Tor Exitnode - Telecomix Crypto Munitions Bureau

Tor Exitnode


Run a tor exit node with Debian

For the French version see this page [address has not been created yet]

Tor installation && configuration

Considering you are here, you already know what Tor is; otherwise you can search the web and find plenty of documentation. There are already plenty of tutorials on how to host a Tor relay; we have made this one as short and simple as possible. Quick and easy to go! This page is for building a Tor exit node. Keep in mind that running an exit node can lead to abuse complaints. Only the lines which have to be changed are listed. /!\ The number in front of each line is the line number as shown by vim; it is there as an indication only, do NOT add it to your torrc.

If you have not yet installed Tor, follow these install guidelines.

:~$ gpg --keyserver keys.gnupg.net --recv 886DDD89
:~$ gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
:~$ sudo apt-get update
:~$ sudo apt-get install deb.torproject.org-keyring
:~$ sudo apt-get install tor

(More details can be found at https://www.torproject.org/docs/debian.html.en#ubuntu, including the deb.torproject.org apt source that must be added to /etc/apt/sources.list before the keyring package can be installed.) Now Tor should be running. You can test it by configuring your browser to use the local Tor SOCKS proxy and going to https://check.torproject.org/. (If this is a remote dedicated server, it is normal that this check does not work, since your browser is not running on that machine.)

Then we'll edit the configuration file which is /etc/tor/torrc. I use vim, but you can use any other text editor.

:~$ sudo vim /etc/tor/torrc

I leave the line number in front of each line to be changed /!\ so you can find it quicker, but please make sure you don't put the number in your torrc.

48 RunAsDaemon 1

Starts the process in the background, as a daemon.

83 ORPort 9001

You can use port 443 instead if you don't run any HTTPS service on this machine. It lets people behind a proxy or a firewall that only allows HTTPS traffic reach your relay.

100 Nickname YourRelayName   # 1 to 19 characters, letters and digits only
107 RelayBandwidthRate 100 KB  # Throttle traffic to 100KB/s (800Kbps)
108 RelayBandwidthBurst 200 KB # But allow bursts up to 200KB/s (1600Kbps)

You can set a limit if you don't want the tor relay to use too much bandwidth.

115 ## Set a maximum of 4 gigabytes each way per period.
116 #AccountingMax 4 GB
117 ## Each period starts daily at midnight (AccountingMax is per day)
118 #AccountingStart day 00:00
119 ## Each period starts on the 3rd of the month at 15:00 (AccountingMax
120 ## is per month)
121 #AccountingStart month 3 15:00

Uncomment these lines if you want to cap the amount of data going through your relay per day or per month; once the limit is reached the relay hibernates until the next period starts.

126 ContactInfo Random Person <nobody AT example dot com>

Contact info to be published in the directory, so we can contact you if your relay is misconfigured or something else goes wrong. Google indexes this, so spammers might also collect it.

128 ContactInfo 0xFFFFFFFF Random Person <nobody AT example dot com>

You might also include your PGP or GPG fingerprint if you have one.

132 DirPort 9030 # what port to advertise for directory connections

You can use port 80 instead if you don't run any HTTP service on this machine. It lets people behind a proxy or a firewall that only allows HTTP traffic reach your relay's directory port.

154 ## A comma-separated list of exit policies. They're considered first
155 ## to last, and the first match wins. If you want to _replace_
156 ## the default exit policy, end this with either a reject *:* or an
157 ## accept *:*. Otherwise, you're _augmenting_ (prepending to) the
158 ## default exit policy. Leave commented to just use the default, which is
159 ## described in the man page or at
160 ## https://www.torproject.org/documentation.html
161 ##
162 ## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses
163 ## for issues you might encounter if you use the default exit policy.
164 ##
165 ## If certain IPs and ports are blocked externally, e.g. by your firewall,
166 ## you should update your exit policy to reflect this -- otherwise Tor
167 ## users will be told that those destinations are down.
168 ##
169 ## For security, by default Tor rejects connections to private (local)
170 ## networks, including to your public IP address. See the man page entry
171 ## for ExitPolicyRejectPrivate if you want to allow "exit enclaving".
172 ##
173 #ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more
174 #ExitPolicy accept *:119 # accept nntp as well as default exit policy

Please see the Tor Project's tips for Running an Exit Node with Minimal Harassment. If you follow those guidelines, add the following to your torrc:

ExitPolicy accept *:20-23    # FTP, SSH, telnet
ExitPolicy accept *:43       # WHOIS
ExitPolicy accept *:53       # DNS
ExitPolicy accept *:79-81    # finger, HTTP
ExitPolicy accept *:88       # kerberos
ExitPolicy accept *:110      # POP3
ExitPolicy accept *:143      # IMAP
ExitPolicy accept *:194      # IRC
ExitPolicy accept *:220      # IMAP3
ExitPolicy accept *:443      # HTTPS
ExitPolicy accept *:464-465  # kpasswd, SMTP over SSL
ExitPolicy accept *:543-544
ExitPolicy accept *:563      # NNTP over SSL
ExitPolicy accept *:587      # SMTP
ExitPolicy accept *:706
ExitPolicy accept *:749      # kerberos
ExitPolicy accept *:873      # rsync
ExitPolicy accept *:902-904
ExitPolicy accept *:981
ExitPolicy accept *:989-995  # FTP over SSL, Netnews Administration System, telnets, IMAP over SSL, ircs, POP3 over SSL
ExitPolicy accept *:1194     # openvpn
ExitPolicy accept *:1220     # QT Server Admin
ExitPolicy accept *:1293     # PKT-KRB-IPSec
ExitPolicy accept *:1500     # VLSI License Manager
ExitPolicy accept *:1723     # PPTP
ExitPolicy accept *:1863     # MSNP
ExitPolicy accept *:2082-2083 # Radius
ExitPolicy accept *:2086-2087 # GNUnet, ELI
ExitPolicy accept *:2095-2096 # NBX
ExitPolicy accept *:3128     # SQUID
ExitPolicy accept *:3389     # MS WBT
ExitPolicy accept *:3690     # SVN
ExitPolicy accept *:4321     # RWHOIS
ExitPolicy accept *:4643
ExitPolicy accept *:5050     # MMCC
ExitPolicy accept *:5190     # ICQ
ExitPolicy accept *:5222-5223 # XMPP, XMPP over SSL
ExitPolicy accept *:5900     # VNC
ExitPolicy accept *:6666-6667 # IRC
ExitPolicy accept *:6679
ExitPolicy accept *:6697
ExitPolicy accept *:8000    # iRDMI
ExitPolicy accept *:8008
ExitPolicy accept *:8080    # HTTP Proxies
ExitPolicy accept *:8087-8088 # Simplify Media SPP Protocol, Radan HTTP
ExitPolicy accept *:8333    # Bitcoin
ExitPolicy accept *:8443    # PCsync HTTPS
ExitPolicy accept *:8888    # HTTP Proxies, NewsEDGE
ExitPolicy accept *:9418    # git
ExitPolicy accept *:9999    # distinct
ExitPolicy accept *:10000   # Network Data Management Protocol
ExitPolicy accept *:19638
ExitPolicy reject *:*
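The two warnings above (do not paste the vim line numbers, and end a custom policy with a catch-all rule) are easy to check mechanically before restarting Tor. The POSIX shell lint below is an added example written for this page; it is not part of the original guide or of Tor itself. The sample configs it writes are constructed, and the Nickname rule it enforces (1 to 19 characters, letters and digits only) is the one from the tor man page.

```shell
#!/bin/sh
# Added example, not part of the original guide or of Tor itself: a lint for
# the torrc mistakes this page warns about. Needs only POSIX sh, grep and awk.
#   check_torrc /etc/tor/torrc     (exit status 0 when every check passes)

check_torrc() {
    file="$1"
    status=0

    # 1. Editor line numbers pasted into the file ("83 ORPort 9001",
    #    "115 ## Set a maximum ..."): tor refuses to start on such lines.
    if grep -Eq '^[[:space:]]*[0-9]+[[:space:]]+[#A-Za-z]' "$file"; then
        echo "ERROR: editor line numbers left in front of these lines:" >&2
        grep -En '^[[:space:]]*[0-9]+[[:space:]]+[#A-Za-z]' "$file" >&2
        status=1
    fi

    # 2. A relay needs an ORPort, otherwise it is only a client.
    grep -Eq '^[[:space:]]*ORPort[[:space:]]+[0-9]+' "$file" \
        || { echo "ERROR: no ORPort configured" >&2; status=1; }

    # 3. Nickname: 1-19 characters from [A-Za-z0-9] (tor man page), so a
    #    placeholder containing an apostrophe, underscore or space is rejected.
    nick=$(awk '$1 == "Nickname" { sub(/#.*/, ""); $1 = ""; sub(/^ +/, ""); print; exit }' "$file")
    if [ -n "$nick" ] && ! printf '%s\n' "$nick" | grep -Eq '^[A-Za-z0-9]{1,19}$'; then
        echo "ERROR: Nickname '$nick' is not 1-19 letters/digits" >&2
        status=1
    fi

    # 4. An exit should publish ContactInfo so abuse reports reach the
    #    operator rather than only the hosting provider.
    grep -Eq '^[[:space:]]*ContactInfo[[:space:]]+[^[:space:]]' "$file" \
        || { echo "WARNING: no ContactInfo set" >&2; status=1; }

    # 5. With a custom ExitPolicy the final rule should be a catch-all
    #    ("reject *:*" or "accept *:*"); otherwise tor appends its default
    #    exit policy after yours. Rules may span several ExitPolicy lines
    #    or be comma-separated on one line, so take the very last rule.
    last_rule=$(awk '$1 == "ExitPolicy" { sub(/#.*/, ""); $1 = "";
                                          n = split($0, parts, ","); rule = parts[n] }
                     END { gsub(/^[ \t]+|[ \t]+$/, "", rule); gsub(/[ \t]+/, " ", rule);
                           print rule }' "$file")
    case "$last_rule" in
        ""|"reject *:*"|"accept *:*") ;;
        *) echo "WARNING: ExitPolicy ends with '$last_rule', not a catch-all rule" >&2
           status=1 ;;
    esac

    return "$status"
}

# Constructed sample configs (not real relay settings) for trying the lint.
write_sample_torrc() {            # $1 = good | bad ; prints the temp file path
    tmp=$(mktemp) || return 1
    if [ "$1" = good ]; then
        cat > "$tmp" <<'EOF'
RunAsDaemon 1
ORPort 9001
Nickname ExampleExit01
ContactInfo Random Person <nobody AT example dot com>
DirPort 9030
ExitPolicy accept *:80,accept *:443   # HTTP, HTTPS
ExitPolicy reject *:*
EOF
    else
        cat > "$tmp" <<'EOF'
48 RunAsDaemon 1
83 ORPort 9001
Nickname Put_your_relay's_name
ExitPolicy accept *:443
EOF
    fi
    printf '%s\n' "$tmp"
}

good=$(write_sample_torrc good); bad=$(write_sample_torrc bad)
check_torrc "$good" && echo "good sample: all checks passed"
check_torrc "$bad"  || echo "bad sample: problems found, exit status $?"
rm -f "$good" "$bad"
```

Run `check_torrc /etc/tor/torrc` before restarting the daemon. Tor's own `tor --verify-config` remains the authoritative syntax check; this lint only catches the specific mistakes called out on this page.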

To save the configuration file and quit vim, type

:wq

Now we're going to start TOR.

:~$ sudo /etc/init.d/tor restart

Let's see what we have in the log

:~$ sudo tail -f /var/log/tor/log

You should see the log scroll by, something like this:

Jul 05 16:39:12.000 [notice] Tor (git-a2015428e4698ff9) opening log file.
Jul 05 16:39:12.000 [notice] Parsing GEOIP file /usr/share/tor/geoip.
Jul 05 16:39:12.000 [notice] Configured to measure statistics. Look for the *-stats files that will first be written to the data directory in 24 hours from now.
Jul 05 16:39:12.000 [notice] No AES engine found; using AES_* functions.
Jul 05 16:39:12.000 [notice] This version of OpenSSL has a slow implementation of counter mode; not using it.
Jul 05 16:39:13.000 [notice] OpenSSL OpenSSL 0.9.8o 01 Jun 2010 looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation
Jul 05 16:39:13.000 [notice] Your Tor server's identity key fingerprint is 'specific to your server'
Jul 05 16:39:14.000 [notice] Reloaded microdescriptor cache.  Found 6671 descriptors.
Jul 05 16:39:15.000 [notice] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
Jul 05 16:39:15.000 [notice] Guessed our IP address as **.**.**.** (source: **.**.**.**).
Jul 05 16:39:16.000 [notice] Bootstrapped 5%: Connecting to directory server.
Jul 05 16:39:16.000 [notice] Heartbeat: It seems like we are not in the cached consensus.
Jul 05 16:39:16.000 [notice] Heartbeat: Tor's uptime is 0:00 hours, with 2 circuits open. I've sent 0 kB and received 0 kB.
Jul 05 16:39:16.000 [notice] Bootstrapped 10%: Finishing handshake with directory server.
Jul 05 16:39:16.000 [notice] We weren't able to find support for all of the TLS ciphersuites that we wanted to advertise. This won't hurt security, but it might make your Tor (if 
[...]
Jul 05 16:39:23.000 [notice] Bootstrapped 80%: Connecting to the Tor network.
Jul 05 16:39:24.000 [notice] Bootstrapped 85%: Finishing handshake with first hop.
Jul 05 16:39:25.000 [notice] Bootstrapped 90%: Establishing a Tor circuit.
Jul 05 16:39:26.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Jul 05 16:39:26.000 [notice] Bootstrapped 100%: Done.
Jul 05 16:39:26.000 [notice] Now checking whether ORPort **.**.**.**:9001 and DirPort **.**.**.**:9030 are reachable... (this may take up to 20 minutes -- look for log messages indicating success)
Jul 05 16:39:28.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Jul 05 16:39:28.000 [notice] Self-testing indicates your DirPort is reachable from the outside. Excellent.
Jul 05 16:39:30.000 [notice] Performing bandwidth self-test...done.

You must see these two messages:

Jul 05 16:39:28.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Jul 05 16:39:28.000 [notice] Self-testing indicates your DirPort is reachable from the outside. Excellent.

They show that your relay is reachable from the outside and has published its descriptor, i.e. that it works. Until both self-tests succeed, Tor does not publish the descriptor and your relay is not used by anyone.

Later, if you keep watching the log, you should see a message every 6 hours about how much data went through your Tor relay.

Jul 06 22:54:45.000 [notice] Heartbeat: Tor's uptime is 6:00 hours, with ** circuits open. I've sent *.** GB and received *.** GB.
Jul 07 04:54:45.000 [notice] Heartbeat: Tor's uptime is 12:00 hours, with ** circuits open. I've sent *.** GB and received *.** GB.

(The dates differ because I had restarted my relay in between.)
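The two things this section asks you to find in /var/log/tor/log (did both reachability self-tests pass, and what does the latest heartbeat say) can be pulled out without reading the log by eye. The POSIX shell snippet below is an added example written for this page, not part of the original guide or of Tor: it greps for the two self-test messages, parses the most recent Heartbeat line, and counts warning lines. The log it writes is a constructed sample modelled on the lines shown above.

```shell
#!/bin/sh
# Added example, not from the original guide: answer the two questions this
# section asks of /var/log/tor/log without reading it by eye. POSIX sh,
# grep and awk only.

# Exit 0 only if both self-test messages the guide calls mandatory are present.
relay_reachable() {
    grep -q 'Self-testing indicates your ORPort is reachable from the outside' "$1" &&
    grep -q 'Self-testing indicates your DirPort is reachable from the outside' "$1"
}

# Summarise the most recent Heartbeat line as
# "uptime=<h:mm> hours circuits=<n> sent=<x> received=<y>"; exit 1 if none yet.
last_heartbeat() {
    awk '/\[notice\] Heartbeat: Tor.s uptime is/ { line = $0 }
         END {
             if (line == "") exit 1
             match(line, /uptime is [^,]*/);         up   = substr(line, RSTART + 10, RLENGTH - 10)
             match(line, /with [0-9]+ circuits/);   circ = substr(line, RSTART + 5,  RLENGTH - 14)
             match(line, /sent [0-9.]+ [kMG]B/);    sent = substr(line, RSTART + 5,  RLENGTH - 5)
             match(line, /received [0-9.]+ [kMG]B/); rcvd = substr(line, RSTART + 9, RLENGTH - 9)
             printf "uptime=%s circuits=%s sent=%s received=%s\n", up, circ, sent, rcvd
         }' "$1"
}

# Number of [warn]/[err] lines; the healthy log shown above has none.
count_problems() {
    grep -cE '\[(warn|err)\]' "$1" || true
}

# Constructed sample logs modelled on the lines shown above (not real output).
write_sample_log() {              # $1 = good | bad ; prints the temp file path
    tmp=$(mktemp) || return 1
    if [ "$1" = good ]; then
        cat > "$tmp" <<'EOF'
Jul 05 16:39:26.000 [notice] Bootstrapped 100%: Done.
Jul 05 16:39:28.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Jul 05 16:39:28.000 [notice] Self-testing indicates your DirPort is reachable from the outside. Excellent.
Jul 05 22:39:26.000 [notice] Heartbeat: Tor's uptime is 6:00 hours, with 310 circuits open. I've sent 1.50 GB and received 1.48 GB.
Jul 06 04:39:26.000 [notice] Heartbeat: Tor's uptime is 12:00 hours, with 420 circuits open. I've sent 3.10 GB and received 3.05 GB.
EOF
    else
        cat > "$tmp" <<'EOF'
Jul 05 16:39:26.000 [notice] Bootstrapped 100%: Done.
Jul 05 16:39:28.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Jul 05 16:59:28.000 [warn] (constructed sample warning: DirPort self-test never succeeded)
Jul 05 16:59:30.000 [notice] Heartbeat: Tor's uptime is 0:20 hours, with 2 circuits open. I've sent 0 kB and received 0 kB.
EOF
    fi
    printf '%s\n' "$tmp"
}

good=$(write_sample_log good); bad=$(write_sample_log bad)
for f in "$good" "$bad"; do
    if relay_reachable "$f"; then echo "reachable: yes"; else echo "reachable: NO"; fi
    echo "latest heartbeat: $(last_heartbeat "$f")"
    echo "warn/err lines: $(count_problems "$f")"
done
rm -f "$good" "$bad"
```

Against the real log, `relay_reachable /var/log/tor/log` is the check to script into a cron job or monitoring probe: a relay whose DirPort or ORPort self-test never succeeded is exactly the case Tor Weather (below) would otherwise be the first to tell you about.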

To shut down your relay

:~$ sudo /etc/init.d/tor stop

Stopping takes about 30 seconds so that open connections are not cut off abruptly, so please wait those 30 seconds.

If you have any problems, you can ask on #telecomix, or in #tor on the OFTC IRC network.

In case of abuse

The Tor Project maintains a collection of abuse-response templates to help you answer the various kinds of abuse complaints an exit node receives: https://trac.torproject.org/projects/tor/wiki/doc/TorAbuseTemplates

Bonus

What is Tor Weather?

Tor Weather provides an email notification service to any users who want to monitor the status of a Tor node. Upon subscribing, you can specify what types of alerts you would like to receive. The main purpose of Tor Weather is to notify node operators via email if their node is down for longer than a specified period, but other notification types are available.

Why should I subscribe?

Tor Weather is useful to node operators who want to know as soon as their router is down in order to fix the problem. You can also use Tor Weather to notify you when your router is running an out of date version of Tor or when your router has earned you a Tor T-shirt.

What if I set my router to hibernate?

You will not receive a Tor Weather report simply because the node you are monitoring is hibernating. However, if a node goes down during a hibernation period, there will likely be some delay (no more than 18 hours) before we recognize the node as down and send a notification.

Will I be spammed by Tor Weather reports?

No! You can change your preferences to minimize your Tor Weather email notifications. You can unsubscribe at any time.

To sign up for Tor Weather: https://weather.torproject.org/subscribe/
