Running a TOR bridge / relay / exit node?

Hey!

Is anyone planning to run TOR (relay or exit node) on the router? I thought about the 2 GB upgrade to have enough free resources to do such a thing. It would be the first time, so some assistance would be very welcome!

Max

There are no issues with Tor on OWRT, see https://trac.torproject.org/projects/tor/wiki/doc/OpenWRT. I don't think that you will need 2 GB for that, but of course more memory is always better :slightly_smiling:

Just keep in mind that an exit node in some countries could make you responsible for the outgoing traffic coming from your router, so this could be a serious legal issue.

Thanks for your response! I looked into this and people are running TOR successfully on other (less powerful) hardware. I got the 2 GB upgrade because I'm also planning to let the router handle some other things :relaxed:

Regarding the exit node: Since I'm going to use the Turris Omnia as my home router, a TOR relay would be the best solution. If I'm going to run an exit node (maybe some day in the future), I would do that on a VPS (hosted somewhere) and not from my private address. It's not recommended to mix the traffic of an exit node with personal private traffic, to avoid legal trouble.

M4x

edit:
Legal FAQ for Tor Relay Operators: https://www.torproject.org/eff/tor-legal-faq.html.en
Lifecycle of a new relay: https://blog.torproject.org/blog/lifecycle-of-a-new-relay

I’ve successfully set up a Tor relay node on my Omnia without any problems in about 10 minutes (after the initial reading).

Just do opkg update and opkg install tor, configure (my torrc: https://gist.github.com/peci1/a3639d715594698b7c125a4842ba4008), open port 9001 to the world in firewall, and enable and run the tor service.

However, I also tried making transparent translation of all .onion addresses for machines on local network (so that they can access .onion pages as normal URLs without noticing a change).

I basically followed https://www.grepular.com/Transparent_Access_to_Tor_Hidden_Services with http://wiki.wladik.net/turris/dns-forward-knot for setting up zone forwarding in Knot DNS.

This is the filesystem diff after doing as much as I could: https://gist.github.com/peci1/352a597c07a6432490058f0213cc9bd0 . What works is DNS resolution, which correctly and transparently resolves the .onion addresses to the virtual IPs.

However, I could not get the setup of the TransPort to really route me inside the Tor network. I think the problem should be in my iptables rules, but I’m not very good at creating/debugging them. So now when I start pinging an .onion address, the pings time out, and netstat shows no established connection to port 9040 where the routing inside Tor should happen.

Does anybody know how to proceed?

The routes should ideally redirect all traffic to 10.192.0.0/10 to port 9040 on the Omnia. Best, if it would work both from the router itself and the LAN-side machines.
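The post above asks for the missing piece, the iptables rules that send traffic for the virtual 10.192.0.0/10 range into Tor's TransPort, both from LAN machines and from the router itself. The script below is an added example written for this thread, not the poster's gist and not the Tor project's own code. It prints the torrc lines and the iptables rules rather than applying them, so you can review them before appending them to /etc/tor/torrc and /etc/firewall.user. Assumed names (not stated in the thread): the LAN bridge is br-lan with address 192.168.1.1, the Tor daemon runs as user tor, the DNSPort is 9053, and the owner match on OpenWrt comes from the iptables-mod-extra package. Two checks worth knowing about: REDIRECT rewrites the destination to the address of the interface the packet came in on, so TransPort must listen on the LAN address (and on 127.0.0.1 for the router's own traffic), not only on the default loopback; and TransPort proxies TCP only, so a ping to a .onion address will always time out and will never show a connection to 9040. Test with a TCP client (for example wget or nc against port 80 of the .onion) instead.

```shell
#!/bin/sh
# Added example for the Turris Omnia thread, not code from the original posts.
# Generates torrc lines and iptables rules for a transparent .onion proxy on an
# OpenWrt-based router. Nothing is applied; output is meant to be reviewed and
# then appended to /etc/tor/torrc and /etc/firewall.user.
# Assumptions (not confirmed by the thread): LAN bridge br-lan, LAN address
# 192.168.1.1, Tor running as user "tor", DNSPort 9053, and the `owner` match
# available (iptables-mod-extra on OpenWrt).

LAN_IF="${LAN_IF:-br-lan}"
LAN_ADDR="${LAN_ADDR:-192.168.1.1}"
ONION_NET="${ONION_NET:-10.192.0.0/10}"
TRANS_PORT="${TRANS_PORT:-9040}"
DNS_PORT="${DNS_PORT:-9053}"
TOR_USER="${TOR_USER:-tor}"

# torrc fragment. TransPort is bound twice on purpose: REDIRECT sends LAN
# packets to the br-lan address and the router's own packets to 127.0.0.1,
# so a TransPort listening only on 127.0.0.1 (Tor's default) never sees
# the LAN clients. Knot forwards the .onion zone to DNSPort on 127.0.0.1,
# which is what lets AutomapHostsOnResolve hand out the virtual addresses.
tor_transproxy_torrc() {
    cat <<EOF
VirtualAddrNetworkIPv4 $ONION_NET
AutomapHostsOnResolve 1
AutomapHostsSuffixes .onion,.exit
TransPort $LAN_ADDR:$TRANS_PORT
TransPort 127.0.0.1:$TRANS_PORT
DNSPort 127.0.0.1:$DNS_PORT
EOF
}

# iptables rules. PREROUTING catches LAN clients, OUTPUT catches the router
# itself; Tor's own connections are excluded from OUTPUT so the daemon does
# not loop its circuits back into its own TransPort. Only TCP is redirected
# because TransPort cannot carry ICMP or UDP. The INPUT rule is needed on
# OpenWrt because the LAN zone does not accept arbitrary ports by default
# once the packet has been redirected to the router's own address.
tor_transproxy_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp -d $ONION_NET -j REDIRECT --to-ports $TRANS_PORT
iptables -t nat -A OUTPUT -p tcp -d $ONION_NET -m owner ! --uid-owner $TOR_USER -j REDIRECT --to-ports $TRANS_PORT
iptables -I INPUT -i $LAN_IF -p tcp --dport $TRANS_PORT -j ACCEPT
EOF
}

# Commands to verify the path end to end (printed, not run): a TCP connection
# is the only thing that can prove TransPort works, ping cannot.
tor_transproxy_checks() {
    cat <<EOF
iptables -t nat -L PREROUTING -n -v | grep $TRANS_PORT
nslookup duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion $LAN_ADDR
wget -O /dev/null -S http://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/
netstat -tn | grep :$TRANS_PORT
EOF
}

echo "# --- append to /etc/tor/torrc ---"
tor_transproxy_torrc
echo "# --- append to /etc/firewall.user, then /etc/init.d/firewall restart ---"
tor_transproxy_rules
echo "# --- checks ---"
tor_transproxy_checks
```

The .onion used in the check commands is the DuckDuckGo onion address, chosen only because it is a well-known hidden service that answers on port 80; any other hidden service works the same way. If the nslookup step returns an address outside 10.192.0.0/10, the Knot forwarding is the problem, not the iptables rules; if it returns a virtual address but wget hangs, the REDIRECT rules or the TransPort bind address are wrong, and `iptables -t nat -L PREROUTING -n -v` shows whether the rule's packet counter is increasing.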

Hi, I think I too managed to install a Tor relay on my Omnia. I followed the guide from the Tor site and created a torrc file the same as the one for middle relay on Ubuntu (the configuration is the same as for Omnia). I have not added bandwidth limits or anything, just opened port 9001 in the firewall and indicated the IPv6 address to enable use on this protocol as well. When starting tor, run not as a service, to see the output, I can see that my relay can go outside and I get the message:

Self-testing indicates your ORPort is reachable from the outside. Excellent.
Publishing server descriptor.

Everything should be OK. My doubts:

  • during bootstrap I am told that there is no need to start tor as root and I shouldn't. How can I get around that?
  • on Atlas my relay is present and the data are all correct, but the advertised bandwidth is 0 and not 20 kb/s as explained in the "lifecycle of a new relay".

Could you clarify my ideas, since you have already had a similar experience?

Hi, I’m not sure how you got Tor running as root. If you look into my config, there is a setting telling Tor to run under user tor. I’m not sure whether it is the default or not, but this is what I got. And I verified the tor daemon runs under tor user on my Omnia.

If you used my gist to set up, please change the DataDirectory to somewhere under /srv, otherwise Tor will generate a new encryption key on every Omnia reboot, which is not what you want. I updated that in my gist now.

Regarding bandwidth limits, I’ve no experience with them. Try to set some non-zero limit and see what happens. Also, the atlas can have some delay before it reflects the new state after you change your config.

What happens if it creates a new key every time?

The Tor network doesn't like it and treats you as a new node with every key change... Given the fact that nodes need to accumulate some trustworthiness over time before they are allowed to become part of the real network, changing the key every few weeks would basically render your Tor node unusable.

Ok, that's clear, I've created the directory. Can I now delete the /tor folder in /var/log?

And what about this?

## If you have multiple network interfaces, you can specify one for
## outgoing traffic to use.
## OutboundBindAddressExit will be used for all exit traffic, while
## OutboundBindAddressOR will be used for all OR and Dir connections
## (DNS connections ignore OutboundBindAddress).
## If you do not wish to differentiate, use OutboundBindAddress to
## specify the same address for both in a single line.
#OutboundBindAddressExit 10.0.0.4
#OutboundBindAddressOR 10.0.0.5

Should I create a dedicated relay interface? One outgoing and one incoming? I have only opened the 9001 port to the device and vice versa, I have not created a new dedicated interface.

I’d suggest moving /var/lib/tor to /srv/tor… /var/log/tor should remain (that’s the log folder).

I didn’t set up any kind of dedicated interface for tor. I’m not sure about the security implications, but I think it’s okay.
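The two relay points made in this thread, a DataDirectory that must live on persistent storage so the relay keeps its identity key across reboots, and a torrc that drops to the tor user instead of staying root, are easy to get wrong silently, because Tor starts fine either way and only the fingerprint on Atlas changes. The script below is an added example written for this thread, not the poster's gist and not code from the Tor or Turris projects. It lints a torrc for those mistakes, shows a weak and a corrected middle-relay configuration side by side (both constructed here as samples), and prints the commands for moving an existing /var/lib/tor to /srv/tor without losing the key. Assumptions: on OpenWrt-based systems /var is a symlink to /tmp (a tmpfs), /srv on the Omnia is on persistent storage, and the relay nickname, contact and bandwidth values are placeholders.

```shell
#!/bin/sh
# Added example for the Turris Omnia thread, not code from the original posts.
# Lints a relay torrc for a non-persistent DataDirectory and a missing User,
# using two constructed sample configs. Assumptions: /var and /tmp are tmpfs
# (OpenWrt symlinks /var to /tmp), /srv is persistent on the Omnia.

# Last value of option $2 in torrc $1; comment lines start with "#" so their
# first field never equals an option name.
torrc_value() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Returns 0 if the torrc at $1 is acceptable for a home middle relay,
# 1 otherwise, with one line per problem on stdout.
torrc_lint() {
    rc=0
    datadir=$(torrc_value "$1" DataDirectory)
    case "$datadir" in
        "") echo "DataDirectory unset: the default location is not known to be persistent"; rc=1 ;;
        /var/*|/tmp/*) echo "DataDirectory $datadir is on tmpfs: identity key regenerated on every reboot"; rc=1 ;;
    esac
    [ -n "$(torrc_value "$1" User)" ] || { echo "User unset: tor started from init keeps running as root"; rc=1; }
    [ -n "$(torrc_value "$1" ORPort)" ] || { echo "ORPort unset: this is a client, not a relay"; rc=1; }
    case "$(torrc_value "$1" ExitRelay)" in
        0|"") ;;
        *) echo "ExitRelay enabled: exit traffic would leave from the home address"; rc=1 ;;
    esac
    return $rc
}

# Commands to move an existing DataDirectory ($1) to a persistent one ($2)
# owned by user $3, keeping the same fingerprint (printed, not run).
tor_move_datadir() {
    cat <<EOF
/etc/init.d/tor stop
mkdir -p $(dirname "$2")
mv $1 $2
chown -R $3:$3 $2
chmod 700 $2
sed -i 's#^DataDirectory .*#DataDirectory $2#' /etc/tor/torrc
/etc/init.d/tor start
cat $2/fingerprint
EOF
}

# Constructed samples: the first mirrors a stock install with the data
# directory under /var, the second is the corrected middle-relay torrc.
TORRC_DIR=$(mktemp -d)
TORRC_WEAK="$TORRC_DIR/torrc.weak"
TORRC_FIXED="$TORRC_DIR/torrc.fixed"
cat > "$TORRC_WEAK" <<'EOF'
# constructed sample: stock-style config, keys lost on reboot
ORPort 9001
DataDirectory /var/lib/tor
EOF
cat > "$TORRC_FIXED" <<'EOF'
# constructed sample: corrected home middle relay (placeholder values)
ORPort 9001
ExitRelay 0
User tor
DataDirectory /srv/tor
Nickname ExampleOmnia
ContactInfo admin@example.invalid
RelayBandwidthRate 1 MBytes
RelayBandwidthBurst 2 MBytes
EOF

for f in "$TORRC_WEAK" "$TORRC_FIXED"; do
    echo "== $f"
    if torrc_lint "$f"; then echo "OK"; else echo "needs fixing"; fi
done
echo "== migration commands"
tor_move_datadir /var/lib/tor /srv/tor tor
```

Run the migration commands only while tor is stopped, and compare the contents of the fingerprint file before and after: if it is unchanged, the relay keeps the reputation it has accumulated; if it changes, the old key was already lost and the relay starts over as a new node.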