Deploying ten new tor bridges
Posted on vr 19 november 2021 in webapps
The tor project needs more bridges
Some time has passed since I removed my last tor relay node. But apparently the tor project is facing a declining number of tor bridges, special nodes used by people unable to connect to the tor system in a more convenient/open way. So after relaying their call to arms for more bridges, I figured I was in a position to do my part.
Source: Help Censored Users, Run a Tor Bridge
Basic setup
For quick deployments I mostly rely on German based Hetzner.de. So I deployed five virtual machines over four datacenters. It already had my SSH public key on deployment, so I just point my ansible code in their general direction and expect it to work.
I have some baseline setup that makes it more or less secure to run a virtual machine on the Internet. At least I fix automatic patch installs and configure a hardened ssh + iptables firewall. The linux distro used is Ubuntu 20.04.
Tor setup
For guidance I took their excellent document on https://community.torproject.org/relay/setup/bridge/debian-ubuntu/ and used it to quickly assemble a ansible role/playbook for the tor specific stuff. I extended the tor configuration with some statements limiting traffic to certain amounts, just to be sure it does not go all crazy on me. I might need raise this quite a bit later.
Playbook
This is the tor specific part.
---
- name: "support third party repos"
package:
name: "apt-transport-https"
state: present
tags:
- tor
- name: "tor project GPG key"
ansible.builtin.apt_key:
url: https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc
state: present
tags:
- tor
- name: Add specified repository into sources list
ansible.builtin.apt_repository:
repo: deb https://deb.torproject.org/torproject.org focal main
state: present
tags:
- tor
- name: "ensure tor keyring package is installed"
package:
name: "deb.torproject.org-keyring"
state: present
tags:
- tor
- name: "ensure tor package is installed"
package:
name: "tor"
state: latest
tags:
- tor
- name: "ensure bridge package is installed"
package:
name: "obfs4proxy"
state: present
tags:
- tor
- name: "make sure service is enabled"
service:
name: "tor"
enabled: true
state: started
tags:
- tor
- name: "tor config"
template:
src: "torrc.j2"
dest: "/etc/tor/torrc"
notify: "restart tor"
tags:
- tor
My torrc
Not really sure if using tcp port 8080 for the bridge part is actually a good choice, I will find out soon enough. Using port 80 will result in a permission denied on the port bind.
root@node01:/etc/logcheck# cat /etc/tor/torrc
Nickname [REDACTED] # Change "myNiceBridge" to something you like
ContactInfo [REDACTED] # Write your e-mail and be aware it will be published
ORPort 443 # You might use a different port, should you want to
ExitRelay 0
SocksPort 0
BridgeRelay 1
ExtORPort auto
Log notice syslog
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:8080
## Define these to limit how much relayed traffic you will allow. Your
## own traffic is still unthrottled. Note that RelayBandwidthRate must
## be at least 20 KB.
## Note that units for these config options are bytes per second, not bits
## per second, and that prefixes are binary prefixes, i.e. 2^10, 2^20, etc.
RelayBandwidthRate 250 KB # Throttle traffic to 250KB/s
RelayBandwidthBurst 500 KB # But allow bursts up to 500KB/s
## Use these to restrict the maximum traffic per day, week, or month.
## Note that this threshold applies separately to sent and received bytes,
## not to their sum: setting "4 GB" may allow up to 8 GB total before
## hibernating.
##
## Set a maximum of 4 gigabytes each way per period.
AccountingMax 200 GB
## Each period starts daily at midnight (AccountingMax is per day)
AccountingStart day 00:00
## Each period starts on the 3rd of the month at 15:00 (AccountingMax
## is per month)
AccountingStart month 3 15:00
## Uncomment this to mirror directory information for others. Please do
## if you have enough bandwidth.
DirPort 9030 # what port to advertise for directory connections
Monitoring and next steps
With the machines deployed I added them to my monitoring setup so I can watch things like network and cpu usage over time. Last step was joining the tor-relays mailinglist to make sure I'm in the loop when issues arise.
At first I started with a couple of nodes. After a couple of days I scaled it up to ten nodes. In retrospect a terraform plan would have been useful. But all in all it was done pretty swiftly.