HowTo: run a tor relay or bridge

[ I set up a Debian virtual machine over the weekend with the goal of creating an Electrum server. The instructions I found involve running bitcoind over tor, but they were full of minor typos and strange characters that broke things when I copied & pasted commands, so I decided to clone them here and fix them as much as possible. This article is the first of three, copied & edited from sky-ip.org]

Configure a Tor relay or bridge on Debian or Ubuntu Linux

  1. Install updates and utilities – type these commands as root:
apt-get update && apt-get dist-upgrade -y
apt-get install -y nano screen sudo ntp ntpdate

You have installed NTP (Network Time Protocol), so your clock stays permanently synced with servers on the internet. It is vitally important for Tor to have an accurate clock. Use ntpdate to force a sync the first time; after that the NTP service runs in the background and keeps the time accurate. Type these commands as root:

service ntp stop
ntpdate 0.europe.pool.ntp.org
service ntp start

Now you have an accurate clock and you don’t have to do anything else. Please note that if you are on a virtual server which uses OpenVZ virtualization, you will not be able to change the clock, as all virtual machines share the kernel of the host machine. You need to contact your provider and ask them to install NTP and sync the time on the host machine; the change then applies to all virtual machines too.

  2. Secure remote SSH access (you can skip this step if you don’t want to enable SSH keys, but if you skip it make sure you have a really strong root password like JKHGSD*^%SD&uaAsd2734 and at least change the SSH port):

This will disable password authentication for remote SSH connections to your server. It will use only SSH keys, which are far more secure. Make sure you generate an SSH-2 key pair of type RSA 4096 bit, set a passphrase for it (use PuTTYgen on Windows, or the key generation utility of any Linux distribution) and save the SSH public key to a file (for example sshpubkey.asc). Also be sure to back up the private key somewhere safe in encrypted form, otherwise you will be locked out of your server if you lose the key pair. Follow this step by step so you won’t get locked out of your server and need to contact your provider to fix it.

Edit the sshd_config file with nano text editor – change these settings as root:

nano /etc/ssh/sshd_config

Do the following:

  a) Change the line Port 22 to another non-default port, for example Port 39346 – automated scripts that scan port 22 will no longer find your SSH service
  b) Uncomment the line # AuthorizedKeysFile    %h/.ssh/authorized_keys (just remove the # from the beginning to uncomment)
  c) Uncomment # PasswordAuthentication yes and change the value to no, so it reads: PasswordAuthentication no
  d) Uncomment # KerberosAuthentication no (just remove the # from the beginning)
  e) Uncomment # GSSAPIAuthentication no (just remove the # from the beginning)
  f) Change the last line UsePAM yes to UsePAM no

– Save the file in nano by pressing CTRL + X, enter y to confirm saving and hit Enter.

Create the keys folder and set permissions – type these commands as root:

mkdir -p ~/.ssh && cd ~/.ssh
chmod 0700 ~/.ssh
nano authorized_keys

– Open your sshpubkey.asc file (the SSH-2 RSA public key you saved earlier), select ALL of its content and copy/paste it into the nano editor in the console. authorized_keys expects the one-line OpenSSH format (ssh-rsa AAAA... comment); PuTTYgen’s “Save public key” button writes a multi-line format that sshd will not accept, so copy the key from the text box at the top of the PuTTYgen window instead.

– Save the file in nano by pressing CTRL + X, enter y to confirm saving and hit Enter.

Change permissions for authorized_keys file (important, otherwise key-based authentication won’t work) – type the command as root:

chmod 0600 ~/.ssh/*

Finally, restart the SSH service for the changes to take effect – type this command as root:

service ssh restart

Disconnect from the server (type exit) and re-connect using the NEW SSH port you configured and the SSH-2 RSA key. A safer way to do this is to keep the current session open and test the new port and key from a second terminal first; if that login fails you can still fix sshd_config from the old session.
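
The six sshd_config edits above, applied to the file’s text so the result can be inspected before it is written back. This is an added example, not code from the original article; the sample excerpt is constructed and the port defaults to the article’s 39346.

```python
"""Apply the sshd_config changes of steps a) to f) above to the text of a config
file, so the result can be inspected before it is written back. Added example,
not from the original article; the sample excerpt below is constructed."""
import re
from typing import Optional

# Directives this how-to changes, in the order of steps a) to f).
HARDENED = [
    ("Port", "39346"),                                  # a) move off port 22
    ("AuthorizedKeysFile", "%h/.ssh/authorized_keys"),  # b)
    ("PasswordAuthentication", "no"),                   # c) keys only
    ("KerberosAuthentication", "no"),                   # d)
    ("GSSAPIAuthentication", "no"),                     # e)
    ("UsePAM", "no"),                                   # f)
]

def harden_sshd_config(text: str, port: str = "39346") -> str:
    """Return the config with every HARDENED directive set to the wanted value.

    Any line whose first word is one of the directives, commented out or not,
    is replaced in place (so "# PasswordAuthentication yes" does not linger as
    a misleading comment); a directive that never appears is appended at the
    end; duplicates are dropped so only one effective value remains.
    """
    wanted = dict(HARDENED)
    wanted["Port"] = port
    seen, out = set(), []
    for line in text.splitlines():
        m = re.match(r"^\s*#?\s*([A-Za-z]+)\b", line)
        word = m.group(1).lower() if m else None
        # sshd treats directive names case-insensitively, so match that way.
        key = next((k for k in wanted if k.lower() == word), None)
        if key is None:
            out.append(line)
        elif key not in seen:
            out.append(f"{key} {wanted[key]}")
            seen.add(key)
    for key, value in wanted.items():
        if key not in seen:
            out.append(f"{key} {value}")
    return "\n".join(out) + "\n"

def effective_setting(text: str, directive: str) -> Optional[str]:
    """Value sshd would use: the first uncommented occurrence wins."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == directive.lower():
            return parts[1]
    return None

# Constructed excerpt resembling the Debian default sshd_config.
SAMPLE = """Port 22
#AuthorizedKeysFile %h/.ssh/authorized_keys
#PasswordAuthentication yes
# KerberosAuthentication no
UsePAM yes
"""
```

Write the output to /etc/ssh/sshd_config and run sshd -t before service ssh restart: a syntax error reported by sshd -t cannot lock you out, whereas restarting with a broken file can.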

  3. Install the Tor Project repository – very important, as this will always give you the latest stable version of Tor and obfsproxy. It is also very easy to update from this repo with just one command.

Find out your Debian / Ubuntu distribution codename – type command as root:

lsb_release -c

It will output something like, for example: wheezy (this is your distribution codename). Memorize or copy it and add it to your apt sources:

echo "deb http://deb.torproject.org/torproject.org wheezy main" >> /etc/apt/sources.list

*Make sure you substitute “wheezy” with your own distribution codename if it differs.

Add the Tor Project signing key to your keyring and enable it – type this command as root. Note that --recv 886DDD89 fetches by short key ID, which is not unique; the gpg --export step names the full 40-character fingerprint, so only the key that actually matches it ends up in apt’s keyring:

gpg --keyserver keys.gnupg.net --recv 886DDD89; gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -

Update the package index – type this command as root:

apt-get update

Finally, install the Tor Project keyring, Tor, tor-arm and obfsproxy from the official repository:

apt-get install -y deb.torproject.org-keyring tor obfsproxy tor-arm

  4. If the server is not just a Tor relay but also serves other purposes, it is vitally important to audit every application that listens on the public internet. There is a very high chance your server will be brute-forced once its IP address is publicly listed. These are just some basic points; depending on what you run on the server, audit everything and make sure it is secure:
  a) You don’t have any users other than root with an easy-to-guess password allowed to access the machine remotely over SSH;
  b) You have a very strong passphrase for root, like KSDk8648as5%&$%DS%ahnh*74fs, and preferably the default SSH port 22 changed to a different one;
  c) You don’t have anonymous / guest FTP access enabled on your machine, or FTP users with easy-to-guess passwords. Use strong passwords like the one for root, use a password generator and store the passwords in a password keeper such as keepassx;
  d) You don’t allow phpMyAdmin access from the internet, and if you must allow it (think again whether you must) use a very strong passphrase. Use the phpMyAdmin manual to restrict this access to local only;
  e) Your MySQL or PostgreSQL server does not listen on the public IP address of the server, but only on 127.0.0.1. A MySQL database should never be open to the public internet unless it is a dedicated remote SQL server (for backup or similar). If the website is hosted on the same machine, use the localhost interface (127.0.0.1) and never bind to the public IP address. Consult the MySQL or PostgreSQL manual to set this.

[Editor’s note: Stop here if you just want to run a hidden service. I found that running a relay caused non-stop brute-force attempts on my server to the point of DoS, and it is also considered a potential security vulnerability to run a hidden service on a relay.]

  5. Install your own recursive DNS resolver on localhost (only important for exit relays; if you don’t plan to be an exit relay, you can skip this step)

Usually the provider’s DNS servers cause problems on high-speed exit relays, as they are unreliable and sometimes alter results (for example for nonexistent domains) to redirect to their own advertising websites. Tor won’t like such behavior and this can have a real impact on your relay’s Exit flag. Just install a lightweight local DNS resolver with one command – type as root:

apt-get install unbound

That’s it. It works out of the box, with no settings needed on the DNS server side. You just need to configure your operating system to use it. Edit the resolv.conf file with the nano text editor – type as root:

nano /etc/resolv.conf

Delete the lines there and enter just one line at the top:

nameserver 127.0.0.1

– Save the file in nano by pressing CTRL + X, enter y to confirm saving and hit Enter.

  6. At last, let’s configure Tor:

First, stop the running Tor service – type as root:

service tor stop

Edit the torrc file – type as root:

cd /etc/tor
rm -f torrc
nano torrc

Now you’ve opened an empty configuration file and need to fill in the Tor config. Here are the lines you need to add:

ORPort – this is what enables your server to be a Tor relay. You just need to specify the port. Usually we go with 443 for solid connectivity, but if port 443 is already in use by another application on your machine, feel free to choose one of your own. If you can’t use 443 or 22, we recommend 9001. Example:

ORPort 443

*If your server has multiple IP addresses / network interfaces and you want to bind the Tor relay to a certain one, specify its IP address here like this:

ORPort 100.100.100.100:443 – substitute 100.100.100.100 with the public IP address of your server where you want to bind Tor.

DirPort – this enables you to mirror the directory authorities’ consensus data too. If you have enough bandwidth, this is helpful as well. Usually we use port 80 for this, but if that port is already busy on your server choose a different one; we recommend 9030. Example:

DirPort 80

*In the same way you can bind to a certain IP address if you have several, like this:

DirPort 100.100.100.100:80 – substitute 100.100.100.100 with the public IP address of your server where you want to bind Tor.

If you specify a certain IP address at ORPort and DirPort, make sure you also specify OutboundBindAddress with the same IP. Example:

OutboundBindAddress 100.100.100.100 – substitute 100.100.100.100 with the public IP address of your server where you want to bind Tor.

Choose a nickname for your relay:

Nickname TorRelayNick

Set a contact address for your relay so the community can contact you. This happens really, really rarely. Obfuscate the email to prevent spam, like user [SPAMfree at] domain [spamtrap dot] com

ContactInfo Youremail

Use this if you use DirPort on port 80 and want to serve a web page when someone enters your relay’s IP address in their browser. The original article links an example page; save it to /etc/tor under the name index.html.

DirPortFrontPage /etc/tor/index.html

If it’s only a relay and you don’t want it to be a Tor client as well (this is not mandatory):

SocksPort 0

You might sometimes want to use a Tor controller, like arm:

ControlPort 127.0.0.1:9051

As a matter of good practice, if you run more than one relay, list them in the MyFamily option via their fingerprints, comma separated. You need to add this line to the torrc of every relay in the family.

MyFamily <fingerprint>,<fingerprint>

If you want to limit the bandwidth you are willing to give to Tor – use this only if you want to throttle and limit speed; if not, do not add these lines. Make sure you give it a high Burst, so the relay won’t constantly hit its maximum limit. You can replace MBytes with KBytes for lower limits, but please take into consideration giving at least 600 KBytes to RelayBandwidthRate and a really big Burst:

RelayBandwidthRate 2 MBytes

RelayBandwidthBurst 20 MBytes

You don’t have unmetered traffic on your server? You can set accounting for how much you’re able to give. Suppose you have a server with 1 TB of monthly traffic and you want to donate 990 GB to Tor (always keep about 1% of your traffic for updates and remote administration, so you never reach the limit imposed by your provider). Choose the day on which accounting should start (e.g. the 3rd of each month – substitute your desired value) and the hour in 24-hour HH:MM format. In the example, accounting resets on the 3rd of each month at 00:00. Substitute your desired values. If you have unmetered traffic, do not add these lines to your torrc:

AccountingMax 990 GBytes

AccountingStart month 3 00:00

Almost done; now we need to specify the exit policy, i.e. which ports we allow exiting to. If you are an exit relay, it is always recommended to block outgoing port 25 (SMTP) to prevent spam. To allow everything except port 25 SMTP, enter these lines:

ExitPolicy reject 0.0.0.0/8:*
ExitPolicy reject 169.254.0.0/16:*
ExitPolicy reject 127.0.0.0/8:*
ExitPolicy reject 192.168.0.0/16:*
ExitPolicy reject 10.0.0.0/8:*
ExitPolicy reject *:25
ExitPolicy accept *:*

If you want a reduced exit policy that allows the most commonly used services (like web browsing, SSH access, Skype and email clients) and is more restrictive than allowing everything, here is the reduced exit policy configuration which we use. It allows only the necessary ports and rejects everything else, including the high ports commonly used for p2p file sharing. We recommend using this sample, to keep abuse reports down and bandwidth consumption reasonable.

ExitPolicy reject 0.0.0.0/8:*
ExitPolicy reject 169.254.0.0/16:*
ExitPolicy reject 127.0.0.0/8:*
ExitPolicy reject 192.168.0.0/16:*
ExitPolicy reject 10.0.0.0/8:*
ExitPolicy accept *:20-23
ExitPolicy accept *:53
ExitPolicy accept *:79-81
ExitPolicy accept *:88
ExitPolicy accept *:110
ExitPolicy accept *:143
ExitPolicy accept *:194
ExitPolicy accept *:220
ExitPolicy accept *:389
ExitPolicy accept *:443
ExitPolicy accept *:464
ExitPolicy accept *:531
ExitPolicy accept *:543-544
ExitPolicy accept *:554
ExitPolicy accept *:563
ExitPolicy accept *:636
ExitPolicy accept *:706
ExitPolicy accept *:749
ExitPolicy accept *:873
ExitPolicy accept *:902-904
ExitPolicy accept *:981
ExitPolicy accept *:989-995
ExitPolicy accept *:1194
ExitPolicy accept *:1220
ExitPolicy accept *:1293
ExitPolicy accept *:1500
ExitPolicy accept *:1533
ExitPolicy accept *:1677
ExitPolicy accept *:1723
ExitPolicy accept *:1755
ExitPolicy accept *:1863
ExitPolicy accept *:2082
ExitPolicy accept *:2083
ExitPolicy accept *:2086-2087
ExitPolicy accept *:2095-2096
ExitPolicy accept *:2102-2104
ExitPolicy accept *:3128
ExitPolicy accept *:3389
ExitPolicy accept *:3690
ExitPolicy accept *:4321
ExitPolicy accept *:4643
ExitPolicy accept *:5050
ExitPolicy accept *:5190
ExitPolicy accept *:5222-5223
ExitPolicy accept *:5228
ExitPolicy accept *:5900
ExitPolicy accept *:6660-6669
ExitPolicy accept *:6679
ExitPolicy accept *:6697
ExitPolicy accept *:8000
ExitPolicy accept *:8008
ExitPolicy accept *:8080
ExitPolicy accept *:8087-8088
ExitPolicy accept *:8330-8339
ExitPolicy accept *:8440-8449
ExitPolicy accept *:8888
ExitPolicy accept *:9000-9999
ExitPolicy accept *:18333-18335
ExitPolicy reject *:*

Don’t want to be an exit relay, just a middle one? Simple: just add this no-exit policy to your configuration file and you’re done. Tor won’t allow exiting via your relay and will only use it to route traffic inside the Tor network:

ExitPolicy reject *:*
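
How Tor applies the policies above: rules are tried top to bottom, and the first one whose address and port both match decides. This is an added example, not code from the article or from Tor; the policy text is a constructed subset of the reduced exit policy (IPv4 rules only), and the destination addresses come from the documentation range 203.0.113.0/24.

```python
"""Evaluate a Tor ExitPolicy the way the relay does: rules are tried top to
bottom and the first one whose address and port both match decides.

Added example, not from the original article or from Tor; the policy text is a
constructed subset of the reduced exit policy above (IPv4 rules only)."""
import ipaddress

REDUCED_POLICY = """
ExitPolicy reject 0.0.0.0/8:*
ExitPolicy reject 169.254.0.0/16:*
ExitPolicy reject 127.0.0.0/8:*
ExitPolicy reject 192.168.0.0/16:*
ExitPolicy reject 10.0.0.0/8:*
ExitPolicy accept *:20-23
ExitPolicy accept *:53
ExitPolicy accept *:79-81
ExitPolicy accept *:443
ExitPolicy accept *:989-995
ExitPolicy accept *:9000-9999
ExitPolicy reject *:*
"""

def parse_policy(text):
    """Turn 'ExitPolicy accept|reject ADDR:PORTS' lines into (action, net, lo, hi).

    ADDR is '*' (any host) or an IPv4 address/CIDR; PORTS is '*', one port,
    or a 'lo-hi' range. Other lines in the torrc are ignored.
    """
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] != "ExitPolicy":
            continue
        action, (addr, ports) = parts[1], parts[2].rsplit(":", 1)
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if ports == "*":
            lo, hi = 1, 65535
        elif "-" in ports:
            lo, hi = (int(p) for p in ports.split("-"))
        else:
            lo = hi = int(ports)
        rules.append((action, net, lo, hi))
    return rules

def exit_allowed(rules, ip, port):
    """True if the first matching rule accepts; False if it rejects or nothing matches."""
    dest = ipaddress.ip_address(ip)
    for action, net, lo, hi in rules:
        if (net is None or dest in net) and lo <= port <= hi:
            return action == "accept"
    return False  # both policies on this page end with an explicit *:* rule anyway

if __name__ == "__main__":
    rules = parse_policy(REDUCED_POLICY)
    # 203.0.113.0/24 is a documentation range; these destinations are constructed.
    for ip, port in [("203.0.113.10", 443), ("203.0.113.10", 25), ("192.168.1.10", 443)]:
        print(ip, port, "accept" if exit_allowed(rules, ip, port) else "reject")
```

Note that port 25 is rejected by the reduced policy not because of an explicit rule but because no accept rule lists it before the final reject *:*, while the full policy further up needs its explicit reject *:25 line before accept *:*.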

If you want to be a bridge relay and help censored users reach the internet, you just need to add these lines. If you configure a bridge, make sure it supports pluggable transports such as obfs (that’s why we installed obfsproxy along with Tor earlier); regular bridges with no pluggable transport support are not of much help. Bridge relay IP addresses are not publicly listed in the Tor network (that’s the purpose of being a bridge; otherwise the bridge IP would be blocked too, like a listed relay). To be a bridge supporting the obfs3 and scramblesuit pluggable transports, simply add these lines. You must REMOVE the DirPort line if you are a bridge: you cannot be a bridge relay and serve directory data too, so NO DirPort line on a bridge.

BridgeRelay 1
ServerTransportPlugin obfs3,scramblesuit exec /usr/bin/obfsproxy managed

When you start the tor service as shown below, check the log file at /var/log/tor/log to see the ports opened for obfs3 and scramblesuit. Obfsproxy binds these pluggable transports to random ports. Copy those, along with the bridge identity fingerprint, and hand them over to your friends who need to access the network under camouflage.

After entering the lines that configure the relay to your preferences, save the torrc file in nano by pressing CTRL + X, enter y to confirm saving and hit Enter.

Start tor service again – type as root:

service tor start

Check the log for success (it might take some minutes until Tor has advertised itself to the network). There should be a notice saying your ORPort is reachable, excellent, publishing server descriptor. Check the log with:

cat /var/log/tor/log

Use tor-arm to check the relay’s state and relevant data about sent/received traffic, circuits, resource (RAM/CPU) consumption, etc. Just type:

sudo -u debian-tor -i arm

To exit arm, press the q key twice in a row.

THAT’S NOT ALL. A RELAY, ONCE SET UP, CANNOT BE ABANDONED. YOU NEED TO KEEP AN EYE OUT FOR UPDATES AND REGULARLY UPDATE YOUR OPERATING SYSTEM AND TOR VERSION. SECURITY PATCHES AND NEWER VERSIONS ARE ISSUED ALL THE TIME. ON DEBIAN OR UBUNTU, ALL YOU NEED TO DO IS – AS ROOT:

apt-get update && apt-get dist-upgrade -y

Restart the Tor service or reboot the server for the new files to take effect: type service tor restart or reboot.

  7. Sample configuration files

Exit Relay sample configuration file with reduced exit policy (only most commonly used services, no p2p file sharing) on a server with a single public IP address, unmetered traffic (no traffic accounting limits), maximum speed allowed (no relay rate limits) and ports 443 and 80 free:

ORPort 443
DirPort 80
SocksPort 127.0.0.1:9150
ControlPort 127.0.0.1:9051
Nickname SkyIPSample
ContactInfo uma [at] *SPAMTRAP* gmail [d0t] com
DirPortFrontPage /etc/tor/index.html
ExitPolicy reject 0.0.0.0/8:*
ExitPolicy reject 169.254.0.0/16:*
ExitPolicy reject 127.0.0.0/8:*
ExitPolicy reject 192.168.0.0/16:*
ExitPolicy reject 10.0.0.0/8:*
ExitPolicy accept *:20-23
ExitPolicy accept *:53
ExitPolicy accept *:79-81
ExitPolicy accept *:88
ExitPolicy accept *:110
ExitPolicy accept *:143
ExitPolicy accept *:194
ExitPolicy accept *:220
ExitPolicy accept *:389
ExitPolicy accept *:443
ExitPolicy accept *:464
ExitPolicy accept *:531
ExitPolicy accept *:543-544
ExitPolicy accept *:554
ExitPolicy accept *:563
ExitPolicy accept *:636
ExitPolicy accept *:706
ExitPolicy accept *:749
ExitPolicy accept *:873
ExitPolicy accept *:902-904
ExitPolicy accept *:981
ExitPolicy accept *:989-995
ExitPolicy accept *:1194
ExitPolicy accept *:1220
ExitPolicy accept *:1293
ExitPolicy accept *:1500
ExitPolicy accept *:1533
ExitPolicy accept *:1677
ExitPolicy accept *:1723
ExitPolicy accept *:1755
ExitPolicy accept *:1863
ExitPolicy accept *:2082
ExitPolicy accept *:2083
ExitPolicy accept *:2086-2087
ExitPolicy accept *:2095-2096
ExitPolicy accept *:2102-2104
ExitPolicy accept *:3128
ExitPolicy accept *:3389
ExitPolicy accept *:3690
ExitPolicy accept *:4321
ExitPolicy accept *:4643
ExitPolicy accept *:5050
ExitPolicy accept *:5190
ExitPolicy accept *:5222-5223
ExitPolicy accept *:5228
ExitPolicy accept *:5900
ExitPolicy accept *:6660-6669
ExitPolicy accept *:6679
ExitPolicy accept *:6697
ExitPolicy accept *:8000
ExitPolicy accept *:8008
ExitPolicy accept *:8080
ExitPolicy accept *:8087-8088
ExitPolicy accept *:8330-8339
ExitPolicy accept *:8440-8449
ExitPolicy accept *:8888
ExitPolicy accept *:9000-9999
ExitPolicy accept *:18333-18335
ExitPolicy reject *:*

Middle Relay sample configuration file on a server with a single public IP address, unmetered traffic (no traffic accounting limits), maximum speed allowed (no relay rate limits) and ports 443 and 80 free:

ORPort 443
DirPort 80
SocksPort 127.0.0.1:9150
ControlPort 127.0.0.1:9051
Nickname SkyIPSample
ContactInfo uma [at] *SPAMTRAP* gmail [d0t] com
DirPortFrontPage /etc/tor/index.html
ExitPolicy reject *:*

Obfuscated Bridge Relay sample configuration file on a server with a single public IP address, unmetered traffic (no traffic accounting limits), maximum speed allowed (no relay rate limits) and ports 443 and 80 free:

ORPort 443
BridgeRelay 1
SocksPort 127.0.0.1:9150
ControlPort 127.0.0.1:9051
Nickname SkyIPBridge
ContactInfo uma [at] *SPAMTRAP* gmail [d0t] com
ServerTransportPlugin obfs3,scramblesuit exec /usr/bin/obfsproxy managed
ExitPolicy reject *:*
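
A small consistency check for torrc files like the samples above, against the rules this how-to states: no DirPort on a bridge (and a bridge should carry a pluggable transport), OutboundBindAddress must match an ORPort/DirPort bound to an explicit IP, Burst must exceed Rate when limits are set, an exit policy must reject port 25 before accept *:*, and ContactInfo must be set. This is an added example, not code from the article or from Tor; the torrc shown is constructed from the bridge sample with a DirPort line deliberately left in, and the address check assumes IPv4 as the article does.

```python
"""Check a torrc against rules this how-to states. Added example, not from the
article or from Tor; the torrc below is constructed from the bridge sample above
with a DirPort line deliberately left in. Address checks assume IPv4."""
UNITS = {"KBytes": 1024, "MBytes": 1024 ** 2, "GBytes": 1024 ** 3}

def parse_torrc(text):
    """Return (key, value) pairs in file order; '#' starts a comment."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            pairs.append((key, value.strip()))
    return pairs

def size_bytes(value):
    """Parse a torrc size such as '2 MBytes' into bytes."""
    num, unit = value.split()
    return int(num) * UNITS[unit]

def lint_torrc(text):
    """Return the list of problems found (empty when every check passes)."""
    pairs = parse_torrc(text)

    def get(key):  # keys compared case-sensitively here, for brevity
        return [v for k, v in pairs if k == key]

    problems = []
    if get("BridgeRelay") == ["1"] and get("DirPort"):
        problems.append("bridge must not have a DirPort")
    if get("BridgeRelay") == ["1"] and not get("ServerTransportPlugin"):
        problems.append("bridge without a pluggable transport is of little help")
    # "IP:port" form binds one address; the article uses IPv4 throughout.
    bound = {v.rsplit(":", 1)[0] for k in ("ORPort", "DirPort") for v in get(k) if ":" in v}
    for ip in sorted(bound):
        if get("OutboundBindAddress") != [ip]:
            problems.append(f"{ip} is bound but OutboundBindAddress does not match")
    if get("RelayBandwidthRate"):
        rate = size_bytes(get("RelayBandwidthRate")[0])
        burst = size_bytes(get("RelayBandwidthBurst")[0]) if get("RelayBandwidthBurst") else 0
        if burst <= rate:
            problems.append("RelayBandwidthBurst should be well above RelayBandwidthRate")
    policy = get("ExitPolicy")
    if "accept *:*" in policy and "reject *:25" not in policy[: policy.index("accept *:*")]:
        problems.append("exit policy accepts everything without rejecting port 25 first")
    if not get("ContactInfo"):
        problems.append("ContactInfo is missing")
    return problems

# Constructed: the bridge sample from above, plus the DirPort line a bridge must not have.
BRIDGE_WITH_DIRPORT = """ORPort 443
DirPort 80
BridgeRelay 1
ContactInfo uma [at] *SPAMTRAP* gmail [d0t] com
ServerTransportPlugin obfs3,scramblesuit exec /usr/bin/obfsproxy managed
ExitPolicy reject *:*
"""
```

Run lint_torrc on the text of /etc/tor/torrc before service tor start; an empty list means every rule from this article is satisfied.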

Original article: https://www.sky-ip.org/configure-relay-debian-ubuntu.html

Pingback: HowTo: run bitcoind via tor | Ross M. W. Bennetts
