In this Security and Maintenance Update, our focus was on fixing a possible vulnerability when using TorBox or TorBox on a Cloud as an OpenVPN server. To circumvent possible firewalls, the default port was set to 443. So far, TorBox on a Cloud has not been affected by this vulnerability. However, fixing the OpenVPN server functionality on a real TorBox needed a change in the iptables configuration. This change, in connection with port 443, would allow UDP packets sent to port 443 to be sent directly into the Internet, bypassing the redirection through the Tor network. But, wait, https traffic is TCP and not UDP, right? Unfortunately, UDP on port 443 is associated with the QUIC protocol, which was developed by Google and is now used by several major web services and applications to provide faster and more efficient encrypted web connections. If UDP port 443 is blocked, applications using QUIC will automatically fall back to standard HTTPS over TCP port 443, which will be routed through the Tor Network. If selected for installation, the OpenVPN server will use UDP port 1194 by default. The user can still change this port during the installation, but regarding possible firewalls, the safest solution is to forward this port.

TorBox Image (about 1 GB): v.0.5.4 (20.07.2025) – SHA-256 values
TorBox mini Image (about 1 GB): v.0.5.4 (20.07.2025) – SHA-256 values
TorBox Menu only: v.0.5.4 (20.07.2025) – SHA-256 values

Alternatively, you can download the image from our TorBox cloud test installation.

• • •

Changelog

Besides the fixes and security improvements regarding the OpenVPN server functionality, the TorBox Mini variant has received substantial attention in this update, and altogether, some more issues were addressed:

Updated: The system is based on Raspberry Pi OS “Bookworm” lite 64bit with the Linux Kernel 6.12.34 and Tor version 0.4.8.17 with obfs4proxy version 0.0.14 and Snowflake 2.11.0.
Security: TorBox provides better SSH access control mechanisms with special considerations for TorBox on a Cloud where SSH access is essential for installation and maintenance. A more comprehensive improvement regarding SSH access control is already integrated in the TorBox v.0.5.5 developer branch, which allows selectively enabling/disabling SSH access for certain types of clients, from the Internet or completely allowing/blocking SSH access.
Security: A new feature enables administrators to enable/disable root access.
Improved: We introduced a TorBox mini default Main Menu for users who want it to work and don’t want to have numerous options, which could brick the TorBox mini in the worst-case scenario. However, for experts, we included Multiple Client Support for TorBox mini, meaning if the expert Main Menu is enabled in the Danger Zone (this option is only available on TorBox mini), then you have all the connection possibilities in the Main Menu known from a standard TorBox. This is particularly interesting for experts who attach additional interfaces to a Raspberry Pi Zero 2 W. With the upcoming TorBox v.0.5.5, we are exploring the possibility of providing more flexibility regarding the cable interface. By default, TorBox will automatically detect and use clients on eth0, except when eth0 is used as an Internet source; in this case, eth1 is used as a potential client. However, in cases where a cable connection does not provide the Internet, we would like to use both eth0 and eth1 as potential client connections (see issue #365).
Improved: Documentation on how to backup/restore domain exclusion lists is now accessible in the Danger Zone sub-menu.
Fixed: Year after year, the same issue – the official Tor repository on GitLab changed the links to the different versions, leading to an error when trying to fetch the version information.

• • •

How to update

For default installations of TorBox and TorBox mini

If you have an already running TorBox v.0.5.4 then you can manually update your system to close potential vulnerabilities and update Tor:

Eventually, use entry 1 in the Update & Maintenance sub-menu to update the base system.
Use entry 5 in the Update & Maintenance sub-menu to update the TorBox menu.
Use entry 4 in the Update & Maintenance sub-menu to update Tor and Snowflake.
Add/change the following options in run/torbox.run by using sudo nano /home/torbox/torbox/run/torbox.run:

# OPENVPN access from the Internet
# 0 - OPENVPN access from the Internet is blocked
# 1 - OPENVPN access from the Internet is allowed (default)
OPENVPN_FROM_INTERNET=0

# NEW v.0.5.4-post: New added with default 1194
# Default OPENVPN port
OPENVPN_PORT=1194

# Is this a TorBox Mini default installation?
# 0 - No
# 1 - Yes (default)
TORBOX_MINI_DEFAULT=1

Reconfigure the firewall by using an entry between 5 and 10 in the Main menu.

For default installations of TorBox on a Cloud

In addition to the steps for default installations of TorBox and TorBox mini explained above, do the following additional steps:

Use entry 14 in the Configuration sub-menu to enable SSH access from the Internet. This is a precautionary measure in case something goes wrong. After OpenVPN is working, and your SSH access via OpenVPN is successfully tested, you can disable the SSH access from the Internet again.
Save iptables with sudo iptables-save > /etc/iptables.ipv4.nat
Change all --dport 443 to --dport 1194 by using sudo nano /etc/iptables.ipv4.nat . For experts: Compare /etc/iptables.ipv4.nat with /home/torbox/torbox/etc/iptables.ipv4-cloud.nat and manually correct any incorrect configurations (this shouldn’t be the case).
Change in /etc/openvpn/server.conf port 443 to port 1194 by using sudo nano /etc/openvpn/server.conf.
Change on your client in the .ovpn-file on the row beginning with remote 443 to 1194 by using a text editor.
Load the changed iptables with sudo /sbin/iptables-restore < /etc/iptables.ipv4.nat
Restart OpenVPN by using sudo systemctl restart openvpn
Test OpenVPN and SSH through OpenVPN access
Disable SSH access from the Internet by using entry 14 in the Configuration sub-menu

• • •

We need your feedback!!

We hope this version pleases you. However, we are dependent on feedback. It is not just about fixing bugs and improving usability, but also about supporting additional interfaces and hardware in future releases:

What do you like?
What should be improved (why and how)?
What would you like to see next? Which features do you request?

With the TorBox GitHub repository, it is straightforward for everyone to report issues or change the code and propose it in a pull request. Because we continue to travel around, it sometimes takes more time to address the issues and proposals.

For future versions, we need to understand what you require and what you would like to see from the Onion Services implementation. Please feel free to use the discussion forum to share your needs with us.

ke on TorBox v.0.5.4 – Security and Maintenance Update 20 July 2025: “suggestion: Add torbox to https://www.freedombox.org/ I am a computer layperson. I can not estimate how much work it is to…” Sep 22, 14:20
ke on TorBox v.0.5.4 – Security and Maintenance Update 20 July 2025: “can torbox be installed on a raspberry pi 3b v1.2? If so how would you go about it? Any instructions?…” Sep 22, 14:03
ke on TorBox v.0.5.4 – Security Update 17 April 2025: “can torbox be installed on a raspberry pi 3b v1.2? If so how would you go about it? Any instructions?…” Sep 22, 13:51
ke on TorBox v.0.5.4 – Security Update 17 April 2025: “Writing here on torbox.ch requires an email account. Writing here https://github.com/radio24/TorBox/issues requires a github account. Maybe there are people wanting…” Aug 27, 20:34
ke on TorBox v.0.5.4 – Security Update 17 April 2025: “https://github.com/radio24/TorBox/issues/295#issuecomment-3065989611 Did you manage to run a torbox instance (not a torbox mini instance) on a raspberry pi zero 2…” Aug 27, 19:59