I followed cockytrumpet's guide above so that I have a TOR Relay running in the router, but the system log shows that all packets to port 443 are getting dropped and I don't get a confirmation message in the tor log that it is reachable from outside.
Now maybe I can open a port forward rule in the router to port 443 on 192.168.1.254, but won't this kind of open my firewall to my whole LAN for this port? Do I really need a NAT rule when the service is running on the router? And if I do, can I point the port rule to 127.0.0.1 instead of the LAN IP of the router?
Running 378.56_02 on ASUS RT-AC68U
torrc looks like this:
ORPort 9001
Exitpolicy reject *:*
Nickname finite9
ContactInfo hidden@address
AccountingStart day 0:00
AccountingMax 50 GBytes
RelayBandwidthRate 2048 KBytes
RelayBandwidthBurst 6144 KBytes # allow higher bursts but maintain average
Log notice file /opt/var/log/tor
and log says...
Jan 14 14:00:38.000 [notice] Tor 0.2.6.10 (git-58c51dc6087b0936) opening log file.
Jan 14 14:00:38.205 [notice] Tor v0.2.6.10 (git-58c51dc6087b0936) running on Linux with Libevent 2.0.22-stable, OpenSSL 1.0.2d and Zlib 1.2.8.
Jan 14 14:00:38.205 [notice] Tor can't help you if you use it wrong! Learn how to be safe at
https://www.torproject.org/download/download#warning
Jan 14 14:00:38.206 [notice] Read configuration file "/opt/etc/tor/torrc".
Jan 14 14:00:38.217 [notice] Based on detected system memory, MaxMemInQueues is set to 256 MB. You can override this by setting MaxMemInQueues by hand.
Jan 14 14:00:38.222 [notice] Opening Socks listener on 127.0.0.1:9050
Jan 14 14:00:38.222 [notice] Opening OR listener on 0.0.0.0:9001
Jan 14 14:00:38.000 [warn] Failed to unlink /opt/var/lib/tor/bw_accounting: No such file or directory
Jan 14 14:00:41.000 [notice] Your Tor server's identity key fingerprint is 'finite9 EFACDD7329B43B3552347E8C8FCE674BA168FF56'
Jan 14 14:00:41.000 [notice] Configured hibernation. This interval begins at 2016-01-14 00:00:00 and ends at 2016-01-15 00:00:00. We have no prior estimate for bandwidth, so we will start out awake and hibernate when we exhaust our quota.
Jan 14 14:00:41.000 [notice] Configured to measure directory request statistics, but no GeoIP database found. Please specify a GeoIP database using the GeoIPFile option.
Jan 14 14:00:41.000 [notice] Bootstrapped 0%: Starting
Jan 14 14:00:50.000 [notice] Bootstrapped 80%: Connecting to the Tor network
Jan 14 14:00:51.000 [notice] Bootstrapped 85%: Finishing handshake with first hop
Jan 14 14:00:51.000 [notice] We weren't able to find support for all of the TLS ciphersuites that we wanted to advertise. This won't hurt security, but it might make your Tor (if run as a client) more easy for censors to block.
Jan 14 14:00:51.000 [notice] To correct this, use a version of OpenSSL built with none of its ciphers disabled.
Jan 14 14:00:51.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
Jan 14 14:00:52.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Jan 14 14:00:52.000 [notice] Bootstrapped 100%: Done
Jan 14 14:00:52.000 [notice] Now checking whether ORPort 89.160.75.121:9001 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
and the router's system log shows dropped packets:
Jan 14 15:00:06 kernel: DROP IN=vlan2 OUT= MAC=ac:9e:17:7e:09:f0:00:0b:45:b6:f0:40:08:00:45:00:00:3c SRC=124.6.36.194 DST=89.160.75.121 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=27106 DF PROTO=TCP SPT=38472 DPT=443 SEQ=2354748024 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080ABE766CBD0000000001030309)
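One way to compare the destination ports the router itself is dropping against the ORPort set in torrc, as an added example that is not part of the original post. The sample torrc and kernel log lines are constructed (documentation-range addresses), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Sample inputs are constructed, not taken from a real router.
SAMPLE_TORRC='# relay settings
ORPort 9001
ExitPolicy reject *:*'

SAMPLE_SYSLOG='Jan 14 15:00:06 kernel: DROP IN=vlan2 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=38472 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0
Jan 14 15:00:09 kernel: DROP IN=vlan2 OUT= SRC=198.51.100.8 DST=203.0.113.10 PROTO=TCP SPT=40112 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0
Jan 14 15:01:12 kernel: DROP IN=vlan2 OUT= SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP SPT=51820 DPT=9001 WINDOW=14600 RES=0x00 SYN URGP=0
Jan 14 15:01:30 kernel: DROP IN=vlan2 OUT=br0 SRC=198.51.100.9 DST=192.168.1.20 PROTO=TCP SPT=51821 DPT=9001 WINDOW=14600 RES=0x00 SYN URGP=0'

# Print the port of the first ORPort line read from stdin.
# Option names are case-insensitive; "addr:port" and "[v6]:port" forms
# are reduced to the part after the last colon. Comment lines are skipped
# because their first field starts with "#".
orport_from_torrc() {
    awk 'tolower($1) == "orport" { n = split($2, a, ":"); print a[n]; exit }'
}

# Print "port count" for dropped TCP SYNs addressed to the router itself.
# An empty OUT= field means the packet was for local delivery (INPUT path);
# lines with OUT=<iface> are forwarded traffic and are ignored here.
dropped_syn_by_port() {
    awk '/ DROP / && / PROTO=TCP / && / SYN / && / OUT= / {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^DPT=/) n[substr($i, 5)]++
         }
         END { for (p in n) print p, n[p] }' | sort -n
}

# $1 = torrc text, $2 = syslog text. Prints how many of the dropped
# inbound SYNs were aimed at the configured ORPort.
drops_for_orport() {
    port=$(printf '%s\n' "$1" | orport_from_torrc)
    printf '%s\n' "$2" | dropped_syn_by_port |
        awk -v p="$port" '$1 == p { c = $2 } END { print c + 0 }'
}

echo "ORPort in torrc: $(printf '%s\n' "$SAMPLE_TORRC" | orport_from_torrc)"
echo "Dropped inbound SYNs by destination port (port count):"
printf '%s\n' "$SAMPLE_SYSLOG" | dropped_syn_by_port
echo "Drops aimed at ORPort: $(drops_for_orport "$SAMPLE_TORRC" "$SAMPLE_SYSLOG")"
```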