor.
  2. Anonymous initial seeds (4.3.2). Only the seeding client needs to run Tor.

Tor is still experimental; versions prior to 1.0 should not be used where anonymity requirements are high!

In the following diagrams the "anonymous network" represents Tor; the area outside it denotes the public network.

IP <x> represents an IP address (or corresponding DNS name)

HS <y> represents a Tor Hidden Service name.

Any data communication that goes through the "Anonymous Network" cloud requires one or more of the parties to be running Tor. The originator of any such connection must run it. The receiver of any such connection, when made to a hidden service, must also be running it.

Totally public BitTorrent

TorHowTo 1.gif

Totally Anonymous BitTorrent

TorHowTo 2.gif

Software Versions


Release or greater is required.


You want to download the latest stable 'expert bundle' from - this is not the 'Tor Browser Bundle', but rather the plain Tor server software.


Tor uses "hidden services" to expose an anonymous inwardly connectable service. Such a service is defined in the Tor configuration file by adding lines of the form:

HiddenServiceDir <directory name>
HiddenServicePort <exposed port> <local intf>:<local port>

For example:

HiddenServiceDir /Tor/bttracker
HiddenServicePort 6969 127.0.0.1:10069

This declares to Tor that there is a hidden service running on port 6969, connections to which should be forwarded onto the loopback interface on port 10069 (the port numbers can be the same if required).

When Tor is started, on encountering a new hidden service entry it will generate some files in the specified directory (in the above example, /Tor/bttracker). The important file in terms of configuring Azureus is the "hostname" file. This contains the anonymous name for the service, as made available via the Tor network. For example:


This is not a valid DNS name and hence can't be used directly. Rather, to be used it needs to be resolved by the Tor network. Tor has a rendezvous mechanism whereby the publisher of such a service and a client connecting to it rendezvous anonymously somewhere in the Tor network, such that neither end of the connection knows anything about the other.

In order for normal applications to "get into" the Tor network, Tor runs a SOCKS proxy. In order to allow the proxy to handle the service address resolution this requires SOCKS 4a (version 5 can support this too, but 4a is the preferred choice). This is because the original version 4 could only receive IP addresses as the endpoint address, rather than the necessary "DNS" name.

Don't use the example hidden service address used in this document, use the one(s) generated for you when you run Tor!!!!
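The difference between SOCKS 4 and 4a described above, shown at the byte level. This is an added example, not code from Azureus or Tor; the function names and the sample destinations are assumptions made up for illustration.

```python
import ipaddress
import struct

def build_connect(host: str, port: int, user_id: bytes = b"") -> bytes:
    """Build a SOCKS4 CONNECT request, switching to the 4a form for names."""
    header = struct.pack(">BBH", 4, 1, port)  # VN=4, CD=1 (CONNECT), DSTPORT
    try:
        # Literal IPv4 address: fits the 4-byte DSTIP field of plain SOCKS4.
        return header + ipaddress.IPv4Address(host).packed + user_id + b"\x00"
    except ipaddress.AddressValueError:
        # A name does not fit. SOCKS4a sends the placeholder 0.0.0.1 and
        # appends the NUL-terminated name for the proxy to resolve.
        return (header + b"\x00\x00\x00\x01" + user_id + b"\x00"
                + host.encode("ascii") + b"\x00")

def parse_connect(request: bytes) -> dict:
    """Parse a request as the proxy side would and report who resolves the name."""
    if len(request) < 9:
        raise ValueError("request too short")
    version, command, port = struct.unpack(">BBH", request[:4])
    if version != 4 or command != 1:
        raise ValueError("not a SOCKS4 CONNECT request")
    dst_ip = request[4:8]
    user_end = request.index(b"\x00", 8)  # ValueError if USERID is unterminated
    if dst_ip[:3] == b"\x00\x00\x00" and dst_ip[3] != 0:
        # SOCKS4a marker 0.0.0.x: the destination name follows the USERID field.
        name_end = request.index(b"\x00", user_end + 1)
        host = request[user_end + 1:name_end].decode("ascii")
        return {"host": host, "port": port, "resolved_by": "proxy"}
    return {"host": str(ipaddress.IPv4Address(dst_ip)), "port": port,
            "resolved_by": "client"}

# Constructed sample destinations (not real services).
ONION_REQUEST = build_connect("exampleonionaddr.onion", 6969)
IP_REQUEST = build_connect("192.0.2.10", 6969)

if __name__ == "__main__":
    print(ONION_REQUEST.hex(), parse_connect(ONION_REQUEST))
    print(IP_REQUEST.hex(), parse_connect(IP_REQUEST))
```

Because the name travels inside the request, the client never has to resolve it itself; the proxy does.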

Anonymous Tracker Server

Public Clients

Public clients are "normal" clients in the sense that they publish their normal IP addresses to the tracker. Therefore peer-peer data communication takes place through the internet, not Tor, and is not anonymous.

TorHowTo 3.gif


Given the above general discussion it should be fairly obvious how to configure an anonymous tracker. Note that there is no requirement here to make outward connections from the tracker through the Tor proxy, so no proxy configuration is required.


Add the hidden service for the tracker, for example

HiddenServiceDir /Tor/bttracker
HiddenServicePort 6969 127.0.0.1:10069

to the configuration file and start Tor (see below)


Extract the hidden service name from the "hostname" file for the "bttracker" service (in the above example this is in /Tor/bttracker/hostname), e.g.


and enter this as the "tracker external IP address" under the tracker server configuration. If a port other than 6969 has been selected as the local port for the tracker then this also needs to be configured - in the above example this will need to be set to 10069.

The tracker can still be configured to run over HTTPS (SSL) and be password protected if required.

Note that the tracker will be running as normal on port 10069 (in this example) and will thus be contactable externally via normal tracker protocols. Therefore it is essential to block this port to prevent public access, either by firewall or router configuration.
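To find every local port that needs this treatment, the hidden service entries in the Tor configuration can be listed mechanically. The following is an added example, not part of Azureus or Tor; the function names are made up, the sample configuration is constructed from this page's example services, and the parser also covers entries with an omitted or bracketed IPv6 target.

```python
import ipaddress

# Constructed torrc fragment using this page's example services.
SAMPLE_TORRC = """\
# tracker
HiddenServiceDir /Tor/bttracker
HiddenServicePort 6969 127.0.0.1:10069
# peer data
HiddenServicedir /Tor/btdata
HiddenServicePort 6881
"""

def hidden_service_ports(torrc_text: str) -> list:
    """Return one dict per HiddenServicePort line: directory, onion port, target."""
    found, current_dir = [], None
    for raw in torrc_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        option = parts[0].lower()  # Tor option names are case-insensitive
        if option == "hiddenservicedir":
            current_dir = parts[1]
        elif option == "hiddenserviceport":
            onion_port = int(parts[1])
            # With no target given, Tor forwards to 127.0.0.1 on the same port.
            target = parts[2] if len(parts) > 2 else str(onion_port)
            if target.startswith("unix:"):
                continue  # Unix socket target: no TCP port to firewall
            host, _, port = target.rpartition(":")
            host = host.strip("[]") or "127.0.0.1"
            found.append({"dir": current_dir, "onion_port": onion_port,
                          "local_host": host, "local_port": int(port),
                          "loopback": ipaddress.ip_address(host).is_loopback})
    return found

def local_ports_to_block(torrc_text: str) -> list:
    """Local TCP ports that must not be reachable from the public network."""
    return sorted({e["local_port"] for e in hidden_service_ports(torrc_text)})

if __name__ == "__main__":
    for entry in hidden_service_ports(SAMPLE_TORRC):
        print(entry)
    print("block from public access:", local_ports_to_block(SAMPLE_TORRC))
```

A loopback target in the Tor configuration only says where Tor connects; the tracker itself may still listen on every interface, which is why the firewall rule is needed.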

Anonymous Clients

Here the tracker supports anonymous peer data, and to do so the peers publish their own hidden services to the tracker. Because these are non-resolvable DNS names the tracker needs to be configured to use the original form of the announce protocol. This supports the passing of non-resolved names to the client (as opposed to the more recent "compact" protocol that returns resolved IP addresses only).

The diagram here is as for the "Totally Anonymous BitTorrent" above.


Configure as above for public peers


Configure the tracker server not to support the compact protocol.
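Why the compact protocol has to be switched off, shown with the two announce response encodings side by side. This is an added example, not Azureus code; the function names, the peer addresses and the interval value are constructed, and the peer id field of the original form is left out for brevity.

```python
import ipaddress
import struct

def bencode(value) -> bytes:
    """Minimal bencoder for ints, byte/text strings, lists and dicts."""
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, str):
        value = value.encode("utf-8")
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):
        # Dictionary keys are byte strings and must appear in sorted order.
        items = sorted((k.encode("utf-8"), v) for k, v in value.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError(f"cannot bencode {type(value).__name__}")

def announce_original(peers, interval=1800) -> bytes:
    """Original form: each peer is a dictionary, so "ip" may hold a name."""
    return bencode({"interval": interval,
                    "peers": [{"ip": host, "port": port} for host, port in peers]})

def announce_compact(peers, interval=1800) -> bytes:
    """Compact form: 6 bytes per peer (4-byte IPv4 address + 2-byte port)."""
    packed = b""
    for host, port in peers:
        # Raises AddressValueError (a ValueError) for anything but an IPv4 literal.
        packed += ipaddress.IPv4Address(host).packed + struct.pack(">H", port)
    return bencode({"interval": interval, "peers": packed})

def compact_can_carry(peers) -> bool:
    """True if every peer address fits the compact encoding."""
    try:
        announce_compact(peers)
        return True
    except ValueError:
        return False

# Constructed swarm: one hidden service peer and one public peer.
SWARM = [("exampleonionaddr.onion", 6881), ("192.0.2.10", 6881)]

if __name__ == "__main__":
    print(announce_original(SWARM))
    print("compact possible:", compact_can_carry(SWARM))
```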

Torrent Creation

Given the tracker address configured above, the "create Torrent" wizard will by default have the correct announce URL for the tracker (in the above example http://k61234567895ivw.onion:6969/announce).

Setting up a browser to view the tracker web pages

Install the Tor Browser Bundle and browse to, for example, http://k61234567895ivw.onion:6969/.

Anonymous Tracker Client

For an Azureus client to be able to use an anonymous tracker, the client must also run a Tor proxy and configure Azureus to proxy the tracker communications through it.


No configuration is required, just run the Tor proxy on the default SOCKS port of 9050.


Configure the connection proxy for the tracker to be a SOCKS proxy of, port 9050 (select "enable proxying of tracker" and "I have a SOCKS proxy"). Do not configure the second proxy, the data proxy, as this is not required for accessing the anonymous tracker.

Anonymous Outbound Peer Data, public Tracker

It is possible to connect to a public tracker and send/receive peer data anonymously (although inward connections from other peers to your machine are not supported). This takes advantage of the "out proxy" functionality of Tor whereby connections to normal IP addresses/DNS names can be made anonymously. Due to the "outbound" only nature of the data transfer this is not suitable in general (after all, if nobody accepted inbound connections there would be nobody to connect to), but can sensibly be used to anonymously seed an initial copy of something (particularly in superseed mode). There are two variants to this approach:

Public tracker connection

Here the connection to the tracker is made through the internet, and as such the client's real address is fully visible. The client must be configured not to be able to receive incoming connections, either by supplying an incoming data port of 0, or by appropriate firewall configuration.

However, the data connections are routed through Tor.

It is necessary to understand the concept of "peer id". Normally a BitTorrent client constructs a unique peer id for a given download, this being given to both the tracker and the peers when connecting. The use of the same value allows the connection between the public IP address of the client and the anonymous originating address of the data traffic to be made, breaking anonymity. It is therefore necessary to configure Azureus to use different values for these. Originally the BitTorrent specification assumed that when a client connected to another client it would verify that the peer id used by the other client was the same as the one registered for that client with the tracker. However, this check is not performed by Azureus or by most (all?) other clients, especially with the advent of the "compact" announce protocol, as this does not even return the peer id to the clients.

TorHowTo 4.gif


No configuration is required, just run the Tor proxy on the default SOCKS port of 9050.


Configure the incoming data port to be 0, or use alternative means to ensure that incoming connections from other peers will not be accepted.

Configure the data proxy to be, port 9050, version 4a (note here that the "inform tracker of limitation" box will automatically force the incoming data port to be set to 0. Some trackers won't accept 0 as a valid port though, hence the alternative approach of using a port that is blocked by a firewall). If you leave the incoming data port open then other clients will be able to connect to your real IP address and transfer data, hence anonymity is lost.

Configure the tracker client item "use different peer identities for tracker and data comms" to be checked.

Anonymous tracker connection

This is the same as above, except the tracker connection is routed through Tor. This is a preferred approach as the client's real IP address is not visible to the tracker; however, this may not work for trackers that require registration of client IP addresses, for example.

Configure the same as above, except enable the http proxy in Azureus to be a socks proxy on, port 9050.

TorHowTo 5.gif

Anonymous Inbound Peer Data, Public Tracker

To accept inbound anonymous connections it is necessary for the client to define a hidden service URL in the same way as the tracker's hidden service was defined. This then allows other Tor-enabled clients to connect to you anonymously. For this to work the tracker used needs to support the non-compact announce protocol, as the hidden service addresses are registered with the tracker.

Of course, if a non-anonymous connection is made to the tracker, the tracker will be aware of the association between the client's real IP address and its hidden service address, which breaks anonymity. Hence an anonymous connection to the tracker must be used.

TorHowTo 6.gif

Assuming this is the case the following configuration is required:


Add the hidden service for the incoming peer data, for example

HiddenServiceDir /Tor/btdata
HiddenServicePort 6881

to the configuration file and start Tor (see below)


Configure the HTTP proxy as for the "anonymous tracker connection" above.

Obtain the hidden service address from, in this example, /Tor/btdata/hostname. For example


and configure the tracker client item "override IP address sent to tracker" with this value (as of version this is confusingly under Connection in the options; it will move in a future version).

To be able to accept incoming connections, deselect (uncheck) the "inform tracker of limitation" in the connection data proxy section.

Anonymous Peer Data, anonymous Tracker

This is the ultimate in anonymity. Each peer has to define a hidden service to accept incoming data connections. All tracker and peer data is anonymously routed through Tor.

The configuration is exactly the same as that for the public tracker, except that the tracker is set up to act as an anonymous tracker!

Diagram is as for the "Totally Anonymous BitTorrent" above.

Running Azureus as Tracker and Client concurrently

Azureus supports running as both tracker and client at the same time; indeed the "sharing" functionality is designed specifically for this, and allows a resource to be published on the tracker and seeded at the same time with a single operation.

Running this process anonymously simply requires Azureus to be configured to be both an anonymous tracker and an anonymous client.



If the configuration file is called "torrc", start with (for example)

tor.exe -f torrc


Start as normal.


Here is a Tor based torrent you can test with:

You can also download the torrent over Tor via http://c4vwfltbxbd65iyd.onion:18989/torrents/Azureus5.7.5.0.jar.torrent?38BAAB3B884A477EF6203C5C2374EDA6F4233780

Note that this torrent uses a fully anonymous tracker. It will only handle anonymous peers, so you will need to configure a hidden service and set your onion as the IP override.