Deploying ten new tor bridges
Posted on Fri 19 November 2021 in webapps
The tor project needs more bridges
Some time has passed since I removed my last tor relay node. But apparently the tor project is facing a declining number of tor bridges, special nodes used by people unable to connect to the tor system in a more convenient/open way. So after relaying their call to arms for more bridges, I figured I was in a position to do my part.
Source: Help Censored Users, Run a Tor Bridge
For quick deployments I mostly rely on German based Hetzner.de. So I deployed five virtual machines over four datacenters. It already had my SSH public key on deployment, so I just point my ansible code in their general direction and expect it to work.
I have some baseline setup that makes it more or less secure to run a virtual machine on the Internet. At least I fix automatic patch installs and configure a hardened ssh + iptables firewall. The linux distro used is Ubuntu 20.04.
For guidance I took their excellent document on https://community.torproject.org/relay/setup/bridge/debian-ubuntu/ and used it to quickly assemble a ansible role/playbook for the tor specific stuff. I extended the tor configuration with some statements limiting traffic to certain amounts, just to be sure it does not go all crazy on me. I might need raise this quite a bit later.
This is the tor specific part.
--- - name: "support third party repos" package: name: "apt-transport-https" state: present tags: - tor - name: "tor project GPG key" ansible.builtin.apt_key: url: https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc state: present tags: - tor - name: Add specified repository into sources list ansible.builtin.apt_repository: repo: deb https://deb.torproject.org/torproject.org focal main state: present tags: - tor - name: "ensure tor keyring package is installed" package: name: "deb.torproject.org-keyring" state: present tags: - tor - name: "ensure tor package is installed" package: name: "tor" state: latest tags: - tor - name: "ensure bridge package is installed" package: name: "obfs4proxy" state: present tags: - tor - name: "make sure service is enabled" service: name: "tor" enabled: true state: started tags: - tor - name: "tor config" template: src: "torrc.j2" dest: "/etc/tor/torrc" notify: "restart tor" tags: - tor
Not really sure if using tcp port 8080 for the bridge part is actually a good choice, I will find out soon enough. Using port 80 will result in a permission denied on the port bind.
root@node01:/etc/logcheck# cat /etc/tor/torrc Nickname [REDACTED] # Change "myNiceBridge" to something you like ContactInfo [REDACTED] # Write your e-mail and be aware it will be published ORPort 443 # You might use a different port, should you want to ExitRelay 0 SocksPort 0 BridgeRelay 1 ExtORPort auto Log notice syslog ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy ServerTransportListenAddr obfs4 0.0.0.0:8080 ## Define these to limit how much relayed traffic you will allow. Your ## own traffic is still unthrottled. Note that RelayBandwidthRate must ## be at least 20 KB. ## Note that units for these config options are bytes per second, not bits ## per second, and that prefixes are binary prefixes, i.e. 2^10, 2^20, etc. RelayBandwidthRate 250 KB # Throttle traffic to 250KB/s RelayBandwidthBurst 500 KB # But allow bursts up to 500KB/s ## Use these to restrict the maximum traffic per day, week, or month. ## Note that this threshold applies separately to sent and received bytes, ## not to their sum: setting "4 GB" may allow up to 8 GB total before ## hibernating. ## ## Set a maximum of 4 gigabytes each way per period. AccountingMax 200 GB ## Each period starts daily at midnight (AccountingMax is per day) AccountingStart day 00:00 ## Each period starts on the 3rd of the month at 15:00 (AccountingMax ## is per month) AccountingStart month 3 15:00 ## Uncomment this to mirror directory information for others. Please do ## if you have enough bandwidth. DirPort 9030 # what port to advertise for directory connections
Monitoring and next steps
With the machines deployed I added them to my monitoring setup so I can watch things like network and cpu usage over time. Last step was joining the tor-relays mailinglist to make sure I'm in the loop when issues arise.
At first I started with a couple of nodes. After a couple of days I scaled it up to ten nodes. In retrospect a terraform plan would have been useful. But all in all it was done pretty swiftly.