CryptoParty Tor Relay Workshop
==============================
This document provides instructions for launching a virtual machine and configuring it as a Tor relay.
These instructions allow you to set up Linux or FreeBSD relays. They cover both IPv4 and IPv6 configuration.
The guide was created for the CryptoParty workshop on 11/10/2016 in Sydney.
More: https://www.meetup.com/CryptoParty-Sydney/events/234228287/
Launching a Virtual Machine
---------------------------
1. Visit https://www.vultr.com/register/ to register a new user account
Then apply promo code on 'Billing' at https://my.vultr.com/billing/
Promo Codes
+++++++++++
NGINX20: +$20.00
GIVEME10: +$10.00
Alternatively, visit https://www.vultr.com/register/?register_promo=50for60 to register a new user account
Promo: Get +$50 for 60 days
Alternatively (affiliate link): http://www.vultr.com/?ref=6952471-3B
Promo: Get +$20 when you spend $10
Disclosure: Gabor gets $30 for the referral from Vultr, it supports https://privacyforjournalists.org.au
2. Verify email address
3. Link credit card or PayPal account under 'Billing' on https://my.vultr.com/billing/
5. Go to https://my.vultr.com/deploy/ to launch a new virtual machine (VM)
Configure the VM as follows:
1. Server Location: Sydney
Linux:
2. Server Type: Ubuntu 16.04 x64
BSD:
2. Server Type: FreeBSD
3. Server Size: 15 GB SSD for $5/mo
4. Additional Features: Enable IPv6
5. Startup Script: none
6. SSH Keys: none (you can add later)
7. Server Hostname: myrelay
Server Label: tor
6. Click on 'Deploy Now' button at the bottom to launch the VM
7. Go to 'Servers' at https://my.vultr.com/
8. Click on your new server to open its details
9. Click on the 'eye' icon in the bottom-left corner to reveal the 'root' password
10. Take note of your SSH login details
IP Address: <shown on the server details page>
Username: root
Password: <as shown at step #9>
Configuring the Operating System
--------------------------------
1. Log into your VM with SSH and change the root password
Scroll down to the bottom if you need help with SSH clients
# passwd
Enter a long, secure password that only you know.
Don't re-use a password from another site!
2. Upgrade Packages
Linux:
# apt-get update && apt-get dist-upgrade -y
If this fails with "E: Unable to lock the administration directory (/var/lib/dpkg/), is another process using it?", it means that the packages are already being updated automatically in the background. Wait a few minutes and try again.
BSD:
# pkg update && pkg upgrade -y
3. Configure auto-upgrade
Linux Only:
# apt-get install unattended-upgrades -y
# dpkg-reconfigure --priority=low unattended-upgrades
Choose 'Yes' when prompted and press 'Enter' for the default settings
4. Install Tor
Linux:
Add the Tor software repository to Ubuntu:
# echo 'deb http://deb.torproject.org/torproject.org xenial main' >> /etc/apt/sources.list.d/tor.list
# echo 'deb-src http://deb.torproject.org/torproject.org xenial main' >> /etc/apt/sources.list.d/tor.list
Then add the gpg key used to sign the packages by running the following commands at your command prompt:
# gpg --keyserver keys.gnupg.net --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
# gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
You can then install Tor with the following command:
# apt-get update && apt-get install tor tor-arm deb.torproject.org-keyring -y
BSD:
You can install Tor with the following command:
# pkg install tor
Configure Tor as a Relay
------------------------
1. Rename the default Tor configuration file
Linux:
# mv /etc/tor/torrc /etc/tor/torrc.default
BSD:
# mv /usr/local/etc/tor/torrc /usr/local/etc/tor/torrc.default
2. Open torrc with your favourite text editor:
(Ubuntu and FreeBSD both come with vi installed.)
Linux:
# vi /etc/tor/torrc
BSD:
# vi /usr/local/etc/tor/torrc
IPv6:
Use ifconfig to find the public IPv6 address of your relay.
The public IP address is the one that starts with 200, like 2001:19f0:5801:20b:5400:ff:fe3a:8c60.
(The IPv6 ORPort line is optional. You can delete it if you don't want your relay to be on IPv6.)
Add the following config:
RunAsDaemon 1
ORPort 9001
ORPort [your-public-ipv6-address-in-brackets]:9001
DirPort 9030
Nickname blah
AccountingMax 950 GBytes
AccountingStart month 1 00:01
ContactInfo John Doe <blah@example.com>
ExitPolicy reject *:* # no exits allowed
BSD: Add this extra line:
Log notice file /var/log/tor/log
!!! *Important*: Change 'Nickname' and 'ContactInfo' !!!
Note: The email address in 'ContactInfo' is public. We suggest obscuring the email address to avoid spam harvesting.
If you run more than one Tor Relay, add this line:
MyFamily relay0-fingerprint, relay1-fingerprint, relay2-fingerprint, ...
3. Save the configuration file and exit the editor
4. Start the Tor service
Linux:
# systemctl stop tor
# systemctl start tor
BSD:
# echo 'tor_enable="YES"' >> /etc/rc.conf
# service tor stop
# service tor start
5. Verify if the relay is starting up properly by monitoring the log file
# tail -f /var/log/tor/log
You should have "[notice] Bootstrapped 100%: Done" in the log file if everything is working a-okay.
6. Confirm Tor is running with the 'arm' utility
Linux Only:
# arm
You can exit the utility by pressing 'q'
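Added example, not part of the original guide: a pre-flight check to run after saving torrc (step 3) and before starting Tor (step 4). It catches the template values that must be changed (Nickname blah, the ContactInfo placeholder, the bracketed IPv6 placeholder) and confirms the non-exit ExitPolicy. The names check_torrc, torrc_value and check_torrc.sh are made up for this example.

```shell
#!/bin/sh
# Added example (not part of the original guide): lint a torrc before starting Tor.

# Print the value of the first occurrence of option $2 in torrc $1,
# dropping any trailing "# comment".
torrc_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) {
        sub(/[ \t]*#.*$/, ""); $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Print one line per problem on stderr; return the number of problems found.
check_torrc() {
    f=$1; problems=0
    fail() { echo "torrc: $*" >&2; problems=$((problems + 1)); }

    nick=$(torrc_value "$f" Nickname)
    case $nick in
        '')             fail "Nickname is not set" ;;
        blah)           fail "Nickname is still the guide's placeholder 'blah'" ;;
        *[!A-Za-z0-9]*) fail "Nickname '$nick' must be letters and digits only" ;;
    esac
    [ "${#nick}" -le 19 ] || fail "Nickname is longer than 19 characters"

    case $(torrc_value "$f" ContactInfo) in
        '')                 fail "ContactInfo is not set" ;;
        *blah@example.com*) fail "ContactInfo is still the guide's placeholder" ;;
    esac

    # The guide sets up a non-exit relay, so the first ExitPolicy must reject all.
    [ "$(torrc_value "$f" ExitPolicy)" = 'reject *:*' ] ||
        fail "ExitPolicy is not 'reject *:*'"

    awk 'tolower($1) == "orport" { found = 1 } END { exit !found }' "$f" ||
        fail "no ORPort line"
    # A bracketed ORPort must be [hex-and-colons]:port, not the template text.
    bad6=$(awk 'tolower($1) == "orport" && $2 ~ /^\[/ &&
        $2 !~ /^\[[0-9A-Fa-f:]+\]:[0-9]+$/ { n++ } END { print n + 0 }' "$f")
    [ "$bad6" -eq 0 ] || fail "$bad6 IPv6 ORPort line(s) are not [address]:port"

    return "$problems"
}

# Usage: sh check_torrc.sh /etc/tor/torrc  (BSD: /usr/local/etc/tor/torrc)
if [ $# -gt 0 ]; then check_torrc "$1"; fi
```

This lint only covers the guide-specific values; Tor's own syntax check is `tor --verify-config -f <path to torrc>`.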
Check out your relay on Tor Atlas
---------------------------------
1. Get the Tor relay fingerprint with the following command
# cat /var/lib/tor/fingerprint
The fingerprint is the second block: a long string of letters and numbers
2. Open the following URL in your browser:
https://atlas.torproject.org/#details/<fingerprint from step #1>
It may take 2-4 hours for your server to appear in Atlas. You should be able to find it by searching for the nickname set by the 'Nickname' parameter in torrc.
SSH Clients
-----------
macOS and Linux and BSD:
Open Terminal and enter the following:
$ ssh -lroot <ip address>
Windows:
Download putty.exe from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Homework
--------
- Give @CryptoPartySyd and @Torproject a shout out on Twitter about your new Tor relay
- Patch Ubuntu or FreeBSD manually on a regular basis (on Ubuntu, unattended-upgrades only applies security updates by default)
- Add your SSH public key and disable password authentication
- Read the Tor Exit Guidelines for general info about running a relay (these instructions set up a non-Exit relay): https://trac.torproject.org/projects/tor/wiki/doc/TorExitGuidelines
- Set up server monitoring (NewRelic, Uptime Robot)
- Secure your Vultr account with two-factor authentication (https://www.vultr.com/docs/using-two-factor-authentication-to-login-to-vultr-control-panel)
- Add swap (https://trac.torproject.org/projects/tor/wiki/doc/OperationalSecurity#EncryptStorageandSwapSpace)
- Configure firewall (iptables)
- Protect Ubuntu with two-factor authentication (https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-14-04)
- Forward OS logs to a remote location (Loggly, Papertrail)
- Secure the Tor agent with AppArmor
- Backup Tor private keys (https://trac.torproject.org/projects/tor/wiki/doc/TorRelaySecurity/OfflineKeys#Backupyourkeys)
- Get involved and join the Tor community (https://www.torproject.org/about/contact.html.en)
- Join the CryptoParty Sydney Telegram channel (https://telegram.me/CryptoPartySyd)