vanguards - Additional protections for Tor Onion Services



vanguards uses the Stem Tor control port library to connect to a Tor control port. It has three defense subsystems: Vanguards, Rendguard, and Bandguards. All three subsystems apply to both service-side and client-side onion service activity, but NOT to any client traffic that exits the Tor network to the normal Internet.

This is not an endorsement. I don’t have much knowledge about it. This is just me experimenting, making vanguards work on Debian buster.

Open file /etc/tor/vanguards.conf with root rights.

lxsudo mousepad /etc/tor/vanguards.conf

Comment out control_ip = i.e. make that

#control_ip =

Change control_socket = to:

control_socket = /var/run/tor/control

Restart vanguards.

sudo systemctl restart vanguards

vanguards should probably use Tor control socket by default so it would work out of the box. Probably worth a bug report against Debian.

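The config steps from the post above, as an added shell example that is not part of the original thread or of the vanguards package. The helper names `use_control_socket` and `uses_socket_only` are hypothetical; the keys and the socket path are the ones given in the post.

```shell
#!/bin/sh
# Added example. Helper names are hypothetical; paths and keys come from the post.

# use_control_socket CONF [SOCKET]
# Comments out the active control_ip line and points control_socket at SOCKET.
# Returns 1 on I/O errors, 2 if CONF has no control_socket key to rewrite.
use_control_socket() {
    conf=$1
    sock=${2:-/var/run/tor/control}   # SOCKET must not contain '|' or '&' (sed syntax)
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }

    # If the file has INI-style sections, appending a missing key at the end could
    # land it in the wrong section. Refuse instead and leave the file untouched.
    grep -Eq '^[[:space:]]*control_socket[[:space:]]*=' "$conf" || {
        echo "no control_socket key in $conf; add it by hand" >&2
        return 2
    }

    cp -p "$conf" "$conf.bak" || return 1      # keep the previous version
    tmp=$(mktemp) || return 1
    sed -e 's|^[[:space:]]*control_ip[[:space:]]*=|#&|' \
        -e "s|^[[:space:]]*control_socket[[:space:]]*=.*|control_socket = $sock|" \
        "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write through the existing file so its owner and mode are preserved.
    cat "$tmp" > "$conf" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"

    [ -S "$sock" ] || echo "warning: $sock is not a Unix socket on this host" >&2
    return 0
}

# uses_socket_only CONF: true when no control_ip line is active and
# control_socket is set to an absolute path.
uses_socket_only() {
    ! grep -Eq '^[[:space:]]*control_ip[[:space:]]*=' "$1" &&
        grep -Eq '^[[:space:]]*control_socket[[:space:]]*=[[:space:]]*/' "$1"
}

# Usage on the real file (as root), followed by the restart from the post:
#   use_control_socket /etc/tor/vanguards.conf && uses_socket_only /etc/tor/vanguards.conf
#   systemctl restart vanguards
```

Running it a second time changes nothing, because an already commented `control_ip` line no longer matches and `control_socket` is rewritten to the same value.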

Nice. CC’ing our documentation brigade @0brand @torjunkie

Too early for documentation. Don’t even know where to install. Gateway or workstation.

Todo research:

Tor version deb.torproject.org (Whonix uses) vs packages.debian.org vanguards version mismatch?

Sane for installation by default?

Vanguards available from deb.torproject.org?



When we know where to set it up, sure - no probs.


@Patrick My guess is on the GW?


This looks easy to add by default. Doesn’t look very error prone and would be a good enhancement.


OK to mix vanguards from packages.debian.org with Tor from deb.torproject.org repository?


enable vanguards systemd unit file by default
