# Setting up a TOR bridge

Recent events show how important it is for all the world's citizens to have a reliable, unmonitored, uncensored way to access the internet. The [TOR](https://torproject.org) project offers just that.

TOR is made of a series of interconnected computers called TOR nodes. When you make a normal connection to a website, both the website and your internet provider (and therefore the government) can know what your IP is (and therefore who you are, as the provider has a list of which of their clients is using which IP) and what IP you are visiting. So your internet activities can be monitored and some of them made inaccessible.

When using TOR to visit the same website, your computer only communicates with a TOR node. That TOR node encrypts your request and transfers it through any number of intermediary TOR nodes. Each of them only knows the IP of the previous and the next node. The last node connects to the website you are trying to visit. Even more, the communication between you and the first TOR node is camouflaged so it looks like, say, a Skype conversation. TOR uses many different applications as camouflage, so it is pretty hard for someone to figure out that it is in fact TOR traffic.

The website doesn't know who is visiting it: it only has the IP of the last TOR node. Your internet provider only knows you visited the IP of the first TOR node, and it looks to them like normal internet traffic. The TOR project is very serious about all this, and the efficiency of everything I wrote above is regularly tested and assessed.

Only problem: what if your government has the list of all IPs of all TOR nodes? Then they could know you are using TOR, and maybe block it. That's where bridges come in. Bridges are TOR nodes whose IP address is unpublished. Nobody is able to obtain the complete list. If you request a bridge IP from TOR, you will get only a couple, and new bridges get added all the time.
For that, it is useful that people with a few megabits to spare on their broadband internet connection help the system by setting up a TOR bridge. Since I have a spare laptop here doing nothing and a comfortable fiber internet connection, I set up a TOR bridge. Here it goes:

### 1. Install Debian

[Debian](https://debian.org) is my distro of choice, but this should work for any Linux distribution. The instructions below should work out of the box for any Debian-based distro such as Ubuntu or Mint.

The standard way is to [install Debian from a minimal ISO](https://www.debian.org/download), which will then download all necessary packages during the install, but I would recommend using an [alternative minimal ISO](https://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/) that includes firmware to overcome wifi setup problems. Install everything the standard way, with Gnome or your favourite desktop environment, but as we will use it as a server we'll disable the graphical login later.

### 2. System setup

Set a new hostname to recognize the machine on the network:

```bash
sudo hostnamectl set-hostname new_hostname
```

Add your user to sudoers, so you can use sudo from it:

```bash
su
/sbin/usermod -a -G sudo YourUserName
exit
```

You need to restart, or log off and log in again, for this to take effect.
Verify that your user is in the sudo group with:

```bash
groups
```

Install ssh so you can access your server from another computer:

```bash
sudo apt install ssh
```

Verify that ssh is running:

```bash
sudo systemctl status ssh
```

Normally installing ssh will automatically have activated it, but if not, enable and start ssh:

```bash
sudo systemctl enable --now ssh
```

Install tmux, which is useful to launch processes from an ssh session that need to keep running after you close the ssh session:

```bash
sudo apt install tmux
```

I prefer micro over nano, so I also installed micro:

```bash
sudo apt install micro
```

Install vbetool to be able to switch the display on/off:

```bash
sudo apt install vbetool
```

You can then turn the laptop display off and on with:

```bash
sudo vbetool dpms off
sudo vbetool dpms on
```

To prevent the laptop from suspending when the lid is closed, edit `/etc/systemd/logind.conf` and change:

```
HandleLidSwitch=suspend
```

to:

```
HandleLidSwitch=ignore
```

And then restart the service:

```bash
sudo systemctl restart systemd-logind.service
```

If using SSH keys, copy your SSH key to the server from another computer:

```bash
ssh-copy-id username@remote_host
```

Verify that it is working:

```bash
ssh username@remote_host
```

Optionally, disable password authentication (recommended) by editing the server configuration `/etc/ssh/sshd_config` (not the client's `ssh_config`) and setting:

```
PasswordAuthentication no
```

Then restart ssh:

```bash
sudo systemctl restart ssh
```

### 3. Enable automatic updates

First enable automatic, unattended software updates. Put the lines below into the configuration file `/etc/apt/apt.conf.d/50unattended-upgrades`, adding `"origin=TorProject"` under the other `"origin="` lines in `Unattended-Upgrade::Origins-Pattern`:

```
Unattended-Upgrade::Origins-Pattern {
    ...
    "origin=Debian,codename=${distro_codename},label=Debian-Security";
    "origin=TorProject";
    ...
};
```

Edit the file `/etc/apt/apt.conf.d/20auto-upgrades` and add the following content:

```
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::AutocleanInterval "5";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Verbose "1";
```

You can test your unattended-upgrades setup with the following command:

```bash
unattended-upgrade --debug
```

If you just want to see the debug output but don't change anything, use:

```bash
unattended-upgrade --debug --dry-run
```

### 4. Install and configure TOR

First install all the TOR packages and the obfs4 camouflager:

```bash
sudo apt install tor
sudo apt install obfs4proxy
```

Now choose two port numbers as you like. Both will need to be reachable from outside your network. Avoid 9001 because it's commonly associated with Tor and censors may be scanning the Internet for this port. I chose 29008 and 29009 just because. The `ContactInfo` is not visible to outside people, only to TOR people.

To set your computer up as a TOR node (by default it doesn't do anything), edit your TOR config file, usually located at `/etc/tor/torrc`, and replace:

```
BridgeRelay 0
```

with:

```
BridgeRelay 1
```

Then add the following lines at the end of the file:

```
ORPort 29008
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:29009
ExtORPort auto
ContactInfo address@email.com
Nickname ANickNameForYourBridge
```

And if you want to limit the bandwidth used by TOR, add these lines:

```
AccountingStart day 0:00
AccountingMax 50 GBytes
RelayBandwidthRate 1000 KBytes
RelayBandwidthBurst 5000 KBytes
```

To work around systemd hardening, you will also need to set `NoNewPrivileges=no` in both `/lib/systemd/system/tor@default.service` and `/lib/systemd/system/tor@.service`. Then reload the systemd daemon:

```bash
sudo systemctl daemon-reload
```

Enable and start your TOR node:

```bash
sudo systemctl enable --now tor.service
```

Verify that it is running:

```bash
sudo systemctl status tor.service
```
To confirm your bridge is running with no issues, run:

```bash
sudo journalctl -e -u tor@default
```

You should see something like this:

```
[notice] Your Tor server's identity key fingerprint is ' '
[notice] Your Tor bridge's hashed identity key fingerprint is ' '
[notice] Registered server transport 'obfs4' at '[::]:46396'
[notice] Tor has successfully opened a circuit. Looks like client functionality is working.
[notice] Bootstrapped 100%: Done
[notice] Now checking whether ORPort :3818 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
[notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
```

### 5. Open both TOR ports on your router

This basically means forwarding the traffic that arrives at your external IP on port 29008 to the laptop's IP on port 29008, and the same for the second port. You need to refer to the operation manual of your router, but it usually involves accessing the "port sharing" or "port forwarding" functionality in the web admin panel of your router and setting up two port forwardings, one for each of the TOR ports we defined above.

We can now test if our TOR bridge works by visiting the TCP reachability test page at https://bridges.torproject.org/scan/

### 6. Switch to console mode

When all the initial setup is done, we don't need the graphical interface anymore, so we can set our laptop to start in console mode and access it over SSH from now on:

```bash
sudo systemctl set-default multi-user.target
```

If needed after that, you can always start the graphical interface by issuing `startx`.

### References:

1. [New life for an old laptop as a Linux home server](https://www.dwarmstrong.org/laptop-home-server/)
2. [How to Change Hostname in Debian](https://linuxhandbook.com/debian-change-hostname/)
3. [How to Add User to Sudoers in Debian](https://linuxize.com/post/how-to-add-user-to-sudoers-in-debian/)
4. [How To Boot To Console (Text) Mode Using Debian / Ubuntu, Fedora, Arch Linux / Manjaro And More](https://www.linuxuprising.com/2020/01/how-to-boot-to-console-text-mode-in.html?m=1)
5. [Linux List All IP Addresses on the Interface](https://linuxhint.com/list-ip-addresses-interface-linux/)
6. [How To Install and Enable SSH Server on Debian 10](https://devconnected.com/how-to-install-and-enable-ssh-server-on-debian-10/)
7. [How to Set Up SSH Keys on Debian 11](https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys-on-debian-11)
8. [Enable automatic updates on Debian/Ubuntu](https://community.torproject.org/relay/setup/guard/debian-ubuntu/updates/)
9. [Setting up a TOR bridge on Debian/Ubuntu](https://community.torproject.org/relay/setup/bridge/debian-ubuntu/)
10. [Setting up a MyFRITZ! sharing](https://en.avm.de/service/knowledge-base/dok/FRITZ-Box-7530/1376_Setting-up-MyFRITZ-sharings/)
11. [How To Disable WiFi on Linux System: GUI and CLI Methods](https://www.ubuntupit.com/how-to-disable-wifi-on-linux-system-gui-and-cli-methods/?amp=1)
12. [How can I limit the total amount of bandwidth used by my Tor relay?](https://support.torproject.org/relay-operators/limit-total-bandwidth/)
13. [Prioritizing internet access for important network applications and devices on fritzbox](https://en.avm.de/service/knowledge-base/dok/FRITZ-Box-7530/228_Prioritizing-internet-access-for-important-network-applications-and-devices/)
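A check for the password-authentication step in section 2. sshd keeps the first value it reads for a keyword, and Debian's stock `sshd_config` starts with `Include /etc/ssh/sshd_config.d/*.conf`, so a drop-in file in that directory that still says `yes` silently wins over a `PasswordAuthentication no` appended to the end of the main file. The script below is an added example, not from the original post and not part of OpenSSH or Debian: it resolves the effective value the way sshd does (first match, Include files read in place, globals ending at the first `Match` block). The function names, `SSHD_CONFDIR` and the sample files are my own constructions.

```sh
#!/bin/sh
# Added example (not from the original post): resolve the effective value of an
# sshd_config keyword the way sshd does. sshd keeps the FIRST value it reads for
# a keyword, and Debian's stock /etc/ssh/sshd_config begins with
# "Include /etc/ssh/sshd_config.d/*.conf", so a drop-in file there overrides a
# "PasswordAuthentication no" appended at the end of the main file.
# Assumptions (mine, not the page's): relative Include paths resolve against
# $SSHD_CONFDIR (sshd uses /etc/ssh); scanning stops at the first Match block,
# because global keywords are not valid after it.
: "${SSHD_CONFDIR:=/etc/ssh}"

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# _scan_sshd_file <file> <lowercase keyword>
# Prints the first value found (descending into Include files in place) and
# returns 0; returns 1 if the keyword is not set before EOF or a Match block.
_scan_sshd_file() {
  _file=$1; _kw=$2
  [ -r "$_file" ] || return 1
  while IFS= read -r _line || [ -n "$_line" ]; do
    _line=${_line%%#*}                                              # drop comments
    case $_line in *=*) _line="${_line%%=*} ${_line#*=}" ;; esac    # "Key=value" form
    set -f; set -- $_line; set +f                                   # split words, no globbing yet
    [ $# -eq 0 ] && continue
    _key=$(lower "$1"); shift
    case $_key in
      match) return 1 ;;
      include)
        for _inc; do
          case $_inc in /*) ;; *) _inc="$SSHD_CONFDIR/$_inc" ;; esac
          for _path in $_inc; do                                    # expand the glob now
            _found=$(_scan_sshd_file "$_path" "$_kw") && { printf '%s\n' "$_found"; return 0; }
          done
        done ;;
      "$_kw") printf '%s\n' "$*"; return 0 ;;
    esac
  done < "$_file"
  return 1
}

# effective_sshd_option <config-file> <Keyword> : prints the value or "unset"
effective_sshd_option() {
  _v=$(_scan_sshd_file "$1" "$(lower "$2")") || _v=unset
  printf '%s\n' "$_v"
}

# Constructed demo mirroring Debian's layout. The drop-in value is the argument
# (empty = no drop-in); the main file appends "PasswordAuthentication no" and a
# per-address Match block, as an admin following section 2 might.
demo_password_auth() {
  _root=$(mktemp -d)
  mkdir -p "$_root/sshd_config.d"
  if [ -n "$1" ]; then
    printf 'PasswordAuthentication %s\n' "$1" > "$_root/sshd_config.d/50-constructed.conf"
  fi
  cat > "$_root/sshd_config" <<'EOF'
# constructed sample of /etc/ssh/sshd_config
Include sshd_config.d/*.conf
Port 22
PasswordAuthentication no
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF
  SSHD_CONFDIR=$_root
  effective_sshd_option "$_root/sshd_config" PasswordAuthentication
  rm -rf "$_root"
}

demo_password_auth yes   # prints: yes  (the drop-in wins; the appended "no" is ignored)
demo_password_auth ""    # prints: no   (no drop-in; the Match block only affects that subnet)
```

On the real server the authoritative check is sshd itself: `sudo sshd -t` validates the file, and `sudo sshd -T | grep -i passwordauthentication` prints the value sshd actually uses; run both before restarting the service so a typo cannot lock you out.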
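A check for the journal reading in section 4 and the port forwarding in section 5. Tor will start happily even if the ports it ended up using are not the ones forwarded on the router; note that the journal excerpt quoted in section 4 registers obfs4 on port 46396 and tests an ORPort of 3818, not the 29009 and 29008 configured earlier in the post. The script below is an added example, not part of the post or of the Tor project: it reads the relevant torrc settings, lints them against the advice given above (two distinct ports, neither 9001, `BridgeRelay 1`, `ExtORPort auto`), and classifies a journal excerpt as reachable, unreachable or pending while warning when obfs4 was registered on a port other than the forwarded one. The function names and the sample torrc and log are mine; the reachability failure text it looks for is an assumption, only the success notice comes from the page.

```sh
#!/bin/sh
# Added example (not from the original post): cross-check the bridge's torrc
# against what tor reports in the journal. A port tor chose on its own is not
# the one forwarded on the router, so configured and reported ports must agree.
# Assumptions (mine, not the page's): a torrc keyword given twice takes its
# last value; ports are written as bare numbers as in the post; the
# "has not managed to confirm reachability" text is tor's failure counterpart
# of the success notice quoted on the page.

# torrc_value <torrc> <Keyword> : last value of Keyword, empty if unset
torrc_value() {
  sed -n -e 's/#.*//' -e 's/[[:space:]]*$//' \
      -e "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | tail -n 1
}

# obfs4_port <torrc> : port from "ServerTransportListenAddr obfs4 ADDR:PORT"
obfs4_port() {
  torrc_value "$1" ServerTransportListenAddr |
    awk '$1 == "obfs4" { n = split($2, a, ":"); print a[n] }'
}

# port_ok <port> : true for 1..65535 except 9001, which censors scan for
port_ok() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ] && [ "$1" -ne 9001 ]
}

# lint_bridge_torrc <torrc> : one line per problem; exit status = problem count
lint_bridge_torrc() {
  _n=0
  _or=$(torrc_value "$1" ORPort); _ob=$(obfs4_port "$1")
  [ "$(torrc_value "$1" BridgeRelay)" = 1 ] || { echo "BridgeRelay is not 1"; _n=$((_n + 1)); }
  port_ok "$_or" || { echo "ORPort '$_or' is missing, invalid or 9001"; _n=$((_n + 1)); }
  port_ok "$_ob" || { echo "obfs4 port '$_ob' is missing, invalid or 9001"; _n=$((_n + 1)); }
  [ "$_or" != "$_ob" ] || { echo "ORPort and obfs4 port must differ"; _n=$((_n + 1)); }
  [ "$(torrc_value "$1" ExtORPort)" = auto ] || { echo "ExtORPort auto is missing"; _n=$((_n + 1)); }
  return $_n
}

# bridge_status <journal-excerpt> <forwarded obfs4 port>
# Prints reachable | unreachable | pending; warns on stderr if obfs4 was
# registered on a different port than the one you forwarded.
bridge_status() {
  _reg=$(sed -n "s/.*Registered server transport 'obfs4' at '[^']*:\([0-9]*\)'.*/\1/p" "$1" | tail -n 1)
  if [ -n "$_reg" ] && [ "$_reg" != "$2" ]; then
    echo "warning: obfs4 listens on $_reg, not on the forwarded port $2" >&2
  fi
  if grep -q 'Self-testing indicates your ORPort is reachable' "$1"; then
    echo reachable
  elif grep -q 'has not managed to confirm reachability' "$1"; then
    echo unreachable
  else
    echo pending
  fi
}

# Constructed demo: the post's torrc lines, and a journal excerpt modelled on
# the one quoted in section 4 (obfs4 on 46396 although 29009 was configured).
demo_bridge_check() {
  _d=$(mktemp -d)
  cat > "$_d/torrc" <<'EOF'
BridgeRelay 1
ORPort 29008
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:29009
ExtORPort auto
ContactInfo address@email.com
Nickname ANickNameForYourBridge
EOF
  cat > "$_d/tor.log" <<'EOF'
[notice] Registered server transport 'obfs4' at '[::]:46396'
[notice] Bootstrapped 100%: Done
[notice] Now checking whether ORPort :3818 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
[notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
EOF
  _rc=0; lint_bridge_torrc "$_d/torrc" || _rc=$?
  echo "torrc problems: $_rc"                                   # prints: torrc problems: 0
  bridge_status "$_d/tor.log" "$(obfs4_port "$_d/torrc")"      # prints: reachable (plus a warning on stderr)
  rm -rf "$_d"
}
demo_bridge_check
```

On the bridge itself, feed it the live journal with `sudo journalctl -u tor@default --no-pager > /tmp/tor.log` and point `lint_bridge_torrc` at `/etc/tor/torrc`; a `pending` result within the first twenty minutes after a restart is normal, a persistent one means the router forwarding in section 5 is not reaching the laptop.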