Tor Exitnode
From Telecomix Crypto Munitions Bureau
Run a tor exit node with Debian
For French see this page [address has not been created yet]
Tor installation && configuration
Since you are here, you already know what TOR is. If not, you can search the web and find plenty of docs. There are already plenty of tutorials on how to host a TOR relay, so we've made this one as short and simple as possible. Quick and easy to go! This page is for building a Tor exit node. Keep in mind that it can lead to abuse. I only list the lines which have to be changed. /!\ The number in front of each line is the line number shown in vim. It's only there as an indication, do NOT add it.
If you have not yet installed TOR, you can follow these install guidelines.
:~$ gpg --keyserver keys.gnupg.net --recv 886DDD89
:~$ gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
:~$ apt-get update
:~$ apt-get install deb.torproject.org-keyring
:~$ apt-get install tor
(More details can be found here: https://www.torproject.org/docs/debian.html.en#ubuntu) Now TOR should be running. You can test it by pointing your browser at the SOCKS proxy on 127.0.0.1:9050 and then going to https://check.torproject.org/. (If it's a dedicated server, it's normal that this doesn't work.)
Then we'll edit the configuration file which is /etc/tor/torrc. I use vim, but you can use any other text editor.
:~$ vim /etc/tor/torrc
I give the line number of each line to change /!\ so you can find it more quickly, but please make sure you don't put the number in your configuration file.
48 RunAsDaemon 1
To start the process in the background.
83 ORPort 9001
You can use the port 443 if you don't have any HTTPS services. It permits people behind a proxy or a firewall to access TOR.
100 Nickname Put_your_relay's_name
107 RelayBandwidthRate 100 KB # Throttle traffic to 100KB/s (800Kbps)
108 RelayBandwidthBurst 200 KB # But allow bursts up to 200KB/s (1600Kbps)
You can set a limit if you don't want the tor relay to use too much bandwidth.
115 ## Set a maximum of 4 gigabytes each way per period.
116 #AccountingMax 4 GB
117 ## Each period starts daily at midnight (AccountingMax is per day)
118 #AccountingStart day 00:00
119 ## Each period starts on the 3rd of the month at 15:00 (AccountingMax
120 ## is per month)
121 #AccountingStart month 3 15:00
If you want to set a limit on the amount of data going through your relay.
126 ContactInfo Random Person <nobody AT example dot com>
Contact info to be published in the directory, so we can contact you if your relay is misconfigured or something else goes wrong. Google indexes this, so spammers might also collect it.
128 ContactInfo 0xFFFFFFFF Random Person <nobody AT example dot com>
You might also include your PGP or GPG fingerprint if you have one.
132 DirPort 9030 # what port to advertise for directory connections
You can use the port 80 if you don't have any HTTP services. It permits people behind a proxy or a firewall to access TOR.
154 ## A comma-separated list of exit policies. They're considered first
155 ## to last, and the first match wins. If you want to _replace_
156 ## the default exit policy, end this with either a reject *:* or an
157 ## accept *:*. Otherwise, you're _augmenting_ (prepending to) the
158 ## default exit policy. Leave commented to just use the default, which is
159 ## described in the man page or at
160 ## https://www.torproject.org/documentation.html
161 ##
162 ## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses
163 ## for issues you might encounter if you use the default exit policy.
164 ##
165 ## If certain IPs and ports are blocked externally, e.g. by your firewall,
166 ## you should update your exit policy to reflect this -- otherwise Tor
167 ## users will be told that those destinations are down.
168 ##
169 ## For security, by default Tor rejects connections to private (local)
170 ## networks, including to your public IP address. See the man page entry
171 ## for ExitPolicyRejectPrivate if you want to allow "exit enclaving".
172 ##
173 #ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more
174 #ExitPolicy accept *:119 # accept nntp as well as default exit policy
Please see [for Running an Exit Node with Minimal Harassment]. If you follow these guidelines, you should add the following to your torrc:
ExitPolicy accept *:20-23 # FTP, SSH, telnet
ExitPolicy accept *:43 # WHOIS
ExitPolicy accept *:53 # DNS
ExitPolicy accept *:79-81 # finger, HTTP
ExitPolicy accept *:88 # kerberos
ExitPolicy accept *:110 # POP3
ExitPolicy accept *:143 # IMAP
ExitPolicy accept *:194 # IRC
ExitPolicy accept *:220 # IMAP3
ExitPolicy accept *:443 # HTTPS
ExitPolicy accept *:464-465 # kpasswd, SMTP over SSL
ExitPolicy accept *:543-544
ExitPolicy accept *:563 # NNTP over SSL
ExitPolicy accept *:587 # SMTP
ExitPolicy accept *:706
ExitPolicy accept *:749 # kerberos
ExitPolicy accept *:873 # rsync
ExitPolicy accept *:902-904
ExitPolicy accept *:981
ExitPolicy accept *:989-995 # FTP over SSL, Netnews Administration System, telnets, IMAP over SSL, ircs, POP3 over SSL
ExitPolicy accept *:1194 # openvpn
ExitPolicy accept *:1220 # QT Server Admin
ExitPolicy accept *:1293 # PKT-KRB-IPSec
ExitPolicy accept *:1500 # VLSI License Manager
ExitPolicy accept *:1723 # PPTP
ExitPolicy accept *:1863 # MSNP
ExitPolicy accept *:2082-2083 # Radius
ExitPolicy accept *:2086-2087 # GNUnet, ELI
ExitPolicy accept *:2095-2096 # NBX
ExitPolicy accept *:3128 # SQUID
ExitPolicy accept *:3389 # MS WBT
ExitPolicy accept *:3690 # SVN
ExitPolicy accept *:4321 # RWHOIS
ExitPolicy accept *:4643
ExitPolicy accept *:5050 # MMCC
ExitPolicy accept *:5190 # ICQ
ExitPolicy accept *:5222-5223 # XMPP, XMPP over SSL
ExitPolicy accept *:5900 # VNC
ExitPolicy accept *:6666-6667 # IRC
ExitPolicy accept *:6679
ExitPolicy accept *:6697
ExitPolicy accept *:8000 # iRDMI
ExitPolicy accept *:8008
ExitPolicy accept *:8080 # HTTP Proxies
ExitPolicy accept *:8087-8088 # Simplify Media SPP Protocol, Radan HTTP
ExitPolicy accept *:8333 # Bitcoin
ExitPolicy accept *:8443 # PCsync HTTPS
ExitPolicy accept *:8888 # HTTP Proxies, NewsEDGE
ExitPolicy accept *:9418 # git
ExitPolicy accept *:9999 # distinct
ExitPolicy accept *:10000 # Network Data Management Protocol
ExitPolicy accept *:19638
ExitPolicy reject *:*
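The torrc comments above say that exit policy entries are considered first to last and the first match wins. The following is an added example, not part of the original page or of Tor itself, that audits a torrc under that rule before you restart the relay. The sample torrc is a constructed excerpt of the list above, the function names are hypothetical, and only wildcard (`*`) addresses are handled, which is all this page uses.

```python
import re

# Constructed excerpt of a torrc using part of the exit policy from this page.
SAMPLE_TORRC = """\
ORPort 9001
#ExitPolicy accept *:119 # commented out, must be ignored
ExitPolicy accept *:20-23 # FTP, SSH, telnet
ExitPolicy accept *:53 # DNS
ExitPolicy accept *:79-81 # finger, HTTP
ExitPolicy accept *:443 # HTTPS
ExitPolicy accept *:464-465 # kpasswd, SMTP over SSL
ExitPolicy accept *:587 # SMTP
ExitPolicy accept *:6666-6667 # IRC
ExitPolicy reject *:*
"""

ENTRY = re.compile(r"(accept|reject)\s+\*:(\*|\d+)(?:-(\d+))?")

def parse_exit_policy(torrc_text):
    """Return the ordered (action, low_port, high_port) rules of a torrc."""
    rules = []
    for line in torrc_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)   # drop comments
        # Exact keyword match, so ExitPolicyRejectPrivate is not mistaken for it.
        if len(parts) != 2 or parts[0].lower() != "exitpolicy":
            continue
        # One ExitPolicy line may carry several comma-separated entries.
        for entry in parts[1].split(","):
            m = ENTRY.fullmatch(entry.strip())
            if not m:
                raise ValueError("unsupported entry: %r" % entry)
            action, low, high = m.groups()
            lo, hi = (1, 65535) if low == "*" else (int(low), int(high or low))
            rules.append((action, lo, hi))
    return rules

def decision(rules, port):
    """First matching rule wins; None means the default exit policy decides."""
    for action, lo, hi in rules:
        if lo <= port <= hi:
            return action
    return None

if __name__ == "__main__":
    rules = parse_exit_policy(SAMPLE_TORRC)
    for port in (22, 25, 119, 443, 587):
        print(port, decision(rules, port))
```

A result of `None` means the list does not end with `reject *:*` or `accept *:*`, so the relay is augmenting the default exit policy rather than replacing it.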
To save the configuration file, just type
:wq
Now we're going to start TOR.
:~$ /etc/init.d/tor restart
Let's see what we have in the log
:~$ tail -f /var/log/tor/log
You should see something like this scroll by:
13 Jul 05 16:39:12.000 [notice] Tor 0.2.3.18-rc (git-a2015428e4698ff9) opening log file.
14 Jul 05 16:39:12.000 [notice] Parsing GEOIP file /usr/share/tor/geoip.
15 Jul 05 16:39:12.000 [notice] Configured to measure statistics. Look for the *-stats files that will first be written to the data directory in 24 hours from now.
16 Jul 05 16:39:12.000 [notice] No AES engine found; using AES_* functions.
17 Jul 05 16:39:12.000 [notice] This version of OpenSSL has a slow implementation of counter mode; not using it.
18 Jul 05 16:39:13.000 [notice] OpenSSL OpenSSL 0.9.8o 01 Jun 2010 looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation
19 Jul 05 16:39:13.000 [notice] Your Tor server's identity key fingerprint is 'spécifique à votre serveur'
20 Jul 05 16:39:14.000 [notice] Reloaded microdescriptor cache. Found 6671 descriptors.
21 Jul 05 16:39:15.000 [notice] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
22 Jul 05 16:39:15.000 [notice] Guessed our IP address as **.**.**.** (source: **.**.**.**).
23 Jul 05 16:39:16.000 [notice] Bootstrapped 5%: Connecting to directory server.
24 Jul 05 16:39:16.000 [notice] Heartbeat: It seems like we are not in the cached consensus.
25 Jul 05 16:39:16.000 [notice] Heartbeat: Tor's uptime is 0:00 hours, with 2 circuits open. I've sent 0 kB and received 0 kB.
26 Jul 05 16:39:16.000 [notice] Bootstrapped 10%: Finishing handshake with directory server.
27 Jul 05 16:39:16.000 [notice] We weren't able to find support for all of the TLS ciphersuites that we wanted to advertise. This won't hurt security, but it might make your Tor (if ......
67 Jul 05 16:39:23.000 [notice] Bootstrapped 80%: Connecting to the Tor network.
68 Jul 05 16:39:24.000 [notice] Bootstrapped 85%: Finishing handshake with first hop.
69 Jul 05 16:39:25.000 [notice] Bootstrapped 90%: Establishing a Tor circuit.
70 Jul 05 16:39:26.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
71 Jul 05 16:39:26.000 [notice] Bootstrapped 100%: Done.
72 Jul 05 16:39:26.000 [notice] Now checking whether ORPort **.**.**.**:9001 and DirPort **.**.**.**:9030 are reachable... (this may take up to 20 minutes -- look for log messages indicating success)
73 Jul 05 16:39:28.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
74 Jul 05 16:39:28.000 [notice] Self-testing indicates your DirPort is reachable from the outside. Excellent.
75 Jul 05 16:39:30.000 [notice] Performing bandwidth self-test...done.
It's mandatory to have this message.
73 Jul 05 16:39:28.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
74 Jul 05 16:39:28.000 [notice] Self-testing indicates your DirPort is reachable from the outside. Excellent.
This shows that your relay works.
Later, if you keep watching the log, you should see a message every 6 hours about how much data went through your tor relay.
6 Jul 06 22:54:45.000 [notice] Heartbeat: Tor's uptime is 6:00 hours, with ** circuits open. I've sent *.** GB and received *.** GB.
7 Jul 07 04:54:45.000 [notice] Heartbeat: Tor's uptime is 12:00 hours, with **circuits open. I've sent *.** GB and received *.** GB.
(The date is not the same because I had restarted my relay in between.)
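Instead of watching `tail -f`, the log lines this page tells you to look for can be checked by a script. This is an added example, not part of the original page. The log lines are constructed from the notice messages shown above (192.0.2.10 is a documentation address), and `relay_status` is a hypothetical helper name.

```python
import re

# Constructed sample modelled on the notice lines shown on this page.
SAMPLE_LOG = """\
Jul 05 16:39:16.000 [notice] Bootstrapped 5%: Connecting to directory server.
Jul 05 16:39:26.000 [notice] Bootstrapped 100%: Done.
Jul 05 16:39:26.000 [notice] Now checking whether ORPort 192.0.2.10:9001 and DirPort 192.0.2.10:9030 are reachable...
Jul 05 16:39:28.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Jul 05 16:39:28.000 [notice] Self-testing indicates your DirPort is reachable from the outside. Excellent.
Jul 06 22:54:45.000 [notice] Heartbeat: Tor's uptime is 6:00 hours, with 12 circuits open. I've sent 1.20 GB and received 1.31 GB.
"""

BOOT = re.compile(r"Bootstrapped (\d+)%")
REACH = re.compile(r"Self-testing indicates your (ORPort|DirPort) is reachable")
BEAT = re.compile(r"Heartbeat: Tor's uptime is (\S+) hours.*sent (\S+ \w+) and received (\S+ \w+)")

def relay_status(log_text):
    """Summarise bootstrap progress, self-test results and the last heartbeat."""
    status = {"bootstrap": 0, "orport": False, "dirport": False, "heartbeat": None}
    for line in log_text.splitlines():
        m = BOOT.search(line)
        if m:
            pct = int(m.group(1))
            # A restart logs the bootstrap sequence again: older self-test
            # results no longer describe the running process, so reset them.
            if pct < status["bootstrap"]:
                status["orport"] = status["dirport"] = False
            status["bootstrap"] = pct
        m = REACH.search(line)
        if m:
            status[m.group(1).lower()] = True
        m = BEAT.search(line)
        if m:
            status["heartbeat"] = m.groups()   # (uptime, sent, received)
    return status

if __name__ == "__main__":
    print(relay_status(SAMPLE_LOG))
```

On a real relay, pass the contents of /var/log/tor/log to `relay_status`; a result with `orport` still `False` after the 20 minutes mentioned in the log means the mandatory self-test message never appeared.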
To shut down your relay
:~$ /etc/init.d/tor stop
This will take 30 seconds so as not to break current connections, so please wait those 30 seconds.
If you have any problem, you can ask on #telecomix, #tor or on the OFTC irc #tor
In case of abuse
The Tor Project has a collection of abuse templates to help you respond to other types of abuse complaints, too. https://trac.torproject.org/projects/tor/wiki/doc/TorAbuseTemplates
Bonus
What is Tor Weather?
Tor Weather provides an email notification service to any users who want to monitor the status of a Tor node. Upon subscribing, you can specify what types of alerts you would like to receive. The main purpose of Tor Weather is to notify node operators via email if their node is down for longer than a specified period, but other notification types are available.
Why should I subscribe?
Tor Weather is useful to node operators who want to know as soon as their router is down in order to fix the problem. You can also use Tor Weather to notify you when your router is running an out of date version of Tor or when your router has earned you a Tor T-shirt.
What if I set my router to hibernate?
You will not receive a Tor Weather report simply because the node you are monitoring is hibernating. However, if a node goes down during a hibernation period, there will likely be some delay (no more than 18 hours) before we recognize the node as down and send a notification.
Will I be spammed by Tor Weather reports?
No! You can change your preferences to minimize your Tor Weather email notifications. You can unsubscribe at any time.
To sign up for Tor Weather: https://weather.torproject.org/subscribe/