Five interactive exercises covering onion routing architecture, Tor installation, configuration, hidden services, and OPSEC limitations. Features an animated circuit walkthrough.
Tor routes traffic through three volunteer-operated relay nodes. Each relay knows only its immediate neighbors — never the full path. Click through each hop to see how encryption layers are peeled at every relay.
Before sending data, your Tor client wraps it in three layers of encryption — one for each relay. Each relay decrypts its own layer to reveal the next hop address, then forwards the payload. By the time the packet exits, no single node has seen both the origin and destination.
Guard (Entry): Knows your real IP, does not know the destination. Middle: Knows neither your IP nor the destination — only the adjacent relays. Exit: Knows the destination, does not know your IP. This division is why no single node can de-anonymize you without controlling multiple positions simultaneously.
Walk through all 5 steps of the circuit to complete this exercise. Use the Next / Prev buttons above.
Install Tor, start the service, watch it bootstrap to the network, and verify your traffic is exiting through Tor. A three-step terminal sequence with a live bootstrap animation.
Install Tor using apt. Type: sudo apt install tor
Tor exposes a SOCKS5 proxy on localhost:9050 by default. Any application that supports SOCKS5 can route through Tor without additional configuration. The curl --socks5 flag, torsocks wrapper, and the Tor Browser all use this socket. HTTP traffic exiting through the exit node is unencrypted unless the site uses HTTPS — always prefer HTTPS sites when using Tor.
The torrc file controls Tor's behavior: exit node country selection, strict routing, and exclusions. You will edit it and understand the trust and censorship implications of each directive.
Open the Tor config file for editing. Type: sudo nano /etc/tor/torrc
Specifying ExitNodes {us} forces exit traffic through US-based relays. This can help reach geo-restricted content, but it also concentrates trust in one jurisdiction — that government could compel relay operators to log traffic. ExcludeExitNodes {cn},{ru} avoids adversarial infrastructure, but Tor's own position is that restricting nodes weakens the anonymity set. Use country restrictions only when the operational need is clear.
Set up a Tor Hidden Service that makes a local web server accessible via a .onion address — without a public IP or open port. Both client and server use Tor circuits; there is no exit node involved.
Add hidden service directives to torrc. Type: sudo nano /etc/tor/torrc
  CLIENT SIDE                         SERVER SIDE
┌─────────────┐                     ┌─────────────┐
│ Tor Client  │                     │ Hidden Svc  │
│ (Browser)   │                     │ (your site) │
└──────┬──────┘                     └──────┬──────┘
       │ Tor Circuit                       │ Tor Circuit
       │ (3 hops)                          │ (3 hops)
       ▼                                   ▼
┌─────────────────────────────────────────────────┐
│ RENDEZVOUS POINT (volunteer relay)              │
│ Client picks this relay & tells server          │
│ Server builds a circuit TO the same relay       │
│ They meet in the middle — no exit node needed   │
└─────────────────────────────────────────────────┘
.onion address = public key hash of the service's Ed25519 keypair. Tor uses this to authenticate and route to the hidden service automatically. No DNS, no public IP, no port forwarding needed.
Unlike regular Tor circuits where exit traffic can be plaintext, .onion connections are end-to-end encrypted using the service's Ed25519 key. There is no exit node — both sides use Tor circuits that meet at a rendezvous point. This makes .onion services more private and resistant to exit node monitoring than clearnet Tor browsing.
Tor is a tool, not a magic cloak. Identify real attack surfaces, understand DNS leaks, and distinguish behaviors that destroy anonymity from behaviors that preserve it.
A DNS leak occurs when your DNS queries bypass Tor and reach your ISP's resolver, revealing which hostnames you are looking up even if the TCP connection itself is tunneled. Use torsocks to force DNS resolution through Tor as well.
Logging into a personal account instantly de-anonymizes you regardless of Tor. Torrent clients often make UDP connections that bypass Tor entirely, leaking your real IP to tracker servers. Browser fingerprinting (canvas, WebGL, fonts, screen size) can identify you even without an IP address. Full-disk encryption, compartmentalization (separate VMs or Tails OS), and disciplined behavior matter more than the network tool itself.
Run a Tor verification check using curl through the SOCKS5 proxy. Type: curl --socks5 localhost:9050 https://check.torproject.org/api/ip