-
Notifications
You must be signed in to change notification settings - Fork 8
/
obsd-relays-adv.html
174 lines (112 loc) · 7.69 KB
/
obsd-relays-adv.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/>
<title>OpenBSD Guide to Configuring Tor Relays</title>
<link type="text/css" rel="stylesheet" href="torbsd.css"/>
<meta name="author" content="gman999"/>
<meta name="editors" content=""/>
<meta name="date" content="20150505"/>
<meta name="note" content="These lines are at the top are multimarkdown metadata; leave them."/>
<meta name="sep" content="⋔"/>
</head>
<body>
<h1 id="thetorbsddiversityprojecttdp"><a href="index.html">The Tor BSD Diversity Project (TDP)</a></h1>
<p>⋔ <a href="blog.html">Blog</a> ⋔ <a href="faq.html">FAQ</a> ⋔ <a href="resources.html">Resources</a> ⋔ <a href="https://github.com/torbsd/">GitHub</a> ⋔ <a href="contact.html">Contact</a> ⋔ <a href="http://bptfp7py2wclht26.onion/">TDP Onion</a> ⋔</p>
<p><strong><a href="projects.html">The TDP Projects</a>:</strong><br/>
⋔ <a href="https://github.com/torbsd/openbsd-ports/">Tor Browser for OpenBSD</a> ⋔ <a href="relay-guides.html">BSD Relay Guides</a> ⋔ <a href="corp-relays.html">Corporate Relays</a> ⋔ <a href="porting-pets.html">Ports for PETs</a> ⋔ <a href="oostats.html">Statistics</a> ⋔</p>
<h2 id="openbsdguidetoconfiguringtorrelays">OpenBSD Guide to Configuring Tor Relays</h2>
<p><strong>THIS IS PRELIMINARY WORK AT AN EARLY STAGE. ANONYMITY IS NOT A GAME, SO PLEASE DO NOT JUST ASSUME THESE GUIDES ARE FINE AS-IS. YOU HAVE BEEN WARNED.</strong></p>
<h2 id="introduction">Introduction</h2>
<p><a href="http://www.openbsd.org" title="OpenBSD Project">OpenBSD</a> is a Unix-derived operating system focused on security and the adherence to standards. It is considered among the most secure systems available. OpenBSD developers rebuilt SSH from the ground up, until the omnipresent adoption of OpenSSH. OpenBSD developers are now building LibreSSL as a replacement for OpenSSL, frustrated by the accumulated laundry list of vulnerabilities.</p>
<p>With its default install, OpenBSD is not a high-bandwidth relay due to its secure configuration. Allowing a large number of open files on a system is a short route to a compromised device. This guide provides a number of simple changes to the default OpenBSD install.</p>
<p>For installing applications, OpenBSD’s <a href="http://www.openbsd.org/faq/faq15.html#Intro" title="The OpenBSD packages and ports system">recommended method</a> is the <a href="http://www.openbsd.org/faq/faq15.html#PkgMgmt" title="pkg_add system">pkg_add(1)</a> system, as opposed to using ports build from source. pkg_add uses pre-compiled binary files with set options. Rarely should a user have an issue with the defaults. There are cases in which a more experienced OpenBSD user would opt for the ports system.</p>
<p>This guide is based on OpenBSD 5.7, which was released on May 1, 2015.</p>
<h3 id="syntax">Syntax</h3>
<p>Refer to the <a href="doc-guide.html">Documentation Style Guide</a> for information about syntax in this document.</p>
<h3 id="openbsddocumentation">OpenBSD Documentation</h3>
<p>OpenBSD documentation, both its <a href="http://www.openbsd.org/faq/index.html" title="OpenBSD FAQ">FAQ</a> and <a href="http://www.openbsd.org/cgi-bin/man.cgi" title="OpenBSD Manual Pages">manual pages</a>, are comprehensive and accurate. The vast majority of questions faced by a user are answered there. The manual pages are also available directly on an OpenBSD system.</p>
<h3 id="somepreliminaryissues:openbsd-stable-currentorsnapshotsportsorpackages">Some Preliminary Issues: OpenBSD -STABLE -CURRENT or snapshots? Ports or Packages?</h3>
<p>OpenBSD’s -STABLE branch is released every six months. The -CURRENT branch, in the form of snapshots, are updated as often, sometimes on a daily basis. Upgrading OpenBSD is easiest with either physical or serial console access to the server. Without immediate access, the -STABLE version is the recommended route.</p>
<p>OpenBSD’s [pkg_add] system is reliable and errors are rare. For most users, the <a href="http://www.openbsd.org/faq/faq15.html#Ports" title="ports system">ports</a> system is not recommended. However, it is important to note that OpenBSD does not include the alpha or unstable versions of Tor in its packages. In one case, OpenBSD did use the alpha version as its default package due to a significant Tor vulnerability.</p>
<h2 id="thequickandshortversion">The Quick and Short Version</h2>
<p>These are the basic steps to configure a Tor relay with OpenBSD, based on the default install. This will create a relay. For more detailed instructions and for additional tips on securing and optimizing the relay</p>
<ol>
<li><p>Install OpenBSD, then reboot</p></li>
<li><p>Add the following section to <em>/etc/login.conf</em> file:</p></li>
</ol>
<blockquote>
<p><code>tor:\</code></p>
<blockquote>
<p><code>:openfiles-max=8192:\</code>
<code>:tc=daemon:</code></p>
</blockquote>
</blockquote>
<ol>
<li>Increase the kernel limit on maximum files:</li>
</ol>
<blockquote>
<p>$ sysctl kern.maxfiles=20000</p>
</blockquote>
<ol>
<li>To make that sysctl change remains after rebooting, add the following to the <em>/etc/sysctl.conf</em> file:</li>
</ol>
<blockquote>
<blockquote>
<p>kern.maxfiles=20000</p>
</blockquote>
</blockquote>
<ol>
<li>Install Tor:</li>
</ol>
<blockquote>
<p>$ pkg_add -r tor</p>
</blockquote>
<ol>
<li>Copy the torrc.sample file to torrc:</li>
</ol>
<blockquote>
<p>$</p>
</blockquote>
<ol>
<li><p>Edit <em>/etc/tor/torrc</em> appropriately</p></li>
<li><p>Add the line tor_flags=“-f /etc/tor/torrc” in the /etc/rc.conf.local file</p></li>
<li><p>Start Tor with /etc/rc.d/tor start</p></li>
<li><p>Watch the Tor log with “tail -f /var/log/tor/notices.log”</p></li>
</ol>
<h2 id="someadditionalconfigurationconsiderationsoptions">Some Additional Configuration Considerations & Options</h2>
<p>Installing OpenBSD</p>
<p>System Configuration</p>
<p>RAM-based disks such as tmpfs or are useful for avoiding writes to the hard disk, which limits residual data after reboots and can increase the longevity of sensitive disk media, particularly compact flash cards.</p>
<h4 id="layoutoftorfilesonopenbsd">Layout of Tor Files on OpenBSD</h4>
<p>The torrc file is located in /etc/tor/torrc.</p>
<p>The sample file is in /usr/local/share/examples/tor/torrc.sample</p>
<p>Log</p>
<p>/var/log/tor/notices.log</p>
<h3 id="toronstartup">Tor on Startup</h3>
<p>$ cat /etc/rc.conf.local</p>
<blockquote>
<p>tor_flags=“-f /etc/tor/torrc”</p>
<p>ntpd_flags=“-s”</p>
<p>sndiod_flags=NO</p>
</blockquote>
<p>/etc/sysctl.conf</p>
<p>kern.maxfiles=20000 default is 7030</p>
<p>/etc/login.conf</p>
<p>By default, OpenBSD maintains limits for kernel functions with an eye on security. For higher-bandwidth on an array of kernel functions. One in particular that will significantly throttle a Tor relay’s operation is the number of open files allowed. This raises the number of open files for the Tor daemon:</p>
<p><code>tor:\</code></p>
<blockquote>
<p><code>:openfiles-max=8192:\</code></p>
<p><code>:tc=daemon:</code></p>
</blockquote>
<h3 id="encryptingswap">Encrypting Swap</h3>
<p>By default, OpenBSD enables encrypted swap in /etc/sysctl.conf:</p>
<p><code>#vm.swapencrypt.enable=0 # 0=Do not encrypt pages that go to swap</code></p>
<h2 id="future">Future</h2>
<h3 id="whytouseportsasopposedtopackages">Why To Use Ports as Opposed to Packages</h3>
<p>OpenBSD’s pkg_add system is easy to use and smooth in operation. However, the pkg_add restricts the install to the current Tor package with </p>
<p><hr></p>
<p><em>Copyright © 2018 by The Tor BSD Diversity Project (TDP). All Rights Reserved.</em></p>
<p><code>last updated: Tue Jun 13 19:25:38 2017 UTC</code></p>
</body>
</html>