
Tor on the OLPC: Working as a server!



I purchased an OLPC from "the buy one get one" program last year. After
waiting nearly 5 months, FedEx brought it!

I used the terminal program and ran `su -` before running the commands
below.
Anyone attempting this could also use ssh to login to the machine.
Set a password for the olpc user first.
I highly suggest firewalling the olpc, it runs many things as root!
It's just waiting for all the world to contact it.

-bash-3.2# cat /etc/redhat-release
Fedora release 7 (Moonshine)

-bash-3.2# uname -a
Linux xo-10-DA-61.localdomain 2.6.22-20071121.7.olpc.af3dd731d18bc39 #1
PREEMPT Wed Nov 21 00:39:06 EST 2007 i586 i586 i386 GNU/Linux

-bash-3.2# cat /proc/cpuinfo
processor       : 0
vendor_id       : AuthenticAMD
cpu family      : 5
model           : 10
model name      : Geode(TM) Integrated Processor by AMD PCS
stepping        : 2
cpu MHz         : 430.936
cache size      : 128 KB
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 1
wp              : yes
flags           : fpu de pse tsc msr cx8 sep pge cmov clflush mmx mmxext
3dnowext 3dnow
bogomips        : 862.97
clflush size    : 32

-bash-3.2# free
             total       used       free     shared    buffers     cached
Mem:        237848     184084      53764          0          0      58268
-/+ buffers/cache:     125816     112032
Swap:            0          0          0

I would install a few utilities on the OLPC before moving forward:
-bash-3.2# yum install gnupg lsof

You'll need to find the proper libevent rpm to make Tor install. Search
here:
http://rpmfind.net/linux/rpm2html/search.php?query=libevent

I chose to use libevent-1.3b-1.fc7.i386.rpm
You can read about that version of the RPM here:
http://rpmfind.net//linux/RPM/fedora/8/i386/libevent-1.3b-1.fc7.i386.html

When you've decided that it is the one for you, download the libevent RPM:
-bash-3.2# wget ftp://rpmfind.net/linux/fedora/releases/8/Everything/i386/os/Packages/libevent-1.3b-1.fc7.i386.rpm

Then you'll want to download Tor and verify the signature of the Tor RPM:
-bash-3.2# wget https://www.torproject.org/dist/rpm/tor-0.1.2.19-tor.0.fc7.i386.rpm
-bash-3.2# wget https://www.torproject.org/dist/rpm/tor-0.1.2.19-tor.0.fc7.i386.rpm.asc

You'll need the key for the package signature:
-bash-3.2# gpg --keyserver subkeys.pgp.net --search-keys 0x31B0974B
-bash-3.2# gpg --fingerprint 0x31B0974B

You should see the following (If you do not see the right fingerprint,
stop!):
pub   1024D/31B0974B 2003-07-17
      Key fingerprint = 0295 9AA7 190A B9E9 027E  0736 3B9D 093F 31B0 974B

Now verify the RPM:
-bash-3.2# gpg --verify tor-0.1.2.19-tor.0.fc7.i386.rpm.asc
gpg: Signature made Fri Jan 18 22:35:11 2008 EST using DSA key ID 31B0974B
gpg: Good signature from "Andrew Lewman (phobos) <phobos@xxxxxxxxxx>"

If the above doesn't make sense, please read this wiki page about
signatures:
https://wiki.torproject.org/noreply/TheOnionRouter/VerifyingSignatures

Now you'll want to install the two RPMs:
-bash-3.2# rpm -i libevent-1.3b-1.fc7.i386.rpm
-bash-3.2# rpm -i tor-0.1.2.19-tor.0.fc7.i386.rpm

Now you'll want to make up for the fact that the RPM doesn't create two
directories:
-bash-3.2# mkdir /var/log/tor/
-bash-3.2# mkdir /var/lib/tor/

You'll want to make a very basic config:
cat << 'EOF' > /etc/tor/torrc
SocksPort 9050 # what port to open for local application connections
SocksListenAddress 127.0.0.1 # accept connections only from localhost
Log notice file /var/log/tor/notices.log
Nickname olpc
ORPort 443
ORListenAddress 0.0.0.0:9001
DirPort 80 # what port to advertise for directory connections
DirListenAddress 0.0.0.0:9030
ExitPolicy reject *:* # no exits allowed
EOF

I also suggest the firewall advice from the wiki before starting Tor:
cat << 'EOF' > tor-redirect.sh
#!/bin/bash -x
IP=YOURIPGOESHERE
iptables -t nat -A PREROUTING -p tcp -d $IP --dport 443 \
        -j DNAT --to-destination $IP:9001;

iptables -t nat -A PREROUTING -p tcp -d $IP --dport 80 \
        -j DNAT --to-destination $IP:9030;
EOF

Now insert those rules into the firewall:
-bash-3.2# chmod +x tor-redirect.sh
-bash-3.2# ./tor-redirect.sh

Now you can start Tor like so:
-bash-3.2# /etc/init.d/tor start

You should see some nice messages in /var/log/tor/tor.log that look like
the following:
Mar 14 00:54:53.205 [notice] Tor 0.1.2.19 opening log file.
Mar 14 00:54:55.640 [notice] Your Tor server's identity key fingerprint
is 'olpc B286 353F 0BE3 8D25 CB50 00BE A2D5 B006 A8E4 DEB4'
Mar 14 00:55:24.368 [notice] We now have enough directory information to
build circuits.
Mar 14 00:55:30.571 [notice] Tor has successfully opened a circuit.
Looks like client functionality is working.
Mar 14 00:55:30.571 [notice] Now checking whether ORPort 1.2.3.4:443 and
DirPort 1.2.3.4:80 are reachable... (this may take up to 20 minutes --
look for log messages indicating success)
Mar 14 00:55:39.899 [notice] Self-testing indicates your DirPort is
reachable from the outside. Excellent.
Mar 14 00:56:10.790 [notice] Self-testing indicates your ORPort is
reachable from the outside. Excellent. Publishing server descriptor.
Mar 14 00:56:25.685 [notice] Performing bandwidth self-test...done.

Furthermore, lsof should show Tor:
-bash-3.2# lsof -ni|grep tor
tor      3224 _tor    7u  IPv4  73211       TCP *:etlservicemgr (LISTEN)
tor      3224 _tor    8u  IPv4  73212       TCP *:9030 (LISTEN)
tor      3224 _tor    9u  IPv4  73213       TCP 127.0.0.1:9050 (LISTEN)

I hacked up a little bash script[0] (based on Weasel's zsh dotfile) to
test that I could reach it from the outside and it seemed to be
registering itself with the directory authorities just fine:
 ./sd olpc
router olpc 1.2.3.4 443 0 80
platform Tor 0.1.2.19 on Linux i586
published 2008-03-14 07:50:42
opt fingerprint B286 353F 0BE3 8D25 CB50 00BE A2D5 B006 A8E4 DEB4
uptime 28
bandwidth 3145728 6291456 0
onion-key
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAMCMsWTN44Bhe7ZpfiHg6q5OLxVqKGdno/hG4zBHReEnNbsmgequLQBK
6xxlCyf5XuriTaCduhatV2TSBT2l0VlqN41KskrT6MtqCwbcSwwxjBpNNG3oHBaQ
94rl0Y8K4yO2oGdxEoPWOBH/rCompy7oU2CtH5kxCfP2dCiQlRv9AgMBAAE=
-----END RSA PUBLIC KEY-----
signing-key
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAJaBLJfwJROa1X11yOnOFIjIhJIZtht5/bjL9CwGWlSrnr8ftQ3sRfFI
WUESBv9JXPNyRghyOpEB0MKNXybc8zc0BfQBrzpNCEBHP/O/hwKcYmXupkvkJFEY
MPuaqxbX0D9n5LT39gVHBvU467NHXsVq72VIFxDB1ARvRsZxi1aDAgMBAAE=
-----END RSA PUBLIC KEY-----
opt write-history 2008-03-14 07:48:57 (900 s)
149504,7168,8192,0,13312,0,14336,0,23552,2048,18432,4096,13312,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
opt read-history 2008-03-14 07:48:57 (900 s)
2629632,3072,191488,0,196608,0,206848,0,335872,2048,224256,2048,263168,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
reject *:*
router-signature
-----BEGIN SIGNATURE-----
JXCuqec8OIA33pxJYTh44TwBhaxaA8HNVoxVg4F/zTW1AXzvkeXtKk2iaCe0DEmY
W4jTovOFLYLka4hCl5ZTtSez8FnoeRq2bWYRz/NoSkDLRAqJ3Js/9aJDxNSj345f
Nyr58l63m2eRtzlpBamgAXuZL49tRJmK9Uqfk1Yq0NY=
-----END SIGNATURE-----

Enjoy!

Regards,
Jacob Appelbaum

[0] https://tor-svn.freehaven.net/svn/tor/trunk/contrib/sd
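
The fingerprint check in the post ("If you do not see the right fingerprint, stop!") can be enforced by a script instead of by eye. This is an added example, not part of the original message: it reads gpg's machine-readable status output (`--status-fd`) and accepts the RPM only when the VALIDSIG line carries the fingerprint quoted in the post. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/bash
# Added example: accept the RPM only if its detached signature was made by the
# key whose fingerprint is quoted in the post (spacing is ignored).
EXPECTED_FPR="0295 9AA7 190A B9E9 027E  0736 3B9D 093F 31B0 974B"

# Strip whitespace and upper-case, so spaced and unspaced forms compare equal.
normalize_fpr() { printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'; }

# Read gpg --status-fd output on stdin and print the signing key fingerprint
# from the first VALIDSIG line. Prints nothing for BADSIG, ERRSIG or no signature.
validsig_fpr() { awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'; }

# Succeeds only when the status stream holds a VALIDSIG made by EXPECTED_FPR.
# "Good signature" from some other key in the keyring is not enough.
signed_by_expected() {
    local got
    got=$(validsig_fpr)
    [ -n "$got" ] && [ "$(normalize_fpr "$got")" = "$(normalize_fpr "$EXPECTED_FPR")" ]
}

# verify_rpm FILE: check FILE against the detached signature FILE.asc.
verify_rpm() {
    gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null | signed_by_expected
}

# Constructed status lines for offline testing (timestamps are made up).
SAMPLE_GOOD='[GNUPG:] GOODSIG 3B9D093F31B0974B constructed-uid
[GNUPG:] VALIDSIG 02959AA7190AB9E9027E07363B9D093F31B0974B 2008-01-19 1200713711 0 3 0 17 2 00 02959AA7190AB9E9027E07363B9D093F31B0974B'
SAMPLE_OTHER_KEY='[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA constructed-uid
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2008-01-19 1200713711 0 3 0 17 2 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
SAMPLE_BAD='[GNUPG:] BADSIG 3B9D093F31B0974B constructed-uid'

# Stand-alone use: pass the RPM path as the only argument.
if [ $# -eq 1 ]; then
    verify_rpm "$1" && echo "signature valid and made by the expected key"
fi
```

Run it before `rpm -i`; a non-zero exit status means the package should not be installed.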
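
The post recommends firewalling the OLPC but shows only the NAT redirect rules. The following added example (not part of the original message) generates a default-deny filter table to sit alongside tor-redirect.sh. The function names, the optional SSH source argument and the 192.0.2.x addresses in the usage comment are assumptions made for illustration.

```shell
#!/bin/bash
# Added example: default-deny inbound filter rules for the relay in the post.

# valid_ipv4 ADDR: true for a dotted quad with every octet in 0-255.
# Rejects the YOURIPGOESHERE placeholder left unedited.
valid_ipv4() {
    local IFS=. o n=0
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    for o in $1; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# filter_rules IP [SSH_SRC]: print an iptables-restore ruleset.
# The DNAT in PREROUTING runs before the filter INPUT chain, so INPUT sees the
# rewritten ports 9001/9030; rules written for 443/80 would never match.
filter_rules() {
    valid_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 1; }
    printf '%s\n' \
        "*filter" \
        ":INPUT DROP [0:0]" \
        ":FORWARD DROP [0:0]" \
        ":OUTPUT ACCEPT [0:0]" \
        "-A INPUT -i lo -j ACCEPT" \
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "-A INPUT -p tcp -d $1 --dport 9001 -j ACCEPT" \
        "-A INPUT -p tcp -d $1 --dport 9030 -j ACCEPT"
    if [ -n "${2:-}" ]; then
        # Optional: allow ssh logins from one management address only.
        valid_ipv4 "$2" || { echo "not an IPv4 address: $2" >&2; return 1; }
        printf '%s\n' "-A INPUT -p tcp -s $2 --dport 22 -j ACCEPT"
    fi
    printf '%s\n' "COMMIT"
}

# Usage (as root), with constructed documentation addresses:
#   filter_rules 192.0.2.10 192.0.2.20 | iptables-restore
# Only the filter table is named, so the nat rules from tor-redirect.sh stay.
```

Everything else listening on the machine, including the services running as root, stays unreachable from the network while the SocksPort remains bound to 127.0.0.1.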