Samstag, 4. Februar 2012

Setting up a Tor Bridge Relay on illumos

Times are getting rough again. There are regimes out there that censor the ability of their citizens to express themselves or communicate with each other, sometimes even lives are at stake. Communication isn't a luxury, it's what makes us human, it empowers us, tears down walls between people and helps us to understand each other. Censorship and total surveillance is a violation of human rights, it's something we need to fight. One way of doing this is to support the Tor Project. In this blogpost I will show how to set up a so called bridge relay on illumos, an entry point to the tor network which empowers people that suffer under the influence of censorship and surveillance to access the internet.

Step 1: Building Tor under illumos

Building Tor is easy as pie. All you need is the libevent src and the Tor src.

Step 2: Setting up an illumos zone

Since illumos inherits all the awesome features of OpenSolaris we can isolate our Tor bridge inside of a zone. We will create a zone with the name "tor".

Before we start we need to create a zfs dataset for our zone. I usually put mine in /export/zones (which itself is a dataset) like so:
[root@lain:~]> zfs create rpool/export/zones/tor
Now, let's set up the zone:
[root@lain:~]> zonecfg -z tor
tor: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:test> create
zonecfg:test> set zonepath=/export/zones/tor
zonecfg:test> verify
zonecfg:test> commit
zonecfg:test> exit
[root@lain:~]> zoneadm list -cv                      
  ID NAME             STATUS     PATH                           BRAND    IP    
   0 global           running    /                              native   shared
   - test             configured /export/zones/tor              ipkg     shared
Now we install our virtual illumos inside of the zone, this might take a few minutes.
[root@lain:~]> zoneadm -z tor install
And boot the bugger.
[root@lain:~]> zoneadm -z tor boot
Everything is set up and ready to go. We have a virtual instance of illumos running inside of a container. Time to log into it.

[root@lain:~]> zlogin -C tor

Step 3: Setup TOR

Time to get serious. After building Tor and putting it into our zone we now need to configure Tor to function as a Bridge Relay. Here we set up our bridge to listen on port 443. Since Tor traffic looks a lot like SSL it's a good place to run. Our torrc should look like this:

SocksPort 0
ORPort 443
BridgeRelay 1
Exitpolicy reject *:*

I recommend that you set up a tor user to avoid running as root. The problem is that you cannot run run a server on a privileged port when you are a mere user. We can use RBAC to give the tor user a profile that allows it to run services on such ports.

[root@tor:~]> usermod -K defaultpriv=basic,net_privaddr tor
To start up tor simple we simply issue:

[tor@tor:~]> pfexec tor -f torrc
We are ready to go! If you've got questions or more ideas, leave me a comment.

If you want to know more about the Tor Project, I recommend you this talk: