TL;DR Read handbook, figure out your security and anonymity requirement(s) and/or goal(s), read at links on Tor.
There's also a need to check for things like DNS leaks and using a VPN is recommended.
https://www.dnsleaktest.com/
If it's just experimental, or for some modicum of privacy in the modern age, as most use it for, you probably don't need all the bells and whistles.
However, security-wise, There's always compiling a Xen kernel
xen(4)(),
Code:
#Add to your kernel config file for Xen support.
options XENHVM
device xenpci
using bHyve
bhyve(8)(), or Virtualbox (
emulators/virtualbox-ose. I'd recommend an encrypted disk
zfs(8)() and
geli(8)(). If possible, configure/install with hardened options (ram/swap encryption, disk encryption). Use pf, ipfw, or whatever you're most comfortable with, then just run
Tails (linux-OS in a virtual machine).
Maybe best to start with this on OpenBSD, NetBSD, or Mir (which I have virtually know knowledge of).... or even pFsense. Don't use root, etc. etc.
I can't give you specific advise because I don't know your intended designs/requirements, nor am I an expert Tor. Tor guides will generally steer you in a safe direction.... with the exception of Microsoft (and possibly Apple's) keylogging and constant data flow, the most minimal system you can have, hardened, and trusted would provide the best security, along with virtual networking devices, etc. etc. The handbook and man pages are a
man's best friend
Jails are also another option.
I'd read all of the
Security section of the handbook (Chapter 13) (probably a must),
14: Jails,
15: Mandatory Access Control,
29: Firewalls, and
30: Advanced Networking
We can probably help with specefics but it all depends on how much tin foil you need to wear/what you are doing etc.
Breeze through the synopses of the
Handbook, figure out a desired setup, and then perhaps we can give better advice.
For ultimate tinfoil hat, hardened NetBSD (I'm not sure about OpenBSD and Xen, but if there's a Xen kernel, maybe OpenBSD)... FreeBSD+Jailed vbox/bhyve+tails+a dns caching server or two, and ZFS and/or NetBSD's upgraded UFS, virtual hosts/networking, VPN (or two, or three)... but TBH tails does a decent job, especially with a VPN, of anonymizing traffic (though, as stated before, anonymous traffic != secure! But with a setup like that, you might just get hired at the NSA, assuming they'll give you any kind of clearance after you start your anti-psychotics.
Oh and if you're worried about security, everything should be wired, no wireless devices. Especially unencrypted keyboards and mice... but also wifi and bluetooth, obviously, kind of defeats the purpose of encrypting things when someone can easily access your encryption keys and everything you've ever typed in your system
.
Oh! Make sure you're gateway and routers are secure, otherwise, again, what's the point? For that matter,
tor has a page for good and bad ISPs.
Do be careful with what you click on and where you browse on Tor. Some hidden services are quite unsavory and I have browsed some but luckily not seen anything so bad that it traumatized me, but it's out there... Pedofiles and the like, who should just be castrated, murder for hire (yup, seen the sights, not sure if they're real, scams, setups, or what, but it's pretty weird to see it), but I think they're a minority of the users. Also tails is very good at paying attention to your nodes, but entry/exit nodes are a whole topic that is well documented on the Tor site itself.
Sorry for long post, haven't been on the forums in forever.