A couple of notes on running a Tor relay

Chroot Tor

I found the instructions for building a chrooted Tor server (0.2.2.*) on Debian 6.0.6 (Squeeze) to work fine: https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorInChroot

Libevent2

Debian stable only has libevent 1 in the repositories; I downloaded and installed 2 from source on my system.

./configure
make
make install
# added this line to libc.conf to make sure this library can be found:
echo "/usr/local/include" >> /etc/ld.so.conf.d/libc.conf

Tor

My compile options are a little different from those in the tutorial:

$ ./configure --prefix=/tor --with-tor-user=debian-tor --with-tor-group=debian-tor \
    --enable-gcc-hardening --enable-linker-hardening \
    --enable-static-openssl --with-openssl-dir=/usr/local/ssl \
    --enable-static-libevent --with-libevent-dir=/usr/local/include

I’m not sure why using gcc and linker hardening is not shown in the tutorial. I see there is a ticket that has been completed for enabling gcc hardening by default when building 0.2.3.*. This is currently an issue yet to be resolved for the Tor Browser Bundle.

You can use the tool checksec.sh on the compiled Tor binary to show the extra hardening.
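
One way to check the same properties by hand, as an added example (not code from this post or from checksec.sh): the function below classifies the text printed by `readelf -W -h -l -d -s`. The function names and the sample excerpt are constructed for illustration.

```sh
# Added example: classify ELF hardening from the text that
# `readelf -W -h -l -d -s BINARY` prints. Exits 1 if any check fails.
classify_hardening() {
    awk '
        /Type: +DYN/            { pie = 1 }      # position-independent executable
        $1 == "GNU_RELRO"       { relro = 1 }    # linked with -z relro
        /BIND_NOW/              { now = 1 }      # linked with -z now
        /\(FLAGS_1\)/ && /NOW/  { now = 1 }
        # With -W the flags column is the field before Align; E means executable stack
        $1 == "GNU_STACK"       { stack = 1; if ($(NF-1) ~ /E/) execstack = 1 }
        /__stack_chk_fail/      { canary = 1 }   # stack protector in use
        /_chk@/ || /_chk$/      { fortify = 1 }  # _FORTIFY_SOURCE wrappers such as __memcpy_chk
        END {
            nx = (stack && !execstack)
            r = relro ? (now ? "full" : "partial") : "none"
            printf "PIE=%s NX=%s RELRO=%s CANARY=%s FORTIFY=%s\n",
                yn(pie), yn(nx), r, yn(canary), yn(fortify)
            exit (pie && nx && relro && now && canary && fortify) ? 0 : 1
        }
        function yn(v) { return v ? "yes" : "no" }'
}

# Wrapper for a real file, e.g. check_binary /home/chroot_tor/tor/tor/bin/tor
check_binary() { readelf -W -h -l -d -s "$1" | classify_hardening; }

# Constructed readelf excerpt (not captured from a real build) for an offline run
sample_hardened() {
    cat <<'EOF'
  Type:                              DYN (Shared object file)
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
  GNU_RELRO      0x1f2d90 0x00000000003f2d90 0x00000000003f2d90 0x00d270 0x00d270 R   0x1
 0x0000000000000018 (BIND_NOW)
     7: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
    19: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (4)
EOF
}

sample_hardened | classify_hardening   # demo on the constructed excerpt
```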

PaX flags

I use a Grsecurity hardened kernel. Here are the PaX flags that I make use of:

$ paxctl -c /home/chroot_tor/tor/tor/bin/tor
$ paxctl -C /home/chroot_tor/tor/tor/bin/tor
$ paxctl -PSmxER /home/chroot_tor/tor/tor/bin/tor
$ paxctl -v /home/chroot_tor/tor/tor/bin/tor
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: P-S--m-xE-R- [/home/chroot_tor/tor/tor/bin/tor]
        PAGEEXEC is enabled
        SEGMEXEC is enabled
        MPROTECT is disabled
        RANDEXEC is disabled
        EMUTRAMP is enabled
        RANDMMAP is enabled

Enabling MPROTECT only allows one process to start; set “NumCPUs 1” in torrc when using this option. Unfortunately, enabling this hammered performance on my relay, and Tor throws up warning messages about it:

[warn] Your computer is too slow to handle this many circuit creation requests! Please consider using the MaxAdvertisedBandwidth config option or choosing a more restricted exit policy. [3 similar message(s) suppressed in last 60 seconds]

Monitoring

Sign up for Tor Weather at https://weather.torproject.org/ to receive email when:

  • Your version of Tor is out of date
  • The router has low bandwidth capacity
  • You are able to claim a Tor t-shirt (conditions)

Vnstat shows my monthly contributions:

 eth0  /  monthly

       month        rx      |     tx      |    total    |   avg. rate
    ------------------------+-------------+-------------+---------------
      Aug '13    590.28 GiB |  641.61 GiB |    1.20 TiB |    3.86 Mbit/s
      Sep '13      1.69 TiB |    1.90 TiB |    3.60 TiB |   11.91 Mbit/s
      Oct '13    938.36 GiB |    1.13 TiB |    2.04 TiB |    6.55 Mbit/s
      Nov '13    921.40 GiB |    1.01 TiB |    1.91 TiB |    6.32 Mbit/s
      Dec '13      1.24 TiB |    1.35 TiB |    2.59 TiB |    8.29 Mbit/s
      Jan '14      1.60 TiB |    1.78 TiB |    3.38 TiB |   10.85 Mbit/s
      Feb '14    985.56 GiB |    1.04 TiB |    2.00 TiB |    9.83 Mbit/s
    ------------------------+-------------+-------------+---------------
    estimated      1.33 TiB |    1.44 TiB |    2.77 TiB |

Last Tor log heartbeat:

[notice] Heartbeat: Tor's uptime is 24 days 0:00 hours, with 1318 circuits open. I've sent 1224.07 GB and received 1131.20 GB