extends article.pug
block append head
link(rel='canonical' href='https://arav.su/stuff/article/setting_up_a_tor_proxy_relay_hiddenserv')
block article
header
h2 Setting up a Tor proxy, relay and hidden service
div.menu
a(href='/stuff#articles') Go back to articles list
time(datetime='2020-08-15') 15 August 2020
nav
h3 Contents
ol
li #[a(href='#art-1') Introduction]
li #[a(href='#art-2') Installation]
li #[a(href='#art-3') Configuration]
ol
li #[a(href='#art-3-1') Tor SOCKS/HTTP proxy]
li #[a(href='#art-3-2') Tor relay]
li #[a(href='#art-3-3') Hidden service]
li #[a(href='#art-4') Miscellaneous]
ol
li #[a(href='#art-4-1') Nyx — status monitor for Tor nodes]
li #[a(href='#art-4-2') Notes]
h3#art-1 #[a(href='#art-1') 1. Introduction]
p In this article I'll show you how to set up your own Tor proxy (SOCKS5 and HTTP), relay, and hidden service.
h3#art-2 #[a(href='#art-2') 2. Installation]
p Install the #[code tor] package using your package manager.
p You definitely want to have control over your node and to monitor it. For that purpose there is the #[code nyx] tool; I'll cover it in section 4.1.
p Any program can be routed through Tor using #[code torify] from the #[code torsocks] package.
h3#art-3 #[a(href='#art-3') 3. Configuration]
p Tor ships with a well-documented #[code torrc-dist] file. You may simply copy #[code torrc-dist] to #[code torrc] and change what you need.
h4#art-3-1 #[a(href='#art-3-1') 3.1. Tor SOCKS/HTTP proxy]
p Here is an example of SOCKS/HTTP proxy settings:
pre
| # One SocksPort / HTTPTunnelPort line per address to listen on.
| SocksPort 192.168.0.100:9050
| SocksPort [ipv6 address]:9050
| HTTPTunnelPort 192.168.0.100:8118
| HTTPTunnelPort [ipv6 address]:8118
|
| SocksPolicy accept 192.168.0.0/24
| SocksPolicy accept6 [012:3fe1:337::]/48
| SocksPolicy reject *
|
| BandwidthRate 70MBits
| BandwidthBurst 100MBits
|
| ExcludeNodes {ru}, {ua}, {by}, {kz}, {??}
| ExcludeExitNodes {ru}, {ua}, {by}, {kz}, {??}
p #[code SocksPort] sets the IP address and port for the SOCKS5 proxy to listen on; #[code HTTPTunnelPort] does the same for the HTTP proxy. You may leave just the port number to listen on all interfaces.
p The #[code SocksPolicy] option has the form #[code accept|reject IP-subnet[, ...]]. It specifies which subnets are allowed or denied to use the SOCKS proxy, so there may be multiple entries. For example, #[code SocksPolicy accept 192.168.1.0/24] allows everyone from that network to use it. To forbid all other networks, add #[code reject *] after all other #[code SocksPolicy] entries. You may prefer to keep them on separate lines for the sake of readability.
p #[code BandwidthRate] and #[code BandwidthBurst] set the average and the maximum speed of incoming and outgoing connections for the proxy. #[code BandwidthBurst] must be greater than or equal to #[code BandwidthRate]. Values may look like #[code 70MBits], #[code 10MBytes] or #[code 5MB].
p #[code HTTPTunnelPort] enables the HTTP proxy; set it to the desired IP:port.
p There are also the #[code ExcludeNodes] and #[code ExcludeExitNodes] options, comma-separated lists of forbidden nodes. They may contain country codes, address patterns and identity fingerprints of nodes that must never be used in circuits, e.g. #[code {ru}, {??}, 123.45.*]. I recommend keeping at least #[code {??}] there to forbid misconfigured nodes or nodes of unknown origin, especially for exit nodes.
h4#art-3-2 #[a(href='#art-3-2') 3.2. Tor relay]
p Here is an example of relay settings:
pre
| # One ORPort line per address to listen on.
| ORPort 8443
| ORPort [::]:8443
| Nickname Anon
| Address example.org
| ContactInfo Anon &lt;anon@example.org&gt;
|
| RelayBandwidthRate 8MBits
| RelayBandwidthBurst 10MBits
|
| AccountingMax 6 GB
| # Pick one AccountingStart (a repeated option keeps only the last value): every midnight...
| AccountingStart day 00:00
| # ...or every 3rd day of the month.
| #AccountingStart month 3 00:00
|
| # In case you don't want to be an exit node.
| ExitPolicy reject *:*
p To enable a Tor relay you need to set the #[code ORPort] option.
p You should also provide some information about it. You have to set the #[code Nickname] option, which is the name of the relay. Optionally, yet recommended, you may fill the #[code ContactInfo] option with your e-mail address.
p If you leave your e-mail address there, the Tor Weather service will send you a notification if your node goes down.
p You can also set the #[code Address] option if you have a domain name, or set it to your public IP address. Otherwise, if you don't add it or comment it out, Tor will guess it.
p #[code RelayBandwidthRate] and #[code RelayBandwidthBurst] are the same as #[code BandwidthRate] and #[code BandwidthBurst], but for the relay.
p Add #[code ExitPolicy reject *:*] to disable the exit node if you don't need it. I found out that setting #[code ExitRelay] to 0 doesn't disable an exit node, so you must add the rejecting policy.
p #[code AccountingMax] and #[code AccountingStart] are used to limit traffic for a given period.
h4#art-3-3 #[a(href='#art-3-3') 3.3. Hidden service]
p There are two mandatory options to work with: #[code HiddenServiceDir] and #[code HiddenServicePort].
p Of course, there are many other options, e.g. client authentication. But in the simple case all you need are those two options above.
p Every hidden service starts with the #[code HiddenServiceDir &lt;path&gt;] directory, which contains the public and secret keys, the hostname of the hidden service, and a directory called #[code authorized_clients] that stores info on all clients authorized to access this hidden service.
p Then at least one #[code HiddenServicePort &lt;tor port&gt; &lt;host:port of service&gt;] line sets, as the first parameter, the port to listen on in the Tor network; the second one is the service you want to expose through Tor. E.g. #[code HiddenServicePort 80 localhost:8201] for a web server.
p This lets you expose many services under one Tor hostname.
p Example:
pre
| HiddenServiceDir /var/lib/tor/hidden-services/website
| HiddenServicePort 80 localhost:8201
| HiddenServicePort 25 192.168.1.160:25
h3#art-4 #[a(href='#art-4') 4. Miscellaneous]
h4#art-4-1 #[a(href='#art-4-1') 4.1. Nyx — status monitor for Tor nodes]
p You have to set the #[code ControlPort] option to the desired port; it will listen on localhost. If you need access from outside, set it to IP:9051. Also, you need to set the #[code DisableDebuggerAttachment] option to 0, otherwise you'll not be able to use nyx. At least in my case nyx cannot connect with this option set to 1.
p Example:
pre
| ControlPort 192.168.1.200:9051
| DisableDebuggerAttachment 0
p You may install it using your package manager, but the latest version is guaranteed to be available from Python's #[code pip] package manager (#[code pip install nyx]).
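p Before restarting Tor it is worth checking a torrc for the pitfalls from sections 3.1, 3.2, 3.3 and 4.1 (a misspelled Bandwidth option, a burst below the rate, a #[code SocksPolicy] without #[code reject *], a #[code ControlPort] reachable off-host with no authentication, missing #[code {??}], a #[code HiddenServicePort] without its directory). The checker below is an added example written for this article, not Tor's tooling or the author's code; option names and unit rules follow the tor(1) manual, and the sample torrc is constructed.

```python
import re
# Tor bandwidth units from tor(1), converted to bits. Added example, not the article's own code.
UNITS = {"kbits": 10**3, "mbits": 10**6, "gbits": 10**9, "tbits": 10**12, "bytes": 8, "kb": 8 * 10**3,
         "kbytes": 8 * 10**3, "mb": 8 * 10**6, "mbytes": 8 * 10**6, "gb": 8 * 10**9, "gbytes": 8 * 10**9}

def parse_torrc(text):
    """(option, value) pairs in file order; blank lines and '#' comments dropped."""
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    return [(ln.partition(" ")[0], ln.partition(" ")[2].strip()) for ln in lines if ln]

def to_bits(value):
    """'70MBits' -> 70000000, '6 GB' -> 48000000000; None for an unknown unit."""
    m = re.fullmatch(r"(\d+)\s*([A-Za-z]+)", value.strip())
    return int(m.group(1)) * UNITS[m.group(2).lower()] if m and m.group(2).lower() in UNITS else None

def lint_torrc(text):
    """Findings for the torrc pitfalls covered in sections 3.1, 3.2, 3.3 and 4.1."""
    pairs, opts, findings = parse_torrc(text), {}, []
    for k, v in pairs:
        opts.setdefault(k, []).append(v)
    # Tor refuses to start on an unknown option name, so this typo is fatal rather than cosmetic.
    findings += [f"{k}: Tor expects {k.replace('with', 'width')}" for k in opts if "bandwith" in k.lower()]
    for p in ("", "Relay"):  # Tor rejects a burst below the rate; unparsable values are skipped
        rb = to_bits(opts.get(p + "BandwidthRate", ["?"])[-1])
        bb = to_bits(opts.get(p + "BandwidthBurst", ["?"])[-1])
        if rb is not None and bb is not None and bb < rb:
            findings.append(f"{p}BandwidthBurst must be >= {p}BandwidthRate")
    policy = opts.get("SocksPolicy", [])
    if policy and not any(v.replace(" ", "") == "reject*" for v in policy):
        findings.append("SocksPolicy: no 'reject *' entry, so unmatched addresses are accepted")
    authed = "HashedControlPassword" in opts or opts.get("CookieAuthentication") == ["1"]
    for v in opts.get("ControlPort", []):  # address:port form bound off loopback
        if ":" in v and not v.startswith(("127.", "[::1]")) and not authed:
            findings.append(f"ControlPort {v}: reachable off-host with no authentication configured")
    for k in ("ExcludeNodes", "ExcludeExitNodes"):
        if k in opts and "{??}" not in opts[k][-1]:
            findings.append(f"{k}: add {{??}} to skip nodes of unknown origin")
    first_dir = next((i for i, (k, _) in enumerate(pairs) if k == "HiddenServiceDir"), len(pairs))
    for i, (k, v) in enumerate(pairs):  # a HiddenServicePort must follow its HiddenServiceDir
        if k == "HiddenServicePort" and i < first_dir:
            findings.append(f"HiddenServicePort {v}: no preceding HiddenServiceDir")
    return findings
# Constructed sample torrc (not from the article) carrying several of the pitfalls above.
SAMPLE = """SocksPort 192.168.0.100:9050
SocksPolicy accept 192.168.0.0/24
BandwithRate 70MBits
ControlPort 192.168.1.200:9051
ExcludeNodes {ru}, {ua}
HiddenServicePort 80 localhost:8201"""
```

Run #[code lint_torrc(open("/etc/tor/torrc").read())] against your own file; an empty list means none of these particular pitfalls were found.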
h4#art-4-2 #[a(href='#art-4-2') 4.2. Notes]
p I hope you have a static IP address, or that your IP changes at most once a month; otherwise you'll never become a guard (entry) node.
p The #[code AvoidDiskWrites] option is useful in case you're running from an SSD or SD card.
p You have to make a backup of the #[code /var/lib/tor/keys] folder to save your node's cryptographic identity keys, which are used to identify your node. You can see stats on your node at #[a(href="https://metrics.torproject.org" rel="noopener noreferrer" target="_blank") metrics.torproject.org]. To find your node, use what you put in the #[code Nickname] parameter or the fingerprint shown in nyx.