Difference between revisions of "How to Set Up a Tor Relay on CentOS 6"
From steamWiki
| Line 42: | Line 42: | ||
###Uncomment ''RelayBandwidthRate'' and ''RelayBandwidthBurst'' and set them to something suitable for your connection. I recommend running a [http://www.speedtest.net/ speedtest] and taking half of the upload value. Keep in mind that the configuration is in KiloBytes. This particular speedtest returns results in MegaBits. This means you must take the Mb result from the speedtest, multiply by 1000 (to convert to Kb) and then divide by 8 (to convert to KB). Then divide by 2 to get half of this value. | ###Uncomment ''RelayBandwidthRate'' and ''RelayBandwidthBurst'' and set them to something suitable for your connection. I recommend running a [http://www.speedtest.net/ speedtest] and taking half of the upload value. Keep in mind that the configuration is in KiloBytes. This particular speedtest returns results in MegaBits. This means you must take the Mb result from the speedtest, multiply by 1000 (to convert to Kb) and then divide by 8 (to convert to KB). Then divide by 2 to get half of this value. | ||
##Setup any Firewalls to pass your 9001 ORPort | ##Setup any Firewalls to pass your 9001 ORPort | ||
| − | ###I use [http://www.dd-wrt.com/site/index DD-WRT] for my Router Firmware. It allows me to run multiple PCs on my network and direct traffic to the correct computer based on Port. | + | ###Router: [http://www.dd-wrt.com/site/index DD-WRT] |
| − | ### | + | ####I use [http://www.dd-wrt.com/site/index DD-WRT] for my Router Firmware. It allows me to run multiple PCs on my network and direct traffic to the correct computer based on Port. We will need to give the Tor Relay Server a static IP and ensure that Tor traffic is forwarded to that machine. If you use another router you can learn more about port forwarding [http://portforward.com/english/routers/port_forwarding/ here]. |
| + | ####Login to your Router and Navigate to ''Services'' -> ''Services'' | ||
| + | ####Under the ''Static Leases'' section hit the ''Add'' button and fill in your Tor server's ''MAC Address'', ''Host Name'', and a desired ''IP Address'' that it will always get. I leave ''Client Lease Time'' blank. Scroll to the bottom and hit ''Save'' then ''Apply Settings'' | ||
| + | ####Navigate to ''NAT/QOS'' -> ''Port Forwarding'' | ||
| + | ####Hit the ''Add'' button and fill in the information as follows (no quotes): | ||
| + | ####*''Application'': "<ServerName>Tor" | ||
| + | ####*''Port from'': "9001" | ||
| + | ####*''Protocol'': "TCP" | ||
| + | ####*''IP Address'': "<TheStaticIpYouJustChose>" | ||
| + | ####*''Port to": "9001" | ||
| + | ####*''Enable'': <checked> | ||
| + | ####If you want to be able to monitor your relay remotely using ''arm'' (instead of only at the console) then add a similar line forwarding port 9051 as well. | ||
| + | ####Hit ''Save'' and ''Apply Settings'' | ||
| + | ###[http://selinuxproject.org/page/Main_Page SELinux] | ||
| + | ####CentOS comes preinstalled with [http://selinuxproject.org/page/Main_Page SELinux] to help harden and protect the OS. | ||
| + | ####If you choose a non-standard port (ie: not 9001) for your ORPort then you will have to add the exception to SELinux | ||
| + | ####Run ''sudo yum install policycoreutils-python'' to install the tools you need to manage SELinux. It can take several minutes to install this package. Be patient. | ||
| + | ####You can run ''sudo semanage port -l | more'' to see what ports SELinux already allows. There is a entry for ''tor_port_t'' already which contains ''tcp 6969, 9001, 9030, & 9051'' along with a ''tor_socks_port_t'' entry containing ''tcp 9050'' | ||
| + | ####If you need to use a different port you will have to run a command like ''sudo semanage port -a -t tor_port_t -p tcp <your_port>''. Don't forget to forward the correct port in DD-WRT (above) and IPTables (below) | ||
| + | ###IPTables | ||
| + | ####If you follow my guide for [[Setting Up a Secure CentOS 6 Server]] then you will have setup a rather restrictive IPTables configuration. We need to add an exception for tor. | ||
| + | ####Edit ''/etc/sysconfig/iptables'' | ||
| + | ####Right above ''# Log and drop everything else'' add the following lines: | ||
| + | ####*''<nowiki>#</nowiki> Accept Tor traffic'' | ||
| + | ####*''-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 9001 -j ACCEPT'' | ||
| + | ####If you want to be able to monitor your relay remotely using ''arm'' (instead of only at the console) add the following line as well. | ||
| + | ####*''-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 9051 -j ACCEPT'' | ||
| + | |||
*Resources | *Resources | ||
| Line 49: | Line 76: | ||
*#https://www.torproject.org/docs/tor-relay-debian.html.en | *#https://www.torproject.org/docs/tor-relay-debian.html.en | ||
*#https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sect-Date_and_Time_Configuration-Command_Line_Configuration-Network_Time_Protocol.html | *#https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sect-Date_and_Time_Configuration-Command_Line_Configuration-Network_Time_Protocol.html | ||
| + | *#http://wiki.centos.org/HowTos/SELinux | ||
Revision as of 08:30, 28 June 2014
UNDER CONSTRUCTION
- Setting up the OS
- Follow my guide for Setting Up a Secure CentOS 6 Server
- Installing Tor
- BACKUP ANY FILES YOU MODIFY. I TYPICALLY CREATE A COPY NAMED <originalname>_bak_defaults
- Add the Tor Project Repositories to the Yum repos list
- Run sudo vi /etc/yum.repos.d/torproject.repo
- Add the following to the file
- [tor]
- name=Tor experimental repo
- enabled=1
- baseurl=http://deb.torproject.org/torproject.org/rpm/el/6/$basearch/
- gpgcheck=1
- gpgkey=http://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc
- [tor-source]
- name=Tor experimental source repo
- enabled=1
- autorefresh=0
- baseurl=http://deb.torproject.org/torproject.org/rpm/el/6/SRPMS
- gpgcheck=1
- gpgkey=http://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc
- Install tor
- Run sudo yum install tor
- Yum will ask if it is ok to install the GPG Key from torproject.org, say yes
- Install ntp & set it up as a daemon to keep your clock, date, & timezone accurate.
- Run sudo yum install ntp
- Start ntpd by running sudo service ntpd restart
- Enable ntpd to start at boot time by running sudo chkconfig ntpd on
- At this point you can reboot your system and hit Esc after entering your HDD Encryption Password and watch for ntpd and tor to start toward the end of the boot process if you want.
- Configure Tor to act as a Relay
- Edit /etc/tor/torrc
- Uncomment ORPort 9001 to enable the system as a Relay
- Uncomment ExitPolicy reject *:* to configure the Relay as a "common" Middle Relay
- Uncomment ContactInfo Random Person <nobody AT example dot com and replace the Random Person with an email address you create specifically for the Relay and forward to your standard email account
- Ucomment Nickname ididntedittheconfig and replace with a suitable nickname for your Relay
- Uncomment Address noname.example.com & update it if you have domain that identifies your Relay
- Uncomment DataDirectory /var/lib/tor if you want your keys/etc to be saved here. I prefer this since tor is typically run as a _tor user
- Uncomment ControlPort 9051 if you intend to use arm to monitor your Relay (I recommend this and will describe the installation below)
- Uncomment HashedControlPassword ... to use a password to secure the ControlPort. We will setup this password later
- Uncomment RelayBandwidthRate and RelayBandwidthBurst and set them to something suitable for your connection. I recommend running a speedtest and taking half of the upload value. Keep in mind that the configuration is in KiloBytes. This particular speedtest returns results in MegaBits. This means you must take the Mb result from the speedtest, multiply by 1000 (to convert to Kb) and then divide by 8 (to convert to KB). Then divide by 2 to get half of this value.
- Setup any Firewalls to pass your 9001 ORPort
- Router: DD-WRT
- I use DD-WRT for my Router Firmware. It allows me to run multiple PCs on my network and direct traffic to the correct computer based on Port. We will need to give the Tor Relay Server a static IP and ensure that Tor traffic is forwarded to that machine. If you use another router you can learn more about port forwarding here.
- Login to your Router and Navigate to Services -> Services
- Under the Static Leases section hit the Add button and fill in your Tor server's MAC Address, Host Name, and a desired IP Address that it will always get. I leave Client Lease Time blank. Scroll to the bottom and hit Save then Apply Settings
- Navigate to NAT/QOS -> Port Forwarding
- Hit the Add button and fill in the information as follows (no quotes):
- Application: "<ServerName>Tor"
- Port from: "9001"
- Protocol: "TCP"
- IP Address: "<TheStaticIpYouJustChose>"
- Port to": "9001"
- Enable: <checked>
- If you want to be able to monitor your relay remotely using arm (instead of only at the console) then add a similar line forwarding port 9051 as well.
- Hit Save and Apply Settings
- SELinux
- CentOS comes preinstalled with SELinux to help harden and protect the OS.
- If you choose a non-standard port (ie: not 9001) for your ORPort then you will have to add the exception to SELinux
- Run sudo yum install policycoreutils-python to install the tools you need to manage SELinux. It can take several minutes to install this package. Be patient.
- You can run sudo semanage port -l | more to see what ports SELinux already allows. There is a entry for tor_port_t already which contains tcp 6969, 9001, 9030, & 9051 along with a tor_socks_port_t entry containing tcp 9050
- If you need to use a different port you will have to run a command like sudo semanage port -a -t tor_port_t -p tcp <your_port>. Don't forget to forward the correct port in DD-WRT (above) and IPTables (below)
- IPTables
- If you follow my guide for Setting Up a Secure CentOS 6 Server then you will have setup a rather restrictive IPTables configuration. We need to add an exception for tor.
- Edit /etc/sysconfig/iptables
- Right above # Log and drop everything else add the following lines:
- # Accept Tor traffic
- -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 9001 -j ACCEPT
- If you want to be able to monitor your relay remotely using arm (instead of only at the console) add the following line as well.
- -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 9051 -j ACCEPT
- Router: DD-WRT
- Resources
- https://www.torproject.org/docs/rpms.html.en
- https://www.torproject.org/docs/tor-relay-debian.html.en
- https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sect-Date_and_Time_Configuration-Command_Line_Configuration-Network_Time_Protocol.html
- http://wiki.centos.org/HowTos/SELinux
