Needle in a Haystack ~ Tor Relays
Since people expressed interest in running relays, I’ve written a guide that can get you set up. There are many ways to run a relay, so for the sake of simplicity, I will focus on virtual private servers running Ubuntu 12.04. Feedback is definitely welcome.
This guide includes instructions for Windows users. I will write Linux instructions in a separate post, and if someone would like to add Mac instructions, I’d greatly appreciate it.
Finding a Hosting Provider
In order to run a relay, you will need a dedicated server or a virtual private server. There are two features you should look for:
1. Geographical location
2. Bandwidth
Other specs like RAM and CPU tend not to matter until the bandwidth gets really high, like on an unmetered server. Most of the time, your bandwidth limits will keep the Tor client well below your RAM and CPU limits.
There is no minimum amount that you need to spend on a server. You can lease a VPS for under $10 a month or a dedicated server for hundreds of dollars. I think every little bit helps, especially if the servers are geographically diverse. For this guide, I’m going to assume you don’t want to drop hundreds of dollars on your first server, so we’ll focus on setting up a small to medium-sized VPS. The price range I’m thinking is $10 – $50 a month, which should give you 512 MB to 1 GB of RAM and 200 GB to 1 TB of bandwidth.
I’m not going to make specific recommendations for hosting providers, for obvious reasons, but most relays are in North America and Europe. It would be nice if we had more relays in South America, Asia and Africa. The infrastructure in Africa is the most underdeveloped, so you may want to focus on finding providers in South America and Asia. They will be more expensive than providers in North America and Europe. If you can’t find providers in your price range, it’s OK to run a relay in North America and Europe. As I said, every little bit helps.
Another thing to consider when searching for a VPS is that there are different virtualization technologies. These include OpenVZ, Xen, VMware, Virtuozzo, and KVM. For this guide, I’m going to recommend running your relay in an OpenVZ container, because it is one of the most popular virtualization technologies, it is generally cheaper than the others for the same specs, your operating system will be installed for you by the hosting provider, and the OpenVZ connection limits aren’t really a problem for low-bandwidth relays. If you want your relay to push more than 1 TB of traffic a month, you should switch to something like Xen or KVM, or a dedicated server.
It’s a good idea to read reviews of the hosting provider before ordering, but this can be tricky. There are a lot of fake web sites with shill reviews. In general, well-known forums with large communities (like webhostingtalk.com) are a better place to look for reviews than random web sites.
When you find a provider that you like, look for their Acceptable Use Policy (AUP), which will sometimes be part of their Terms of Service (TOS). Most hosting providers have links to these documents on their main page. Read through them to find out if they ban proxies. If there is no mention of Tor, “proxies” or “open proxies” almost always include Tor. Some hosting providers specifically ban Tor. Some only ban exit nodes. The latter case is OK, because we will be setting up non-exit relays. You don’t want to waste time setting up a relay that will be shut down a week later because it violates your hosting provider’s AUP.
Ordering a Server
Once you find a hosting provider, you can create an account and order the VPS. I don’t see a problem with leasing a VPS with your real identity. There are 4300 relays at the moment. You will be lost in a big crowd. However, you shouldn’t mention that you set up a relay in this thread or anywhere else on the forum! You shouldn’t use information (like a username) that links you to your Silk Road identity! If you really want anonymity, at the end of this guide there’s a section that offers some suggestions, but keep in mind that takes a lot more work.
During the ordering process, you will be asked to choose an operating system. Select Ubuntu Server 12.04, so we can simplify things. Every VPS provider should have an OpenVZ image for that OS. If the VPS has 512 MB of RAM or less, use the 32-bit version. If it has 1 GB or more, use the 64-bit version.
A common box that you have to fill out is the “domain name”. You don’t need a domain name to order a VPS. You can fill in anything, like example.org. For the server name, put anything you want; it will become the hostname. If it asks for DNS information, just put ns1 and ns2; it doesn’t matter.
Also, lease the VPS on a monthly basis for the first few months, even if there are discounts for longer terms. Your VPS may turn out to have crappy networking or frequent reboots, so you don’t want to pay for a year of hosting and be forced to abandon the VPS after a month.
After ordering, you’ll get an email with the IP address and login details of your VPS.
Configuring the Relay
The first thing we need to do is figure out the RelayBandwidthRate based on the monthly bandwidth limit of the VPS. Keep in mind that most hosting providers count both incoming and outgoing bandwidth, so Tor relay traffic gets counted twice. A VPS that pushes 1 TB of traffic from the perspective of the hosting provider, actually pushes 500 GB of traffic from the perspective of the Tor network (it’s the same data, coming and going).
Let’s say your VPS is allowed 1 TB of traffic per month. That’s 1,000,000 MB. So the rate (per second) that you would use in your Tor configuration is:
1,000,000 / 30 / 24 / 60 / 60 / 2 = 0.192 MB or 192 KB
This is a good place to start. In practice, most relays don’t max out their bandwidth. In fact, many relays only use 30-50% of their max bandwidth rate. You can watch the bandwidth of your relay for a few weeks and increase it if you are using much less than your limit. For example, if in the first two weeks it uses 250 GB (and could have used 500 GB, because that’s half of your 1 TB per month), then you can double the RelayBandwidthRate. It can take a few weeks of adjusting to find the right balance.
After you get the login information, download PuTTY from the web site:
http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
This program lets you connect over a protocol called SSH, or Secure Shell, which creates an encrypted connection to a command prompt on the server. Run PuTTY and fill out the following information:
Host name (or IP address): <your VPS IP address>
Port: 22
Connection type: SSH
Before we go any further, click on the words “Default Settings” under “Saved Sessions” and click the Save button to the right of it. That way you don’t have to enter the IP address each time.
Then click Open. You’ll see a prompt to accept the server’s host key; click Yes. You only have to do this the first time.
login as: root
password: <what you were given>
Note that you can resize the window if it’s too small.
The first thing you should do after logging in is change the root password, especially since it was emailed to you in plaintext. Do that with the following command:
    passwd

And enter the password twice.
BTW, for all of these commands, you can copy them from this guide and paste them into PuTTY by right-clicking in the command prompt window.
Now type

    nano /etc/apt/sources.list

Add this line at the end of the file:

    deb http://deb.torproject.org/torproject.org precise main

Enter the following sequence to save the file and exit: ctrl+x, y, enter
Enter the following lines into the command prompt to install Tor and the relay monitor ARM:

    apt-get update
    apt-get install deb.torproject.org-keyring
    apt-get update
    apt-get install tor tor-arm

Hit Y[enter] whenever it asks you to confirm an action. The first install command will give you a warning because you haven’t imported the PGP key for that software repository yet, which is exactly what that command does.
Now we’ll edit the configuration file to turn our Tor client into a relay. First, back up the original configuration file:

    cp /etc/tor/torrc /etc/tor/torrc.backup

If you screw something up, you can restore Tor to its default state with the following commands:

    cp /etc/tor/torrc.backup /etc/tor/torrc
    service tor restart

Let’s edit the configuration file:

    nano /etc/tor/torrc
Find the following lines and remove the # at the beginning. Anything that follows a # is treated as a comment instead of an instruction to Tor, so removing it turns these lines into instructions.

    ControlPort 9051 # This is a comment that Tor ignores, but everything before the hash is an instruction that Tor reads
    CookieAuthentication 1
    ORPort 9001 # Change this to ORPort 443 !!!!
    Nickname ididnteditheconfig # Change ididnteditheconfig to whatever nickname you want, no spaces, nothing drug or SR related
    RelayBandwidthRate 100 KB # Change 100 KB to whatever you calculated for your server earlier
    RelayBandwidthBurst 200 KB # Make this double the value above. If your server is using too much bandwidth, make this the same as the line above
    ContactInfo Random Person <nobody AT example dot com> # Create a throwaway email address and put it here
    ExitPolicy reject *:* # This line makes your relay a non-exit

Then type: ctrl+x, y, enter

    service tor reload

Congratulations, you’re running a relay!
The RelayBandwidthRate and RelayBandwidthBurst are what you will probably want to adjust after a few weeks of watching your relay’s bandwidth.
A note about the contact info. You don’t need to enter a name. Remove the “Random Person” part entirely. However, you should enter a real email address. The purpose of providing an email address is so that if your relay is misconfigured, the Tor people can contact you and tell you about it. On the other hand, this email address will appear in your relay’s descriptor, which is public, so use an address that is separate from any of your main ones.
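The bandwidth arithmetic from Configuring the Relay and the torrc edits above, as an added example that is not part of the original guide: a POSIX shell script that computes RelayBandwidthRate from a monthly quota and checks a finished torrc for the mistakes the guide warns about (still an exit, default nickname, placeholder ContactInfo, Burst below Rate). The function names and the sample torrc are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original guide: the guide's bandwidth arithmetic
# as a function, plus a sanity check over a finished torrc. The function names and
# the sample torrc below are made up for this example.

# Rate in KB/s for a monthly quota given in GB, counting 1 GB = 1000 MB as the
# guide does. The final /2 allows for the host billing both directions.
relay_rate_kb() {
    quota_gb=$1
    days=${2:-30}
    echo $(( quota_gb * 1000 * 1000 / (days * 24 * 60 * 60 * 2) ))
}

# The two torrc lines for a quota; burst is double the rate, as the guide advises.
torrc_bandwidth_lines() {
    rate=$(relay_rate_kb "$1")
    printf 'RelayBandwidthRate %s KB\nRelayBandwidthBurst %s KB\n' "$rate" "$((rate * 2))"
}

# Audit a torrc for the settings the guide asks for. Comments (everything after #)
# are stripped first. Prints each problem found and returns 1 if there were any.
check_torrc() {
    conf=$(sed 's/#.*//' "$1")
    rc=0
    echo "$conf" | grep -q '^ExitPolicy *reject \*:\*' || { echo "not a non-exit: ExitPolicy reject *:* is missing"; rc=1; }
    echo "$conf" | grep -q '^Nickname *ididnteditheconfig' && { echo "Nickname is still the default"; rc=1; }
    echo "$conf" | grep -q '^ContactInfo.*Random Person' && { echo "ContactInfo still has the placeholder name"; rc=1; }
    rate=$(echo "$conf" | awk '$1 == "RelayBandwidthRate" { print $2 }')
    burst=$(echo "$conf" | awk '$1 == "RelayBandwidthBurst" { print $2 }')
    if [ -n "$rate" ] && [ -n "$burst" ] && [ "$burst" -lt "$rate" ]; then
        echo "RelayBandwidthBurst ($burst) is below RelayBandwidthRate ($rate)"; rc=1
    fi
    return $rc
}

# Constructed sample torrc with three of the mistakes above, for trying the checker out.
SAMPLE_TORRC=$(mktemp)
cat > "$SAMPLE_TORRC" <<'EOF'
ORPort 443
Nickname ididnteditheconfig
RelayBandwidthRate 192 KB
RelayBandwidthBurst 100 KB   # lower than the rate by mistake
ContactInfo Random Person <nobody AT example dot com>
ExitPolicy reject *:*
EOF

torrc_bandwidth_lines 1000    # 1 TB/month -> Rate 192 KB, Burst 384 KB
check_torrc "$SAMPLE_TORRC" || echo "fix the lines above before 'service tor reload'"
```

Run it against /etc/tor/torrc on the VPS before `service tor reload`; the quota argument is the host's monthly cap in GB, so a 1 TB plan is `1000`.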
There is a program called ARM (Anonymous Relay Monitor) that lets you monitor your relay. To run it, type:

    arm

You can press the left and right arrow keys to see the different panels of info. To exit arm, type: q, q
Another way to view info about your relay is to search for it on https://atlas.torproject.org
Finally, to exit the SSH session, type:

    exit

Securing Your Server
The following is not necessary, but it’s an extremely good idea.
A better way to log in to your server is to create a regular user account, disable root logins, create an SSH key for your regular user, and disable password logins. That makes it virtually impossible for someone to break into your server (people try to hack into servers through SSH all day long).
To create a regular user account, enter this command:

    adduser <username>

Change <username> to any one-word username you want.
Enter the password for that user twice, and make it different from root’s password. Leave the rest of the prompts (like Full Name) blank by hitting enter through them, then hit y at the end.
You can test out your new user. Exit the SSH session and launch PuTTY again. Now that you have a regular user, you can add it to the PuTTY configuration so you don’t have to type it in every time.
In the configuration window that you get when PuTTY launches, go to Connection -> Data
Auto-login username: <the regular user you created>
Go back to the Session section, highlight “Default Settings”, and click Save again. Connect to your server. You should only have to enter the password this time, and of course it will be your regular user’s password.
When you log in as the regular user, you can’t do much outside of your home folder. You can’t install or remove software. This is a security feature. You have to become root. In order to do that, type:

    su

And enter root’s password.
To exit being root, type exit, and to completely exit the SSH session, type exit again.
Let’s make this even more secure by adding an SSH key.
Download this program and run it:
http://the.earth.li/~sgtatham/putty/latest/x86/puttygen.exe
Next to “Generate a public/private key pair”, click Generate. This will take a few minutes. Click around randomly to create entropy and speed it up.
When it’s done, it’ll say “Public key for pasting into OpenSSH authorized_keys file”. Copy the entire thing in the box. Log into your server as the regular user and type this:

    mkdir .ssh
    nano .ssh/authorized_keys

Paste that public key in (by right-clicking once, as before). Then hit ctrl+x, y, enter.
Back in PuTTYgen, enter a key pass phrase and confirm it, then click “Save private key” and save it somewhere on your computer. The pass phrase protects your private key just like with PGP. At this point you can exit out of PuTTYgen.
Now launch PuTTY again, and in the configuration window, go to Connection -> SSH -> Auth.
Find the field that says Private key file for authentication, click Browse and select your private key.
Go back to Session, highlight “Default Settings” and Save.
Connect to your server again. This time it will ask you for the pass phrase to your private key, not the password to the regular user.
If you log in successfully, great! You can disable root and password logins. Type:

    su
    nano /etc/ssh/sshd_config

Find these lines (the text after the # is what you should do, not something to type into the file):

    PermitRootLogin yes # Change it to no
    #PasswordAuthentication yes # Remove the # at the beginning and change it to no

Save and exit with ctrl+x, y, enter.
Restart the SSH server:

    service ssh restart

Exit completely out and log back in as the regular user. You should log in just fine. To test your settings, you can change PuTTY to log in as root and it should deny you.
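As an added example that is not part of the original guide, here is a small POSIX shell check to run on the server before `service ssh restart`: it reads sshd_config the way sshd does (first uncommented match wins, a line still starting with # falls back to the compiled-in default) and reports whether root and password logins are really off. The function names and the two sample files are assumptions made for this example; `sshd -t`, mentioned in the comments, is OpenSSH’s own syntax check.

```shell
#!/bin/sh
# Added example, not part of the original guide: check an sshd_config the way
# sshd will read it before 'service ssh restart', so a half-done edit does not
# leave root or password logins open. Function names are made up for this example.

# Effective value of a directive: sshd takes the FIRST uncommented occurrence, and a
# directive that is absent (or still commented out with #) falls back to the
# compiled-in default passed as $3. Keywords are case-insensitive.
sshd_effective() {
    file=$1; key=$2; default=$3
    val=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$file")
    echo "${val:-$default}"
}

# Returns 0 when root logins and every password path are off; otherwise prints
# each directive that is still open and returns 1. ChallengeResponseAuthentication
# is included because with UsePAM yes it would still accept a password via
# keyboard-interactive; Ubuntu's stock file already sets it to no.
sshd_hardened() {
    file=$1
    rc=0
    # Compiled-in defaults for the OpenSSH shipped with Ubuntu 12.04: all "yes".
    for pair in PermitRootLogin:yes PasswordAuthentication:yes ChallengeResponseAuthentication:yes; do
        key=${pair%%:*}; def=${pair##*:}
        val=$(sshd_effective "$file" "$key" "$def")
        [ "$val" = no ] || { echo "$key is $val"; rc=1; }
    done
    return $rc
}

# Constructed sample: the stock file as the guide finds it.
BEFORE=$(mktemp)
printf '%s\n' 'PermitRootLogin yes' '#PasswordAuthentication yes' 'ChallengeResponseAuthentication no' 'UsePAM yes' > "$BEFORE"
# Constructed sample: the same file after the guide's two edits.
AFTER=$(mktemp)
printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' 'ChallengeResponseAuthentication no' 'UsePAM yes' > "$AFTER"

sshd_hardened "$BEFORE" || echo "not yet hardened"
sshd_hardened "$AFTER" && echo "hardened; run 'sshd -t' for a syntax check, then restart"
```

Keep your current PuTTY session open while you restart sshd and test a fresh login, so a mistake can still be undone from the session that is already connected.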
Now think about what an attacker has to do to get into your server. First he has to guess your regular username. Then he has to steal your private key or brute force one that works with your public key. That’s like having a 2048-bit password! Then he has to guess root’s password. Your server is very secure.
Server Maintenance
You should log in to your server every once in a while and update the software. Log in as the regular user, change to root (su), and issue these commands:

    apt-get update
    apt-get dist-upgrade

Purchasing a Server Anonymously
As I said before, I don’t think it’s necessary, but if you want to get a server anonymously, here are some ideas that may or may not work. Suggestions are definitely welcome.
The first thing you need to realize is that the vast majority of hosting providers use fraud detection services, because hackers and spammers love leasing servers anonymously or with stolen credit cards. You almost certainly can’t sign up with a hosting provider from a Tor exit node. A popular fraud detection service called MaxMind claims to block VPNs and open proxies too:
https://www.maxmind.com/en/ipauthentication
If you really want to be anonymous, I don’t think you should be using a VPN anyway, because you’re trusting their word that they don’t log, or that LE won’t compel them to log in the future. The best way to find a “clean” IP address is to point Tor browser at a web proxy. There are web sites that list thousands of them, but for obvious reasons I won’t list them here. You may have to try many web proxies before you find one that isn’t blocked.
The other issue is payment method. There are a few dozen hosting providers that accept bitcoins, which you could use by anonymizing them your normal way, but all of the ones that I know about are in North America and Europe, which doesn’t help the diversity of the Tor network. Again, if you really want to be anonymous, that’s fine because a relay in NA or EU is better than no relay.
Other than bitcoins, there are a few potentially anonymous payment methods with fiat currency.
1. Prepaid debit cards
2. e-currency and precious metals exchanges, like Pecunix
3. an anonymous PayPal account
MaxMind claims to block prepaid debit cards:
https://www.maxmind.com/en/ccv_overview
So I don’t know if that will work.
As far as e-currency exchanges go, Liberty Reserve is gone, so I don’t know what else exists other than Pecunix, but by routing money through several exchanges, you can potentially anonymize it. You’ll have to find a hosting provider that takes these payment methods, or cash out to a different payment method.
Also, you might be able to register a PayPal account by pointing Tor Browser at a web proxy, and use fake info that is geographically close to that proxy, then go to Freenode #bitcoin-otc or localbitcoins.com and sell BTC for PayPal credit that gets deposited to your account, then use that to pay for the server.
All of these methods involve some work and a high chance of failure, but you’re welcome to try them.
Updated: 2014-05-11