Route your internet traffic through multiple proxy layers and Tor so websites only see a Tor exit node, not your real IP.
Works on Windows and Linux. No VPN subscription needed. Free and open source.
When you visit a website normally, your real IP address shows up in their server logs. PrivacyStack changes that by routing every connection through this chain:
Your PC
|
SOCKS5 proxy (127.0.0.1:8080)
|
Optional proxy 1 (your own or auto-fetched)
|
Optional proxy 2
|
Tor Guard Node <-- encrypted layer 3
|
Tor Middle Node <-- encrypted layer 2
|
Tor Exit Node <-- encrypted layer 1
|
Website <-- only sees the exit node IP
On top of that it also:
- Blocks all traffic if Tor goes down (kill switch) so your real IP never leaks
- Routes DNS through Tor so your ISP cannot see what sites you look up
- Blocks IPv6 completely since IPv6 can bypass the main kill switch
- Randomizes your MAC address so routers cannot track you by hardware ID
- Strips identifying HTTP headers before they leave your machine
- Hardens Firefox settings to block WebRTC leaks and canvas fingerprinting
- Python 3.10 or higher
- Windows 10/11 (64-bit) or Linux (Ubuntu, Debian, Arch, Fedora -- anything with apt, dnf, or pacman)
- Internet connection to download Tor during setup
Step 1 -- Install Python
Download Python from https://www.python.org/downloads/ and install it. During install, check the box that says "Add Python to PATH".
Step 2 -- Download this repo
git clone https://github.com/blackrose007/PrivacyStack.git
cd PrivacyStack
Or click the green "Code" button on this page and download the ZIP, then extract it.
Step 3 -- Run setup (one time only)
Open PowerShell as Administrator (right-click the Start button, choose "Windows PowerShell (Admin)") and run:
cd C:\path\to\PrivacyStack
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
.\setup.ps1Setup will download Tor from the official Tor Project website, install the Python packages, and check everything is working. Takes about a minute.
Step 4 -- Start PrivacyStack
Right-click launch.bat and choose "Run as administrator".
Or from an admin PowerShell window:
python privacy_stack.pyPress 1 in the menu to start. It will connect to Tor and enable the kill switch.
Step 5 -- Configure your browser
In Firefox: Settings -> scroll down to Network Settings -> click Settings -> choose Manual proxy configuration -> set SOCKS Host to 127.0.0.1 and Port to 8080, select SOCKS v5, and check the box "Proxy DNS when using SOCKS v5".
In Chrome: download the extension "Proxy SwitchyOmega" and add a SOCKS5 profile pointing to 127.0.0.1:8080.
Step 6 -- Check it worked
Visit https://check.torproject.org in your browser. It should say "Congratulations. This browser is configured to use Tor."
Step 1 -- Download this repo
git clone https://github.com/blackrose007/PrivacyStack.git
cd PrivacyStack/linuxStep 2 -- Run setup (one time only)
chmod +x setup.sh
sudo ./setup.shThis installs Tor using your package manager (apt, dnf, or pacman), installs Python packages, and writes the Tor config.
Step 3 -- Start PrivacyStack
sudo python3 privacy_stack_linux.pyPress 1 to start. With root it also enables the iptables kill switch and DNS protection.
For transparent proxy mode (every app on your system uses Tor without any configuration), press 5 to toggle it on, then restart.
Step 4 -- Configure your browser (if not using transparent mode)
Same as Windows -- set Firefox or Chrome to use SOCKS5 127.0.0.1:8080.
# Windows
python privacy_stack.py start # start everything
python privacy_stack.py stop # stop and restore normal network
python privacy_stack.py check # check your IP and run leak tests
python privacy_stack.py newip # get a new Tor exit IP
python privacy_stack.py status # quick status
# Linux
sudo python3 linux/privacy_stack_linux.py start
sudo python3 linux/privacy_stack_linux.py stop
python3 linux/privacy_stack_linux.py check
python3 linux/privacy_stack_linux.py newipWhen you run the script without arguments you get an interactive menu:
1 Start PrivacyStack
2 Stop PrivacyStack
3 Check IP and run leak tests
4 Request new Tor circuit (changes your exit IP)
5 Toggle transparent proxy mode (Linux -- routes everything without per-app config)
6 Add your own proxy to the chain
7 Auto-fetch and test free SOCKS5 proxies
8 Clear the proxy chain
9 Browser setup guide
10 Status
11 Security extras menu
These are the additional hardening features that go beyond basic Tor routing:
MAC randomization Changes the MAC address on your network adapters before you connect. Routers and access points log MAC addresses. Randomizing it means they cannot track you by hardware.
Security Extras -> option 1
IPv6 block Your main kill switch only covers IPv4. IPv6 traffic can completely bypass it and reveal your real address. This disables IPv6 at the firewall level and on each network adapter.
Security Extras -> option 2
Auto circuit rotation Requests a new Tor circuit on a timer. Default is every 10 minutes. This changes your exit IP regularly and makes it harder to correlate traffic over time.
Security Extras -> option 3
HTTP header stripping proxy Runs a second proxy on port 8081. When you route HTTP traffic through it, it strips or replaces headers like User-Agent, Accept-Language, Referer, and X-Forwarded-For before the request goes out. Configure your browser HTTP proxy to 127.0.0.1:8081 for this.
Security Extras -> option 4
Full security audit Checks every major leak vector and tells you what is and is not protected. Checks: kill switch, IPv6 leakage, WebRTC/STUN reachability, DNS leakage, Tor DNS port, timezone, and IPv6 adapter status.
Security Extras -> option 5
Firefox profile hardener Applies about 50 privacy settings to every Firefox profile on your machine. Disables WebRTC completely, blocks canvas fingerprinting, disables geolocation, turns off telemetry, forces HTTPS-only mode, and configures the proxy automatically. Based on the arkenfox user.js project. Backs up your existing settings first.
Security Extras -> option 6
This is the strongest mode available on Linux. It creates a separate network environment at the kernel level. Any program you run inside it cannot reach the internet at all except through Tor. Not through misconfigured settings, not through IPv6, not through anything -- there is just no path out except Tor.
# Make sure PrivacyStack is running first
sudo python3 linux/privacy_stack_linux.py start
# Create the isolated namespace
sudo linux/netns_isolate.sh create
# Run a program inside it -- it will only be able to use Tor
sudo linux/netns_isolate.sh run firefox
sudo linux/netns_isolate.sh run bash # opens a shell where everything uses Tor
# Check the status
sudo linux/netns_isolate.sh status
# Clean up when done
sudo linux/netns_isolate.sh destroyIf you have a VPS or a SOCKS5 proxy you trust, you can add it as an extra hop before Tor.
Option A -- through the menu:
Menu -> 6 (Add manual proxy)
Type: socks5
Host: your.proxy.com
Port: 1080
Option B -- edit config/settings.json directly:
{
"chain_mode": "manual",
"proxy_chain": [
{"type": "socks5", "host": "your.proxy.com", "port": 1080, "user": "", "pass": ""}
]
}The proxy chain always ends with Tor. So if you add two proxies the full path is:
You -> Proxy 1 -> Proxy 2 -> Tor (3 hops) -> Website
Edit config/torrc and uncomment the bridge section:
UseBridges 1
ClientTransportPlugin obfs4 exec .\bin\tor\pluggable_transports\lyrebird.exe
Bridge obfs4 YOUR_BRIDGE_LINE_HERE
Get bridge lines from https://bridges.torproject.org/ -- select the obfs4 type. obfs4 makes your Tor traffic look like random HTTPS so it does not get blocked by deep packet inspection.
- Logging into personal accounts (Gmail, Facebook, etc.) while using the tool. They know who you are the moment you log in.
- JavaScript-based browser fingerprinting. Use the Firefox hardener (menu -> security extras -> option 6) to reduce this.
- Sharing your real name or personal details in conversations.
- Malware on your own machine that could bypass all of this.
PrivacyStack/
|-- privacy_stack.py main script for Windows
|-- check_ip.py standalone IP and leak checker (both platforms)
|-- setup.ps1 one-time setup script for Windows
|-- launch.bat double-click to start on Windows
|-- stop.bat double-click to stop on Windows
|-- generate_pdf.py generates the PDF guide
|-- src/
| |-- security_extras.py MAC randomize, IPv6 block, header proxy, audit, Firefox harden
|-- config/
| |-- torrc Tor configuration
| |-- settings.json proxy chain and app settings
|-- linux/
| |-- privacy_stack_linux.py main script for Linux
| |-- setup.sh one-time setup for Linux
| |-- launch.sh start script
| |-- stop.sh stop script
| |-- netns_isolate.sh network namespace isolation
| |-- torrc Linux-specific Tor config (adds TransPort)
Once PrivacyStack is running, point any app to:
Type : SOCKS5
Host : 127.0.0.1
Port : 8080
No username or password needed.
9050 Tor SOCKS5 port
9052 Tor SOCKS5 port with stream isolation
9053 Tor DNS port
9151 Tor control port (used for circuit rotation)
9040 Tor transparent proxy port (Linux only)
8080 PrivacyStack chain server (point your apps here)
8081 HTTP header stripping proxy (optional)
- Windows 11 Home (22H2 and later)
- Ubuntu 22.04 LTS
- Debian 12
- Arch Linux
MIT License. Use it however you want.