tor-commits March 2021

tor-commits@lists.torproject.org

17 participants
2169 discussions

[community/staging] Import document Response template for Tor relay operator to ISP from old website
by hiro＠torproject.org 21 Mar '21

21 Mar '21

commit 5bdc7b7d40f7687dcc60dafbfa597e027aeed141 Author: gus <gus(a)torproject.org> Date: Thu Aug 8 11:50:22 2019 -0400 Import document Response template for Tor relay operator to ISP from old website --- .../tor-dmca-response/contents.lr | 47 ++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/content/relay-operations/community-resources/eff-tor-legal-faq/tor-dmca-response/contents.lr b/content/relay-operations/community-resources/eff-tor-legal-faq/tor-dmca-response/contents.lr new file mode 100644 index 0000000..659eafe --- /dev/null +++ b/content/relay-operations/community-resources/eff-tor-legal-faq/tor-dmca-response/contents.lr @@ -0,0 +1,47 @@ +_model: page +--- +title: Response template for Tor relay operator to ISP +--- +body: + +Written by the Electronic Frontier Foundation ([EFF](https://www.eff.org/)). Last updated May 31, 2011. + +Note to Tor relay operators: In this litigious era, anyone providing routing services may face copyright complaints for transmitted content. Fortunately, the Digital Millennium Copyright Act safe harbors should provide protections from many of them both to you and to your upstream provider. If your Internet host forwards a DMCA copyright complaint to you, you can use this template to write a response, though you will need to customize it to your situation. Please also ensure all the statements are true for you. (The Tor Project has an [abuse collection of templates](/tor-abuse-templates/) to help you respond to other types of abuse complaints, too.) Before sending any response to your ISP, you may want to seek the advice of an attorney licensed to practice in your jurisdiction. + +This template letter is for informational purposes only and does not constitute legal advice. Whether and how you should respond when you or your ISP has received a DMCA notice will turn on the particular facts of your situation. This template is intended as a starting point, but you should tailor it to your own circumstances. In addition, it's up to you to comply with your ISP's terms of service. If you're not comfortable including so much legal explanation, feel free to invite the ISP to contact EFF for a fuller discussion. + +If you do not believe the safe harbors apply to your particular situation, don't use this template as a basis for your response. Specific information about safe harbor qualification for "transitory digital network communications" is provided on the Chilling Effects website [here](https://www.chillingeffects.org/dmca512/faq.cgi#QID586) and also in the template, below. + +Also, if you received this document from anywhere other than the EFF web site or [tor-dmca-response](/tor-dmca-response), it may be out of date. Follow the link to get the latest version. + +``` + +Dear [ISP]: + +Thank you for forwarding me the notice you received from [copyright claimant] regarding [content]. I would like to assure you that I am not hosting the claimed infringing materials, and furthermore, the Digital Millennium Copyright Act's ("DMCA") safe harbors likely protect you from liability arising from this complaint. The notice is likely based upon misunderstandings about the law and about some of the software I run. + + +As you know, the DMCA creates four "safe harbors" for service providers to protect them from copyright liability for the acts of their users, when the ISPs fulfill certain requirements. (17 U.S.C. 512) The DMCA's requirements vary depending on the ISP's role. You may be familiar with the "notice and takedown" provisions of section 512(c) of the DMCA; however, those do not apply when an ISP merely acts as a conduit. Instead, the "conduit" safe harbor of section 512(a) of the DMCA has different and less burdensome eligibility requirements, as the D.C. Circuit Court of Appeals held in RIAA v. Verizon (see https://www.eff.org/sites/default/files/filenode/RIAA_v_Verizon/20030121-ri…) and the Eighth Circuit Court of Appeals confirmed in RIAA v. Charter (see https://w2.eff.org/IP/P2P/Charter/033802P.pdf). + +Under DMCA 512(a), service providers like you are typically protected from damages for copyright infringement claims if you also maintain "a policy that provides for termination in appropriate circumstances of subscribers and account holders of the service provider's system or network who are repeat infringers." If you have and implement such a policy, and you otherwise qualify for the safe harbor, you should be free from fear of copyright damages. + +As for what makes a reasonable policy, as the law says, it's one that terminates subscribers who are repeat infringers. The notification you received is certainly not proof of the "repeat infringement" that is required under the law before you need to terminate my account. In fact, it's not even proof of any copyright infringement; a notice claiming infringement is not the same as a determination of infringement. I have not infringed any copyrights and do not intend to do so. Therefore, you should continue to be protected under the DMCA 512(a) safe harbor without taking any further action. + +You may be curious about what prompted the faulty notice. It was likely triggered by a program I run called Tor. Tor is network software that helps users to enhance their privacy, security, and safety online. It does not host any content. Rather, it is part of a network of nodes on the Internet that simply pass packets among themselves before sending them to their destinations, just as any Internet intermediary does. The difference is that Tor tunnels the connections such that no hop can learn both the source and destination of the packets, giving users protection from nefarious snooping on network traffic. The result is that, unlike most other Internet traffic, the final IP address that the recipient receives is not the IP address of the sender. Tor protects users against hazards such as harassment, spam, and identity theft. Initial development of Tor, including deployment of a public-use Tor network, was a project of the U.S. Naval Research Laboratory, with funding from ONR and DA RPA. (For more on Tor, see https://www.torproject.org/.) I hope, as an organization committed to protecting the privacy of its customers, you'll agree that this is a valuable technology. + +Thank you for working with me on this matter. As a loyal subscriber, I appreciate your notifying me of this issue and hope that the protections of DMCA 512 put any concerns you may have to rest. If not, please contact me with any further questions. + +Very truly yours, +Your customer, [User] +``` + +--- +html: two-columns-page.html +--- +key: 1 +--- +section: Community and legal resources +--- +section_id: community-resources +--- +subtitle: Got a DMCA notice? Check out our sample response letter!

1 0

[community/staging] apply lost dip patches overwritten by torpusher
by hiro＠torproject.org 21 Mar '21

21 Mar '21

commit 2098893df56f4239cd0730fba42a50d937d93dba Author: emma peel <emma.peel(a)riseup.net> Date: Fri Aug 9 13:32:19 2019 +0200 apply lost dip patches overwritten by torpusher --- content/localization/pick-a-project/contents.lr | 10 +++--- .../technical-considerations/contents.lr | 39 +++++++++++----------- .../relay-operations/technical-setup/contents.lr | 2 +- 3 files changed, 26 insertions(+), 25 deletions(-) diff --git a/content/localization/pick-a-project/contents.lr b/content/localization/pick-a-project/contents.lr index 7d18464..d5fe0af 100644 --- a/content/localization/pick-a-project/contents.lr +++ b/content/localization/pick-a-project/contents.lr @@ -15,10 +15,12 @@ key: 3 html: two-columns-page.html --- body: -We have some statistics to help you choose a project. Here you have the current situation for all languages: +We want our tools to be available and localized for anyone who wants to use them and appreciate your help. To find out where your knowledge may be most helpful, take a look at the translation progress for the Tor ecosystem of tools so far: <img class="col-lg-6" src="../../static/images/localization/stats.png"> -* The Tor Browser is translated in many different Transifex resources, but you can see the [Tor Browser total strings translated per language](https://torpat.ch/locales). -* The Tor Browser User Manual is a very useful resource for new users that do not speak English, see [Tor Browser User Manual translation statistics](https://torpat.ch/manual-locales) or [translate](https://www.transifex.com/otf/tor-project-support-community-port… -* Same with the support portal, see [Tor Support Portal translation statistics](https://torpat.ch/support-locales) or [translate](https://www.transifex.com/otf/tor-project-support-community-port… +Although we would value your contribution to any of the projects above, the most critical are Tor Browser, the Tor Browser User Manual, and our Support Portal: + +* Tor Browser is translated in many different Transifex resources, but you can see the [Tor Browser total strings translated per language](https://torpat.ch/locales) to see where help is needed. +* The Tor Browser User Manual is a very useful resource for new users that do not speak English, see [Tor Browser User Manual translation statistics](https://torpat.ch/manual-locales) or [translate](https://www.transifex.com/otf/tor-project-support-community-port…. +* The Support Portal is also a valuable resource for all Tor users, see [Tor Support Portal translation statistics](https://torpat.ch/support-locales) or [translate](https://www.transifex.com/otf/tor-project-support-community-port… diff --git a/content/relay-operations/technical-considerations/contents.lr b/content/relay-operations/technical-considerations/contents.lr index df9ce12..9884bc3 100644 --- a/content/relay-operations/technical-considerations/contents.lr +++ b/content/relay-operations/technical-considerations/contents.lr @@ -6,12 +6,12 @@ _template: layout.html --- body: -# Considerations when choosing a hosting provider +# Choosing a hosting provider -If you have access to a high speed internet connection (>=100 Mbit/s in both directions) and a physical piece of computer hardware, this is the best way to run a relay. +Having access to a high speed internet connection (>=100 Mbit/s in both directions) and a physical piece of computer hardware is the best way to run a relay. Having full control over the hardware and connection gives you a more controllable and (if done correctly) secure environment. You can host your own physical hardware at home (do NOT run a Tor exit relay from your home) or in a data center. -Sometimes this is referred to as installing the relay on "bare metal". +Sometimes this is referred to as installing the relay on "bare metal." If you do not own physical hardware, you could run a relay on a rented dedicated server or virtual private server (VPS). This can cost anywhere between $3.00/month and thousands per month, depending on your provider, hardware configuration, and bandwidth usage. @@ -19,30 +19,30 @@ Many VPS providers will not allow you to run exit relays. You must follow the VPS provider's terms of service, or risk having your account disabled. For more information on hosting providers and their policies on allowing Tor relays, please see this list maintained by the Tor community: [GoodBadISPs](FIXME). -## Questions to consider when choosing a hoster +## Questions to consider when choosing a host -* How much monthly traffic is included? (Is bandwidth "unmetered"?) -* Does the hoster provide IPv6 connectivity? (it is recommended, but not required) -* What virtualization / hypervisor (if any) does the provider use? (anything but OpenVZ should be fine) +* How much monthly traffic is included? Is bandwidth "unmetered"? +* Does the hoster provide IPv6 connectivity? It is recommended, but not required. +* What virtualization / hypervisor (if any) does the provider use? Anything but OpenVZ should be fine. * Does the hoster start to throttle bandwidth after a certain amount of traffic? -* How well connected is the autonomous system of the hoster? To answer this question you can use the AS rank of the autonomous systems if you want to compare: http://as-rank.caida.org/ (a lower value is better) +* How well connected is the autonomous system of the hoster? To answer this question you can use the AS rank of the autonomous systems if you want to compare: (a lower value is better) http://as-rank.caida.org/ -## If you plan to run Exit Relays +## If you plan to run exit relays -* Does the hoster allow Tor exit relays? (explicitly ask them before starting an exit relay there) +* Does the hoster allow Tor exit relays? We recommend you explicitly ask them before getting started. * Does the hoster allow custom WHOIS records for your IP addresses? This helps reduce the amount of abuse sent to the hoster instead of you. * Does the hoster allow you to set a custom DNS reverse entry? (DNS PTR record) - This are probably things you will need to ask the hoster in a Pre-Sales ticket + You can usually ask these questions in a Pre-Sales ticket. # AS/location diversity When selecting your hosting provider, consider network diversity on an autonomous system (AS) and country level. A more diverse network is more resilient to attacks and outages. Sometimes it is not clear which AS you are buying from in case of resellers. -To be sure it is best to ask the hoster about the AS number before ordering a server. +To be sure, ask the host about the AS number before ordering a server. -It is best to avoid hosters where many Tor relays are already hosted, but it is still better to add one there than to run no relay at all. +It is best to avoid hosts where many Tor relays are already hosted, but it is still better to add one there than to run no relay at all. **Try to avoid** the following hosters: @@ -51,16 +51,15 @@ It is best to avoid hosters where many Tor relays are already hosted, but it is * Hetzner Online GmbH (AS24940) * DigitalOcean, LLC (AS14061) -To find out which hoster and countries are already used by many other operators (that should be avoided) you can use Relay Search: +To find out which host and countries are already used by many other operators (that should be avoided) you can use Relay Search: * [Autonomous System Level Overview](https://metrics.torproject.org/rs.html#aggregate/as) * [Country Level Overview](https://metrics.torproject.org/rs.html#aggregate/cc) # Choosing an Operating System -We recommend you use the operating system you are most familiar with. - -Please keep in mind that since most relays run on Debian and we want to avoid a monoculture, BSD and other non-Linux based relays are greatly needed. +We recommend using the operating system you are most familiar with, but if you're able, the network would most benefit from BSD and other non-Linux based relays. +Most relays currently run on Debian. The following table shows the current OS distribution on the Tor network to give you an idea of how much more non-Linux relays we should have: @@ -68,7 +67,7 @@ The following table shows the current OS distribution on the Tor network to give # OS Level Configuration -OS configuration is outside the scope of this guide but the following points are crucial for a Tor relay, so we want to mention them here nonetheless. +OS configuration is outside the scope of this guide, but the following points are crucial for a Tor relay, so we want to mention them here nonetheless. ## Time Synchronization (NTP) @@ -76,8 +75,8 @@ Correct time settings are essential for Tor relays. It is recommended that you u ## Automatic Software Updates -One of the most imported things to keeps your relay secure is to install security updates timely and ideally automatically so you can not forget about it. -We collected the steps to enable automatic software updates for different operating systems: +One of the most important things to keeps your relay secure is to immediately install security updates. We recommend setting updates to install automatically. +Here's how to enable automatic software updates for different operating systems: * [RPM-based distributions](FIXME) (RHEL, CentOS, Fedora, openSUSE) * [Debian/Ubuntu](FIXME) diff --git a/content/relay-operations/technical-setup/contents.lr b/content/relay-operations/technical-setup/contents.lr index 886bacc..71bd65a 100644 --- a/content/relay-operations/technical-setup/contents.lr +++ b/content/relay-operations/technical-setup/contents.lr @@ -8,7 +8,7 @@ key: 4 --- _template: layout.html --- -title: Technical setup +title: Technical Setup --- subtitle: Installing and configuring your Tor relay: Bridge, Guard / Middle node, Exit. ---

1 0

[community/staging] Replace FIXME to EFF Tor legal FAQ
by hiro＠torproject.org 21 Mar '21

21 Mar '21

commit 66c08f801fc4f0ec908bba8a07c4630233973ba2 Author: gus <gus(a)torproject.org> Date: Fri Aug 9 06:24:14 2019 -0400 Replace FIXME to EFF Tor legal FAQ --- .../community-resources/tor-abuse-templates/contents.lr | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/relay-operations/community-resources/tor-abuse-templates/contents.lr b/content/relay-operations/community-resources/tor-abuse-templates/contents.lr index 949df7f..2af9f6b 100644 --- a/content/relay-operations/community-resources/tor-abuse-templates/contents.lr +++ b/content/relay-operations/community-resources/tor-abuse-templates/contents.lr @@ -212,8 +212,8 @@ If a serious abuse complaint not covered by this template set arrives, the best ## Other Template Sets - * [DMCA Response template for Tor node maintainer to ISP](FIXME) as written by the [EFF](http://www.eff.org). - * Moritz Bartl, the operator of some of our fastest Tor exit nodes, has begun compiling a [set of abuse response template emails](https://www.torservers.net/wiki/abuse/templates) as well. + * [DMCA Response template for Tor node maintainer to ISP](community-resources/eff-tor-legal-faq/) as written by the [EFF](http://www.eff.org). + * Torservers [response template emails](https://www.torservers.net/wiki/abuse/templates). --- html: two-columns-page.html ---

1 0

[community/staging] Remove instructions for manual invokation.
by hiro＠torproject.org 21 Mar '21

21 Mar '21

commit 226dd761fc037507d7dfbc96d31a1a5aaeba5d10 Author: Philipp Winter <phw(a)nymity.ch> Date: Fri Aug 9 09:42:20 2019 -0700 Remove instructions for manual invokation. The instructions stopped working because docker messed up its command line parsing: <https://github.com/docker/cli/issues/1962> Besides, lektor doesn't like backslashes in code blocks. --- .../technical-setup/bridge/docker/contents.lr | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/content/relay-operations/technical-setup/bridge/docker/contents.lr b/content/relay-operations/technical-setup/bridge/docker/contents.lr index 9ff4a6e..ca3d7f7 100644 --- a/content/relay-operations/technical-setup/bridge/docker/contents.lr +++ b/content/relay-operations/technical-setup/bridge/docker/contents.lr @@ -8,22 +8,11 @@ We are maintaining a docker container that allows you to quickly set up an obfs4 `docker pull phwinter/obfs4-bridge:0.1` -Now, it's time to run the container. You have two options: - -1. We maintain a script that automatically determines a free OR and obfs4 port for you. The script only requires your email address as argument: +Now, it's time to run the container. We maintain a script that automatically determines a free OR and obfs4 port for you. The script only requires your email address as argument: ``` $ curl https://dip.torproject.org/torproject/anti-censorship/docker-obfs4-bridge/r… > deploy-container.sh $ bash deploy-container.sh address(a)email.com ``` -2. If you would rather provide your own ports, run the following command and replace `XXX` with your OR port, `YYY` with your obfs4 port, and `address(a)example.com` with your email address. Don't forget the semicolon after the environment variables. - - ``` - OR_PORT=XXX PT_PORT=YYY EMAIL=address(a)example.com; \\ - docker run -d \\ - -e "OR_PORT=$OR_PORT" -e "PT_PORT=$PT_PORT" -e "EMAIL=$EMAIL" \\ - -p "$OR_PORT":"$OR_PORT" -p "$PT_PORT":"$PT_PORT" \\ - phwinter/obfs4-bridge:0.1 - ``` That's it! Your container should now be bootstrapping your new obfs4 Tor bridge. ---

1 0

[community/staging] apply lost dip patches overwritten by torpusher
by hiro＠torproject.org 21 Mar '21

21 Mar '21

commit a85d586cf220ff7b09442078d8851d6585aa28cc Author: emma peel <emma.peel(a)riseup.net> Date: Fri Aug 9 12:47:22 2019 +0200 apply lost dip patches overwritten by torpusher --- content/outreach/contents.lr | 2 +- .../community-resources/contents.lr | 41 +++++++++++++++------- content/training/contents.lr | 4 +-- templates/localization.html | 4 +-- 4 files changed, 34 insertions(+), 17 deletions(-) diff --git a/content/outreach/contents.lr b/content/outreach/contents.lr index 40a16af..e6d65ef 100644 --- a/content/outreach/contents.lr +++ b/content/outreach/contents.lr @@ -20,4 +20,4 @@ body: ##Tell the world about Tor -We love it when people bring information about Tor to their community events, conferences, and meetups, and so we've curated some beautiful materials for in-person and social media outreach. +We love it when people bring information about Tor to their community events, conferences, and meetups. We've curated some beautiful materials for sharing in-person and on social media we welcome you to use. \ No newline at end of file diff --git a/content/relay-operations/community-resources/contents.lr b/content/relay-operations/community-resources/contents.lr index eb905fc..bfdcfcb 100644 --- a/content/relay-operations/community-resources/contents.lr +++ b/content/relay-operations/community-resources/contents.lr @@ -16,11 +16,15 @@ html: two-columns-page.html --- body: -Exit relay operators should understand the potential risks associated with running an exit relay. For the majority of operators in most countries, bridges and guard/middle relays are very low risk. Exits are the ones that present some legal concerns, but operators under most circumstances will be able to handle legal matters by having an abuse response letter, running the exit from a location that isn't their home, and reading through some of the legal resources that Tor-supportive lawyers have put together. +Exit relay operators should understand the potential risks associated with running an exit relay. +For the majority of operators in most countries, bridges and guard/middle relays are very low risk. +Exits are the ones that present some legal concerns, but operators under most circumstances will be able to handle legal matters by having an abuse response letter, running the exit from a location that isn't their home, and reading through some of the legal resources that Tor-supportive lawyers have put together. # Legal resources -The [EFF Tor Legal FAQ](https://www.torproject.org/eff/tor-legal-faq.html.en) answers many common questions about relay operation and the law. We also like [Noisebridge's wiki](https://www.noisebridge.net/wiki/Noisebridge_Tor/FBI) for additional legal resources. In general it's a good idea to consult with a lawyer before deciding to operate an exit relay, especially if you live in a place where exit relay operators have been harassed, or if you're the only exit relay operator in your region. Get in touch with your local digital rights organization to see if they have recommendations about legal assistance, and if you're not sure what organizations are working in your region, [write to EFF](https://www.eff.org/about/contact) and see if they can help connect you. +The [EFF Tor Legal FAQ](https://www.torproject.org/eff/tor-legal-faq.html.en) answers many common questions about relay operation and the law. We also like [Noisebridge's wiki](https://www.noisebridge.net/wiki/Noisebridge_Tor/FBI) for additional legal resources. +In general it's a good idea to consult with a lawyer before deciding to operate an exit relay, especially if you live in a place where exit relay operators have been harassed, or if you're the only exit relay operator in your region. +Get in touch with your local digital rights organization to see if they have recommendations about legal assistance, and if you're not sure what organizations are working in your region, [write to EFF](https://www.eff.org/about/contact) and see if they can help connect you. Also see the [Tor Exit Guidelines](tor-exit-guidelines). @@ -28,7 +32,8 @@ Also see the [Tor Exit Guidelines](tor-exit-guidelines). Operators can put together their own abuse complaint template responses from one of many templates that Tor has created: [Tor Abuse Templates](tor-abuse-templates). -It is important to respond to abuse complaints in a timely manner (usually within 24 hours). If the hoster gets annoyed by the amount of abuse you can reduce the amount of ports allowed in your exit policy. Please document your experience with new hosters on the following wiki page: [GoodBadISPs](good-bad-isps) +It is important to respond to abuse complaints in a timely manner (usually within 24 hours). If the hoster gets annoyed by the amount of abuse you can reduce the amount of ports allowed in your exit policy. +Please document your experience with new hosters on the following wiki page: [GoodBadISPs](good-bad-isps) Other docs we like: @@ -39,29 +44,41 @@ Other docs we like: Running relays is more fun with other people! You can work with your university department, your employer or institution, or an organization like [Torservers.net](https://torservers.net) to run a relay. -## Torservers.net +## Torservers.net -Torservers is an independent, global network of organizations that help the Tor network by running high bandwidth Tor relays. Becoming a Torservers partner is a good way to become more involved in the Tor relay community, and can help you connect with dedicated relay operators around the world for solidarity and support. To start a Torservers partner, the most important thing is to have a group of people (3-5 suggested to start) interested in helping with the various activities required for running relays. There should be mutual trust between the people in the group, and members should commit to running relays for the long term. If you do not know anyone in your social network interested in running relays, one place to meet people is [your local hackerspace](https://wiki.hackerspaces.org/Hackerspaces). +Torservers is an independent, global network of organizations that help the Tor network by running high bandwidth Tor relays. +Becoming a Torservers partner is a good way to become more involved in the Tor relay community, and can help you connect with dedicated relay operators around the world for solidarity and support. +To start a Torservers partner, the most important thing is to have a group of people (3-5 suggested to start) interested in helping with the various activities required for running relays. +There should be mutual trust between the people in the group, and members should commit to running relays for the long term. +If you do not know anyone in your social network interested in running relays, one place to meet people is [your local hackerspace](https://wiki.hackerspaces.org/Hackerspaces). -Once you have a trusted group of people, depending on your region, it is often advised to create some type of non-profit corporation. This is useful for having a bank account, shared ownership, grant applications, etc. In many countries operating as a corporation instead of as an individual can also get you certain legal protections. +Once you have a trusted group of people, depending on your region, it is often advised to create some type of non-profit corporation. +This is useful for having a bank account, shared ownership, grant applications, etc. +In many countries operating as a corporation instead of as an individual can also get you certain legal protections. -The next steps are figuring out hardware, transit, and server hosting. Depending on your location and connections within the technical community of the area, the last one may be the hardest step. Small local ISPs often have extra bandwidth, and may be interested in supporting your group with some bandwidth or rackspace. It is extremely important to maintain good relationships with these ISPs. +The next steps are figuring out hardware, transit, and server hosting. +Depending on your location and connections within the technical community of the area, the last one may be the hardest step. +Small local ISPs often have extra bandwidth, and may be interested in supporting your group with some bandwidth or rackspace. +It is extremely important to maintain good relationships with these ISPs. -## At your university +## At your university -Many computer science departments, university libraries, and individual students and faculty run relays from university networks. These universities include the Massachusetts Institute of Technology (MIT CSAIL), Boston University, the University of Waterloo, the University of Washington, Northeastern University, Karlstad University, Universitaet Stuttgart, and Friedrich-Alexander University Erlangen-Nuremberg. To learn more about how to get support for a relay on your university's network, check out EFF's resources: [Tor on campus](https://www.eff.org/torchallenge/tor-on-campus.html). +Many computer science departments, university libraries, and individual students and faculty run relays from university networks. +These universities include the Massachusetts Institute of Technology (MIT CSAIL), Boston University, the University of Waterloo, the University of Washington, Northeastern University, Karlstad University, Universitaet Stuttgart, and Friedrich-Alexander University Erlangen-Nuremberg. +To learn more about how to get support for a relay on your university's network, check out EFF's resources: [Tor on campus](https://www.eff.org/torchallenge/tor-on-campus.html). ## At your company or organization -If you work at a Tor-friendly company or organization, that's another ideal place to run a relay. Some companies running relays include Brass Horn Communications, Quintex Alliance Consulting, and OmuraVPN. Some organizations running Tor relays include Digital Courage, [Access Now](https://www.accessnow.org/), [Derechos Digitales](https://tor.derechosdigitales.org), [Enjambre Digital](https://tor.enjambre.net/) and Lebanon Libraries in New Hampshire. +If you work at a Tor-friendly company or organization, that's another ideal place to run a relay. +Some companies running relays include Brass Horn Communications, Quintex Alliance Consulting, and OmuraVPN. +Some organizations running Tor relays include Digital Courage, [Access Now](https://www.accessnow.org/), [Derechos Digitales](https://tor.derechosdigitales.org), [Enjambre Digital](https://tor.enjambre.net/) and Lebanon Libraries in New Hampshire. # More resources -Congratulations, you're officially a Tor relay operator! What now? +Congratulations, you're officially a Tor relay operator! What now? * You can check out traffic and other statistics for your relay at our [Relay Search](https://metrics.torproject.org/rs.html) (your relay will appear on "Relay Search" about 3 hours after you started it). * There is also more info about running a relay at the [Tor FAQ](https://2019.www.torproject.org/docs/faq.html.en#HowDoIDecide). * And, most importantly, make sure to email tshirt(a)torproject.org and [claim your swag](swags). It's our way of saying thanks for defending privacy and free speech online. - diff --git a/content/training/contents.lr b/content/training/contents.lr index 06c4259..9024fb8 100644 --- a/content/training/contents.lr +++ b/content/training/contents.lr @@ -18,9 +18,9 @@ html: training.html --- body: -## We want to teach the world about Tor. Will you help? +## We want to teach the world about Tor. Can you help? Are you a Tor trainer or interested in becoming one? Looking for resources to help your community learn the most about Tor? We've got you covered. -For some users with serious threat models, using Tor and other privacy tools can be risky if not done with care. +For some users with serious threat models, teaching Tor and other privacy tools can be risky if not done with care. If this describes your community, or if you're not sure, please [contact our community team](https://trac.torproject.org/projects/tor/wiki/org/teams/CommunityTeam… for more help. diff --git a/templates/localization.html b/templates/localization.html index bfafcea..7a17aba 100644 --- a/templates/localization.html +++ b/templates/localization.html @@ -24,9 +24,9 @@ {% endfor %} </div> <div class="row py-5 text-center mx-auto"> - <h2 class="display-4 text-primary text-center mx-auto my-3">{{ _('Help us to improve our translations!') }}</h2> + <h2 class="display-4 text-primary text-center mx-auto my-3">{{ _('Can you help us improve our translations?') }}</h2> <p class="text-center"> - {{ _('Localization is a continuous process across our applications. Notice any improvements we could make to our translations? Open a ticket, reach out to us, or become part of our translators army!') }} + {{ _('Localization is a continuous process across our applications. Notice any improvements we could make to our translations? Open a ticket, reach out to us, or become part of our translators squad.') }} </p> <a class="btn btn-lg btn-outline-primary mx-auto my-3" href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-l10n"> {{ _('Translators mailing list') }}<i class="ml-3 pt-2 fas fa-arrow-right"></i>

1 0

[community/staging] will-fix: #56. Merge remote-tracking branch 'gus/eff-legal-faq'
by hiro＠torproject.org 21 Mar '21

21 Mar '21

commit 15c90a7265f03e7778c42fc1f0ab8dd19edf06fe Merge: 2098893 66c08f8 Author: emma peel <emma.peel(a)riseup.net> Date: Fri Aug 9 14:38:16 2019 +0200 will-fix: #56. Merge remote-tracking branch 'gus/eff-legal-faq' .../eff-tor-legal-faq/contents.lr | 102 +++++++++++++++++++++ .../tor-dmca-response/contents.lr | 47 ++++++++++ .../tor-abuse-templates/contents.lr | 4 +- 3 files changed, 151 insertions(+), 2 deletions(-)

1 0

[community/staging] Removed unnecessary new lines at the end and extras blank lines
by hiro＠torproject.org 21 Mar '21

21 Mar '21

commit 3463c58630c9cdfbae44ee9a02a1cbbae5da7d56 Author: gus <gus(a)torproject.org> Date: Thu Aug 15 10:45:39 2019 -0400 Removed unnecessary new lines at the end and extras blank lines --- content/relay-operations/community-resources/contents.lr | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/content/relay-operations/community-resources/contents.lr b/content/relay-operations/community-resources/contents.lr index 549b434..440aa3a 100644 --- a/content/relay-operations/community-resources/contents.lr +++ b/content/relay-operations/community-resources/contents.lr @@ -86,7 +86,7 @@ Some organizations running Tor relays include Digital Courage, [Access Now](http # Bad relays -A bad relay is one that either doesn't work properly or tampers with our users' connections. This can be either through maliciousness or misconfiguration. Many bad relays are caught thanks to our wider community, so many thanks for all your help and vigilance! Learn how you can report [bad relays](bad-relays). +A bad relay is one that either do not work properly or tamper with our users' connections. This can be either through maliciousness or misconfiguration. Many bad relays are caught thanks to our wider community, so many thanks for all your help and vigilance! Learn how you can report [bad relays](bad-relays). # Other resources @@ -97,5 +97,3 @@ Congratulations, you're officially a Tor relay operator! What now? * There is also more info about running a relay at the [Tor FAQ](https://2019.www.torproject.org/docs/faq.html.en#HowDoIDecide). * And, most importantly, make sure to email tshirt(a)torproject.org and [claim your swag](swag). It's our way of saying thanks for defending privacy and free speech online. - -

1 0

[community/staging] State that FreeBSD's firewall may get in the way.
by hiro＠torproject.org 21 Mar '21

21 Mar '21

commit 3ddf6ec11b9b83e1278b42c669c61607a7daeac6 Author: Philipp Winter <phw(a)nymity.ch> Date: Mon Aug 12 13:06:45 2019 -0700 State that FreeBSD's firewall may get in the way. --- content/relay-operations/technical-setup/bridge/freebsd/contents.lr | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/relay-operations/technical-setup/bridge/freebsd/contents.lr b/content/relay-operations/technical-setup/bridge/freebsd/contents.lr index 3fdee50..2ec5c8e 100644 --- a/content/relay-operations/technical-setup/bridge/freebsd/contents.lr +++ b/content/relay-operations/technical-setup/bridge/freebsd/contents.lr @@ -51,6 +51,8 @@ Don't forget to change the `ORPort`, `ServerTransportListenAddr`, `ContactInfo`, * Note that both Tor's OR port and its obfs4 port must be reachable. If your bridge is behind a firewall or NAT, make sure to open both ports. You can use [our reachability test](https://bridges.torproject.org/scan/) to see if your obfs4 port is reachable from the Internet. +* Are you using FreeBSD's firewall with a "default deny" policy? If so, make sure that your obfs4proxy can talk to your Tor process over the loopback interface. Don't forget to whitelist Tor's `ExtORPort`. + ### 3. Ensure that the `random_id` sysctl setting is enabled: ```

1 0

[community/staging] Update assets and content files
by hiro＠torproject.org 21 Mar '21

21 Mar '21

commit e1b27a81b3b588c91130143cd741c1300416d421 Author: hiro <hiro(a)torproject.org> Date: Tue Aug 20 18:58:30 2019 +0200 Update assets and content files --- .../static/files/tor-network-2019-b.odp | 0 .../static/files}/tor-network-2019.odp | Bin .../static/files}/tor-network-2019.pdf | Bin .../static/files}/tor-network-2019.pdf.lr | 0 .../static/files/tor-slides-full-deck-2019-b.odp | 0 .../static/files/tor-slides-full-deck-2019-b.pdf | 0 .../static/files}/tor-slides-full-deck-2019.odp | Bin .../static/files}/tor-slides-full-deck-2019.pdf | Bin content/localization/translate-strings/contents.lr | 19 +++ content/outreach/speakers/contents.lr | 19 +++ .../centos-rhel-opensuse/contents.lr | 101 ++++++++++++ .../bridge-deployment-guide/contents.lr | 23 +++ .../debian-ubuntu/contents.lr | 80 +++++++++ .../bridge-deployment-guide/freebsd/contents.lr | 98 +++++++++++ .../bridge-deployment-guide/openbsd/contents.lr | 74 +++++++++ .../post-install/contents.lr | 22 +++ .../technical-setup/centosrhel/contents.lr | 19 +++ .../technical-setup/debianubuntu/contents.lr | 19 +++ .../technical-setup/exit-relay/contents.lr | 181 +++++++++++++++++++++ .../technical-setup/fedora/contents.lr | 19 +++ .../technical-setup/freebsd/contents.lr | 19 +++ .../middleguard-relay/centosrhel/contents.lr | 56 +++++++ .../technical-setup/middleguard-relay/contents.lr | 15 ++ .../middleguard-relay/debianubuntu/contents.lr | 46 ++++++ .../middleguard-relay/fedora/contents.lr | 37 +++++ .../middleguard-relay/freebsd/contents.lr | 73 +++++++++ .../contents.lr | 179 ++++++++++++++++++++ content/user-testing/current/contents.lr | 19 +++ content/user-testing/signup/contents.lr | 19 +++ lego | 2 +- 30 files changed, 1138 insertions(+), 1 deletion(-) diff --git a/content/training/resources/tor-network-2019.odp.lr b/assets/static/files/tor-network-2019-b.odp similarity index 100% rename from content/training/resources/tor-network-2019.odp.lr rename to assets/static/files/tor-network-2019-b.odp diff --git a/content/training/resources/tor-network-2019.odp b/assets/static/files/tor-network-2019.odp similarity index 100% rename from content/training/resources/tor-network-2019.odp rename to assets/static/files/tor-network-2019.odp diff --git a/content/training/resources/tor-network-2019.pdf b/assets/static/files/tor-network-2019.pdf similarity index 100% rename from content/training/resources/tor-network-2019.pdf rename to assets/static/files/tor-network-2019.pdf diff --git a/content/training/resources/tor-network-2019.pdf.lr b/assets/static/files/tor-network-2019.pdf.lr similarity index 100% rename from content/training/resources/tor-network-2019.pdf.lr rename to assets/static/files/tor-network-2019.pdf.lr diff --git a/content/training/resources/tor-slides-full-deck-2019.odp.lr b/assets/static/files/tor-slides-full-deck-2019-b.odp similarity index 100% rename from content/training/resources/tor-slides-full-deck-2019.odp.lr rename to assets/static/files/tor-slides-full-deck-2019-b.odp diff --git a/content/training/resources/tor-slides-full-deck-2019.pdf.lr b/assets/static/files/tor-slides-full-deck-2019-b.pdf similarity index 100% rename from content/training/resources/tor-slides-full-deck-2019.pdf.lr rename to assets/static/files/tor-slides-full-deck-2019-b.pdf diff --git a/content/training/resources/tor-slides-full-deck-2019.odp b/assets/static/files/tor-slides-full-deck-2019.odp similarity index 100% rename from content/training/resources/tor-slides-full-deck-2019.odp rename to assets/static/files/tor-slides-full-deck-2019.odp diff --git a/content/training/resources/tor-slides-full-deck-2019.pdf b/assets/static/files/tor-slides-full-deck-2019.pdf similarity index 100% rename from content/training/resources/tor-slides-full-deck-2019.pdf rename to assets/static/files/tor-slides-full-deck-2019.pdf diff --git a/content/localization/translate-strings/contents.lr b/content/localization/translate-strings/contents.lr new file mode 100644 index 0000000..6f88833 --- /dev/null +++ b/content/localization/translate-strings/contents.lr @@ -0,0 +1,19 @@ +section: localization +--- +section_id: localization +--- +color: primary +--- +_template: layout.html +--- +title: Translate strings +--- +subtitle: How to translates +--- +key: 4 +--- +html: two-columns-page.html +--- +body: + +### How to translates diff --git a/content/outreach/speakers/contents.lr b/content/outreach/speakers/contents.lr new file mode 100644 index 0000000..36e278d --- /dev/null +++ b/content/outreach/speakers/contents.lr @@ -0,0 +1,19 @@ +section: outreach +--- +section_id: outreach +--- +color: primary +--- +_template: layout.html +--- +title: Speakers +--- +subtitle: Speakers +--- +key: 2 +--- +html: two-columns-page.html +--- +body: + +## Speakers diff --git a/content/relay-operations/technical-setup/bridge-deployment-guide/centos-rhel-opensuse/contents.lr b/content/relay-operations/technical-setup/bridge-deployment-guide/centos-rhel-opensuse/contents.lr new file mode 100644 index 0000000..5849e5a --- /dev/null +++ b/content/relay-operations/technical-setup/bridge-deployment-guide/centos-rhel-opensuse/contents.lr @@ -0,0 +1,101 @@ +_model: page +--- +title: CentOS / RHEL / OpenSUSE +--- +body: + +# 1. Install tor and dependencies + +* Redhat / RHEL: + +``` +yum install epel-release +yum install git golang tor +``` + +* OpenSUSE: + +``` +zypper install tor go git +``` + +# 2. Build obfs4proxy and move it into place. + +Heavily outdated versions of git can make `go get` fail, so try upgrading to a more recent git version if you're running into this problem. + +* CentOS / RHEL: + +``` +export GOPATH=`mktemp -d` +go get gitlab.com/yawning/obfs4.git/obfs4proxy +sudo cp $GOPATH/bin/obfs4proxy /usr/local/bin/ +chcon --reference=/usr/bin/tor /usr/local/bin/obfs4proxy +``` + +* OpenSUSE: + +``` +export GOPATH=`mktemp -d` +go get gitlab.com/yawning/obfs4.git/obfs4proxy +sudo cp $GOPATH/bin/obfs4proxy /usr/local/bin/ +``` + +# 3. Edit your Tor config file, usually located at `/etc/tor/torrc` and add the following lines: + +``` +#Bridge config +RunAsDaemon 1 +ORPort auto +BridgeRelay 1 +ServerTransportPlugin obfs4 exec /usr/local/bin/obfs4proxy +# For a fixed obfs4 port (e.g. 34176), uncomment the following line. +#ServerTransportListenAddr obfs4 0.0.0.0:34176 +# Local communication port between Tor and obfs4. Always set this to "auto". "Ext" means +# "extended", not "external". Don't try to set a specific port number, nor listen on 0.0.0.0. +ExtORPort auto + +# Contact information that allows us to get in touch with you in case of +# critical updates or problems with your bridge. This is optional, so you +# don't have to provide an email address if you don't want to. +ContactInfo <address(a)email.com> +# Pick a nickname that you like for your bridge. +Nickname PickANickname +``` + +Don't forget to change the ContactInfo and Nickname options. + +* Note that both Tor's OR port **and** its obfs4 port must be reachable. If your bridge is behind a firewall or NAT, make sure to open both ports. + +# 4. Restart tor + +`systemctl restart tor` + +# 5. Monitor your logs (usually in your syslog) + +To confirm your bridge is running with no issues, you should see something like this: + +``` +[notice] Your Tor server's identity key fingerprint is '<NICKNAME> <FINGERPRINT>' +[notice] Your Tor bridge's hashed identity key fingerprint is '<NICKNAME> <HASHED FINGERPRINT>' +[notice] Registered server transport 'obfs4' at '[::]:46396' +[notice] Tor has successfully opened a circuit. Looks like client functionality is working. +[notice] Bootstrapped 100%: Done +[notice] Now checking whether ORPort <redacted>:9001 is reachable... (this may take up to 20 minutes -- look for log messages indicating success) +[notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor. +``` + +Remember to open the random port associated with your bridge. You can find it in your tor log; in the above example it is 46396. To use a fixed port, uncomment the [ServerTransportListenAddr](https://www.torproject.org/docs/tor-manual.html.… option in your torrc. You can use [our reachability test](https://bridges.torproject.org/scan/) to see if your obfs4 port is reachable from the Internet. + + +--- +html: two-columns-page.html +--- +key: + +2 +--- +color: primary +--- +subtitle: How to deploy obfs4proxy Bridge on CentOS / RHEL / OpenSUSE +--- +_template: layout.html diff --git a/content/relay-operations/technical-setup/bridge-deployment-guide/contents.lr b/content/relay-operations/technical-setup/bridge-deployment-guide/contents.lr new file mode 100644 index 0000000..c83b3e6 --- /dev/null +++ b/content/relay-operations/technical-setup/bridge-deployment-guide/contents.lr @@ -0,0 +1,23 @@ +_model: page +--- +title: + + Bridge +--- +body: + +This guide will help you run an obfs4 bridge to help censored users connect to the Tor network. The requirements are 1) 24/7 Internet connectivity and 2) the ability to expose TCP ports to the Internet (make sure that NAT doesn't get in the way). + +Note: If you're running platforms that are not listed on this page, you should probably [compile obfs4 from source](https://gitlab.com/yawning/obfs4#installation). +--- +html: two-columns-page.html +--- +key: 2 +--- +section: Bridge operations +--- +section_id: bridge-operations +--- +subtitle: Run an obfs4 bridge to help censored users connect to the Tor network +--- +_slug: {{bridge}} diff --git a/content/relay-operations/technical-setup/bridge-deployment-guide/debian-ubuntu/contents.lr b/content/relay-operations/technical-setup/bridge-deployment-guide/debian-ubuntu/contents.lr new file mode 100644 index 0000000..8900995 --- /dev/null +++ b/content/relay-operations/technical-setup/bridge-deployment-guide/debian-ubuntu/contents.lr @@ -0,0 +1,80 @@ +_model: page +--- +title: Debian / Ubuntu +--- +body: + +# 1. Install Tor + +Get the latest version of Tor. If you're on Debian stable, `sudo apt-get install tor` should give you the latest stable version of Tor. + +* Note:''' Ubuntu users need to get it from Tor repository. Please see [Download instructions for Ubuntu](https://www.torproject.org/docs/debian.html.en#ubuntu). + +# 2. Install obfs4proxy + +On [Debian](https://packages.debian.org/search?keywords=obfs4proxy), the `obfs4proxy` package is available in sid, buster, and stretch. On [https://packages.ubuntu.com/search?keywords=obfs4proxy Ubuntu], bionic, cosmic, disco, and eoan have the package. If you're running any of them, `sudo apt-get install obfs4proxy` should work. + +If not, you can [build it from source](https://gitlab.com/yawning/obfs4#installation). + +# 3. Edit your Tor config file, usually located at `/etc/tor/torrc` and add the following lines: + +``` +#Bridge config +RunAsDaemon 1 +ORPort auto +BridgeRelay 1 +ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy +# For a fixed obfs4 port (e.g. 34176), uncomment the following line. +#ServerTransportListenAddr obfs4 0.0.0.0:34176 +# Local communication port between Tor and obfs4. Always set this to "auto". "Ext" means +# "extended", not "external". Don't try to set a specific port number, nor listen on 0.0.0.0. +ExtORPort auto + +# Contact information that allows us to get in touch with you in case of +# critical updates or problems with your bridge. This is optional, so you +# don't have to provide an email address if you don't want to. +ContactInfo <address(a)email.com> +# Pick a nickname that you like for your bridge. +Nickname PickANickname +``` + +Don't forget to change the ContactInfo and Nickname options. + +* If you decide to use a fixed obfs4 port smaller than 1024 (for example 80 or 443), you will need to give obfs4 `CAP_NET_BIND_SERVICE` capabilities to bind the port with a non-root user: + +``` +sudo setcap cap_net_bind_service=+ep /usr/bin/obfs4proxy +``` + +* Under Debian, you will also need to set `NoNewPrivileges=no` in `/lib/systemd/system/tor(a)default.service` and `/lib/systemd/system/tor@.service` and then run `systemctl daemon-reload`. [bug #18356](https://trac.torproject.org/projects/tor/ticket/18356) + +* Note that both Tor's OR port **and** its obfs4 port must be reachable. If your bridge is behind a firewall or NAT, make sure to open both ports. + +# 4. Restart tor + +`systemctl restart tor` + +# 5. Monitor your logs + +To confirm your bridge is running with no issues, you should see something like this (usually in `/var/log/tor/log` or `/var/log/syslog`): + + +``` +[notice] Your Tor server's identity key fingerprint is '<NICKNAME> <FINGERPRINT>' +[notice] Your Tor bridge's hashed identity key fingerprint is '<NICKNAME> <HASHED FINGERPRINT>' +[notice] Registered server transport 'obfs4' at '[::]:46396' +[notice] Tor has successfully opened a circuit. Looks like client functionality is working. +[notice] Bootstrapped 100%: Done +[notice] Now checking whether ORPort <redacted>:9001 is reachable... (this may take up to 20 minutes -- look for log messages indicating success) +[notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor. +``` + +Remember to open the random port associated with your bridge. You can find it in your tor log; in the above example it is 46396. To use a fixed port, uncomment the [ServerTransportListenAddr](https://www.torproject.org/docs/tor-manual.html.… option in your torrc. You can use [our reachability test](https://bridges.torproject.org/scan/) to see if your obfs4 port is reachable from the Internet. + + +--- +key: 1 +--- +html: two-columns-page.html +--- +subtitle: How to deploy an obfs4proxy Bridge on Debian / Ubuntu diff --git a/content/relay-operations/technical-setup/bridge-deployment-guide/freebsd/contents.lr b/content/relay-operations/technical-setup/bridge-deployment-guide/freebsd/contents.lr new file mode 100644 index 0000000..01adcd2 --- /dev/null +++ b/content/relay-operations/technical-setup/bridge-deployment-guide/freebsd/contents.lr @@ -0,0 +1,98 @@ +_model: page +--- +title: FreeBSD +--- +html: two-columns-page.html +--- +key: 3 +--- +body: + +# 1. Install packages + +``` +pkg install obfs4proxy-tor tor ca_root_nss +``` + +# 2. Edit your Tor config file, usually located at `/usr/local/etc/tor` and add the following lines + +``` +#Bridge config +RunAsDaemon 1 +ORPort auto +BridgeRelay 1 +ServerTransportPlugin obfs4 exec /usr/local/bin/obfs4proxy +# For a fixed obfs4 port (e.g. 34176), uncomment the following line. +#ServerTransportListenAddr obfs4 0.0.0.0:34176 +# Local communication port between Tor and obfs4. Always set this to "auto". "Ext" means +# "extended", not "external". Don't try to set a specific port number, nor listen on 0.0.0.0. +ExtORPort auto + +# Contact information that allows us to get in touch with you in case of +# critical updates or problems with your bridge. This is optional, so you +# don't have to provide an email address if you don't want to. +ContactInfo <address(a)email.com> +# Pick a nickname that you like for your bridge. +Nickname PickANickname + +Log notice file /var/log/tor/notices.log +``` + +Don't forget to change the ContactInfo and Nickname options. + +* Note that both Tor's OR port **and** its obfs4 port must be reachable. If your bridge is behind a firewall or NAT, make sure to open both ports. + +# 3. Ensure that the `random_id` sysctl setting is enabled: + +``` +echo "net.inet.ip.random_id=1" >> /etc/sysctl.conf +sysctl net.inet.ip.random_id=1 +``` + +# 4. Start the tor daemon and make sure it starts at boot: + +``` +sysrc tor_enable=YES +service tor start +``` + +# 5. Monitor your logs + +To confirm your bridge is running with no issues, you should see something like this in `/var/log/tor/notices.log`: + +``` +[notice] Your Tor server's identity key fingerprint is '<NICKNAME> <FINGERPRINT>' +[notice] Your Tor bridge's hashed identity key fingerprint is '<NICKNAME> <HASHED FINGERPRINT>' +[notice] Registered server transport 'obfs4' at '[::]:46396' +[notice] Tor has successfully opened a circuit. Looks like client functionality is working. +[notice] Bootstrapped 100%: Done +[notice] Now checking whether ORPort <redacted>:9001 is reachable... (this may take up to 20 minutes -- look for log messages indicating success) +[notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor. +``` + +Remember to open the random port associated with your bridge. You can find it in your tor log; in the above example it is 46396. To use a fixed port, uncomment the [ ServerTransportListenAddr](https://www.torproject.org/docs/tor-manual.html.… option in your torrc. You can use[our reachability test] (https://bridges.torproject.org/scan/) to see if your obfs4 port is reachable from the Internet. + +# 6. To get the fastest package updates, switch from the "quarterly" package repo to the "latest" repo. + +Create the following folder: + +``` +mkdir -p /usr/local/etc/pkg/repos +``` + +Create the file `/usr/local/etc/pkg/repos/FreeBSD.conf` with the following content: + +``` +FreeBSD: { enabled: no } + +FreeBSDlatest: { + url: "pkg+https://pkg.FreeBSD.org/${ABI}/latest", + mirror_type: "srv", + signature_type: "fingerprints", + fingerprints: "/usr/share/keys/pkg", + enabled: yes +} +``` + +--- +subtitle: How to deploy obfs4proxy Bridge on FreeBSD diff --git a/content/relay-operations/technical-setup/bridge-deployment-guide/openbsd/contents.lr b/content/relay-operations/technical-setup/bridge-deployment-guide/openbsd/contents.lr new file mode 100644 index 0000000..ae682d9 --- /dev/null +++ b/content/relay-operations/technical-setup/bridge-deployment-guide/openbsd/contents.lr @@ -0,0 +1,74 @@ +_model: page +--- +title: OpenBSD +--- +html: two-columns-page.html +--- +key: 4 +--- +body: + +# 1. Install packages +``` +pkg_add tor obfs4proxy +``` + +# 2. Edit your Tor config file + +Usually located at `/etc/tor/torrc`, add the following lines: + +``` +#Bridge config +RunAsDaemon 1 +ORPort auto +BridgeRelay 1 +ServerTransportPlugin obfs4 exec /usr/local/bin/obfs4proxy +# For a fixed obfs4 port (e.g. 34176), uncomment the following line. +#ServerTransportListenAddr obfs4 0.0.0.0:34176 +# Local communication port between Tor and obfs4. Always set this to "auto". "Ext" means +# "extended", not "external". Don't try to set a specific port number, nor listen on 0.0.0.0. +ExtORPort auto + +# Contact information that allows us to get in touch with you in case of +# critical updates or problems with your bridge. This is optional, so you +# don't have to provide an email address if you don't want to. +ContactInfo <address(a)email.com> +# Pick a nickname that you like for your bridge. +Nickname PickANickname + +Log notice file /var/log/tor/notices.log + +User _tor +``` + +Don't forget to change the ContactInfo and Nickname options. + +Note that both Tor's OR port and its obfs4 port must be reachable. If your bridge is behind a firewall or NAT, make sure to open both ports. + +# 3. Start the tor daemon and make sure it starts at boot: + +``` +rcctl enable tor +rcctl start tor +``` +# 4. Monitor your logs + +To confirm your bridge is running with no issues, you should see something like this (`/var/log/tor/notices.log`): + +``` +[notice] Your Tor server's identity key fingerprint is '<NICKNAME> <FINGERPRINT>' +[notice] Your Tor bridge's hashed identity key fingerprint is '<NICKNAME> <HASHED FINGERPRINT>' +[notice] Registered server transport 'obfs4' at '[::]:46396' +[notice] Tor has successfully opened a circuit. Looks like client functionality is working. +[notice] Bootstrapped 100%: Done +[notice] Now checking whether ORPort <redacted>:9001 is reachable... (this may take up to 20 minutes -- look for log messages indicating success) +[notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor. +``` + +Remember to open the random port associated with your bridge. You can find it in your tor log; in the above example it is 46396. To use a fixed port, uncomment the [ServerTransportListenAddr](https://www.torproject.org/docs/tor-manual.html.… option in your torrc. You can use [our reachability test](https://bridges.torproject.org/scan/) to see if your obfs4 port is reachable from the Internet. +--- +subtitle: How to deploy obfs4proxy Bridge on OpenBSD +--- +section: Bridge +--- +section_id: bridge diff --git a/content/relay-operations/technical-setup/bridge-deployment-guide/post-install/contents.lr b/content/relay-operations/technical-setup/bridge-deployment-guide/post-install/contents.lr new file mode 100644 index 0000000..e7f19cd --- /dev/null +++ b/content/relay-operations/technical-setup/bridge-deployment-guide/post-install/contents.lr @@ -0,0 +1,22 @@ +_model: page +--- +title: Post-install +--- +body: + +Congrats! If you get to this point, it means that your obfs4 bridge is running and is being distributed by BridgeDB to censored users. If you want to connect to your bridge manually, you will need to know the bridge's obfs4 certificate. See the file `/var/lib/tor/pt_state/obfs4_bridgeline.txt` and paste the entire bridge line into Tor Browser: + +``` +Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert=<CERTIFICATE> iat-mode=0 +``` + +You'll need to replace `<IP ADDRESS>`, `<PORT>`, and `<FINGERPRINT>` with the actual values, which you can find in the tor log. Make sure to use `<FINGERPRINT>`, not `<HASHED FINGERPRINT>`; and that `<PORT>` is the one from the log line `Registered server transport 'obfs4'`, not the one from the line `Now checking whether ORPort ... is reachable`. + +Finally, you can monitor your obfs4 bridge's usage on [Relay Search](https://metrics.torproject.org/rs.html#search). Just enter your bridge's `<HASHED FINGERPRINT>` in the form and click "Search". After having set up the bridge, it takes approximately three hours for the bridge to show up in Relay Search. + +--- +html: two-columns-page.html +--- +key: 5 +--- +subtitle: How to find your Bridge in Relay Search and connect manually diff --git a/content/relay-operations/technical-setup/centosrhel/contents.lr b/content/relay-operations/technical-setup/centosrhel/contents.lr new file mode 100644 index 0000000..28f5d71 --- /dev/null +++ b/content/relay-operations/technical-setup/centosrhel/contents.lr @@ -0,0 +1,19 @@ +_model: page +--- +title: CentOS +--- +html: two-columns-page.html +--- +section: relay operations +--- +section_id: relay-operations +--- +key: 3 +--- +body: + + +--- +subtitle: CentOS +--- +_slug: {{centos}} diff --git a/content/relay-operations/technical-setup/debianubuntu/contents.lr b/content/relay-operations/technical-setup/debianubuntu/contents.lr new file mode 100644 index 0000000..28f5d71 --- /dev/null +++ b/content/relay-operations/technical-setup/debianubuntu/contents.lr @@ -0,0 +1,19 @@ +_model: page +--- +title: CentOS +--- +html: two-columns-page.html +--- +section: relay operations +--- +section_id: relay-operations +--- +key: 3 +--- +body: + + +--- +subtitle: CentOS +--- +_slug: {{centos}} diff --git a/content/relay-operations/technical-setup/exit-relay/contents.lr b/content/relay-operations/technical-setup/exit-relay/contents.lr new file mode 100644 index 0000000..7c57eeb --- /dev/null +++ b/content/relay-operations/technical-setup/exit-relay/contents.lr @@ -0,0 +1,181 @@ +_model: page +--- +title: Exit +--- +html: two-columns-page.html +--- +section: relay operations +--- +section_id: relay-operations +--- +key: 3 +--- +body: + +We assume you read through the [relay guide](..) already. This subpage is for operators that want to turn on exiting on their relay. + +It is recommended that you setup exit relays on servers dedicated to this purpose. +It is not recommended to install Tor exit relays on servers that you need for other services as well. +Do not mix your own traffic with your exit relay traffic. + +## Reverse DNS and WHOIS record + +Before turning your non-exit relay into an exit relay, ensure that you have set a reverse DNS record (PTR) to make it more obvious that this is a tor exit relay. Something like "tor-exit" it its name is a good start. + +If your provider offers it, make sure your WHOIS record contains clear indications that this is a Tor exit relay. + +## Exit Notice HTML page + +To make it even more obvious that this is a Tor exit relay you should serve a Tor exit notice HTML page. +Tor can do that for you if your DirPort is on TCP port 80, you can make use of tor's DirPortFrontPage feature to display a HTML file on that port. +This file will be shown to anyone directing his browser to your Tor exit relay IP address. + +``` +DirPort 80 +DirPortFrontPage /path/to/html/file +``` + +We offer a sample Tor exit notice HTML file, but you might want to adjust it to your needs: +https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html + +Here are some more tips for running a reliable exit relay: +https://blog.torproject.org/tips-running-exit-node + +## Exit Policy + +Defining the [exit policy](https://www.torproject.org/docs/tor-manual.html.en#ExitPolicy) is one of the most important parts of an exit relay configuration. +The exit policy defines which destination ports you are willing to forward. +This has an impact on the amount of abuse emails you will get (less ports means less abuse emails, but an exit relay allowing only few ports is also less useful). +If you want to be a useful exit relay you must **at least allow destination ports 80 and 443**. + +As a new exit relay - especially if you are new to your hoster - it is good to start with a reduced exit policy (to reduce the amount of abuse emails) and further open it up as you become more experienced. +The reduced exit policy can be found on the [ReducedExitPolicy](https://trac.torproject.org/projects/tor/wiki/doc/Reduce… wiki page. + +To become an exit relay change ExitRelay from 0 to 1 in your torrc configuration file and restart the tor daemon. + +``` +ExitRelay 1 +``` + +## DNS on Exit Relays + +Unlike other types of relays, exit relays also do DNS resolution for Tor clients. +DNS resolution on exit relays is crucial for Tor clients, it should be reliable and fast by using caching. + +* DNS resolution can have a significant impact on the performance and reliability your exit relay provides. + Poor DNS performance will result in less traffic going through your exit relay. +* Don't use any of the big DNS resolvers as your primary or fallback DNS resolver to avoid centralization (Google, OpenDNS, Quad9, Cloudflare, 4.2.2.1-6) +* We recommend running a local caching and DNSSEC-validating resolver without using any forwarders (specific instructions follow bellow for each operating systems) +* if you want to add a second DNS resolver as a fallback to your /etc/resolv.conf configuration, try to choose a resolver within your autonomous system and make sure it is not your first entry in that file (the first entry should be your local resolver) +* if a local resolver like unbound is not an option for you try to use a resolver that your provider runs in the same autonomous system (to find out if an IP address is in the same AS as your relay, you can look it up, using for example https://bgp.he.net). +* try to avoid adding too many resolvers to your /etc/resolv.conf file to limit exposure on an AS-level (try to not use more than two entries) + +There are multiple options for DNS server software, unbound has become a popular one but **feel free to use any other you are comfortable with**. +When choosing your DNS resolver software try to ensure it supports DNSSEC validation and QNAME minimisation (RFC7816). +In every case the software should be installed using the OS package manager to ensure it is updated with the rest of the system. + +By using your own DNS resolver you are less vulnerable to DNS-based censorship that your upstream resolver might impose. + +Here follow specific instructions on how to install and configure unbound on your exit - a DNSSEC-validating and caching resolver. unbound has many configuration and tuning nobs but we try to keep these instructions as simple and short as possible and the basic setup will do just fine for most operators. + +After switching to unbound verify it works as expected by resolving a valid hostname, if it does not work, you can restore the old resolv.conf file. + +### Debian/Ubuntu + +The following 3 commands install unbound, backup your DNS configuration and tell the system to use the local unbound: + +``` +apt install unbound +cp /etc/resolv.conf /etc/resolv.conf.backup +echo nameserver 127.0.0.1 > /etc/resolv.conf +``` + +To avoid that the configuration gets changed (for example by the DHCP client): + +``` +chattr +i /etc/resolv.conf +``` + +The Debian configuration ships with QNAME minimisation (RFC7816) enabled by default so you don't need to enable it explicitly. +The unbound resolver you just installed does also DNSSEC validation. + +### CentOS/RHEL + +Install the unbound package: + +``` +yum install unbound +``` + +in /etc/unbound/unbound.conf replace the line + +``` +# qname-minimisation: no +``` + +with: + +``` +qname-minimisation: yes +``` + +enable and start unbound: + +``` +systemctl enable unbound +systemctl start unbound +``` + +Tell the system to use the local unbound server: + +``` +cp /etc/resolv.conf /etc/resolv.conf.backup +echo nameserver 127.0.0.1 > /etc/resolv.conf +``` + +To avoid that the configuration gets changed (for example by the DHCP client): + +``` +chattr +i /etc/resolv.conf +``` + +### FreeBSD + +FreeBSD ships unbound in the base system but the one in ports is usually following upstream more closely so we install the unbound package: + +``` +pkg install unbound +``` + +Replace the content in /usr/local/etc/unbound/unbound.conf with the following lines: + +``` +server: + verbosity: 1 + qname-minimisation: yes +``` + +enable and start the unbound service: + +``` +sysrc unbound_enable=YES +service unbound start +``` + +Tell the system to use the local unbound server: + +``` +cp /etc/resolv.conf /etc/resolv.conf.backup +echo nameserver 127.0.0.1 > /etc/resolv.conf +``` + +To avoid that the configuration gets changed (for example by the DHCP client): + +``` +chflags schg /etc/resolv.conf +``` + +--- +subtitle: How to deploy an Exit node +--- +_slug: {{exit}} diff --git a/content/relay-operations/technical-setup/fedora/contents.lr b/content/relay-operations/technical-setup/fedora/contents.lr new file mode 100644 index 0000000..9236220 --- /dev/null +++ b/content/relay-operations/technical-setup/fedora/contents.lr @@ -0,0 +1,19 @@ +_model: page +--- +title: Fedora +--- +html: two-columns-page.html +--- +section: relay operations +--- +section_id: relay-operations +--- +key: 3 +--- +body: + + +--- +subtitle: Fedora +--- +_slug: {{fedora}} diff --git a/content/relay-operations/technical-setup/freebsd/contents.lr b/content/relay-operations/technical-setup/freebsd/contents.lr new file mode 100644 index 0000000..28f5d71 --- /dev/null +++ b/content/relay-operations/technical-setup/freebsd/contents.lr @@ -0,0 +1,19 @@ +_model: page +--- +title: CentOS +--- +html: two-columns-page.html +--- +section: relay operations +--- +section_id: relay-operations +--- +key: 3 +--- +body: + + +--- +subtitle: CentOS +--- +_slug: {{centos}} diff --git a/content/relay-operations/technical-setup/middleguard-relay/centosrhel/contents.lr b/content/relay-operations/technical-setup/middleguard-relay/centosrhel/contents.lr new file mode 100644 index 0000000..27b6031 --- /dev/null +++ b/content/relay-operations/technical-setup/middleguard-relay/centosrhel/contents.lr @@ -0,0 +1,56 @@ +_model: page +--- +title: CentOS/RHEL +--- +body: + +# 1. Enable the EPEL repository + +To install `tor` package on CentOS/RHEL, you need to install the [EPEL](https://fedoraproject.org/wiki/EPEL) repository first: + +`yum install epel-release` + +# 2. Install the tor package and verify the EPEL signing key + +`yum install tor` + +When you install the first package from the EPEL repository you will be asked about verifying the EPEL GPG signing key. Please ensure the key matches with the one available on the [Fedora Project website](https://getfedora.org/keys/). + +# 3. Put the tor configuration file `/etc/tor/torrc` in place + +``` +#change the nickname "myNiceRelay" to a name that you like +Nickname myNiceRelay +ORPort 9001 +SocksPort 0 +ExitRelay 0 +# Change the email address bellow and be aware that it will be published +ContactInfo tor-operator@your-emailaddress-domain +``` + +# 4. Enable and start your Tor relay + +CentOS 7 / RHEL 7: + +``` +systemctl enable tor +systemctl start tor +``` + +CentOS 6 / RHEL 6: + +``` +service tor enable +service tor start +``` + +--- +html: two-columns-page.html +--- +key: 5 +--- +section: relay operations +--- +section_id: relay-operations +--- +subtitle: How to deploy a middle/Guard node on CentOS/RHEL diff --git a/content/relay-operations/technical-setup/middleguard-relay/contents.lr b/content/relay-operations/technical-setup/middleguard-relay/contents.lr new file mode 100644 index 0000000..7cfa3dd --- /dev/null +++ b/content/relay-operations/technical-setup/middleguard-relay/contents.lr @@ -0,0 +1,15 @@ +_model: page +--- +title: Middle/Guard relay +--- +body: In this guide we describe how to setup a new Middle/Guard relay. Please choose your platform below. +--- +html: two-columns-page.html +--- +key: 1 +--- +section: relay operations +--- +section_id: relay-operations +--- +subtitle: Run a Middle/Guard relay diff --git a/content/relay-operations/technical-setup/middleguard-relay/debianubuntu/contents.lr b/content/relay-operations/technical-setup/middleguard-relay/debianubuntu/contents.lr new file mode 100644 index 0000000..f7992dd --- /dev/null +++ b/content/relay-operations/technical-setup/middleguard-relay/debianubuntu/contents.lr @@ -0,0 +1,46 @@ +_model: page +--- +title: Debian/Ubuntu +--- +body: + +# 1. Configure Tor Package Repository + +Enable the Torproject package repository by following the instructions **[here](https://2019.www.torproject.org/docs/debian.html.en#ubuntu)**. + +# 2. Package Installation + +Install the `tor` package: + +`apt update && apt install tor` + +# 3. Configuration File + +Put the configuration file `/etc/tor/torrc` in place: + +``` +#change the nickname "myNiceRelay" to a name that you like +Nickname myNiceRelay +ORPort 443 +ExitRelay 0 +SocksPort 0 +ControlSocket 0 +# Change the email address bellow and be aware that it will be published +ContactInfo tor-operator@your-emailaddress-domain +``` + +# 4. Restart the Service + +Restart the tor daemon so your configuration changes take effect: + +`systemctl restart tor@default` +--- +html: two-columns-page.html +--- +key: 1 +--- +section: relay operations +--- +section_id: relay-operations +--- +subtitle: How to deploy a middle/Guard node on Debian/Ubuntu diff --git a/content/relay-operations/technical-setup/middleguard-relay/fedora/contents.lr b/content/relay-operations/technical-setup/middleguard-relay/fedora/contents.lr new file mode 100644 index 0000000..cc984cc --- /dev/null +++ b/content/relay-operations/technical-setup/middleguard-relay/fedora/contents.lr @@ -0,0 +1,37 @@ +_model: page +--- +title: Fedora +--- +body: + +# 1. Install the tor package: + +`dnf install tor` + +# 2. Put the tor configuration file `/etc/tor/torrc` in place: + +``` +#change the nickname "myNiceRelay" to a name that you like +Nickname myNiceRelay +ORPort 9001 +ExitRelay 0 +# Change the email address bellow and be aware that it will be published +ContactInfo tor-operator@your-emailaddress-domain +``` + +# 3. Start the tor daemon and make sure it starts at boot: + +``` +systemctl enable tor +systemctl start tor +``` +--- +html: two-columns-page.html +--- +key: 3 +--- +section: relay operations +--- +section_id: relay-operations +--- +subtitle: How to deploy a middle/Guard node on Fedora diff --git a/content/relay-operations/technical-setup/middleguard-relay/freebsd/contents.lr b/content/relay-operations/technical-setup/middleguard-relay/freebsd/contents.lr new file mode 100644 index 0000000..a47dfc8 --- /dev/null +++ b/content/relay-operations/technical-setup/middleguard-relay/freebsd/contents.lr @@ -0,0 +1,73 @@ +_model: page +--- +title: FreeBSD +--- +body: + +## 1. Install the tor package + +`pkg install tor ca_root_nss` + +or for alpha releases: + +`pkg install tor-devel ca_root_nss` + +## 2. Put the configuration file `/usr/local/etc/tor/torrc` in place + +``` +#change the nickname "myNiceRelay" to a name that you like +Nickname myNiceRelay +ORPort 9001 +ExitRelay 0 +SocksPort 0 +# Change the email address bellow and be aware that it will be published +ContactInfo tor-operator@your-emailaddress-domain +Log notice syslog +``` + +## 3. Ensure that the `random_id` sysctl setting is enabled: + +``` +echo "net.inet.ip.random_id=1" >> /etc/sysctl.conf +sysctl net.inet.ip.random_id=1 +``` + +## 4. Start the tor daemon and make sure it starts at boot: + +``` +sysrc tor_enable=YES +service tor start +``` + +### Optional but recommended + +To get package updates faster after they have been build it is best to switch from the "quarterly" with "latest" repository. + +Create the following folder: + +`mkdir -p /usr/local/etc/pkg/repos` + +and create the file `/usr/local/etc/pkg/repos/FreeBSD.conf` with the following content: + +``` +FreeBSD: { enabled: no } + +FreeBSDlatest: { + url: "pkg+https://pkg.FreeBSD.org/${ABI}/latest", + mirror_type: "srv", + signature_type: "fingerprints", + fingerprints: "/usr/share/keys/pkg", + enabled: yes +} +``` + +--- +html: two-columns-page.html +--- +key: 2 +--- +section: relay operations +--- +section_id: relay-operations +--- +subtitle: How to deploy a middle/Guard node on FreeBSD diff --git a/content/relay-operations/technical-setup/relays-post-install-and-good-practices/contents.lr b/content/relay-operations/technical-setup/relays-post-install-and-good-practices/contents.lr new file mode 100644 index 0000000..af321d6 --- /dev/null +++ b/content/relay-operations/technical-setup/relays-post-install-and-good-practices/contents.lr @@ -0,0 +1,179 @@ +_model: page +--- +title: Relay Post-install and good practices +--- +body: + +#1. Make sure relay ports can be reached + +If you are using a firewall, open a hole in your firewall so incoming connections can reach the ports you will use for your relay (ORPort, plus DirPort if you enabled it). + +Also, make sure you allow all outgoing connections too, so your relay can reach the other Tor relays, clients and destinations. + +You can find the specific ORPort TCP port number in the torrc configuration samples bellow (in the OS specific sections). + +# 2. Verify that your relay works + +If your logfile (syslog) contains the following entry after starting your tor daemon your relay should be up and running as expected: + +``` +Self-testing indicates your ORPort is reachable from the outside. Excellent. +Publishing server descriptor. +``` + +About 3 hours after you started your relay it should appear on [Relay Search](https://metrics.torproject.org/rs.html). +You can search for your relay using your nickname or IP address. + +# 3. Read about Tor relay lifecycle + +It takes some time for relay traffic to ramp up, this is especially true for guard relays but to a lesser extend also for exit relays. To understand this process, read about the [lifecycle of a new relay](https://blog.torproject.org/lifecycle-new-relay). + +# 4. Configuration Management + +If you plan to run more than a single relay, or you want to run a high capacity relay (multiple Tor instances per server) or want to use strong security features like [Offline Master Keys](https://trac.torproject.org/projects/tor/wiki/doc/TorRelaySecurity/Of… without performing additional steps manually, you may want to use a configuration management for better maintainability. + +There are multiple configuration management solutions for Unix based operating systems (Ansible, Puppet, Salt, ...). + +The following Ansible Role has specifically been build for Tor relay operators and supports multiple operating systems: [Ansible Relayor](http://github.com/nusenu/ansible-relayor). + +# 5. Important: if you run more than one Tor instance + +To avoid putting Tor clients at risk when operating multiple relays you must set a proper [MyFamily](https://2019.www.torproject.org/docs/tor-manual.html.en#MyFamily) value and have a valid [ContactInfo](https://2019.www.torproject.org/docs/tor-manual.html.en#Contac… in your torrc configuration. +The MyFamily setting is simply telling Tor clients what Tor relays are controlled by a single entity/operator/organization, so they are not used in multiple positions in a single circuit. + +If you run two relays and they have fingerprints AAAAAAAAAA and BBBBBBBB, you would add the following configuration to set MyFamily: + +``` +MyFamily AAAAAAAAAA,BBBBBBBB +``` + +to both relays. To find your relays fingerprint you can look into the log files when tor starts up or find the file named "fingerprint" in your tor DataDirectory. + +Instead of doing so manually for big operators we recommend to automate the MyFamily setting via a configuration management solution. +Manually managing MyFamily for big relay groups is error prone and can put Tor clients at risk. + +# 6. Optional: Limiting bandwidth usage (and traffic) + +Tor will not limit its bandwidth usage by default, but supports multiple ways to restrict the used bandwidth and the amount of traffic. +This can be handy if you want to ensure that your Tor relay does not exceed a certain amount of bandwidth or total traffic per day/week/month. +The following torrc configuration options can be used to restrict bandwidth and traffic: + +* AccountingMax +* AccountingRule +* AccountingStart +* BandwidthRate +* BandwidthBurst +* RelayBandwidthRate + +Having a fast relay for some time of the month is preferred over a slow relay for the entire month. + +Also see the bandwidth entry in the [FAQ](https://www.torproject.org/docs/faq.html.en#BandwidthShaping). + +# 7. Check IPv6 availability + +We encourage everyone to enable IPv6 on their relays. This is especially valuable on exit and guard relays. + +Before enabling your tor daemon to use IPv6 in addition to IPv4 you should do some basic IPv6 connectivity tests. + +The following command line will ping the IPv6 addresses of Tor directory authorities from your server: + +``` +ping6 -c2 2001:858:2:2:aabb:0:563b:1526 && ping6 -c2 2620:13:4000:6000::1000:118 && ping6 -c2 2001:67c:289c::9 && ping6 -c2 2001:678:558:1000::244 && ping6 -c2 2607:8500:154::3 && ping6 -c2 2001:638:a000:4140::ffff:189 && echo OK. +``` + +At the end of the output you should see "OK." if that is not the case do not enable IPv6 in your torrc configuration file before IPv6 is indeed working. +If you enable IPv6 without working IPv6 connectivity your entire relay will not be used, regardless if IPv4 is working. + +If it worked fine, make your Tor relay reachable via IPv6 by adding an additional ORPort line to your configuration (example for ORPort 9001): + +``` +ORPort [IPv6-address]:9001 +``` + +The location of that line in the configuration file does not matter you can simply add it next to the first ORPort lins in your torrc file. + +Note: You have to explicitly specify your IPv6 address in square brackets, you can not tell tor to bind to any IPv6 (like you do for IPv4). +If you have a global IPv6 address you should be able to find it in the output of the following command: + +``` +ip addr|grep inet6|grep global +``` + +If you are an exit relay with IPv6 connectivity, tell your tor daemon to allow exiting via IPv6 so clients can reach IPv6 destinations: + +``` +IPv6Exit 1 +``` + +Note: Tor requires IPv4 connectivity, you can not run a Tor relay on IPv6-only. + +# 8. Maintaining a relay + +## Backup Tor Identity Keys + +After your initial installation and start of the tor daemon it is a good idea to make a backup of your relay's long term identity keys. +They are located in the "keys" subfolder of your DataDirectory (simply make a copy of the entire folder and store it in a secure location). +Since relays have a ramp-up time it makes sense to backup the identity key to be able to restore your relay's reputation after a disk failure - otherwise you would have to go through the ramp-up phase again. + +Default locations of the keys folder: + +* Debian/Ubuntu: `/var/lib/tor/keys` +* FreeBSD: `/var/db/tor/keys` + +## Subscribe to the tor-announce mailing list + +This is a very low traffic mailing list and you will get information about new stable tor releases and important security update information: [tor-announce](https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-ann…. + +## Setting up outage notifications + +Once you setup your relay it will likely run without much work from your side. +If something goes wrong it is good to get notified automatically. +We recommend you use one of the free services that allow you to check your relay's ORPorts for reachability and send you an email should they become unreachable for what ever reason. + +[UptimeRobot](https://uptimerobot.com/) is one of these services that allow you to monitor TCP listeners on arbitrary ports. +This service can check your configured ports once every 5 minutes and send you an email should your tor process die or become unreachable. +This checks only for the listener but does not speak the Tor protocol. + +A good way to monitor a relay for its health state is to have a look at its bandwidth graphs. + +## System Health Monitoring + +To ensure your relay is healthy and not overwhelmed it makes sense to have some basic system monitoring in place to keep an eye on the following metrics: + +* Bandwidth +* Established TCP Connections +* Memory +* Swap +* CPU + +There are many tools for monitoring this kind of data, [munin](http://munin-monitoring.org/) is one of them and is relatively easy to setup. + +Note: **Do not make your private monitoring data graphs public since this could help attackers with deanonymizing Tor users.** + +Some practical advice: + +* If you want to publish traffic statistics, you should aggregate all your relays' traffic over at least a week, then round that to the nearest 10 TiB (terabytes). +* Reporting individual relays is worse than reporting totals for groups of relays. In future, tor will securely aggregate bandwidth statistics, so any individual relay bandwidth reporting will be less secure than tor's statistics. +* Smaller periods are worse. +* Numbers are worse than graphs. +* Real-time data is worse than historical data. +* Data in categories (IP version, in/out, etc.) is worse than total data. + +## Tools + + This section lists a few tools that you might find handy as a Tor relay operator. + +* [Nyx](https://nyx.torproject.org/): is a Tor Project tool (formerly arm) that allows you to see real time data of your relay. + +* vnstat: vnstat is a command-line tool that shows the amount of data going through your network connection. +You can also use it to generate PNG pictures showing traffic graphs. [vnstat documentation](https://humdi.net/vnstat/) and [demo output](https://humdi.net/vnstat/cgidemo/). +--- +html: two-columns-page.html +--- +key: 4 +--- +section: Relay operations +--- +section_id: relay-operations +--- +subtitle: diff --git a/content/user-testing/current/contents.lr b/content/user-testing/current/contents.lr new file mode 100644 index 0000000..1d10937 --- /dev/null +++ b/content/user-testing/current/contents.lr @@ -0,0 +1,19 @@ +section: user testing +--- +section_id: user-testing +--- +color: primary +--- +image: clipboard +--- +_template: layout.html +--- +title: Currently Testing Stuffs +--- +subtitle: Link to somewhere we csan update more than this webpage, even banners will be tedious if we do testing all the time. We can even oput some thing puilled from there and have it populated here. +--- +key: 1 +--- +html: user-testing.html +--- +body: diff --git a/content/user-testing/signup/contents.lr b/content/user-testing/signup/contents.lr new file mode 100644 index 0000000..e238096 --- /dev/null +++ b/content/user-testing/signup/contents.lr @@ -0,0 +1,19 @@ +section: user testing +--- +section_id: user-testing +--- +color: primary +--- +image: eye +--- +_template: layout.html +--- +title: Sign up to be in our testing pool +--- +subtitle: Will you help us by becoming a Tor tester? Sign up for the user testing mailing list and we'll email you when there's a new test. We will never use your email for any other purposes. +--- +key: 2 +--- +html: user-testing.html +--- +body: diff --git a/lego b/lego index 4436f9b..9c33e2b 160000 --- a/lego +++ b/lego @@ -1 +1 @@ -Subproject commit 4436f9bd93387785ad92f49bfeecda2d3d57df15 +Subproject commit 9c33e2b8740728dc9de4c64915460b76fc7c4061

1 0

[community/staging] Add a paragraph explaining about bad relays
by hiro＠torproject.org 21 Mar '21

21 Mar '21

commit c9c3d20694b7187cbb23a36c47cb0dad99da1e08 Author: gus <gus(a)torproject.org> Date: Wed Aug 14 15:08:27 2019 -0400 Add a paragraph explaining about bad relays --- .../community-resources/contents.lr | 29 +++++++++++++++++----- 1 file changed, 23 insertions(+), 6 deletions(-) diff --git a/content/relay-operations/community-resources/contents.lr b/content/relay-operations/community-resources/contents.lr index bfdcfcb..549b434 100644 --- a/content/relay-operations/community-resources/contents.lr +++ b/content/relay-operations/community-resources/contents.lr @@ -16,13 +16,14 @@ html: two-columns-page.html --- body: +# Legal resources + Exit relay operators should understand the potential risks associated with running an exit relay. For the majority of operators in most countries, bridges and guard/middle relays are very low risk. Exits are the ones that present some legal concerns, but operators under most circumstances will be able to handle legal matters by having an abuse response letter, running the exit from a location that isn't their home, and reading through some of the legal resources that Tor-supportive lawyers have put together. -# Legal resources +The [EFF Tor Legal FAQ](/eff-tor-legal-faq) answers many common questions about relay operation and the law. We also like [Noisebridge's wiki](https://www.noisebridge.net/wiki/Noisebridge_Tor/FBI) for additional legal resources. -The [EFF Tor Legal FAQ](https://www.torproject.org/eff/tor-legal-faq.html.en) answers many common questions about relay operation and the law. We also like [Noisebridge's wiki](https://www.noisebridge.net/wiki/Noisebridge_Tor/FBI) for additional legal resources. In general it's a good idea to consult with a lawyer before deciding to operate an exit relay, especially if you live in a place where exit relay operators have been harassed, or if you're the only exit relay operator in your region. Get in touch with your local digital rights organization to see if they have recommendations about legal assistance, and if you're not sure what organizations are working in your region, [write to EFF](https://www.eff.org/about/contact) and see if they can help connect you. @@ -33,7 +34,7 @@ Also see the [Tor Exit Guidelines](tor-exit-guidelines). Operators can put together their own abuse complaint template responses from one of many templates that Tor has created: [Tor Abuse Templates](tor-abuse-templates). It is important to respond to abuse complaints in a timely manner (usually within 24 hours). If the hoster gets annoyed by the amount of abuse you can reduce the amount of ports allowed in your exit policy. -Please document your experience with new hosters on the following wiki page: [GoodBadISPs](good-bad-isps) +Please document your experience with new hosters on the following page: [GoodBadISPs](good-bad-isps) Other docs we like: @@ -47,33 +48,47 @@ Running relays is more fun with other people! You can work with your university ## Torservers.net Torservers is an independent, global network of organizations that help the Tor network by running high bandwidth Tor relays. + Becoming a Torservers partner is a good way to become more involved in the Tor relay community, and can help you connect with dedicated relay operators around the world for solidarity and support. + To start a Torservers partner, the most important thing is to have a group of people (3-5 suggested to start) interested in helping with the various activities required for running relays. + There should be mutual trust between the people in the group, and members should commit to running relays for the long term. + If you do not know anyone in your social network interested in running relays, one place to meet people is [your local hackerspace](https://wiki.hackerspaces.org/Hackerspaces). Once you have a trusted group of people, depending on your region, it is often advised to create some type of non-profit corporation. + This is useful for having a bank account, shared ownership, grant applications, etc. In many countries operating as a corporation instead of as an individual can also get you certain legal protections. The next steps are figuring out hardware, transit, and server hosting. Depending on your location and connections within the technical community of the area, the last one may be the hardest step. + Small local ISPs often have extra bandwidth, and may be interested in supporting your group with some bandwidth or rackspace. + It is extremely important to maintain good relationships with these ISPs. ## At your university Many computer science departments, university libraries, and individual students and faculty run relays from university networks. + These universities include the Massachusetts Institute of Technology (MIT CSAIL), Boston University, the University of Waterloo, the University of Washington, Northeastern University, Karlstad University, Universitaet Stuttgart, and Friedrich-Alexander University Erlangen-Nuremberg. + To learn more about how to get support for a relay on your university's network, check out EFF's resources: [Tor on campus](https://www.eff.org/torchallenge/tor-on-campus.html). ## At your company or organization If you work at a Tor-friendly company or organization, that's another ideal place to run a relay. -Some companies running relays include Brass Horn Communications, Quintex Alliance Consulting, and OmuraVPN. +Some companies running relays include [Brass Horn Communications](https://brasshorncommunications.uk/), [Quintex Alliance Consulting](https://www.quintex.com/), [Private Internet Access](https://www.privateinternetaccess.com/), [Boing Boing](https://boingboing.net/) and OmuraVPN. + Some organizations running Tor relays include Digital Courage, [Access Now](https://www.accessnow.org/), [Derechos Digitales](https://tor.derechosdigitales.org), [Enjambre Digital](https://tor.enjambre.net/) and Lebanon Libraries in New Hampshire. -# More resources +# Bad relays + +A bad relay is one that either doesn't work properly or tampers with our users' connections. This can be either through maliciousness or misconfiguration. Many bad relays are caught thanks to our wider community, so many thanks for all your help and vigilance! Learn how you can report [bad relays](bad-relays). + +# Other resources Congratulations, you're officially a Tor relay operator! What now? @@ -81,4 +96,6 @@ Congratulations, you're officially a Tor relay operator! What now? * There is also more info about running a relay at the [Tor FAQ](https://2019.www.torproject.org/docs/faq.html.en#HowDoIDecide). -* And, most importantly, make sure to email tshirt(a)torproject.org and [claim your swag](swags). It's our way of saying thanks for defending privacy and free speech online. +* And, most importantly, make sure to email tshirt(a)torproject.org and [claim your swag](swag). It's our way of saying thanks for defending privacy and free speech online. + +

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

tor-commits March 2021