[tor-relays] How to use our own TOR relay as entry node for local network hosts

s7r s7r at sky-ip.org
Wed May 20 11:05:13 UTC 2015

Hash: SHA256


On 5/20/2015 12:07 PM, Tor User wrote:
> Hello,
> We have been operating a moderately successful public tor relay for
> a while now.   Having read about how TOR works back a couple of
> years ago, I was more or less sold on the idea that if traffic
> originating on your local network uses your own TOR relay as the
> first hop (entry node), then by the time your traffic has left your
> tor relay, people in the middle can't tell the difference between
> traffic originating from your network and other (relayed) traffic
> passing through your TOR relay.

It's Tor, not TOR or tor.

> I also understand that this still doesn't protect you from an exit
> node being able to see your traffic (and why you should use HTTPS
> with a high-quality cipher if it's really important), and that
> there are other ways your traffic can be analyzed -- but all in
> all, I would rather our TOR traffic enter the TOR network through a
> relay I *KNOW* I can trust (mine!) than leave it to chance.

You could run your own *Exit* node on your network, and use that as a
static exit point, which will mix the traffic in your local network
with the traffic of other Tor users, and you won't have to fear that
the Exit node you are using is malicious and is logging your traffic
or doing strange stuff with it.

> We have polipo running on our public TOR relay, configured to
> accept traffic from our local subnets.  We've basically followed
> the info in this TOR doco:
> https://trac.torproject.org/projects/tor/wiki/doc/CentralizedTorServer
>  The TOR browser bundle appears to function correctly, ie, it is
> able to start up, open circuits, etc. and we get the expected
> Congratulations! page opening a new browser window.  But when
> clicking the green onion to show the circuit of relays handling the
> browser's connection, our relay is never the first hop.
> I'm using TBB 5.01a on one particular system, and for an example,
> it shows this for the circuit:
> - This browser - Austria (aa.bb.cc.dd) - Germany (ee.ff.gg.hh) -
> Guatemala (ii.jj.kk.ll) - Internet

The way I understand it, it looks to me that you are confusing 2
things. When you enabled polipo on the Tor relay in your network, you
just enabled a http-proxy which forwards the requests to the Socks5
proxy opened by the Tor client running on that relay (same Tor
instance). When you run a Tor relay, the client functionality is also
enabled by default, unless you specify SocksPort 0 in the torrc file.

The Centralized Tor Server allows you to have one Tor client/instance
for multiple computers in the same network. You need to run only one
Tor instance on one server, and the other users in the network do not
need to run own local Tor client instances, otherwise they will just
be using Tor-through-Tor which is a terrible idea and it hurts
anonymity in an unknown way.

The relay you are running can never be the first hop, because the
second Tor client running on your workstation is selecting another
first hop and it is using it through the polipo proxy you've provided.
In simple words, you are doing Tor-through-Tor and it is very very wrong

> I have tried defining an EntryNodes statement with the $fingerprint
> of our TOR relay and setting StrictNodes 1 in the TBB's torrc file,
> but it can't ever establish a circuit when I try this.  We get
> messages like this logged on the browser's tor:
> 05/20/2015 04:21:20.700 [WARN] Failed to find node for hop 0 of our
> path. Discarding this circuit. 05/20/2015 04:21:20.700 [WARN]
> Failed to find node for hop 0 of our path. Discarding this
> circuit. 05/20/2015 04:21:20.900 [NOTICE] Closing
> no-longer-configured Socks listener on 05/20/2015
> 04:21:20.900 [NOTICE] DisableNetwork is set. Tor will not make or
> accept non-control network connections. Shutting down all existing 
> connections. 05/20/2015 04:21:20.900 [NOTICE] Closing old Socks
> listener on 05/20/2015 04:21:21.700 [NOTICE]
> Delaying directory fetches: DisableNetwork is set.

Of course, you are trying to connect to server let's call it 'Bob' via
a polipo proxy running also on the same server 'Bob', e.g. trying to
connect back to self in a strange way which Tor forbids for security

> Is it possible to define your desired entry node via IP address and
> port, or some other way that does not require a successful
> directory connection/circuit first?  (so it can find the relay by
> its fingerprint)? It seems like a chicken vs. egg problem...  Or
> what about defining a directory for the client to use by its
> IP/port?  We are operating a public directory as well.

No, that is not possible. Does your relay have the Guard flag so it
can be used as the first hop? Check on https://atlas.torproject.org/
and let us know what flags you have for your relay. It needs to be
fast and up most of the time in order to get the Guard flag.

> I can't find any info about this or other approaches anywhere.
> So I always end up removing the EntryNodes and StrictNodes
> statement from TBB's torrc file, leaving only the HTTPSProxy 
> aa.bb.cc.dd:<polipo-listen-port> statement in there with the 
> DataDirectory, GeoIPFile, and GeoIPv6File statements.  It gets the
> TBB's on our network to the local polipo proxy, which in turn
> forwards the traffic to our public TOR relay.  TBB works fine, but
> I don't think our TOR relay is the one getting to see our traffic
> with the original source address with this setup.

I explained above why. You are using Tor through Tor. Running a Tor
client on a computer in your network via another Tor client running in
the same instance with the Tor relay (and polipo proxy).

> It is definitely possible, likely even, that I am misunderstanding
> parts of how this is supposed to work or how a central TOR
> relay/proxy is supposed to be configured.  But it doesn't seem to
> me that proxying our local network's TBB clients' traffic through
> the polipo instance on our public TOR relay means that our TOR
> traffic is being "anonymized" as to where it originated from before
> it gets to the first node in the circuit - or we would be seeing
> our TOR relay as the first hop when we look at the circuit in "the
> green onion button".
> If I'm wrong about this, that's great - I'd love to see some
> documentation to explain it better if you have any links handy.
> But if I'm right, how can I configure our TBB clients to actually
> MAKE them use our TOR proxy as their entry node?

I do not see any benefits in using a Guard on your local network, I
just don't see the point of it. You can do the following:

1. The centralized Tor server, as explained above, means you have to
run only one Tor instance for all the computers in your network. This
means you don't need Tor on all of the other computers in your
network, and the entry point (Guard) needs to be defined on the Tor
centralized server (in your case relay) only, and it will affect all
the clients in the network using it. You will not be able to see
circuit info (such as path) on the computers using this centralized
Tor server because they won't have access to the Tor control port,
which is totally normal.

On the computers in your network you can just use Firefox with some
privacy plugins and route all traffic (including DNS) through the
polipo proxy, running on the Tor centralized server / relay.

If the centralized Tor server is also a relay, it cannot also be its
first hop. E.r. client -> relay-on-the-same-instance-as-client ->
middle -> exit ;; this will not work for obvious reasons.

Want a centralized Tor server and a Guard relay at the same time? Just
run the relay someplace else, and use StrictNodes and EntryNode on
that server. I doubt this is what you want since you installed Tor
Browser on the computers in the network as well.

You can run a centralized Tor server with polipo and a Tor relay on
the same server, but that Tor client cannot use its relay
functionality running on the same machine as the first hop.

2. Disable the polipo proxy on your Tor relay, you do not need that.
Use Tor Browser on every computer in your network with normal
settings, no proxy setup, just direct connection and StrictNodes and
EntryNode $fingerprint-of-your-relay. For this, your relay needs the
Guard flag. If you are behind NAT, it will use the public IP to
connect to the relay on your network since that is what your Tor
client(s) will understand from the consensus data file.

3. Disable the polipo proxy on the Tor relay in your network,  you do
not need that. Run a bridge instead of a relay. Make it a non public
bride (PublishServerDescriptor 0) and run Tor Browser on all the
computers in your network with UseBridges 1 and define the ip:port of
your bridge and connect it directly, no proxy setting. This way other
'strangers' won't be able to use your bridge and you will also not
need the Guard flag or uptime and bandwidth requirements.

Hope this helps. If you don't understand something, please ask again,
it's important for you to understand what you are doing not just
follow instructions.

> Thanks, Tor User
> _______________________________________________ tor-relays mailing
> list tor-relays at lists.torproject.org 
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Version: GnuPG v2.0.22 (MingW32)


More information about the tor-relays mailing list