Mastodon Systeemkabouter.nl – Deploying ten new tor bridges

Deploying ten new tor bridges

Posted on vr 19 november 2021 in webapps

The tor project needs more bridges

Privacy is a human right

Some time has passed since I removed my last tor relay node. But apparently the tor project is facing a declining number of tor bridges, special nodes used by people unable to connect to the tor system in a more convenient/open way. So after relaying their call to arms for more bridges, I figured I was in a position to do my part.

Source: Help Censored Users, Run a Tor Bridge

I'm doing my part

Basic setup

For quick deployments I mostly rely on German based Hetzner.de. So I deployed five virtual machines over four datacenters. It already had my SSH public key on deployment, so I just point my ansible code in their general direction and expect it to work.

I have some baseline setup that makes it more or less secure to run a virtual machine on the Internet. At least I fix automatic patch installs and configure a hardened ssh + iptables firewall. The linux distro used is Ubuntu 20.04.

Tor setup

For guidance I took their excellent document on https://community.torproject.org/relay/setup/bridge/debian-ubuntu/ and used it to quickly assemble a ansible role/playbook for the tor specific stuff. I extended the tor configuration with some statements limiting traffic to certain amounts, just to be sure it does not go all crazy on me. I might need raise this quite a bit later.

ansible screenshot

Playbook

This is the tor specific part.

---

- name: "support third party repos"
  package:
    name: "apt-transport-https"
    state: present
  tags:
    - tor

- name: "tor project GPG key"
  ansible.builtin.apt_key:
    url: https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc
    state: present
  tags:
    - tor

- name: Add specified repository into sources list
  ansible.builtin.apt_repository:
    repo: deb https://deb.torproject.org/torproject.org focal main
    state: present
  tags:
    - tor

- name: "ensure tor keyring package is installed"
  package:
    name: "deb.torproject.org-keyring"
    state: present
  tags:
    - tor

- name: "ensure tor package is installed"
  package:
    name: "tor"
    state: latest
  tags:
    - tor

- name: "ensure bridge package is installed"
  package:
    name: "obfs4proxy"
    state: present
  tags:
    - tor

- name: "make sure service is enabled"
  service:
    name: "tor"
    enabled: true
    state: started
  tags:
    - tor

- name: "tor config"
  template:
    src: "torrc.j2"
    dest: "/etc/tor/torrc"
  notify: "restart tor"
  tags:
    - tor

My torrc

Not really sure if using tcp port 8080 for the bridge part is actually a good choice, I will find out soon enough. Using port 80 will result in a permission denied on the port bind.

root@node01:/etc/logcheck# cat /etc/tor/torrc
Nickname    [REDACTED] # Change "myNiceBridge" to something you like
ContactInfo [REDACTED]  # Write your e-mail and be aware it will be published
ORPort      443          # You might use a different port, should you want to
ExitRelay   0
SocksPort   0
BridgeRelay 1
ExtORPort   auto
Log notice  syslog
ServerTransportPlugin     obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:8080

## Define these to limit how much relayed traffic you will allow. Your
## own traffic is still unthrottled. Note that RelayBandwidthRate must
## be at least 20 KB.
## Note that units for these config options are bytes per second, not bits
## per second, and that prefixes are binary prefixes, i.e. 2^10, 2^20, etc.
RelayBandwidthRate 250 KB  # Throttle traffic to 250KB/s 
RelayBandwidthBurst 500 KB # But allow bursts up to 500KB/s 

## Use these to restrict the maximum traffic per day, week, or month.
## Note that this threshold applies separately to sent and received bytes,
## not to their sum: setting "4 GB" may allow up to 8 GB total before
## hibernating.
##
## Set a maximum of 4 gigabytes each way per period.
AccountingMax 200 GB
## Each period starts daily at midnight (AccountingMax is per day)
AccountingStart day 00:00
## Each period starts on the 3rd of the month at 15:00 (AccountingMax
## is per month)
AccountingStart month 3 15:00

## Uncomment this to mirror directory information for others. Please do
## if you have enough bandwidth.
DirPort 9030 # what port to advertise for directory connections

Monitoring and next steps

With the machines deployed I added them to my monitoring setup so I can watch things like network and cpu usage over time. Last step was joining the tor-relays mailinglist to make sure I'm in the loop when issues arise.

At first I started with a couple of nodes. After a couple of days I scaled it up to ten nodes. In retrospect a terraform plan would have been useful. But all in all it was done pretty swiftly.