I'm thinking of running a relay, and i've a few questions regarding the requirements and the general setup. So far this is just planning.
The hardware would be clean and in my possession, but the connection would go through a Swedish-based VPN provider because i'm not interested in running it through my own IP address. The provider endorses Tor and places no limits whatsoever on the services run through their connection, has port forwarding and allows exits, so no issues there. They also have a strict no-logging policy, but words are cheap so you never know.
I guess the first question should be whether such a relay would be welcome on the Tor network in the first place? I am aware that connecting to Tor through a VPN isn't generally recommended, but what about running a relay through one? Better idea, or a ridiculously bad one?
Second, while it would run on a (nearly) dedicated 100mbit connection, i do not have dedicated equipment. The machine needs to be taken offline between every 2-4 weeks, for some days at a time. Frequent OS updates also often require reboots in addition to this downtime. So much for a stable flag, but more importantly i need to know if this behavior is undesirable for running middle/exit relays? If so, would a bridge be better suitable with the tools i have at hand?
Third, regarding running bridges. The Tor Project FAQ states running your own bridge might improve your own anonymity. I assume this means you would manually set up your TBB to connect to *your own* bridge, is this correct? And finally, since the bridge would run on a separate (VPN) IP address, would this make a difference (re:anonymity) for better or worse if you connected through it yourself? I'm likely missing something here because it seems it would basically be the same as simply connecting to Tor through the VPN client alone.
Thanks.
"I guess the first question should be whether such a relay would be
welcome on the Tor network in the first place? I am aware that connecting to Tor through a VPN isn't generally recommended, but what about running a relay through one? Better idea, or a ridiculously bad one?" It isn't a better idea, certainly; but it isn't so bad as to throw it out entirely. Since all non-exit communications are encrypted, there wouldn't be any huge "no-nos" as far as that is concerned.
However, with an exit node, (some) communications aren't encrypted. It really boils down to whether or not you trust your provider. However, the same can be said with a VPS provider! I would not be concerned about it; please add your relay to the network.
"Second, while it would run on a (nearly) dedicated 100mbit connection, i
do not have dedicated equipment. The machine needs to be taken offline between every 2-4 weeks, for some days at a time. Frequent OS updates also often require reboots in addition to this downtime. So much for a stable flag, but more importantly i need to know if this behavior is undesirable for running middle/exit relays? If so, would a bridge be better suitable with the tools i have at hand?"
The main reason we strive for stable, rock-solid relays is for connectivity. If you have ever used SSH/IRC via Tor, you know how annoying it is when you get disconnected. This is likely because one of the 3 relays went offline. I would say a machine that goes offline every 2-4 days would be beyond acceptable; but one that goes offline every few hours is ridiculous. Just keep in mind that everytime you shut down your system, you close a lot of folk's connections, and some software wasn't made to handle that without it being a pain in the ass (ie PuTTY; you'll have to retype your password).
You shouldn't have to power off that often. If so, consider reconfiguring your OS or switching your OS to a more stable one; my favorite is FreeBSD, never have to reboot for anything, but I'm not going to start preaching here.
bridges
I have no experience running a bridge, and I don't feel rather comfortable telling you the wrong information. I would perform a few more searches.
Feel free to reply and I should be able to get back to you in a timely manner.
On Fri, Dec 5, 2014 at 4:43 PM, TT tbr66@riseup.net wrote:
I'm thinking of running a relay, and i've a few questions regarding the requirements and the general setup. So far this is just planning.
The hardware would be clean and in my possession, but the connection would go through a Swedish-based VPN provider because i'm not interested in running it through my own IP address. The provider endorses Tor and places no limits whatsoever on the services run through their connection, has port forwarding and allows exits, so no issues there. They also have a strict no-logging policy, but words are cheap so you never know.
I guess the first question should be whether such a relay would be welcome on the Tor network in the first place? I am aware that connecting to Tor through a VPN isn't generally recommended, but what about running a relay through one? Better idea, or a ridiculously bad one?
Second, while it would run on a (nearly) dedicated 100mbit connection, i do not have dedicated equipment. The machine needs to be taken offline between every 2-4 weeks, for some days at a time. Frequent OS updates also often require reboots in addition to this downtime. So much for a stable flag, but more importantly i need to know if this behavior is undesirable for running middle/exit relays? If so, would a bridge be better suitable with the tools i have at hand?
Third, regarding running bridges. The Tor Project FAQ states running your own bridge might improve your own anonymity. I assume this means you would manually set up your TBB to connect to *your own* bridge, is this correct? And finally, since the bridge would run on a separate (VPN) IP address, would this make a difference (re:anonymity) for better or worse if you connected through it yourself? I'm likely missing something here because it seems it would basically be the same as simply connecting to Tor through the VPN client alone.
Thanks.
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
"I guess the first question should be whether such a relay would be
welcome on the Tor network in the first place? I am aware that connecting to Tor through a VPN isn't generally recommended, but what about running a relay through one? Better idea, or a ridiculously bad one?" It isn't a better idea, certainly; but it isn't so bad as to throw it out entirely. Since all non-exit communications are encrypted, there wouldn't be any huge "no-nos" as far as that is concerned.
However, with an exit node, (some) communications aren't encrypted. It really boils down to whether or not you trust your provider. However, the same can be said with a VPS provider! I would not be concerned about it; please add your relay to the network.
"Second, while it would run on a (nearly) dedicated 100mbit
connection, i do not have dedicated equipment. The machine needs to be taken offline between every 2-4 weeks, for some days at a time. Frequent OS updates also often require reboots in addition to this downtime. So much for a stable flag, but more importantly i need to know if this behavior is undesirable for running middle/exit relays? If so, would a bridge be better suitable with the tools i have at hand?"
The main reason we strive for stable, rock-solid relays is for connectivity. If you have ever used SSH/IRC via Tor, you know how annoying it is when you get disconnected. This is likely because one of the 3 relays went offline. I would say a machine that goes offline every 2-4 days would be beyond acceptable; but one that goes offline every few hours is ridiculous. Just keep in mind that everytime you shut down your system, you close a lot of folk's connections, and some software wasn't made to handle that without it being a pain in the ass (ie PuTTY; you'll have to retype your password).
You shouldn't have to power off that often. If so, consider reconfiguring your OS or switching your OS to a more stable one; my favorite is FreeBSD, never have to reboot for anything, but I'm not going to start preaching here.
bridges
I have no experience running a bridge, and I don't feel rather comfortable telling you the wrong information. I would perform a few more searches.
Feel free to reply and I should be able to get back to you in a timely manner.
Thanks for the reply. Regarding the downtime, it isn't about issues with stability or performance, it's about physically removing the device for a couple days at a time. The machine will be incapable of running the relay during that period, and i'm afraid there is simply no other way around that currently. As i said, this would only happen once or twice a month so the average uptime should be around 22-25 days out of every 30. I have tested running a relay a year or two ago, and i recall Vidalia giving you an option to shutdown gracefully. Is this behavior present in the current Tor installation as well, when shutting down from the terminal? Naturally this would be the preferred way to shutdown a node.
Regarding trust issues, i suppose you could say the same about running any cloud instances with Amazon, yet this is endorsed by the Tor Project. Only, in that case you cannot even guarantee physical safety for the machines, which in this case i could. But isn't it the same otherwise, you have no idea whether the cloud host is or is not snooping around exit traffic? My information about this is very limited, feel free to correct me anytime i go astray.
I'll continue reading about bridges, but i welcome anyone knowledgeable about them to contribute their experiences. I find tech talk very difficult to digest, even though the Tor Project documents are laid out in an orderly fashion.
Is it possible that your relay can be online for those 22-25 days straight and then hibernate for the rest of the month instead, or must it be the case of every few days? If it could be online for that period as a single block that would be far better.
Also you are correct on the physical safety of the device, which is why running it at home or in a secure environment (ie a good datacenter) is the best approach. However, physical and even server security isn't the threat to anonymity, the intelligence agencies can gather almost as much information from tapping the backbone cables and IXP's as they would running their own or hijacking yours. Generally datacenters are recommended rather than running it at home as it is usually cheaper, lower risk of your door being busted down (of which I have experience in being the target of raids) and it more stable.
I would not at all recommend you use a VPN to route your relay traffic through as this merely passes the burden onto somebody else who may not be entirely comfortable with you doing this without asking in advance. Furthermore, it offers no more security to the circuits your relay is a part of and I would argue it could actually hurt anonymity since you are giving a third party access to the traffic information of your server.
Also, Tor Project only really recommends bridges be run in the Amazon cloud due to the small deployment and low cost, with the IP included in that and for bridges the IP is the real resource as opposed to disk space, bandwidth or CPU power. Therefore it enables lots of new bridges to be brought online easily, cheaply and without the complications or additional considerations that would be required in bringing online an exit relay for example.
-T
On 2014-12-05 22:13, TT wrote:
"I guess the first question should be whether such a relay would be welcome on the Tor network in the first place? I am aware that connecting to Tor through a VPN isn't generally recommended, but what about running a relay through one? Better idea, or a ridiculously bad one?"
It isn't a better idea, certainly; but it isn't so bad as to throw it out entirely. Since all non-exit communications are encrypted, there wouldn't be any huge "no-nos" as far as that is concerned.
However, with an exit node, (some) communications aren't encrypted. It really boils down to whether or not you trust your provider. However, the same can be said with a VPS provider! I would not be concerned about it; please add your relay to the network.
"Second, while it would run on a (nearly) dedicated 100mbit connection, i do not have dedicated equipment. The machine needs to be taken offline between every 2-4 weeks, for some days at a time. Frequent OS updates also often require reboots in addition to this downtime. So much for a stable flag, but more importantly i need to know if this behavior is undesirable for running middle/exit relays? If so, would a bridge be better suitable with the tools i have at hand?"
The main reason we strive for stable, rock-solid relays is for connectivity. If you have ever used SSH/IRC via Tor, you know how annoying it is when you get disconnected. This is likely because one of the 3 relays went offline. I would say a machine that goes offline every 2-4 days would be beyond acceptable; but one that goes offline every few hours is ridiculous. Just keep in mind that everytime you shut down your system, you close a lot of folk's connections, and some software wasn't made to handle that without it being a pain in the ass (ie PuTTY; you'll have to retype your password).
You shouldn't have to power off that often. If so, consider reconfiguring your OS or switching your OS to a more stable one; my favorite is FreeBSD, never have to reboot for anything, but I'm not going to start preaching here.
bridges
I have no experience running a bridge, and I don't feel rather comfortable telling you the wrong information. I would perform a few more searches.
Feel free to reply and I should be able to get back to you in a timely manner.
Thanks for the reply. Regarding the downtime, it isn't about issues with stability or performance, it's about physically removing the device for a couple days at a time. The machine will be incapable of running the relay during that period, and i'm afraid there is simply no other way around that currently. As i said, this would only happen once or twice a month so the average uptime should be around 22-25 days out of every 30. I have tested running a relay a year or two ago, and i recall Vidalia giving you an option to shutdown gracefully. Is this behavior present in the current Tor installation as well, when shutting down from the terminal? Naturally this would be the preferred way to shutdown a node.
Regarding trust issues, i suppose you could say the same about running any cloud instances with Amazon, yet this is endorsed by the Tor Project. Only, in that case you cannot even guarantee physical safety for the machines, which in this case i could. But isn't it the same otherwise, you have no idea whether the cloud host is or is not snooping around exit traffic? My information about this is very limited, feel free to correct me anytime i go astray.
I'll continue reading about bridges, but i welcome anyone knowledgeable about them to contribute their experiences. I find tech talk very difficult to digest, even though the Tor Project documents are laid out in an orderly fashion. _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Is it possible that your relay can be online for those 22-25 days straight and then hibernate for the rest of the month instead, or must it be the case of every few days? If it could be online for that period as a single block that would be far better.
Also you are correct on the physical safety of the device, which is why running it at home or in a secure environment (ie a good datacenter) is the best approach. However, physical and even server security isn't the threat to anonymity, the intelligence agencies can gather almost as much information from tapping the backbone cables and IXP's as they would running their own or hijacking yours. Generally datacenters are recommended rather than running it at home as it is usually cheaper, lower risk of your door being busted down (of which I have experience in being the target of raids) and it more stable.
I would not at all recommend you use a VPN to route your relay traffic through as this merely passes the burden onto somebody else who may not be entirely comfortable with you doing this without asking in advance. Furthermore, it offers no more security to the circuits your relay is a part of and I would argue it could actually hurt anonymity since you are giving a third party access to the traffic information of your server.
Also, Tor Project only really recommends bridges be run in the Amazon cloud due to the small deployment and low cost, with the IP included in that and for bridges the IP is the real resource as opposed to disk space, bandwidth or CPU power. Therefore it enables lots of new bridges to be brought online easily, cheaply and without the complications or additional considerations that would be required in bringing online an exit relay for example.
-T
Hi, i might have explained the scenario a bit poorly. The machine doesn't go offline every few days but every few weeks, and then for a few days at a time. Nothing to be done about that.
Busting down doors is pretty much spot on about the reason i am unwilling to run the relay on my own IP address: i've read enough news about overzealous law enforcement in my country (non-Tor related, but still), and i'm certainly not going to face the public harassment and general fuss of an unnecessary and very embarrassing seizure.
Regarding the VPN provider's consent - i have asked for permission and they fully endorse running a Tor relay through their services, which means they are ready and willing to handle any and all abuse issues. I'm not sure about the anonymity side of things, which is exactly why i came here asking for opinions, experiences and general advice. All input is very much appreciated.
In the end, in my case, it comes down to either contributing a VPN-tunneled machine for ~25 days a month to the Tor network, or keeping it away from it. If the VPN part is too compromising i'll have to put the thought on hold, but i'll keep on reading in the meantime.
On Sat, Dec 6, 2014, at 12:10 AM, TT wrote:
Busting down doors is pretty much spot on about the reason i am unwilling to run the relay on my own IP address: i've read enough news about overzealous law enforcement in my country (non-Tor related, but still), and i'm certainly not going to face the public harassment and general fuss of an unnecessary and very embarrassing seizure.
I don't know exactly how VPNs work, but it seems to me that if you run an exit relay at home and tunnel all connections through the VPN, the VPN provider (and LE when they take an interest) will have no way of distinguishing between your exit relay accessing illegal content via the VPN tunnel, and *you* accessing the illegal content via the VPN tunnel. Therefore you are at the same risk of raid and seizure (once the VPN provider tells LE where to find you) as if you used your own IP. Someone correct me if I'm wrong. GD
On 12/05/2014 05:41 PM, Geoff Down wrote:
On Sat, Dec 6, 2014, at 12:10 AM, TT wrote:
Busting down doors is pretty much spot on about the reason i am unwilling to run the relay on my own IP address: i've read enough news about overzealous law enforcement in my country (non-Tor related, but still), and i'm certainly not going to face the public harassment and general fuss of an unnecessary and very embarrassing seizure.
I don't know exactly how VPNs work, but it seems to me that if you run an exit relay at home and tunnel all connections through the VPN, the VPN provider (and LE when they take an interest) will have no way of distinguishing between your exit relay accessing illegal content via the VPN tunnel, and *you* accessing the illegal content via the VPN tunnel. Therefore you are at the same risk of raid and seizure (once the VPN provider tells LE where to find you) as if you used your own IP. Someone correct me if I'm wrong. GD
Yes, that is an issue. It's not enough that the VPN provider allows you to run a Tor exit. You must also trust that they won't reveal your identity to LEA, when pressed. And you must trust that LEA can't get logs from the VPN provider's ISP or hosting provider.
There's also the issue that all Tor traffic will traverse the VPN link in both directions. That adds latency, and doubles your traffic cost. It's also a very distinctive traffic signature.
You could hide your identity from the VPN provider, by connecting through some impromptu mix network, and paying with well-mixed Bitcoins. You could use a nested chain of VPNs, and perhaps add JonDonym to the mix for better anonymity. That would increase latency and reduce bandwidth even more. But it might increase anonymity.
Overall, using a hosted VPS is probably best.
Yes, that is an issue. It's not enough that the VPN provider allows you to run a Tor exit. You must also trust that they won't reveal your identity to LEA, when pressed. And you must trust that LEA can't get logs from the VPN provider's ISP or hosting provider.
There's also the issue that all Tor traffic will traverse the VPN link in both directions. That adds latency, and doubles your traffic cost. It's also a very distinctive traffic signature.
You could hide your identity from the VPN provider, by connecting through some impromptu mix network, and paying with well-mixed Bitcoins. You could use a nested chain of VPNs, and perhaps add JonDonym to the mix for better anonymity. That would increase latency and reduce bandwidth even more. But it might increase anonymity.
Overall, using a hosted VPS is probably best. _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
I believe i understand. My logic for using the VPN was that it would offer me one layer of potential protection, in case my relay would attract unwanted attention. I have nothing to fear in terms of being found with illegal content whatsoever, but a raid can still possibly ruin one's life because, well, some accusations are never forgotten no matter how unwarranted they were later found to be.
This appears to be one of the most inhibiting factors for people to run Tor relays. It's a shame, but i'll bury the idea for now then. I need the VPN service for myself with or without Tor, paying for additional hosting is not possible.
Thanks all for your replies.
A VPS in a foreign country can be very cheap hired on an annual basis.
I'm paying $14 for 5 TB a month with little trouble and nil risk.
Rob
On 12/05/2014 10:57 PM, Austin Bentley wrote:
The main reason we strive for stable, rock-solid relays is for connectivity. If you have ever used SSH/IRC via Tor, you know how annoying it is when you get disconnected. This is likely because one of the 3 relays went offline. I would say a machine that goes offline every 2-4 days would be beyond acceptable;
I do follow closely the latest hardened Gentoo linux kernel, therefore I do reboot every 1-2 weeks (when is KPatch/K>Graft alive ???). For that I shutdown Tor "gracefully" (--signal INT -R 60). I wa in the mood, that this would mean, that Tor closes their connections gracefully, so a new relay will "replace" my current tor relays connections :-/
tor-relays@lists.torproject.org
-
Austin Bentley -
Geoff Down -
I -
Mirimir -
thomaswhite@riseup.net -
Toralf Förster -
TT