roothorick Tux's lil' helper
Joined: 30 May 2004 Posts: 83
Posted: Thu Feb 28, 2008 7:54 am Post subject: Keep your identity while running a Tor exit node
Always wanted to run a Tor exit node, but didn't want to be magically banned from IRC networks because you're "using Tor" when you're really not? Read on.
I'm assuming you have a NAT machine running Linux that's fully up and operational, connected to your broadband modem via Ethernet, and that's the machine you have Tor on. I'm also going to assume you have Tor fully configured. I'm also assuming you use dhcpcd to configure your outgoing NIC. Finally, I assume that your ISP gives you at least two dynamic IPs (which is typical for residential ISPs). If you have two static IPs, there's a much simpler way to do this, but I'll leave that as an exercise to the reader.
This is the result of my third, and only successful, attempt at getting this whole mess working. It's an ugly workaround, but it does in fact work, and is about as elegant as you can get without making direct modifications to Tor code and/or the kernel routing code.
Hardware Setup
What you need:
- A spare NIC in your NAT box
- A spare Ethernet hub
- Two spare Ethernet cables
Plug in and power up the hub, unplug your modem from the computer and plug it directly into the hub. Now take those two spare Ethernet cables and plug one end of each into the hub. Where's the other end going? You bet. Plug in that spare NIC and your original outgoing NIC. You should now have something like this:
Code:
                |-----| NIC 1    |-----|
   NIC 3        |     |----------|     |        |-------|
LAN-------------| NAT | NIC 2    | hub |--------| modem |
                |     |----------|     |        |-------|
                |-----|          |-----|
Got everything all fine and toasty? Excellent.
Software setup
NIC 1 and NIC 3 should have the same network setup they always did; just configure NIC 2 the same way you did NIC 1, and bring it up. If you run ifconfig at this point, you'll notice that NIC 1 and NIC 2 have different IPs. We want this; your personal traffic will originate from one IP, and Tor traffic from the other. As an aside, save yourself a lot of headache, and make absolutely sure that the order of the NICs (eth0, eth1, etc.) does not change between reboots; however, that's another article.
First of all, you need two kernel options enabled:
Code:
Networking --->
  Networking options --->
    [*] TCP/IP networking
    [*]   IP: advanced router
    [*]     IP: policy routing
You know the drill. Save, compile, install, reboot.
Second, you need iproute2 utils installed. Just do:
And as long as it doesn't outright fail, you're set.
Now, go into /etc/tor and rename your torrc to torrc.static. From now on, you will modify torrc.static and NOT torrc. That's because the script below generates torrc on the fly each time your IP changes, and then tells Tor that a new configfile is waiting for it.
Finally, copy this entire code snippet down, and save it as /etc/dhcpcd.sh. Make sure it's executable (chmod +x). Change TORDEV if needed.
Code:
#!/bin/bash
# Tor routing script. Creates a routing table that gives eth1 details instead of eth0,
# and then tells Tor the new IP.
# dhcpcd calls this as: dhcpcd.sh <info file> <up|new|down>
TORDEV="eth1"   # Device Tor traffic will go out.
TORTABLE=1      # Routing table for Tor traffic.
# Load INTERFACE, IPADDR, GATEWAYS, ... from the dhcpcd info file.
eval "$(cat "$1")"
# Only act on the Tor NIC; leave the personal NIC's lease alone.
if [ "$INTERFACE" != "$TORDEV" ]; then exit 0; fi
if [ "$2" = "up" ] || [ "$2" = "new" ]; then
    # Rebuild the routing table: copy every main-table route that mentions
    # the Tor NIC, then add a default route through the new gateway(s).
    ip route flush table "$TORTABLE"
    ip route list table main | while read -r line; do
        if echo "$line" | grep -qw "$TORDEV"; then
            # $line is deliberately unquoted so it expands into separate arguments
            ip route add table "$TORTABLE" $line
        fi
    done
    for gw in $GATEWAYS; do
        ip route add table "$TORTABLE" default via "$gw" dev "$TORDEV"
    done
    # Reset the rule: drop the old one (if any), then send traffic from the new IP via the Tor table
    ip rule del lookup "$TORTABLE" 2>/dev/null
    ip rule add from "$IPADDR" lookup "$TORTABLE"
    # Tell Tor about the new IP by regenerating torrc from torrc.static
    rm -f /etc/tor/torrc
    echo '# DYNAMICALLY GENERATED. DO NOT EDIT.' > /etc/tor/torrc
    echo '# Modify /etc/tor/torrc.static instead.' >> /etc/tor/torrc
    cat /etc/tor/torrc.static >> /etc/tor/torrc
    echo "Address $IPADDR" >> /etc/tor/torrc
    echo "OutboundBindAddress $IPADDR" >> /etc/tor/torrc
    /etc/init.d/tor reload &> /dev/null
else # $2 == "down"
    ip rule del lookup "$TORTABLE"
    ip route flush table "$TORTABLE"
fi
To make sure the changes take effect immediately, restart your Tor interface, and restart Tor (/etc/init.d/eth# restart; /etc/init.d/tor restart).
You'll know it's working if you see this in /var/log/tor/tor.log:
Code:
Mar 01 04:03:53.569 [notice] Tor 0.1.2.19 opening log file.
Mar 01 04:03:54.137 [notice] Your Tor server's identity key fingerprint is '[redacted]'
Mar 01 04:04:01.122 [notice] We now have enough directory information to build circuits.
Mar 01 04:04:03.693 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Mar 01 04:04:03.693 [notice] Now checking whether ORPort [Tor IP]:9001 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
Mar 01 04:04:04.053 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Mar 01 04:04:14.121 [notice] Performing bandwidth self-test...done.
And that's it! Each time your Tor interface gets a new IP, dhcpcd will call dhcpcd.sh which will rebuild the routing table from scratch and tell Tor about the new IP. Completely and totally automated. Just the way I like it.
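A quick sanity check for the setup above, added here as an example and not part of the original post: it reads captured "ip rule show" and "ip route show table <N>" output and confirms that only the Tor NIC's address is routed through the Tor table, that the table has a default route out the Tor NIC, and that your personal address never ends up in that table (which would send your own traffic out of the Tor IP). The addresses, interface names and sample command output are constructed for the example.

```shell
#!/bin/sh
# Verify the split that /etc/dhcpcd.sh is supposed to produce, using captured
# "ip rule show" / "ip route show table <N>" output so it also runs offline:
#   1. exactly one rule sends traffic "from <Tor IP>" to the Tor table,
#   2. that table has a default route leaving via the Tor NIC,
#   3. no rule sends the personal IP into the Tor table (that would leak
#      your own traffic out of the Tor address and defeat the whole setup).
# Usage: check_tor_split <tor_ip> <tor_dev> <tor_table> <personal_ip> <rules> <routes>
# Returns 0 when the split looks right, 1 otherwise.
check_tor_split() {
    local tor_ip="$1" tor_dev="$2" tor_table="$3" my_ip="$4" rules="$5" routes="$6"
    local esc_tor esc_my n
    esc_tor=$(printf '%s' "$tor_ip" | sed 's/\./\\./g')   # escape dots for grep -E
    esc_my=$(printf '%s' "$my_ip" | sed 's/\./\\./g')
    n=$(printf '%s\n' "$rules" | grep -c -E "from ${esc_tor}[[:space:]]+lookup ${tor_table}([[:space:]]|\$)")
    [ "$n" -eq 1 ] || return 1
    printf '%s\n' "$routes" | grep -q -E "^default via [0-9.]+ dev ${tor_dev}([[:space:]]|\$)" || return 1
    if printf '%s\n' "$rules" | grep -q -E "from ${esc_my}[[:space:]]+lookup ${tor_table}([[:space:]]|\$)"; then
        return 1
    fi
    return 0
}

# Constructed sample output (documentation addresses): Tor NIC eth1 leased
# 203.0.113.20, personal NIC eth0 leased 203.0.113.10, Tor table 1.
GOOD_RULES='0:      from all lookup local
32765:  from 203.0.113.20 lookup 1
32766:  from all lookup main
32767:  from all lookup default'
GOOD_ROUTES='default via 203.0.113.1 dev eth1
203.0.113.0/24 dev eth1  proto kernel  scope link  src 203.0.113.20'
# Stale rule: the lease moved to .20 but the rule still names the old .21.
STALE_RULES='0:      from all lookup local
32765:  from 203.0.113.21 lookup 1
32766:  from all lookup main'
# Leak: a leftover rule also sends the personal IP through the Tor table.
LEAK_RULES="32764:  from 203.0.113.10 lookup 1
$GOOD_RULES"
# Table was flushed but never rebuilt: no default route via eth1.
NO_DEFAULT_ROUTES='203.0.113.0/24 dev eth1  proto kernel  scope link  src 203.0.113.20'

if check_tor_split 203.0.113.20 eth1 1 203.0.113.10 "$GOOD_RULES" "$GOOD_ROUTES"; then
    echo "split routing OK"
else
    echo "split routing BROKEN"
fi
```

On a live box, feed it the real output: check_tor_split "$IPADDR" eth1 1 <your eth0 IP> "$(ip rule show)" "$(ip route show table 1)".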