
Re: [tor-relays] forward relay connections



> On May 23, 2019, at 3:54 AM, tor-relay@xxxxxxxxxx wrote:
> 
> I think that a network based too much on remote VMs, with closed source software running at the deepest machine level, is not very resilient and secure.
> 

Actually, it’s very secure. By default, Tor doesn’t log anything but simple notice messages. In addition, if you use Offline Master Keys (https://trac.torproject.org/projects/tor/wiki/doc/TorRelaySecurity/OfflineKeys) the security of your node is greatly enhanced. As long as you have direct root access to the VM, you’re fine. Also, most VMs use OSS hypervisors such as KVM or Xen.

> So the reason why I was thinking to do so is that I wanted to run a small exit relay on a device running only open source software, like Olimex Lime2 does, and under my direct control.
> 
If you really want to use this device as an exit, I would strongly suggest that you don’t do it at home; there are actually a few companies that specialize in colocation for small hardware platforms such as the Lime2.

> The latency from my home and the VM is not so high (45-50 ms), and I was pretty sure that with a proper configuration I didn't risk that users exit through my home connection. But if you say that with such a small bandwidth it can't run properly, I trust you, so I keep a non-exit relay.

That’s actually very high latency to add to the hop because you’re going to add SSH encryption on top of it, which will add more latency, just to get to the VM? I wouldn’t consider it feasible.

Now that I’m thinking about it, you could try finding a VPN provider that allows Tor and using that VPN provider on your Lime2.

-Conrad

> 
> Anyway thanks for your advice
> 
> On 22/05/19 11:05, nusenu wrote:
>> tor-relay@xxxxxxxxxx:
>> 
>>> I'm running a non-exit relay on a Debian machine (in the next few
>>> months I will switch to *BSD) on a Lime2. 
>>> 
>> I assume you are referring to a relay run at home.
>> 
>> 
>>> I'm running an exit relay
>>> too on a remote VM.
>>> 
>>> I would turn my non-exit relay into an exit one, but for obvious
>>> reasons, I don't want to run it from my shitty ISP IP. I could give
>>> 10-14 mbps from my home connection, so I think that the Lime2 would
>>> be powerful enough to run it properly.
>>> 
>> I would discourage such a setup for the following reasons:
>> 
>> - this setup includes the risk that users will exit 
>> through your home broadband IP address (bad!) if tunnels break down
>> - such setups that introduce an additional hop decrease the user-experience
>> - most users will not be happy with a "10-14mbps" exit at a home broadband connection
>> - it is not clear to me why you would involve your home IP at all for your exit
>> if you have a VM in a datacenter
>> 
>> 
>> nonetheless, thanks for running relays,
>> nusenu
>> 
>> 
>> 
>> 
>> 
>> 
>> _______________________________________________
>> tor-relays mailing list
>> 
>> tor-relays@xxxxxxxxxxxxxxxxxxxx
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
