negative zero

SchildiChat (Element) over Tor

2022 June 30

Running SchildiChat over Tor

I wanted to set up SchildiChat (which is just Element with a nicer UI) to use Tor on Debian. (Probably the easiest way to do this is just use Tor Browser to connect to the web version of SchildiChat, but I wanted to use the installed desktop version.)

I installed SchildiChat through my package manager, as in the website's apt instructions. This puts the schildichat-desktop executable in /opt/SchildiChat/. Your installation may look different.

I tried torsocks schildichat-desktop, but that exited with an error. I looked it up and found this helpful Reddit comment which said to use the --proxy-server switch:

schildichat-desktop --proxy-server=socks5://

This launches SchildiChat and uses a SOCKS5 proxy running on localhost on port 9050 (where Tor runs by default). Modify this as needed for a different host/port.

Is it proxying DNS?

I noticed this is socks5, not socks5h. Often, the convention is to use socks5h to also proxy the hostname (i.e., not leak DNS requests).

I tried using socks5h:// instead, and it didn't work. Back to socks5, I guess.

I wondered, is this even a problem? I closed all the other networked applications on my device and launched Wireshark to start capturing my traffic. I ran schildichat-desktop --proxy-server=socks5:// and signed into my server. During this time, not a single request was made to my DNS provider. Just using socks5 must also proxy the DNS request, so we're okay there.

Using Tor by default

This works if I take care to launch SchildiChat with the right flags. The next problem was ensuring I don't accidentally run SchildiChat untorified.

I created an alias in my ~/.bashrc to run schildichat-desktop with the proxy argument:

alias schildichat-desktop='schildichat-desktop --proxy-server=socks5://'

Now, if I launch SchildiChat from a new shell, it will connect over Tor. (If you're following along, consider closing all currently open terminal sessions, just to be sure this alias is applied everywhere.)

I also wanted SchildiChat to use Tor if it was launched from the application launcher. The schildichat-desktop.desktop file was located at /usr/share/applications/schildichat-desktop.desktop. I copied this to ~/.local/share/applications/schildichat-desktop.desktop. This new local .desktop file takes priority over the global one.

I modified the Exec line from:

Exec=/opt/SchildiChat/schildichat-desktop %U

to:

Exec=/opt/SchildiChat/schildichat-desktop --proxy-server=socks5:// %U

(Depending on how you installed SchildiChat, the executable could be located in a different place. Just modify whatever's there to use --proxy-server as described above.)
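
An added check, not from the original post: the script below lists every Exec= line in a .desktop file that lacks the --proxy-server=socks5:// switch, including lines under [Desktop Action ...] sections, which are easy to miss when only the main entry is edited. The sample file, its new-window action and the 127.0.0.1:9050 address (localhost and Tor's default port, as described above) are constructed for illustration.

```bash
#!/bin/sh
# Added example: find Exec= lines that would start SchildiChat without
# the --proxy-server=socks5:// switch.

# Print "lineno: line" for each Exec line missing the switch.
# Returns 0 if every Exec line carries it, 1 otherwise.
unproxied_exec_lines() {
    awk '
        /^Exec[ \t]*=/ {
            if ($0 !~ /--proxy-server=socks5:\/\//) {
                printf "%d: %s\n", NR, $0
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample: a local override where the main entry was edited
# but a (hypothetical) launcher action still starts the client directly.
make_sample() {
    cat <<'EOF'
[Desktop Entry]
Name=SchildiChat
Exec=/opt/SchildiChat/schildichat-desktop --proxy-server=socks5://127.0.0.1:9050 %U
Type=Application
Actions=new-window;

[Desktop Action new-window]
Name=New Window
Exec=/opt/SchildiChat/schildichat-desktop %U
EOF
}

# Check each file given on the command line, for example:
#   sh check.sh ~/.local/share/applications/schildichat-desktop.desktop
for f in "$@"; do
    unproxied_exec_lines "$f" ||
        echo "$f: the Exec line(s) listed above bypass the proxy" >&2
done
```

The per-user copy replaces the system file, so it is the copy under ~/.local/share/applications that needs checking; recheck it after a package update changes the system file, since the local copy will not pick up new Exec lines.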

Testing that it worked

To test that this is working properly, I stopped all other networked programs, started capturing my traffic with Wireshark, and did the following tests:

  1. Stop Tor and launch SchildiChat. SchildiChat should fail to connect, and Wireshark should not show any TCP/TLS connections being made.

  2. Start Tor and launch SchildiChat. SchildiChat should now connect.

  3. Examine the traffic from the previous two steps to ensure that no DNS requests were made during this time. (I did this by filtering for ip.addr == <my DNS provider's IP address>.)

I did these tests for both schildichat-desktop launched from the command line and SchildiChat launched from the application launcher.