Setting up a Tor server

Posted by JacobAppelbaum on Tue 26 Dec 2006 at 11:46

This is a short guide on quickly setting up a Tor server in Debian Sarge. If you're looking for a way to use tor as a client, I suggest you read the article on that subject.

I highly suggest reading about anonymity in general and about the tor project specifically. It would also be prudent to read the server installation instructions. The rest of this document assumes that you've read at least the three previous documents and have a solid understanding of what you're doing. First we'll ensure that we have our clock in sync by using ntpdate:
root@nsa:~# apt-get install ntpdate
Reading Package Lists... Done
Building Dependency Tree... Done
Suggested packages:
  ntp
The following NEW packages will be installed:
  ntpdate
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 41.6kB of archives.
After unpacking 164kB of additional disk space will be used.
Get:1 http://mirror.bytemark.co.uk sarge/main ntpdate 1:4.2.0a+stable-2sarge1 [41.6kB]
Fetched 41.6kB in 0s (109kB/s)
Selecting previously deselected package ntpdate.
(Reading database ... 9295 files and directories currently installed.)
Unpacking ntpdate (from .../ntpdate_1%3a4.2.0a+stable-2sarge1_i386.deb) ...
Setting up ntpdate (4.2.0a+stable-2sarge1) ...
Running ntpdate to synchronize clock.
It should be noted that it's not proper to run ntpdate from cron or by hand on a server. I merely suggest ntpdate to quickly sync your clock. If you're really interested in keeping your clock correct, you should investigate ntp-server. Ensure that your time is what you'd expect:
root@nsa:~# date
Fri Dec 22 22:55:43 UTC 2006
Ensure that your DNS is working properly. Let's test resolving tor.eff.org:
root@nsa:~# host tor.eff.org
tor.eff.org             CNAME   alcatraz.eff.org
alcatraz.eff.org        A       209.237.230.67
Add the correct lines for apt-get to use the Tor developer packages:
cat << 'EOF' >> /etc/apt/sources.list

#
# Tor developer package repository
#
deb     http://mirror.noreply.org/pub/tor sarge main
EOF
Alternatively, you can also use backports by using the following repository:
cat << 'EOF' >> /etc/apt/sources.list

# Sarge backports
#
deb http://www.backports.org/debian/ sarge-backports main
EOF
Both package repositories provide Tor. However, it's suggested to use the Tor developer package repository. It's run by people that are both Tor and Debian developers. It always has the freshest Tor packages. As there is no tor package in Sarge you don't need to add anything to your /etc/apt/preference file nor do you need to worry if you don't have one. Update your package sources:
root@nsa:~# apt-get update
Now we'll install the tor package:
root@nsa:~# apt-get install tor
Reading Package Lists... Done
Building Dependency Tree... Done
The following extra packages will be installed:
  libevent1
Suggested packages:
  mixmaster mixminion anon-proxy
Recommended packages:
  privoxy socat
The following NEW packages will be installed:
  libevent1 tor
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 788kB of archives.
After unpacking 1679kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://mirror.noreply.org sarge/main libevent1 1.1a-1~sarge.1 [18.8kB]
Get:2 http://mirror.noreply.org sarge/main tor 0.1.1.26-1~~sarge.1 [769kB]
Fetched 788kB in 0s (846kB/s)
Selecting previously deselected package libevent1.
(Reading database ... 10813 files and directories currently installed.)
Unpacking libevent1 (from .../libevent1_1.1a-1~sarge.1_i386.deb) ...
Selecting previously deselected package tor.
Unpacking tor (from .../tor_0.1.1.26-1~~sarge.1_i386.deb) ...
Setting up libevent1 (1.1a-1~sarge.1) ...

Setting up tor (0.1.1.26-1~~sarge.1) ...
debian-tor uid check: ok
debian-tor homedir check: ok
Raising maximum number of filedescriptors (ulimit -n) to 8192.
Starting tor daemon: tor...
Dec 23 16:32:47.689 [notice] Tor v0.1.1.26. This is experimental software. Do not rely on it for strong anonymity.
Dec 23 16:32:47.700 [notice] Initialized libevent version 1.1a using method epoll. Good.
Dec 23 16:32:47.701 [notice] connection_create_listener(): Opening OR listener on 0.0.0.0:9001
Dec 23 16:32:47.702 [notice] connection_create_listener(): Opening Socks listener on 127.0.0.1:9050
done.
The next step is to configure your Tor server. Below I've included a configuration file that creates a middle node. This means that your node will only talk to other Tor nodes, except when it is making DNS requests. Back up the default Tor configuration file; you should spend time reading it to learn about the other options available to you as a server operator.
root@nsa:~# cd /etc/tor/
root@nsa:/etc/tor# mv torrc torrc-default
Install the very simple configuration file.
cat << 'EOF' > torrc
SocksPort 0 # what port to open for local application connections
SocksListenAddress 127.0.0.1 # accept connections only from localhost
## Required: A unique handle for this server
Nickname SteveKempIsMyHero
ORPort 9001
ExitPolicy reject *:* # middle node only -- no exits allowed
# See http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#Hibernation
# We have 400GB of traffic per month
# We want that to be about 100GB per week 
BandwidthRate 250 KB
BandwidthBurst 1MB
AccountingStart week 1 00:00
AccountingMax 100 GB
EOF
You'll want to change the Nickname included in the previous configuration file even if Steve is your hero. Also note that 100GB means 100GB in and 100GB out. You'll want to ensure that you calculate this correctly unless you have an unlimited amount of bandwidth. The accounting feature is quite handy when you know just how much you can afford to help the Tor project in terms of bandwidth. Restart Tor and ensure that it's working correctly:
root@nsa:~# /etc/init.d/tor restart
Stopping tor daemon: tor.
Raising maximum number of filedescriptors (ulimit -n) to 8192.
Starting tor daemon: tor...
Dec 22 23:51:34.504 [notice] Tor v0.1.1.23. This is experimental software. Do not rely on it for strong anonymity.
Dec 22 23:51:34.504 [notice] Your ContactInfo config option is not set. Please consider setting it, so we can contact you if your server is misconfigured or something else goes wrong.
Dec 22 23:51:34.506 [notice] Initialized libevent version 1.1a using method epoll. Good.
Dec 22 23:51:34.507 [notice] connection_create_listener(): Opening OR listener on 0.0.0.0:9001
done.
To see if your Tor server is up and running you can easily check with lsof (I've blocked my actual IP address with X.X.X.X):
root@nsa:~# lsof -ni|grep tor
tor     22732  debian-tor    4u  IPv4 124956       TCP X.X.X.X:60882->85.214.50.115:9001 (ESTABLISHED)
tor     22732  debian-tor    7u  IPv4 124951       TCP 127.0.0.1:9050 (LISTEN)
tor     22732  debian-tor    9u  IPv4 124986       TCP X.X.X.X:57322->65.111.168.165:9001 (ESTABLISHED)
tor     22732  debian-tor   10u  IPv4 124987       TCP X.X.X.X:40686->85.214.68.105:9001 (ESTABLISHED)
If you don't see processes in both LISTEN and ESTABLISHED states you probably have a problem. You should ensure that your firewall isn't blocking the Tor connections. I suggest that you investigate turning on very minimal logging to help debug your connection problems, but be sure to disable it as soon as you've solved your problem. It's bad form to log, and it's unneeded. An example of how to turn on logging comes from the default configuration file. Simply add the relevant lines to your configuration file, but remember to remove them once everything is working:
## Logs go to stdout at level "notice" unless redirected by something
## else, like one of the below lines. You can have as many Log lines as
## you want.
##
## We advise using "notice" in most cases, since anything more verbose
## may provide sensitive information to an attacker who obtains the logs.
##
## Send all messages of level 'notice' or higher to /var/log/tor/notices.log
#Log notice file /var/log/tor/notices.log
## Send every possible message to /var/log/tor/debug.log
#Log debug file /var/log/tor/debug.log
## Use the system log instead of Tor's logfiles
#Log notice syslog
## To send all messages to stderr:
#Log debug stderr
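The lsof check above can be turned into something repeatable. The following shell script is an added example, not code from the article or from the Tor project: it reads the output of lsof -ni and reports whether a relay has a listener on its ORPort and at least one established peer connection, which is exactly the "both LISTEN and ESTABLISHED" condition described above. The two sample outputs are constructed to resemble the article's lsof output (local address replaced by X.X.X.X; the peer addresses are the ones shown in the article); the ORPort of 9001 is the one from the middle-node configuration.

```shell
#!/bin/sh
# Added example, not code from the article: read the output of "lsof -ni"
# and decide whether a relay looks healthy, i.e. something is bound to the
# ORPort (LISTEN) and there are peer connections (ESTABLISHED). The two
# samples are constructed to look like the article's output, with the local
# address replaced by X.X.X.X; the first includes the ORPort listener, the
# second has a listener but no peers, which is what a blocking firewall
# typically looks like from the relay's side.

SAMPLE_OK='tor     22732  debian-tor    4u  IPv4 124956       TCP X.X.X.X:60882->85.214.50.115:9001 (ESTABLISHED)
tor     22732  debian-tor    6u  IPv4 124950       TCP *:9001 (LISTEN)
tor     22732  debian-tor    9u  IPv4 124986       TCP X.X.X.X:57322->65.111.168.165:9001 (ESTABLISHED)
tor     22732  debian-tor   10u  IPv4 124987       TCP X.X.X.X:40686->85.214.68.105:9001 (ESTABLISHED)'

SAMPLE_NO_PEERS='tor     22732  debian-tor    6u  IPv4 124950       TCP *:9001 (LISTEN)'

# count_state LSOF_TEXT STATE: number of tor sockets in STATE (LISTEN, ESTABLISHED).
count_state() {
    printf '%s\n' "$1" | awk -v st="($2)" '$1 == "tor" && $NF == st { n++ } END { print n + 0 }'
}

# listening_on_port LSOF_TEXT PORT: yes/no, does tor have a listener on PORT (any address)?
listening_on_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "tor" && $NF == "(LISTEN)" { p = $(NF - 1); sub(/^.*:/, "", p); if (p == port) found = 1 }
        END { print found ? "yes" : "no" }'
}

# peer_addresses LSOF_TEXT: remote "ip:port" of each established connection.
peer_addresses() {
    printf '%s\n' "$1" | awk '$1 == "tor" && $NF == "(ESTABLISHED)" { a = $(NF - 1); sub(/^.*->/, "", a); print a }'
}

# tor_socket_status LSOF_TEXT ORPORT: prints ok, no-listener, or no-peers.
tor_socket_status() {
    if [ "$(listening_on_port "$1" "$2")" != yes ]; then
        echo no-listener     # tor is not running, or the ORPort in torrc differs
    elif [ "$(count_state "$1" ESTABLISHED)" -eq 0 ]; then
        echo no-peers        # bound but isolated: check the firewall on the ORPort
    else
        echo ok
    fi
}

# Stand-alone run: classify the healthy sample and list its peers.
tor_socket_status "$SAMPLE_OK" 9001
peer_addresses "$SAMPLE_OK"
```

On a live system you would feed it the real output, for example tor_socket_status "$(lsof -ni | grep tor)" 9001, with the port taken from your torrc's ORPort line. A result of no-peers right after a restart is normal for a few seconds while Tor builds its first connections; if it persists, the firewall is the first thing to look at, as the article says.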
At this point you have a very simple Tor server that will relay only encrypted data between other Tor nodes (both Tor clients and other Tor servers). This helps build the Tor network and is useful to everyone. You should probably use a more complete file that at least includes your contact information, and you should read the default configuration file. Here's an example of one of my Tor server configuration files:
## Configuration file for a typical Tor user
## Last updated 9 February 2006 for Tor 0.1.1.13-alpha.
## (May or may not work for older or newer versions of Tor.)
##
## Lines that begin with "## " try to explain what's going on. Lines
## that begin with just "#" are disabled commands: you can enable them
## by removing the "#" symbol.
##
## See the man page, or http://tor.eff.org/tor-manual-cvs.html, for more
## options you can use in this file.
##
## On Unix, Tor will look for this file in someplace like "~/.tor/torrc" or
## "/etc/torrc"
##
## On Windows, Tor will look for the configuration file in someplace like
## "Application Data\tor\torrc" or "Application Data\\tor\torrc"
##
## With the default Mac OS X installer, Tor will look in ~/.tor/torrc or
## /Library/Tor/torrc


## Replace this with "SocksPort 0" if you plan to run Tor only as a
## server, and not make any local application connections yourself.
SocksPort 0 # what port to open for local application connections
SocksListenAddress 127.0.0.1 # accept connections only from localhost
#SocksListenAddress 192.168.0.1:9100 # listen on a chosen IP/port too

## Entry policies to allow/deny SOCKS requests based on IP address.
## First entry that matches wins. If no SocksPolicy is set, we accept
## all (and only) requests from SocksListenAddress.
#SocksPolicy accept 192.168.0.0/16
#SocksPolicy reject *

## Logs go to stdout at level "notice" unless redirected by something
## else, like one of the below lines. You can have as many Log lines as
## you want.
##
## We advise using "notice" in most cases, since anything more verbose
## may provide sensitive information to an attacker who obtains the logs.
##
## Send all messages of level 'notice' or higher to /var/log/tor/notices.log
#Log notice file /var/log/tor/notices.log
## Send every possible message to /var/log/tor/debug.log
#Log debug file /var/log/tor/debug.log
## Use the system log instead of Tor's logfiles
#Log notice syslog
## To send all messages to stderr:
#Log debug stderr

## Uncomment this to start the process in the background... or use
## --runasdaemon 1 on the command line. This is ignored on Windows;
## see the FAQ entry if you want Tor to run as an NT service.
RunAsDaemon 1

## The directory for keeping all the keys/etc. By default, we store
## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
DataDirectory /var/lib/tor

## The port on which Tor will listen for local connections from Tor
## controller applications, as documented in control-spec.txt.
#ControlPort 9051

############### This section is just for location-hidden services ###

## Look in .../hidden_service/hostname for the address to tell people.
## HiddenServicePort x y:z says to redirect a port x request from the
## client to y:z.

#HiddenServiceDir /var/lib/tor/hidden_service/
#HiddenServicePort 80 127.0.0.1:80

#HiddenServiceDir /var/lib/tor/other_hidden_service/
#HiddenServicePort 80 127.0.0.1:80
#HiddenServicePort 22 127.0.0.1:22
#HiddenServiceNodes moria1,moria2
#HiddenServiceExcludeNodes bad,otherbad

################ This section is just for servers #####################

## NOTE: If you enable these, you should consider mailing your identity
## key fingerprint to the tor-ops, so we can add you to the list of
## servers that clients will trust. See
## http://tor.eff.org/cvs/tor/doc/tor-doc-server.html for details.

## Required: A unique handle for this server
Nickname YOURUNIQUENICKNAMEHERE

## The IP or fqdn for this server. Leave commented out and Tor will guess.
OutboundBindAddress 1.2.3.4
#Address foo.bar.com
Address 1.2.3.4

## Contact info that will be published in the directory, so we can
## contact you if you need to upgrade or if something goes wrong.
## This is optional but recommended.
#ContactInfo Random Person 
## You might also include your PGP or GPG fingerprint if you have one:
ContactInfo 1024D/AA123456 First Last 

## Required: what port to advertise for tor connections
#ORPort 9001
ORPort 443
## If you want to listen on a port other than the one advertised
## in ORPort (e.g. to advertise 443 but bind to 9090), uncomment
## the line below. You'll need to do ipchains or other port forwarding
## yourself to make this work.
ORListenAddress 1.2.3.4:9090

## Uncomment this to mirror the directory for others. Please do
## if you have enough bandwidth: see the bottom of
## http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#LimitBandwidth
# DirPort 9030 # what port to advertise for directory connections
DirPort 80 # what port to advertise for directory connections
## If you want to listen on a port other than the one advertised
## in DirPort (e.g. to advertise 80 but bind 9091), uncomment the line
## below. You'll need to do ipchains or other port forwarding yourself
## to make this work.
DirListenAddress 1.2.3.4:9091

## Uncomment this if you run more than one Tor server, and add the
## nickname of each Tor server you control, even if they're on different
## networks. We declare it here so clients can avoid using more than
## one of your servers in a given circuit.
#MyFamily YourOtherServerNickNamesGoHere

## A comma-separated list of exit policies. They're considered first
## to last, and the first match wins. If you want to _replace_
## the default exit policy, end this with either a reject *:* or an
## accept *:*. Otherwise, you're _augmenting_ (prepending to) the
## default exit policy. Leave commented to just use the default, which is
## available in the man page or at http://tor.eff.org/documentation.html
##
## Look at http://tor.eff.org/faq-abuse.html#TypicalAbuses
## for issues you might encounter if you use the default exit policy.
##
## If certain IPs and ports are blocked externally, e.g. by your firewall,
## you should update your exit policy to reflect this -- otherwise Tor
## users will be told that those destinations are down.
##
#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more
#ExitPolicy accept *:119 # accept nntp as well as default exit policy
ExitPolicy reject *:* # middleman only -- no exits allowed

# See http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#Hibernation
# We have 400GB of traffic per month
# We want that to be about 100GB per week 
BandwidthRate 250 KB
BandwidthBurst 1MB
AccountingStart week 1 00:00
AccountingMax 100 GB
However, it should be noted that the default configuration file that comes with Tor is the best file to use as a starting point. Per the FAQ you really only need to change two things from the default configuration file: Nickname and ORPort. In an ideal world, you'll also set your ContactInfo.
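The points made about the middle-node configuration (change the Nickname, set ContactInfo, keep ExitPolicy reject *:*, remove debug logging once you are done, and work out what AccountingMax means at your BandwidthRate) can be checked mechanically before restarting Tor. The script below is an added example, not the article's or the Tor project's code. It parses a torrc with awk, flags the example nickname and a missing ContactInfo, and computes how long the relay can sustain BandwidthRate in one direction before AccountingMax is hit; with the article's values (250 KB/s, 100 GB per week) that is roughly 4.9 days, so the relay would hibernate for the rest of each week. Size units are treated as binary (KB = 1024 bytes), as in the Tor manual; the "fixed" variant, its nickname, its contact address and the 150 KB rate are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the article or from the Tor project: a sanity
# check for a relay torrc covering the settings the article singles out
# (Nickname and ORPort changed, ContactInfo set, ExitPolicy reject *:*,
# no debug Log line left on) plus whether AccountingMax is reachable within
# the accounting period at the configured BandwidthRate.

# torrc_get FILE KEY: value of the first uncommented KEY line, trailing "# ..." stripped.
torrc_get() {
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^ +/, ""); sub(/ *#.*$/, ""); print; exit }' "$1"
}

# to_bytes "250 KB": convert a Tor size ("1MB", "100 GB", "4096") to bytes, binary units.
to_bytes() {
    printf '%s\n' "$1" | awk '{
        n = $0; sub(/[^0-9].*$/, "", n)
        u = toupper($0); sub(/^[0-9 ]*/, "", u)
        m = 1
        if (u ~ /^KB/) m = 1024
        else if (u ~ /^MB/) m = 1024 * 1024
        else if (u ~ /^GB/) m = 1024 * 1024 * 1024
        printf "%.0f\n", n * m
    }'
}

# accounting_period_seconds FILE: length of the AccountingStart period (month taken as 30 days).
accounting_period_seconds() {
    case "$(torrc_get "$1" AccountingStart | awk '{ print $1 }')" in
        day)   echo 86400 ;;
        week)  echo 604800 ;;
        month) echo 2592000 ;;
        *)     echo 0 ;;
    esac
}

# seconds_to_exhaust FILE: seconds of sustained BandwidthRate needed to reach
# AccountingMax in one direction (the article notes that in and out count separately).
seconds_to_exhaust() {
    max=$(to_bytes "$(torrc_get "$1" AccountingMax)")
    rate=$(to_bytes "$(torrc_get "$1" BandwidthRate)")
    [ "$rate" -gt 0 ] || { echo 0; return; }
    awk -v m="$max" -v r="$rate" 'BEGIN { printf "%d\n", int(m / r) }'
}

# torrc_check FILE: print one "tag: message" line per finding.
torrc_check() {
    f=$1
    case "$(torrc_get "$f" Nickname)" in
        ""|YOURUNIQUENICKNAMEHERE|SteveKempIsMyHero)
            echo "nickname: Nickname is missing or still the example value" ;;
    esac
    [ -n "$(torrc_get "$f" ORPort)" ] || echo "orport: ORPort is required for a server"
    [ -n "$(torrc_get "$f" ContactInfo)" ] || echo "contactinfo: ContactInfo not set, so nobody can warn you about a misconfiguration"
    [ "$(torrc_get "$f" ExitPolicy)" = "reject *:*" ] || echo "exitpolicy: not a pure middle node, review the exit policy"
    if awk '$1 == "Log" && $2 == "debug" { d = 1 } END { exit !d }' "$f"; then
        echo "log: debug logging is on, turn it off once the problem is solved"
    fi
    p=$(accounting_period_seconds "$f")
    if [ "$p" -gt 0 ]; then
        s=$(seconds_to_exhaust "$f")
        [ "$s" -ge "$p" ] || echo "accounting: AccountingMax is reached after $((s / 86400)) full days at BandwidthRate, the relay hibernates for the rest of each period"
    fi
}

# has_finding FILE TAG: yes/no for a given finding tag.
has_finding() {
    torrc_check "$1" | awk -v tag="$2:" '$1 == tag { found = 1 } END { print found ? "yes" : "no" }'
}

# The article's middle-node torrc, copied here as the input to check.
SAMPLE_TORRC=$(mktemp)
cat << 'EOF' > "$SAMPLE_TORRC"
SocksPort 0 # what port to open for local application connections
SocksListenAddress 127.0.0.1 # accept connections only from localhost
Nickname SteveKempIsMyHero
ORPort 9001
ExitPolicy reject *:* # middle node only -- no exits allowed
BandwidthRate 250 KB
BandwidthBurst 1MB
AccountingStart week 1 00:00
AccountingMax 100 GB
EOF

# A constructed variant with the findings addressed (nickname, contact and rate are placeholders).
FIXED_TORRC=$(mktemp)
sed -e 's/^Nickname .*/Nickname ExampleRelayPlaceholder/' \
    -e 's/^BandwidthRate .*/BandwidthRate 150 KB/' "$SAMPLE_TORRC" > "$FIXED_TORRC"
echo 'ContactInfo operator@example.invalid' >> "$FIXED_TORRC"
trap 'rm -f "$SAMPLE_TORRC" "$FIXED_TORRC"' EXIT

# Stand-alone run: the article's file produces findings, the fixed one produces none.
torrc_check "$SAMPLE_TORRC"
torrc_check "$FIXED_TORRC"
```

Run it against /etc/tor/torrc with torrc_check /etc/tor/torrc before restarting. The accounting finding is the one worth thinking about: lowering BandwidthRate so that the rate times the period stays under AccountingMax keeps the relay up all week, which is more useful to the network than a faster relay that is asleep two days out of seven.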
Re: Setting up a Tor server
Posted by Anonymous (65.92.xx.xx) on Tue 26 Dec 2006 at 19:38
Hi there,

When I try to install tor on my sarge machine using the repository you specify, apt-get install tor returns the following:

Reading Package Lists... Done
Building Dependency Tree... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.

Since you only requested a single operation it is extremely likely that
the package is simply not installable and a bug report against
that package should be filed.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
  tor: Depends: libevent1 (>= 1.1a) but 1.0b-1.1 is to be installed
E: Broken packages


Any idea as to what I should do now? I'm not too familiar with the use of extra repositories..
Thanks!

Re: Setting up a Tor server
Posted by Steve (62.30.xx.xx) on Tue 26 Dec 2006 at 21:37

Weird. apt-get should manage the dependencies itself.

If you're using the Sarge-backports site try this:

apt-get install -t sarge-backports libevent1
apt-get install -t sarge-backports tor

Steve

Firehol rule
Posted by Anonymous (89.176.xx.xx) on Fri 10 Aug 2007 at 14:09
Hello, does somebody use tor & firehol? Can you please post the firehol config for a Tor server?? Thx
ieee airdump"

Tor server
Posted by Anonymous (80.78.xx.xx) on Sat 14 Jul 2007 at 01:52
Nice tuto.. thanks
a0
