Hello,
Thanks all for joining the Tor Relay Operator Meetup! You can find the meetup notes below. The next meetup will be at the beginning of April (1st or 8th, date TBD).
cheers, Gus
## Tor Relay Operator Meetup - 2023-03-04
### Before we start
Tor operators are recommended to read the Tor Code of Conduct and Expectations of Tor Operators.
Tor Code of Conduct: https://gitweb.torproject.org/community/policies.git/tree/code_of_conduct.tx...
Expectations for Relay Operators: https://gitlab.torproject.org/tpo/community/team/-/wikis/Expectations-for-Re...
### Announcements
1) The number of Tor relays per IP address has been increased from 2 to 4: https://gitlab.torproject.org/tpo/core/tor/-/issues/40744 We will discuss further increasing this limit during the Questions & Answers section.
2) Tor version 0.4.5 has reached end-of-life status. There is no plan to create a new LTS (long term support) version. In 2-3 weeks the Tor Project will start the usual process of gathering the EOL relays and contacting their operators to ask them to upgrade. Do you run an EOL version yourself? Please update as soon as possible.
3) The aim of the Run a Tor relay (EFF Challenge @ Universities) is to give students and universities hands-on experience with Tor, for example by letting students and/or labs run relays, proxies or experiment with Tor in other ways. The Tor Project made a letter to send to their closest contacts, but the difficulty is: what do you ask for?
There is a large difference between educational institutions: some of them, for example, work together with LEA (law enforcement agencies) to deanonymize Tor users, while others work on new privacy-by-design technologies. If you're interested you can follow the mailing list[1] or post on the forums. If you have pointers or specific input, you can also contact gman999 on IRC directly.
[1] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays-universitie...
4) The internet in Turkmenistan is mostly censored[1], to the point where even Snowflake[2] and most Obfs4 bridges are blocked (because most of the internet is actually blocked by their government). Obfs4 bridges running from residential IP address space seem to still work. Help is greatly needed and appreciated.
[1] Information about censorship in Turkmenistan: https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issu...
[2] Snowflake is blocked: https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issu...
### Collecting proposals for improving the health of Tor
The Tor Project wants to invite[1] the community (which of course includes the Tor operators) to have a discussion and create proposals to improve the health of the Tor network by creating a healthy and trustworthy Tor operator community. Bad actors are frequently trying to hurt Tor, Tor users and Tor's community, and we should try to mitigate these efforts more effectively.
This effort is part of the Community and Network Health teams' 2023 roadmap. Some of these activities are also part of sponsor work[2]. This is only the start of this process and right now proposals are only gathered (and not yet discussed/considered).
Some relevant documents and currently gathered proposals are the Expectations for Relay Operators[3], proposal for Exit relay lifecycle[4], proposal for using CISS[5], proposal for verified physical address for large operators[6] and a proposal for limiting unverified relay families[7]. Note that this call for proposals is certainly not meant to yield only technical solutions, but also social, community and other solutions to improve the Tor network health and Tor's community.
The Tor Project wants a lot of involvement from the community during this process. Don't hesitate to submit your own proposals, ideas, opinions, discussions via the usual channels. Concrete proposals can be added to GitLab[8] or the tor-relays mailing list. The proposals will also be discussed and evaluated during Tor relay operator meetups (both online and offline).
Timeframe/planning (TBD):
- March 2023 - June 2023: Call for proposals (collecting/gathering)
[1] https://gitlab.torproject.org/tpo/community/relays/-/issues/55
[2] Full project: https://gitlab.torproject.org/groups/tpo/-/milestones/44
[3] https://gitlab.torproject.org/tpo/community/relays/-/issues/18
[4] https://gitlab.torproject.org/tpo/network-health/team/-/issues/220
[5] https://lists.torproject.org/pipermail/tor-relays/2020-October/019024.html
[6] https://lists.torproject.org/pipermail/tor-relays/2020-July/018643.html
[7] https://lists.torproject.org/pipermail/tor-relays/2020-July/018656.html
[8] https://gitlab.torproject.org/tpo/community/relays/-/issues/5
### Tor Weather release & beta testing
The Tor Weather notification service helped Tor operators to get notifications about incidents, issues, removal of flags etc. regarding their relays. This service has been offline and unmaintained for a while now because of a time shortage. Such a monitoring service can be very valuable for Tor operators though, and would lower the bar for new Tor relay operators to start running Tor relays without having to worry about implementing advanced monitoring to check on their Tor relays.
For the Google Summer of Code (GSoC) Project 2022 the Tor Project found a mentee to revitalize Tor Weather. The current repository can be found on GitLab[1] and after improvements Tor would like to test these with Tor operators.
The Tor operators got a short demonstration of Tor Weather and are enthusiastic about it. :)
[1] https://gitlab.torproject.org/tpo/network-health/tor-weather
### DoS situation update
The Network Team isn't available today so instead the Tor Project asks the Tor operator community how they are experiencing and dealing with the DDoS situation. On Tor's side not much has changed but the implementation of the proof of work is coming along nicely[1]. There is no input from the Tor relay operators.
#### This might be a stupid question - but what is the TL;DR on the DDoS? To be honest, I didn't notice anything really even though I run quite a few exits. Is it higher network usage only or high CPU or...? Sorry for asking such a basic question (Kristian - lokodlare)
There are different DDoS attacks, some are focused on guard/middle relays while others target exit relays. Some DDoS attacks are done via the Tor network itself while other DDoS attacks are plain old UDP/TCP flood attacks. Tor Project is working on more DDoS mitigation.
For a summary, read this blog post: https://blog.torproject.org/tor-network-ddos-attack/
[1] https://gitlab.torproject.org/tpo/core/tor/-/issues/40634
### Questions and topics
#### When is the next relay operator meetup?
Gus will pick a date between April 1 19:00 UTC and April 8 19:00 UTC.
#### What about bridge enumeration attackers and how to prevent it?
Censors already have their own tools and devices to block and/or enumerate Tor bridges and circumvention tech. That said, such projects exposing bridges aren't helping Tor in any way. If you know any potential issues with BridgeDB, or if you're one of the people collecting this data, please contact the Tor Project. Don't be a jerk, be awesome instead. :)
#### When will a new Sysadmin 101 workshop be organized?
We should find a new date and topics for the next Sysadmin workshop. Suggestions are welcome: https://gitlab.torproject.org/tpo/community/relays/-/issues/63
For BSD enthusiasts, the BSD community has an IRC channel (#bsd-privacy) and everyone is welcome to join and reach out.
#### Obfs4 is totally blocked in Iran and snowflake has very little speed if not blocked at some ISPs, are there any plans to upgrade the bridge software to circumvent the stricter kinds of censorships?
- Decline in Snowflake users from Iran during the second part of February, cause unknown: https://opencollective.com/censorship-circumvention/projects/snowflake-daily...
- Investigating a possible misconfiguration: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowf...
- There is a second Snowflake bridge (snowflake-02), available in Tor Browser since 12.0:
  https://blog.torproject.org/new-release-tor-browser-120/
  https://bugs.torproject.org/tpo/applications/tor-browser-build/40674
  But most Snowflake users in Iran use Orbot, not Tor Browser, and the second Snowflake bridge is not in any released version of Orbot yet.
  http://meetbot.debian.net/tor-meeting/2023/tor-meeting.2023-02-16-15.58.log....
  You can activate the second bridge in Orbot by manually pasting in a bridge line.
  https://github.com/net4people/bbs/issues/152
- There have been intermittent blocks of the domain fronting rendezvous in some ISPs in Iran. A workaround is to use the AMP cache rendezvous. https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/115

If you're from Iran, you might be able to help the Tor Project. Please reach out to us if you can provide more information about how Iran is blocking Tor.
#### Can we move forward with increasing the relays per IP limit? 4 -> 8 -> 16? We are waiting for the final step because we don't want to do the IP renumbering dance multiple times. Also: If you stop at "8 relays per IP" please document why, so we at least know why we are spending money on IP addresses instead of faster hardware to deal with the DDoS pain.
https://gitlab.torproject.org/tpo/core/tor/-/issues/40744
The Tor Project wants to check the impact of the change from 2 to 4 first before further increasing the limit. This will take at least a few more weeks and then further steps can be taken (based on the data).
#### Please document MetricsPort
https://gitlab.torproject.org/tpo/core/tor/-/issues/40762
#### I wish to collaborate on the Snowflake landing page revamp. Please give me Gitlab account access. I would love to learn more about The Tor Project. https://forum.torproject.net/t/collecting-feedback-on-snowflake-landing-page...
- If you're a GSoC applicant, please talk with your project mentor first.
#### DDoS mitigation: Would you implement this as a patch only so we do measurements and come up with some data for a proposal that aims to make DDoS against non-guards harder? https://gitlab.torproject.org/tpo/core/tor/-/issues/40761
The Network Team isn't available, but Tor Project will discuss this in the next week. The proposal looks fine at first sight. Thanks for submitting a proposal to improve Tor.
#### dannenberg doesn't seem up to date wrt to AuthDirMaxServersPerAddr=4, it says a lot of relays are sybil. Any idea when it will get updated?
Tor Project contacted all Authorities but for the time being you have to live with it.
#### Please help us prevent downtimes with this easy addition to MetricsPort https://gitlab.torproject.org/tpo/core/tor/-/issues/40546
The Network Team is aware of this proposal.
#### I have a question about my Snowflake node running on a DigitalOcean droplet. Its log says "NAT type: restricted" but I do see connections and traffic being relayed. Where is a good place to go for help/support? Or is this a known issue/not an issue?
- "NAT type: restricted" is not really a problem; it just means that there are some Snowflake clients your proxy will not be able to connect to. The Snowflake broker takes NAT compatibility into account, so it will not assign clients with an incompatible NAT to your proxy.
https://forum.torproject.net/t/snowflake-standalone-proxy-in-docker-how-to-m...
For full documentation about Snowflake NAT matching, please read this wiki page: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowf...
#### Do you know about an approach or hacking guide to store your ed25519_master_id_secret_key on a smartcard or hardware token like Nitrokey or Yubikey and use this smartcard in the signing process? I think this would be a helpful approach to make offline key signing even more secure. (I know that there are different key formats, different firmware versions etc. - just wanted to know if someone has experiences with that).
This topic has come up a few times, but as far as is known no one really implemented this in practice.
#### will exit scanner support IPv6 anytime soon? (ExoneraTor) after the last relay meetup I realized it also affects us even without using the torrc setting to use a distinct exit IP
Not anytime soon probably.
#### I have some relays hosted on a residential connection that changes IP 1-2 times per month. My ISP provides me DDNS. Can I use that to advertise my relays instead of the IP in order not to repeat the lifecycle of a new relay every time the IP is changed?
Yes! In theory, you can write your FQDN (dyndns address) in the "Address" field in your torrc, and Tor will resolve it periodically to see if it has changed. Also, in theory you should be able to just leave it all blank, and Tor will discover that your IP address has changed. You should maintain your relay reputation across IP address changes -- though we do count the change as a brief downtime, because client connections get cut when you change addresses.
#### Does the Tor Weather support Bridges too?
It could look at the bridgestrap output, rather than needing to scan the bridges itself.
On Wed, Mar 01, 2023 at 12:19:31PM -0300, gus wrote:
Hello,
Just a friendly reminder that the Tor Relay Operator meetup will happen this Saturday, March 4, 2023 at 19 UTC (view in your timezone: https://timee.io/20230304T1900?tl=Next%20Tor%20Relay%20Operator%20Meetup%20-... ).
cheers, Gus
On Tue, Feb 14, 2023 at 11:48:56AM -0300, gus wrote:
Hi,
The next Tor Relay Operator Meetup will happen on March 4, 2023, at 19 UTC!
We're still working on the agenda, feel free to add your topics and/or questions on the pad: https://pad.riseup.net/p/tor-relay-op-meetup-m4-keep
onionsite: http://kfahv6wfkbezjyg4r6mlhpmieydbebr5vkok5r34ya464gqz6c44bnyd.onion/p/tor-...
WHERE Room link: https://tor.meet.coop/gus-og0-x74-dzn
Registration
No need for a registration or anything else, just use the room-link above. We will open the room 10 minutes before so you can test your mic setup.
Please share with your friends, social media and other mailing lists!
Gus
The Tor Project Community Team Lead