Re: [tor-talk] [RELEASE] Raspbian guide and image for Tor nodes
I could produce one of these for the Intel Edison, but I have a feeling
that nobody would use the image file, since the instruction set is still
x86, and that I'm not a trusted source for such software.
On Sun, May 31, 2015 at 7:38 PM, CJ Barlow <cbarlow@xxxxxxxxxxx> wrote:
> Would you like to contribute to the Tor network by running your own relay?
> This is a guide to do just that via a Raspberry Pi 2.
>
> This guide is intended to cover the set up in detail from start-to-finish
> but, as always, will need to be tweaked with community feedback.
>
> In an attempt to make this as plug-and-play as possible I fully prepared
> an image[1] while writing this guide. This image was tested on my
> Raspberry Pi 2.
>
> TL;DR: Download the image file, copy it to your Raspberry Pi 2 MicroSDHC
> card and run a relay.
> You can use either dd[2] or Win32 Disk Imager[3] to write the image to
> your MicroSDHC card. Alternatively, you can follow these instructions to
> tweak the official Raspbian image[4].
>
> *I do not have any experience with a headless set up. Additional
> help/corrections, especially to the SSH part of the guide are
> appreciated.*
>
> Equipment needed:
> - Raspberry Pi 2
> - Ethernet cable
> - 4GB Class 10 (or higher) MicroSDHC card. A 16GB card is recommended.
> - Power supply with at least 2A output.
>
> Some nice-to-have but optional equipment:
> - Case
> - Heatsinks
>
> Step 1:
> - Install a torrent client such as Deluge.[5]
> - Download the image prepared with this guide or the official one. Please be sure to seed it.
> - The prepared image is signed with my GPG subkey.[6]
> - Use either dd or Win32 Disk Imager to write the image to your MicroSDHC card.
>
> Step 2:
> - Insert your MicroSDHC card into the Raspberry Pi 2 and plug it in to power it on.
>
> - If you are using the stock image skip to step 3c.
>
> - The default login for my image is:
> tor / changeme
>
> - Use raspi-config to change the locale settings (keyboard, time zone etc.) and user password:
> sudo raspi-config
>
> - Select Expand Filesystem so the entire SDHC card is available to the Raspberry Pi 2.
> - Press <TAB> twice to select Finish and reboot.
>
> - Bring the image up-to-date with:
> sudo apt-get update
> sudo apt-get upgrade
>
> Step 3a:
>
> - Check that tor is running and the ORPort is reachable:
> sudo tail -f /var/log/tor/notices.log
>
> - The following lines will be in the log file if your Relay is working correctly:
> [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
> [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
> [notice] Self-testing indicates your DirPort is reachable from the outside. Excellent.
> [notice] Performing bandwidth self-test...done.
>
> - If the above lines are not present see the troubleshooting section at the end of the document.
>
> - Please read "Tor Fingerprint backup" at the end of the document.
>
> - As an optional step you can change your relay's nickname. Change the nickname line in torrc with:
> sudo nano /etc/tor/torrc
>
> - Edit the Nickname line, leaving a space between Nickname and what you change it to. For example:
> Nickname pickyourownnickname
>
> - Your Relay is now up and running!
>
> Step 3b (SSH usage)[7][8]:
> - Enable SSH with:
> sudo raspi-config
> - Select Advanced Options:
> Set SSH to Enable.
>
> - Find the IP of your Raspberry Pi 2 with:
> hostname -I
>
> - SSH to the Pi:
> ssh <username>@<Pi IP>
>
> - For off-site usage, I recommend a DynamicDNS on the Relay's connection. This will make SSHing to it easier.
> - The DynamicDNS goes on the Address line of torrc, for example:
> Address thisismy.duckdns.org
>
> - SSH to it with:
> ssh <username>@thisismy.duckdns.org
>
> Step 3c:
> Instructions if using the stock image[9]:
>
> - Select Expand Filesystem so the entire SDHC card is available to the Raspberry Pi 2.
> - Press <TAB> twice to select Finish and reboot.
>
> - The default login is:
> pi / raspberry
>
> - Run raspi-config:
> sudo raspi-config
>
> - Change Internationalisation Options to suit your preferences.
> - When changing locale press the spacebar to select the option(s).
>
> - Select Overclock:
> Pi2
> - Overclocking your Raspberry Pi 2 this way does not void the warranty!
>
> - Select Advanced Options:
> - Hostname is the device name on your network.
>
> - Select Finish and reboot.
>
> - Log back in using:
> pi / raspberry
>
> - Create a new user:
> sudo adduser username
>
> - Load the sudoers list:
> sudo visudo
>
> - Change the last line to:
> username ALL=(ALL)ALL
> - Example:
> bill ALL=(ALL)ALL
>
> - Be sure to leave a space after username *and* below the last line.
> - Press Control + X to close the document.
> - Press Y to save the changes and Enter to accept the default file name.
>
> - Reboot and log in under the username you just created.
> sudo reboot
>
> - Remove the pi user:
> sudo deluser --remove-home pi
>
> - Update the OS and all packages:
> sudo apt-get update
> sudo apt-get upgrade
>
> - Install cron-apt to automate updates.
> sudo apt-get install cron-apt
>
> - Configure a cron job to automatically download updates on a semi-daily basis with:
> sudo nano /etc/cron.d/cron-apt
>
> - Add a # to the start of line 5.
>
> - Change line 6 to "Every 12 hours." Delete the # (and the space) from line 7 and put:
> 0 */12 * * * root test -x /usr/sbin/cron-apt && /usr/sbin/cron-apt /etc/cron-apt/config2
>
> - Run the following once or twice a day to install updates:
> sudo apt-get dist-upgrade
>
> - Install tor with:
> sudo apt-get install tor
>
> - Change the following in /etc/tor/torrc (from top-to-bottom in torrc) with:
> sudo nano /etc/tor/torrc
>
> - Remove the "#" before the following lines (lines with dashes are comments for this guide):
>
> - Change the SocksPort to 0 from 9050.
> SocksPort 9050
>
> Log notice file /var/log/tor/notices.log
> RunAsDaemon 1
>
> - Change the DataDirectory to a RAM drive per TorProject's suggestion.[10]
> - See "Tor Fingerprint backup" at the bottom of this document.
>
> DataDirectory /dev/shm/tor
>
> ORPort 9001
> Nickname pickyourownnickname
>
> - Run a speed test and convert the result to Megabytes by dividing by 8.
> - Alternatively you can use an online bits-to-bytes calculator, such as Google.[11]
> - At least 2 Megabits of upload is recommended for a good relay.
>
> - Set the RelayBandwidthRate to a maximum of 80% of your upload speed.
> - Set the RelayBandwidthBurst to a maximum of 95% of your upload speed.
> - Burst speed is used occasionally.
>
> RelayBandwidthRate
> RelayBandwidthBurst
>
> *Bandwidth accounting is unidirectional, it will use twice what is listed!*
> - To use 50GB per month (starting on the first of the month at midnight):
>
> AccountingMax 25GB
> AccountingStart month 1 00:00
>
> - The contact info is posted online so please keep that in mind!
> ContactInfo Your name <youremail@address>
>
> DirPort 9030
>
> - Be sure to uncomment this line so you only run as a middle relay.
> ExitPolicy reject *:*
> ExitPolicy reject *:*
>
> - Reboot with:
> sudo reboot
>
> - Log back in to the Pi.
>
> - Check that tor is running and the ORPort is reachable:
> sudo tail -f /var/log/tor/notices.log
>
> - The following lines will be in the log file if your Relay is working correctly:
> [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
> [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
> [notice] Self-testing indicates your DirPort is reachable from the outside. Excellent.
> [notice] Performing bandwidth self-test...done.
> [notice] Performing bandwidth self-test...done.
>
> - If these are not present see the troubleshooting section below.
>
>
> THANK YOU for running a relay! :-)
>
> Relay Fingerprint backup:
> Because the Fingerprint is contained on a RAM Drive it is erased in the
> event of a power loss (due to shut down, reboot, etc). This makes your
> Relay appear as "new" each time.
>
> To maintain a steady relay back up the fingerprint to a USB flash drive
> with the following commands:
> First, make a directory to mount the drive to:
> sudo mkdir /mnt/d
>
> If it is the only drive connected and formatted to FAT32 use:
> sudo mount -t vfat /dev/sda1 /mnt/d
>
> If it is formatted to NTFS you will need to install ntfs-3g first:
> sudo apt-get install ntfs-3g
>
> Then mount it with:
> sudo mount -t ntfs /dev/sda1 /mnt/d
>
> To access the RAM drive you need to be root (sudo):
> sudo su
>
> Browse to the Fingerprint location:
> cd /dev/shm/tor/keys
>
> Copy the "secret_id_key", which is the fingerprint, to your flash drive.
> Rename it something memorable like "tor_fingerprint".
> cp secret_id_key /mnt/d/tor_fingerprint
> rm /mnt/tor-root/var/lib/tor/keys/secret_id_key
>
> Invert the copy (cp) command to restore it.
>
> Troubleshooting:
> If you do not see "Self-testing indicates your ORPort is reachable from
> the outside. Excellent." in the notices log you will need to check that
> your port is forwarded correctly in your router.
> If your port forwarding is correct but the ORPort is still unreachable you
> may need a Dynamic DNS. The Dynamic DNS address will be put in the Address
> line in torrc.
> See footnote 13 for an example on setting up a Dynamic DNS.
>
> Extra info:
> To safely shut down the system use:
> sudo shutdown -h now
>
> If Bandwidth accounting is *enabled* the DirPort is automatically disabled.
> Tor uses TCP ports, the UDP ports do *not* need to be forwarded.
>
> OS modifications for my images:
> "Turbo mode" overclocking is enabled with Pi 2 setting. This does *not* void the warranty![12]
> OS hardening enabled via harden-servers package.
> Tor logs are rotated daily, rotated logs are not kept.
> Semi-daily cron job running apt-get update and apt-get upgrade.
> Removed pi (default) user.
> Hostname is RelayPi.
> RelayBandwidthRate and RelayBandwidthBurst are set to 80% and 90% of the Ookla Global Broadband upload speeds, respectively.
> AccountingMax is set to 25GB (50GB per month), starts at midnight on the first day of the month.
>
> [1] https://torrage.com/torrent/64CF7A9D083BA58C31987B2AFA1B34B4334456F7.torrent
> [2] https://www.raspberrypi.org/documentation/installation/installing-images/linux.md
> [3] https://i.imgur.com/gIamfK7.png
> [4] http://downloads.raspberrypi.org/raspbian_latest.torrent
> [5] http://deluge-torrent.org/
> [6] https://pgp.mit.edu/pks/lookup?op=vindex&search=0xD4EB587D15734B19
> Primary Fingerprint:
> 3E37 9905 05C0 050A FEFE C675 D4EB 587D 1573 4B19
> Signing subkey Fingerprint:
> 2F28 004A 19B2 E62B 3690 BF2B CCF6 3BA2 CBE9 49C3
> [7] https://www.raspberrypi.org/documentation/troubleshooting/hardware/networking/ip-address.md
> [8] https://www.raspberrypi.org/documentation/remote-access/ssh/unix.md
> https://www.raspberrypi.org/documentation/remote-access/ssh/windows.md
> [9] http://www.instructables.com/id/Raspberry-Pi-Tor-relay/?ALLSTEPS
> [10] https://trac.torproject.org/projects/tor/wiki/doc/TorRelaySecurity
> [11] https://www.google.com/?q=9000Kbps+to+MBps
> [12] https://www.raspberrypi.org/introducing-turbo-mode-up-to-50-more-performance-for-free/
> [13] https://tor.stackexchange.com/questions/6558/relay-getting-traffic-showing-as-unreachable/6575#6575
>
>
> --
> tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
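
The torrc settings in the quoted guide, worked through as a shell example that is added here and is not part of either message in this thread: `relay_limits` derives the bandwidth and accounting lines from an upload speed, and `audit_torrc` flags a torrc that deviates from the guide's middle-relay settings. The function names, the kbit/s input and the KBytes/GBytes output units are assumptions of this example.

```shell
#!/bin/sh
# relay_limits UPLOAD_KBIT MONTHLY_GB: print torrc limits per the guide.
# Rate is 80% and burst 95% of the upload speed, converted from kbit/s to
# Tor's KBytes (1024 bytes) and rounded down. AccountingMax is half the
# monthly total because the guide notes the limit is counted per direction.
relay_limits() {
    bytes=$(( $1 * 1000 / 8 ))
    echo "RelayBandwidthRate $(( bytes * 80 / 100 / 1024 )) KBytes"
    echo "RelayBandwidthBurst $(( bytes * 95 / 100 / 1024 )) KBytes"
    echo "AccountingMax $(( $2 / 2 )) GBytes"
    echo "AccountingStart month 1 00:00"
}

# torrc_value FILE KEY: value of the last uncommented KEY line, empty if absent.
torrc_value() {
    awk -v k="$2" '{ sub(/[ \t]*#.*/, "") }
        tolower($1) == tolower(k) { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
        END { print v }' "$1"
}

# audit_torrc FILE: print one line per deviation from the guide; status 1 if any.
audit_torrc() {
    rc=0
    [ "$(torrc_value "$1" SocksPort)" = "0" ] ||
        { echo "SocksPort is not 0 (Tor defaults to 9050 when unset)"; rc=1; }
    [ "$(torrc_value "$1" ExitPolicy)" = "reject *:*" ] ||
        { echo "ExitPolicy is not 'reject *:*'"; rc=1; }
    for key in RelayBandwidthRate RelayBandwidthBurst; do
        [ -n "$(torrc_value "$1" "$key")" ] || { echo "$key has no value"; rc=1; }
    done
    return "$rc"
}

# Constructed sample: the guide's settings for a 9000 kbit/s uplink, 50 GB/month.
sample=$(mktemp)
{ echo "SocksPort 0"; echo "ORPort 9001"; relay_limits 9000 50
  echo "ExitPolicy reject *:*"; } > "$sample"
audit_torrc "$sample" && echo "sample torrc matches the guide"
rm -f "$sample"
```

Run `audit_torrc /etc/tor/torrc` after editing; a torrc that still has the guide's blank `RelayBandwidthRate` and `RelayBandwidthBurst` lines is reported as having no value for them.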