Hello dear friends
I'm running a non-exit relay on a Debian machine (in the next few months I will switch to *BSD) on a Lime2. I'm running an exit relay too on a remote VM.
I would turn my non-exit relay into an exit one, but for obvious reasons, I don't want to run it from my shitty ISP IP. I could give 10-14 mbps from my home connection, so I think that the Lime2 would be powerful enough to run it properly.
Do you think it would be feasible to use SSH to forward all connections, except DNS queries, between my Lime2 and the remote VM in order to use an additional VM's IP?
Could you give me some tips please?
cheers
Gigi
tor-relay@riseup.net:
> I'm running a non-exit relay on a Debian machine (in the next few months I will switch to *BSD) on a Lime2.
I assume you are referring to a relay run at home.
> I'm running an exit relay too on a remote VM.
> I would turn my non-exit relay into an exit one, but for obvious reasons, I don't want to run it from my shitty ISP IP. I could give 10-14 mbps from my home connection, so I think that the Lime2 would be powerful enough to run it properly.
I would discourage such a setup for the following reasons:
- this setup includes the risk that users will exit through your home broadband IP address (bad!) if tunnels break down
- such setups that introduce an additional hop decrease the user-experience
- most users will not be happy with a "10-14mbps" exit at a home broadband connection
- it is not clear to me why you would involve your home IP at all for your exit if you have a VM in a datacenter
nonetheless, thanks for running relays,
nusenu
I think that a network based too much on remote VMs, with closed source software running on the deepest machine level, is not very resilient and secure.
So the reason why I was thinking to do so is that I wanted to run a small exit relay on a device running only open source software, like the Olimex Lime2 does, and under my direct control.
The latency from my home and the VM is not so high (45-50 ms), and I was pretty sure that with a proper configuration I didn't risk that users exit through my home connection. But if you say that with such a small bandwidth it can't run properly, I trust you, so I keep a non-exit relay.
Anyway thanks for your advice
On 22/05/19 11:05, nusenu wrote:
> tor-relay@riseup.net:
>> I'm running a non-exit relay on a Debian machine (in the next few months I will switch to *BSD) on a Lime2.
> I assume you are referring to a relay run at home.
>> I'm running an exit relay too on a remote VM.
>> I would turn my non-exit relay into an exit one, but for obvious reasons, I don't want to run it from my shitty ISP IP. I could give 10-14 mbps from my home connection, so I think that the Lime2 would be powerful enough to run it properly.
> I would discourage such a setup for the following reasons:
> - this setup includes the risk that users will exit through your home broadband IP address (bad!) if tunnels break down
> - such setups that introduce an additional hop decrease the user-experience
> - most users will not be happy with a "10-14mbps" exit at a home broadband connection
> - it is not clear to me why you would involve your home IP at all for your exit if you have a VM in a datacenter
> nonetheless, thanks for running relays,
> nusenu
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On May 23, 2019, at 3:54 AM, tor-relay@riseup.net wrote:
> I think that a network based too much on remote VMs, with closed source software running on the deepest machine level, is not very resilient and secure.
Actually, it’s very secure. By default, Tor doesn’t log anything but simple notice messages. In addition, if you use Offline Master Keys (https://trac.torproject.org/projects/tor/wiki/doc/TorRelaySecurity/OfflineKe...) the security of your node is greatly enhanced. As long as you have direct root access to the VM, you’re fine. Also, most VMs use OSS hypervisors such as KVM or Xen.
> So the reason why I was thinking to do so is that I wanted to run a small exit relay on a device running only open source software, like the Olimex Lime2 does, and under my direct control.
If you really want to use this device as an exit, I would strongly suggest that you don’t do it at home; there’s actually a few companies that specialize in colocation for small hardware platforms such as the Lime2.
> The latency from my home and the VM is not so high (45-50 ms), and I was pretty sure that with a proper configuration I didn't risk that users exit through my home connection. But if you say that with such a small bandwidth it can't run properly, I trust you, so I keep a non-exit relay.
That’s actually very high latency to add to the hop because you’re going to add SSH encryption on top of it, which will add more latency, just to get to the VM? I wouldn’t consider it feasible.
Now that I’m thinking about it, you could try finding a VPN provider that allows Tor and using that VPN provider on your Lime2.
-Conrad
On May 22, 2019, at 1:24 AM, tor-relay@riseup.net wrote:
> Hello dear friends
> I'm running a non-exit relay on a Debian machine (in the next few months I will switch to *BSD) on a Lime2. I'm running an exit relay too on a remote VM.
> I would turn my non-exit relay into an exit one, but for obvious reasons, I don't want to run it from my shitty ISP IP. I could give 10-14 mbps from my home connection, so I think that the Lime2 would be powerful enough to run it properly.
> Do you think it would be feasible to use SSH to forward all connections, except DNS queries, between my Lime2 and the remote VM in order to use an additional VM's IP?
> Could you give me some tips please?
I would highly advise against this, namely because you’re exposing yourself to the risk of the tunnel going down and exit traffic possibly going out the default route, which is your home ISP connection, or a misconfiguration occurring, which would mean your home is detected as a Tor exit, or so forth. If you want to run a relay at home, run an entry or middle. If you want an exit, get a VM, a Colo, or a Dedicated Server. Just my $0.02.
> cheers
> Gigi
Hi,
On 22 May 2019, at 16:24, tor-relay@riseup.net wrote:
> Do you think it would be feasible to use SSH to forward all connections, except DNS queries, between my Lime2 and the remote VM in order to use an additional VM's IP?
I just wanted to highlight the DNS queries from your home address.
It's risky for you to allow anyone on the internet to use your home DNS. Your ISP may terminate you or report you to the police for looking up some sites. (Or they may block your exit users *from* looking up some sites.) The DNS load might also be more than your ISP can handle.
There is also the risk that your forwarding fails, and all the exit traffic comes from your home IP.
T
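The failure mode raised in several replies above (the tunnel drops and exit traffic leaves through the default route on the home connection) can be checked on a routing table before relying on it. The following is an added example, not part of the original thread: it models Linux route selection in simplified form over constructed tables, and the names tun0, eth0, the addresses and the high-metric blackhole fallback routes are all assumptions chosen for illustration.

```python
import ipaddress

# Constructed `ip route show` style tables (documentation address ranges).
# Assumed names: tun0 = tunnel to the VM, eth0 = home uplink, 203.0.113.5 = the VM.
LEAKY = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
203.0.113.5 via 192.168.1.1 dev eth0
default via 192.168.1.1 dev eth0
"""
# Same table plus high-metric blackhole routes, which only win once the tun0 routes are gone.
FAIL_CLOSED = LEAKY + """\
blackhole 0.0.0.0/1 metric 1000
blackhole 128.0.0.0/1 metric 1000
"""

def parse_routes(text):
    """Parse the subset of `ip route show` used above into (network, kind, dev, metric)."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        kind = "unicast"
        if tok[0] in ("blackhole", "unreachable", "prohibit"):
            kind, tok = tok[0], tok[1:]
        net = ipaddress.ip_network("0.0.0.0/0" if tok[0] == "default" else tok[0])
        dev = tok[tok.index("dev") + 1] if "dev" in tok else None
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok else 0
        routes.append((net, kind, dev, metric))
    return routes

def tunnel_down(routes, dev="tun0"):
    """Model the kernel removing every route through the tunnel device when it goes away."""
    return [r for r in routes if r[2] != dev]

def egress(routes, dst):
    """Longest prefix wins, then lowest metric; return the device or the reject type."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    if not hits:
        return "unreachable"
    net, kind, dev, metric = max(hits, key=lambda r: (r[0].prefixlen, -r[3]))
    return dev if kind == "unicast" else kind

def leaks_when_down(table, dst, home_dev="eth0"):
    """True if traffic to dst would leave via the home uplink once the tunnel is down."""
    return egress(tunnel_down(parse_routes(table)), dst) == home_dev

if __name__ == "__main__":
    for name, table in (("leaky", LEAKY), ("fail-closed", FAIL_CLOSED)):
        print(name, "leaks via eth0 when tunnel drops:", leaks_when_down(table, "198.51.100.7"))
```

This covers routing only and applies to all traffic from the host, not just Tor; it does not address the DNS concern raised in the last reply.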