Forked from gszathmari/CryptoParty Tor relay workshop
Last active: December 18, 2016 00:44
CryptoParty Tor Relay Workshop
==============================
This document provides instructions for launching a virtual machine and configuring it as a Tor relay.
These instructions allow you to set up Linux or FreeBSD relays. They cover both IPv4 and IPv6 configuration.
The guide was created for the CryptoParty workshop on 11/10/2016 in Sydney.
More: https://www.meetup.com/CryptoParty-Sydney/events/234228287/
Launching a Virtual Machine
---------------------------
1. Visit https://www.vultr.com/register/ to register a new user account
   Then apply a promo code under 'Billing' at https://my.vultr.com/billing/
   Promo Codes
   +++++++++++
   NGINX20: +$20.00
   GIVEME10: +$10.00
   Alternatively, visit https://www.vultr.com/register/?register_promo=50for60 to register a new user account
   Promo: Get +$50 for 60 days
   Alternatively (affiliate link): http://www.vultr.com/?ref=6952471-3B
   Promo: Get +$20 when you spend $10
   Disclosure: Gabor gets $30 for the referral from Vultr; it supports https://privacyforjournalists.org.au
2. Verify your email address
3. Link a credit card or PayPal account under 'Billing' on https://my.vultr.com/billing/
4. Go to https://my.vultr.com/deploy/ to launch a new virtual machine (VM)
   Configure the VM as follows:
   1. Server Location: Sydney
   Linux:
   2. Server Type: Ubuntu 16.04 x64
   BSD:
   2. Server Type: FreeBSD
   3. Server Size: 15 GB SSD for $5/mo
   4. Additional Features: Enable IPv6
   5. Startup Script: none
   6. SSH Keys: none (you can add them later)
   7. Server Hostname: myrelay
      Server Label: tor
5. Click the 'Deploy Now' button at the bottom to launch the VM
6. Go to 'Servers' at https://my.vultr.com/
7. Click on your new server to open its details
8. Click on the 'eye' icon in the bottom-left corner to reveal the 'root' password
9. Take note of your SSH login details
   IP Address: <shown on the server details page>
   Username: root
   Password: <as shown at step #8>
Configuring the Operating System
--------------------------------
1. Log into your VM with SSH and change the root password
   Scroll down to the 'SSH Clients' section if you need help with SSH clients
   # passwd
   Enter a long, secure password that only you know.
   Don't re-use a password from another site!
2. Upgrade packages
   Linux:
   # apt-get update && apt-get dist-upgrade -y
   If this fails with "E: Unable to lock the administration directory (/var/lib/dpkg/), is another process using it?", the packages are already being updated automatically in the background. Wait a few minutes and try again.
   BSD:
   # pkg update && pkg upgrade -y
3. Configure auto-upgrade
   Linux only:
   # apt-get install unattended-upgrades -y
   # dpkg-reconfigure --priority=low unattended-upgrades
   Choose 'Yes' when prompted and press 'Enter' to accept the default settings
4. Install Tor
   Linux:
   Add the Tor software repository to Ubuntu:
   # echo 'deb http://deb.torproject.org/torproject.org xenial main' >> /etc/apt/sources.list.d/tor.list
   # echo 'deb-src http://deb.torproject.org/torproject.org xenial main' >> /etc/apt/sources.list.d/tor.list
   Then add the GPG key used to sign the packages by running the following commands at your command prompt:
   # gpg --keyserver keys.gnupg.net --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
   # gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
   Now install Tor, the arm monitor and the keyring package that keeps the repository signing key up to date:
   # apt-get update && apt-get install tor tor-arm deb.torproject.org-keyring -y
   BSD:
   Install Tor with the following command:
   # pkg install tor
Configure Tor as a Relay
------------------------
1. Rename the default Tor configuration file
   Linux:
   # mv /etc/tor/torrc /etc/tor/torrc.default
   BSD:
   # mv /usr/local/etc/tor/torrc /usr/local/etc/tor/torrc.default
2. Open torrc with your favourite text editor
   (Ubuntu and FreeBSD both come with vi installed.)
   Linux:
   # vi /etc/tor/torrc
   BSD:
   # vi /usr/local/etc/tor/torrc
   IPv6:
   Use ifconfig to find the public IPv6 address of your relay.
   The public address is the global one, which starts with 2 (here 2001:..., like 2001:19f0:5801:20b:5400:ff:fe3a:8c60), not the fe80:: link-local address that ifconfig also shows.
   (The IPv6 ORPort line is optional. You can delete it if you don't want your relay to be reachable over IPv6.)
   Add the following config:
   RunAsDaemon 1
   ORPort 9001
   ORPort [your-public-ipv6-address-in-brackets]:9001
   DirPort 9030
   Nickname blah
   AccountingMax 950 GBytes
   AccountingStart month 1 00:01
   ContactInfo John Doe <blah@example.com>
   ExitPolicy reject *:* # no exits allowed
   BSD: Add this extra line:
   Log notice file /var/log/tor/log
   !!! *Important*: Change 'Nickname' and 'ContactInfo' !!!
   Note: The email address in 'ContactInfo' is public. We suggest obscuring the address to avoid spam harvesting.
   If you run more than one Tor relay, add this line:
   MyFamily relay0-fingerprint, relay1-fingerprint, relay2-fingerprint, ...
3. Save the configuration file and exit the editor
4. Start the Tor service
   Linux:
   # systemctl stop tor
   # systemctl start tor
   BSD:
   # echo 'tor_enable="YES"' >> /etc/rc.conf
   # service tor stop
   # service tor start
5. Verify that the relay is starting up properly by monitoring the log file
   # tail -f /var/log/tor/log
   You should see "[notice] Bootstrapped 100%: Done" in the log file if everything is working a-okay.
6. Confirm Tor is running with the 'arm' utility
   Linux only:
   # arm
   You can exit the utility by pressing 'q'
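Before starting Tor (step 4 above), it is worth checking the torrc for the two placeholders this section tells you to change, the non-exit policy, the accounting limit, and an IPv6 ORPort that accidentally uses the fe80:: link-local address. The following POSIX sh functions are an added example written for this page, not part of the workshop notes or of Tor; they assume the torrc layout shown in step 2 and take the torrc path as an argument.

```shell
#!/bin/sh
# Added example, not part of the workshop notes: sanity-check a relay torrc
# before starting Tor. Usage: check_torrc /etc/tor/torrc
# (FreeBSD: check_torrc /usr/local/etc/tor/torrc)

# Print the value of the first uncommented occurrence of a torrc option.
torrc_get() {
    sed -e 's/#.*//' "$2" | awk -v key="$1" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Report every problem found, one per line; return 1 if any, 0 if clean.
check_torrc() {
    f="$1"; bad=0
    nick=$(torrc_get Nickname "$f")
    contact=$(torrc_get ContactInfo "$f")
    policy=$(torrc_get ExitPolicy "$f")
    acct=$(torrc_get AccountingMax "$f")

    # Nickname: not the placeholder 'blah', and at most 19 alphanumerics
    case "$nick" in
        ""|blah) echo "Nickname is missing or still the placeholder 'blah'"; bad=1 ;;
        *[!A-Za-z0-9]*) echo "Nickname '$nick' contains non-alphanumeric characters"; bad=1 ;;
    esac
    [ ${#nick} -le 19 ] || { echo "Nickname '$nick' is longer than 19 characters"; bad=1; }

    # ContactInfo: not the 'John Doe <blah@example.com>' placeholder
    case "$contact" in
        ""|*"John Doe"*|*blah@example.com*) echo "ContactInfo is missing or still the placeholder"; bad=1 ;;
    esac

    # These notes build a non-exit relay, so the policy must be 'reject *:*'
    [ "$policy" = "reject *:*" ] || { echo "ExitPolicy is '$policy', expected 'reject *:*'"; bad=1; }

    # AccountingMax keeps the VM under its monthly bandwidth quota
    [ -n "$acct" ] || { echo "AccountingMax is not set"; bad=1; }

    # An IPv6 ORPort must use a global unicast address (2000::/3), not fe80::
    badv6=$(sed -e 's/#.*//' "$f" | awk '$1 == "ORPort" && $2 ~ /^\[/ && $2 !~ /^\[[23]/ { print $2 }')
    [ -z "$badv6" ] || { echo "IPv6 ORPort $badv6 is not a public (global unicast) address"; bad=1; }

    return $bad
}
```

A non-zero exit status means at least one line was printed; fix those before running the systemctl or service commands in step 4.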
Check out your relay on Tor Atlas
---------------------------------
1. Get the Tor relay fingerprint with the following command
   # cat /var/lib/tor/fingerprint
   (On FreeBSD the Tor data directory is /var/db/tor, so read /var/db/tor/fingerprint instead.)
   The fingerprint is the second block on the line: the long string of letters and numbers after the nickname
2. Open the following URL in your browser:
   https://atlas.torproject.org/#details/<fingerprint from step #1>
   It may take 2-4 hours for your server to appear in Atlas. You should be able to find it by searching for the nickname set by the 'Nickname' parameter in torrc
SSH Clients
-----------
macOS, Linux and BSD:
Open Terminal and enter the following:
$ ssh -lroot <ip address>
Windows:
Download putty.exe from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Homework
--------
- Give @CryptoPartySyd and @Torproject a shout out on Twitter about your new Tor relay
- Patch Ubuntu or FreeBSD manually on a regular basis (on Ubuntu, unattended-upgrades only applies security updates by default)
- Add your SSH public key and disable password authentication
- Read the Tor Exit Guidelines for general info about running a relay (these instructions set up a non-exit relay): https://trac.torproject.org/projects/tor/wiki/doc/TorExitGuidelines
- Set up server monitoring (NewRelic, Uptime Robot)
- Secure your Vultr account with two-factor authentication (https://www.vultr.com/docs/using-two-factor-authentication-to-login-to-vultr-control-panel)
- Add swap (https://trac.torproject.org/projects/tor/wiki/doc/OperationalSecurity#EncryptStorageandSwapSpace)
- Configure a firewall (iptables)
- Protect Ubuntu with two-factor authentication (https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-14-04)
- Forward OS logs to a remote location (Loggly, Papertrail)
- Secure the Tor daemon with AppArmor
- Back up Tor private keys (https://trac.torproject.org/projects/tor/wiki/doc/TorRelaySecurity/OfflineKeys#Backupyourkeys)
- Get involved and join the Tor community (https://www.torproject.org/about/contact.html.en)
- Join the CryptoParty Sydney Telegram channel (https://telegram.me/CryptoPartySyd)