TTP

July 1, 2026

This document describes all external interfaces exposed by Transparent Tor Proxy (TTP): the command-line interface, integration points with the Tor daemon, and integration with Linux kernel subsystems.

Audience: contributors, security auditors, and packagers who need to understand how TTP interacts with the outside world.


Table of Contents

  1. Command Line Interface (CLI)
  2. Tor Integration
  3. System Integration
  4. External Network Endpoints

1. Command Line Interface (CLI)

TTP exposes a single binary entry point ttp, implemented via Typer in ttp/cli.py.

1.1 Invocation

ttp [COMMAND] [OPTIONS]

Most commands require root privileges (sudo). Exceptions are noted in the table below.

1.2 Command Reference

Command | Requires Root | Description
--- | --- | ---
ttp start | | Activates the transparent Tor proxy: installs Tor if missing, applies nftables rules, mounts the DNS overlay, waits for Tor bootstrap, and verifies the exit IP.
ttp stop | | Zero-leak teardown: stops the watchdog, resolves the Tor UID, applies the teardown lockdown, sends SHUTDOWN to Tor, stops the Tor service, applies active socket slaughter (TCP RST & reject), waits 1.5s, flushes connection tracking via conntrack -F, removes nftables rules, unmounts the DNS overlay, and deletes the session lock.
ttp restart | | Shortcut for ttp stop followed by ttp start. Accepts all start options.
ttp refresh | | Requests a new Tor circuit via the NEWNYM signal. All active streams are rotated to a new exit IP.
ttp status | | Displays the current session state from the lock file: status, exit IP, session start time, and PID.
ttp check | | Live network check: verifies the real-world Tor routing state, current IP, IsTor flag, and latency to torproject.org.
ttp check-leak | | Runs DNS and IP leak detection tests. Use -v/--verbose for raw output.
ttp logs | | Streams real-time content from the volatile log at /run/ttp/ttp.log.
ttp diagnose | | Collects full system diagnostics: OS info, Tor service status, active torrc, nftables ruleset, and DNS state.
ttp uninstall | | Removes TTP system-wide (only applicable to source installs via scripts/install.sh).
ttp watchdog start | | Manually starts the background session integrity watchdog as a volatile systemd service.
ttp watchdog stop | | Manually stops the watchdog service.
ttp watchdog status | | Shows the current state of the watchdog daemon (active/inactive, PID).
ttp watchdog run | | Internal command. Runs the continuous integrity monitoring loop (invoked by the watchdog service unit).

1.3 ttp start Options

Option | Type | Default | Description
--- | --- | --- | ---
--interface, -i | str | Auto-detect | Network interface for the DNS overlay (e.g. eth0, wlan0).
--bootstrap-timeout | int | 180 | Seconds to wait for Tor to reach 100% bootstrap before aborting.
--allow-root | flag | off | Exempt root (uid 0) processes from Tor routing (allows direct internet access for system updates).
--no-lan-bypass | flag | off | Disable the LAN bypass: all RFC 1918 and link-local traffic is also routed through Tor.
--no-ipv6 | flag | off | Force-disable all IPv6 traffic (drops outgoing IPv6 to prevent leaks).
--watchdog, -w | flag | off | Start the background session integrity watchdog daemon after activation.
--bypass-user | str | | Comma-separated list of system users whose traffic bypasses Tor (split tunneling).
--bypass-group | str | | Comma-separated list of system groups whose traffic bypasses Tor (split tunneling).
--use-bridges | flag | off | Enable Tor bridge support.
--bridge-file | str | | Path to a file containing Tor bridge lines.
--bridge | str | | Individual Tor bridge line (can be specified multiple times).

1.4 Exit Codes

Code | Meaning
--- | ---
0 | Success
1 | Generic error (printed to stderr)
2 | Invoked without root privileges where required

2. Tor Integration

TTP manages a dedicated, isolated Tor instance via a volatile systemd service (ttp-tor.service). It does not interact with or modify any pre-existing system tor.service.

2.1 Managed Tor Ports

Port | Protocol | Role | Default | Configurable
--- | --- | --- | --- | ---
TransPort | TCP | Transparent proxy: receives redirected application traffic from nftables | 9041 | Via --transport-port (internal)
DNSPort | UDP | Tor's internal DNS resolver: receives DNS queries redirected from port 53 | 9054 | Via --dns-port (internal)
ControlSocket | Unix socket | Authenticated control interface used by stem for bootstrap monitoring, NEWNYM, and SHUTDOWN signals | /run/tor/ttp/control.sock | No

Note: Ports 9041 and 9054 are intentionally non-standard to avoid conflicts with existing Tor service instances that may use the default ports 9040 and 5353.

2.2 Tor Control Protocol

TTP communicates with the Tor daemon via the Tor Control Protocol (see Tor control spec) using the Python stem library.

Operation | Signal/Command | Trigger
--- | --- | ---
Authenticate | COOKIE auth via CookieAuthFile | At session start
Monitor bootstrap | GETINFO status/bootstrap-phase | During ttp start
Rotate circuits | SIGNAL NEWNYM | ttp refresh
Graceful shutdown | SIGNAL SHUTDOWN | ttp stop

2.3 Generated torrc Configuration

TTP generates a volatile torrc at /run/tor/ttp/torrc on each start. Key directives:

Directive | Value | Purpose
--- | --- | ---
VirtualAddrNetworkIPv4 | 10.192.0.0/10 | Address range for AutomapHostsOnResolve
AutomapHostsOnResolve | 1 | Maps .onion and .exit to virtual IPs
SocksPort | 0 | SOCKS proxy disabled (transparent-only mode)
CookieAuthentication | 1 | Enables cookie-based control auth
DataDirectory | /var/lib/tor/ttp/ | Persistent entry guard cache (survives reboots)
MapAddress | use-application-dns.net 0.0.0.0 (+ others) | DoH canary domain mitigation
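The following is an added example, not TTP's own code, that renders a torrc with the directives and port numbers from sections 2.1 and 2.3 and then re-parses it to check the transparent-only invariants a packager or auditor would want to verify. Binding TransPort/DNSPort to 127.0.0.1, the CookieAuthFile path, the /usr/bin location of the pluggable-transport binaries, and all function and parameter names are this example's assumptions; the bridge line in the usage is a constructed placeholder.

```python
"""Render and validate a TTP-style volatile torrc (added example; not TTP's code)."""
from dataclasses import dataclass, field
from typing import Dict, List

# DoH canary domain named on the page; the page says "(+ others)" without listing them.
DOH_CANARY_DOMAINS = ("use-application-dns.net",)

# Transport -> helper binary, from the page's pluggable transport table.
TRANSPORT_BINARIES = {"obfs4,meek_lite": "obfs4proxy", "snowflake": "snowflake-client"}


@dataclass
class TorrcOptions:
    trans_port: int = 9041                           # deliberately non-standard (page)
    dns_port: int = 9054
    control_socket: str = "/run/tor/ttp/control.sock"
    cookie_file: str = "/run/tor/ttp/auth_cookie"    # assumption: the runtime path table
    data_directory: str = "/var/lib/tor/ttp/"
    bridges: List[str] = field(default_factory=list)


def render_torrc(opts: TorrcOptions) -> str:
    lines = [
        f"TransPort 127.0.0.1:{opts.trans_port}",   # assumption: loopback-only bind
        f"DNSPort 127.0.0.1:{opts.dns_port}",
        "SocksPort 0",                               # transparent-only mode
        f"ControlSocket {opts.control_socket}",
        "CookieAuthentication 1",
        f"CookieAuthFile {opts.cookie_file}",
        f"DataDirectory {opts.data_directory}",
        "VirtualAddrNetworkIPv4 10.192.0.0/10",
        "AutomapHostsOnResolve 1",
    ]
    lines += [f"MapAddress {d} 0.0.0.0" for d in DOH_CANARY_DOMAINS]
    if opts.bridges:
        lines.append("UseBridges 1")
        for transports, binary in TRANSPORT_BINARIES.items():
            # assumption: distro packages install the helpers under /usr/bin
            lines.append(f"ClientTransportPlugin {transports} exec /usr/bin/{binary}")
        lines += [f"Bridge {b}" for b in opts.bridges]
    return "\n".join(lines) + "\n"


def parse_torrc(text: str) -> Dict[str, List[str]]:
    """Directive -> list of values (a directive such as Bridge may repeat)."""
    out: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        out.setdefault(key, []).append(value.strip())
    return out


def transparent_only_problems(text: str) -> List[str]:
    """Invariants to check before handing the file to Tor; empty list means OK."""
    cfg = parse_torrc(text)
    problems = []
    if cfg.get("SocksPort") != ["0"]:
        problems.append("SocksPort must be 0 in transparent-only mode")
    for port in ("TransPort", "DNSPort"):
        if not any(v.startswith("127.0.0.1:") for v in cfg.get(port, [])):
            problems.append(f"{port} missing or not bound to loopback")
    if cfg.get("CookieAuthentication") != ["1"]:
        problems.append("control socket must use cookie authentication")
    if "UseBridges" in cfg and "Bridge" not in cfg:
        problems.append("UseBridges set but no Bridge lines")
    return problems


if __name__ == "__main__":
    # Constructed bridge line: address from the documentation range, placeholder fingerprint.
    cfg = TorrcOptions(bridges=["obfs4 192.0.2.10:443 PLACEHOLDER_FINGERPRINT"])
    text = render_torrc(cfg)
    print(text)
    print("problems:", transparent_only_problems(text))
```

The validation step is the part worth keeping around: a torrc that accidentally re-enables SocksPort or binds TransPort on a non-loopback address would silently widen the attack surface of the managed Tor instance, and the generated file is the only place that mistake can be caught before Tor starts.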

2.4 Pluggable Transports (Optional)

When bridges are configured, TTP supports pluggable transports via external helper binaries:

Transport | Binary | Package (Debian) | Package (Fedora)
--- | --- | --- | ---
obfs4 / meek_lite | obfs4proxy | obfs4proxy | obfs4
snowflake | snowflake-client | snowflake-client | snowflake-client

Missing binaries are auto-installed via the detected system package manager. For a detailed guide on obtaining and configuring bridges, see the Bridges & Pluggable Transports Guide.


3. System Integration

TTP interacts directly with several Linux kernel subsystems and system services.

3.1 nftables Firewall

TTP creates a dedicated, isolated nftables table that does not interfere with any pre-existing firewall rules.

Attribute | Value
--- | ---
Table name | inet ttp
Application method | Atomic load via nft -f <rules_file> (all-or-nothing)
Teardown Lockdown | nft insert rule inet ttp filter_out [meta skuid != <tor_uid>] oifname != "lo" drop (applied at the start of stop)
Socket Slaughter | nft insert rule inet ttp filter_out meta l4proto tcp counter reject with tcp reset and nft insert rule inet ttp filter_out meta l4proto udp counter reject (applied before final cleanup)
Conntrack Flush | conntrack -F (atomic flush of Netfilter tracked streams)
Cleanup method | nft flush table inet ttp followed by nft destroy table inet ttp

Chains within inet ttp:

Chain | Hook | Type | Purpose
--- | --- | --- | ---
prerouting | prerouting | nat | Intercepts traffic arriving on the machine (gateway mode)
output | output | nat | Redirects local TCP and DNS to the Tor ports
filter_out | output | filter | Kill-switch: drops/rejects traffic that bypasses Tor

Rule execution order within filter_out:

  1a. Teardown Lockdown: drop all outbound traffic except loopback and the Tor UID (inserted dynamically during the teardown sequence)
  1b. Active Socket Slaughter: TCP Reset (meta l4proto tcp counter reject with tcp reset) and UDP Port Unreachable (meta l4proto udp counter reject) rules (inserted dynamically at the start of final ruleset removal)
  2. Exempt Tor process user (prevent routing loops)
  3. Exempt bypass users/groups (split tunneling — meta skuid/meta skgid)
  4. Exempt root processes (if --allow-root is set)
  5. LAN bypass: accept RFC 1918 + IPv6 link-local/unique-local traffic (optional, --no-lan-bypass disables)
  6. Accept loopback interface (lo - IPv4 and IPv6)
  7. Block DNS-over-TLS (reject tcp dport 853)
  8. Block well-known DNS-over-HTTPS (DoH) IPs on port 443 (IPv4 and IPv6)
  9. Drop IPv6 traffic (if IPv6 loopback is not supported by the system OR if --no-ipv6 is passed)
  10. Kill-Switch: reject all remaining traffic (forces fallback of redirected TCP/DNS or blocks unauthorized bypasses)
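As an added example (not TTP's own code), the generator below builds an nft -f ruleset whose filter_out chain follows the rule order listed above, and also produces the dynamic teardown commands from section 3.1 that ttp stop inserts ahead of those rules. Chain names, hook types and the lockdown/slaughter command strings come from the page; the concrete match expressions (the RFC 1918 and IPv6 local sets, the nat chain's return rules, redirect syntax, chain priorities) and all function names are this example's assumptions. The page does not list the well-known DoH resolver addresses, so the caller supplies them, and the gateway-mode prerouting chain is omitted because the page gives no rules for it.

```python
"""TTP-style nftables ruleset generator (added example; not TTP's own code)."""
from dataclasses import dataclass, field
from typing import List, Tuple

TRANS_PORT = 9041   # Tor TransPort (page)
DNS_PORT = 9054     # Tor DNSPort (page)

RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
IPV6_LOCAL = ("fe80::/10", "fc00::/7")   # link-local, unique-local


@dataclass
class RulesetOptions:
    tor_uid: int
    bypass_uids: List[int] = field(default_factory=list)   # --bypass-user (resolved to uids)
    bypass_gids: List[int] = field(default_factory=list)   # --bypass-group
    allow_root: bool = False                               # --allow-root
    lan_bypass: bool = True                                # --no-lan-bypass sets False
    drop_ipv6: bool = False                                # --no-ipv6 sets True
    doh_ipv4: Tuple[str, ...] = ()   # well-known DoH resolver IPs, supplied by the caller
    doh_ipv6: Tuple[str, ...] = ()


def _set(items) -> str:
    return "{ " + ", ".join(str(i) for i in items) + " }"


def filter_out_rules(o: RulesetOptions) -> List[str]:
    """Chain filter_out, in the documented order (steps 2-10); the kill-switch stays last."""
    rules = [f"meta skuid {o.tor_uid} accept"]                        # 2: Tor user, no loops
    if o.bypass_uids:
        rules.append(f"meta skuid {_set(o.bypass_uids)} accept")      # 3: split tunneling
    if o.bypass_gids:
        rules.append(f"meta skgid {_set(o.bypass_gids)} accept")
    if o.allow_root:
        rules.append("meta skuid 0 accept")                           # 4: --allow-root
    if o.lan_bypass:
        rules.append(f"ip daddr {_set(RFC1918)} accept")              # 5: LAN bypass
        rules.append(f"ip6 daddr {_set(IPV6_LOCAL)} accept")
    rules.append('oifname "lo" accept')                               # 6: loopback
    rules.append("tcp dport 853 reject")                              # 7: block DoT
    if o.doh_ipv4:
        rules.append(f"ip daddr {_set(o.doh_ipv4)} tcp dport 443 reject")    # 8: block DoH
    if o.doh_ipv6:
        rules.append(f"ip6 daddr {_set(o.doh_ipv6)} tcp dport 443 reject")
    if o.drop_ipv6:
        rules.append("meta nfproto ipv6 drop")                        # 9: --no-ipv6
    rules.append("counter reject")                                    # 10: kill-switch
    return rules


def output_nat_rules(o: RulesetOptions) -> List[str]:
    """Nat chain 'output'. The page only says local TCP and DNS are redirected to the
    Tor ports; the exemptions and expressions below are this example's assumptions."""
    exempt = [o.tor_uid] + list(o.bypass_uids) + ([0] if o.allow_root else [])
    rules = [f"meta skuid {_set(exempt)} return", 'oifname "lo" return']
    if o.lan_bypass:
        rules.append(f"ip daddr {_set(RFC1918)} return")
    rules.append(f"meta l4proto {{ tcp, udp }} th dport 53 redirect to :{DNS_PORT}")
    rules.append(f"meta l4proto tcp redirect to :{TRANS_PORT}")
    return rules


def render_ruleset(o: RulesetOptions) -> str:
    """One file for `nft -f` (all-or-nothing). Declaring then flushing the table first
    makes re-application idempotent instead of appending duplicate rules."""
    out = ["table inet ttp", "flush table inet ttp", "table inet ttp {",
           "    chain output {", "        type nat hook output priority -100; policy accept;"]
    out += [f"        {r}" for r in output_nat_rules(o)]
    out += ["    }", "    chain filter_out {",
            "        type filter hook output priority 0; policy accept;"]
    out += [f"        {r}" for r in filter_out_rules(o)]
    out += ["    }", "}"]
    return "\n".join(out) + "\n"


def teardown_lockdown_cmd(tor_uid: int) -> str:
    """Page's step 1a: inserted at the head of filter_out when ttp stop begins."""
    return f'nft insert rule inet ttp filter_out meta skuid != {tor_uid} oifname != "lo" drop'


def socket_slaughter_cmds() -> List[str]:
    """Page's step 1b: inserted just before the ruleset is removed."""
    return ["nft insert rule inet ttp filter_out meta l4proto tcp counter reject with tcp reset",
            "nft insert rule inet ttp filter_out meta l4proto udp counter reject"]


if __name__ == "__main__":
    opts = RulesetOptions(tor_uid=105, bypass_uids=[1001], drop_ipv6=True,
                          doh_ipv4=("192.0.2.1",))   # constructed sample values
    print(render_ruleset(opts))
    print(teardown_lockdown_cmd(opts.tor_uid))
    print("\n".join(socket_slaughter_cmds()))
```

Two properties of the ordering are worth checking in review: every accept rule (Tor user, bypass users, root, LAN, loopback) must precede the DoT/DoH rejects and the final `counter reject`, and `nft insert` places the teardown rules at position 0 of the chain so the lockdown takes effect before any of the accepts are evaluated.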

3.2 DNS Subsystem

TTP uses a stateless mount --bind overlay to redirect DNS without modifying files on disk.

Attribute | Value
--- | ---
Overlay source | /run/ttp/resolv.conf (volatile, on tmpfs)
Overlay target | Real path of /etc/resolv.conf (resolved through symlinks)
Content | nameserver 127.0.0.1, pointing at Tor's DNSPort
Mount type | mount --bind (bind mount)
Teardown | umount -l (lazy unmount — safe even if the file is open)
Idempotency | Stale mounts from previous unclean exits are cleaned from /proc/mounts before applying
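The idempotency step deserves a concrete look, because each unclean exit leaves one more bind-mount layer stacked on the target and every layer needs its own unmount. The example below is added here and is not TTP's code: it resolves the overlay target through symlinks, parses /proc/mounts text, counts the leftover layers and emits the lazy unmounts. The /proc/mounts excerpt is constructed, and the stub-resolv.conf path in it stands in for whatever /etc/resolv.conf resolves to on a given host; function names are this example's own.

```python
"""Stale resolv.conf overlay detection from /proc/mounts (added example; not TTP's code)."""
import os
from typing import List

OVERLAY_SOURCE = "/run/ttp/resolv.conf"          # volatile file on tmpfs (page)
RESOLV_CONF_CONTENT = "nameserver 127.0.0.1\n"   # points at Tor's DNSPort (page)

# Constructed /proc/mounts excerpt with two leftover overlay layers on the resolved
# target, as two unclean exits would leave behind. Note that /proc/mounts reports the
# backing filesystem (tmpfs) for a bind mount, not the source path, so detection has
# to key on the mount point (second field).
SAMPLE_PROC_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
tmpfs /run/systemd/resolve/stub-resolv.conf tmpfs rw,nosuid,nodev,mode=755 0 0
tmpfs /run/systemd/resolve/stub-resolv.conf tmpfs rw,nosuid,nodev,mode=755 0 0
"""


def overlay_target(path: str = "/etc/resolv.conf") -> str:
    """Follow symlinks so the bind mount lands on the real file rather than the link."""
    return os.path.realpath(path)


def _unescape(field: str) -> str:
    """/proc/mounts encodes space, tab, newline and backslash as octal escapes."""
    return (field.replace("\\040", " ").replace("\\011", "\t")
                 .replace("\\012", "\n").replace("\\134", "\\"))


def stale_overlay_layers(mounts_text: str, target: str) -> int:
    """Number of mount entries whose mount point is the overlay target."""
    count = 0
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and _unescape(fields[1]) == target:
            count += 1
    return count


def cleanup_commands(mounts_text: str, target: str) -> List[str]:
    """One lazy unmount per stacked layer; -l is safe even if a resolver holds the file open."""
    return [f"umount -l {target}"] * stale_overlay_layers(mounts_text, target)


def apply_command(target: str) -> str:
    """The overlay mount itself, to run only after cleanup_commands() has emptied the stack."""
    return f"mount --bind {OVERLAY_SOURCE} {target}"


if __name__ == "__main__":
    # On a real host the text would come from open("/proc/mounts").read().
    target = "/run/systemd/resolve/stub-resolv.conf"
    print(f"stale layers: {stale_overlay_layers(SAMPLE_PROC_MOUNTS, target)}")
    for cmd in cleanup_commands(SAMPLE_PROC_MOUNTS, target):
        print(cmd)
    print(apply_command(target))
```

Running the cleanup before every mount, rather than only on stop, is what makes ttp start safe after a crash: without it the new overlay would sit on top of a stale one, and a single umount at the next stop would expose the previous, still-Tor-pointing layer instead of the host's real resolver configuration.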

3.3 systemd Integration

TTP manages two volatile systemd service units, written to /run/systemd/system/ (evaporate on reboot):

Unit | Path | Purpose
--- | --- | ---
ttp-tor.service | /run/systemd/system/ttp-tor.service | Dedicated Tor instance. Runs with a custom volatile torrc and no sandboxing restrictions.
ttp-watchdog.service | /run/systemd/system/ttp-watchdog.service | Session integrity watchdog. Invokes ttp watchdog run every 15 seconds.

Both units are registered via systemctl daemon-reload and removed on ttp stop.

3.4 Filesystem — Volatile Runtime Paths

All TTP runtime state is stored in tmpfs paths that disappear on reboot, so no persistent configuration state or residue is left on the host's storage.

Path | Contents | Cleared On
--- | --- | ---
/run/ttp/ | Session root directory | Reboot or ttp stop
/run/ttp/ttp.lock | JSON session lock: PID, timestamps, interface, bypass config | ttp stop
/run/ttp/ttp.log | Rolling log (1 MB limit) | Reboot
/run/ttp/resolv.conf | DNS resolver file for the bind-mount overlay | Reboot
/run/tor/ttp/torrc | Generated Tor configuration | Reboot
/run/tor/ttp/control.sock | Tor control Unix socket | Tor shutdown
/run/tor/ttp/auth_cookie | Cookie for Tor control authentication | Tor shutdown
/run/systemd/system/ttp-tor.service | Volatile Tor service unit | Reboot
/run/systemd/system/ttp-watchdog.service | Volatile watchdog service unit | Reboot
/run/systemd/resolved.conf.d/ttp.conf | systemd-resolved volatile configuration override | Reboot or ttp stop

Persistent path (survives reboots):

Path | Contents | Purpose
--- | --- | ---
/var/lib/tor/ttp/ | Tor DataDirectory: entry guards, consensus cache | Reduces bootstrap time from ~30s to ~3s across sessions

4. External Network Endpoints

TTP contacts the following external URLs exclusively for session verification and diagnostics. No telemetry or tracking data is ever sent.

URL | Trigger | Purpose
--- | --- | ---
https://check.torproject.org/api/ip | ttp start, ttp check | Primary Tor exit IP verification + IsTor flag
https://api.ipify.org | ttp start (fallback) | Backup IP check if torproject.org is unreachable
https://ifconfig.me/ip | ttp start (fallback) | Second backup IP check
https://torproject.org | ttp check | Latency measurement to the Tor network
https://api4.my-ip.io/ip | ttp check-leak | IPv4 leak detection
https://api6.my-ip.io/ip | ttp check-leak | IPv6 leak detection

All connections to these endpoints are routed through Tor itself (verifying correct operation). They are never contacted via the clearnet directly.
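The fallback chain in the table has a subtlety worth making explicit: the two backup services return only an address, so they cannot confirm the IsTor property that the primary endpoint provides. The example below is added here and is not TTP's code; it walks the endpoints in the page's order with an injected fetcher so the logic runs offline against constructed responses. The JSON shape assumed for check.torproject.org/api/ip ({"IsTor": ..., "IP": ...}), the plain-text bodies assumed for the fallbacks, and the decision that only a positive IsTor counts as a verified session are this example's assumptions.

```python
"""Exit verification with the page's fallback order (added example; not TTP's code)."""
import json
from typing import Callable, NamedTuple, Optional

PRIMARY = "https://check.torproject.org/api/ip"
FALLBACKS = ("https://api.ipify.org", "https://ifconfig.me/ip")

Fetcher = Callable[[str], str]   # url -> response body; raises OSError when unreachable


class ExitCheck(NamedTuple):
    ip: Optional[str]
    is_tor: Optional[bool]   # None: the endpoint cannot say whether the IP is a Tor exit
    source: str


def verify_exit(fetch: Fetcher) -> ExitCheck:
    """Try the primary endpoint, then the fallbacks in the order the page lists them."""
    try:
        body = json.loads(fetch(PRIMARY))          # assumed shape: {"IsTor": bool, "IP": str}
        return ExitCheck(str(body["IP"]), bool(body["IsTor"]), PRIMARY)
    except (OSError, ValueError, KeyError, TypeError):
        pass                                        # unreachable or malformed: fall back
    for url in FALLBACKS:
        try:
            ip = fetch(url).strip()                 # assumed: bare address in the body
        except OSError:
            continue
        if ip:
            return ExitCheck(ip, None, url)
    return ExitCheck(None, None, "")


def session_verified(check: ExitCheck) -> bool:
    """Design choice: only a positive IsTor verifies the session. A fallback answer shows the
    request got out (via Tor, given the kill-switch) but not that the address is an exit."""
    return check.is_tor is True


def make_fake_fetcher(responses: dict) -> Fetcher:
    """Constructed stand-in for an HTTP client: any URL not in the map is unreachable."""
    def fetch(url: str) -> str:
        if url not in responses:
            raise OSError(f"{url} unreachable")
        return responses[url]
    return fetch


if __name__ == "__main__":
    # Constructed responses using documentation addresses; the primary is "down" here.
    fetch = make_fake_fetcher({"https://ifconfig.me/ip": "198.51.100.7\n"})
    result = verify_exit(fetch)
    print(result, "verified:", session_verified(result))
```

A practical consequence for ttp start: when the result comes from a fallback, the displayed exit IP is informational and a later ttp check (which uses the primary endpoint) is what actually confirms the IsTor flag.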