[tor-talk] [RELEASE] Raspbian guide and image for Tor nodes
CJ Barlow
cbarlow at sigaint.org
Mon Jun 1 02:38:05 UTC 2015
Would you like to contribute to the Tor network by running your own relay?
This is a guide to do just that via a Raspberry Pi 2.
This guide is intended to cover the set up in detail from start-to-finish
but, as always, will need to be tweaked with community feedback.
In an attempt to make this as plug-and-play as possible I fully prepared
an image[1] while writing this guide. This image was tested on my
Raspberry Pi 2.
TL;DR: Download the image file, copy it to your Raspberry Pi 2 MicroSDHC
card and run a relay.
You can use either dd[2] or Win32 Disk Imager[3] to write the image to
your MicroSDHC card. Alternatively, you can follow these instructions to
tweak the official Raspbian image[4].
*I do not have any experience with a headless set up. Additional
help/corrections, especially to the SSH part of the guide are
appreciated.*
Equipment needed:
- Raspberry Pi 2
- Ethernet cable
- 4GB Class 10 (or higher) MicroSDHC card. A 16GB card is recommended.
- Power supply with at least 2A output.
Some nice-to-have but optional equipment:
- Case
- Heatsinks
Step 1:
- Install a torrent client such as Deluge.[5]
- Download the image prepared with this guide or the official one. Please
be sure to seed it.
- The prepared image is signed with my GPG subkey.[6]
- Use either dd or Win32 Disk Imager to write the image to your MicroSDHC
card.
Step 2:
- Insert your MicroSDHC card into the Raspberry Pi 2 and plug it in to
power it on.
- If you are using the stock image, skip to step 3c.
- The default login for my image is:
tor / changeme
- Use raspi-config to change the locale settings (keyboard, time zone
etc.) and user password:
sudo raspi-config
- Select Expand Filesystem so the entire SDHC card is available to the
Raspberry Pi 2.
- Press <TAB> twice to select Finish and reboot.
- Bring the image up-to-date with:
sudo apt-get update
sudo apt-get upgrade
Step 3a:
- Check that tor is running and the ORPort is reachable:
sudo tail -f /var/log/tor/notices.log
- The following lines will be in the log file if your Relay is working
correctly:
[notice] Tor has successfully opened a circuit. Looks like client
functionality is working.
[notice] Self-testing indicates your ORPort is reachable from the
outside. Excellent. Publishing server descriptor.
[notice] Self-testing indicates your DirPort is reachable from the
outside. Excellent.
[notice] Performing bandwidth self-test...done.
- If the above lines are not present see the troubleshooting section at
the end of the document.
- Please read "Tor Fingerprint backup" at the end of the document.
- As an optional step you can change your relay's nickname. Open torrc
with:
sudo nano /etc/tor/torrc
- Edit the Nickname line, leaving a space between Nickname and what you
change it to. For example:
Nickname pickyourownnickname
- Your Relay is now up and running!
Step 3b (SSH usage)[7][8]:
- Enable SSH with:
sudo raspi-config
- Select Advanced Options:
Set SSH to Enable.
- Find the IP of your Raspberry Pi 2 with:
hostname -I
- SSH to the Pi:
ssh <username>@<Pi IP>
- For off-site usage, I recommend a DynamicDNS on the Relay's connection.
This will make SSHing to it easier.
- The DynamicDNS goes on the Address line of torrc, for example:
Address thisismy.duckdns.org
- SSH to it with:
ssh <username>@thisismy.duckdns.org
Step 3c:
Instructions if using the stock image[9]:
- Select Expand Filesystem so the entire SDHC card is available to the
Raspberry Pi 2.
- Press <TAB> twice to select Finish and reboot.
- The default login is:
pi / raspberry
- Run raspi-config:
sudo raspi-config
- Change Internationalisation Options to suit your preferences.
- When changing locale press the spacebar to select the option(s).
- Select Overclock:
Pi2
- Overclocking your Raspberry Pi 2 this way does not void the warranty!
- Select Advanced Options:
- Hostname is the device name on your network.
- Select Finish and reboot.
- Log back in using:
pi / raspberry
- Create a new user:
sudo adduser username
- Load the sudoers list:
sudo visudo
- Change the last line to:
username ALL=(ALL)ALL
- Example:
bill ALL=(ALL)ALL
- Be sure to leave a space after username *and* below the last line.
- Press Control + X to close the document.
- Press Y to save the changes and Enter to accept the default file name.
- Reboot and log in under the username you just created.
sudo reboot
- Remove the pi user:
sudo deluser --remove-home pi
- Update the OS and all packages:
sudo apt-get update
sudo apt-get upgrade
- Install cron-apt to automate updates.
sudo apt-get install cron-apt
- Configure a cron job to automatically download updates twice a day
with:
sudo nano /etc/cron.d/cron-apt
- Add a # to the start of line 5.
- Change line 6 to "Every 12 hours." Delete the # (and the space) from
line 7 and put (all on one line):
0 */12 * * * root test -x /usr/sbin/cron-apt && /usr/sbin/cron-apt /etc/cron-apt/config2
- Run the following once or twice a day to install updates:
sudo apt-get dist-upgrade
- Install tor with:
sudo apt-get install tor
- Change the following in /etc/tor/torrc (from top-to-bottom in torrc) with:
sudo nano /etc/tor/torrc
- Remove the "#" before the following lines (lines with dashes are
comments for this guide):
- Change the SocksPort to 0 from 9050.
SocksPort 9050
Log notice file /var/log/tor/notices.log
RunAsDaemon 1
- Change the DataDirectory to a RAM drive per TorProject's suggestion.[10]
- See "Tor Fingerprint backup" at the bottom of this document.
DataDirectory /dev/shm/tor
ORPort 9001
Nickname pickyourownnickname
- Run a speed test and convert the result from Megabits to Megabytes by
dividing by 8.
- Alternatively you can use an online bits-to-bytes calculator, such as
Google.[11]
- At least 2 Megabits of upload is recommended for a good relay.
- Set the RelayBandwidthRate to a maximum of 80% of your upload speed.
- Set the RelayBandwidthBurst to a maximum of 95% of your upload speed.
- Burst speed is used occasionally.
RelayBandwidthRate
RelayBandwidthBurst
*Bandwidth accounting is unidirectional; the relay will use twice what is listed!*
- To use 50GB per month (starting on the first of the month at midnight):
AccountingMax 25GB
AccountingStart month 1 00:00
- The contact info is posted online so please keep that in mind!
ContactInfo Your name <youremail at address>
DirPort 9030
- Be sure to uncomment this line so you only run as a middle relay.
ExitPolicy reject *:*
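The bandwidth arithmetic above (divide the measured upload speed by 8, then take 80% and 95%) is easy to get wrong by hand, so here is an added example script that does the conversion and prints the complete middle-relay torrc block described in this step. This is not code from the guide or from the Tor project; the function names (rate_kbytes, middle_relay_torrc, check_upload) are this example's own, and the sample speed of 9000 Kbps is a constructed value.

```shell
#!/bin/sh
# Added example, not part of the original guide: derive RelayBandwidthRate
# and RelayBandwidthBurst from a measured upload speed and print the torrc
# lines for a middle (non-exit) relay. Function names are this example's own.

# rate_kbytes UPLOAD_KBPS PERCENT: whole KBytes per second at PERCENT of
# the upload speed. Speed tests report bits, Tor takes bytes, hence the
# divide by 8 (folded into the 800 below).
rate_kbytes() {
    upload_kbps=$1
    percent=$2
    echo $(( upload_kbps * percent / 800 ))
}

# check_upload UPLOAD_KBPS: true only if the line meets the guide's
# 2 Megabit upload recommendation.
check_upload() {
    [ "$1" -ge 2000 ]
}

# middle_relay_torrc UPLOAD_KBPS NICKNAME CONTACT: print the torrc settings
# from the guide with the bandwidth lines filled in (80% rate, 95% burst).
middle_relay_torrc() {
    upload_kbps=$1
    nickname=$2
    contact=$3
    cat <<EOF
SocksPort 0
Log notice file /var/log/tor/notices.log
RunAsDaemon 1
DataDirectory /dev/shm/tor
ORPort 9001
Nickname $nickname
RelayBandwidthRate $(rate_kbytes "$upload_kbps" 80) KBytes
RelayBandwidthBurst $(rate_kbytes "$upload_kbps" 95) KBytes
AccountingMax 25GB
AccountingStart month 1 00:00
ContactInfo $contact
DirPort 9030
ExitPolicy reject *:*
EOF
}

# Usage (constructed sample: a 9000 Kbps upload measured by a speed test):
#   check_upload 9000 && middle_relay_torrc 9000 pickyourownnickname \
#       "Your name <youremail at address>" | sudo tee /etc/tor/torrc.new
```

Review the generated file before replacing /etc/tor/torrc with it; the script only fills in the values the guide tells you to pick by hand.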
- Reboot with:
sudo reboot
- Log back in to the Pi.
- Check that tor is running and the ORPort is reachable:
sudo tail -f /var/log/tor/notices.log
- The following lines will be in the log file if your Relay is working
correctly:
[notice] Tor has successfully opened a circuit. Looks like client
functionality is working.
[notice] Self-testing indicates your ORPort is reachable from the
outside. Excellent. Publishing server descriptor.
[notice] Self-testing indicates your DirPort is reachable from the
outside. Excellent.
[notice] Performing bandwidth self-test...done.
- If these are not present see the troubleshooting section below.
THANK YOU for running a relay! :-)
Relay Fingerprint backup:
Because the Fingerprint is contained on a RAM drive, it is erased in the
event of a power loss (due to shut down, reboot, etc). This makes your
Relay appear as "new" each time.
To maintain a steady relay, back up the fingerprint to a USB flash drive
with the following commands:
First, make a directory to mount the drive to:
sudo mkdir /mnt/d
If it is the only drive connected and formatted to FAT32 use:
sudo mount -t vfat /dev/sda1 /mnt/d
If it is formatted to NTFS you will need to install ntfs-3g first:
sudo apt-get install ntfs-3g
Then mount it with:
sudo mount -t ntfs /dev/sda1 /mnt/d
To access the RAM drive you need to be root (sudo):
sudo su
Browse to the Fingerprint location:
cd /dev/shm/tor/keys
Copy the "secret_id_key", which is the fingerprint, to your flash drive.
Rename it something memorable like "tor_fingerprint".
cp secret_id_key /mnt/d/tor_fingerprint
rm /mnt/tor-root/var/lib/tor/keys/secret_id_key
Invert the copy (cp) command to restore it.
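Copying the key by hand works, but a relay that comes back with a corrupted or world-readable key is as bad as one with a new identity. The following added script (not from the guide or the Tor project) wraps the backup and restore steps above with a checksum comparison and restrictive permissions. The function names backup_id_key and restore_id_key are this example's own; the directory and file arguments are parameters so you can point them at /dev/shm/tor/keys and /mnt/d/tor_fingerprint as in the guide. It assumes the Raspbian tor package, which runs tor as the debian-tor user.

```shell
#!/bin/sh
# Added example, not part of the original guide: back up and restore the
# relay's secret_id_key with an integrity check so the relay keeps its
# identity across reboots while DataDirectory lives on the RAM drive.
# Function names are this example's own. Run as root, as the guide does
# for /dev/shm/tor.

# backup_id_key KEYS_DIR DEST_FILE: copy KEYS_DIR/secret_id_key to DEST_FILE,
# make it owner-only, and confirm the copy by checksum. Returns 1 on failure.
backup_id_key() {
    src="$1/secret_id_key"
    dest=$2
    [ -f "$src" ] || { echo "no secret_id_key in $1" >&2; return 1; }
    cp "$src" "$dest" || return 1
    chmod 600 "$dest"
    # cksum prints "<crc> <size>"; both must match for the copy to be good.
    [ "$(cksum < "$src")" = "$(cksum < "$dest")" ]
}

# restore_id_key BACKUP_FILE KEYS_DIR: put the key back before tor starts.
# Tor insists that its DataDirectory is private, so the mode is restored too.
restore_id_key() {
    backup=$1
    keys_dir=$2
    [ -f "$backup" ] || { echo "backup $backup not found" >&2; return 1; }
    mkdir -p "$keys_dir" || return 1
    cp "$backup" "$keys_dir/secret_id_key" || return 1
    chmod 700 "$keys_dir"
    chmod 600 "$keys_dir/secret_id_key"
    # Assumption: the Debian/Raspbian tor package runs as debian-tor. Only
    # chown when running as root, so the check itself works unprivileged.
    if [ "$(id -u)" = 0 ] && id debian-tor >/dev/null 2>&1; then
        chown -R debian-tor:debian-tor "$keys_dir"
    fi
    [ "$(cksum < "$backup")" = "$(cksum < "$keys_dir/secret_id_key")" ]
}

# Usage on the relay, after mounting the flash drive at /mnt/d as above:
#   backup_id_key /dev/shm/tor/keys /mnt/d/tor_fingerprint
#   restore_id_key /mnt/d/tor_fingerprint /dev/shm/tor/keys   # then start tor
```

Keep the flash drive unplugged when not in use: whoever holds secret_id_key can run a relay with your fingerprint.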
Troubleshooting:
If you do not see "Self-testing indicates your ORPort is reachable from
the outside. Excellent." in the notices log you will need to check that
your port is forwarded correctly in your router.
If your port forwarding is correct but the ORPort is still unreachable you
may need a Dynamic DNS. The Dynamic DNS address will be put in the Address
line in torrc.
See footnote 13 for an example of setting up a Dynamic DNS.
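The log check in steps 3a and 3c and the troubleshooting advice above can be folded into one script that scans the notices log for the four expected lines and prints the matching hint for whatever is missing. This is an added example, not from the guide or the Tor project; the function names (has_notice, missing_notices, relay_hint, write_sample_logs) are this example's own, and the two sample logs it writes are constructed, not real relay output.

```shell
#!/bin/sh
# Added example, not part of the original guide: check a tor notices log for
# the lines the guide says a working relay prints and map what is missing to
# the guide's troubleshooting hints. Function names are this example's own.

# has_notice LOG FRAGMENT: true if the fixed string FRAGMENT appears in LOG.
has_notice() {
    grep -qF -- "$2" "$1"
}

# missing_notices LOG: print each missing notice to stderr and the number of
# missing notices to stdout (0 means the relay looks healthy).
missing_notices() {
    log=$1
    count=0
    for fragment in \
        "Tor has successfully opened a circuit" \
        "Self-testing indicates your ORPort is reachable from the outside" \
        "Self-testing indicates your DirPort is reachable from the outside" \
        "Performing bandwidth self-test...done"
    do
        if ! has_notice "$log" "$fragment"; then
            echo "missing: $fragment" >&2
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# relay_hint LOG: one line of advice, following the guide's troubleshooting
# section (ORPort unreachable -> port forwarding, then Address/Dynamic DNS;
# DirPort silent -> expected when accounting is on, otherwise forwarding).
relay_hint() {
    log=$1
    if ! has_notice "$log" "Self-testing indicates your ORPort is reachable from the outside"; then
        echo "ORPort not reachable: check router port forwarding for TCP 9001, then the Address line (Dynamic DNS)"
    elif ! has_notice "$log" "Self-testing indicates your DirPort is reachable from the outside"; then
        echo "DirPort not reported reachable: expected if bandwidth accounting is enabled, otherwise check TCP 9030 forwarding"
    else
        echo "relay healthy"
    fi
}

# write_sample_logs DIR: constructed sample logs (not real captures) so the
# checks can be tried offline; timestamps and wording follow the guide's
# quoted notices.
write_sample_logs() {
    dir=$1
    cat > "$dir/healthy.log" <<'EOF'
Jun 01 02:00:00.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Jun 01 02:00:05.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Jun 01 02:00:06.000 [notice] Self-testing indicates your DirPort is reachable from the outside. Excellent.
Jun 01 02:01:00.000 [notice] Performing bandwidth self-test...done.
EOF
    cat > "$dir/unreachable.log" <<'EOF'
Jun 01 02:00:00.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
EOF
}

# Usage on the relay: relay_hint /var/log/tor/notices.log
```

Give a freshly started relay some minutes before trusting the result: the reachability self-test and the bandwidth test are the last lines to appear.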
Extra info:
To safely shut down the system use:
sudo shutdown -h now
If Bandwidth accounting is *enabled* the DirPort is automatically disabled.
Tor uses TCP ports, the UDP ports do *not* need to be forwarded.
OS modifications for my images:
"Turbo mode" overclocking is enabled with Pi 2 setting. This does *not*
void the warranty![12]
OS hardening enabled via harden-servers package.
Tor logs are rotated daily, rotated logs are not kept.
Semi-daily cron job running apt-get update and apt-get upgrade.
Removed pi (default) user.
Hostname is RelayPi.
RelayBandwidthRate and RelayBandwidthBurst are set to 80% and 90% of the
Ookla Global Broadband upload speeds, respectively.
AccountingMax is set to 25GB (50GB per month), starting at midnight on the
first day of the month.
[1] https://torrage.com/torrent/64CF7A9D083BA58C31987B2AFA1B34B4334456F7.torrent
[2] https://www.raspberrypi.org/documentation/installation/installing-images/linux.md
[3] https://i.imgur.com/gIamfK7.png
[4] http://downloads.raspberrypi.org/raspbian_latest.torrent
[5] http://deluge-torrent.org/
[6] https://pgp.mit.edu/pks/lookup?op=vindex&search=0xD4EB587D15734B19
    Primary Fingerprint: 3E37 9905 05C0 050A FEFE C675 D4EB 587D 1573 4B19
    Signing subkey Fingerprint: 2F28 004A 19B2 E62B 3690 BF2B CCF6 3BA2 CBE9 49C3
[7] https://www.raspberrypi.org/documentation/troubleshooting/hardware/networking/ip-address.md
[8] https://www.raspberrypi.org/documentation/remote-access/ssh/unix.md
    https://www.raspberrypi.org/documentation/remote-access/ssh/windows.md
[9] http://www.instructables.com/id/Raspberry-Pi-Tor-relay/?ALLSTEPS
[10] https://trac.torproject.org/projects/tor/wiki/doc/TorRelaySecurity
[11] https://www.google.com/?q=9000Kbps+to+MBps
[12] https://www.raspberrypi.org/introducing-turbo-mode-up-to-50-more-performance-for-free/
[13] https://tor.stackexchange.com/questions/6558/relay-getting-traffic-showing-as-unreachable/6575#6575