
Tor Relay in five minutes

The security and availability of the Tor network depend directly on the number of nodes that forward traffic: the relay nodes. The EFF even launched the Tor Challenge to encourage as many users as possible to set up and run such nodes. This article is about exactly that, and it is not a complicated task.

We need a server, the machine on which the Tor relay will run. You can use your home computer, or you can reconfigure a smart router. I suggest another way: use a VPS (Virtual Private Server). The Tor software is undemanding and runs fine even on a VPS with a minimal configuration. 256 MB of memory is enough; most likely 128 MB is enough. Disk requirements are also minimal: less than a gigabyte. Such a server costs about as much per month as a cup of coffee in a coffee shop.

So, sign up for a VPS. What matters to us is that it has a real public IP address. I like Yourserver, but you can use any other VPS with Linux or *BSD on board. As a rule, after the purchase you get a server with one of the Linux distributions already installed. Choose whatever you like. I will talk about Debian.

First you need to install Tor on the VPS:
# aptitude install tor 


By default, Tor runs in client mode: you can use it to access the network, but to everyone else this instance is useless, since no one else's traffic passes through it. You must turn on the relay function (packet forwarding). We will also enable the Directory Service, the service responsible for distributing information about other Tor servers. In principle, nothing prevents you from using arbitrary ports for forwarding and for the directory. The default configuration file suggests port 9001 for packet forwarding and 9030 for the directory service. But since this VPS will not be used for anything else, we can cheat a little and make life easier for people sitting behind strict firewalls: we will make our server available on ports 443 and 80, the ports commonly used for web traffic.

Open /etc/tor/torrc and enter the following lines into it:

 Nickname MyCoolNick
 ContactInfo Person <somebody AT example dot com>
 ORPort 443 NoListen
 ORPort 9001 NoAdvertise
 DirPort 80 NoListen
 DirPort 9030 NoAdvertise
 ExitPolicy reject *:* # no exits allowed
 ExitPolicy reject6 *:* # no exits allowed


In the Nickname line, enter some name for this server. By this name we can later look the server up on the monitoring services at TorProject.

In the ContactInfo line you can enter your contact details (in case someone wants to contact you). You can also simply omit it; then the server will not tell anyone who its owner is.

The last two lines prohibit the use of our server as an exit node for traffic. Otherwise, Tor would try to use our server to send outgoing traffic to external servers. Unfortunately, not everyone uses Tor with good intentions, and if traffic leaves Tor through your server, all the problems and consequences will land on your head as well.

In addition, this configuration makes the server tell the rest of the network that it is available on port 443 for forwarding packets and on port 80 for reporting information about other servers on the network, while it actually listens on ports 9001 and 9030. In Debian, Tor does not run as root by default, and this configuration lets you avoid problems with binding to the privileged ports.

Now we use iptables to set up the necessary redirection between the ports.

If your chosen distribution has special tools for setting up an iptables firewall, you can use them. It is simpler and clearer, though, to do everything by hand.

Create a file /etc/iptables.save.rules with this content:

 # Generated by iptables-save v1.4.14 on Sat Jul 5 14:15:04 2014
 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [22:1968]
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -i lo -j ACCEPT
 -A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
 -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 9001 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 9030 -j ACCEPT
 -A INPUT -j REJECT --reject-with icmp-port-unreachable
 COMMIT
 # Completed on Sat Jul 5 14:15:04 2014
 # Generated by iptables-save v1.4.14 on Sat Jul 5 14:15:04 2014
 *nat
 :PREROUTING ACCEPT [0:0]
 :INPUT ACCEPT [0:0]
 :OUTPUT ACCEPT [1:104]
 :POSTROUTING ACCEPT [1:104]
 -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 9001
 -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9030
 COMMIT
 # Completed on Sat Jul 5 14:15:04 2014


This way we allow access to our Tor server and to SSH for remote administration.
It remains to arrange for these rules to be loaded. I usually put the call to iptables-restore in /etc/network/interfaces:
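The torrc above advertises ports 443 and 80 (NoListen) while Tor really listens on 9001 and 9030 (NoAdvertise), and the nat rules have to bridge exactly those pairs; if they drift apart, the relay will never pass its reachability self-test. The script below is an added example, not part of the original article, that parses both files and checks that every advertised port has a matching REDIRECT rule to its listening port. It assumes the plain `ORPort <port> [NoListen|NoAdvertise]` syntax and iptables-save output with `--dport X -j REDIRECT --to-ports Y`, as used on this page; other ORPort forms (addresses, IPv6) are not parsed. The sample torrc and rules it writes are constructed copies of the page's configuration.

```sh
#!/bin/sh
# Added example (not from the original article): verify that the torrc and the
# iptables rules agree, i.e. every port the relay ADVERTISES (ORPort/DirPort ...
# NoListen) is redirected by a nat REDIRECT rule to the port tor actually LISTENS
# on (... NoAdvertise). Assumes the plain "ORPort <port> [NoListen|NoAdvertise]"
# syntax and "--dport X -j REDIRECT --to-ports Y" rules, as on this page.

# Print one "KIND advertised_port listen_port" line per ORPort/DirPort in a torrc.
torrc_port_pairs() {
    awk '
        ($1 == "ORPort" || $1 == "DirPort") {
            if (NF == 2)             { adv[$1] = $2; lis[$1] = $2 }
            if ($3 == "NoListen")    adv[$1] = $2
            if ($3 == "NoAdvertise") lis[$1] = $2
        }
        END {
            for (k in adv) print k, adv[k], ((k in lis) ? lis[k] : adv[k])
        }' "$1"
}

# Print one "from_port to_port" line per REDIRECT rule in an iptables-save file.
iptables_redirects() {
    awk '
        /-j REDIRECT/ {
            from = ""; to = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport")    from = $(i + 1)
                if ($i == "--to-ports") to   = $(i + 1)
            }
            if (from != "" && to != "") print from, to
        }' "$1"
}

# check_redirects TORRC RULES: exit 0 if every advertised port has a matching
# REDIRECT to its listen port, otherwise print each problem and exit 1.
check_redirects() {
    problems=$(
        torrc_port_pairs "$1" | while read -r kind adv lis; do
            if [ "$adv" != "$lis" ] && ! iptables_redirects "$2" | grep -qx "$adv $lis"; then
                echo "$kind: advertises $adv but no rule redirects $adv to $lis"
            fi
        done
    )
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    echo "ok: advertised ports are redirected to the listening ports"
    return 0
}

# Constructed sample inputs, copied from the configuration shown in the article,
# so the check can be tried without touching a real system.
write_sample_torrc() {
    cat > "$1" <<'EOF'
Nickname MyCoolNick
ORPort 443 NoListen
ORPort 9001 NoAdvertise
DirPort 80 NoListen
DirPort 9030 NoAdvertise
ExitPolicy reject *:* # no exits allowed
EOF
}

write_sample_rules() {
    cat > "$1" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 9001
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9030
COMMIT
EOF
}

# Usage on a real relay: sh check_redirects.sh /etc/tor/torrc /etc/iptables.save.rules
if [ $# -eq 2 ]; then
    check_redirects "$1" "$2"
fi
```

The check only compares port numbers, so it will not notice a filter rule that drops the traffic before it reaches the nat table; run it together with a look at the INPUT chain, which on this page accepts 80, 443, 9001 and 9030.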

 auto lo
 iface lo inet loopback
 pre-up /sbin/iptables-restore /etc/iptables.save.rules


On Yourserver, the /etc/network/interfaces file is overwritten on every reboot, so there you have to do it a little differently.
For example, add the loading of the iptables rules to /etc/rc.local. To do this, insert the following line at the end of the file, before exit 0:

 /sbin/iptables-restore /etc/iptables.save.rules 

Finally, restart the tor server:
 # service tor restart 


Now we check that everything was done right. Some time after the restart, the following lines should appear in /var/log/tor/log:

 Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
 Tor has successfully opened a circuit. Looks like client functionality is working.
 Self-testing indicates your DirPort is reachable from the outside. Excellent.
 Performing bandwidth self-test...done.
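Reading the log by eye works once; a small script that turns the self-test messages into an exit status is handier for repeated checks or a cron job. The following is an added example, not from the original article: it scans the log in order, so a later success overrides an earlier failure, and exits 0 when both ports were confirmed reachable, 1 when Tor reported a port it could not confirm, and 2 when there is no verdict yet. The "Self-testing indicates ..." lines are the ones quoted above; the "has not managed to confirm that its ... is reachable" wording is assumed from Tor's own warning message, so adjust it if your version logs it differently. The sample logs it writes are constructed, not captured from a real relay.

```sh
#!/bin/sh
# Added example (not from the original article): report the outcome of Tor's
# reachability self-test from the relay log.
# Exit status: 0 = ORPort and DirPort both confirmed reachable,
#              1 = Tor reported a port it could not confirm (check the firewall
#                  and the REDIRECT rules),
#              2 = no verdict in the log yet.
# The "has not managed to confirm" pattern is assumed from Tor's warning text.
relay_selftest_status() {
    awk '
        /Self-testing indicates your ORPort is reachable/  { or_ok = 1 }
        /Self-testing indicates your DirPort is reachable/ { dir_ok = 1 }
        /has not managed to confirm that its ORPort is reachable/  { or_ok = 0; failed = 1 }
        /has not managed to confirm that its DirPort is reachable/ { dir_ok = 0; failed = 1 }
        /Performing bandwidth self-test\.\.\.done/ { bw = 1 }
        END {
            if (or_ok && dir_ok) {
                print "ok: ORPort and DirPort confirmed reachable" (bw ? ", bandwidth self-test done" : "")
                exit 0
            }
            if (failed) {
                print "failed: Tor could not confirm " (or_ok ? "" : "ORPort ") (dir_ok ? "" : "DirPort ") "reachable; check the firewall and the REDIRECT rules"
                exit 1
            }
            print "pending: no reachability verdict in the log yet"
            exit 2
        }' "$1"
}

# Constructed sample logs in Tor's log line format (not captured from a real relay).
write_sample_log_ok() {
    cat > "$1" <<'EOF'
Jul 05 14:20:01.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Jul 05 14:20:31.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Jul 05 14:21:02.000 [notice] Self-testing indicates your DirPort is reachable from the outside. Excellent.
Jul 05 14:22:10.000 [notice] Performing bandwidth self-test...done.
EOF
}

write_sample_log_failed() {
    cat > "$1" <<'EOF'
Jul 05 14:20:01.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Jul 05 14:20:31.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Jul 05 14:40:31.000 [warn] Your server has not managed to confirm that its DirPort is reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
EOF
}

# Usage on a real relay: sh relay_selftest.sh /var/log/tor/log
if [ $# -eq 1 ]; then
    relay_selftest_status "$1"
fi
```

Because the log is scanned in order, a relay that was briefly unreachable and then fixed reports "ok", while a port that stops being confirmed after an earlier success is reported as failed, which is what you want when the check runs periodically.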


After about an hour or two, once the information in the directory has been updated, you can go to globe.torproject.org, type the nickname of your server into the search box, and make sure that the Tor network has gained one more relay.

Initially, no traffic will be sent through the new server. What happens to a Tor relay over its lifetime is the topic of a separate article.

UPD: Since distributions do not always carry the latest version of Tor, it makes sense to add the dedicated repositories.
For Debian and Ubuntu you can add the official torproject.org repository. To do this, create a file torproject.list in /etc/apt/sources.list.d/ with the following content:

 deb http://deb.torproject.org/torproject.org DISTRIBUTION main

where instead of DISTRIBUTION you enter the codename of your release (for example, jessie or saucy). Then run:

 # gpg --keyserver keys.gnupg.net --recv 886DDD89
 # gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -
 # apt-get update
 # apt-get install tor

Source: https://habr.com/ru/post/228971/
