Felix:
Hi Neel
My relay runs FreeBSD 11.2 and Tor runs in a "jail".
Jails are perfect for that! I observed the host Freebsd tcp stack is strong enough for more than 500Mbit/s in AND out.
Yes, jails are a perfect fit in many ways.
I haven't been a jail user since FreeBSD 7.x or 8.x, but one thing I'd like to do at some point is sort out a bare minimum jail for a Tor node. Not that usual full-base system jail, but something that would look like a chroot from the birds-eye view.
I think it should be very doable with EZjail, but I always prefer base tools with shell scripts.
I should mention that I'm not a fan of virtualization solutions for many use-cases, but FreeBSD jails aren't about bloat and just adding more lines of code with more bugs. They are a tight solution that can really mitigate compromises when used properly.
For those interested, go look up there original usage by phk@ as a web site hosting solution. It was an instance where some Danish www hosting company kept getting their site hacked, so he had a cron job which diff'd the contents of the www-serving jail, and overwrote it if there was change, or something like that.
I can't find the actual link but this helps:
http://phk.freebsd.dk/sagas/jails.html
I am using AESNI and Tor is configured to use OpenSSL cryptodev.
Does crypto run? On log info you should find the following entry during start:
[info] crypto_openssl_init_engines: Initializing dynamic OpenSSL engine "dynamic" acceleration support. [info] crypto_openssl_init_engines: Loaded dynamic OpenSSL engine "dynamic".
After finding this message you can switch to notice and restart.
* I want to keep using FreeBSD on my server and do not want to run Linux
+1
Addressing the general audience here...
I'm a long-time BSD person and have fought long and hard for OS diversity in Tor, but everyone should stick to OSs they are most comfortable with.
The only thing I fear more than OS monocultures is anyone running OSs they can't admin systems which are public-facing and providing a vital service.
A misconfigured BSD relay doesn't help anyone.
* I would prefer to have a single instance, but can use multiple if I have to
It's BSD, so may-be consider to go for libressl from ports (which does not support the crypto engine). And then use 2 instances per ip. Better for diversity ;)
Yes, !OpenSSL should be considered, and LibreSSL is a good start.
I know LibreSSL doesn't support crypto engine, but not sure of the consequences outside of the basics with it.
* My server supports hardware accelerated AES and SHA. I am using this on FreeBSD with the aesni kernel module and Tor with "HardwareAccel 1" and "AccelName cryptodev"
A toorc can look like: RelayBandwidthRate 0 RelayBandwidthBurst 0 HardwareAccel 1 AccelName dynamic Log info file /var/log/tor/info
On that note, a lot of the Tor BSD docs have been migrated to the TPO documentation, and we need to finish migrating the https://wiki.torbsd.org there also.
But there continues to be a need for more, plus additional translations. The BSDs have particularly large footprints in some countries that also happen to lack many Tor relays such as Japan and the Balkan countries.
The "gateway" drug for most people running anything new is FAQs, how-tos and documentation. A good target might be optimizing BSD relays beyond the obvious.
g