Monday, 5 November 2012

Raspberry Pi as TOR Middle Relay


The Onion Router (Tor) is a service that helps you protect your anonymity while using the Internet.


The goal of the Tor project is to provide censorship-resistant and safer access to the Internet. It is the most widely used free and open source anonymization technique in existence. It also makes it possible to host services like websites in a secure and anonymous fashion ("hidden services").



Obviously, TOR needs a large number of servers. As the TOR network is not a commercial organisation, it requires voluntary supporters. This support can easily be provided with your Raspberry Pi.

How it Works

Tor helps to reduce the risks of both simple and sophisticated traffic analysis by distributing your transactions over several places on the Internet, so no single point can link you to your destination. The idea is similar to using a twisty, hard-to-follow route in order to throw off somebody who is tailing you — and then periodically erasing your footprints. Instead of taking a direct route from source to destination, data packets on the Tor network take a random pathway through several relays that cover your tracks so no observer at any single point can tell where the data came from or where it's going.
[Image: "Octopus Not So Great!" Art by Molly Crabapple, words by John Leavitt]


WHAT IS A TOR RELAY? description from EFF.org


Tor relays are also referred to as "routers" or "nodes." They receive traffic on the Tor network and pass it along. Check out the Tor website for a more detailed explanation of how Tor works.
There are three kinds of relays that you can run in order to help the Tor network: middle relays, exit relays, and bridges.

MIDDLE RELAY
For greater security, all Tor traffic passes through at least three relays before it reaches its destination. The first two relays are middle relays which receive traffic and pass it along to another relay. Middle relays add to the speed and robustness of the Tor network without making the owner of the relay look like the source of the traffic. Middle relays advertise their presence to the rest of the Tor network, so that any Tor user can connect to them. Even if a malicious user employs the Tor network to do something illegal, the IP address of a middle relay will not show up as the source of the traffic. That means a middle relay is generally safe to run in your home, in conjunction with other services, or on a computer with your personal files. See our legal FAQ on Tor for more info.

EXIT RELAY
An exit relay is the final relay that Tor traffic passes through before it reaches its destination. Exit relays advertise their presence to the entire Tor network, so they can be used by any Tor users. Because Tor traffic exits through these relays, the IP address of the exit relay is interpreted as the source of the traffic. If a malicious user employs the Tor network to do something that might be objectionable or illegal, the exit relay may take the blame. People who run exit relays should be prepared to deal with complaints, copyright takedown notices, and the possibility that their servers may attract the attention of law enforcement agencies. If you aren't prepared to deal with potential issues like this, you might want to run a middle relay instead. We recommend that an exit relay should be operated on a dedicated machine in a hosting facility that is aware that the server is running an exit node. The Tor Project blog has these excellent tips for running an exit relay. See our legal FAQ on Tor for more info.

BRIDGE
Bridges are Tor relays which are not publicly listed as part of the Tor network. Bridges are essential censorship-circumvention tools in countries that regularly block the IP addresses of all publicly listed Tor relays, such as China. A bridge is generally safe to run in your home, in conjunction with other services, or on a computer with your personal files.




Setting up a TOR Middle Relay on a Raspberry Pi


It is really easy to set up a Raspberry Pi Tor relay and help the TOR Project by donating some of the bandwidth of your internet connection, some of the CPU power of your Raspberry Pi and a little bit of your electricity.

We need:


  • 1x 2-4 GB SD card from your old digicam (an 8 GB Class 10 card is available for 7€ at Amazon)
  • 1x a small power cable (pigtail or 3 ft., 0.99$ on china-ebay)
  • 1x a short Ethernet cable (8" - 3 ft., 0.99$ on china-ebay)
  • 1x Raspberry Pi (from Farnell, 43€ including shipping to Europe in ~5 days)
  • a case: a Punnet case made of paper for 0$, self-built with Lego for ?$, the cheapest plastic case on eBay for 8.9$; my case is the Pibow from Pimoroni for 17.95£

SUM: 45-50€ to run a Tor middle relay to boost and strengthen the TOR Project.

I am powering my Pi from my router's USB port, which saves me another micro-USB power supply unit. Booting to the GUI (LXDE in Raspbian) is disabled, and the RAM for the GPU is set to the minimum, leaving the maximum RAM for the ARM CPU.


First you need to install Raspbian; HowTo#1 and HowTo#2 are available on my blog. Then set a static IP address on your Pi.

Install TOR on your Raspberry Pi. Tor is available as a Debian package, which makes this step very easy.

$ sudo apt-get update
$ sudo apt-get install tor

When the installation is done, you have to edit the TOR configuration file.


Configuration FILE torrc

The file is located in /etc/tor/.

First make a backup of your torrc configuration file!

$ sudo cp /etc/tor/torrc /etc/tor/torrc.backup

Edit the configuration file.

$ sudo vi /etc/tor/torrc


You need to edit/change up to ~10 variables.


SocksPort 0
## Tor opens a socks proxy on port 9050 by default -- even if you don't
## configure one below. Set "SocksPort 0" if you plan to run Tor only
## as a relay, and not make any local application connections yourself.


Log notice file /var/log/tor/notices.log


## Logs go to stdout at level "notice" unless redirected by something
## else, like one of the below lines. You can have as many Log lines as
## you want.
## We advise using "notice" in most cases, since anything more verbose
## may provide sensitive information to an attacker who obtains the logs.
## Send all messages of level 'notice' or higher to /var/log/tor/notices.log

RunAsDaemon 1
## Uncomment this to start the process in the background... or use
## --runasdaemon 1 on the command line. This is ignored on Windows;
## see the FAQ entry if you want Tor to run as an NT service.

ORPort 9001
## Required: what port to advertise for incoming Tor connections.

DirPort 9030 # what port to advertise for directory connections
## Uncomment this to mirror directory information for others. Please do
## if you have enough bandwidth.


ExitPolicy reject *:* # no exits allowed
This is necessary to run the TOR node as a relay only, without the exit-node functionality.


Nickname rasptorxxx  # (you can choose whatever you like)
## A handle for your relay, so people don't have to refer to it by key.

RelayBandwidthRate 100 KB  # Throttle traffic to 100KB/s (800Kbps)
RelayBandwidthBurst 200 KB # But allow bursts up to 200KB/s (1600Kbps)
## Define these to limit how much relayed traffic you will allow. Your
## own traffic is still unthrottled. Note that RelayBandwidthRate must
## be at least 20 KB.
## Note that units for these config options are bytes per second, not bits
## per second, and that prefixes are binary prefixes, i.e. 2^10, 2^20, etc.


ControlPort 9051
## The port on which Tor will listen for local connections from Tor
## controller applications, as documented in control-spec.txt.
This is necessary for the command-line monitoring tool TOR-ARM.
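
A check to run on the edited file before restarting, as an added example that is not part of the original post: it audits a torrc for the relay-only settings above. The function names and the sample file are made up here. The ControlPort authentication check goes beyond the post; CookieAuthentication and HashedControlPassword are Tor options, and a packaged defaults file may already enable one outside this torrc.

```shell
#!/bin/sh
# Added example, not from the original post: audit a torrc for the
# relay-only settings configured above.

# torrc_values FILE KEY: print each active value of KEY, one per line.
# Comments are stripped; option names are matched case-insensitively.
torrc_values() {
    awk -v key="$2" '
        { sub(/#.*/, "") }
        NF && tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print }
    ' "$1"
}

# audit_torrc FILE: print findings, return the number of FAIL findings.
audit_torrc() {
    f=$1; fails=0
    fail() { echo "FAIL: $*"; fails=$((fails + 1)); }
    warn() { echo "WARN: $*"; }

    # Every SocksPort line must be 0; with none, the default 9050 opens.
    [ "$(torrc_values "$f" SocksPort | sort -u)" = "0" ] ||
        fail "SocksPort is not 0, a local SOCKS proxy will be opened"
    torrc_values "$f" ORPort | grep -qv '^0$' ||
        fail "ORPort is not set, Tor will not act as a relay"

    # ExitPolicy lines are evaluated in order and the first match wins,
    # so the first active line must already reject everything.
    [ "$(torrc_values "$f" ExitPolicy | head -n 1)" = "reject *:*" ] ||
        fail "first ExitPolicy line is not 'reject *:*'"

    # The post advises against logging more verbosely than "notice".
    if torrc_values "$f" Log | grep -Eiq '^(debug|info)'; then
        warn "Log level below notice may record sensitive information"
    fi

    # An open ControlPort should require authentication.
    cp=$(torrc_values "$f" ControlPort | grep -v '^0$' | head -n 1)
    if [ -n "$cp" ]; then
        [ "$(torrc_values "$f" CookieAuthentication | tail -n 1)" = "1" ] ||
            [ -n "$(torrc_values "$f" HashedControlPassword)" ] ||
            warn "ControlPort $cp has no authentication option in this file"
    fi
    return "$fails"
}

# Constructed sample mirroring the settings above.
sample=$(mktemp)
printf '%s\n' 'SocksPort 0' 'ORPort 9001' 'ExitPolicy reject *:* # no exits' \
    'Log notice file /var/log/tor/notices.log' 'ControlPort 9051' > "$sample"
audit_torrc "$sample"; rm -f "$sample"
```

Call it as audit_torrc /etc/tor/torrc; Tor's own "tor --verify-config -f /etc/tor/torrc" additionally checks the syntax of the file.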


After changing the settings you have to restart your Tor server.


$ sudo /etc/init.d/tor restart


Now check whether your server is up and running. Check your logfile for a success notice.

$ cat /var/log/tor/log

If your installation and configuration were successful, there should be an entry with "[notice] Tor has successfully opened a circuit. Looks like client functionality is working.".

$ cat /var/log/tor/notices.log
Look out for "[notice] Self-testing indicates your DirPort is reachable from the outside. Excellent."

Thanks, you are now volunteering for the TOR Project. Karma points are rising!

After a few hours you should be able to find your Tor relay on a Torstatus list.


Installing the ARM - TOR Status Monitor

The anonymizing relay monitor (arm) is a terminal status monitor for Tor, intended for command-line aficionados, ssh connections, and anyone with a tty terminal. It works much like top does for system usage, providing real-time statistics.

It shows several useful pieces of information:
  • the running tor-version
  • tor-flags
  • used ports
  • nickname if set
  • fingerprint of your node
  • uptime of your server
  • process id of tor
  • CPU usage of TOR and ARM process
  • memory usage of TOR process
  • bandwidth and limits
  • incoming and outgoing bandwidth monitor
  • events in logfiles
  • editing configuration
  • many many more

Installing TOR-ARM

You need to set the ControlPort in your Tor configuration file as described above! The monitor program needs this port to control the tor process and receive data.

$ sudo apt-get install tor-arm

Starting

$ sudo arm
This starts arm as root; it is better to start the status monitor as the user the TOR server runs as.
[ARM_NOTICE] Arm is currently running with root permissions. This is not a good idea, and  will still work perfectly well if it's run with the same user as Tor (ie, starting with "sudo -u debian-tor arm").
Start arm as the TOR user.
$ sudo -u debian-tor arm




Some Useful Links:
http://www.instructables.com/id/Raspberry-Pi-Tor-relay/?ALLSTEPS
http://blog.epsilontik.de/?page_id=5
http://www.eric-scheibler.de/blog/index.php?/archives/21-Howto-Einen-Tor-Middle-Node-bzw.-eine-Bridge-unter-Debian-5.0-betreiben.html
http://www.atagar.com/arm/
http://www.darkcoding.net/society/running-a-tor-relay-node-server-on-ubuntu/
http://olb.dyndns.info/notizen/2011/05/3-tor-server/