[tor-dev] The Torouter and the DreamPlug
jacob at appelbaum.net
Thu Jun 9 19:50:09 UTC 2011
On Thu, Jun 9, 2011 at 7:34 PM, Runa A. Sandvik <runa.sandvik at gmail.com> wrote:
> On Thu, Jun 9, 2011 at 4:55 PM, Jacob Appelbaum <jacob at appelbaum.net>
> > On Thu, Jun 9, 2011 at 2:57 PM, Runa A. Sandvik <runa.sandvik at gmail.com>
> > wrote:
> >> On Wed, Jun 8, 2011 at 4:02 PM, Andrew Lewman <andrew at torproject.org>
> >> wrote:
> >> > On Tue, 7 Jun 2011 15:36:45 -0700
> >> > Jacob Appelbaum <jacob at appelbaum.net> wrote:
> >> >
> >> >> > We would also need a way for users to easily change the hashed
> >> >> > password. I can't remember if this is a feature that is already
> >> >> > present in Vidalia.
> >> >> Yes, we do need a way to change the password. We will also need a way
> >> >> to reset the password if the user is locked out of the control port.
> >> >> generally think that this means we'll need a web UI... :-)
> >> >
> >> > It's built into vidalia. Just click Advanced and you can change the
> >> > password all you want.
> >> >
> >> >> I think the best thing is to make an autoconfiguring device with a
> >> >> web UI; we can easily rate limit Tor to something reasonable and make
> >> >> it a middle node by default. In all cases it stands alone and simply
> >> >> plugging it into a wall (power/ethernet) will provide more capacity
> >> >> to the network if the OR port is reachable (ala tor-fw-helper + tor +
> >> >> init.d scripts to start Tor on boot).
> >> >
> >> > Most of me wants to wait for the freedombox people to derive their web
> >> > interface, and then we can plug tor into it. I realize this could be
> >> > years at the current rate of progress. If someone whips up a quick
> >> > interface that isn't a security nightmare, we could use that until
> >> > freedombox has something tangible.
> >> Yeah, I was hoping the freedombox people would have something we could
> >> use. Doesn't seem like it, though. I think that, at some point, we
> >> should create a web ui for the dreamplug. But not having one right now
> >> should not be a blocker for the dreamplug-torouter.
> > Well, I'm not sure what you mean... The FB is just a Debian machine. Pick
> > web server, write a cgi and perhaps that will be the main interface? :-)
> > email the FBF list and ask. Perhaps the best web UI is one that is
> > written? Is the web UI for the Excito free software?
> I was hoping there would be an existing ui that we could just plug Tor
> into, just like we did with the Excito B3 interface.
I think it's fine to ship one web interface for us now and find a good
integration point with the Freedom Box later...
> >> > I suggest we ship the dreamplug with cli access only for those who
> >> > a cheap device to be a bridge or relay.
> >> I guess we can set up dreamplugs as bridges by default and include a
> >> leaflet explaining the steps to take to change the configuration. Do
> >> you think we should touch the default setup of the dreamplug (it
> >> serves an open wifi by default, for example)?
> > I believe that by default we should be shipping middle relays and we
> > be shipping 0.2.3.x with tor-fw-helper enabled by default as well.
> > I think the boxes should be re-flashed to have Debian or a modern Ubuntu
> > locked down except with Tor and OpenSSH as listening services. We also
> > things to sync time and so on.
> Sounds like a plan. I prefer bridge by default, but we can discuss that
What's the rationale there? While we certainly need more bridges, I'd like to
see an increase in relays and encourage more Friend of Friend bridge
sharing. We should include a bunch of common configs and make it easy to
set up. Also, a public relay will be much easier to help with in terms of
setup, I suspect.
> >> > I suggest we ship the excito with the web ui as the easy to use
> >> > option.
> >> Yep, the Tor web ui for the Excito B3 should be ready at the end of the
> >> month.
> > Is it Free Software? Can we use it on the DreamPlug until we have
> > else?
> Yes, it's free software and will be available in the Excito GitHub
> repository when it's released (not sure if it's there already, I don't
> think so). The web interface is probably a bit too "heavy" (and
> includes a good mix of php and perl) for the dreamplug, so we should
> probably look for something else.
Can we rip out everything except the basics? If so, I think their web front
end is perfect and it already has a Tor UI thanks to you... :-)
> >> > In either case, we need to start testing, not keep thinking about what
> >> > we could do. We're going to get a flood of feedback from actual
> >> > testing the excito or dreamplug.
> >> Valid point.
> > I think we need to talk about what we need for the OS. I suspect we need
> > OpenSSH + Tor (tor-fw-helper, etc) + a few stock configuration files +
> > syncing (clockskew for example) + a randomly generated password that we
> > uniquely key for each router in some non-silly way.
> > Is there a trac ticket for the OS part of the Torouter?
> There is now: https://trac.torproject.org/projects/tor/ticket/3374
> We can move the discussion to #3374 if you want.
I'm happy to keep hammering stuff out here and then we can dump the results
into the bug report.
What do you think about a DreamPlug with Debian or Ubuntu? Do we have a
What other software do we need beyond ntp, ssh, tor and a web UI?
Do we want to support a transparent Tor wifi network by default?
I think Ubuntu's latest release is the best in terms of security and in
theory support. It is however not as beloved as Debian for a number of solid
reasons. I think NTP, OpenSSH with key auth (and perhaps fail2ban or
something similar) and password auth, a very minimal web UI but still
functional for real Tor configuration and that's about all we'll need.
I also like the idea of a Tor wifi network by default for laptops like the
CR-48 that I'm using right now. I'd kill to have a way to Torify the laptop
because my main concern isn't privacy from my local network, it's data
retention from the remote hosts... :-/
All the best,
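
The thread asks for a randomly generated control-port password that is unique per router and stored only as a hash. The sketch below is an added example, not part of the original message or of the Torouter project's code: it generates such a password and the matching `HashedControlPassword` torrc line in the format `tor --hash-password` produces (OpenPGP iterated and salted S2K with SHA-1). The function names and the choice of control port 9051 are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets

S2K_INDICATOR = 0x60  # encoded iteration count; decodes to 65536 hashed bytes


def _s2k_digest(password: str, salt: bytes, indicator: int) -> bytes:
    """OpenPGP iterated+salted S2K with SHA-1 over repeated salt||password."""
    count = (16 + (indicator & 15)) << ((indicator >> 4) + 6)
    unit = salt + password.encode("utf-8")
    full, rest = divmod(count, len(unit))
    return hashlib.sha1(unit * full + unit[:rest]).digest()


def hash_control_password(password: str, salt: bytes = None) -> str:
    """Return the value for torrc's HashedControlPassword option."""
    salt = os.urandom(8) if salt is None else salt
    digest = _s2k_digest(password, salt, S2K_INDICATOR)
    return "16:" + (salt + bytes([S2K_INDICATOR]) + digest).hex().upper()


def verify_control_password(password: str, hashed: str) -> bool:
    """Check a candidate password against a stored 16:... hash."""
    raw = bytes.fromhex(hashed.split(":", 1)[1])
    salt, indicator, digest = raw[:8], raw[8], raw[9:]
    candidate = _s2k_digest(password, salt, indicator)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def provision_device():
    """Hypothetical per-router step: new random password plus torrc lines."""
    password = secrets.token_urlsafe(18)  # 144 bits from the OS CSPRNG
    torrc = "ControlPort 9051\nHashedControlPassword %s\n" % (
        hash_control_password(password))
    return password, torrc


if __name__ == "__main__":
    pw, conf = provision_device()
    print("password for this device:", pw)
    print(conf, end="")
```

Only the hash is written to the device's torrc; running `provision_device()` again and replacing those lines is also a reset path when the control port password is lost.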