torrc.d is comming

Up to Debian to decide. I would hope they go for tor-service-defaults-torrc and guess they will. Otherwise still better to go with Debian, to keep the delta of Whonix to Debian small. So Whonix keeps simpler and better understandable. Less complexity. Unless going for these goals creates a bigger mess than deriving from it.

It’s a good question. The packager of deb.torproject.org is the same as tor from packages.debian.org. If that change is made in Debian, it probably flows back to Tor Project. This was my thinking. However, asking Tor Project about deb.torproject.org is a good idea as well.

1 Like

Daniel said on @tor-dev:

I’ve already created #22391
(https://trac.torproject.org/projects/tor/ticket/22391) to add torrc.d
to the deb package.

If his pull request is adopted, then %include /etc/tor/torrc.d/ will be added to tor-service-defaults-torrc.

1 Like

teor said on the @tor-dev that:

My understanding is that:

1 Like

It makes sense. Debian bug reporting instructions says:

Don’t file bugs upstream

If you file a bug in Debian, don’t send a copy to the upstream software maintainers yourself, as it is possible that the bug exists only in Debian. If necessary, the maintainer of the package will forward the bug upstream.

1 Like



1 Like

What’s the order of config file parsing as per Debian tor package default?

  • Parse first /usr/share/tor/tor-service-defaults-torrc?
  • Parse last (in lexical order) /etc/torrc.d?
  • Parse second /etc/torrc?

Is this stated by Debian yet? Could you ask please?

1 Like

Daniel answered on @tor-dev:

The precedence for tor options is the following (1 overrides 2, etc…):

  1. Command line options.
  2. Configuration file options (your /etc/torrc).
  3. Defaults file options (your /usr/share/tor/tor-service-defaults-torrc).

In the same file, options that appear later override earlier options.

Currently, there is no torrc.d directory created when you install the tor package. However, you can use a %include in the configuration file or in the defaults file. When you insert a %include in a file, it works as if all the options for the included file or folder were written on the line of the %include. If you’re including a folder, the files will be processed in lexicographic order and files starting with a dot will be ignored.

Here is an example:

SomeOption 0
%include /etc/tor/torrc.d/ # SomeOption is now 2
SomeOption 3 # SomeOption is now 3

SomeOption 1

SomeOption 2

With this configuration, the value for some option is 3.
But we can have a torrc with %include too:

SomeOption 4 # SomeOption is now 4
%include /etc/tor/foo.torrc # SomeOption is now 5
SomeOption 6 # SomeOption is now 6

SomeOption 5

With both these files, the value for SomeOption is 6.

There are also different types of options and some can take multiple values. For more information see the section “Mid-level semantics” on this file: https://gitweb.torproject.org/tor.git/tree/doc/torrc_format.txt

//cc @JasonJAyalaP

1 Like

Should we suggest user use a separate file /etc/torrc.d/bridges.torrc as configuration file? Or a more general question: should user use /etc/torrc.d/ or /etc/tor/torrc ?


  1. The torrc configuration is more modularized ;


  1. torrc configuration will be more scattered. Sometime users may forget they put a .torrc in /etc/torrc.d/ which they do not want anymore.
  2. Although torrc.d feature is available in Tor stable now, it has not been decided by Debian on which directory to use as default torrc.d directory.
1 Like

Always go for .d whenever possible. We recommend this at
https://www.whonix.org/wiki/Whonix_Configuration_Files but I think a
more general advice on configuration files editing would be useful as
well in the wiki. @torjunkie

Otherwise users get an dpkg interactive conflict resolution dialog.



Which will confuse them even more. They might:

  • select “overwrite” and loose their settings or,
  • select nothing and keep the update stalled.
  • select “not overwrite” and miss recommended changes by upstream
    (Debian or Whonix)

The fewest of them will be able to merge upstream changes with their
local changes.

As for /etc/torrc.d/bridges.torrc the file name part bridges.torrc
is not ideal.

Good that you are using an extension .torrc. Using no extension (if
that would even work) is not so great. Harder to parse. Easier to
source *.torrc rather than parsing * and then skipping files
ending ~ (graphical editor backup files) and files ending -dpkg.old
or similar.

I think adding a number_ prefix would be better. Such as 50_user.torrc.

There are a few .d folders and it’s not well standardized. But I would
suggest 50_ for users. 10_ for Debian, 20_ for torproject, 30_
for Whonix and so forth. Somehow a useful stackable order. An ordering
where the more upstream something is (Linux (most upstream) -> Debian
(distribution) -> Ubuntu (derivative of Debian, further downstream than
Debian)). Could you please look at existing .d folders of any other
projects tell me what you think? Perhaps discuss this with Tor Project.

1 Like


  • Could you please look at existing .d folders of any other
    projects tell me what you think? Perhaps discuss this with Tor Project.

  • update Wiki

  • rename /etc/torrc.d/anon-connection-wizard.torrc to /etc/torrc.d/51_anon-connection-wizard.torrc ? I am not sure if it should be 49 or 51 but since anon-connection-wizard is used by user, anon-connection-wizard.torrc should also be seen as user configuration.

1 Like

Please make that 40_. Reason: not by a distribution but also not done manually by the user. Done with a gui tool. 50_ could be used to override settings by the gui tool the user disagrees with (mostly theoretic at this point).

1 Like

Thank you for your guidance, @Patrick !

Done: https://github.com/irykoon/anon-connection-wizard/commit/64fc291298aeff8632c478133aea4d4398503ad0

I will do a pull request later with other fixed and changes :slight_smile:

1 Like

Doudble check: DisableNetwork 0 should also go to /etc/torrc.d/50_user.torrc and it should not appear in any other .torrc correct?

If it is correct, anon-connection-wizard's repair_torrc.py and tor_status.py and whonix-setup-wizard's tor_status.py should be changed.

(actually we need to remove tor_status.py from whonix-setup-wizard packet, correct?)

Thank you very much!

1 Like


Doudble check: DisableNetwork 0 should also go to /etc/torrc.d/50_user.torrc and it should not appear in any other .torrc correct?

When using anon-connection-wizard gui:

DisableNetwork 0 can be in a torrc file generated by
anon-connection-wizard 40_...


Recommend use of /etc/torrc.d/50_user.torrc.

But I am not too sure about this yet. Someone who first did it manually
using /etc/torrc.d/50_user.torrc UseBridges 0 and then uses
anon-connection-wizard UseBridges 1 would result in actually
UseBridges 0.

So it’s not perfect yet. I guess nothing similar has been done before
that’s why we struggle with this?

Solution? anon-connection-wizard should parse all Tor config files and
warn/abort (not enable/restart Tor) about any conflicting (final)
result? That would be future work.

(actually we need to remove tor_status.py from whonix-setup-wizard packet, correct?)



Yes, this can be a solution. I am going to think the problem and I will let you know if I came up with any other solutions :slight_smile:






Btw… After a while (undefined time)… Please create a ticket from
what has been consensus among the developers from that discussion on
trac.torproject.org. Please reference the thread. Additionally, I like
to reference the ticket being created on the mailing list to neatly link
everything together.

Alternatively, you could also skip the mailing list discussion and post
right on trac.torproject.org.

1 Like

Thank you so much for your guidance, Patrick!




When I install the package locally using make deb-icup, I got a hint to do: systemctl daemon-reload so that the new configurations will take effect.

I am wondering if this is something we should take care of in the package installation process? If so, what’s the proper way to auto execute systemctl daemon-reload? In Makefile I guess?

Thank you very much!

1 Like
[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]