[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-relays] How to use our own TOR relay as entry node for local network hosts

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-relays] How to use our own TOR relay as entry node for local network hosts
From: "Tor User" <toruser@xxxxxxxxxx>
Date: Wed, 20 May 2015 05:07:05 -0400
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 20 May 2015 05:07:45 -0400
Importance: Normal
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: SquirrelMail/1.4.22-2.fc16

Hello,

We have been operating a moderately successful public tor relay for a
while now.   Having read about how TOR works back a couple of years ago, I
was more or less sold on the idea that if traffic originating on your
local network uses your own TOR relay as the first hop (entry node), then
by the time your traffic has left your tor relay, people in the middle
can't tell the difference between traffic originating from your network
and other (relayed) traffic passing through your TOR relay.

I also understand that this still doesn't protect you from an exit node
being able to see your traffic (and why you should use HTTPS with a
high-quality cipher if it's really important), and that there are other
ways your traffic can be analyzed -- but all in all, I would rather our
TOR traffic enter the TOR network through a relay I *KNOW* I can trust
(mine!) than leave it to chance.

We have polipo running on our public TOR relay, configured to accept
traffic from our local subnets.  We've basically followed the info in this
TOR doco:

https://trac.torproject.org/projects/tor/wiki/doc/CentralizedTorServer

The TOR browser bundle appears to function correctly, ie, it is able to
start up, open circuits, etc. and we get the expected Congratulations!
page opening a new browser window.  But when clicking the green onion to
show the circuit of relays handling the browser's connection, our relay is
never the first hop.

I'm using TBB 5.01a on one particular system, and for an example, it shows
this for the circuit:

- This browser
- Austria (aa.bb.cc.dd)
- Germany (ee.ff.gg.hh)
- Guatemala (ii.jj.kk.ll)
- Internet

I have tried defining an EntryNodes statement with the $fingerprint of our
TOR relay and setting StrictNodes 1 in the TBB's torrc file, but it can't
ever establish a circuit when I try this.  We get messages like this
logged on the browser's tor:

05/20/2015 04:21:20.700 [WARN] Failed to find node for hop 0 of our path.
Discarding this circuit.
05/20/2015 04:21:20.700 [WARN] Failed to find node for hop 0 of our path.
Discarding this circuit.
05/20/2015 04:21:20.900 [NOTICE] Closing no-longer-configured Socks
listener on 127.0.0.1:9150
05/20/2015 04:21:20.900 [NOTICE] DisableNetwork is set. Tor will not make
or accept non-control network connections. Shutting down all existing
connections.
05/20/2015 04:21:20.900 [NOTICE] Closing old Socks listener on
127.0.0.1:9150 05/20/2015 04:21:21.700 [NOTICE] Delaying directory
fetches:
DisableNetwork is set.


Is it possible to define your desired entry node via IP address and port,
or some other way that does not require a successful directory
connection/circuit first?  (so it can find the relay by its fingerprint)? 
It seems like a chicken vs. egg problem...  Or what about defining a
directory for the client to use by its IP/port?  We are operating a public
directory as well.

I can't find any info about this or other approaches anywhere.

So I always end up removing the EntryNodes and StrictNodes statement from
TBB's torrc file, leaving only the HTTPSProxy
aa.bb.cc.dd:<polipo-listen-port> statement in there with the
DataDirectory, GeoIPFile, and GeoIPv6File statements.  It gets the TBB's
on our network to the local polipo proxy, which in turn forwards the
traffic to our public TOR relay.  TBB works fine, but  I don't think our
TOR relay is the one getting to see our traffic with the original source
address with this setup.

It is definitely possible, likely even, that I am misunderstanding parts
of how this is supposed to work or how a central TOR relay/proxy is
supposed to be configured.  But it doesn't seem to me that proxying our
local network's TBB clients' traffic through the polipo instance on our
public TOR relay means that our TOR traffic is being "anonymized" as to
where it originated from before it gets to the first node in the circuit -
or we would be seeing our TOR relay as the first hop when we look at the
circuit in "the green onion button".

If I'm wrong about this, that's great - I'd love to see some documentation
to explain it better if you have any links handy.  But if I'm right, how
can I configure our TBB clients to actually MAKE them use our TOR proxy as
their entry node?

Thanks,
Tor User




_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Follow-Ups:
- Re: [tor-relays] How to use our own TOR relay as entry node for local network hosts
  - From: s7r

Prev by Author: Re: [tor-relays] Leaseweb exit relay notice
Next by Author: Re: [tor-relays] How to use our own TOR relay as entry node for local network hosts
Previous by thread: Re: [tor-relays] Tor relay/btc node script
Next by thread: Re: [tor-relays] How to use our own TOR relay as entry node for local network hosts
Index(es):
- Author
- Thread