Hi all,
I've got an issue that I'm seeking help with. I'm with a small group out of RIT that's trying to construct a private Tor network for research purposes, but we've hit a bit of a snag.
I've worked with both Liu Fengyun's (http://liufengyun.chaos-lab.com/prog/2015/01/09/private-tor-network.html) and Ritter's write-up (https://ritter.vg/blog-run_your_own_tor_network.html), but when trying to set up authority directories the whole thing really falls apart.
Trying to edit the torrc file gives errors where it doesn't attempt to bind to the correct ports, and trying to set --dirserver or --datadirectory results in errors that there isn't permission to access /var/lib/tor regardless of the owner of the directory (we've tried leaving it owned by _tor, changing ownership to root, etc.), so we can't get the authority directories off the ground.
I'd really appreciate any thoughts.
Nicholas R. Parker, Rochester Institute of Technology, 5th Year, BS/MS Computing Security
On 9 Apr 2016, at 04:21, Nicholas R. Parker (RIT Student) nrp7859@rit.edu wrote:
Hi all,
I've got an issue that I'm seeking help with. I'm with a small group out of RIT that's trying to construct a private Tor network for research purposes, but we've hit a bit of a snag.
I've worked with both Liu Fengyun's (http://liufengyun.chaos-lab.com/prog/2015/01/09/private-tor-network.html) and Ritter's write-up (https://ritter.vg/blog-run_your_own_tor_network.html), but when trying to set up authority directories the whole thing really falls apart.
Depending on your research needs, you might find chutney helpful: https://gitweb.torproject.org/chutney.git
chutney configures and launches a tor network on the local machine. It's designed to quickly smoke-test tor's key functionality, so it has a lot of torrc options set that speed things up.
You should be able to get it to run using:
1. git clone https://git.torproject.org/chutney.git
2. git clone https://git.torproject.org/tor.git
3. cd tor
4. make test-network-all
You might find this useful to test your code changes, or to give you a set of starting configurations that you can then modify to your own needs (including putting various nodes on different IP addresses).
Trying to edit the torrc file gives errors where it doesn't attempt to bind to the correct ports, and trying to set --dirserver or --datadirectory results in errors that there isn't permission to access /var/lib/tor regardless of the owner of the directory (we've tried leaving it owned by _tor, changing ownership to root, etc.), so we can't get the authority directories off the ground.
At the high level of detail you provided, these sound like typical network daemon configuration issues. Have you tried consulting a network daemon FAQ for your OS?
Typically, ports under 1024 shouldn't be used, because they often require root permissions or OS-specific capabilities. Each tor authority has a configured IP and ports, and these need to be consistent in each authority's, relay's, and client's torrc. Multiple tor instances on the same machine should not use the same ports; this includes default ports like SocksPort (set it to 0 to disable it). Do you have any other services running on these machines? Do you have old tor processes still running?
Typically, network daemons need to be run as the user that owns the directory (or, at the very least, the user needs permission to modify it). Have you tried using a user/permissions FAQ for your OS to help you configure the user and permissions correctly? Tor also has more specific requirements for security reasons; these protect the keys from other users on the system.
It's hard to give more advice without more specific details. If this advice doesn't help, please copy and paste the configuration options you used, and the errors you got, and then tell us what you've tried to do to fix them.
Tim
Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP 968F094B ricochet:ekmygaiu4rzgsk6n
Thanks a lot Tim.
We've looked into Chutney, but we're looking at building out a whole network for various research purposes (I'm just the grad grunt; whatever research plans they have are above me!). It looks like you're saying that we could use chutney to at least generate all of the base configuration files, is that right?
We've been running into these issues with completely clean installs of CentOS, no new/extraneous services running, with single instances of the tor service going at any one time.
Nicholas R. Parker, Rochester Institute of Technology, 5th Year, BS/MS Computing Security, 585-794-0029 / nrp7859@rit.edu dmg9645@rit.edu
tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
On 11 Apr 2016, at 09:28, Nicholas R. Parker (RIT Student) nrp7859@rit.edu wrote:
We've looked into Chutney, but we're looking at building out a whole network for various research purposes (I'm just the grad grunt; whatever research plans they have are above me!). It looks like you're saying that we could use chutney to at least generate all of the base configuration files, is that right?
I'm suggesting you use chutney to generate a working network on a single machine, and then move tor instances on that network to other machines one at a time. If you start with a working network, then it's obvious when you do something that breaks the network.
If you can't get a working network using chutney on localhost, then that's useful information, too. (Perhaps your tor install is broken.)
That said, you could use chutney to just generate the config files, but it's harder to work out what went wrong if things fail.
We've been running into these issues with completely clean installs of CentOS, no new/extraneous services running, with single instances of the tor service going at any one time.
I can't really provide any specific help, because I don't have enough detail.
However, here's one guess at some information that might be useful: Tor authorities will run on their own, and they also act as relays. Tor relays (including exits and bridges) need authorities. Tor clients (including onion (hidden) services) need authorities and relays and likely exits.
Start by getting one authority running on one machine. It will serve a consensus consisting of itself. Then, get another authority running on another machine. Make sure they talk to one another and agree that they're both valid. Then, get a few relays running. Make sure they all appear in the consensus. Then get a few exits running. Then try clients. Then test that clients can use the exits to talk to a test web server or something. (Chutney automates this entire process.)
If you want help with any failures, copy and paste the torrc, and the error messages you're getting, and tell us what you've tried already. (You can anonymise IP addresses if you need to, as long as it's clear which ones are the same.)
Tim
Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP 968F094B ricochet:ekmygaiu4rzgsk6n
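The "make sure they all appear in the consensus" step above can be checked mechanically rather than by eye. The following is an added example, not code from this thread, from chutney or from the Tor project: it parses the r and s lines of a network-status consensus (the document an authority serves on its DirPort at /tor/status-vote/current/consensus), converts each expected hex fingerprint into the unpadded base64 identity that r lines carry, and reports relays that are absent or lack the flags you expect them to have by that stage (Authority, Running, Exit). The consensus text is constructed inline for the demonstration: the authority fingerprint is the one from the torrc posted later in this thread, and the relay fingerprints and descriptor digest are placeholders.

```python
"""Check which expected relays are present and usable in a Tor consensus
(added example for this thread, not Tor or chutney code)."""
import base64

def fp_to_identity(fingerprint_hex):
    """'r' lines carry the identity as unpadded base64 of the 20-byte fingerprint."""
    return base64.b64encode(bytes.fromhex(fingerprint_hex)).decode().rstrip("=")

def parse_consensus(text):
    """Return {identity: {nickname, address, orport, dirport, flags}} from r/s lines.
    Handles the 9-field 'r' line of a full consensus and the 8-field microdesc form."""
    routers, current = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) in (8, 9):
            addr, orport, dirport = parts[-3:]
            current = parts[2]
            routers[current] = {"nickname": parts[1], "address": addr,
                                "orport": int(orport), "dirport": int(dirport), "flags": set()}
        elif parts[0] == "s" and current is not None:
            routers[current]["flags"] = set(parts[1:])
    return routers

def consensus_problems(consensus_text, expected):
    """expected: {fingerprint_hex: set of flags the relay must have}. Returns problem strings."""
    routers = parse_consensus(consensus_text)
    problems = []
    for fp, required in expected.items():
        router = routers.get(fp_to_identity(fp))
        if router is None:
            problems.append(f"{fp[:8]}: not in consensus")
            continue
        lacking = set(required) - router["flags"]
        if lacking:
            problems.append(f"{fp[:8]} ({router['nickname']}): missing flags {sorted(lacking)}")
    return problems

# Constructed sample. The authority fingerprint is the one from the posted torrc;
# the relay fingerprints and the descriptor digest are placeholders.
AUTH_FP = "456CD98153967845CE13084A193F69016281DCAD"
RELAY_FP, EXIT_FP, ABSENT_FP = "1A" * 20, "2B" * 20, "3C" * 20
DIGEST = "A" * 27
SAMPLE_CONSENSUS = "\n".join([
    f"r testAuth {fp_to_identity(AUTH_FP)} {DIGEST} 2016-04-30 04:00:00 192.168.136.129 5000 7000",
    "s Authority Fast Running Stable V2Dir Valid",
    f"r relay1 {fp_to_identity(RELAY_FP)} {DIGEST} 2016-04-30 04:00:00 192.168.136.130 5000 7000",
    "s Fast Running Valid",
    f"r exit1 {fp_to_identity(EXIT_FP)} {DIGEST} 2016-04-30 04:00:00 192.168.136.131 5000 7000",
    "s Fast Valid",  # listed, but not yet voted Running and without the Exit flag
])

def demo():
    expected = {AUTH_FP: {"Authority", "Running"}, RELAY_FP: {"Running"},
                EXIT_FP: {"Running", "Exit"}, ABSENT_FP: {"Running"}}
    return consensus_problems(SAMPLE_CONSENSUS, expected)

if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

Against a live network, replace SAMPLE_CONSENSUS with the text fetched from an authority's DirPort and fill `expected` from the fingerprint files in each instance's DataDirectory; a relay that shows up in the consensus but never gains Running is the usual sign that the authorities cannot reach its ORPort.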
Managed to successfully generate all necessary certificates, keys, etc., but I'm having a problem with changes to the torrc file.
The tor process starts up without any issue using the default torrc file (as one would expect), but no longer starts after the file has been edited with the directory authority configuration options.
When starting the tor process via *service tor start*, it shows the process as active, but *netstat -anlp | grep tor* shows no tor processes running anywhere at all.
####Edited Torrc###
TestingTorNetwork 1
DataDirectory /root/Downloads/tor
RunAsDaemon 1
ConnLimit 60
Nickname testAuth
ShutdownWaitLength 0
PidFile /var/lib/tor/pid
Log notice file /root/Downloads/tor/notice.log
Log info file /root/Downloads/tor/info.log
ProtocolWarnings 1
SafeLogging 0
DisableDebuggerAttachment 0
DirAuthority Unnamed orport=5000 no-v2 hs v3ident=11B12259013712F46B22A38BBA83F8E68DB48800 192.168.136.129:7000 456CD98153967845CE13084A193F69016281DCAD

SocksPort 0
OrPort 5000
Address 192.168.136.129
DirPort 7000

# An exit policy that allows exiting to IPv4 LAN
ExitPolicy accept 192.168.1.0/24:*

# An exit policy that allows exiting to IPv6 localhost
ExitPolicy accept [::1]:*
IPv6Exit 1

AuthoritativeDirectory 1
V3AuthoritativeDirectory 1
ContactInfo auth0@test.test
ExitPolicy reject *:*
TestingV3AuthInitialVotingInterval 300
TestingV3AuthInitialVoteDelay 20
TestingV3AuthInitialDistDelay 20

Nicholas R. Parker, Rochester Institute of Technology, 5th Year, BS/MS Computing Security, 585-794-0029 / nrp7859@rit.edu dmg9645@rit.edu
On 30 Apr 2016, at 04:05, Nicholas R. Parker (RIT Student) nrp7859@rit.edu wrote:
Managed to successfully generate all necessary certificates, keys, etc., but I'm having a problem with changes to the torrc file.
The tor process starts up without any issue using the default torrc file (as one would expect), but no longer starts after the file has been edited with the directory authority configuration options.
When starting the tor process via service tor start, it shows the process as active, but netstat -anlp | grep tor shows no tor processes running anywhere at all.
What does the tor log say? What did you do to try and fix it?
Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP 968F094B ricochet:ekmygaiu4rzgsk6n
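The checks Tim lists in his first reply (no ports under 1024, no two instances on one host binding the same port, SocksPort defaulting to something even when it is not in the torrc, identical DirAuthority lines everywhere, and a DataDirectory the tor user can actually get to) are the kind of thing to script before asking what the log says. The following is an added example for this thread, not Tor or chutney code. Its port and DirAuthority checks are static; its path check walks the directory chain with stat and asks whether a given uid/gid has search permission on every parent, which is what decides whether a service user can use a DataDirectory or log file placed under a 0700 home directory such as /root. The torrc snippets are constructed from the ports in the torrc posted above plus a hypothetical second instance on the same host; the default SocksPort of 9050 is tor's documented default; the temporary directory layout and the "uid + 1" service user are stand-ins for the demonstration.

```python
"""Preflight for private-Tor-network torrc files (added example, not Tor code): privileged
ports, port collisions on one host, inconsistent DirAuthority lines, unreachable data/log dirs."""
import os, shutil, stat, tempfile

PORT_KEYS = {"orport", "dirport", "socksport", "controlport"}
DEFAULT_SOCKSPORT = 9050  # what tor binds when no SocksPort line is present at all

def parse_torrc(text):
    """Yield (key lowercased, key as written, value); torrc keys are case-insensitive."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            yield key.lower(), key, value.strip()

def port_of(value):
    """Port from '5000', '1.2.3.4:5000' or '[::1]:9050 flags'; None for 0 or auto."""
    port = (value.split() or [""])[0].rsplit(":", 1)[-1]
    return int(port) if port.isdigit() and int(port) > 0 else None

def check_ports(instances):
    """instances: {name: torrc text} for tor processes sharing one host."""
    findings, used = [], {}
    for name, text in instances.items():
        ports = [(key, port_of(v)) for lk, key, v in parse_torrc(text) if lk in PORT_KEYS]
        if not any(k.lower() == "socksport" for k, _ in ports):
            ports.append(("SocksPort(default)", DEFAULT_SOCKSPORT))
        for key, port in ports:
            if port is None:  # 0 or auto: nothing to bind, or no fixed number to collide on
                continue
            if port < 1024:
                findings.append(f"{name}: {key} {port} is privileged (<1024)")
            if port in used:
                findings.append(f"{name}: {key} {port} collides with {used[port]}")
            else:
                used[port] = f"{name}/{key}"
    return findings

def check_authorities(instances):
    """Every instance must carry the same set of DirAuthority lines."""
    sets = {n: frozenset(v for lk, _, v in parse_torrc(t) if lk == "dirauthority")
            for n, t in instances.items()}
    ref = next(iter(sets.values()))
    return [f"{n}: DirAuthority lines differ from the first instance" for n, s in sets.items() if s != ref]

def can_traverse(path, uid, gid):
    """True if uid/gid has search (x) permission on path and on every parent directory."""
    d = os.path.abspath(path)
    while uid != 0:  # root bypasses directory permission checks
        st = os.stat(d)
        bit = stat.S_IXUSR if st.st_uid == uid else stat.S_IXGRP if st.st_gid == gid else stat.S_IXOTH
        if not stat.S_IMODE(st.st_mode) & bit:
            return False
        if os.path.dirname(d) == d:
            break
        d = os.path.dirname(d)
    return True

def check_paths(torrc_text, uid, gid):
    """DataDirectory and the directories of Log files must be usable by the tor uid/gid."""
    findings = []
    for lk, key, value in parse_torrc(torrc_text):
        if lk == "datadirectory":
            path = value
        elif lk == "log" and " file " in value:
            path = os.path.dirname(value.split(" file ", 1)[1].strip())
        else:
            continue
        if not os.path.isdir(path):
            findings.append(f"{key}: {path} does not exist")
            continue
        if not can_traverse(path, uid, gid):
            findings.append(f"{key}: uid {uid} cannot reach {path} (a parent directory blocks it)")
        if os.stat(path).st_uid != uid:
            findings.append(f"{key}: {path} is not owned by uid {uid}")
    return findings

# Constructed: the ports of the authority torrc posted in this thread plus a hypothetical
# second instance on the same host (reused DirPort, no SocksPort, no DirAuthority line).
AUTH_TORRC = """SocksPort 0
OrPort 5000
DirPort 7000
DirAuthority Unnamed orport=5000 no-v2 hs v3ident=11B12259013712F46B22A38BBA83F8E68DB48800 192.168.136.129:7000 456CD98153967845CE13084A193F69016281DCAD
"""
RELAY_TORRC = "ORPort 443\nDirPort 7000\n"

def demo_same_host():
    instances = {"auth": AUTH_TORRC, "relay": RELAY_TORRC}
    return check_ports(instances) + check_authorities(instances)

def demo_paths():
    # Rebuild the posted layout (DataDirectory under a 0700 home directory) in a temp dir,
    # then check it as the owning user and as an assumed service user with a different uid/gid.
    root = tempfile.mkdtemp()
    datadir = os.path.join(root, "root", "Downloads", "tor")  # stands in for /root/Downloads/tor
    os.makedirs(datadir)
    for d in (os.path.join(root, "root"), datadir):
        os.chmod(d, 0o700)
    torrc = f"DataDirectory {datadir}\nLog notice file {datadir}/notice.log\n"
    as_owner = check_paths(torrc, os.getuid(), os.getgid())
    as_service_user = check_paths(torrc, os.getuid() + 1, os.getgid() + 1)
    shutil.rmtree(root)
    return as_owner, as_service_user
```

To use it on a real box, read each instance's torrc into `check_ports`/`check_authorities` and call `check_paths` with the uid and gid the init script starts tor as (look at the service unit or init script rather than at whoever ran `service tor start`); a DataDirectory that passes as root and fails as the service user explains a daemon that is reported active but never binds anything.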