Re: [tor-relays] Boosting throughput with own DNS resolvers

2015-07-20 Thread Seth
On Sun, 19 Jul 2015 13:52:32 -0700, Tom van der Woerdt i...@tvdw.eu  
wrote:

All my exits run with pdns-recursor installed, because I don't want to
be uploading people's DNS data to Google's search indexer :-)


How does pdns-recursor stack up against unbound chained with  
dnscrypt-proxy?


I've been running the latter but this is the first I've heard of using  
pdns on an exit node.


The pdns + Tor configuration tweaks were very helpful, thanks.
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] de-centralised bad exit list files - a bad and/or naive idea ?

2015-07-03 Thread Seth
On Fri, 03 Jul 2015 04:27:50 -0700, Toralf Förster  
toralf.foers...@gmx.de wrote:


Reading "[tor-relays] unflagged BAD EXIT nodes" /me wonders, such a  
feature would make sense.


Technically this could yield to a ./torrc.d config directory, where tor  
users could store the (regularly updated) list/s they trust.


That would be nice, right now copying in the fingerprints of dozens of  
exit nodes into torrc is downright painful, especially since they can't be  
listed on their own lines.


The ability to use nginx style include statements in torrc would also be  
helpful, that way values like 'ExitNodes' could be maintained in a  
separate file.



Re: [tor-relays] Please enable IPv6 on your relay!

2015-05-13 Thread Seth
On Tue, 12 May 2015 22:45:24 -0700, Brian Kroll  
br...@fiberoverethernet.com wrote:




I just enabled four relays, who has the next two? ^_^


Sydney Australia's in the IPv6 house now, wut wut.

https://atlas.torproject.org/#details/E1E1059D8C41FC48B823C6F09348EA89C4D4C9D4


Re: [tor-relays] Determining geographical locations for a new exit relay would help most

2015-05-03 Thread Seth

On Sun, 03 May 2015 11:50:25 -0700, nusenu nus...@openmailbox.org wrote:

I'd say 7$ for 2TB/mo on 1GB RAM is expensive if you compare it with
100mbps unmetered and let's say you are able to saturate ~50% =
~30TB/mo (~50 Mbps* in one direction) for ~15$/mo with 1GB RAM (in HU,
0.6% CW).


Can't argue with that.

The difference in annual cost ($60 vs $180 USD) is the key factor for me  
right now. Don't want to pay $180/yr out of pocket right now.



..but anyway thanks for adding more OpenBSD relays.


Aye, I'll be trying out your Ansible playbooks in a bit.


Re: [tor-relays] Determining geographical locations for a new exit relay would help most

2015-05-03 Thread Seth
On Sat, 02 May 2015 00:52:07 -0700, Geo Rift  
tim.cochrane.lap...@gmail.com wrote:

I would love to see some more nodes in Australia. I'm located in Perth
and the speed of the network is horrible.


Tim, just deployed an exit node to the Sydney location, feel free to test it  
out:


https://atlas.torproject.org/#details/E1E1059D8C41FC48B823C6F09348EA89C4D4C9D4


Re: [tor-relays] Determining geographical locations for a new exit relay would help most

2015-05-03 Thread Seth

On Sat, 02 May 2015 14:37:04 -0700, nusenu nus...@openmailbox.org wrote:

Is there a specific reason why you limit yourself to vultr?


Yes, there are several.

* Price (hardware bang for the buck. SSD, 1000GB bw/mo in most locations.  
Starter pkg is $5/mo)
* Features/usability (really like their control panel and website design.  
Snapshots are key, ability to re-deploy snapshots anywhere. Two factor  
auth with Yubikey.)
* OpenBSD supported via custom ISO install feature (This limits the field  
quickly)



[tor-relays] Determining geographical locations for a new exit relay would help most

2015-05-01 Thread Seth
I'm standing up a new exit relay on the VULTR network. How would a person  
go about determining which location is in most need of additional exit  
relay capacity?


Available locations: https://www.vultr.com/locations/

* Miami, Florida
* Chicago, Illinois
* New York / New Jersey
* Dallas, Texas
* Seattle, Washington
* Atlanta, Georgia
* Los Angeles, California
* Silicon Valley, California
* (AU) Sydney, Australia
* (Asia) Tokyo, Japan
* (EU) Amsterdam, NL
* (EU) London, UK
* (EU) Paris, France
* (EU) Frankfurt, DE


Also, curious to hear people's thoughts on any potential jurisdictional  
arbitrage benefits to be gleaned by choosing a location other than one's  
country of residence or citizenship.


For the sake of argument, consider a VULTR account opened by a U.S. citizen  
residing in the U.S. Choopa LLC (VULTR parent company) is also a US based  
company. http://start.cortera.com/company/research/k5o8lvm2j/choopa-llc/



Re: [tor-relays] Determining geographical locations for a new exit relay would help most

2015-05-01 Thread Seth

On Fri, 01 May 2015 10:01:45 -0700, nusenu nus...@openmailbox.org wrote:

It might be oversimplified but using compass with group by country
ordered by consensus weight (or in your case exit probability) shows
you where most of tor network capacity is currently located. The goal
is to set up relays in new or rarely used locations.

So by using compass your list would look like this, ordered from
better to less good:

* (AU) Sydney, Australia (0.01% CW)
* (Asia) Tokyo, Japan (0.8% CW)
* UK (4.6% CW)
* US (10.1%)
* NL (12.4% CW)
* France (21.6%)
* DE (25.7% CW)
Note: this is a current snapshot and numbers change but AU or JP is
better than DE (from a capacity divers. point of view) - this will
also be the case in a week or a month.

You might also want to consider the exit probability and use that in
addition or instead of CW.

I don't know if VULTR has multiple ASes but if they do you might also
want to have a look at the group by AS results (if they allow you to
choose).


Thanks for the breakdown, that helps. The only hitch with the Sydney and  
Tokyo locations is that instead of 1000GB/mo of bandwidth, you only get  
200GB/mo.


Would it be better (all things considered) to go with the UK location at  
1000GB/mo vs Tokyo or Sydney at 200GB/mo?



Re: [tor-relays] Effectively donating bandwidth

2015-04-29 Thread Seth
On Wed, 29 Apr 2015 17:44:38 -0700, Curtis Gagliardi cur...@curtis.io  
wrote:

Spreading it out feels like the right thing to do, but is it actually
the most helpful?  Maybe burning my bandwidth in faster bursts is more
helpful.


Also found these relevant threads by searching the archives for  
'hibernate':


http://www.mail-archive.com/tor-relays%40lists.torproject.org/msg05002.html
http://www.mail-archive.com/tor-relays@lists.torproject.org/msg05569.html

There was some other discussion (can't remember exactly where off-hand,  
might have been another list) disputing the Tor manual's stance that it's  
better to have a fast relay part of the time than a slow relay all the time.  
Maybe this is case dependent on what the minimum bandwidth levels are, dunno.




Re: [tor-relays] Effectively donating bandwidth

2015-04-29 Thread Seth
On Wed, 29 Apr 2015 17:44:38 -0700, Curtis Gagliardi cur...@curtis.io  
wrote:



I'm running a relay with the extra bandwidth on my VPS, but I'm unsure
if it's optimally configured.

I have 2.5TB of bandwidth I want to use every month.  Given that, how do
I configure my relay in the most helpful way?

The docs mention dividing my bandwidth by 30 and setting an accounting
max of 1 day.   It also suggests You might also consider rate limiting
to spread your usefulness over more of the day.  Why not use an
accounting period of a month and spread it out over the full month?
Spreading it out feels like the right thing to do, but is it actually
the most helpful?  Maybe burning my bandwidth in faster bursts is more
helpful.

If spreading it over the month using a low bandwidth rate and a monthly
accounting period is ideal, is there a better way to configure it than
busting out a calculator and converting TB/month to KB/s?

How should I determine my BandwidthBurstRate?  I understand what it is,
but should it be defined in relation to my bandwidth rate?


I'm running an exit node on an entry level VULTR VPS which comes with  
1000GB per month.


This is all I put in the torrc file to limit bandwidth usage:

# Bandwidth and data caps
AccountingStart day 19:45 # calculate once a day at 7:45pm
AccountingMax 33 GBytes

It's surprisingly accurate. As of today VPS usage is at 98% of monthly  
allowance. I didn't bother with burst rate because it never seems to climb  
over 10Mbps usage, and the interface is a 100Mbps connection.


As far as letting it run full steam and then shut down for potentially  
hours every day vs. finding a steady rate that it can burn bandwidth at  
for the entire month, that's been discussed already in the list archives  
here:  
http://www.mail-archive.com/tor-relays%40lists.torproject.org/msg05478.html



Re: [tor-relays] Relay from home

2015-04-08 Thread Seth
On Wed, 08 Apr 2015 03:57:20 -0700, Jannis Wiese m...@janniswiese.com  
wrote:


maybe this is a dumb question, but as I couldn't find any real advice  
anywhere on the net: Does it make sense to start operating a non-exit  
relay from home for a longer term? I'm thinking about at least getting a  
T-Shirt (the more uptime, the better).

However, my concerns are the daily disconnect and the dynamic IP.

What do you think? Any first-hand tips are of course appreciated.


Been running a relay at home for about 3-4 months now and like the other  
poster barely notice the traffic. IIRC recommended upstream bandwidth is  
2Mbps or greater, if you run a relay on a connection without enough  
bandwidth (in either direction) it's not really helping the network,  
(Roger sez!). Sorry, don't have a reference link handy for this factoid.  
Also make sure the connection is stable.


Another reason I think it's a good idea to run a relay 24/7 is that it  
provides cover traffic. It becomes more difficult for an observer to  
determine when you yourself are using the Tor network, helping to thwart  
time of usage correlation attacks.


Just _make sure_ that your exit policy is set to reject all, the default  
torrc config makes it an exit node with no outbound restrictions last time  
I checked.



Re: [tor-relays] Tor and Freenode

2015-01-25 Thread Seth

On Sat, 24 Jan 2015 18:06:40 -0800, Markus Hitter m...@jump-ing.de wrote:


Thanks for describing what I meant with extra hassle. Makes also a  
more detailed description than what I could find on the web so far.


It is sort of a pain in the neck I agree, especially when you have to go  
about figuring it out for yourself.


I need to write this up anyway for my own personal reference, I'll post a  
HOWTO to the list if enough people are interested and feel that it's  
relevant.



Re: [tor-relays] Tor and Freenode

2015-01-24 Thread Seth

On Sat, 24 Jan 2015 12:32:24 -0800, David Serrano t...@dserrano5.es wrote:


On 2015-01-24 20:16:13 (+), cacahuatl wrote:

Markus Hitter:
 - It's a hassle to setup. Proxies and such stuff.

Running Tor Browser and setting some options on your IRC client?


Tor Browser isn't even needed. Once he has a relay in place, all he has  
to do is teach the IRC client to connect through it.


I run a Tor relay 24/7 at home on a dedicated computer. I like to set up a  
ZNC IRC bouncer on the same host and have it connect to the Tor relay's  
SOCKS5 port via Proxychains. You'll need to authenticate the ZNC Freenode  
server nick via SASL if memory serves correctly.


Then configure your IRC client to connect to the ZNC bouncer. Set it and  
forget it.


The only non Tor traffic exposure is registering the Freenode nick.


Re: [tor-relays] building Tor against LibreSSL 2.1.1 fails with undefined reference to `EVP_aes_128_ctr' error

2015-01-15 Thread Seth

On Thu, 01 Jan 2015 10:55:18 -0800, Seth l...@sysfu.com wrote:

On Sun, 28 Dec 2014 16:01:12 -0800, Nick Mathewson ni...@freehaven.net  
Maybe something like this would work?


CFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib ./configure


That resolves the tortls.o error, thanks!

This is the line I used for OpenBSD:

env CFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib ./configure  
--disable-asciidoc --sysconfdir=/etc



Re: [tor-relays] building Tor against LibreSSL 2.1.1 fails with undefined reference to `EVP_aes_128_ctr' error

2015-01-13 Thread Seth
On Sun, 28 Dec 2014 16:01:12 -0800, Nick Mathewson ni...@freehaven.net  
wrote:



Maybe the autoconf script is looking at the headers in /usr/include,
instead of /usr/local/include ? That would mess it up.

Instead of using --with-openssl-dir=/usr/local, what happens if you
set CFLAGS and LDFLAGS by hand when compiling?


I tried to find out how to do this by myself but I don't understand very  
well how these flags work.


Could you please provide some examples and I'll test?

Also of note, I was able to get tor-0.2.6.2-alpha to build successfully on  
the release version of OpenBSD 5.6 which includes LibreSSL 2.0-something.


When I tried to build tor-0.2.6.2-alpha against libressl 2.1.2 on the  
same system using ./configure --with-openssl-dir=/usr/local it bails out  
with the same tortls.o error.



For the meantime, is there a compiler macro we can use to distinguish
libressl from openssl at compile-time?


Do not know.


Re: [tor-relays] Secure secure Shell update protocols

2015-01-10 Thread Seth

On Fri, 09 Jan 2015 12:46:11 -0800, 0x23 rus...@gmx.net wrote:

wanna share some current insights regarding secure shell (ssh) on how to  
harden sys after the German 'Der Spiegel' disclosed documents.


https://stribika.github.io/2015/01/04/secure-secure-shell.html


Before anyone goes and implements the above, you should probably read the  
related thread on the Applied Crypto Hardening mailing list discussing the  
pros and cons of this particular write-up.  
http://lists.cert.at/pipermail/ach/2015-January/001684.html



Re: [tor-relays] Atlas / Globe backend appears to be down

2015-01-10 Thread Seth

On Sat, 10 Jan 2015 18:09:46 -0800, starlight.201...@binnacle.cx wrote:

Can't pull anything up on either Atlas or Globe.


My searches have been failing there for an hour or so too. Have you mailed  
a...@torproject.org?



Re: [tor-relays] Reminder: exit nodes probably shouldn't be using Google's DNS servers

2015-01-08 Thread Seth
On Thu, 08 Jan 2015 08:38:35 -0800, Paul Syverson  
paul.syver...@nrl.navy.mil wrote:

The flip side is that, against such an adversary, using a DNS server  
that supports encryption of queries and responses is probably more  
important than it being local.


I like to chain unbound up to dnscrypt-proxy in order to encrypt DNS  
traffic for this very reason.


dnscrypt-proxy frequently is unable to keep up however, so I currently  
have unbound configured to make queries directly if dnscrypt-proxy is not  
responding.



Re: [tor-relays] building Tor against LibreSSL 2.1.1 fails with undefined reference to `EVP_aes_128_ctr' error

2015-01-01 Thread Seth
On Sun, 28 Dec 2014 16:01:12 -0800, Nick Mathewson ni...@freehaven.net  
wrote:



Instead of using --with-openssl-dir=/usr/local, what happens if you
set CFLAGS and LDFLAGS by hand when compiling?


Maybe something like this would work?

CFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib ./configure


Re: [tor-relays] Someone broke the tor-relay speed record?

2014-12-31 Thread Seth

On Wed, 31 Dec 2014 01:13:52 -0800, Justaguy justa...@riseup.net wrote:


Oh wait?
This is only advertised bandwidth and not the actual bandwidth.
maybe the actual bandwidth will reach the advertised bandwidth some day.
This relay is only running for 3 days so..


The advertised Tor bandwidth for the exit node that I control matches up  
well with the bandwidth graph provided by the ISP, so I believe it is  
fairly accurate.


https://globe.torproject.org/#/relay/E1E1059D8C41FC48B823C6F09348EA89C4D4C9D4

Seems like it should be impossible however for a relay to jump to 149MB/s  
of advertised bandwidth in less than a week.


Re: [tor-relays] building Tor against LibreSSL 2.1.1 fails with undefined reference to `EVP_aes_128_ctr' error

2014-12-24 Thread Seth
On Tue, 23 Dec 2014 09:16:56 -0800, Nick Mathewson ni...@freehaven.net  
wrote:

Strange!  There is code in git master that is supposed to prevent
this.


Yes, I thought it had been fixed by your commit from this ticket  
https://trac.torproject.org/projects/tor/ticket/13325



The current Tor's find_cipher_by_id is supposed to avoid
looking at the get_cipher_by_id field.  Do you really get the same
errors with master, or is the error different?


Makes no difference, same error for master branch as the rest.

latest Git - master branch - git clone https://git.torproject.org/git/tor
-

# cd tor; git status
On branch master
Your branch is up-to-date with 'origin/master'.
nothing to commit, working directory clean

# sh autogen.sh ; ./configure --with-openssl-dir=/usr/local --disable-asciidoc ; make


src/common/tortls.c: In function 'find_cipher_by_id':
src/common/tortls.c:1478: error: 'SSL_METHOD' has no member named 'get_cipher_by_char'
src/common/tortls.c:1484: error: 'SSL_METHOD' has no member named 'get_cipher_by_char'

*** [src/common/tortls.o] Error code 1


Alpha - https://www.torproject.org/dist/tor-0.2.6.1-alpha.tar.gz


#./configure --with-openssl-dir=/usr/local --disable-asciidoc ; make

src/common/tortls.c: In function 'find_cipher_by_id':
src/common/tortls.c:1478: error: 'SSL_METHOD' has no member named 'get_cipher_by_char'
src/common/tortls.c:1484: error: 'SSL_METHOD' has no member named 'get_cipher_by_char'

*** [src/common/tortls.o] Error code 1

Stable - https://www.torproject.org/dist/tor-0.2.5.10.tar.gz


# ./configure --with-openssl-dir=/usr/local --disable-asciidoc ; make

src/common/tortls.c: In function 'find_cipher_by_id':
src/common/tortls.c:1480: error: 'SSL_METHOD' has no member named 'get_cipher_by_char'
src/common/tortls.c:1486: error: 'SSL_METHOD' has no member named 'get_cipher_by_char'

*** [src/common/tortls.o] Error code 1


Re: [tor-relays] building Tor against LibreSSL 2.1.1 fails with undefined reference to `EVP_aes_128_ctr' error

2014-12-23 Thread Seth
On Tue, 23 Dec 2014 06:33:44 -0800, Nick Mathewson ni...@freehaven.net  
wrote:

What version of Tor are you using here?  I think we have this fixed in
0.2.6.1-alpha with this commit:
   d1fa0163e571913b8e4972c5c8a2d46798f46156
And this ticket:
   https://trac.torproject.org/projects/tor/ticket/13325


I tried unsuccessfully with all three versions: stable, alpha and the  
latest from git.


Tor builds no problem when using the previous LibreSSL version (2.1.1) on  
FreeBSD 9.3.


As a side note, LibreSSL 2.1.2 also caused nginx builds using libressl as  
a dependency to fail.


OpenSMTPD and Dovecot will still build successfully against LibreSSL 2.1.2  
on the same system.



Re: [tor-relays] building Tor against LibreSSL 2.1.1 fails with undefined reference to `EVP_aes_128_ctr' error

2014-12-22 Thread Seth

On Sat, 22 Nov 2014 17:33:59 -0800, Seth l...@sysfu.com wrote:
Thanks for the information. I was able to get the latest git version of  
Tor build against the libressl-2.1.1 pkg in a fresh FreeBSD 9x jail  
using the following steps:


pkg install libressl autoconf git gmake gettext
mkdir /usr/local/src;cd /usr/local/src;git clone https://git.torproject.org/git/tor
cd tor;sh autogen.sh;./configure --with-openssl-dir=/usr/local --disable-asciidoc

make;make install;tor


Unfortunately after upgrading LibreSSL from 2.1.1 to 2.1.2 this method now  
fails with the error:


src/common/tortls.c: In function 'find_cipher_by_id':
src/common/tortls.c:1480: error: 'SSL_METHOD' has no member named 'get_cipher_by_char'
src/common/tortls.c:1486: error: 'SSL_METHOD' has no member named 'get_cipher_by_char'

*** [src/common/tortls.o] Error code 1

I'll post a comment in the related Tor trac ticket


Re: [tor-relays] Hibernation and Guard flag

2014-12-21 Thread Seth

On Sun, 21 Dec 2014 11:09:33 -0800, Filippo Valsorda h...@filippo.io wrote:


1. Is daily accounting preferable? That is, what's best, shorter or
longer hibernation periods?


This issued was touched on recently here:  
http://www.mail-archive.com/tor-relays%40lists.torproject.org/msg04996.html


Excerpt: "As the Tor manual says, it's better to have a fast relay  
available some of the time instead of having a slow relay available all  
the time."


2. How does hibernation play with the Guard flag? I know Guards rotation
plays a crucial role in users privacy, and it seems to me hibernation
would really hurt a client that selected you as its Guard, since it will
have either to run with one less available Guard, or pick a new one and
increase its risk. Also, I know there are talks about making only 1
Guard selected, how would that play with hibernation?


Not sure but I think the configuration made to satisfy question #1 is  
going to override this concern.



[tor-relays] specifying your own entrance and exit nodes

2014-12-10 Thread Seth
Assuming there are certain Tor nodes being run by parties hostile to my  
own interests, what are the pros and cons of specifying one's own list of  
trusted entrance and exit nodes?


I run a Tor relay at home 24/7 and use that as my entrance point. I do  
this to provide cover traffic for my own Tor use as well as help out the  
network.


I also try to use Tor for all my daily web browsing when possible. This  
has given me a lot of headaches.


Besides the demoralizing barrage of Cloudflare captchas, I've had a lot of  
problems with dropped connections, timeouts, SSL cert warnings, fatal  
errors connecting to HTTPS sites. I started to get a gut feeling,  
warranted or not, that some exit nodes might be meddling with my traffic.


To combat this I changed the configuration on my local Tor relay to use  
only exit nodes run by organizations or people that I felt I could trust.  
I didn't bother with specifying entrance nodes because I could not see  
what the gain would be.


This seems to have curbed some of the problems, with the tradeoff that  
responsiveness is much more inconsistent.


I'm just curious if restricting exit nodes to a few dozen that you trust  
effectively defeats most of the purpose of using Tor. What would be the  
bare minimum of Tor exit nodes a person would need to use in order to make  
life difficult for the Panopticon surveillor scum?


If this post is more appropriate for Tor-talk, please let me know


Re: [tor-relays] Fast Exit Node Operators - ISP in US

2014-11-23 Thread Seth

On Sat, 22 Nov 2014 22:42:15 -0800, Mirimir miri...@riseup.net wrote:


How much throughput do you get with your VPS, 1000 GB/mo or 2000 GB/mo?


The 1000 GB/mo applies to whichever value is greater, input or output. So  
far the Tor node is pushing less than 1.5GB per day. Takes a while for  
traffic to ramp up apparently.



As I read comments in torrc, AccountingMax applies separately to sent
and received bytes, not to their sum, and so setting '4 GB' may allow
up to 8 GB total before hibernating.


Yes, others have raised this issue as well and I will look into it.
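The daily AccountingMax from the torrc in the "Effectively donating bandwidth" reply, the "reject all" exit-policy advice in the "Relay from home" reply and the per-direction AccountingMax point raised in this thread can all be checked with one small script. This is an added example, not code from the thread or from Tor itself; it assumes Tor's binary size units, treats a month as 30 days for the projection, and works on a constructed sample torrc.

```python
"""Check torrc bandwidth accounting and exit policy (added example)."""
import re
from typing import Dict, List, Tuple

# Size multipliers as Tor's config parser reads them (binary units).
_UNITS = {"bytes": 1, "kbytes": 1024, "mbytes": 1024 ** 2,
          "gbytes": 1024 ** 3, "tbytes": 1024 ** 4}
_ALIASES = {"b": "bytes", "byte": "bytes", "kb": "kbytes", "kbyte": "kbytes",
            "mb": "mbytes", "mbyte": "mbytes", "gb": "gbytes",
            "gbyte": "gbytes", "tb": "tbytes", "tbyte": "tbytes"}


def parse_torrc(text: str) -> List[Tuple[str, str]]:
    """Return (key, value) pairs; '#' starts a comment, even after a value."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        pairs.append((key, value.strip()))
    return pairs


def parse_size(value: str) -> int:
    """Convert '33 GBytes', '4 GB' or a bare byte count to bytes."""
    m = re.fullmatch(r"(\d+)\s*([A-Za-z]*)", value.strip())
    if not m:
        raise ValueError(f"unparseable size: {value!r}")
    unit = m.group(2).lower() or "bytes"
    return int(m.group(1)) * _UNITS[_ALIASES.get(unit, unit)]


def period_days(accounting_start: str) -> int:
    """Length of the AccountingStart period: 'day', 'week' or 'month'."""
    # Assumption: a calendar month is treated as 30 days for the projection.
    return {"day": 1, "week": 7, "month": 30}[accounting_start.split()[0].lower()]


def projected_monthly_bytes(accounting_max: int, days: int,
                            provider_sums_directions: bool) -> int:
    """Worst-case traffic the provider meters over a 30-day month.

    Tor applies AccountingMax to sent and received bytes separately, so a
    provider that bills the sum of both directions can see up to twice
    AccountingMax per period, while one that bills only the larger
    direction sees AccountingMax itself.
    """
    per_period = accounting_max * (2 if provider_sums_directions else 1)
    return per_period * 30 // days


def is_non_exit(policy_lines: List[str]) -> bool:
    """True if the combined ExitPolicy rejects everything before any accept.

    Tor evaluates ExitPolicy rules first-match-wins and appends its own
    (permissive) default policy when no catch-all rule is given, so a
    torrc with no 'reject *:*' is an exit even if it never says 'accept'.
    """
    rules: List[str] = []
    for line in policy_lines:
        rules.extend(r.strip() for r in line.split(",") if r.strip())
    for rule in rules:
        action, _, pattern = rule.partition(" ")
        if action.lower() == "reject" and pattern.strip() in ("*:*", "*"):
            return True   # catch-all reject reached before any accept rule
        if action.lower().startswith("accept"):
            return False  # some destination may still be reached via exit
    return False          # no catch-all: Tor's default accept rules apply


def check_torrc(text: str, monthly_allowance: str,
                provider_sums_directions: bool = False) -> dict:
    """Summarise exit status and the accounting projection of a torrc."""
    cfg: Dict[str, str] = {}
    policies: List[str] = []
    for key, value in parse_torrc(text):
        if key.lower() == "exitpolicy":
            policies.append(value)
        else:
            cfg[key.lower()] = value
    report = {"non_exit": is_non_exit(policies),
              "projected_bytes": None, "allowance_ratio": None}
    if "accountingmax" in cfg:
        days = period_days(cfg.get("accountingstart", "month 1 00:00"))
        projected = projected_monthly_bytes(parse_size(cfg["accountingmax"]),
                                            days, provider_sums_directions)
        report["projected_bytes"] = projected
        report["allowance_ratio"] = projected / parse_size(monthly_allowance)
    return report


# Constructed sample: the daily cap from the thread plus a non-exit policy.
SAMPLE_TORRC = """\
# Bandwidth and data caps
AccountingStart day 19:45 # calculate once a day at 7:45pm
AccountingMax 33 GBytes
ExitPolicy reject *:*
"""

if __name__ == "__main__":
    r = check_torrc(SAMPLE_TORRC, "1000 GBytes")
    print(f"non-exit: {r['non_exit']}; projected "
          f"{r['projected_bytes'] / 1024 ** 3:.0f} GiB/month "
          f"({r['allowance_ratio']:.0%} of allowance)")
```

Passing provider_sums_directions=True shows the doubled figure a provider that bills in+out together would see for the same torrc.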


Re: [tor-relays] Fast Exit Node Operators - ISP in US

2014-11-23 Thread Seth

On Sat, 22 Nov 2014 19:13:17 -0800, ZEROF secur...@netmajstor.com wrote:

I saw some info just yesterday, but it's not in actual server  
configuration. Can you provide some good resource for setting  
dnscrypt-proxy? And no logging DNS's is good to protect end users

A caveat: You should probably avoid using the default OpenDNS servers with  
dnscrypt-proxy.


From the 'Bad Relays' wiki page  
https://trac.torproject.org/projects/tor/wiki/doc/badRelays


"The most common misconfiguration I have seen is using OpenDNS as a  
host's nameserver with what I think is the OpenDNS default config.  
Services such as OpenDNS lie to you, under the name of protecting you. The  
result is for instance getting redirected to their webpage when you want  
to visit evil sites such as https://www.torproject.org/."


Re: [tor-relays] Fast Exit Node Operators - ISP in US

2014-11-23 Thread Seth

On Sun, 23 Nov 2014 16:53:03 -0800, ZEROF secur...@netmajstor.com wrote:


I'm not using opendns. OpenNic and OpenDNS are not the same thing.


I'm aware of the distinction.

What I was trying to point out for the benefit of people just getting  
started with dnscrypt-proxy, is that by default it uses OpenDNS servers.


At least it has in every environment that I've set it up in so far.


Re: [tor-relays] Fast Exit Node Operators - ISP in US

2014-11-22 Thread Seth

On Sat, 22 Nov 2014 16:35:18 -0800, I beatthebasta...@inbox.com wrote:

So USA can be fast and cheap but beware when they agree Tor is  
acceptable because there are poor trade practices laws to get refunds  
and rights.


FWIW I spun up a Tor exit node on VULTR. I pro-actively informed them I  
was doing so by creating a support ticket with this text:


Just giving you guys a heads up that I've setup a new Tor exit node.

It's using the ReducedExitPolicy detailed here:

https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy

The reduced exit policy has been successful in eliminating the vast  
majority of DMCA complaints according to this Tor blog post:


https://blog.torproject.org/running-exit-node

If there are any complaints about traffic from this node, please alert me  
immediately so I can deal with them. I have a dedicated email setup for  
this purpose at t...@sysfu.com.


Regards,
Seth

The response was a simple "Thank you for the update" so they seem  
pretty cool about it.


If you look at https://torstatus.rueckgr.at/ you'll see a half dozen other  
nodes running on VULTR.


The starter $5/mo size gets you 1000GB of bandwidth per month, can't beat  
that with a stick.


Another thing I like about VULTR is that you can install your own custom  
OS via an ISO or iPXE script. Also none of that fixed kernel nonsense I  
dealt with at Digital Ocean. And they accept Bitcoin.


The fact that thousands of average joe sysadmins can now spin up a  
powerful Tor relay or exit node, on the operating system of their choice,  
for $5/mo payable in Bitcoin...I think that's a big deal.

--
Seth
I <3 nicely trimmed email replies


Re: [tor-relays] Fast Exit Node Operators - ISP in US

2014-11-22 Thread Seth

On Sat, 22 Nov 2014 18:46:18 -0800, ZEROF secur...@netmajstor.com wrote:

I use server names without logging from this list  
http://wiki.opennicproject.org/Tier2 (France).

Great resource of logless DNS servers, I'm a big fan of OpenNIC.

Have you bothered to encrypt DNS traffic by setting up dnscrypt-proxy or  
the like? These days it's something I include as standard.


Re: [tor-relays] building Tor against LibreSSL 2.1.1 fails with undefined reference to `EVP_aes_128_ctr' error

2014-11-21 Thread Seth
On Fri, 21 Nov 2014 09:10:11 -0800, David Stainton  
dstainton...@gmail.com wrote:



I am also very interested in hearing from people who have built tor
with LibreSSL...


If you want to try building a FreeBSD port using LibreSSL instead of  
OpenSSL add this to /etc/make.conf


OPENSSL_PORT=security/libressl
WITH_OPENSSL_PORT=yes


specifically I'd love it if someone worked out all the details to do
this as a static build in OpenBSD.


Not sure about static builds, what's the benefit?

I do know OpenBSD 5.6 has LibreSSL baked in and it works with Tor. Just  
install the tor package, edit /etc/tor/torrc and you're up and running.


Next time I stand up another relay or exit node on OpenBSD I think I'll  
kick it up a notch with some chroot and/or systrace sauce.


https://trac.torproject.org/projects/tor/wiki/doc/OperationalSecurity#RunTorandOtherServicesinaRestrictedEnvironment

Am also interested in hearing any tips for minimizing data retention. I  
thought about making a hardlink or symlink from /var/log to /dev/null, but  
I have a feeling there's more to it than that.



[tor-relays] Re-installed Tor relay node as exit node with same name, different OS.

2014-11-19 Thread Seth
I recently re-installed the operating system for a VPS that was running  
Parabola GNU/Linux and acting as a Tor relay.


The new OS is OpenBSD 5.6 running tor-0.2.5.10. Instead of running as a  
relay I modified torrc so it runs a ReducedExitPolicy policy.


Initially there were several problems with Tor exit node traffic being  
blocked by the firewall which has since been resolved.


The Tor status page however still does not list this router as an exit  
node.


http://jlve2y45zacpbz6s.onion/router_detail.php?FP=e1e1059d8c41fc48b823c6f09348ea89c4d4c9d4

Any ideas why?
--
Seth
I <3 nicely trimmed email replies


Re: [tor-relays] Re-installed Tor relay node as exit node with same name, different OS.

2014-11-19 Thread Seth

On Wed, 19 Nov 2014 12:50:16 -0800, Libertas liber...@mykolab.com wrote:


Did you restore the relay's secret identity key when reinstalling?


No, that's the part I flubbed.


If you backed up your Linux system, you can restore the key from there.


Linux system was buried somewhere in the cloud


If not, that's fine, you'll just have to wait a little while
for your new relay to build up consensus weight. This might even be a
good thing, as you have forward secrecy (in terms of identity) if your
Linux install was compromised.


Interesting bit about consensus weight. I like the 'forward secrecy'  
aspect of just waiting it out.



* More specifically, this is /var/lib/tor in Linux and
/usr/local/lib/tor in OpenBSD by default, IIRC.


Thanks, I'll take note of that for any future migrations.


Re: [tor-relays] List of Relays' Available SSH Auth Methods

2014-11-18 Thread Seth

On Tue, 18 Nov 2014 09:40:13 -0800, Ryan Getz ry...@getzmail.com wrote:


As Libertas said, pub key auth is generally best... or even for some,
disabling SSH altogether may be possible. If your relay is a VPS and you
have access to a (java) console or some form of IPMI/drac/iLo
management, you may not even need ssh access but these could open up
additional security issues (particularly old firmware for out of band
management).


Another option is to install ZeroTier One and configure the SSH daemon to  
listen only on the zt0 device for your private network.  
https://www.zerotier.com/

--
Seth
I <3 nicely trimmed email replies