How to Use Git over Tor

If you want to get access to the source code of Tor project, you need to use Git and Tor no matter it is a clear net address or and onion address.

Tor and Tor browser

So, generally, if we want to get access to clone source code on .onion sites, it is needed to use proxy over Tor.

Firstly, you need to run Tor.

You can use apt or snap to install Tor. For example: ` sudo apt-get install tor`

For a normal user, however, it is okay if you just use Tor.

Run Tor and Test

Then start it, it uses tcp 9050 port, accepting SOCKS connections from the other applications.

$ sudo systemctl start tor
$ ss -aln | grep 9050

Or you can simply see what are the ports listened to sudo netstat -tulpn | grep LISTEN As you run this, you will find there are 3 ports related to Tor.

tcp        0      0 127.0.0.1:9150          0.0.0.0:*               LISTEN      20876/tor           
tcp        0      0 127.0.0.1:9151          0.0.0.0:*               LISTEN      20876/tor  
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      1253/tor

9150 is a TCP port providing SOCKS5 proxy to transport SOCKS5 packets between browser and tor. 9151 is a control port used for exchanging control commands and results between browser and tor. 9050 is the port Tor listens on.

You can also test if your torsocks works well as the following command.

$ torsocks wget -qO - https://bing.com; echo

Git and DNS

Git’s HTTP(S) proxy doesn’t do DNS resolution over SOCKS.

How Git resolves DNS, default! See /etc/hosts and /etc/resolv.conf

Take curl as an example:

--socks5-hostname <host[:port]>
              Use the specified SOCKS5 proxy (and let the proxy resolve the host name). If the port number is not specified, it is assumed at port 1080.

              This option overrides any previous use of -x, --proxy, as they are mutually exclusive.

              Since 7.21.7, this option is superfluous since you can specify a socks5 hostname proxy with -x, --proxy using a socks5h:// protocol prefix.

              Since  7.52.0, --preproxy can be used to specify a SOCKS proxy at the same time -x, --proxy is used with an HTTP/HTTPS proxy. In such a case curl first connects to the SOCKS proxy and
              then connects (through SOCKS) to the HTTP or HTTPS proxy.

              If this option is used several times, the last one will be used.

              Added in 7.18.0.
 --socks5 <host[:port]>
              Use the specified SOCKS5 proxy - but resolve the host name locally. If the port number is not specified, it is assumed at port 1080.

              This option overrides any previous use of -x, --proxy, as they are mutually exclusive.

              Since 7.21.7, this option is superfluous since you can specify a socks5 proxy with -x, --proxy using a socks5:// protocol prefix.

              Since 7.52.0, --preproxy can be used to specify a SOCKS proxy at the same time -x, --proxy is used with an HTTP/HTTPS proxy. In such a case curl first connects to the SOCKS proxy  and
              then connects (through SOCKS) to the HTTP or HTTPS proxy.

              If this option is used several times, the last one will be used.

              This option (as well as --socks4) does not work with IPV6, FTPS or LDAP.

              Added in 7.18.0.

To clone something over Tor, let’s say, not only the .onion addresses but also torproject.org, we need to resolve the hostname over Tor instead of doing it locally.

So even if your port 9150 is listened and you use the proper proxy over Tor, you will see the results below:

This works.

$ curl https://torproject.org --socks5-hostname '127.0.0.1:9150'
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://www.torproject.org/">here</a>.</p>
<hr>
<address>Apache Server at torproject.org Port 443</address>
</body></html>

But curl https://torproject.org --socks5 '127.0.0.1:9150' doesn’t work, for it resolves the hostname locally.

Resolutions in conlusion

Use torsocks or simply use proxychains by editing /etc/proxychains.conf and changing socks4 127.0.0.1 9050 to socks5 127.0.0.1 9150.

Attention: sudo is needed for proxychains

Other things

Use man torsocks to see details about it.

By default, torsocks will assume that it  should  connect  to  the  Tor
SOCKS proxy running at 127.0.0.1 on port 9050 being the defaults of the
Tor daemon.

In order to use a  configuration  file,  torsocks  tries  to  read  the
/etc/tor/torsocks.conf  file  or look for the environment variable TOR‐
SOCKS_CONF_FILE with the location of the file. If that file  cannot  be
read, torsocks will use sensible defaults for most Tor installations.

For further information on configuration, see torsocks.conf(5).

Check the file /etc/tor/torsocks.conf

Here is default Tor addr and port and you can change it ofc.

# Default Tor address and port. By default, Tor will listen on localhost for
# any SOCKS connection and relay the traffic on the Tor network.
TorAddress 127.0.0.1
TorPort 9050

For tor, the client, the default configuration file is ` /etc/tor/torrc`

Use git to clone: git -c http.proxy=socks5h://127.0.0.1:9050 clone [addr]

Ref

https://stackoverflow.com/questions/40857891/can-anyone-access-pluggable-transports-meek-git https://gist.github.com/evantoli/f8c23a37eb3558ab8765 https://gitlab.torproject.org/tpo/applications/tor-launcher/-/issues/13150