Hi,
As gus pointed out, Hetzner, OVH, Online S.A.S (now owned by and called Scaleway), and DigitalOcean should be avoided at all costs, and yes, even for bridges.
Please try to find a host that hosts as few (publicly listed) tor relays as possible for your bridge or relay.
- William
On 02/04/2021, Keifer Bly keifer.bly@gmail.com wrote:
Would running a bridge on OVH be OK? Thanks. --Keifer
On Thu, Apr 1, 2021 at 1:29 AM William Kane ttallink@googlemail.com wrote:
Hi,
No, OVH is the second most commonly used hosting provider; another relay hosted there would hurt the network more than it would help:
https://metrics.torproject.org/bubbles.html#as
We need to make the network as diverse as possible, in order to make it as hard as possible for law enforcement and other bad actors to de-anonymize tor circuits.
If you really want to help us out, here's what I advise you to do:
- Rent a dedicated machine, with a new-ish CPU (supporting VT-x and AES-NI, and good single thread performance since tor is mostly single-threaded).
- Get your own subnet, it doesn't have to be huge, but make sure you are allowed to change the abuse-mailbox field to an e-mail you own, so your host doesn't get flooded with automated and mostly useless abuse reports and terminates your service in response.
- Make use of QEMU/KVM and create one virtualized instance for each set of two relays (maximum amount of relays sharing the same public address is 2).
- Make use of the CPU-pinning feature offered by libvirt, and the isolcpus kernel argument to isolate all but two cores from the kernel's scheduler, and pin two cores to each VM.
- Disable all CPU mitigations (mitigations=off on the kernel command line) to increase performance, since you are only installing signed packages anyway, there is no untrusted code running on the system, which means there is no need for any mitigations to be active.
- Make sure you have an unmetered traffic plan and at the very least 1, but best case 2 1Gbit/s uplinks.
With a somewhat modern CPU supporting hardware AES acceleration, this should get you 150 to 200 Mbps per tor instance, at least that's my experience when I ran the setup described above around 4 years ago.
On a last note, whatever you decide to do, please don't settle for some overused host just because it's easier or cheaper - you might as well not host a relay at all, then.
Look for a host, get its AS ID, then input it here: https://metrics.torproject.org/rs.html#search/as:<AS_NUMBER>
Example:
https://metrics.torproject.org/rs.html#search/as:AS197019
If this was a bit too much, I apologize - I will gladly answer any questions you have.
- William
On 30/03/2021, Keifer Bly keifer.bly@gmail.com wrote:
Hi,
I am wondering if OVH is a safe VPS provider to run an exit relay on?
Thank you.
--Keifer
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
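The per-AS check recommended in the thread above can also be scripted when comparing several hosts at once. The following is an added example, not part of any message in the thread: it assumes input shaped like an Onionoo "details" document (the `as`, `running` and `consensus_weight_fraction` fields), uses constructed sample relays with documentation-range AS numbers, and the function names are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample shaped like an Onionoo "details" response.
# AS64496-AS64498 are documentation AS numbers (RFC 5398), not real hosts.
SAMPLE = json.loads("""
{"relays": [
  {"nickname": "a1", "as": "AS64496", "running": true,  "consensus_weight_fraction": 0.09},
  {"nickname": "a2", "as": "AS64496", "running": true,  "consensus_weight_fraction": 0.07},
  {"nickname": "a3", "as": "AS64496", "running": true,  "consensus_weight_fraction": 0.05},
  {"nickname": "a4", "as": "AS64496", "running": false, "consensus_weight_fraction": 0.04},
  {"nickname": "b1", "as": "AS64497", "running": true,  "consensus_weight_fraction": 0.01},
  {"nickname": "u1", "running": true}
]}
""")


def as_concentration(details):
    """Map each AS to (running relay count, summed consensus weight fraction)."""
    stats = defaultdict(lambda: [0, 0.0])
    for relay in details.get("relays", []):
        if not relay.get("running"):
            continue  # relays that are down do not carry traffic right now
        # Onionoo omits "as" when the address is not in its AS database.
        asn = relay.get("as") or "unknown"
        stats[asn][0] += 1
        # The weight fraction is optional too; treat a missing value as zero.
        stats[asn][1] += relay.get("consensus_weight_fraction") or 0.0
    return {asn: (count, round(weight, 6)) for asn, (count, weight) in stats.items()}


def rank_candidates(details, candidates):
    """Order candidate AS numbers from least to most represented in the network."""
    stats = as_concentration(details)

    def load(asn):
        count, weight = stats.get(asn, (0, 0.0))
        return (weight, count)  # weight first: it reflects the share of traffic

    return sorted(candidates, key=load)


if __name__ == "__main__":
    for asn in rank_candidates(SAMPLE, ["AS64496", "AS64497", "AS64498"]):
        count, weight = as_concentration(SAMPLE).get(asn, (0, 0.0))
        print(f"{asn}: {count} running relays, {weight:.2%} of consensus weight")
```

An AS that does not appear in the data at all sorts first, which matches the advice to prefer a host with as few listed relays as possible.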