A Linux CLI tool that transparently routes all system traffic through the Tor network using nftables.
No per-application setup needed: just `sudo ttp start` and every connection goes through Tor.
Caution
TTP is a tool designed to aid privacy by routing traffic through Tor. However, no tool can guarantee 100% anonymity. Your safety also depends on your behavior (e.g., using a regular browser vs. Tor Browser, signing into accounts, etc.). Always use TTP as part of a multi-layered security strategy.
Warning
If you are a whistleblower or are engaging in high-risk activities, DO NOT use TTP. Instead, use officially audited and reliable tools like TailsOS or the Tor Browser directly. The authors and contributors of TTP assume no responsibility for your safety or the consequences of using this software.
- System-wide transparent proxy: all TCP traffic is redirected to Tor's TransPort, all DNS queries go through Tor's DNSPort.
- DNS leak prevention: dual-mode DNS management (`resolvectl` / `resolv.conf` fallback) with symlink-aware detection.
- IPv6 leak prevention: all outgoing IPv6 is blocked to avoid ISP-level leaks.
- Crash-safe: a lock file tracks session state; even after `kill -9` or a power outage, the next run detects the orphaned session and restores the network.
- Atomic firewall rules: `nftables` rules are loaded with `nft -f` (all-or-nothing), avoiding dangerous intermediate states.
- IP rotation: `ttp refresh` requests a new Tor circuit for a fresh exit IP.
- SELinux optimization: compiles a custom SELinux policy from source (`.te`) on Fedora/RHEL to allow Tor to bind to necessary ports. No opaque binaries shipped.
- Multi-distro: auto-detects `apt-get`, `pacman`, `dnf`, and `zypper` for Tor installation. Handles Debian multi-instance services (`tor@default`), Fedora (`toranon` user), and more.
- Auto-configuration: validates and sanitizes `torrc` before starting, removing invalid settings and appending missing options.
- Linux with systemd (tested on Debian 12+, Ubuntu 22.04+, Fedora 40+, Arch Linux)
- Python 3.10+
- nftables (pre-installed on most modern distros)
- Root privileges (required for firewall and DNS modifications)
Choose the method that best fits your distribution. Native packages are recommended for system stability and better integration.
Install the pre-built .deb package. This automatically handles dependencies like tor and nftables.
```bash
sudo apt update
sudo apt install ./packaging/ttp_0.1.0_all.deb
```
Install the native .rpm. This package also pre-configures SELinux policies for you.
```bash
sudo dnf install ./packaging/ttp-0.1.0-1.fc43.noarch.rpm
```
Use the provided PKGBUILD to build and install the package via makepkg.
```bash
cd packaging && makepkg -si
```
If you prefer to install from source or are on a different distribution:
```bash
git clone https://github.com/onyks-os/TransparentTorProxy.git
cd TransparentTorProxy
# For system-wide deployment (creates venv in /opt/ttp)
sudo ./install.sh
```
Note
After installation, the ttp command is available system-wide.
Important
All commands require sudo, except `ttp status` and `ttp --help`.
```bash
sudo ttp start
```
```text
[TTP] Detecting Tor... found (v0.4.9.6), service active (user: debian-tor).
[TTP] Stateless nftables rules applied (Table: inet ttp).
[TTP] DNS set via resolvectl on interface ens3.
[TTP] Waiting for Tor to bootstrap...
[TTP] Tor is 100% bootstrapped.
[TTP] Verifying Tor routing...
[TTP] ✅ Session active. Exit IP: 109.70.100.11
[TTP] Use 'ttp stop' to terminate. 'ttp refresh' to change IP.
```
```bash
sudo ttp stop
```
```text
[TTP] Removing nftables rules...
[TTP] Restoring DNS...
[TTP] 🔴 Session terminated. Traffic in cleartext.
```
```bash
sudo ttp refresh
```
Sends NEWNYM to Tor via the control interface; all active circuits are rotated and you get a new exit IP.
```bash
sudo ttp status
```
```text
[TTP] Status: ACTIVE
[TTP] Exit IP: 185.181.61.201
[TTP] Session started: 2026-04-19T01:07:33.384801+00:00
[TTP] Process PID: 3392
```
To confirm that the tunnel is working correctly and no leaks are present:
- Verify Tor Exit IP:
  ```bash
  curl -s https://check.torproject.org/api/ip
  ```
- Verify DNS Routing:
  ```bash
  # Should return a valid IP via Tor's DNSPort
  dig +short A check.torproject.org
  ```
- DNS Leak Test (Terminal):
  ```bash
  # This TXT query SHOULD return an EMPTY output
  dig +short TXT whoami.ipv4.akahelp.net
  ```
  Note: An empty output is the expected behavior under Tor. Tor's transparent resolver does not support TXT records; if this command returns your real ISP's IP, you have a DNS leak.
- Web-based Verification: Always perform additional tests on dnsleaktest.com and ipleak.net.
To remove TTP completely from the system:
```bash
sudo ./uninstall.sh
```
- Detection: checks if Tor is installed, which systemd service runs the daemon, and dynamically detects the Tor user.
- Installation: if Tor is missing, detects the system's package manager and installs it automatically.
- Configuration: sanitizes `torrc`, validates with `tor --verify-config`, restarts the correct service.
- Firewall: generates `nftables` rules in a dedicated `inet ttp` table:
  - Stateless approach: no system backups needed; cleanup is an atomic `nft destroy table`.
  - Multi-Chain Protection:
    - `prerouting`: Intercepts traffic if TTP is used as a gateway.
    - `output` (NAT): Redirects local TCP/DNS to Tor's ports.
    - `filter_out` (Filter): Acts as a Kill-Switch.
  - Execution Sequence:
    - Exclude Tor user (prevents routing loops).
    - Exclude root processes (system stability).
    - Intercept DNS (UDP `:53`) and redirect to Tor's DNSPort.
    - Accept loopback and local traffic (required for redirected packets).
    - Redirect all TCP to Tor's TransPort (`:9040`).
    - Drop all IPv6 output to prevent leaks.
    - Kill-Switch (Reject): Terminate any cleartext traffic that bypassed redirection (e.g., pre-existing connections).
- DNS: redirects DNS resolution to `127.0.0.1` via `resolvectl` or `/etc/resolv.conf`.
- Bootstrap: waits for Tor to reach 100% bootstrap via the control interface.
- Verification: confirms traffic is routed through Tor via multiple endpoints (`check.torproject.org`, `ipify`, `ifconfig.me`) for resilience.
- State: writes a JSON lock file at `/var/lib/ttp/ttp.lock` for crash recovery.
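The execution sequence above rendered as an nftables ruleset, as an added example rather than TTP's actual rules. The uid is passed numerically, DNSPort `5353` is an assumed value (the page only gives TransPort `9040`), the function names are hypothetical, and the `prerouting` gateway chain is left out.

```python
import subprocess

def build_ruleset(tor_uid: int, trans_port: int = 9040, dns_port: int = 5353) -> str:
    """Render the `inet ttp` table as one file for an all-or-nothing `nft -f`."""
    if not isinstance(tor_uid, int) or tor_uid <= 0:
        raise ValueError("tor_uid must be a numeric, non-root uid")
    for name, port in (("trans_port", trans_port), ("dns_port", dns_port)):
        if not isinstance(port, int) or not 1 <= port <= 65535:
            raise ValueError(f"{name} out of range: {port!r}")
    # Only validated integers are interpolated, so nothing free-form reaches nft.
    # The first two lines make reloading idempotent: declare, delete, recreate.
    return f"""\
table inet ttp
delete table inet ttp
table inet ttp {{
    chain output {{
        type nat hook output priority -100; policy accept;
        meta skuid {tor_uid} return              # 1. Tor's own traffic, avoids a loop
        meta skuid 0 return                      # 2. root processes are left alone
        udp dport 53 redirect to :{dns_port}     # 3. DNS goes to DNSPort
        ip daddr 127.0.0.0/8 return              # 4. loopback stays local
        meta l4proto tcp redirect to :{trans_port}   # 5. TCP goes to TransPort
    }}
    chain filter_out {{
        type filter hook output priority 0; policy accept;
        meta skuid {tor_uid} accept
        meta skuid 0 accept
        ip daddr 127.0.0.0/8 accept              # redirected packets now target loopback
        meta nfproto ipv6 drop                   # 6. drop IPv6 from all other users
        reject                                   # 7. kill-switch for what was not redirected
    }}
}}
"""

def load_ruleset(ruleset: str, check_only: bool = False) -> None:
    """Feed the ruleset to nft on stdin; -c parses and validates without applying."""
    cmd = ["nft", "-c", "-f", "-"] if check_only else ["nft", "-f", "-"]
    subprocess.run(cmd, input=ruleset, text=True, check=True)
```

NAT chains are consulted only for the first packet of a connection, so a flow opened before the table was loaded is never redirected; the final `reject` in the filter chain is what stops it.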
TTP is designed to always restore your network, even in edge cases:
| Scenario | What happens |
|---|---|
| `ttp stop` | Normal cleanup: firewall restored, DNS restored, lock deleted |
| Ctrl+C / `kill` | Signal handler catches SIGINT/SIGTERM and runs cleanup before exit |
| `kill -9` / Power Outage | Next `ttp start` detects the orphaned lock file and auto-restores the network |
| Manual emergency | Run `sudo ./restore-network.sh` to flush all nftables rules, reset DNS, and delete the lock file |
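Orphaned-session detection as described in the table above, as an added example (not TTP's own code). The lock field names `pid` and `started`, the function names and the `restore_network` callback are assumptions, as is the premise that the recorded PID belongs to the process that owns the session.

```python
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def write_lock(path: Path, pid: int) -> None:
    """Write the lock atomically so a crash never leaves a half-written file."""
    path.parent.mkdir(parents=True, exist_ok=True)
    state = {"pid": pid, "started": datetime.now(timezone.utc).isoformat()}
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".ttp.lock.")
    with os.fdopen(fd, "w") as fh:
        json.dump(state, fh)
        fh.flush()
        os.fsync(fh.fileno())
    os.replace(tmp, path)  # atomic rename on the same filesystem

def pid_alive(pid: int) -> bool:
    """Signal 0 probes for existence without delivering a signal."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but owned by another user
    return True

def classify_lock(path: Path) -> str:
    """Return 'none', 'active' or 'orphaned' for the lock at `path`."""
    try:
        pid = int(json.loads(path.read_text())["pid"])
    except FileNotFoundError:
        return "none"
    except (ValueError, KeyError, TypeError):
        return "orphaned"  # unreadable lock: assume the rules are still loaded
    # Caveat: a recycled PID makes a dead session look alive.
    return "active" if pid > 0 and pid_alive(pid) else "orphaned"

def start_session(path: Path, restore_network) -> str:
    """Recover from an orphaned session, then claim the lock for this process."""
    status = classify_lock(path)
    if status == "active":
        raise RuntimeError("a TTP session is already running")
    if status == "orphaned":
        restore_network()  # drop the firewall table and reset DNS before starting
        path.unlink(missing_ok=True)
    write_lock(path, os.getpid())
    return status
```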
Warning
- Tor Browser: Applications using an explicit SOCKS5 proxy will create a double Tor hop. Use a regular browser instead while TTP is active.
- Chromium-based Browsers (DoH Leak): Chrome, Brave, and Edge might use DNS-over-HTTPS (DoH), which bypasses system DNS settings. To prevent leaks:
  - Disable "Secure DNS" in browser settings.
  - Ideally, avoid Chromium-based browsers entirely while using TTP; use Firefox instead (ensuring its own "DNS over HTTPS" setting is also disabled). This still DOES NOT ensure the absence of leaks.
- IPv6: All IPv6 traffic is blocked to prevent leaks. Future versions may support IPv6 through Tor.
- Exit IP variation: Different connections may show different exit IPs due to Tor stream isolation. After `ttp refresh`, all connections get new circuits.
```bash
pip install -e .
pytest tests/ -v
```
Unit tests run without root on any system and are fully mocked.
Real integration tests should be run in a QEMU VM with snapshots:
```bash
# Start a specific VM (default is debian)
./vm-helpers/start.sh arch
# Save a snapshot before testing (vm_type command name)
./vm-helpers/snapshot.sh arch save pre-test
# Sync code to VM (auto-detects the active one)
./vm-helpers/send.sh
# SSH into the VM and test (port 2223 for Arch)
ssh -p 2223 arch@localhost
cd ~/ttp && pip install -e . && sudo ttp start
# Restore if network breaks
./vm-helpers/snapshot.sh arch load pre-test
```
If something goes wrong, run the diagnostic command:
```bash
sudo ttp diagnose
```
```text
├── pyproject.toml          # Package metadata and dependencies
├── README.md
├── CONTRIBUTING.md         # Contribution guidelines
├── SECURITY.md             # Security policy
├── install.sh              # System-wide installer
├── uninstall.sh            # System-wide uninstaller
├── restore-network.sh      # Emergency network recovery script
├── assets/                 # Branding and system policies
│   ├── gif/                # Demo animations
│   └── selinux/            # SELinux policy source (.te only)
├── packaging/              # Build scripts for .deb, .rpm, and Arch packages
│   ├── build_deb.sh
│   ├── build_rpm.sh
│   ├── ttp.spec
│   ├── PKGBUILD
│   └── ttp.service
├── vm-helpers/             # QEMU VM management scripts
├── ttp/                    # Source code
│   ├── cli.py              # Typer entry point
│   ├── exceptions.py       # Custom exception hierarchy
│   ├── tor_detect.py       # Tor detection logic
│   ├── tor_install.py      # Auto-install & configuration
│   ├── firewall.py         # Atomic nftables management
│   ├── dns.py              # DNS leak prevention
│   ├── state.py            # Lock file and crash recovery
│   ├── tor_control.py      # Tor daemon interaction and API
│   └── system_info.py      # System diagnostic gathering
├── tests/                  # Unit tests (mocked)
└── docs/
    └── TDD.md              # Technical Design Document
```
Contributions are what make the open-source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.
- Check out our Contributing Guidelines to get started.
- Please review our Security Policy before reporting vulnerabilities.
MIT. See LICENSE for more information.
