[tor-relays] How to use our own TOR relay as entry node for local network hosts

s7r s7r at sky-ip.org
Sat May 23 18:38:35 UTC 2015



Hi

Glad you understood what you are doing wrong. In this case, you can
use your relay as a guard for the clients in your network. See in my
previous email suggestion #2, and all your clients will have the
desired guard. Install Tor browser on each client and don't use proxy
setting, connect directly with StrictNodes and EntryNode.

Cheers!
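For reference, here are the torrc lines behind the setup discussed in the thread below: the proxy line that produced Tor-through-Tor, and the client and relay settings for suggestions #2 and #3 from the earlier reply. This is an added example, not configuration from the original thread; the fingerprint and aa.bb.cc.dd addresses are placeholders to replace with your own values.

```conf
# === Tor Browser torrc on a LAN client: the Tor-through-Tor mistake ===
# Pointing the client's own Tor at polipo on the relay makes the client
# build its circuit *through* the relay's Tor client, so the relay can
# never appear as the first hop. Do not set this line.
# HTTPSProxy aa.bb.cc.dd:8118            (polipo on the relay; remove)

# === Suggestion #2: Tor Browser on each client, no proxy, pinned guard ===
# Direct connection; the relay must hold the Guard flag (check Atlas).
# EntryNodes takes the relay's 40-hex-digit fingerprint with a leading
# '$' (all-zero placeholder below). Behind NAT the clients reach the
# relay via its public IP, as listed in the consensus.
EntryNodes $0000000000000000000000000000000000000000
StrictNodes 1

# === Suggestion #3, relay side: a private bridge instead of a relay ===
# Nothing is published to the directory authorities, so there is no
# Guard flag, uptime or bandwidth requirement, and strangers cannot find
# the bridge. (Lines commented out because they belong in the bridge's
# torrc, not the client's.)
# BridgeRelay 1
# PublishServerDescriptor 0
# ORPort 443
# ExitPolicy reject *:*

# === Suggestion #3, client side (each Tor Browser torrc) ===
# Connect directly to the bridge by ip:port, no proxy setting; the
# trailing fingerprint is optional but pins the bridge identity.
# UseBridges 1
# Bridge aa.bb.cc.dd:443 0000000000000000000000000000000000000000
```

Use either the #2 lines or the #3 client lines in a given client torrc, not both.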



On 5/23/2015 3:14 PM, Tor User wrote:
> Hi s7r,
> 
> Thank you for your reply.  There's a lot of good info in it and
> I'll be reconfiguring the clients.
> 
> The fact that I've been doing Tor-through-Tor unawares explains a
> lot. It did seem odd to have polipo in the mix, but it makes sense
> now, that would only be if the LAN clients weren't already running
> their own Tor clients (running TBB).
> 
> Our public Tor relay is an entry guard.  We don't allow any exiting
> with it but it's stable, fast, HSDir, etc. and has the guard flag.
> 
> 
> 
> On 05/20/2015 07:05 AM, s7r wrote:
> Hello,
> 
> On 5/20/2015 12:07 PM, Tor User wrote:
>>>> Hello,
>>>> 
>>>> We have been operating a moderately successful public tor
>>>> relay for a while now.   Having read about how TOR works back
>>>> a couple of years ago, I was more or less sold on the idea
>>>> that if traffic originating on your local network uses your
>>>> own TOR relay as the first hop (entry node), then by the time
>>>> your traffic has left your tor relay, people in the middle
>>>> can't tell the difference between traffic originating from
>>>> your network and other (relayed) traffic passing through your
>>>> TOR relay.
>>>> 
> It's Tor, not TOR or tor.
> 
>>>> I also understand that this still doesn't protect you from an
>>>> exit node being able to see your traffic (and why you should
>>>> use HTTPS with a high-quality cipher if it's really
>>>> important), and that there are other ways your traffic can be
>>>> analyzed -- but all in all, I would rather our TOR traffic
>>>> enter the TOR network through a relay I *KNOW* I can trust
>>>> (mine!) than leave it to chance.
>>>> 
> You could run your own *Exit* node on your network, and use that as
> a static exit point, which will mix the traffic in your local
> network with the traffic of other Tor users, and you won't have to
> fear that the Exit node you are using is malicious and is logging
> your traffic or doing strange stuff with it.
> 
>>>> We have polipo running on our public TOR relay, configured
>>>> to accept traffic from our local subnets.  We've basically
>>>> followed the info in this TOR doco:
>>>> 
>>>> https://trac.torproject.org/projects/tor/wiki/doc/CentralizedTorServer
>>>> 
>>>> The TOR browser bundle appears to function correctly, i.e., it is
>>>> able to start up, open circuits, etc. and we get the
>>>> expected Congratulations! page opening a new browser window.
>>>> But when clicking the green onion to show the circuit of
>>>> relays handling the browser's connection, our relay is never
>>>> the first hop.
>>>> 
>>>> I'm using TBB 5.01a on one particular system, and for an
>>>> example, it shows this for the circuit:
>>>> 
>>>> - This browser - Austria (aa.bb.cc.dd) - Germany
>>>> (ee.ff.gg.hh) - Guatemala (ii.jj.kk.ll) - Internet
>>>> 
> The way I understand it, it looks to me that you are confusing 2 
> things. When you enabled polipo on the Tor relay in your network,
> you just enabled a http-proxy which forwards the requests to the
> Socks5 proxy opened by the Tor client running on that relay (same
> Tor instance). When you run a Tor relay, the client functionality
> is also enabled by default, unless you specify SocksPort 0 in the
> torrc file.
> 
> The Centralized Tor Server allows you to have one Tor
> client/instance for multiple computers in the same network. You
> need to run only one Tor instance on one server, and the other
> users in the network do not need to run own local Tor client
> instances, otherwise they will just be using Tor-through-Tor which
> is a terrible idea and it hurts anonymity in an unknown way.
> 
> The relay you are running can never be the first hop, because the 
> second Tor client running on your workstation is selecting another 
> first hop and it is using it through the polipo proxy you've
> provided. In simple words, you are doing Tor-through-Tor and it is
> very very wrong.
> 
> 
>>>> I have tried defining an EntryNodes statement with the
>>>> $fingerprint of our TOR relay and setting StrictNodes 1 in
>>>> the TBB's torrc file, but it can't ever establish a circuit
>>>> when I try this.  We get messages like this logged on the
>>>> browser's tor:
>>>> 
>>>> 05/20/2015 04:21:20.700 [WARN] Failed to find node for hop 0
>>>> of our path. Discarding this circuit. 05/20/2015 04:21:20.700
>>>> [WARN] Failed to find node for hop 0 of our path. Discarding
>>>> this circuit. 05/20/2015 04:21:20.900 [NOTICE] Closing 
>>>> no-longer-configured Socks listener on 127.0.0.1:9150
>>>> 05/20/2015 04:21:20.900 [NOTICE] DisableNetwork is set. Tor
>>>> will not make or accept non-control network connections.
>>>> Shutting down all existing connections. 05/20/2015
>>>> 04:21:20.900 [NOTICE] Closing old Socks listener on
>>>> 127.0.0.1:9150 05/20/2015 04:21:21.700 [NOTICE] Delaying
>>>> directory fetches: DisableNetwork is set.
>>>> 
> Of course, you are trying to connect to server let's call it 'Bob'
> via a polipo proxy running also on the same server 'Bob', e.g.
> trying to connect back to self in a strange way which Tor forbids
> for security reasons.
> 
>>>> Is it possible to define your desired entry node via IP
>>>> address and port, or some other way that does not require a
>>>> successful directory connection/circuit first?  (so it can
>>>> find the relay by its fingerprint)? It seems like a chicken
>>>> vs. egg problem...  Or what about defining a directory for
>>>> the client to use by its IP/port?  We are operating a public
>>>> directory as well.
>>>> 
> No, that is not possible. Does your relay have the Guard flag so
> it can be used as the first hop? Check on
> https://atlas.torproject.org/ and let us know what flags you have
> for your relay. It needs to be fast and up most of the time in
> order to get the Guard flag.
> 
>>>> I can't find any info about this or other approaches
>>>> anywhere.
>>>> 
>>>> So I always end up removing the EntryNodes and StrictNodes 
>>>> statement from TBB's torrc file, leaving only the HTTPSProxy 
>>>> aa.bb.cc.dd:<polipo-listen-port> statement in there with the 
>>>> DataDirectory, GeoIPFile, and GeoIPv6File statements.  It
>>>> gets the TBB's on our network to the local polipo proxy,
>>>> which in turn forwards the traffic to our public TOR relay.
>>>> TBB works fine, but I don't think our TOR relay is the one
>>>> getting to see our traffic with the original source address
>>>> with this setup.
>>>> 
> I explained above why. You are using Tor through Tor. Running a
> Tor client on a computer in your network via another Tor client
> running in the same instance with the Tor relay (and polipo
> proxy).
> 
> 
>>>> It is definitely possible, likely even, that I am
>>>> misunderstanding parts of how this is supposed to work or how
>>>> a central TOR relay/proxy is supposed to be configured.  But
>>>> it doesn't seem to me that proxying our local network's TBB
>>>> clients' traffic through the polipo instance on our public
>>>> TOR relay means that our TOR traffic is being "anonymized" as
>>>> to where it originated from before it gets to the first node
>>>> in the circuit - or we would be seeing our TOR relay as the
>>>> first hop when we look at the circuit in "the green onion
>>>> button".
>>>> 
>>>> If I'm wrong about this, that's great - I'd love to see some 
>>>> documentation to explain it better if you have any links
>>>> handy. But if I'm right, how can I configure our TBB clients
>>>> to actually MAKE them use our TOR proxy as their entry node?
>>>> 
> I do not see any benefits in using a Guard on your local network,
> I just don't see the point of it. You can do the following:
> 
> 1. The centralized Tor server, as explained above, means you have
> to run only one Tor instance for all the computers in your network.
> This means you don't need Tor on all of the other computers in
> your network, and the entry point (Guard) needs to be defined on
> the Tor centralized server (in your case relay) only, and it will
> affect all the clients in the network using it. You will not be
> able to see circuit info (such as path) on the computers using this
> centralized Tor server because they won't have access to the Tor
> control port, which is totally normal.
> 
> On the computers in your network you can just use Firefox with
> some privacy plugins and route all traffic (including DNS) through
> the polipo proxy, running on the Tor centralized server / relay.
> 
> If the centralized Tor server is also a relay, it cannot also be
> its first hop. E.g. client -> relay-on-the-same-instance-as-client
> -> middle -> exit ;; this will not work for obvious reasons.
> 
> Want a centralized Tor server and a Guard relay at the same time?
> Just run the relay someplace else, and use StrictNodes and
> EntryNode on that server. I doubt this is what you want since you
> installed Tor Browser on the computers in the network as well.
> 
> You can run a centralized Tor server with polipo and a Tor relay
> on the same server, but that Tor client cannot use its relay 
> functionality running on the same machine as the first hop.
> 
> 2. Disable the polipo proxy on your Tor relay, you do not need
> that. Use Tor Browser on every computer in your network with
> normal settings, no proxy setup, just direct connection and
> StrictNodes and EntryNode $fingerprint-of-your-relay. For this,
> your relay needs the Guard flag. If you are behind NAT, it will use
> the public IP to connect to the relay on your network since that is
> what your Tor client(s) will understand from the consensus data
> file.
> 
> 3. Disable the polipo proxy on the Tor relay in your network, you
> do not need that. Run a bridge instead of a relay. Make it a non
> public bridge (PublishServerDescriptor 0) and run Tor Browser on all
> the computers in your network with UseBridges 1 and define the
> ip:port of your bridge and connect it directly, no proxy setting.
> This way other 'strangers' won't be able to use your bridge and you
> will also not need the Guard flag or uptime and bandwidth
> requirements.
> 
> 
> Hope this helps. If you don't understand something, please ask
> again, it's important for you to understand what you are doing not
> just follow instructions.
> 
>>>> Thanks, Tor User
>>>> 
>>>> 
>>>> 
>>>> 
>>>> _______________________________________________ tor-relays
>>>> mailing list tor-relays at lists.torproject.org 
>>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays