Hi folks,
Bridges serve as "unknown" entry points to the TOR network. For this, part of the TOR network nodes are reserved and unlisted. This is not good for the performance of the network, and because the network is relatively small I think the unlisted-nodes strategy will only be a short term solution.
At the moment I'm working on my own FreedomBox. From this work I got the following idea: Why not use the DNAT function of a router to forward TOR traffic to a TOR node? This way you don't need unlisted nodes anymore. A router-bridge does not have to be a full TOR node....
Unfortunately the standard DNAT functionality of most routers only supports DNAT from the internet to internal addresses. So you need modified firmware to make this work. Maybe a (slightly modified?) version of OpenWRT will work.
Router-bridges have a second advantage over real TOR nodes. They can be easily moved. If a router-bridge gets blocked, you can simply give the router-bridge to a friend.
To give you an example of internet-internet DNAT I have configured one of my systems to forward traffic to the TOR website. The URL is:
https://wordpress.hoevenstein.nl/
(If you try the URL you get a message about an invalid certificate of course)
Let me know what you think about this idea... Rob van der Hoeven. http://freedomboxblog.nl
On Thu, Jul 14, 2011 at 1:03 PM, Rob van der Hoeven robvanderhoeven@ziggo.nl wrote:
> Hi folks,
Hi,
> Bridges serve as "unknown" entry points to the TOR network. For this, part of the TOR network nodes are reserved and unlisted. This is not good for the performance of the network, and because the network is relatively small I think the unlisted-nodes strategy will only be a short term solution.
Roger wrote a good blog post about strategies for getting more bridge addresses: https://blog.torproject.org/blog/strategies-getting-more-bridge-addresses (you may have seen this already, it was written three months ago).
> At the moment I'm working on my own FreedomBox. From this work I got the following idea: Why not use the DNAT function of a router to forward TOR traffic to a TOR node? This way you don't need unlisted nodes anymore. A router-bridge does not have to be a full TOR node....
> Unfortunately the standard DNAT functionality of most routers only supports DNAT from the internet to internal addresses. So you need modified firmware to make this work. Maybe a (slightly modified?) version of OpenWRT will work.
Have you heard about the Torouter project? We are currently working on two versions; the DreamPlug for technical users who don't mind doing some hacking on their own, and the Excito B3 for non-tech users. We have documented the project here: https://trac.torproject.org/projects/tor/wiki/doc/Torouter - Maybe this is something you'd like to help with?
> Router-bridges have a second advantage over real TOR nodes. They can be easily moved. If a router-bridge gets blocked, you can simply give the router-bridge to a friend.
You could also just change the IP address of the Tor relay (probably easier to do if it's a VPS than if you have it at home).
On Thu, 2011-07-14 at 13:22 +0100, Runa A. Sandvik wrote:
> On Thu, Jul 14, 2011 at 1:03 PM, Rob van der Hoeven robvanderhoeven@ziggo.nl wrote:
> > Hi folks,
> Hi,
> > Bridges serve as "unknown" entry points to the TOR network. For this, part of the TOR network nodes are reserved and unlisted. This is not good for the performance of the network, and because the network is relatively small I think the unlisted-nodes strategy will only be a short term solution.
> Roger wrote a good blog post about strategies for getting more bridge addresses: https://blog.torproject.org/blog/strategies-getting-more-bridge-addresses (you may have seen this already, it was written three months ago).
As a FreedomBox builder I'm very interested in TOR. I am not very up-to-date however, so I have not read this article.
> > At the moment I'm working on my own FreedomBox. From this work I got the following idea: Why not use the DNAT function of a router to forward TOR traffic to a TOR node? This way you don't need unlisted nodes anymore. A router-bridge does not have to be a full TOR node....
> > Unfortunately the standard DNAT functionality of most routers only supports DNAT from the internet to internal addresses. So you need modified firmware to make this work. Maybe a (slightly modified?) version of OpenWRT will work.
> Have you heard about the Torouter project? We are currently working on two versions; the DreamPlug for technical users who don't mind doing some hacking on their own, and the Excito B3 for non-tech users. We have documented the project here: https://trac.torproject.org/projects/tor/wiki/doc/Torouter - Maybe this is something you'd like to help with?
The beauty of the DNAT solution is that the router does not have to run TOR at all. Much more lightweight. To give you an example: configuring my firewall to do internet-internet DNAT only involved 3 lines in the configuration files (see Shorewall FAQ 1g).
Rob.
On Thu, Jul 14, 2011 at 02:03:34PM +0200, Rob van der Hoeven wrote:
> Hi folks,
> Bridges serve as "unknown" entry points to the TOR network. For this, part of the TOR network nodes are reserved and unlisted. This is not good for the performance of the network, and because the network is relatively small I think the unlisted-nodes strategy will only be a short term solution.
> At the moment I'm working on my own FreedomBox. From this work I got the following idea: Why not use the DNAT function of a router to forward TOR traffic to a TOR node? This way you don't need unlisted nodes anymore. A router-bridge does not have to be a full TOR node....
> Unfortunately the standard DNAT functionality of most routers only supports DNAT from the internet to internal addresses. So you need modified firmware to make this work. Maybe a (slightly modified?) version of OpenWRT will work.
> Router-bridges have a second advantage over real TOR nodes. They can be easily moved. If a router-bridge gets blocked, you can simply give the router-bridge to a friend.
> To give you an example of internet-internet DNAT I have configured one of my systems to forward traffic to the TOR website. The URL is:
> https://wordpress.hoevenstein.nl/
> (If you try the URL you get a message about an invalid certificate of course)
> Let me know what you think about this idea... Rob van der Hoeven. http://freedomboxblog.nl
What's happening to the reply packets? Do you also SNAT so that the replies come back to you, or is it doing triangle routing?
- Ian
> > To give you an example of internet-internet DNAT I have configured one of my systems to forward traffic to the TOR website. The URL is:
> > https://wordpress.hoevenstein.nl/
> > (If you try the URL you get a message about an invalid certificate of course)
> > Let me know what you think about this idea... Rob van der Hoeven. http://freedomboxblog.nl
> What's happening to the reply packets? Do you also SNAT so that the replies come back to you, or is it doing triangle routing?
Good question. I'm no firewall expert, so I am not sure how this works in my simple example. Maybe someone wants to comment? I'm using Shorewall and used the setup from FAQ 1g.
Rob.
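Ian's question about the reply packets is the crux of the router-bridge idea, so here is the packet flow worked through as an added example. This is not code from the thread and not Rob's Shorewall configuration: it is a small Python model of a stateful NAT router doing the DNAT on the inbound leg, optionally SNAT on the outbound leg, and the reverse mapping for replies (the job conntrack does on Linux). The addresses are RFC 5737 documentation ranges and the ports are assumptions.

```python
"""Model of a 'router-bridge' that DNATs incoming Tor traffic to a relay
elsewhere on the internet, with and without SNAT on the way out.

Constructed example, not code from the thread. All addresses and ports
are assumed values (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


CLIENT = ("203.0.113.10", 51000)    # censored user (assumed)
ROUTER_PUB = "198.51.100.1"         # router-bridge's public address (assumed)
RELAY_PUB = "192.0.2.44"            # the real Tor relay (assumed)
BRIDGE_PORT = 443                   # port the router exposes (assumed)
RELAY_ORPORT = 9001                 # relay's ORPort (assumed)


class NatRouter:
    """Stateful NAT: DNAT inbound, optional SNAT outbound, and the reverse
    mapping for replies, keyed the way a conntrack entry would be."""

    def __init__(self, snat: bool):
        self.snat = snat
        # key: the 4-tuple a reply from the relay will carry
        # value: the client's original (ip, port)
        self.conntrack = {}

    def forward(self, pkt: Packet):
        """Internet -> router: rewrite dst to the relay (DNAT) and, if SNAT
        is enabled, src to the router's own public address."""
        if (pkt.dst, pkt.dport) != (ROUTER_PUB, BRIDGE_PORT):
            return None                     # not the bridge port: leave alone
        src_ip = ROUTER_PUB if self.snat else pkt.src
        out = Packet(src_ip, pkt.sport, RELAY_PUB, RELAY_ORPORT)
        # Remember how to undo both rewrites when the reply comes back.
        self.conntrack[(out.dst, out.dport, out.src, out.sport)] = (pkt.src, pkt.sport)
        return out

    def reverse(self, pkt: Packet):
        """Relay -> router: undo the NAT so the reply appears to come from the
        router's bridge port and is delivered to the original client."""
        orig = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None                     # no matching state: drop
        return Packet(ROUTER_PUB, BRIDGE_PORT, orig[0], orig[1])


def relay_reply(pkt: Packet) -> Packet:
    """The relay answers the addresses it actually saw (swap src and dst)."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)


def run_handshake(snat: bool) -> dict:
    """Send the client's first packet through the router and trace the reply.
    Reports what the relay saw as the source, the path the reply took, and
    whether the client's TCP stack would match it to its own connection."""
    router = NatRouter(snat)
    syn = Packet(CLIENT[0], CLIENT[1], ROUTER_PUB, BRIDGE_PORT)
    to_relay = router.forward(syn)
    reply = relay_reply(to_relay)
    path = []
    if reply.dst == ROUTER_PUB:
        # Reply is addressed to the router, so it passes back through it.
        path.append("relay->router")
        reply = router.reverse(reply)
        path.append("router->client")
    else:
        # Reply goes straight to the client: the 'triangle' Ian asks about.
        path.append("relay->client (triangle)")
    # The client only matches a reply whose addresses mirror what it sent.
    client_accepts = (reply.src, reply.sport, reply.dst, reply.dport) == (
        ROUTER_PUB, BRIDGE_PORT, CLIENT[0], CLIENT[1])
    return {
        "relay_sees_src": (to_relay.src, to_relay.sport),
        "reply_path": path,
        "client_accepts": client_accepts,
    }


if __name__ == "__main__":
    for snat in (False, True):
        print("SNAT" if snat else "DNAT only", run_handshake(snat))
```

With DNAT alone the relay sees the client's real address and sends its reply straight back to the client with its own address as source; nothing on that return path undoes the DNAT, so the client's TCP stack has no connection matching the relay's address and the handshake fails. Adding SNAT (on iptables, a `-t nat` PREROUTING rule with `-j DNAT --to-destination` plus a POSTROUTING rule with `-j SNAT --to-source` or `-j MASQUERADE`, and ip_forward enabled; these rules are an assumption, not the Shorewall FAQ 1g setup Rob used) makes the relay answer the router, which restores the original addresses, at the cost that the relay sees every bridged client as the router's address and all traffic crosses the router in both directions. Two caveats a practitioner would want: the NAT rewrites only IP and TCP headers, so the Tor handshake inside passes to the relay unchanged, and the conntrack table is per-connection state the router must hold for as long as the circuit lives.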
Rob van der Hoeven robvanderhoeven@ziggo.nl writes:
> Hi folks,
> Bridges serve as "unknown" entry points to the TOR network. For this, part of the TOR network nodes are reserved and unlisted. This is not good for the performance of the network, and because the network is relatively small I think the unlisted-nodes strategy will only be a short term solution.
> At the moment I'm working on my own FreedomBox. From this work I got the following idea: Why not use the DNAT function of a router to forward TOR traffic to a TOR node? This way you don't need unlisted nodes anymore. A router-bridge does not have to be a full TOR node....
> Unfortunately the standard DNAT functionality of most routers only supports DNAT from the internet to internal addresses. So you need modified firmware to make this work. Maybe a (slightly modified?) version of OpenWRT will work.
> Router-bridges have a second advantage over real TOR nodes. They can be easily moved. If a router-bridge gets blocked, you can simply give the router-bridge to a friend.
> To give you an example of internet-internet DNAT I have configured one of my systems to forward traffic to the TOR website. The URL is:
> https://wordpress.hoevenstein.nl/
> (If you try the URL you get a message about an invalid certificate of course)
> Let me know what you think about this idea... Rob van der Hoeven. http://freedomboxblog.nl
> tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Just mentioning that your idea is, more or less, the matter under discussion in Tor trac ticket #2764.