
February 18, 2012

Setting up a Tor relay on Debian Squeeze

Tor is an anonymising relay system that lets people reach sites on the internet without other parties being able to snoop on the traffic or see which sites are being connected to. This means that people living under regimes where their internet connection is censored (or the super paranoid) can connect to servers they wouldn’t otherwise be able to reach (such as Google Mail, Facebook, Twitter etc.).

As the system runs entirely with the help of volunteers running relays to share bandwidth and load, I decided to set one up on my hosting service using the following process.

Firstly, alter /etc/apt/sources.list to include the tor apt repository. This not only avoids having to compile tor and do some messy configuration, but also means that the server doesn’t need a build chain installed. Currently the line you need in your sources file looks like the following:

deb http://deb.torproject.org/torproject.org squeeze main

though you should check the Tor Project’s site in case this has changed at any point (and where it says ‘squeeze’ you should change it to match the version of Debian you’re running).

Then install Tor with:

gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key \
    add -
apt-get update
apt-get install deb.torproject.org-keyring    
apt-get install tor arm

I installed arm as a command-line way of keeping an eye on tor; it isn’t necessary, but it is very useful. You will then need to edit /etc/tor/torrc. It should have mostly sensible defaults, but the following should probably be changed:

# I set this to 0 as this is my server and I don't need to join
# tor as a client from it 
SocksPort 0

# I left this as the default but it does need to be specified
ORPort 9001

# Give your relay a nickname
Nickname armcd

# These specify how much bandwidth you want to provide. Use the
# rate in tandem with the AccountingMax option to make sure
# you don't go above your bandwidth quota set by your ISP. If this is
# too high, heavy tor traffic will result in your relay always
# hitting the imposed limit really quickly and going into hibernation
# soon after it resets. You want to try and avoid this flip flopping.
RelayBandwidthRate 100 KB
RelayBandwidthBurst 200 KB
AccountingMax 2 GB

# This is used if it is detected that your relay is doing something
# daft. It is public, so choose an account you're not worried about
# being seen on the tor relay list.
ContactInfo <enter what you want here>

# I use this list of exit policies to make sure that most traffic
# people could want to send gets through, while stopping people
# from using bittorrent easily. Unfortunately bittorrent can lead to
# abuse complaints from your ISP (to them it appears as if you're
# using bittorrent) and it will also ruin your bandwidth. It is very
# unlikely that people who are attempting to avoid censorship are
# going to be using bittorrent. It is more likely to be Americans
# trying to avoid MPAA notices. I shamelessly stole this off the tor
# forums.
ExitPolicy accept *:20-23     # FTP, SSH, telnet
ExitPolicy accept *:43        # WHOIS
ExitPolicy accept *:53        # DNS
ExitPolicy accept *:79-81     # finger, HTTP
ExitPolicy accept *:88        # kerberos
ExitPolicy accept *:110       # POP3
ExitPolicy accept *:143       # IMAP
ExitPolicy accept *:194       # IRC
ExitPolicy accept *:220       # IMAP3
ExitPolicy accept *:443       # HTTPS
ExitPolicy accept *:464       # kpasswd
ExitPolicy accept *:531       # IRC/AIM
ExitPolicy accept *:543-544   # Kerberos
ExitPolicy accept *:563       # NNTP over SSL
ExitPolicy accept *:706       # SILC
ExitPolicy accept *:749       # kerberos
ExitPolicy accept *:873       # rsync
ExitPolicy accept *:902-904   # VMware
ExitPolicy accept *:981       # Remote HTTPS management for firewall
ExitPolicy accept *:989-995   # FTP over SSL, Netnews Administration System, telnets, IMAP over SSL, ircs, POP3 over SSL
ExitPolicy accept *:1194      # OpenVPN
ExitPolicy accept *:1220      # QT Server Admin
ExitPolicy accept *:1293      # PKT-KRB-IPSec
ExitPolicy accept *:1500      # VLSI License Manager
ExitPolicy accept *:1533      # Sametime
ExitPolicy accept *:1677      # GroupWise
ExitPolicy accept *:1723      # PPTP
ExitPolicy accept *:1863      # MSNP
ExitPolicy accept *:2082      # Infowave Mobility Server
ExitPolicy accept *:2083      # Secure Radius Service (radsec)
ExitPolicy accept *:2086-2087 # GNUnet, ELI
ExitPolicy accept *:2095-2096 # NBX
ExitPolicy accept *:2102-2104 # Zephyr
ExitPolicy accept *:3128      # SQUID
ExitPolicy accept *:3389      # MS WBT
ExitPolicy accept *:3690      # SVN
ExitPolicy accept *:4321      # RWHOIS
ExitPolicy accept *:4643      # Virtuozzo
ExitPolicy accept *:5050      # MMCC
ExitPolicy accept *:5190      # ICQ
ExitPolicy accept *:5222-5223 # XMPP, XMPP over SSL
ExitPolicy accept *:5228      # Android Market
ExitPolicy accept *:5900      # VNC
ExitPolicy accept *:6660-6669 # IRC
ExitPolicy accept *:6679      # IRC SSL
ExitPolicy accept *:6697      # IRC SSL
ExitPolicy accept *:8000      # iRDMI
ExitPolicy accept *:8008      # HTTP alternate
ExitPolicy accept *:8074      # Gadu-Gadu
ExitPolicy accept *:8080      # HTTP Proxies
ExitPolicy accept *:8087-8088 # Simplify Media SPP Protocol, Radan HTTP
ExitPolicy accept *:8443      # PCsync HTTPS
ExitPolicy accept *:8888      # HTTP Proxies, NewsEDGE
ExitPolicy accept *:9418      # git
ExitPolicy accept *:9999      # distinct
ExitPolicy accept *:10000     # Network Data Management Protocol
ExitPolicy accept *:19294     # Google Voice TCP
ExitPolicy accept *:19638     # Ensim control panel
ExitPolicy reject *:*
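
Two things in the torrc above are easy to get wrong without noticing: whether a given port actually gets through the ExitPolicy list (Tor takes the first matching rule, top to bottom), and how quickly RelayBandwidthRate eats the AccountingMax budget. The following is an added example, not code from the post or from the Tor Project: it parses a constructed, shortened copy of the configuration above, answers "would this relay exit to port N?" with first-match semantics, and works out how many hours of full-rate relaying the accounting budget allows. The size suffix table covers the common Tor suffixes, and the accounting arithmetic assumes Tor's default of applying the limit to each direction separately (the AccountingRule sum variant is offered as a parameter).

```python
"""Exit-policy matching and accounting budget for the torrc above.
Added example (not from the post or from Tor); SAMPLE_TORRC is a
constructed, shortened copy of the post's configuration."""
import ipaddress
import re

SAMPLE_TORRC = """
SocksPort 0
ORPort 9001
RelayBandwidthRate 100 KB
RelayBandwidthBurst 200 KB
AccountingMax 2 GB
ExitPolicy accept *:20-23     # FTP, SSH, telnet
ExitPolicy accept *:53        # DNS
ExitPolicy accept *:79-81     # finger, HTTP
ExitPolicy accept *:443       # HTTPS
ExitPolicy accept *:6660-6669 # IRC
ExitPolicy reject *:*
"""

# Common size suffixes Tor accepts for bandwidth/accounting options
# (1024-based); bit suffixes are an eighth of the byte ones. A bare
# number means bytes.
UNITS = {"bytes": 1, "kb": 1024, "kbytes": 1024, "mb": 1024 ** 2,
         "mbytes": 1024 ** 2, "gb": 1024 ** 3, "gbytes": 1024 ** 3,
         "tb": 1024 ** 4, "tbytes": 1024 ** 4,
         "kbits": 128, "mbits": 1024 ** 2 // 8, "gbits": 1024 ** 3 // 8}


def parse_size(text):
    """'100 KB' -> 102400, '2 GB' -> 2147483648."""
    m = re.fullmatch(r"\s*(\d+)\s*([A-Za-z]*)\s*", text)
    if not m:
        raise ValueError(f"bad size: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2).lower() or "bytes"]


def parse_torrc(text):
    """Return (options, policy): single-value options as a dict, and the
    ExitPolicy rules as (action, address-pattern, port-pattern) in order."""
    options, policy = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line:
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        if key != "ExitPolicy":
            options[key] = value
            continue
        for rule in value.split(","):                # a line may hold several rules
            action, _, target = rule.strip().partition(" ")
            addr, _, port = target.rpartition(":")
            policy.append((action, addr, port))
    return options, policy


def _addr_matches(pattern, ip):
    # Handles '*' plus literal addresses or CIDR nets; Tor also accepts
    # keywords such as 'private', which this example does not implement.
    if pattern == "*":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def _port_matches(pattern, port):
    if pattern == "*":
        return True
    lo, _, hi = pattern.partition("-")
    return int(lo) <= port <= int(hi or lo)


def exit_allowed(policy, ip, port):
    """Tor evaluates ExitPolicy top to bottom; the first match decides.
    The post's list ends with 'reject *:*' so every lookup terminates
    (Tor itself would append its built-in default policy otherwise)."""
    for action, addr, port_pat in policy:
        if _addr_matches(addr, ip) and _port_matches(port_pat, port):
            return action == "accept"
    raise ValueError("policy has no catch-all rule")


def hours_until_hibernation(options, rule="max"):
    """Hours of relaying flat out at RelayBandwidthRate before AccountingMax
    is reached. A relay moves every byte in and out again; Tor's default
    applies the limit to each direction separately ('max'), so the budget
    lasts AccountingMax / rate seconds. With 'sum' (read + written counted
    together) it lasts half as long."""
    rate = parse_size(options["RelayBandwidthRate"])
    budget = parse_size(options["AccountingMax"])
    return budget / (2 * rate if rule == "sum" else rate) / 3600


if __name__ == "__main__":
    opts, pol = parse_torrc(SAMPLE_TORRC)
    for port in (22, 80, 443, 6881):                 # 6881: a common bittorrent port
        verdict = "accept" if exit_allowed(pol, "203.0.113.10", port) else "reject"
        print(f"port {port:>5}: {verdict}")
    print(f"budget lasts {hours_until_hibernation(opts):.1f} h of full-rate "
          f"relaying per accounting period (a calendar month by default)")
```

With the post's numbers (100 KB/s, 2 GB) the limit is reached after roughly 5.8 hours of relaying at full rate, after which the relay hibernates until the accounting period resets; that is the flip-flopping the RelayBandwidthRate comment warns about, and the ratio AccountingMax / RelayBandwidthRate is the number to tune before putting the relay online.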

Once you have this set up, start tor with /etc/init.d/tor start. Check the logs to make sure it has started without errors. You’re looking for lines like the following:

[notice] Tor 0.2.2.35 (git-73ff13ab3cc9570d) opening new log file.
[notice] Parsing GEOIP file /usr/share/tor/geoip.
[notice] OpenSSL OpenSSL 0.9.8o 01 Jun 2010 looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation
[notice] Bootstrapped 5%: Connecting to directory server.
[notice] I learned some more directory information, but not enough to build a circuit: We have no network-status consensus.
[notice] Bootstrapped 10%: Finishing handshake with directory server.
[notice] Bootstrapped 15%: Establishing an encrypted directory connection.
[notice] Bootstrapped 20%: Asking for networkstatus consensus.
[notice] I learned some more directory information, but not enough to build a circuit: We have no network-status consensus.
[notice] Bootstrapped 25%: Loading networkstatus consensus.
[notice] Bootstrapped 45%: Asking for relay descriptors.
[notice] I learned some more directory information, but not enough to build a circuit: We have only 0/2955 usable descriptors.
[notice] Bootstrapped 50%: Loading relay descriptors.
[notice] Bootstrapped 53%: Loading relay descriptors.
[notice] I learned some more directory information, but not enough to build a circuit: We have only 96/2955 usable descriptors.
[notice] Bootstrapped 57%: Loading relay descriptors.
[notice] I learned some more directory information, but not enough to build a circuit: We have only 192/2955 usable descriptors.
[notice] Bootstrapped 61%: Loading relay descriptors.
[notice] I learned some more directory information, but not enough to build a circuit: We have only 288/2955 usable descriptors.
[notice] Bootstrapped 65%: Loading relay descriptors.
[notice] I learned some more directory information, but not enough to build a circuit: We have only 384/2955 usable descriptors.
[notice] Bootstrapped 68%: Loading relay descriptors.
[notice] I learned some more directory information, but not enough to build a circuit: We have only 480/2955 usable descriptors.
[notice] Bootstrapped 72%: Loading relay descriptors.
[notice] I learned some more directory information, but not enough to build a circuit: We have only 576/2955 usable descriptors.
[notice] Bootstrapped 76%: Loading relay descriptors.
[notice] I learned some more directory information, but not enough to build a circuit: We have only 672/2955 usable descriptors.
[notice] We now have enough directory information to build circuits.
[notice] Bootstrapped 80%: Connecting to the Tor network.
[notice] Bootstrapped 90%: Establishing a Tor circuit.
[notice] Tor has successfully opened a circuit. Looks like client functionality is working.
[notice] Bootstrapped 100%: Done.
[notice] Interrupt: exiting cleanly.
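
"Started without errors" comes down to two checks on that log: the Bootstrapped percentage reached 100%, and nothing was logged at warn or err level. The following is an added example, not code from the post or from Tor, that runs those checks over a constructed sample made of a few of the lines above plus one made-up [warn] line; the pattern also tolerates the timestamp prefix that lines in a real log file carry.

```python
"""Check a Tor log for the clean start described above: did bootstrapping
reach 100%, and were there warn/err lines? Added example, not from the
post or from Tor."""
import re

# Constructed sample: lines copied from the post's log plus one made-up
# [warn] line so the problem path is exercised.
SAMPLE_LOG = """\
[notice] Tor 0.2.2.35 (git-73ff13ab3cc9570d) opening new log file.
[notice] Bootstrapped 5%: Connecting to directory server.
[notice] Bootstrapped 25%: Loading networkstatus consensus.
[notice] Bootstrapped 50%: Loading relay descriptors.
[warn] (constructed sample line) something the operator should look at
[notice] We now have enough directory information to build circuits.
[notice] Bootstrapped 100%: Done.
"""

# search() rather than match() so an optional timestamp before the tag is fine
LINE = re.compile(r"\[(debug|info|notice|warn|err)\] (.*)$")
BOOTSTRAP = re.compile(r"Bootstrapped (\d+)%: (.*)")


def summarize_tor_log(text):
    """Return the highest bootstrap percentage seen, its status message,
    and every warn/err message."""
    peak, peak_msg, problems = 0, "", []
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        level, msg = m.groups()
        if level in ("warn", "err"):
            problems.append(msg)
        b = BOOTSTRAP.match(msg)
        if b and int(b.group(1)) >= peak:
            peak, peak_msg = int(b.group(1)), b.group(2)
    return {"peak": peak, "peak_msg": peak_msg, "problems": problems}


def started_cleanly(text):
    """True only if Tor reached 100% and logged nothing at warn/err level."""
    s = summarize_tor_log(text)
    return s["peak"] >= 100 and not s["problems"]


if __name__ == "__main__":
    s = summarize_tor_log(SAMPLE_LOG)
    print(f"bootstrapped to {s['peak']}% ({s['peak_msg']})")
    for p in s["problems"]:
        print("needs attention:", p)
    print("clean start" if started_cleanly(SAMPLE_LOG) else "check the log")
```

Pointed at the real log (/var/log/tor/log on a Debian package install, or wherever the Log line in torrc sends it), the same two checks tell you whether a restart after a torrc change came up properly, which is worth doing each time the ExitPolicy or bandwidth options are edited.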

If you have control of your DNS, you may want to add a reverse DNS entry for your IP address so that anyone doing a dig -x on it gets a result showing that you run a tor relay. Then, if they are investigating something in their logs and see that you’re running a tor relay, they may realise that you are probably not the original source of that traffic.


About this Entry

This page contains a single entry by Alexander McDonald published on February 18, 2012 10:16 PM.
