Tor

From Segfault

Installation

If we don't want to install a binary package, we can compile Tor from source instead. Install the prerequisites; for Debian or Ubuntu:

sudo apt-get install automake libevent-dev zlib1g-dev libssl-dev docbook-xsl docbook-xml libxml2-utils xsltproc asciidoc 

...for Fedora or CentOS:

sudo yum install automake libevent-devel zlib-devel openssl-devel docbook-utils libxslt

Check out the source and build it:

git clone https://git.torproject.org/git/tor tor-git
cd tor-git

./autogen.sh
./configure --prefix=/opt/tor --enable-gcc-warnings --enable-gcc-hardening --enable-linker-hardening --with-openssl-dir=/opt/openssl
make
sudo make install

Note:

  • "--enable-gcc-warnings" might fail (newer OpenSSL versions trigger warnings that are treated as errors); try "--enable-gcc-warnings-advisory" instead.

Set up the tor user and its directories:

groupadd -g 207 -r tor
useradd -d /var/lib/tor -r -s /usr/sbin/nologin -u 207 -g tor tor
mkdir -m0700 -p /var/lib/tor /var/log/tor
chown tor:tor /var/lib/tor /var/log/tor

Configuration

Relay

A relay is a listed (public) entry relay; with ExitPolicy reject *:* as below it never carries exit traffic.

$ cat torrc
ORPort                 9001
BridgeRelay            0
ExitPolicy             reject *:*

Nickname               alice
ContactInfo            Alice alice@example.com

RunAsDaemon            1
DataDirectory          /var/lib/tor
Log notice file        /var/log/tor/notices.log

RelayBandwidthRate     100 KBytes # Throttle traffic
RelayBandwidthBurst    250 KBytes # But allow bursts
MaxAdvertisedBandwidth 100 KBytes

AccountingMax           50 GBytes
AccountingStart       week 1 00:00

Bridge relay

A bridge relay is an unlisted entry relay that replaces the first hop. Bridges are not listed in the public directory; clients obtain their addresses through a separate distribution process.

$ cat torrc
ORPort                 9001
BridgeRelay            1
ExitPolicy             reject *:*

Nickname               alice
ContactInfo            Alice alice@example.com

RunAsDaemon            1
DataDirectory          /var/lib/tor
Log notice file        /var/log/tor/notices.log

RelayBandwidthRate     100 KBytes # Throttle traffic
RelayBandwidthBurst    250 KBytes # But allow bursts
MaxAdvertisedBandwidth 100 KBytes

AccountingMax           50 GBytes
AccountingStart       week 1 00:00

obfsproxy provides the obfs2 and obfs3 pluggable transports, which disguise the bridge's traffic so that censored clients can still connect to Tor. Install obfsproxy and add the following lines to torrc:

ServerTransportPlugin           obfs2,obfs3 exec /usr/bin/obfsproxy managed
ServerTransportListenAddr       obfs2 0.0.0.0:20001
ServerTransportListenAddr       obfs3 0.0.0.0:30001

The ServerTransportListenAddr directive is optional, but static port numbers are useful because the ports have to be opened (or port-forwarded) on the firewall.

Exit node

An exit node is the last hop in the onion network; its traffic leaves Tor towards the destination under the node's own IP address. Exit nodes might be blocked by certain services and sometimes have to deal with legal issues too.

$ cat torrc
ORPort                 9001
BridgeRelay            0
# ExitPolicy           reject *:*

Nickname               alice
ContactInfo            Alice alice@example.com

RunAsDaemon            1
DataDirectory          /var/lib/tor
Log notice file        /var/log/tor/notices.log

RelayBandwidthRate     100 KBytes # Throttle traffic
RelayBandwidthBurst    250 KBytes # But allow bursts
MaxAdvertisedBandwidth 100 KBytes

AccountingMax           50 GBytes
AccountingStart       week 1 00:00

Notes:

SOCKS-Proxy

Add the following Socks* options to run a SOCKS server that SOCKS-enabled clients (e.g. HTTP proxies such as Privoxy or Polipo) can connect to:

SocksListenAddress     127.0.0.1:9050
SocksPolicy accept     10.0.0.0/24
SocksPolicy accept     127.0.0.1
SocksPolicy reject     *:*

Add the following to the Privoxy config:

forward-socks5  /   127.0.0.1:9050 .

Or, for Polipo:

socksParentProxy = "127.0.0.1:9050"
socksProxyType   = socks5

Statistics

Add the following to allow Munin plugins to connect to Tor's control port and gather statistics:[1]

ControlPort            9051
ControlListenAddress   127.0.0.1:9051
HashedControlPassword  16:D10B09C3D2D1F7E3603C6D86EA782D51300FCD5E2CA2552D6A08BE57AA

The password is generated with:

$ tor --hash-password s3cr3tp4ssw0rd
16:D10B09C3D2D1F7E3603C6D86EA782D51300FCD5E2CA2552D6A08BE57AA
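An added example, not code from the wiki or from Tor: a Python reimplementation of the "16:" hashed-password format (the RFC 2440 iterated-and-salted S2K that Tor's control port uses), so an operator can check that the HashedControlPassword in torrc really belongs to the password they think it does. PAGE_HASH and PAGE_PASSWORD are the two values shown above; the function and variable names are this example's own.

```python
"""Verify a Tor HashedControlPassword ("16:" S2K format) offline."""
import hashlib
import hmac
import os

# The torrc value and the password the page says produced it.
PAGE_HASH = "16:D10B09C3D2D1F7E3603C6D86EA782D51300FCD5E2CA2552D6A08BE57AA"
PAGE_PASSWORD = "s3cr3tp4ssw0rd"


def s2k_rfc2440(salt: bytes, indicator: int, password: bytes) -> bytes:
    """Iterated-and-salted S2K as used by Tor's control-port authentication.

    The indicator byte encodes the total number of bytes fed to SHA-1:
    0x60 -> (16 + 0) << (6 + 6) = 65536 bytes of salt+password, repeated
    and truncated on the last round.
    """
    count = (16 + (indicator & 15)) << ((indicator >> 4) + 6)
    secret = salt + password
    h = hashlib.sha1()
    while count > 0:
        chunk = secret if count >= len(secret) else secret[:count]
        h.update(chunk)
        count -= len(chunk)
    return h.digest()


def hash_password(password: str, salt=None) -> str:
    """Build a HashedControlPassword value like `tor --hash-password` does."""
    salt = os.urandom(8) if salt is None else salt  # 8 random salt bytes
    indicator = 0x60  # the S2K specifier byte Tor always emits
    digest = s2k_rfc2440(salt, indicator, password.encode())
    return "16:" + (salt + bytes([indicator]) + digest).hex().upper()


def verify_password(hashed: str, password: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    if not hashed.startswith("16:") or len(hashed) != 3 + 2 * 29:
        raise ValueError("not a 16: HashedControlPassword value")
    raw = bytes.fromhex(hashed[3:])
    salt, indicator, digest = raw[:8], raw[8], raw[9:]
    expected = s2k_rfc2440(salt, indicator, password.encode())
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    print("page hash matches page password:",
          verify_password(PAGE_HASH, PAGE_PASSWORD))
    print("fresh hash for the same password:", hash_password(PAGE_PASSWORD))
```

Because the salt is random, every run of `tor --hash-password` yields a different string for the same password; only verify_password tells you whether two of them agree.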

Alternatively, one can use a CookieAuthFile[2] instead of a password:

CookieAuthentication   1
CookieAuthFile         /var/lib/tor/control_auth_cookie

tor-arm

The anonymizing relay monitor ("arm") is a CLI status monitor for Tor:

sudo apt-get install tor-arm                             # Debian, Ubuntu
sudo yum install tor                                     # Fedora, RHEL

arm needs DisableDebuggerAttachment set to "0" in torrc to function properly.[3][4]

sudo -u tor arm

Links


References