How to Set Up a Tor Relay on CentOS 6

From steamWiki

This how to covers setting up a Tor Relay under CentOS 6.

  1. Installing Tor
    1. BACKUP ANY FILES YOU MODIFY. I TYPICALLY CREATE A COPY NAMED <originalname>_bak_defaults
    2. Add the Tor Project Repositories to the Yum repos list
      1. Run sudo vi /etc/yum.repos.d/torproject.repo
      2. Add the following to the file
    3. Install tor
      1. Run sudo yum install tor
      2. Yum will ask if it is ok to install the GPG Key from torproject.org, say yes
    4. Install ntp & set it up as a daemon to keep your clock, date, & timezone accurate.
      1. Run sudo yum install ntp
      2. Start ntpd by running sudo service ntpd restart
      3. Enable ntpd to start at boot time by running sudo chkconfig ntpd on
    5. At this point you can reboot your system and hit Esc after entering your HDD Encryption Password and watch for ntpd and tor to start toward the end of the boot process if you want.
    6. Configure Tor to act as a Relay
      1. Create a Control Password (you'll use this later) by running sudo tor --hash-password '<yourpasswordhere>' > TempPassFile DON'T FORGET THE SINGLE QUOTES!
      2. Delete the record of your Control Password from your History
        1. Run history to see a numbered list of the commands you executed
        2. Find the entry for sudo tor --hash-password '<yourpasswordhere>' > TempPassFile and note the <LineNumber>
        3. Run history -d <LineNumber> to remove that line from your history
      3. Open your TempPassFile with vi /path/to/TempPassFile
      4. Arrow down to the last line and "yank" (copy) the line by hitting yy
      5. Open your /etc/tor/torrc from within vi by executing :e /etc/tor/torrc
      6. Uncomment HashedControlPassword ... to use a password to secure the ControlPort
      7. Hit p to "paste" the hashed password you yanked a few minutes ago. Erase the original long hash, replacing it with your pasted hash. This makes the Control Password the one you typed in earlier.
      8. Uncomment ORPort 9001 to enable the system as a Relay
      9. Uncomment ExitPolicy reject *:* to configure the Relay as a "common" Middle Relay
      10. Uncomment ContactInfo Random Person <nobody AT example dot com> and replace Random Person and the address with an email address you create specifically for the Relay and forward to your standard email account
      11. Uncomment Nickname ididntedittheconfig and replace it with a suitable nickname for your Relay
      12. Uncomment Address noname.example.com & update it if you have a domain that identifies your Relay
      13. Uncomment DataDirectory /var/lib/tor if you want your keys/etc to be saved here. I prefer this since tor is typically run as a _tor user
      14. Uncomment ControlPort 9051 if you intend to use arm to monitor your Relay (I recommend this and will describe the installation below)
      15. Uncomment RelayBandwidthRate and RelayBandwidthBurst and set them to something suitable for your connection. I recommend running a speedtest and taking half of the upload value. Keep in mind that the configuration is in KiloBytes per second, while this particular speedtest reports its results in MegaBits per second. This means you must take the Mb result from the speedtest, multiply by 1000 (to convert to kilobits), divide by 8 (to convert to KiloBytes), and then divide by 2 to get half of that value.
      16. Save and exit your editor
      17. Delete the TempPassFile with sudo rm TempPassFile
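As an added example (not from the wiki), a POSIX shell script that does the bandwidth arithmetic from step 15 and audits a torrc for the settings steps 6 to 15 uncomment: ORPort, a reject-all ExitPolicy, a HashedControlPassword whenever ControlPort is on, a non-default Nickname and ContactInfo, and a RelayBandwidthRate. The sample torrc and the 16:PLACEHOLDERHASH value are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the wiki page: helpers for the torrc steps above.
# bw_half_kbytes does the guide's bandwidth arithmetic (whole megabits in);
# check_middle_relay_torrc audits a torrc for the settings the guide uncomments.
# Mb/s -> kb/s (x1000) -> KB/s (/8) -> half of that (/2). Integer input only.
bw_half_kbytes() {
    echo $(( $1 * 1000 / 8 / 2 ))
}
# torrc_get FILE OPTION: value of the first uncommented OPTION line, or empty.
torrc_get() {
    grep -E '^[[:space:]]*'"$2"'([[:space:]]|$)' "$1" | head -n 1 \
        | sed -E 's/^[[:space:]]*'"$2"'[[:space:]]*//'
}
# check_middle_relay_torrc FILE: prints each problem; returns 0 only if all pass.
check_middle_relay_torrc() {
    f=$1; rc=0
    [ -n "$(torrc_get "$f" ORPort)" ] \
        || { echo "ORPort not set: tor would run as a client, not a relay"; rc=1; }
    [ "$(torrc_get "$f" ExitPolicy)" = 'reject *:*' ] \
        || { echo "ExitPolicy is not 'reject *:*': not a middle-only relay"; rc=1; }
    if [ -n "$(torrc_get "$f" ControlPort)" ] && [ -z "$(torrc_get "$f" HashedControlPassword)" ]; then
        echo "ControlPort enabled without HashedControlPassword"; rc=1
    fi
    case "$(torrc_get "$f" Nickname)" in
        ""|ididntedittheconfig) echo "Nickname missing or left at the default"; rc=1 ;;
    esac
    case "$(torrc_get "$f" ContactInfo)" in
        ""|"Random Person"*) echo "ContactInfo missing or left at the default"; rc=1 ;;
    esac
    [ -n "$(torrc_get "$f" RelayBandwidthRate)" ] || { echo "RelayBandwidthRate not set"; rc=1; }
    return $rc
}

# Constructed sample torrc (not a real relay's): two defaults were left in
# place, so the audit should report ExitPolicy and Nickname.
sample_torrc() {
    cat <<EOF
ORPort 9001
#ExitPolicy reject *:*
ControlPort 9051
HashedControlPassword 16:PLACEHOLDERHASH
Nickname ididntedittheconfig
ContactInfo relay-admin AT example dot com
RelayBandwidthRate $(bw_half_kbytes 20) KB
EOF
}
t=$(mktemp); sample_torrc > "$t"
check_middle_relay_torrc "$t" || echo "fix the sample torrc before using it"
rm -f "$t"
```

Run it against /etc/tor/torrc once you have saved your edits; a clean run prints nothing and exits 0.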
    7. Set up any Firewalls to pass your 9001 ORPort (and possibly your 9051 ControlPort)
      1. Router: DD-WRT
        1. I use DD-WRT for my Router Firmware. It allows me to run multiple PCs on my network and direct traffic to the correct computer based on Port. We will need to give the Tor Relay Server a static IP and ensure that Tor traffic is forwarded to that machine. If you use another router you can learn more about port forwarding here.
        2. Login to your Router and Navigate to Services -> Services
        3. Under the Static Leases section hit the Add button and fill in your Tor server's MAC Address, Host Name, and a desired IP Address that it will always get. I leave Client Lease Time blank. Scroll to the bottom and hit Save then Apply Settings
        4. Navigate to NAT/QOS -> Port Forwarding
        5. Hit the Add button and fill in the information as follows (no quotes):
          • Application: "<ServerName>Tor"
          • Port from: "9001"
          • Protocol: "TCP"
          • IP Address: "<TheStaticIpYouJustChose>"
          • Port to: "9001"
          • Enable: <checked>
        6. If you want to be able to monitor your relay remotely using arm (instead of only at the console) then add a similar line forwarding port 9051 as well.
        7. Hit Save and Apply Settings
      2. SELinux
        1. CentOS comes preinstalled with SELinux to help harden and protect the OS.
        2. If you choose a non-standard port (ie: not 9001) for your ORPort then you will have to add the exception to SELinux
        3. Run sudo yum install policycoreutils-python to install the tools you need to manage SELinux. It can take several minutes to install this package. Be patient.
        4. You can run sudo semanage port -l | more to see what ports SELinux already allows. There is an entry for tor_port_t already which contains tcp 6969, 9001, 9030, & 9051 along with a tor_socks_port_t entry containing tcp 9050
        5. If you need to use a different port you will have to run a command like sudo semanage port -a -t tor_port_t -p tcp <your_port>. Don't forget to forward the correct port in DD-WRT (above) and IPTables (below)
      3. IPTables
        1. If you follow my guide for Setting Up a Secure CentOS 6 Server then you will have set up a rather restrictive IPTables configuration. We need to add an exception for tor.
        2. Edit /etc/sysconfig/iptables
        3. Right above # Log and drop everything else add the following lines:
          • # Accept Tor traffic
          • -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 9001 -j ACCEPT
        4. If you want to be able to monitor your relay remotely using arm (instead of only at the console) add the following line as well.
          • -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 9051 -j ACCEPT
        5. Run sudo service iptables restart to force your new rules to take effect
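The SELinux and IPTables steps above, as an added example that is not from the wiki: a POSIX shell script that reads semanage port -l output, decides whether a chosen ORPort is already labelled tor_port_t, and prints the semanage and iptables lines the guide uses when it is not. The SEMANAGE_SAMPLE listing is constructed to match what the text says CentOS 6 ships with; the function and variable names are mine.

```shell
#!/bin/sh
# Added example, not part of the wiki page: given a chosen ORPort, decide from
# `semanage port -l` output whether SELinux already labels it tor_port_t and
# print the semanage and iptables lines the guide describes when it does not.

# Constructed excerpt of `sudo semanage port -l` on CentOS 6, matching the text.
SEMANAGE_SAMPLE='tor_port_t                     tcp      6969, 9001, 9030, 9051
tor_socks_port_t               tcp      9050'

# selinux_port_allowed TYPE PROTO PORT: reads a semanage listing on stdin and
# returns 0 if PORT is listed under TYPE/PROTO (single ports or a-b ranges).
selinux_port_allowed() {
    awk -v type="$1" -v proto="$2" -v port="$3" '
        $1 == type && $2 == proto {
            for (i = 3; i <= NF; i++) {
                gsub(",", "", $i)
                n = split($i, r, "-")
                if (n == 1 && $i + 0 == port + 0) found = 1
                if (n == 2 && r[1] + 0 <= port + 0 && port + 0 <= r[2] + 0) found = 1
            }
        }
        END { if (found) exit 0; exit 1 }'
}

# orport_firewall_plan PORT: prints what has to change for that ORPort; the
# semanage line is only emitted when the port is not already in tor_port_t.
orport_firewall_plan() {
    port=$1
    if printf '%s\n' "$SEMANAGE_SAMPLE" | selinux_port_allowed tor_port_t tcp "$port"; then
        echo "# SELinux: tcp/$port already labelled tor_port_t, nothing to add"
    else
        echo "sudo semanage port -a -t tor_port_t -p tcp $port"
    fi
    # iptables rule in the chain and format used in /etc/sysconfig/iptables above
    echo "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport $port -j ACCEPT"
}

orport_firewall_plan 9001   # default ORPort: iptables rule only
orport_firewall_plan 443    # non-standard ORPort: semanage exception plus iptables rule
```

On a real box replace SEMANAGE_SAMPLE with the live output of sudo semanage port -l to check the port you actually chose.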
    8. Set up Arm
      1. Arm is a nice "graphical" command line program that can give you status information on your Tor Relay. It is a lot more fun to look at than log files ;)
      2. Navigate to your home folder: cd ~
      3. Install wget via sudo yum install wget
      4. Download arm: wget https://www.atagar.com/arm/resources/static/arm-1.4.5.0-1.rpm --no-check-certificate (--no-check-certificate is required because the HTTPS certificate on atagar's website, the creator of Arm, is self-signed)
      5. Download the arm signature: wget https://www.atagar.com/arm/resources/static/arm-1.4.5.0-1.rpm.asc --no-check-certificate
      6. Download atagar's (Damian Johnson's) PGP Key: wget https://www.atagar.com/resources/damianJohnson.asc --no-check-certificate
      7. Import Damian Johnson's PGP Key: gpg --import damianJohnson.asc
      8. Test the RPM against Damian's PGP Key: gpg --verify arm-1.4.5.0-1.rpm.asc
        • The results will say that the Signature is good but that the key is not certified. This is normal and fine.
      9. Test the RPM signature: rpm --checksig arm-1.4.5.0-1.rpm
      10. Install arm: sudo rpm -ivh arm-1.4.5.0-1.rpm (i = install, v = verbose, h = print progress bar)
      11. Add yourself to the _tor group: sudo usermod -a -G _tor <username> so you can run arm and interact with tor properly. Log out and back in for the group modification to take effect.
      12. You should now be able to run arm by typing arm at the command line. In addition, soon you should be able to find your relay at Atlas, Globe, and Tor Status. Type your relay's Nickname into the search box in Atlas and Globe. Do a "find" with your browser at Tor Status.
      13. Even though arm works it throws some warnings. Let's fix those now.
        1. [ARM_WARN] The torrc differs from what tor's using. You can issue a sighup to reload teh torrc values by pressing x. - configuration values are missing from the torrc: Log, PidFile, RunAsDaemon, User
          1. Edit /etc/tor/torrc
          2. Uncomment Log notice file /var/log/tor/tor.log (if you are having issues, temporarily uncomment the Log debug line as well)
          3. Underneath DataDirectory /var/lib/tor add the following lines
            • ## Path for a file tor writes containing its process id
            • PidFile /var/run/tor/tor.pid
          4. Uncomment RunAsDaemon 1
          5. Underneath RunAsDaemon 1 add the following lines
            • ## UID for the process when started
            • User _tor
        2. [ARM_NOTICE] Tor is preventing system utilities like netstat and lsof from working. This means that arm can't provide you with connection information. You can change this by adding 'DisableDebuggerAttachment 0' to your torrc and restarting tor. For more information see... https://trac.torproject.org/331 THIS STILL DOESN'T WORK FOR THE NON-TOR NON-ROOT USER
          1. Under the Log section add the following lines
            • ## Allow tor to use netstat and other utilities
            • DisableDebuggerAttachment 0
        3. [ARM_NOTICE] Unable to get the descriptions of Tor's configuration options from its man page ('man' is unavailable)
          1. Install man by running sudo yum install man
        4. [ARM_NOTICE] No armrc loaded, using defaults. You can customize arm by placing a configuration file at '/home/<username>/.arm/armrc' (see the armrc.sample for its options).
          1. Run cp /usr/share/doc/arm/armrc.sample ~/.arm/armrc
          2. Edit ~/.arm/armrc
          3. Comment out queries.refreshRate.rate or arm will throw a notice ([ARM_NOTICE] Unused configuration entry: queries.refreshRate.rate)