Setting up a TOR bridge
Recent events show how important it is for all the world's citizens to have a reliable, unmonitored, uncensored way to access the internet. The TOR project offers just that. TOR is made of a series of interconnected computers called TOR nodes.
When you make a normal connection to a website, both the website and your internet provider (and therefore the government) can learn what your IP is (and therefore who you are, since the provider keeps a list of which of its clients is using which IP) and which IP you are visiting. So your internet activities can be monitored, and some of them made inaccessible.
When using TOR to visit the same website, your computer only communicates with a TOR node. That node then encrypts your request and passes it on through any number of intermediary TOR nodes, each of which only knows the IP of the previous and the next node. The last node connects to the website you are trying to visit.
Even better, the communication between you and the first TOR node is camouflaged so that it looks like, say, a Skype conversation. TOR uses many different applications as camouflage, so it is pretty hard for an observer to figure out that it is in fact TOR traffic.
The website doesn't know who is visiting it; it only has the IP of the last TOR node. Your internet provider only knows you visited the IP of the first TOR node, and to them it looks like normal internet traffic.
The TOR project takes all this very seriously, and the effectiveness of everything I wrote above is regularly tested and assessed.
There is one problem, though: what if your government has the list of IPs of all TOR nodes? Then it could know you are using TOR, and maybe block it. That's where bridges come in. Bridges are TOR nodes whose IP address is unpublished, so nobody is able to obtain the complete list. If you request a bridge IP from TOR, you only get a couple, and new bridges get added all the time. For that to work, it helps when people with a few megabits to spare on their broadband internet connection support the system by setting up a TOR bridge. Since I have a spare laptop here doing nothing and a comfortable fiber internet connection, I set up a TOR bridge. Here it goes:
1. Install Debian
Debian is my distro of choice, but this should work on any Linux distribution; the instructions below should work out of the box on any Debian-based distro such as Ubuntu or Mint.
The standard way is to install Debian from a minimal ISO, which then downloads all necessary packages during the install, but I would recommend using an alternative minimal ISO that includes firmware, to avoid wifi setup problems.
Install everything the standard way, with Gnome or your favourite desktop environment; since we will use the machine as a server, we'll disable the graphical login later.
2. System setup
Set a new hostname to recognize the machine on the network:
sudo hostnamectl set-hostname new_hostname
Add your user to sudoers, so you can use sudo from it:
su
/sbin/usermod -a -G sudo YourUserName
exit
You need to restart, or log off and log in again, for this to take effect. Verify that your user is in the sudo group with:
groups
Install ssh so you can access your server from another computer:
sudo apt install ssh
Verify that ssh is running:
sudo systemctl status ssh
Normally installing ssh will automatically have activated it, but if not, enable & start ssh:
sudo systemctl enable --now ssh
Install tmux, which is useful to launch processes from an ssh session that need to keep running after you have closed the ssh session:
sudo apt install tmux
I prefer micro over nano, so I also installed micro:
sudo apt install micro
Install vbetool to be able to switch the display on/off:
sudo apt install vbetool
You can then turn the laptop display on/off with:
sudo vbetool dpms off
sudo vbetool dpms on
To prevent the laptop from suspending when the lid is closed, edit /etc/systemd/logind.conf and change:
HandleLidSwitch=suspend
to:
HandleLidSwitch=ignore
And then restart the service:
sudo systemctl restart systemd-logind.service
If using SSH keys, copy your SSH key to the server from another computer:
ssh-copy-id username@remote_host
Verify that it is working:
ssh username@remote_host
Optionally (and recommended), disable password authentication by editing the server configuration /etc/ssh/sshd_config and setting:
PasswordAuthentication no
Then restart ssh:
sudo systemctl restart ssh
3. Enable automatic updates
First enable automatic, unattended software updates. Open the configuration file /etc/apt/apt.conf.d/50unattended-upgrades and add "origin=TorProject" under the other "origin=" lines in the Unattended-Upgrade::Origins-Pattern block:
Unattended-Upgrade::Origins-Pattern {
...
"origin=Debian,codename=${distro_codename},label=Debian-Security";
"origin=TorProject";
...
};
Edit the file /etc/apt/apt.conf.d/20auto-upgrades
and add the following content:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::AutocleanInterval "5";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Verbose "1";
You can test your unattended-upgrades setup with the following command:
unattended-upgrade --debug
If you just want to see the debug output but don't change anything use:
unattended-upgrade --debug --dry-run
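The Origins-Pattern edit above is easy to get wrong by hand and easy to duplicate when a provisioning script is re-run. The following is an added example, not code from the original post: a POSIX shell function that inserts the "origin=TorProject" entry at the end of the Origins-Pattern block only if it is not already there, plus a counter to verify the result. It assumes the file uses the "Name {" ... "};" layout shown above.

```shell
#!/bin/sh
# Added example, not code from the original post: idempotently add the
# "origin=TorProject" entry to the Unattended-Upgrade::Origins-Pattern block
# of an apt configuration file, so a provisioning script can be re-run safely.
# Usage: add_tor_origin /etc/apt/apt.conf.d/50unattended-upgrades

add_tor_origin() {
    conf="$1"
    # Already present: do nothing, so re-running never duplicates the entry.
    if grep -q '"origin=TorProject";' "$conf"; then
        return 0
    fi
    tmp="$(mktemp)" || return 1
    # Insert the entry just before the "};" that closes the Origins-Pattern block.
    awk '
        /^Unattended-Upgrade::Origins-Pattern/ { inblock = 1 }
        inblock && /^[[:space:]]*};/ {
            print "        \"origin=TorProject\";"
            inblock = 0
        }
        { print }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite in place with cat so the file keeps its owner and permissions.
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Number of TorProject entries in the file; exactly 1 means the block is correct.
count_tor_origin() {
    grep -c '"origin=TorProject";' "$1"
}
```

Run it as root (or via sudo) against the real file; the count should print 1 no matter how many times the first function has been called.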
4. Install and configure TOR
First install the TOR packages and obfs4proxy, the camouflage layer mentioned above:
sudo apt install tor
sudo apt install obfs4proxy
Now choose two port numbers as you like. Both will need to be reachable from outside your network. Avoid 9001 because it's commonly associated with Tor and censors may be scanning the Internet for this port. I chose 29008 and 29009 just because. The ContactInfo is not visible to outside people, only to TOR people.
To set your computer up as a TOR node (by default it doesn't act as one), edit your TOR config file, usually located at /etc/tor/torrc, and replace:
BridgeRelay 0
with:
BridgeRelay 1
Then add the following lines at the end of the file:
ORPort 29008
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:29009
ExtORPort auto
ContactInfo address@email.com
Nickname ANickNameForYourBridge
And if you want to limit the bandwidth used by TOR, add these lines:
AccountingStart day 0:00
AccountingMax 50 GBytes
RelayBandwidthRate 1000 KBytes
RelayBandwidthBurst 5000 KBytes
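Before restarting tor it is worth checking that the torrc actually follows the rules given above (bridge mode on, obfs4 declared, two distinct ports, neither of them 9001), since a wrong port pair fails silently or makes the bridge trivially identifiable. This is an added example, not code from the original post: a POSIX shell checker that reads a torrc and prints every rule it violates. The option names and the file layout are those shown in this section; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: sanity-check a torrc against
# the rules of this section (BridgeRelay on, obfs4 declared, two distinct ports,
# neither of them 9001) before restarting tor. Prints one problem per line and
# returns non-zero if any were found.  Usage: check_torrc /etc/tor/torrc

# First value of a torrc option, ignoring comments, e.g. torrc_get torrc ORPort
torrc_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p" "$1" | head -n 1
}

check_torrc() {
    conf="$1"
    problems=0
    orport="$(torrc_get "$conf" ORPort)"
    # "ServerTransportListenAddr obfs4 0.0.0.0:29009": take the port after the last ':'
    obfsport="$(sed -n 's/^[[:space:]]*ServerTransportListenAddr[[:space:]]\{1,\}obfs4[[:space:]]\{1,\}.*:\([0-9]\{1,\}\).*/\1/p' "$conf" | head -n 1)"

    [ "$(torrc_get "$conf" BridgeRelay)" = "1" ] || { echo "BridgeRelay must be 1"; problems=1; }
    grep -q '^[[:space:]]*ServerTransportPlugin[[:space:]]\{1,\}obfs4[[:space:]]' "$conf" \
        || { echo "no ServerTransportPlugin obfs4 line"; problems=1; }
    [ -n "$orport" ] || { echo "ORPort is not set"; problems=1; }
    [ -n "$obfsport" ] || { echo "no obfs4 ServerTransportListenAddr port"; problems=1; }
    if [ -n "$orport" ] && [ "$orport" = "$obfsport" ]; then
        echo "ORPort and the obfs4 port must differ"; problems=1
    fi
    for p in "$orport" "$obfsport"; do
        if [ "$p" = "9001" ]; then
            echo "port 9001 is the well-known Tor port; choose an unrelated one"; problems=1
        fi
    done
    return "$problems"
}
```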
To work around systemd hardening, you will also need to set NoNewPrivileges=no in both /lib/systemd/system/tor@default.service and /lib/systemd/system/tor@.service.
Then restart the system daemon:
sudo systemctl daemon-reload
Enable and start your TOR node:
sudo systemctl enable --now tor.service
Verify that it is running:
sudo systemctl status tor.service
To confirm your bridge is running with no issues, run:
sudo journalctl -e -u tor@default
You should see something like this:
[notice] Your Tor server's identity key fingerprint is '<NICKNAME> <FINGERPRINT>'
[notice] Your Tor bridge's hashed identity key fingerprint is '<NICKNAME> <HASHED FINGERPRINT>'
[notice] Registered server transport 'obfs4' at '[::]:46396'
[notice] Tor has successfully opened a circuit. Looks like client functionality is working.
[notice] Bootstrapped 100%: Done
[notice] Now checking whether ORPort <redacted>:3818 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
[notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
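The three notices that matter in that output are the transport registration, the 100% bootstrap and the ORPort reachability confirmation; the last one may take up to 20 minutes to appear, so "not there yet" is a state worth distinguishing from "broken". As an added example (not code from the original post), here is a small POSIX shell filter that reads the journal on stdin and reports which stage the bridge has reached, plus a helper that pulls out the hashed fingerprint (the identifier used to look a bridge up on Tor Metrics, as opposed to the raw identity fingerprint, which should stay private). The exact notice strings are the ones shown above; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: summarise bridge health from
# the tor journal notices shown above. Reads the log on stdin, prints one of
#   no-transport, not-bootstrapped, orport-unconfirmed, ok
# and returns non-zero unless the bridge is fully up.  Typical use:
#   sudo journalctl -u tor@default --no-pager | bridge_status

bridge_status() {
    log="$(cat)"
    # Each test looks for the exact notice tor emits at that stage, in the order
    # they appear: transport registered, bootstrapped, ORPort reachability confirmed.
    if ! printf '%s\n' "$log" | grep -q "Registered server transport 'obfs4'"; then
        echo no-transport; return 1
    fi
    if ! printf '%s\n' "$log" | grep -q 'Bootstrapped 100%'; then
        echo not-bootstrapped; return 1
    fi
    # Reachability is confirmed only by the self-test notice; the "Now checking
    # whether ORPort ... is reachable" line alone means the test is still pending.
    if ! printf '%s\n' "$log" | grep -q 'ORPort is reachable from the outside'; then
        echo orport-unconfirmed; return 1
    fi
    echo ok
}

# Extract the hashed fingerprint from the "hashed identity key fingerprint is
# '<NICKNAME> <HASHED FINGERPRINT>'" notice; this is the value to quote when
# looking the bridge up, never the unhashed identity key fingerprint.
bridge_hashed_fingerprint() {
    sed -n "s/.*hashed identity key fingerprint is '[^ ']* \([^']*\)'.*/\1/p"
}
```

The exit code makes it usable from a cron job or monitoring check: anything other than "ok" returns 1.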
5. Open both TOR ports on your router
This basically means forwarding traffic arriving at your external IP on port 29008 to the laptop's IP on port 29008, and likewise for port 29009.
You will need to refer to your router's manual, but it usually involves opening the "port sharing" or "port forwarding" section of the router's web admin panel and setting up two port forwards, one for each of the TOR ports we defined above.
We can now test if our TOR bridge works by visiting the TCP reachability test page at https://bridges.torproject.org/scan/
6. Switch to console mode
When all the initial setup is done, we don't need the graphical interface anymore, so we can set our laptop to start in console mode, and access it from SSH from now on:
sudo systemctl set-default multi-user.target
If needed after that, you can always start the graphical interface by issuing startx.