[tor-relays] forward relay connections

Conrad Rockenhaus conrad at rockenhaus.com
Thu May 23 11:11:48 UTC 2019


> On May 23, 2019, at 3:54 AM, tor-relay at riseup.net wrote:
> 
> I think that a network based too much on remote VMs, with closed source software running on the deepest machine level, is not very resilient and secure.
> 

Actually, it’s very secure. By default, Tor doesn’t log anything but simple notice messages. In addition, if you use Offline Master Keys (https://trac.torproject.org/projects/tor/wiki/doc/TorRelaySecurity/OfflineKeys) the security of your node is greatly enhanced. As long as you have direct root access to the VM, you’re fine. Also, most VMs use OSS hypervisors such as KVM or Xen.

> So the reason why I was thinking to do so is that I wanted to run a small exit relay on a device running only open source software, like Olimex Lime2 does, and under my direct control.
> 
If you really want to use this device as an exit, I would strongly suggest that you don’t do it at home; there are actually a few companies that specialize in colocation for small hardware platforms such as the Lime2.

> The latency from my home and the VM is not so high (45-50 ms), and I was pretty sure that with a proper configuration I didn't risk that users exit through my home connection. But if you say that with such a small bandwidth it can't run properly, I trust you, so I keep a non-exit relay.

That’s actually very high latency to add to the hop because you’re going to add SSH encryption on top of it, which will add more latency, just to get to the VM? I wouldn’t consider it feasible.

Now that I’m thinking about it, you could try finding a VPN provider that allows Tor and using that VPN provider on your Lime2.

-Conrad

> 
> Anyway, thanks for your advice
> 
> On 22/05/19 11:05, nusenu wrote:
>> tor-relay at riseup.net:
>> 
>>> I'm running a non-exit relay on a Debian machine (in the next few
>>> months I will switch to *BSD) on a Lime2.
>>> 
>> I assume you are referring to a relay run at home.
>> 
>> 
>>> I'm running an exit relay
>>> too on a remote VM.
>>> 
>>> I would turn my non-exit relay into an exit one, but for obvious
>>> reasons, I don't want to run it from my shitty ISP IP. I could give
>>> 10-14 mbps from my home connection, so I think that the Lime2 would
>>> be powerful enough to run it properly.
>>> 
>> I would discourage such a setup for the following reasons:
>> 
>> - this setup includes the risk that users will exit
>> through your home broadband IP address (bad!) if tunnels break down
>> - such setups that introduce an additional hop decrease the user experience
>> - most users will not be happy with a "10-14mbps" exit at a home broadband connection
>> - it is not clear to me why you would involve your home IP at all for your exit
>> if you have a VM in a datacenter
>> 
>> 
>> nonetheless, thanks for running relays,
>> nusenu
>> 
>> _______________________________________________
>> tor-relays mailing list
>> 
>> tor-relays at lists.torproject.org
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
