Setting-up Tor Relays

This topic was published by and viewed 965 times since "". The last page revision was "".

Viewing 1 post (of 1 total)
  • Author
    Posts
  • DevynCJohnson
    DevynCJohnson
    Keymaster
    • Topics - 444
    • @devyncjohnson

    Linux can serve numerous purposes such as web-servers, routers, firewalls, embedded devices, etc.. Obviously, Linux can also act as a Tor Relay. Tor Relays are a crucial part of the Tor Darknet (Onion Network). If more people understood how to setup a Tor Relay, then perhaps, the Onion Network would be larger, faster, and better.

    Concepts

    The Tor network is composed of relays and bridges. Relays are network nodes that connect the client system to the server (such as a web-site). The list of relays is publicly available, which is how the Tor web-browser and relays know where to connect. There are three types of relays.

    • Entry Relays - This network node (also called a guard-relay) provides an entrance to the Tor/Onion network.
    • Middle Relays - These relays connect to other middle-relays, and entry-relays and exit-relays are connected to middle-relays.
    • Exit Relays - Exit-relays (also called exit-nodes) send data out of the Tor/Onion network and to the destination/server.

    Bridges are a special type of entry-relays that are not publicly listed. However, for networking nodes to know how to access a bridge, a few bridges are listed at a time by TorProject.org (https://bridges.torproject.org/bridges). Also, the address and information of some bridges are hard-coded into Tor. These hard-coded bridges are highly trusted and such a bridge is called a "Directory Authority" or "Direct Authority" (DA). This hard-coded list is in the config.c file in the "default_authorities[]" character array. The DA bridges have a master list of relays and one of the ten has a master list of bridges.

    NOTE: Bridges specified in lists are given in the format "IP_ADDRESS:PORT FINGERPRINT". For example, "141.201.27.48:420 4352e58420e68f5e40bf7c74faddccd9d1349413" is a "bridge configuration line". Sometimes, a transport type is listed before the IP address.

    The torrc File

    The "torrc" file is the Tor configuration file. On Linux and Unix systems, this file may be found in one of several places.

    • /usr/local/etc/tor/torrc
    • /etc/tor/torrc
    • /etc/torrc
    • ~/.tor-browser-en/INSTALL/Browser/TorBrowser/Data/Tor/torrc

    Sample torrc file - https://gitweb.torproject.org/tor.git/plain/src/config/torrc.sample.in

    When changing the settings in torrc, Tor must be restarted to make the changes take effect. This can be done by executing "service tor reload" or by sending Tor the "HUP" signal (killall --SIGHUP tor).

    Installing Tor

    Tor can be downloaded from GitHub (https://gitweb.torproject.org/tor.git) and then compiled and installed locally.

    To install Tor on a Debian-based system, use TorProject's repository because the default repositories may contain out-dated packages.

    To add the TorProject repository (requires Root privileges)

    • Add "deb http://deb.torproject.org/torproject.org DISTRO main" to /etc/apt/sources.list
    • Add the GPG key - gpg --keyserver keys.gnupg.net --recv 886DDD89 && gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
    • Refresh the repository list - apt-get update

    Once the repo has been added, Tor can be installed by executing apt-get install tor deb.torproject.org-keyring.

    Prepare the Computer

    It is important to ensure that the computer is properly setup and prepared. There are multiple tasks and settings that should be checked and configured.

    • Ensure that the firewall will allow Tor-related traffic
    • Hardware firewalls and routers may need to use port-forwarding
    • The time should be synchronized and correctly displayed; install an NTP service (i.e. ntpd or openntpd)
    • Backup Tor's private relay key (/var/lib/tor/keys/secret_id_key) and ensure that the backup and original are secure (only readable by owner)
    • Check out the Secure Tor Server guidelines - https://trac.torproject.org/projects/tor/wiki/doc/OperationalSecurity
    • Install Python2, which is needed by some pluggable transports (https://www.torproject.org/docs/pluggable-transports.html.en)
      • Debian-based - apt-get install python2.7 python-pip python-dev build-essential
      • RedHat-based - yum install make automake gcc python-pip python-devel libyaml-devel

    Install obfsproxy

    "obfsproxy" is a Python framework that provides pluggable transports such as obfs2, obfs3, and others. To find the port used by obfsproxy, look in the Tor logs for a line containing something like "Registered server transport 'obfs3' at '0.0.0.0:40172'".

    Install obfsproxy using the given command with Root privileges - pip install obfsproxy

    Creating a Bridge

    To create a bridge (private entry-relay), edit the "torrc" file and set the file's contents to the code below.

    SocksPort 0
    ORPort auto
    BridgeRelay 1
    SafeLogging 1
    Exitpolicy reject *:*

    After saving the file, the fingerprint of the bridge can be obtained from /var/lib/tor/fingerprint or the Tor logs.

    Creating a Relay

    To create a relay, edit the "torrc" file and set the file's contents to the code below.

    ORPort 443
    ExitRelay 0
    Exitpolicy reject *:*
    SafeLogging 1
    Nickname RELAY_NAME
    ContactInfo EMAIL_ADDRESS

    To make the node an exit-relay, replace "Exitpolicy reject *:*" with "Exitpolicy accept *:*" and "ExitRelay 0" with "ExitRelay 1". If you are planning on making an exit-relay, then read the exit-relay guidelines - https://trac.torproject.org/projects/tor/wiki/doc/TorExitGuidelines. Before setting up an exit-relay, understand the risks. If the exit-relay is used to access illegal content (like child pornography) law-enforcement may try to track the client system that obtained the illegal data. Obviously, the client will appear to be the exit-relay, so the exit-relay owner is at risk of legal issues. This article about minimizing such issues - https://blog.torproject.org/running-exit-node.

    It is possible to host a protocol-specific exit-relay. For example, to make a POP3S exit-relay, use this exit-policy - ExitPolicy accept *:995

    torrc Tips

    • The port used by DirPort can be set by adding "DirPort PORT_NUM" to torrc.
    • Certain protocols can be blocked or allowed in the torrc file. For instance, to block rsync, use "Exitpolicy reject *:749".
    • To run Tor as a daemon - RunAsDaemon 1
    • On computers with more than one network interface, out-bound traffic can be set to use a different network card - OutboundBindAddress IP_ADDRESS
    • Throttle traffic (data per second) - RelayBandwidthRate X MBits
    • Remove sensitive data from the logs - SafeLogging 1
    • To allow IPv6 on an exit-relay, add "Exitpolicy accept6 *:*" and "IPv6Exit 1" to torrc
    • Allow DNS lookups - ServerDNSSearchDomains 1
    • Check out the Tor Manual for more options - https://www.torproject.org/docs/tor-manual.html.en

    Further Reading

Viewing 1 post (of 1 total)