[tor-relays] 300mbps FreeBSD Tor relay on HPE MicroServer Gen10 (AMD X3421)

George george at queair.net
Sun Dec 30 18:12:00 UTC 2018


Felix:
> Hi Neel
> 
> 
>> My relay runs FreeBSD 11.2 and Tor runs in a "jail".
> 
> Jails are perfect for that! I observed the host FreeBSD TCP stack is
> strong enough for more than 500Mbit/s in AND out.

Yes, jails are a perfect fit in many ways.

I haven't been a jail user since FreeBSD 7.x or 8.x, but one thing I'd
like to do at some point is sort out a bare-minimum jail for a Tor node.
Not the usual full-base-system jail, but something that would look
like a chroot from the bird's-eye view.

I think it should be very doable with EZjail, but I always prefer base
tools with shell scripts.

I should mention that I'm not a fan of virtualization solutions for many
use-cases, but FreeBSD jails aren't about bloat and just adding more
lines of code with more bugs. They are a tight solution that can really
mitigate compromises when used properly.

For those interested, go look up their original usage by phk@ as a web
site hosting solution. It was an instance where some Danish www hosting
company kept getting their site hacked, so he had a cron job which
diff'd the contents of the www-serving jail and overwrote it if there
was a change, or something like that.

I can't find the actual link but this helps:

http://phk.freebsd.dk/sagas/jails.html

> 
> 
>> I am using AESNI and Tor is configured to use OpenSSL cryptodev.
> 
> Does crypto run? On log info you should find the following entry during
> start:
> 
> [info] crypto_openssl_init_engines: Initializing dynamic OpenSSL engine "dynamic" acceleration support.
> [info] crypto_openssl_init_engines: Loaded dynamic OpenSSL engine "dynamic".
> 
> After finding this message you can switch to notice and restart.
> 
>>   * I want to keep using FreeBSD on my server and do not want to run
>> Linux
> 
> +1
> 

Addressing the general audience here...

I'm a long-time BSD person and have fought long and hard for OS
diversity in Tor, but everyone should stick to OSs they are most
comfortable with.

The only thing I fear more than OS monocultures is anyone running OSs
they can't admin on systems which are public-facing and providing a
vital service.

A misconfigured BSD relay doesn't help anyone.


> 
>>   * I would prefer to have a single instance, but can use multiple if
>> I have to
> 
> It's BSD, so maybe consider going for LibreSSL from ports (which does
> not support the crypto engine). And then use 2 instances per IP. Better
> for diversity ;)
>

Yes, !OpenSSL should be considered, and LibreSSL is a good start.

I know LibreSSL doesn't support crypto engine, but not sure of the
consequences outside of the basics with it.


> 
>>   * My server supports hardware accelerated AES and SHA. I am using
>> this on FreeBSD with the aesni kernel module and Tor with
>> "HardwareAccel 1" and "AccelName cryptodev"
> 
> A torrc can look like:
>   RelayBandwidthRate  0
>   RelayBandwidthBurst 0
>   HardwareAccel 1
>   AccelName dynamic
>   Log info file /var/log/tor/info
> 

On that note, a lot of the Tor BSD docs have been migrated to the TPO
documentation, and we need to finish migrating the
https://wiki.torbsd.org there also.

But there continues to be a need for more, plus additional translations.
The BSDs have particularly large footprints in some countries that also
happen to lack many Tor relays, such as Japan and the Balkan countries.

The "gateway" drug for most people running anything new is FAQs, how-tos
and documentation.  A good target might be optimizing BSD relays beyond
the obvious.

g


-- 

34A6 0A1F F8EF B465 866F F0C5 5D92 1FD1 ECF6 1682
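
[Added example, not part of the original message or of Tor's own tooling.
It writes the torrc fragment Felix quotes above and then checks an
info-level Tor log for the two crypto_openssl_init_engines lines he says
to look for before switching the log level back to notice. The file paths,
the temporary directory and the sample log lines are assumptions or
constructed for the demonstration; the log lines mimic the two quoted
entries but are not captured from a real relay.]

```shell
#!/bin/sh
# Added example (not from the original post). Two helpers:
#   write_accel_torrc PATH  - write the HardwareAccel/AccelName torrc fragment
#   engine_loaded    LOG    - exit 0 iff LOG shows the "dynamic" engine was
#                             both initialized and loaded
# Paths below are assumptions; point them at your jail's torrc and log.

write_accel_torrc() {
    # Same settings as the quoted torrc; Log at info level so the engine
    # messages are visible at all.
    cat > "$1" <<'EOF'
RelayBandwidthRate  0
RelayBandwidthBurst 0
HardwareAccel 1
AccelName dynamic
Log info file /var/log/tor/info
EOF
}

engine_loaded() {
    # Both lines must be present: "Initializing" alone means the engine was
    # requested, "Loaded" means OpenSSL actually picked it up.
    grep -qF 'crypto_openssl_init_engines: Initializing dynamic OpenSSL engine "dynamic"' "$1" &&
    grep -qF 'crypto_openssl_init_engines: Loaded dynamic OpenSSL engine "dynamic"' "$1"
}

sample_log() {
    # Constructed sample log (not real relay output) used to exercise
    # engine_loaded; timestamps and the notice line are made up.
    cat <<'EOF'
Dec 30 18:00:01.000 [notice] Tor running on FreeBSD (constructed line)
Dec 30 18:00:01.000 [info] crypto_openssl_init_engines: Initializing dynamic OpenSSL engine "dynamic" acceleration support.
Dec 30 18:00:01.000 [info] crypto_openssl_init_engines: Loaded dynamic OpenSSL engine "dynamic".
EOF
}

# Stand-alone demo in a scratch directory (assumed writable).
tmp=$(mktemp -d)
write_accel_torrc "$tmp/torrc"
sample_log > "$tmp/info"
if engine_loaded "$tmp/info"; then
    echo "dynamic engine loaded: switch Log back to notice and restart Tor"
else
    echo "engine not loaded: check HardwareAccel, AccelName and that aesni.ko is loaded"
fi
rm -rf "$tmp"
```

On a real relay you would run `engine_loaded` against the path given in
the Log line of the torrc, then, once it passes, change `Log info` to
`Log notice` and restart, as the quoted reply suggests. Note that this
only confirms OpenSSL loaded the engine; it says nothing about LibreSSL,
which as noted above does not support the engine at all.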

