lar.ven – this.ven's wiki

Authority through knowledge (of FLOSS and GNU/Linux)

Relay

A relay in the context of the Tor network is a routing node that registers itself with special-purpose relays (the directory authorities), which maintain and publish a list of currently running relays called the consensus. Relays can perform different roles in the Tor network (guard, middle, exit). A bridge is a relay that is deliberately kept out of the public consensus and registers with the bridge authority instead, so that censors cannot block Tor simply by blocking every address in the relay list.

I was running a bridge on a Raspberry Pi single-board computer, but due to the limited capabilities of the internet connection in use I could barely comply with the relay requirements, so I switched to a WebRTC-based solution via Snowflake. Nevertheless, for documentation purposes the former setup is provided in the following.

Basic setup

Void Linux

Since the hardware specifications of a Raspberry Pi 3 A+ are low, Void Linux is used as the operating system. Full disk encryption is not employed during installation, as Tor by design does not store identifiable data about the traffic it relays, so a lost SD card does not leak user data. Note that the bridge's own long-term identity keys under /var/lib/tor/keys are stored in the clear, though; whoever obtains the card can impersonate the bridge until those keys are replaced. After downloading a pre-built image and writing it to an SD card, the system can be booted on the single-board computer. Log in using the default credentials and change the root password by invoking passwd and entering a new one twice.

Networking

As there is no wired network interface in the chosen Raspberry Pi model, wireless networking is used. The wpa_supplicant package is installed by default and provides tools to create and manage connections. To configure the typical WPA-PSK connection found in home networks, use the following commands and adapt the values for SSID and PSK to match your network credentials. Both values are quoted so that spaces survive; if you omit the PSK argument, wpa_passphrase reads the passphrase from stdin instead, which keeps it out of the shell history:

SSID="My network name"
PSK="Super secret key"
wpa_passphrase "$SSID" "$PSK" >> /etc/wpa_supplicant/wpa_supplicant.conf

Edit the file /etc/wpa_supplicant/wpa_supplicant.conf and add scan_ssid=1 as well as key_mgmt=WPA-PSK to the generated network block so that it matches the following:

wpa_supplicant.conf
# home network; allow all valid ciphers
network={
	ssid="$SSID"
	scan_ssid=1
	key_mgmt=WPA-PSK
	#psk="$PSK"
	psk=<64 hex characters from the wpa_passphrase output>
}
Note: The parameters ssid and #psk contain your network credentials. The commented #psk line holds the clear-text passphrase and can safely be removed, since only the derived hex psk (written without quotes) is needed to connect.

More examples can be found in the wpa_supplicant.conf(5) man page. Afterwards, enable and start the daemon:

ln -s /etc/sv/wpa_supplicant /var/service/
sv up wpa_supplicant

IP addressing is done by a static DHCP lease (reservation) configured on the router that connects the bridge to the internet, so that the port forwarding set up later always points at the same address. Thus, the Pi simply runs dhcpcd on all interfaces; enable and start its service:

ln -s /etc/sv/dhcpcd /var/service/
sv up dhcpcd

Time synchronization

To synchronize the system time with time servers, set the timezone, set the current date and time once manually with the date utility (the Raspberry Pi has no battery-backed real-time clock, and Tor warns about clock skew and may fail to bootstrap when the clock is far off), then install, enable and start the chrony service (adjust 20221019 16:40 to the current date and time):

ln -sf /usr/share/zoneinfo/<timezone> /etc/localtime
date --set="20221019 16:40"
xbps-install -Sy chrony
ln -s /etc/sv/chronyd /var/service/
sv up chronyd

Console privacy

To prevent shoulder-surfing of the console, the screen can be blanked after 30 seconds of inactivity by appending consoleblank=30 to the kernel parameters in /boot/cmdline.txt.

obfs4 bridge setup

General instructions on how to deploy an obfs4 bridge on Void Linux can be found in the Tor Project's technical setup guide for bridges. This section only covers some additional settings for /etc/tor/torrc that I found useful. Remember to restart the Tor service after editing the configuration:

sv restart tor

Torify XBPS

Using XBPS over Tor minimizes clearnet communication during updates and thus avoids revealing the host as a Void Linux machine regularly polling the package mirrors. XBPS verifies the RSA signature of the repository index regardless of the transport, so fetching from a plain-http onion service does not weaken package authenticity. Permanent configuration is done by overriding the default repository mirrors with an onion service mirror in the /etc/xbps.d directory:

mkdir -p /etc/xbps.d
cp /usr/share/xbps.d/*-repository-*.conf /etc/xbps.d/
sed -i 's|https://repo-default.voidlinux.org|http://lysator7eknrfl47rlyxvgeamrv7ucefgrrlhk7rouv3sna25asetwid.onion/pub/voidlinux|g' /etc/xbps.d/*-repository-*.conf

Additionally, the SOCKS_PROXY environment variable must be set so that XBPS connects through Tor's SOCKS port; the .onion name is then resolved by Tor rather than being leaked to the clearnet DNS resolver. A file in /etc/profile.d only affects login shells, so cron jobs or scripts that run xbps-install must export the variable themselves:

cat - <<EOF > /etc/profile.d/socksproxy.sh
#!/bin/sh
export SOCKS_PROXY="socks5://127.0.0.1:9050"
EOF

Port selection

When choosing an ORPort and an obfs4 port for ServerTransportListenAddr, the list of TCP and UDP port numbers might help to find candidates. As stated in the example configuration snippet of the setup guide, best practice is to:

Avoid port 9001 because it's commonly associated with Tor and censors may be scanning the Internet for this port.

Also, I had to set up port forwarding on my router to make the chosen ports reachable from the internet. The reachability test can be used with the public IP address (<public-ip>) to check each port (<port>):

https://bridges.torproject.org/scan/scan?address=<public-ip>&port=<port>

For a quick TCP-level check, use the following netcat command from a host outside your own network (from inside, NAT hairpinning can give a misleading result). It only shows that the port accepts connections, not that obfs4 answers on it:

nc -zv <public-ip> <port>

Bandwidth limitation

Running a bridge on a home internet connection causes a lot of traffic. Thus, it's advisable to specify bandwidth limits in the /etc/tor/torrc configuration file as follows:

RelayBandwidthRate 250 KBytes  # Throttle traffic to 250 kB/s (2 Mbps)
RelayBandwidthBurst 300 KBytes # But allow bursts up to 300 kB/s (2.4 Mbps)

The values above depend on your internet speed. Use a speedtest to identify your connection speed and calculate values that do not exceed half of your upload rate, to keep enough bandwidth for your other internet applications.

For example, a common asymmetric 50 Mbps home internet connection typically only has an upload rate of about 6 Mbps, equal to 750 kB/s (KBytes in torrc units). Allowing bridge bursts of up to 40% of that bandwidth means 300 KBytes (= 2.4 Mbps) at most, and about one third (250 KBytes = 2 Mbps) on average:

6 Mbps * 125 = 750 kBps
750 kBps * 40% = 300 kBps
300 kBps / 125 = 2.4 Mbps
250 kBps / 125 = 2 Mbps
2 Mbps / 6 Mbps * 100 = 33.33%

Note: If you are using a metered connection to the internet, you'd probably want to limit the total amount of traffic as well; Tor's AccountingMax and AccountingStart directives cap the bytes relayed per accounting period.

Monitoring

For real-time information on the local Tor service nyx can be used for monitoring. Installation is done by:

xbps-install -Sy nyx

and to grant nyx access to the Tor control port, edit the /etc/tor/torrc configuration file and uncomment the following lines. CookieAuthentication restricts the control port to processes that can read the auth cookie in Tor's data directory, so run nyx with an account that can read that file (root works):

#ControlPort 9051
#CookieAuthentication 1

Restart Tor afterwards and start nyx:

sv restart tor && nyx
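To show how the settings discussed above fit together, here is a complete torrc for the bridge. This is an added example, not the page's own file: the obfs4 directives follow the Tor Project's bridge setup guide the page links to, while the obfs4proxy path, the nickname and the two port numbers are placeholders to adapt.

```text
# /etc/tor/torrc for an obfs4 bridge (example; adapt nickname, ports, path)
BridgeRelay 1
Nickname PickANickname

# Weak choice: the well-known Tor port that censors scan for.
#ORPort 9001
# Better: an unremarkable high port; forward it and the obfs4 port on the router.
ORPort 38401
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:38402
ExtORPort auto
ContactInfo <address@email.com>

# Limits for a home uplink of roughly 6 Mbps (see the bandwidth section).
RelayBandwidthRate 250 KBytes
RelayBandwidthBurst 300 KBytes

# Local control port for nyx, protected by the auth cookie.
ControlPort 9051
CookieAuthentication 1
```

After saving, run sv restart tor and confirm with nyx that the ORPort and the obfs4 port are listening before testing reachability from outside.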

Node information

The Tor network maintains information about relays identified by their fingerprint. Bridge descriptors are sanitized before publication, so the public identifier of a bridge is the hashed fingerprint (<hashed-fingerprint>), the SHA-1 hash of the identity fingerprint. Tor writes it to the file /var/lib/tor/hashed-fingerprint, and it is needed for showing the bridge status and metrics:

https://bridges.torproject.org/status?id=<hashed-fingerprint>
https://metrics.torproject.org/rs.html#details/<hashed-fingerprint>

If you consider specifying ContactInfo in the configuration file /etc/tor/torrc, you can not only use your name and email but also a number of other machine-readable fields. There is a specification (the ContactInfo Information Sharing Specification) and a generator available. For example, I was using a URI with the uri-rsa proof method to fetch Tor relay fingerprints from my website. Such a proof lets a third party check that the operator named in ContactInfo really controls the relay, because the fingerprint list is served from a domain that operator owns.
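The following Python script is an added example, not code from the wiki or from the Tor project. It derives the identifiers from the two files above and checks a uri-rsa ContactInfo proof offline. It assumes that /var/lib/tor/fingerprint and hashed-fingerprint each hold one line "<Nickname> <40 hex chars>", that the hashed fingerprint is SHA-1 over the raw 20-byte identity digest printed as upper-case hex, and that for the uri-rsa proof the operator serves the fingerprints at https://<url>/.well-known/tor-relay/rsa-fingerprint.txt, one per line with '#' comments. The fingerprint, ContactInfo string and proof file below are constructed sample data.

```python
"""Derive a bridge's public identifiers and check a ContactInfo uri-rsa proof.

Added example for this page (not wiki or Tor project code). Assumptions:
/var/lib/tor/fingerprint holds "<Nickname> <40 hex>"; hashed-fingerprint is
SHA-1 over the raw 20-byte digest, upper-case hex; the uri-rsa proof file
lives at https://<url>/.well-known/tor-relay/rsa-fingerprint.txt with one
fingerprint per line and '#' comments. All sample data is constructed.
"""
import hashlib
import re

FINGERPRINT_RE = re.compile(r"^[0-9A-F]{40}$")
WELL_KNOWN_PATH = "/.well-known/tor-relay/rsa-fingerprint.txt"


def parse_fingerprint_file(text):
    """Parse the contents of /var/lib/tor/fingerprint or hashed-fingerprint."""
    parts = text.split()
    if len(parts) != 2:
        raise ValueError("expected '<nickname> <fingerprint>', got %r" % text)
    nickname, fp = parts[0], parts[1].upper()
    if not FINGERPRINT_RE.match(fp):
        raise ValueError("malformed fingerprint %r" % fp)
    return nickname, fp


def hashed_fingerprint(fingerprint):
    """SHA-1 of the raw identity digest: the ID under which a bridge is tracked."""
    raw = bytes.fromhex(fingerprint)
    if len(raw) != 20:
        raise ValueError("fingerprint must be 20 bytes")
    return hashlib.sha1(raw).hexdigest().upper()


def bridge_urls(hashed_fp):
    """The status and metrics URLs from the page, filled in for this bridge."""
    return {
        "status": "https://bridges.torproject.org/status?id=" + hashed_fp,
        "metrics": "https://metrics.torproject.org/rs.html#details/" + hashed_fp,
    }


def parse_contactinfo(contactinfo):
    """Split a 'key:value key:value ...' ContactInfo string into a dict."""
    fields = {}
    for token in contactinfo.split():
        if ":" in token:
            key, value = token.split(":", 1)
            fields[key] = value
    return fields


def proof_url(fields):
    """Where the uri-rsa proof must be served; url may carry a scheme or not."""
    host = re.sub(r"^https?://", "", fields["url"]).rstrip("/")
    return "https://" + host + WELL_KNOWN_PATH


def parse_rsa_fingerprint_file(text):
    """Return the set of fingerprints listed in an rsa-fingerprint.txt document."""
    fps = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().upper()
        if not line:
            continue
        if not FINGERPRINT_RE.match(line):
            raise ValueError("malformed line in proof file: %r" % line)
        fps.add(line)
    return fps


def uri_rsa_proof_holds(contactinfo, fingerprint, proof_text):
    """True if ContactInfo claims uri-rsa and the fetched proof lists this relay."""
    fields = parse_contactinfo(contactinfo)
    if fields.get("proof") != "uri-rsa" or "url" not in fields:
        return False
    return fingerprint.upper() in parse_rsa_fingerprint_file(proof_text)


# Constructed sample data; not a real bridge, operator or domain.
SAMPLE_FINGERPRINT_FILE = "MyBridge 0123456789ABCDEF0123456789ABCDEF01234567\n"
SAMPLE_CONTACTINFO = "email:op[]example.org url:example.org proof:uri-rsa ciissversion:2"
SAMPLE_PROOF_FILE = "# relays run by example.org\n0123456789abcdef0123456789abcdef01234567\n"

if __name__ == "__main__":
    nick, fp = parse_fingerprint_file(SAMPLE_FINGERPRINT_FILE)
    hfp = hashed_fingerprint(fp)
    print(nick, fp, "->", hfp)
    for name, url in bridge_urls(hfp).items():
        print(name + ":", url)
    print("proof file:", proof_url(parse_contactinfo(SAMPLE_CONTACTINFO)))
    print("uri-rsa proof holds:", uri_rsa_proof_holds(SAMPLE_CONTACTINFO, fp, SAMPLE_PROOF_FILE))
```

On a real bridge, feed the contents of /var/lib/tor/fingerprint to parse_fingerprint_file and compare the derived hash with /var/lib/tor/hashed-fingerprint; for the proof check, fetch proof_url() over HTTPS and pass the body as proof_text.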

Category: Tor

services/tor/relay.txt · Last modified: 2023/03/30 17:16 by this.ven