Setting up a Tor bridge

Recent events show how important it is for all the world's citizens to have a reliable, unmonitored, uncensored way to access the internet. The Tor Project offers just that. Tor is a network of volunteer-run computers, called relays (or nodes), that forward encrypted traffic for each other.

When you make a normal connection to a website, both the website and your internet provider (and therefore your government) can see your IP address and the IP address you are visiting. Your provider knows which customer was assigned which IP at what time, so the IP identifies you, and your activity can be monitored and selectively blocked.

When you visit the same website through Tor, your computer builds a circuit through three relays (a guard, a middle and an exit). Your Tor client wraps the request in three layers of encryption, one per relay, before sending it to the guard; each relay strips one layer and learns only the IP of the previous and the next hop. The exit relay, the only one that sees the plain request, connects to the website.

Plain Tor traffic between you and the guard is TLS, but it has a recognizable fingerprint, so a censor doing deep packet inspection can tell it is Tor. Bridges (see below) address this with pluggable transports that disguise the traffic: obfs4, the one used in this guide, makes it look like random bytes; others such as Snowflake or meek make it look like a WebRTC call or ordinary HTTPS to a large CDN.

The website only sees the IP of the exit relay, not yours. Your internet provider only sees an encrypted connection to the guard's IP. Because the IPs of all public relays are listed in Tor's directory, though, the provider can still tell that you are using Tor, even if it cannot see what for.

The Tor Project takes this seriously: the protocol and the code are public and are regularly studied and audited by independent researchers.

The remaining problem: what if your government has the list of all Tor relay IPs? It is public, so they can see that you use Tor and block those IPs. That is where bridges come in. Bridges are Tor relays that are not listed in the public directory. They are handed out a few at a time (through BridgeDB at https://bridges.torproject.org, by email, or from within Tor Browser), so nobody can download the complete list, and new bridges are added all the time. Censors still discover and block bridges one by one, which is why the network needs a steady supply of new ones from people with a few megabits to spare on their broadband connection. Since I have a spare laptop here doing nothing and a comfortable fiber internet connection, I set up a Tor bridge. Here it goes:

1. Install Debian

Debian is my distro of choice. The package names and paths below are Debian's, so the instructions should work unchanged on Debian-based distros such as Ubuntu or Mint; on other distributions the steps are the same but the package manager and some paths differ.

The standard way is to install Debian from the minimal (netinst) ISO, which downloads all other packages during the install. Since Debian 12 the official images include the non-free firmware that most laptop wifi chips need; on older releases use the unofficial netinst image that bundles firmware, or the wifi may not work during the install.

Install everything the standard way, with GNOME or your favourite desktop environment; we will use the machine as a headless server, so we disable the graphical login later. If you are comfortable doing the setup on the console or over SSH, you can skip the desktop entirely.

2. System setup

Set a new hostname so you can recognize the machine on the network:

sudo hostnamectl set-hostname new_hostname

Add your user to the sudo group so you can use sudo from it (the Debian installer only does this automatically when you leave the root password empty). Use su - rather than plain su so that root's PATH, which contains /sbin, is used:

su -
usermod -aG sudo YourUserName
exit

The new group membership only applies to new logins, so log out and back in (or reboot) for this to take effect. Verify that your user is in the sudo group with:

groups

Install the SSH server so you can access the machine from another computer (Debian's ssh metapackage pulls in both openssh-server and the client):

sudo apt install ssh

Verify that ssh is running:

sudo systemctl status ssh

Installing the package normally enables and starts the service; if it is not running, enable and start it with:

sudo systemctl enable --now ssh

Install tmux, which lets you launch processes from an SSH session that keep running after you close that session:

sudo apt install tmux

I prefer micro over nano, so I also installed micro:

sudo apt install micro

Install vbetool to switch the laptop display off and on. It drives the VESA BIOS, so it may not work on a machine booted in UEFI mode; on the text console, setterm --blank force (and setterm --blank poke to wake the screen) is an alternative:

sudo apt install vbetool

You can then turn the laptop display on/off with:

sudo vbetool dpms off
sudo vbetool dpms on

To stop closing the lid from suspending the laptop, edit /etc/systemd/logind.conf, uncomment the HandleLidSwitch line (it is commented out by default, which means suspend) and change:

HandleLidSwitch=suspend

to:

HandleLidSwitch=ignore

And then restart the service:

sudo systemctl restart systemd-logind.service

If using SSH keys (you should), copy your public key to the server from another computer:

ssh-copy-id username@remote_host

Verify that key login works:

ssh username@remote_host

Then disable password authentication (recommended, but only after the key login above works, or you will lock yourself out). The server's configuration is /etc/ssh/sshd_config (not ssh_config, which configures the client). On Debian 12 and later, put the settings in a drop-in file such as /etc/ssh/sshd_config.d/50-keys-only.conf so that package upgrades do not overwrite them. Disable keyboard-interactive authentication too, otherwise PAM could still accept a password through that path:

PasswordAuthentication no
KbdInteractiveAuthentication no

Check the syntax with sudo sshd -t, then restart ssh while keeping your current session open, so you can fix things if the new login fails:

sudo systemctl restart ssh
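The lock-out risk in this step is easy to automate away: refuse to disable password logins until a usable key is actually present, and write the setting as a drop-in rather than editing the main file. The script below is an added example, not part of the original post. It takes the home directory and drop-in path as parameters so it can be exercised on a temporary tree; the "apply" mode that runs sshd -t and restarts the service assumes a Debian host with sudo. The key line used when trying it out is a constructed placeholder, not a real key.

```shell
# has_authorized_key HOME_DIR
# Returns 0 if HOME_DIR/.ssh/authorized_keys holds at least one key line of a
# type OpenSSH accepts (optionally prefixed by options such as from="...").
# Comment lines and blank lines are ignored.
has_authorized_key() {
    f="$1/.ssh/authorized_keys"
    [ -f "$f" ] || return 1
    grep -v '^[[:space:]]*#' "$f" |
        grep -Eq '(^|[[:space:]])(ssh-(ed25519|rsa)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)[[:space:]]+[A-Za-z0-9+/]+=*'
}

# write_sshd_hardening DROPIN_PATH
# Writes key-only login settings. On a real host the path would be
# /etc/ssh/sshd_config.d/50-keys-only.conf, which sshd_config includes.
write_sshd_hardening() {
    cat > "$1" <<'EOF'
# Key-based logins only. PAM keyboard-interactive would otherwise still
# accept passwords, so it is switched off as well.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
EOF
}

# sshd_setting FILE KEY -> prints the value of KEY in FILE (first match)
sshd_setting() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_ssh HOME_DIR DROPIN_PATH [apply]
# Refuses to lock out a user who has no key. With "apply" it also runs the
# sshd syntax check over the full configuration and restarts the service;
# without it, only the drop-in file is written (safe for a dry run).
harden_ssh() {
    if ! has_authorized_key "$1"; then
        echo "no usable key in $1/.ssh/authorized_keys; refusing to disable password logins" >&2
        return 1
    fi
    write_sshd_hardening "$2"
    if [ "${3:-}" = apply ]; then
        sudo sshd -t || return 1     # aborts before restarting on a config error
        sudo systemctl restart ssh
    fi
}

# Typical use on the bridge itself (assumed paths):
#   harden_ssh /home/YourUserName /etc/ssh/sshd_config.d/50-keys-only.conf apply
```

Keep the SSH session you ran this from open, and open a second one to confirm the key login still works before logging out.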

3. Enable automatic updates

First enable automatic, unattended software updates. Install the unattended-upgrades package if it is not already present, then edit /etc/apt/apt.conf.d/50unattended-upgrades and add "origin=TorProject" below the other "origin=" lines in Unattended-Upgrade::Origins-Pattern, so that tor itself gets updated. That origin only matches packages from the Tor Project's own apt repository (deb.torproject.org), which ships newer tor releases than Debian; if you install tor from Debian's repository, as this guide does, the line is harmless but does nothing, since Debian's security updates are already covered by the line above it:

Unattended-Upgrade::Origins-Pattern {
...
    "origin=Debian,codename=${distro_codename},label=Debian-Security";
    "origin=TorProject";
...
};

Edit the file /etc/apt/apt.conf.d/20auto-upgrades (create it if it does not exist) so that it contains:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::AutocleanInterval "5";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Verbose "1";

Test the setup with a dry run first, which prints what would be done without changing anything:

sudo unattended-upgrade --debug --dry-run

and then run it for real:

sudo unattended-upgrade --debug

4. Install and configure Tor

Install Tor and the obfs4 pluggable transport:

sudo apt install tor
sudo apt install obfs4proxy

Now choose two port numbers, one for the ORPort and one for obfs4. Both must be reachable from outside your network: Tor's self-test checks the ORPort and will not publish the bridge otherwise, and clients connect to the obfs4 port. Avoid 9001 because it is commonly associated with Tor and censors scan the Internet for it. I chose 29008 and 29009 just because. Unlike a relay's, a bridge's ContactInfo is not published; only the Tor Project (the bridge authority) sees it, and uses it to reach you if something is wrong with your bridge.

To turn the machine into a bridge (by default tor only acts as a client), edit the Tor config file, /etc/tor/torrc. If it contains the line:

BridgeRelay 0

change it to:

BridgeRelay 1

and otherwise add that line. Then add the following lines at the end of the file, with your own ports, contact address and nickname (a nickname is 1 to 19 letters and digits). The bridge is handed to BridgeDB for distribution automatically; that is controlled by the BridgeDistribution option, whose default is any, so nothing more is needed:

ORPort 29008
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:29009
ExtORPort auto
ContactInfo address@email.com
Nickname ANickNameForYourBridge

If you want to limit the bandwidth used by Tor, add lines like these. The rates are in kilobytes per second, so 1000 KBytes is about 8 Mbit/s. Note that once the daily AccountingMax is used up, tor hibernates and the bridge is offline until the next accounting period starts:

AccountingStart day 0:00
AccountingMax 50 GBytes
RelayBandwidthRate 1000 KBytes
RelayBandwidthBurst 5000 KBytes
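The torrc lines above are a small fixed template, and the two mistakes that are easy to make are a port that censors already scan for and two identical ports. The script below is an added example, not from the original post or the Tor Project: it generates the bridge section of torrc from a few parameters, rejects bad port and nickname choices up front, and can append the result to /etc/tor/torrc and have tor itself verify the file. The restriction to unprivileged ports (1024 and up) is this example's choice, not a Tor requirement; the nickname, contact address and ports are placeholders.

```shell
# valid_port N -> 0 if N is a number in 1024..65535 and not a port that is
# commonly associated with Tor relays (9001 ORPort, 9030 DirPort).
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ] || return 1
    case "$1" in 9001|9030) return 1 ;; esac
}

# bridge_torrc ORPORT OBFS4PORT NICKNAME CONTACT [DAILY_GBYTES]
# Prints the torrc fragment for an obfs4 bridge; prints nothing and returns 1
# on invalid input. The optional daily quota adds the accounting lines.
bridge_torrc() {
    orport="$1"; obfsport="$2"; nick="$3"; contact="$4"; quota="${5:-}"
    valid_port "$orport" && valid_port "$obfsport" || return 1
    [ "$orport" != "$obfsport" ] || return 1
    # Nickname: 1-19 alphanumeric characters, as tor requires.
    case "$nick" in ''|*[!A-Za-z0-9]*) return 1 ;; esac
    [ ${#nick} -le 19 ] || return 1
    cat <<EOF
BridgeRelay 1
ORPort $orport
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:$obfsport
ExtORPort auto
ContactInfo $contact
Nickname $nick
EOF
    if [ -n "$quota" ]; then
        cat <<EOF
AccountingStart day 0:00
AccountingMax $quota GBytes
EOF
    fi
}

# install_torrc ORPORT OBFS4PORT NICKNAME CONTACT [DAILY_GBYTES]
# Appends the fragment to Debian's /etc/tor/torrc and lets tor check the
# result before anything is restarted (assumes the debian-tor user exists,
# as it does when tor was installed from the Debian package).
install_torrc() {
    frag=$(bridge_torrc "$@") || return 1
    printf '%s\n' "$frag" | sudo tee -a /etc/tor/torrc >/dev/null
    sudo -u debian-tor tor --verify-config -f /etc/tor/torrc
}

# Typical use (placeholder values):
#   install_torrc 29008 29009 ANickNameForYourBridge address@email.com 50
```

Running tor --verify-config before the restart catches typos such as a duplicated ORPort or a malformed nickname while the old configuration is still running.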

Debian's tor systemd units set NoNewPrivileges=yes, and under that hardening tor cannot start obfs4proxy, so you need NoNewPrivileges=no for both tor@default.service and tor@.service. Do not edit the unit files under /lib/systemd/system directly, because the next package upgrade overwrites them; instead run sudo systemctl edit tor@default.service and sudo systemctl edit tor@.service, which create override files under /etc/systemd/system, and give each override a [Service] section containing only NoNewPrivileges=no.

Then reload systemd so it picks up the changed units:

sudo systemctl daemon-reload

Enable and start Tor (on Debian, tor.service is a wrapper that starts tor@default.service):

sudo systemctl enable --now tor.service

Verify that it is running:

sudo systemctl status tor.service

To confirm your bridge is running with no issues, read its log:

sudo journalctl -e -u tor@default

You should see something like this (with your own nickname, fingerprints and the ports you configured):

[notice] Your Tor server's identity key fingerprint is '<NICKNAME> <FINGERPRINT>'
[notice] Your Tor bridge's hashed identity key fingerprint is '<NICKNAME> <HASHED FINGERPRINT>'
[notice] Registered server transport 'obfs4' at '[::]:46396'
[notice] Tor has successfully opened a circuit. Looks like client functionality is working.
[notice] Bootstrapped 100%: Done
[notice] Now checking whether ORPort <redacted>:3818 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
[notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
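Two things are worth extracting from that output once tor has been running for a while: whether the ORPort self-test succeeded (if not, the bridge is never published), and the obfs4 bridge line that users will need, which obfs4proxy writes with placeholders to /var/lib/tor/pt_state/obfs4_bridgeline.txt. The hashed fingerprint in the log is what Relay Search displays for a bridge; the bridge line needs the real (unhashed) fingerprint, which is the second field of /var/lib/tor/fingerprint. The script below is an added example and not part of the original post; the log and state files it is tried on are constructed samples, and the bridge_status wrapper assumes a Debian host where those files exist.

```shell
# orport_reachable LOGFILE -> 0 if tor logged a successful reachability self-test
orport_reachable() {
    grep -q 'Self-testing indicates your ORPort is reachable from the outside' "$1"
}

# hashed_fingerprint LOGFILE -> prints the hashed identity fingerprint from the
# log (the value to search for on Relay Search), or nothing if not logged yet.
hashed_fingerprint() {
    sed -n "s/.*bridge's hashed identity key fingerprint is '[^ ]* \([0-9A-F]*\)'.*/\1/p" "$1" | head -n 1
}

# bridge_line BRIDGELINE_FILE FINGERPRINT_FILE PUBLIC_IP OBFS4_PORT
# Fills in the <IP ADDRESS>, <PORT> and <FINGERPRINT> placeholders of
# obfs4_bridgeline.txt. The fingerprint file has one line: "Nickname FINGERPRINT".
bridge_line() {
    fp=$(awk 'NR == 1 { print $2 }' "$2")
    [ -n "$fp" ] || return 1
    grep '^Bridge obfs4 ' "$1" |
        sed -e "s/<IP ADDRESS>/$3/" -e "s/<PORT>/$4/" -e "s/<FINGERPRINT>/$fp/"
}

# bridge_status PUBLIC_IP OBFS4_PORT
# Real-system wrapper (needs root): reads the tor journal and state files.
bridge_status() {
    log=$(mktemp)
    journalctl -u tor@default --no-pager > "$log"
    if orport_reachable "$log"; then
        echo "ORPort reachable; hashed fingerprint: $(hashed_fingerprint "$log")"
    else
        echo "no successful ORPort self-test yet (wait up to 20 minutes, then check the port forward)"
    fi
    bridge_line /var/lib/tor/pt_state/obfs4_bridgeline.txt /var/lib/tor/fingerprint "$1" "$2"
    rm -f "$log"
}
```

The bridge line printed by bridge_status is what you hand to someone who needs to reach Tor through your bridge; everything else about the bridge (hashed fingerprint, uptime, bandwidth) can be looked up on Relay Search, while the real fingerprint and the obfs4 cert should only travel with the bridge line.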

5. Open both Tor ports on your router

This means forwarding incoming TCP traffic on your external IP, ports 29008 and 29009, to the same ports on the laptop's LAN IP. Give the laptop a fixed address (a static DHCP lease on the router) so the forward does not break after a reboot, and make sure no firewall on the laptop itself blocks these two ports.

You need to refer to the manual of your router, but it usually involves a "port sharing" or "port forwarding" page in the router's web admin panel, where you set up two forwards, one for each of the Tor ports defined above.

We can now test whether the bridge is reachable from the Internet with the TCP reachability test at https://bridges.torproject.org/scan/ (test both ports). Tor's own log should also report the ORPort self-test succeeding within about 20 minutes, and a few hours later the bridge shows up on Relay Search (https://metrics.torproject.org/rs.html) when you search for its hashed fingerprint from the log.

6. Switch to console mode

When the initial setup is done we no longer need the graphical interface, so set the laptop to boot to the console and manage it over SSH from now on:

sudo systemctl set-default multi-user.target

If you need the desktop again later, start it with startx or, if that does not work with your display manager, with sudo systemctl isolate graphical.target.
