Sunday, December 22, 2013

How to run a tor relay node on a Raspberry PI

Why?

Tor is software that hides internet traffic from eavesdroppers. Whether you are a whistleblower, running an underground illegal drug store, living in a country that censors the internet, or just simply paranoid, Tor can help you by turning your internet traffic into gibberish and sending it through a series of nodes, hiding the source and content.

Actually, if you're just browsing the internet for regular stuff from a democratic country, it still makes sense to use Tor. Such traffic helps to hide the people on the network who really need it. So setting up a Tor relay and using it once in a while is very good for the network.

With a cheap pocket-computer, the Raspberry PI, you can set up such a node, and help this free service by donating some of your bandwidth.



Raspbian

Raspbian is a free operating system that is based on Debian GNU/Linux and runs on the Raspberry PI. It has a nice installer that makes the setup procedure really easy.

All you need to do is get an SD card for the Raspberry PI and write the OS image to it with dd on Linux, or Win32 Disk Imager on Windows.

After the first boot you will be presented with a menu that is quite self-explanatory. Set up the OS as you like.

Don't forget to resize the filesystem if the SD card is bigger than the image. (I actually recommend getting a 16G SD card, so you can play around with your system comfortably.)

Also, don't forget to set up SSH, so you can log into your tor relay node remotely. (You can do this with the ssh command on Linux, or with PuTTY on Windows.)

Tor

After you're done with the OS setup, you end up with a user that can log in on a console or with ssh.

It's time to install the tor daemon and some tools:

apt-get install tor iftop tor-arm

It's a good idea to install the iftop and tor-arm packages. Iftop is a monitoring tool that shows network usage similarly to how top shows CPU usage.

Just issue iftop at the command line to get a picture of what is consuming your bandwidth.

The tor-arm package provides a program that shows a lot of information about your tor node.

You can start tor-arm with the arm command. It will start with the bandwidth monitor screen. Screens can be switched with the left and right arrow keys. Of course, this will only work once the tor node is running, so let's see how to set that up.

After installing the packages, tor is ready to be run. If you start it with sudo service tor start, it will connect to the network, but not as a relay node. With the default configuration it just provides a socks proxy that can be used with your browser (for example). Anything that goes through this proxy will go through the Tor network.

We have to edit /etc/tor/torrc.

Here is the configuration I recommend. My Raspberry PI is behind a router (so it's behind a NAT), on a local network. I have no static IP address, and my connection can drop any time, changing the IP address, so I set up a hostname for my router with dyndns. I use this name for the Address entry in the configuration.

WARNING: the IP addresses are specific to my home network. Please check your PI's IP address. Also, you have to configure a static IP address for your PI in your router. Again: check and change the addresses instead of 192.168.87.102 and 192.168.87.0/24.

Also, you have to figure out a nickname for your relay (Nickname line).

I doubled the default bandwidths, because I'm a nice person. :)


The SocksPort entries control where the tor daemon listens for socks connections.

The SocksPolicy lines tell the daemon which socks clients to accept. I accept anything from inside the box, and from my home network.

OrPort and DirPort are for contacting the rest of the network. If you're behind a NAT too (it's very likely), then you have to set up port forwarding to ports 9001 and 9030. Do not forward 9100, that's only for you.

The ContactInfo entry is, well, your contact information. The hex number is my GPG public key fingerprint. This is not mandatory; if you do not have one, you can leave it out. After that comes my name, and my e-mail address. Use only ASCII characters, otherwise you will confuse arm.

The "DisableDebuggerAttachment 0" line allows arm to extract certain information from the tor daemon.

Ok, this is a sensitive part. I configured my node NOT to be an exit node. Exit nodes are tor nodes that can contact the Internet outside the Tor network. They are the last ones in the connection chain and make HTTP requests (for example) on behalf of the client who wants to hide his/her traffic.

As I said, this is useful if you're living in a country with Internet censorship. Or if you're a hacker trying to DoS something. Or you're a paedophile or a terrorist. I'm not trying to judge folks here, but I'm sure law enforcement would judge me if they found out what kind of traffic I'm generating once in a while. Since I'd like to avoid awkward conversations, I decided not to run an exit node, so I wrote "ExitPolicy reject *:*", effectively disabling any traffic to the "clearnet".

A lot of folks are running exit nodes, and they are fine, so if you can, please do set up an exit node. But also be prepared for e-mails from your ISP accusing you of various stuff. It's not a big deal, you're doing nothing illegal (well, it can be country-dependent), but it can be an annoyance.

SocksPort 9050
SocksPort 192.168.87.102:9100

SocksPolicy accept 192.168.87.0/24
SocksPolicy accept 127.0.0.0/8
SocksPolicy reject *
ORPort 9001

Address helldog.mine.nu
Nickname helldog
RelayBandwidthRate 200 KB
RelayBandwidthBurst 400 KB
ContactInfo 0xAAAABA59 FABIAN Tamas Laszlo <giganetom@gmail.com>

DirPort 9030
ExitPolicy reject *:*
DisableDebuggerAttachment 0
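
Before restarting the daemon, it is worth checking that the file really says what the explanation above intends. The following is an added example, not part of the original post and not a Tor tool: the function names are hypothetical, the sample is this post's torrc with the author's LAN addresses, and the SocksPolicy matcher only understands CIDR ranges and `*`.

```python
import ipaddress

# Constructed sample: the relevant lines of the torrc shown in this post.
SAMPLE_TORRC = """\
SocksPort 9050
SocksPort 192.168.87.102:9100
SocksPolicy accept 192.168.87.0/24
SocksPolicy accept 127.0.0.0/8
SocksPolicy reject *
ORPort 9001
DirPort 9030
ExitPolicy reject *:*
"""

def parse_torrc(text):
    """Return {lowercased option: [values]}; skips blank lines and # comments."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        opts.setdefault(key.lower(), []).append(value.strip())
    return opts

def socks_allowed(opts, client_ip):
    """First matching SocksPolicy rule wins; an unmatched address is accepted."""
    ip = ipaddress.ip_address(client_ip)
    for rule in opts.get("sockspolicy", []):
        action, _, pattern = rule.partition(" ")
        pattern = pattern.strip()
        if pattern == "*" or ip in ipaddress.ip_network(pattern, strict=False):
            return action == "accept"
    return True

def audit(opts):
    """Ports to forward on the router, ports to keep private, and exit status."""
    port = lambda v: int(v.split()[0].rsplit(":", 1)[-1])
    return {
        "forward": sorted(port(v) for k in ("orport", "dirport") for v in opts.get(k, [])),
        "never_forward": sorted(port(v) for v in opts.get("socksport", [])),
        "exit_rejected_explicitly": opts.get("exitpolicy", [])[:1] == ["reject *:*"],
    }

if __name__ == "__main__":
    print(audit(parse_torrc(SAMPLE_TORRC)))
```

Because an address that matches no SocksPolicy rule is accepted, the final "SocksPolicy reject *" line is what actually closes the proxy to everyone outside the two listed ranges.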

When you're done editing your configuration, just issue the following command:

service tor start

or

service tor restart

if you've already started the daemon.

If you start iftop or arm now, you will see spiking network traffic and a lot of connections coming and going: your relay is working, congratulations!

You can use your tor node by setting up your browser to use the socks server it provides.

If you are new to Tor, I recommend running the Tor Browser Bundle. This is tor+firefox packaged together. This particular firefox is set up to work securely over Tor. Your average browser might do stuff that would compromise your anonymity.

The TBB can very well be run without a Raspberry PI tor node, since it contains a pre-configured version of the Tor software. If you want to use your own relay node, configure the TBB to use it as a "bridge".

You can set up your RPI tor node as a bridge when you first start TBB, or click on the green onion icon in TBB's firefox, open up network preferences, choose "My Internet Service Provider (ISP) blocks connections to the Tor network", and write your PI's IP and OrPort into the text box, like so: "bridge 192.168.87.102:9001".

There you go.