
Run a Tor Node | Learn By Doing

Running a Tor node is an excellent way to advocate for privacy while learning system administration. It also costs a lot less than you probably think.
Tor Enables Human Rights
Human rights, including privacy and freedom of speech, are under attack worldwide [1]. We need a decentralized, guerrilla movement of resistance that is not purely technological [2]. Technology is, however, an essential part of enabling resistance to censorship and the loss of anonymity, especially in the short term.

Tor is an especially important technology that helps on both fronts. Tor is an overlay network on top of the internet that hides a user's IP address from the services they reach and, when paired with the Tor Browser, helps defeat the browser fingerprinting that enables web surveillance. Tor also allows publishing anonymous internet services, called "onion" (formerly "hidden") services. Tor is used to exercise freedom of association and speech and to access information, and it is used by whistleblowers, human rights advocates, dissidents, journalists, and everyday people.
Tor Needs You!

The Tor Project is a non-profit organization responsible for developing Tor and the Tor Browser and for advocacy around them. The Tor Project does not operate the Tor network itself, although it steers the design to meet its goals, and the small set of directory authorities, run by trusted operators, publish the signed list of relays (the consensus) and drop known malicious relays from it.

The integrity of the Tor network depends on having a wide variety of operators. The underlying premise of "onion routing" is that your traffic passes through several independent parties, none of whom sees the whole picture. If any one actor controls too large a share of the relays, it sees both ends of more circuits and can deanonymize users. Tor has a good-faith mitigation for this: an operator can declare that several relays belong to the same organisation (the MyFamily option), and clients will not use two relays from one family in the same circuit. But malicious actors, governments included, do not act in good faith. To be robust the Tor network needs a large, unrelated, decentralized set of operators acting in good faith. And that means you.
Operating a Tor node is cheap

Operating a Tor node is cheap and a great opportunity to learn system administration while advocating for your values. The best way to learn anything is to do it. I have personally found that no amount of reading system administration books, or running *nix on my personal machines, has been anything like running a service and offering it to the public. Operating a relay lets you learn:

    How to install, update, and maintain common services.
    How to secure an internet-facing host with firewalls (nftables, pf), brute-force blocking (fail2ban, blacklistd), automatic updates, and detective controls (snort, logwatch).
    How to monitor a host. For what a Tor node costs to run, it is an excellent education.

Operating a Relay

There are a few different kinds of Tor node: non-exit relays (guard and middle), exit relays, and bridges. The core of the network, and the lowest-risk kind to operate, is a non-exit relay. Operating one carries little risk as long as the government near you does not harm Tor users: the relay's IP address will be publicly listed, but you will hold no useful information to hand anyone. The traffic through it is encrypted, and its ultimate source and destination are unknown to you.
Operating From Home

You can operate a Tor relay from home, probably for free. This is not ideal for a few reasons, which may or may not apply to you. First, your bandwidth may be metered. This is not a deal breaker, because Tor has accounting options (AccountingMax) that keep you under a monthly cap, and rate limits (RelayBandwidthRate and RelayBandwidthBurst) that let you donate only spare bandwidth so your own connection does not slow down. Second, if you port-forward through a consumer router, the router may not be able to handle the number of incoming connections a relay attracts. This is harder to mitigate, as Tor offers no option to cap the number of concurrent connections; a lower rate limit reduces the load somewhat, because clients pick relays in proportion to their measured bandwidth.
Operating From a Data Centre

More realistic is operating from a Virtual Private Server (VPS). A VPS is rented monthly, and provides an instance of an operating system for you to run public services on. No port forwarding is necessary as it already has a public IP address. You can expect to pay between $3 - $10 USD per month.

There are a couple of interesting concerns to balance here:

    Your anonymity as the operator
    The price you pay for the VPS
    The service you get from the VPS, and
    The VPS provider and operating system

As a non-exit relay operator you are at low risk, and you may even want to identify yourself. In fact, the Tor Project will offer you a T-shirt for operating a relay. Risks to your anonymity are generally related to the information you hand the VPS provider. Means of payment, name, address, the IP address you use to interact with the provider or administer the server, and even a reused username or email could identify you. Think about whether this is a concern for you. If you want to retain your anonymity, check out accountless VPSs: some providers will let you create virtual servers without a user account or any identifying details at all.

As a recurring bill, you will want to minimize the cost of the VPS. Research done up front can save serious money in the long term.

VPSs have specs: memory, bandwidth, virtual CPUs, and disk space. A relay needs little CPU or disk; bandwidth is what matters. The Tor Project recommends 2 TB per month, but as a volunteer you get to make your own decision.

Most interestingly, the reason you are needed is that Tor needs to be decentralized. If all the VPSs that make up the network are hosted in the same data centres under the control of the same companies, the risk goes up. Operating a Tor node on a less common network is therefore more valuable. Of course, interacting with VPS providers and determining relay policy takes time and effort. Further, the Tor network benefits from diversity in operating systems: currently almost all Tor nodes are Linux machines. Similarly configured hosts mean the entire network is more likely to share the same vulnerabilities, which reduces its security. Choosing an alternative operating system contributes to diversity, at the price of perhaps having less support. Running any Tor node is better than running none. Do not let the perfect be the enemy of the good.
An Actual Setup: Accountless FreeBSD VPS on DigitalOcean via SporeStack at $8.99 per month

Here I am going to demonstrate how to run a Tor node in a way that maximizes your anonymity, at the expense of choosing a less common provider and paying a decent premium for the service.

Here is the overview:

    Create the VPS on Sporestack
    Install Tor
    Edit the torrc config file to make a relay
    Enable and start Tor

SporeStack.com is a no-bullshit accountless VPS provider. You give them BTC and an ssh public key; they give you the public IP address of your new machine. No personal information required. SporeStack supports a variety of operating systems including FreeBSD, Ubuntu and CentOS. SporeStack currently only resells DigitalOcean, where a similar VPS is 5 USD/mo; they charge 9 USD/mo but accept BTC and require no personal information. This plan also only offers 1 TB of transfer, half the recommended 2 TB.

To create an ssh key pair, use the ssh-keygen command (ed25519 keys are short and are the current default recommendation):

ssh-keygen -t ed25519 -f tor_vpskey

This writes the private key to tor_vpskey and the public key to tor_vpskey.pub. The contents of the .pub file, the public key itself rather than its fingerprint, is what SporeStack asks for. The private key never leaves your machine.

Log in to your VPS over ssh using the IP address from the JSON file SporeStack generates:

ssh -i <key_file_path> root@<ipaddr>

Now we can install Tor. On FreeBSD the package manager is pkg:

pkg install tor

Now we do the most serious part of the exercise: setting up the Tor service. The config file is /usr/local/etc/tor/torrc. The file is commented and the options are mostly self-documenting.

    1.) Uncomment the ORPort line by removing the '#' character and set ORPort 9001. Uncommenting this line is what makes you a relay.
    2.) Set your nickname by uncommenting the Nickname line and filling in anything you want (1 to 19 letters and digits). It distinguishes your relay from others and is public.
    3.) Set your admin contact by uncommenting ContactInfo. This field can be anything you want, including empty. I chose to use a unique identifier and email so that I could preserve my anonymity while being reachable for administrivia.
    4.) Add ExitRelay 0 so the relay refuses all exit traffic regardless of what your Tor version does by default. A non-exit relay is what we set out to run.
    5.) Set up accounting to keep the Tor daemon inside the provider's transfer cap. Tor counts this in a way that surprises people: AccountingMax is applied to bytes sent and bytes received separately, so the relay can move up to twice that amount in total. AccountingMax should therefore be half of the real limit you want. On a 1 TB plan, reserving 2 GB for admin traffic gives 499 GB per direction per month, so the accounting lines look like:

AccountingMax 499 GBytes
AccountingStart month <day of month the billing period starts, 1-28> <HH:MM>

Now enable tor in rc.conf and (re)start it. On FreeBSD the rc script refuses to start a service that is not enabled, so sysrc comes first:

sysrc tor_enable=YES
service tor restart

That's it! We have a Tor relay operating. Within about twenty minutes the log should report that the ORPort is reachable and the descriptor is published; a new relay then goes through a ramp-up lasting days to weeks before it carries much traffic, so do not worry if the graphs stay flat at first.
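The steps above, from ORPort through accounting, and the home-operation rate limits from earlier, put together in one script. This is an added example and not code from the post or from the Tor Project; it assumes the FreeBSD tor package with its config at /usr/local/etc/tor/torrc, a provider cap of 1000 GB per month, and placeholder nickname and contact values that you replace with your own. Besides the accounting arithmetic it derives a RelayBandwidthRate that spreads the monthly quota evenly over 30 days, so the relay stays up all month instead of burning its quota and hibernating.

```shell
#!/bin/sh
# Added example, not from the page: build a non-exit relay torrc and install
# it on FreeBSD. Nickname, contact and budget are parameters; the defaults
# below are placeholders.

TORRC=/usr/local/etc/tor/torrc

# AccountingMax is applied to sent and received bytes separately, so the relay
# can move up to twice the configured value. Halve the provider's cap and keep
# a small reserve (default 2 GB, i.e. 1 GB per direction) for ssh and pkg.
accounting_max_gb() {
    budget_gb=$1
    reserve_gb=${2:-2}
    echo $(( (budget_gb - reserve_gb) / 2 ))
}

# Rate (KBytes/s) that spreads one direction's monthly quota over 30 days.
# Tor refuses to run a relay below 75 KBytes/s, so never go under that.
spread_rate_kbytes() {
    max_gb=$1
    rate=$(( max_gb * 1024 * 1024 / (30 * 86400) ))
    if [ "$rate" -lt 75 ]; then rate=75; fi
    echo "$rate"
}

gen_torrc() {
    nickname=$1      # 1-19 letters and digits; public
    contact=$2       # public as well; use a dedicated address
    budget_gb=$3     # provider's monthly transfer cap
    start_day=$4     # day of month the billing period starts (1-28)
    start_time=$5    # HH:MM; servers are simplest kept on UTC
    max_gb=$(accounting_max_gb "$budget_gb")
    rate=$(spread_rate_kbytes "$max_gb")
    cat <<EOF
# Relay configuration written by the added example script
ORPort 9001
Nickname ${nickname}
ContactInfo ${contact}

# Non-exit relay: say so explicitly instead of relying on version defaults.
ExitRelay 0
# A relay has no local clients, so no SOCKS listener.
SocksPort 0

# Monthly cap; tor hibernates when it is hit and wakes at the next period.
AccountingMax ${max_gb} GBytes
AccountingStart month ${start_day} ${start_time}

# Spread the quota over the month; Burst lets short spikes through.
RelayBandwidthRate ${rate} KBytes
RelayBandwidthBurst $(( rate * 2 )) KBytes

# If you run several relays, list all their fingerprints here (MyFamily).
#MyFamily <fingerprint>,<fingerprint>

# Local control port for nyx; cookie authentication keeps it off-limits.
ControlPort 9051
CookieAuthentication 1
EOF
}

apply_relay() {
    tmp=$(mktemp) || return 1
    gen_torrc "$@" > "$tmp"
    # Parse the new file before it replaces the live one.
    if ! tor --verify-config -f "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    if [ -f "$TORRC" ]; then cp "$TORRC" "$TORRC.bak"; fi
    mv "$tmp" "$TORRC"
    chmod 644 "$TORRC"
    # The FreeBSD tor package's post-install message recommends random IP IDs.
    grep -q '^net.inet.ip.random_id=1' /etc/sysctl.conf 2>/dev/null ||
        echo 'net.inet.ip.random_id=1' >> /etc/sysctl.conf
    sysctl net.inet.ip.random_id=1
    # service tor restart only works once tor_enable is set in rc.conf.
    sysrc tor_enable=YES
    service tor restart
}

# Usage on the VPS: sh relay.sh apply MyRelay 'relay-ops@example.org' 1000 3 15:00
if [ "${1:-}" = apply ]; then
    shift
    apply_relay "$@"
fi
```

With the 1000 GB plan from the post this yields AccountingMax 499 GBytes and a RelayBandwidthRate of 201 KBytes/s per direction; tor --verify-config catches typos before the running relay is touched, and the previous torrc is kept as torrc.bak.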
Bonus : Monitor with Nyx

Running a Tor node isn't really sexy without graphs. How do you know it's working? How much data have you moved? Nyx is a Tor node monitoring tool that draws a bandwidth graph, shows that your node is up, and shows in real time how much data is being moved. Nyx talks to Tor over the control port, so the torrc needs ControlPort 9051 and CookieAuthentication 1 (restart tor after adding them). Install the program with:

pkg install nyx

Run the program with: nyx

Quit with ‘q’.

Check out The Coarse Enigma guide to Unprivileged Monitoring of Tor here.
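Nyx answers "is it working?" interactively; for a cron job or a quick check over ssh you can get the same answer from Tor's own notice log, which is also where the reachability self-test reports. The following is an added example and not part of the post; it assumes a torrc line "Log notice file /var/log/tor/notices.log", and the sample log lines are constructed to resemble Tor's messages (documentation addresses, not a real relay).

```shell
#!/bin/sh
# Added example, not from the page: classify a relay from its notice log.

relay_status() {
    # Reads a tor notice log on stdin, prints one of reachable / unreachable /
    # hibernating / unknown, and returns 0 only for reachable. The last
    # matching line wins, so a relay that came up and then hit AccountingMax
    # reports hibernating rather than reachable.
    awk '
        /Self-testing indicates your ORPort .* is reachable from the outside/ { state = "reachable" }
        /has not managed to confirm/ && /ORPort/                           { state = "unreachable" }
        /commencing hibernation/                                           { state = "hibernating" }
        END {
            if (state == "") state = "unknown"
            print state
            exit (state == "reachable") ? 0 : 1
        }
    '
}

# Constructed samples, not copied from a real relay.
LOG_HEALTHY=$(cat <<'EOF'
May 02 12:00:01.000 [notice] Bootstrapped 100% (done): Done
May 02 12:00:05.000 [notice] Now checking whether IPv4 ORPort 203.0.113.10:9001 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
May 02 12:01:10.000 [notice] Self-testing indicates your ORPort 203.0.113.10:9001 is reachable from the outside. Excellent. Publishing server descriptor.
EOF
)
LOG_FIREWALLED=$(cat <<'EOF'
May 02 12:00:01.000 [notice] Bootstrapped 100% (done): Done
May 02 12:00:05.000 [notice] Now checking whether IPv4 ORPort 203.0.113.10:9001 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
May 02 12:20:05.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at 203.0.113.10:9001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
EOF
)
LOG_OVER_QUOTA=$(cat <<'EOF'
May 02 12:01:10.000 [notice] Self-testing indicates your ORPort 203.0.113.10:9001 is reachable from the outside. Excellent. Publishing server descriptor.
May 29 03:14:00.000 [notice] Bandwidth soft limit reached; commencing hibernation. No new connections will be accepted
EOF
)

# On the relay: relay_status < /var/log/tor/notices.log || echo "relay needs attention"
# Demo on the constructed samples (prints reachable, unreachable, hibernating):
for sample in "$LOG_HEALTHY" "$LOG_FIREWALLED" "$LOG_OVER_QUOTA"; do
    printf '%s\n' "$sample" | relay_status || true
done
```

An "unreachable" result almost always means the ORPort is blocked somewhere between the internet and tor (a firewall rule, a provider-side filter, or at home the router's port forward), while "hibernating" is the accounting doing its job and needs no action until the next period.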
Next Steps

Now that you have a Tor node running, you have to secure it. The Tor daemon itself exposes little adjustable attack surface, so start by securing ssh, most immediately against brute-force attacks: look into blacklistd. Can you set up one-time passcodes? How about a firewall with pf? How about running a hidden blog on top of your Tor node? Now that you have a VPS you have a live box to experiment with. Don't knock it down too much, or it won't actually be providing the community service you hoped to provide. Happy hacking. 🙂
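A starting point for the ssh and pf items above, as an added example that is not part of the post: a fail-closed pf rule set that only admits ssh and the ORPort, the anchor that lets blacklistd drop brute-forcers, and the sshd settings that turn passwords off and report failed logins to blacklistd. It assumes DigitalOcean's FreeBSD image, where the public interface is vtnet0; interface and ports are parameters so you can adapt them.

```shell
#!/bin/sh
# Added example, not from the page: pf, blacklistd and sshd hardening for the
# relay host. Run from the console, or from a session you can afford to lose.

gen_pf_conf() {
    ext_if=${1:-vtnet0}
    ssh_port=${2:-22}
    or_port=${3:-9001}
    cat <<EOF
ext_if = "${ext_if}"
set skip on lo0
set block-policy drop
scrub in on \$ext_if all

# Sources that tripped the ssh rate limit below; pf fills it, you flush it.
table <bruteforce> persist

# Default deny inbound; outbound is open because the relay dials other relays.
block in log on \$ext_if all
pass out quick on \$ext_if keep state

# blacklistd(8) inserts block rules for failed-login sources under this anchor.
anchor "blacklistd/*" in on \$ext_if
block in quick on \$ext_if from <bruteforce>

# ssh: more than 5 new connections in 30 s from one source lands it in the table.
pass in on \$ext_if inet proto tcp to (\$ext_if) port ${ssh_port} flags S/SA keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)
# The ORPort is the only other listener the internet needs to reach.
pass in on \$ext_if inet proto tcp to (\$ext_if) port ${or_port} flags S/SA keep state
pass in on \$ext_if inet proto icmp icmp-type echoreq keep state
EOF
}

gen_sshd_hardening() {
    cat <<'EOF'
# Appended by the added hardening example: keys only, no passwords.
PermitRootLogin prohibit-password
PasswordAuthentication no
ChallengeResponseAuthentication no
# FreeBSD's sshd reports failed logins to blacklistd(8) with this option.
UseBlacklist yes
EOF
}

apply_hardening() {
    gen_pf_conf "$@" > /etc/pf.conf
    # Parse only; a typo here must not take the box offline.
    pfctl -nf /etc/pf.conf || return 1
    gen_sshd_hardening >> /etc/ssh/sshd_config
    sshd -t || return 1
    sysrc pf_enable=YES blacklistd_enable=YES
    # Safety net: if the new rules cut this ssh session, pf disables itself
    # after three minutes. Once you have reconnected, kill the sleeper.
    nohup sh -c 'sleep 180; pfctl -d' > /dev/null 2>&1 &
    service pf restart
    service blacklistd start
    service sshd reload
}

# Usage on the VPS: sh harden.sh apply vtnet0 22 9001
if [ "${1:-}" = apply ]; then
    shift
    apply_hardening "$@"
fi
```

pf evaluates rules last-match-wins except where quick is given, so the ordering matters: the table is declared before anything references it, the blanket block comes first, and the quick block on the table beats the later pass rules. Check who is on the table with pfctl -t bruteforce -T show, and remember that loading a stateful rule set over ssh can drop the session you loaded it from, which is what the timed pfctl -d is for.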
