
Re: [tor-talk] [RELEASE] Raspbian guide and image for Tor nodes



I could produce one of these for the Intel Edison, but I have a feeling
that nobody would use the image file, since the instruction set is still
x86, and that I'm not a trusted source for such software.

On Sun, May 31, 2015 at 7:38 PM, CJ Barlow <cbarlow@sigaint.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Would you like to contribute to the Tor network by running your own relay?
> This is a guide to do just that via a Raspberry Pi 2.
>
> This guide is intended to cover the set up in detail from start-to-finish
> but, as always, will need to be tweaked with community feedback.
>
> In an attempt to make this as plug-and-play as possible I fully prepared
> an image[1] while writing this guide. This image was tested on my
> Raspberry Pi 2.
>
> TL;DR: Download the image file, copy it to your Raspberry Pi 2 MicroSDHC
> card and run a relay.
> You can use either dd[2] or Win32 Disk Imager[3] to write the image to
> your MicroSDHC card. Alternatively, you can follow these instructions to
> tweak the official Raspbian image[4].
>
> *I do not have any experience with a headless set up. Additional
> help/corrections, especially to the SSH part of the guide are
> appreciated.*
>
> Equipment needed:
> - Raspberry Pi 2
> - Ethernet cable
> - 4GB Class 10 (or higher) MicroSDHC card. A 16GB card is recommended.
> - Power supply with at least 2A output.
>
> Some nice-to-have but optional equipment:
> - Case
> - Heatsinks
>
> Step 1:
>         - Install a torrent client such as Deluge.[5]
>         - Download the image prepared with this guide or the official one. Please be sure to seed it.
>                 - The prepared image is signed with my GPG subkey.[6]
>         - Use either dd or Win32 Disk Imager to write the image to your MicroSDHC card.
>
> Step 2:
>         - Insert your MicroSDHC card into the Raspberry Pi 2 and plug it in to power it on.
>
>         - If you are using the stock image skip to step 3c.
>
>         - The default login for my image is:
>                 tor / changeme
>
>         - Use raspi-config to change the locale settings (keyboard, time zone etc.) and user password:
>                 sudo raspi-config
>
>         - Select Expand Filesystem so the entire SDHC card is available to the Raspberry Pi 2.
>                 - Press <TAB> twice to select Finish and reboot.
>
>         - Bring the image up-to-date with:
>                 sudo apt-get update
>                 sudo apt-get upgrade
>
> Step 3a:
>
>         - Check that tor is running and the ORPort is reachable:
>                 sudo tail -f /var/log/tor/notices.log
>
>         - The following lines will be in the log file if your Relay is working correctly:
>                 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
>                 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
>                 [notice] Self-testing indicates your DirPort is reachable from the outside. Excellent.
>                 [notice] Performing bandwidth self-test...done.
>
>                 - If the above lines are not present see the troubleshooting section at the end of the document.
>
>         - Please read "Tor Fingerprint backup" at the end of the document.
>
>         - As an optional step you can change your relay's nickname. Change the nickname line in torrc with:
>                         sudo nano /etc/tor/torrc
>
>                 - Edit the Nickname line, leaving a space between Nickname and what you change it to. For example:
>                         Nickname pickyourownnickname
>
>         - Your Relay is now up and running!
>
> Step 3b (SSH usage)[7][8]:
>         - Enable SSH with:
>                 sudo raspi-config
>                         - Select Advanced Options:
>                                 Set SSH to Enable.
>
>         - Find the IP of your Raspberry Pi 2 with:
>                 hostname -I
>
>         - SSH to the Pi:
>                 ssh <username>@<Pi IP>
>
>         - For off-site usage, I recommend a DynamicDNS on the Relay's connection. This will make SSHing to it easier.
>                 - The DynamicDNS goes on the Address line of torrc, for example:
>                         Address thisismy.duckdns.org
>
>                 - SSH to it with:
>                         ssh <username>@thisismy.duckdns.org
>
> Step 3c:
>         Instructions if using the stock image[9]:
>
>         - Select Expand Filesystem so the entire SDHC card is available to the Raspberry Pi 2.
>                 - Press <TAB> twice to select Finish and reboot.
>
>         - The default login is:
>                 pi / raspberry
>
>         - Run raspi-config:
>                 sudo raspi-config
>
>         - Change Internationalisation Options to suit your preferences.
>                 - When changing locale press the spacebar to select the option(s).
>
>         - Select Overclock:
>                 Pi2
>                 - Overclocking your Raspberry Pi 2 this way does not void the warranty!
>
>         - Select Advanced Options:
>                 - Hostname is the device name on your network.
>
>         - Select Finish and reboot.
>
>         - Log back in using:
>                 pi / raspberry
>
>         - Create a new user:
>                 sudo adduser username
>
>         - Load the sudoers list:
>                 sudo visudo
>
>         - Change the last line to:
>                 username ALL=(ALL)ALL
>                         - Example:
>                                 bill ALL=(ALL)ALL
>
>                         - Be sure to leave a space after username *and* below the last line.
>                         - Press Control + X to close the document.
>                         - Press Y to save the changes and Enter to accept the default file name.
>
>         - Reboot and log in under the username you just created.
>                 sudo reboot
>
>         - Remove the pi user:
>                 sudo deluser --remove-home pi
>
>         - Update the OS and all packages:
>                 sudo apt-get update
>                 sudo apt-get upgrade
>
>         - Install cron-apt to automate updates.
>                 sudo apt-get install cron-apt
>
>                 - Configure a cron job to automatically download updates on a semi-daily basis with:
>                         sudo nano /etc/cron.d/cron-apt
>
>                         - Add a # to the start of line 5.
>
>                         - Change line 6 to "Every 12 hours." Delete the # (and the space) from line 7 and put:
>                         0 */12 * * *    root    test -x /usr/sbin/cron-apt && /usr/sbin/cron-apt /etc/cron-apt/config2
>
>                 - Run the following once or twice a day to install updates:
>                         sudo apt-get dist-upgrade
>
>         - Install tor with:
>                 sudo apt-get install tor
>
>         - Change the following in /etc/tor/torrc (from top-to-bottom in torrc) with:
>                 sudo nano /etc/tor/torrc
>
>         - Remove the "#" before the following lines (lines with dashes are comments for this guide):
>
>                 - Change the SocksPort to 0 from 9050.
>                 SocksPort 9050
>
>                 Log notice file /var/log/tor/notices.log
>                 RunAsDaemon 1
>
>                 - Change the DataDirectory to a RAM drive per TorProject's suggestion.[10]
>                 - See "Tor Fingerprint backup" at the bottom of this document.
>
>                 DataDirectory /dev/shm/tor
>
>                 ORPort 9001
>                 Nickname pickyourownnickname
>
>                 - Run a speed test and convert the result to Megabytes by dividing by 8.
>                         - Alternatively you can use an online bits-to-bytes calculator, such as Google.[11]
>                         - At least 2 Megabits of upload is recommended for a good relay.
>
>                 - Set the RelayBandwidthRate to a maximum of 80% of your upload speed.
>                 - Set the RelayBandwidthBurst to a maximum of 95% of your upload speed.
>                         - Burst speed is used occasionally.
>
>                 RelayBandwidthRate
>                 RelayBandwidthBurst
>
>                 *Bandwidth accounting is unidirectional, it will use twice what is listed!*
>                 - To use 50GB per month (starting on the first of the month at midnight):
>
>                         AccountingMax 25GB
>                         AccountingStart month 1 00:00
>
>                 - The contact info is posted online so please keep that in mind!
>                 ContactInfo Your name <youremail@address>
>
>                 DirPort 9030
>
>                 - Be sure to uncomment this line so you only run as a middle relay.
>                 ExitPolicy reject *:*
>
>         - Reboot with:
>                 sudo reboot
>
>         - Log back in to the Pi.
>
>         - Check that tor is running and the ORPort is reachable:
>                 sudo tail -f /var/log/tor/notices.log
>
>         - The following lines will be in the log file if your Relay is working correctly:
>                 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
>                 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
>                 [notice] Self-testing indicates your DirPort is reachable from the outside. Excellent.
>                 [notice] Performing bandwidth self-test...done.
>
>         - If these are not present see the troubleshooting section below.
>
>
> THANK YOU for running a relay! :-)
>
> Relay Fingerprint backup:
> Because the Fingerprint is contained on a RAM Drive it is erased in the
> event of a power loss (due to shut down, reboot, etc). This makes your
> Relay appear as "new" each time.
>
> To maintain a steady relay back up the fingerprint to a USB flash drive
> with the following commands:
> First, make a directory to mount the drive to:
>         sudo mkdir /mnt/d
>
> If it is the only drive connected and formatted to FAT32 use:
>         sudo mount -t vfat /dev/sda1 /mnt/d
>
> If it is formatted to NTFS you will need to install ntfs-3g first:
>         sudo apt-get install ntfs-3g
>
> Then mount it with:
>         sudo mount -t ntfs /dev/sda1 /mnt/d
>
> To access the RAM drive you need to be root (sudo):
>         sudo su
>
> Browse to the Fingerprint location:
>         cd /dev/shm/tor/keys
>
> Copy the "secret_id_key", which is the fingerprint, to your flash drive.
> Rename it something memorable like "tor_fingerprint".
>         cp secret_id_key /mnt/d/tor_fingerprint
>         rm /mnt/tor-root/var/lib/tor/keys/secret_id_key
>
> Invert the copy (cp) command to restore it.
>
> Troubleshooting:
> If you do not see "Self-testing indicates your ORPort is reachable from
> the outside. Excellent." in the notices log you will need to check that
> your port is forwarded correctly in your router.
> If your port forwarding is correct but the ORPort is still unreachable you
> may need a Dynamic DNS. The Dynamic DNS address will be put in the Address
> line in torrc.
> See footnote 13 for an example on setting up a Dynamic DNS.
>
> Extra info:
> To safely shut down the system use:
>         sudo shutdown -h now
>
> If Bandwidth accounting is *enabled* the DirPort is automatically disabled.
> Tor uses TCP ports, the UDP ports do *not* need to be forwarded.
>
> OS modifications for my images:
>         "Turbo mode" overclocking is enabled with Pi 2 setting. This does *not* void the warranty![12]
>         OS hardening enabled via harden-servers package.
>         Tor logs are rotated daily, rotated logs are not kept.
>         Semi-daily cron job running apt-get update and apt-get upgrade.
>         Removed pi (default) user.
>         Hostname is RelayPi.
>         RelayBandwidthRate and RelayBandwidthBurst are set to 80% and 90% of the Ookla Global Broadband upload speeds, respectively.
>         AccountingMax is set to 25GB (50GB per month), starts at midnight on the first day of the month.
>
> [1] https://torrage.com/torrent/64CF7A9D083BA58C31987B2AFA1B34B4334456F7.torrent
> [2] https://www.raspberrypi.org/documentation/installation/installing-images/linux.md
> [3] https://i.imgur.com/gIamfK7.png
> [4] http://downloads.raspberrypi.org/raspbian_latest.torrent
> [5] http://deluge-torrent.org/
> [6] https://pgp.mit.edu/pks/lookup?op=vindex&search=0xD4EB587D15734B19
>         Primary Fingerprint:
>         3E37 9905 05C0 050A FEFE C675 D4EB 587D 1573 4B19
>         Signing subkey Fingerprint:
>         2F28 004A 19B2 E62B 3690 BF2B CCF6 3BA2 CBE9 49C3
> [7] https://www.raspberrypi.org/documentation/troubleshooting/hardware/networking/ip-address.md
> [8] https://www.raspberrypi.org/documentation/remote-access/ssh/unix.md
>     https://www.raspberrypi.org/documentation/remote-access/ssh/windows.md
> [9] http://www.instructables.com/id/Raspberry-Pi-Tor-relay/?ALLSTEPS
> [10] https://trac.torproject.org/projects/tor/wiki/doc/TorRelaySecurity
> [11] https://www.google.com/?q=9000Kbps+to+MBps
> [12] https://www.raspberrypi.org/introducing-turbo-mode-up-to-50-more-performance-for-free/
> [13] https://tor.stackexchange.com/questions/6558/relay-getting-traffic-showing-as-unreachable/6575#6575
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> -----END PGP SIGNATURE-----
>
>
> --
> tor-talk mailing list - tor-talk@lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
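Added example (not part of either message above): one way to check a downloaded image against the two fingerprints listed under footnote [6] before writing it to the card, which is the trust question the reply raises. It assumes the image ships with a detached signature file and that the signer's public key has already been imported; the file names are whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the guide. Fingerprints are those listed under
# footnote [6]; the signature and image file names are assumptions.
PRIMARY_FPR=3E37990505C0050AFEFEC675D4EB587D15734B19
SUBKEY_FPR=2F28004A19B2E62B3690BF2BCCF63BA2CBE949C3

# check_status: read `gpg --status-fd` records on stdin. Succeed only when a
# VALIDSIG record names the pinned signing subkey and the pinned primary key,
# and nothing reports a bad, unverifiable, expired or revoked signature/key.
check_status() {
    awk -v sub_fpr="$SUBKEY_FPR" -v pri_fpr="$PRIMARY_FPR" '
        $1 != "[GNUPG:]" { next }
        # VALIDSIG: field 3 is the key that made the signature, the last
        # field is the fingerprint of the primary key it belongs to.
        $2 == "VALIDSIG" && $3 == sub_fpr && $NF == pri_fpr { ok = 1 }
        # gpg still emits VALIDSIG alongside EXPKEYSIG/REVKEYSIG, so these
        # records have to be rejected explicitly.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_image SIGFILE IMAGE: status records go to stdout (fd 1), gpg's
# human-readable text goes to stderr and is discarded.
verify_image() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status
}

if [ "$#" -eq 2 ]; then
    if verify_image "$1" "$2"; then
        echo "signature OK, key matches pin"
    else
        echo "REJECTED: do not write this image" >&2
        exit 1
    fi
fi
```

Pinning the full fingerprints matters here because a "Good signature" line from gpg only says that some key in the keyring signed the file, not that it was the key named in the announcement.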
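Added example (not part of the quoted guide): a small audit of a torrc against the settings Step 3c asks for, so a relay built by hand can be checked before it is rebooted onto the network. The function name and the wording of the findings are my own; the options checked are the ones the guide names.

```shell
#!/bin/sh
# Added example, not from the guide. audit_torrc FILE prints one finding per
# line and returns non-zero when FILE departs from the guide's middle-relay
# settings (SocksPort 0, ORPort set, bandwidth limits filled in, no exits).
audit_torrc() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        { key = tolower($1) }                   # option names are case-insensitive
        key == "socksport" {                    # several SocksPort lines may exist
            seen_socks = 1
            if ($2 != "0") socks_open = 1
        }
        key == "orport" { orport = $2 }
        key == "exitpolicy" && !have_policy {   # rules are first-match: rule one decides
            have_policy = 1
            policy = $2 " " $3
        }
        # The guide lists these two options with the value left for the reader.
        (key == "relaybandwidthrate" || key == "relaybandwidthburst") && NF < 2 {
            print $1 " has no value"; bad = 1
        }
        END {
            # A still-commented SocksPort line leaves the default listener on.
            if (!seen_socks || socks_open) { print "SocksPort is not 0"; bad = 1 }
            if (orport == "")              { print "ORPort is not set"; bad = 1 }
            if (policy != "reject *:*")    { print "ExitPolicy does not start with reject *:*"; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

if [ "$#" -eq 1 ]; then
    audit_torrc "$1"
fi
```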