toralf / torutils

Few tools for a Tor relay.
https://zwiebeltoralf.de/torserver.html
GNU General Public License v3.0

Feature Request: support multiple IPs on single Tor relay #8

Closed yawnbox closed 1 year ago

yawnbox commented 1 year ago

Hello,

Our (@emeraldonion) Tor relays use 20 IPv4 and 20 IPv6 addresses on a single bare-metal Ubuntu server using Netplan. @Enkidu-6 kindly wrote a rough script (https://github.com/Enkidu-6/tor-ddos/tree/main/multiple) for us to try, but I'm hoping it can be matured to automatically detect all IPs on a system or, perhaps, utilize a single /25 or /64 subnet, instead of manually having to put in individual IPs.

Below is one of our Netplan configs, for reference:

user@relay:~$ sudo cat /etc/netplan/00-installer-config.yaml 
# This is the network config written by 'subiquity'
network:
  ethernets:
    ens1f0:
      accept-ra: no
      addresses:
                    - 23.129.64.130/25
                    - 23.129.64.131/25
                    - 23.129.64.132/25
                    - 23.129.64.133/25
                    - 23.129.64.134/25
                    - 23.129.64.135/25
                    - 23.129.64.136/25
                    - 23.129.64.137/25
                    - 23.129.64.138/25
                    - 23.129.64.139/25
                    - 23.129.64.140/25
                    - 23.129.64.141/25
                    - 23.129.64.142/25
                    - 23.129.64.143/25
                    - 23.129.64.144/25
                    - 23.129.64.145/25
                    - 23.129.64.146/25
                    - 23.129.64.147/25
                    - 23.129.64.148/25
                    - 23.129.64.149/25
                    - 23.129.64.150/25
                    - 23.129.64.151/25
                    - 23.129.64.152/25
                    - 23.129.64.153/25
                    - 23.129.64.154/25
                    - 23.129.64.155/25
                    - 23.129.64.156/25
                    - 23.129.64.157/25
                    - 23.129.64.158/25
                    - 23.129.64.159/25
                    - 23.129.64.160/25
                    - 23.129.64.161/25
                    - 23.129.64.162/25
                    - 23.129.64.163/25
                    - 23.129.64.164/25
                    - 23.129.64.165/25
                    - 23.129.64.166/25
                    - 23.129.64.167/25
                    - 23.129.64.168/25
                    - 23.129.64.169/25
                    - 2620:18c:0:192::169/64
                    - 2620:18c:0:192::168/64
                    - 2620:18c:0:192::167/64
                    - 2620:18c:0:192::166/64
                    - 2620:18c:0:192::165/64
                    - 2620:18c:0:192::164/64
                    - 2620:18c:0:192::163/64
                    - 2620:18c:0:192::162/64
                    - 2620:18c:0:192::161/64
                    - 2620:18c:0:192::160/64
                    - 2620:18c:0:192::159/64
                    - 2620:18c:0:192::158/64
                    - 2620:18c:0:192::157/64
                    - 2620:18c:0:192::156/64
                    - 2620:18c:0:192::155/64
                    - 2620:18c:0:192::154/64
                    - 2620:18c:0:192::153/64
                    - 2620:18c:0:192::152/64
                    - 2620:18c:0:192::151/64
                    - 2620:18c:0:192::150/64
                    - 2620:18c:0:192::149/64
                    - 2620:18c:0:192::148/64
                    - 2620:18c:0:192::147/64
                    - 2620:18c:0:192::146/64
                    - 2620:18c:0:192::145/64
                    - 2620:18c:0:192::144/64
                    - 2620:18c:0:192::143/64
                    - 2620:18c:0:192::142/64
                    - 2620:18c:0:192::141/64
                    - 2620:18c:0:192::140/64
                    - 2620:18c:0:192::139/64
                    - 2620:18c:0:192::138/64
                    - 2620:18c:0:192::137/64
                    - 2620:18c:0:192::136/64
                    - 2620:18c:0:192::135/64
                    - 2620:18c:0:192::134/64
                    - 2620:18c:0:192::133/64
                    - 2620:18c:0:192::132/64
                    - 2620:18c:0:192::131/64
                    - 2620:18c:0:192::130/64
      dhcp6: false
      gateway4: 23.129.64.129
      gateway6: 2620:18c:0:192::1

Ansible-relayor auto-generates torrc files based on random IPs from netplan. We end up with 20 individual torrc files on a single server. Here is one of our torrc files, for reference:

user@relay:~$ sudo cat /etc/tor/instances/23.129.64.130_443/torrc
# ansible-relayor generated torrc configuration file
# Note: manual changes will be OVERWRITTEN on the next ansible-playbook run

OfflineMasterKey 1
RunAsDaemon 0
Log notice syslog
OutboundBindAddress 23.129.64.130
SocksPort 0
User _tor-23.129.64.130_443
DataDirectory /var/lib/tor-instances/23.129.64.130_443
ORPort 23.129.64.130:443
ORPort [2620:18c:0:192::130]:443
OutboundBindAddress [2620:18c:0:192::130]

DirPort 23.129.64.130:80
Address 23.129.64.130

SyslogIdentityTag 23.129.64.130_443

ControlSocket /var/run/tor-instances/23.129.64.130_443/control GroupWritable RelaxDirModeCheck

Nickname ageis
ContactInfo url:emeraldonion.org proof:uri-rsa ciissversion:2 tech@emeraldonion.org

Sandbox 1
NoExec 1

# we are an exit relay!
ExitRelay 1
IPv6Exit 1
DirPort [2620:18c:0:192::130]:80 NoAdvertise
DirPortFrontPage /etc/tor/instances/tor-exit-notice.html

ExitPolicy reject 23.129.64.128/25:*,reject6 [2613:18c:0:192::]/64:*,accept *:*,accept6 *:*

MyFamily 09dca3360179c6c8a5a20ddde1c54662965ef1ba,0c6842ccf836de08efea0bd6c1471ae3463b9b71,0f6b61a697f6327bc2f535ac54e02b48331315cd,11948e49fa160f5e6fac73f15a6a71e519fcc04c,1228111a6d4afc619ed3a70079a3a0b678476a43,1dc6e52adb9fe4346cefc05c6916d8b8f7f66d1c,2184b5a3289c994b960f464169a968274b202fc7,251be7fb15a9b61903ee95c42c924e8ed2cd0db8,375aafd4e280b95136969e191af4d9a1fa7c4fd9,39150d8f6e5661f70f549c50f8222851c216d8cf,41c80c52ac82295a4d4308d30dccd3d4abc4f66c,4e2f7d3326fbce300557b9aff463cc434aadd120,5e82d5e2c21d1d1632bd61df78c77acb02d18cce,6214618c6c796abc4f075116e650bb7a18a4fe81,6a642caf73bdbec64dd9a44b9b973c70b3e74707,706b1ed9af5ccac90ad488ae2691b358fa598cbb,71fca424edfd2bb8e6f766f93490a88d71ac7814,7258793152ff8447a31c9344570f84eae3df4763,779019937414e5b63b77f0d460c8626b67f7093e,787047c813b8a61fcc38245a162040310d3648ca,7f0cf3d96c1c910020149eea5a10294117dc67aa,85300b26a8ed4d145bd2df5ac19978f803ed0380,89587dce6fee1e95b32c019b73364aecdc62552d,8b9b72d9613e1b674a17daa6a11fe336c3427191,9334d96083d3cf0c1ed5b373323c9927bfe5c9b3,9425164e47e7b8f2aa66944fbdc38cfafb3e0b7c,a0f27def0617ebb8671bddbb4d521d11af06c3d7,a2f580f93fa3d0da373769614bd9b0c8a6c4623e,ac28d573c16bd0c7d42aa70976bf36984a1e4de0,b0230fa330c6a8eb4b80b13853752e74ab5e6505,b2dc8cc5579a3f85121c1ab4a6c3aa38b5b0dc3e,b3bee41ac2562a0198f4b0df206c41c85d2f59a7,b65cc2b45ce9c934d1e1254736166d6ab64c2abc,c9df39aabf4e34309e04e1e56db9fa6cf37ae140,d38709329b73afa18e6923003f429a2fc65c0655,e0641145321185699a49b9d00ee2f22b5b77964a,eec43c685c0d0f7cf12d0f9e7481e09d03c6be6c,f27f9d7fc6d46e0f91533c68b572347435797cb0,f4c836a27bf192f3364a67166e8ee2b19693aed1,fc773d88785cf34cf0028ba13c5cbd32cab27ae2,fdc2d887b604872dbd0c0ba3f79b911d951d943b
# end of torrc

Cheers, yawnbox
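The request above is to discover every address on the box instead of typing them in. The following is an added example, not code from torutils, tor-ddos or ansible-relayor: it parses `ip -o addr show` output, keeps only global-scope IPv4/IPv6 addresses (loopback, link-local and other host/link-scope entries are dropped), and prints them in the `ADDR:PORT` shape Tor uses for `ORPort`, bracketing IPv6 as Tor requires. The interface name `ens1f0`, port 443 and the embedded sample `ip` output are constructed for the example; `orport_lines_for_dev` reads the live system, `orport_lines_from_sample` runs the same pipeline offline.

```shell
#!/usr/bin/env bash
# Added example, not code from torutils, tor-ddos or ansible-relayor:
# turn the address list of one interface into the per-IP lines that Tor
# (or a firewall script) needs, so a relay with 20 IPv4 + 20 IPv6
# addresses does not have to list each one by hand.
set -eu

# Print the global-scope IPv4/IPv6 addresses found in `ip -o addr show`
# output read from stdin, one per line, prefix length stripped.  Loopback,
# link-local and anything whose scope is not "global" is skipped.
global_addrs() {
  awk '
    ($3 == "inet" || $3 == "inet6") && $0 ~ / scope global/ {
      addr = $4
      sub(/\/.*/, "", addr)   # drop the /25 or /64 prefix length
      print addr
    }'
}

# Format each address from stdin as ADDR:PORT, bracketing IPv6 the way
# Tor expects in ORPort / DirPort values.
with_port() {
  local port="$1" addr
  while IFS= read -r addr; do
    case "$addr" in
      *:*) printf '[%s]:%s\n' "$addr" "$port" ;;
      *)   printf '%s:%s\n' "$addr" "$port" ;;
    esac
  done
}

# Emit one "ORPort ADDR:PORT" torrc line per global address on device $1,
# listening on port $2.  Reads the live system via `ip`.
orport_lines_for_dev() {
  ip -o addr show dev "$1" | global_addrs | with_port "$2" | sed 's/^/ORPort /'
}

# Constructed sample of `ip -o addr show` output (assumed device ens1f0),
# so the pipeline can be exercised offline.
SAMPLE_IP_OUTPUT='2: ens1f0    inet 23.129.64.130/25 brd 23.129.64.255 scope global ens1f0\       valid_lft forever preferred_lft forever
2: ens1f0    inet 23.129.64.131/25 brd 23.129.64.255 scope global secondary ens1f0\       valid_lft forever preferred_lft forever
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: ens1f0    inet6 2620:18c:0:192::130/64 scope global \       valid_lft forever preferred_lft forever
2: ens1f0    inet6 fe80::1234:5678:9abc:def0/64 scope link \       valid_lft forever preferred_lft forever'

# Same as orport_lines_for_dev, but driven by the sample text above.
orport_lines_from_sample() {
  printf '%s\n' "$SAMPLE_IP_OUTPUT" | global_addrs | with_port "$1" | sed 's/^/ORPort /'
}

# Usage: ./orports.sh --demo      (sample data)
#        orport_lines_for_dev ens1f0 443   (live system, after sourcing)
if [ "${1:-}" = "--demo" ]; then
  orport_lines_from_sample 443
fi
```

With the sample data the demo prints three `ORPort` lines (two IPv4, one bracketed IPv6); the loopback and link-local entries never reach the output. The same `global_addrs | with_port` pipeline can feed a firewall whitelist instead of a torrc, since the `ADDR:PORT` form is what such scripts consume.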

toralf commented 1 year ago

https://github.com/toralf/torutils/tree/experimental should address the "auto-generates torrc files" behavior.

But currently only an ORPort is considered by the script. Handling the DirPort will take a little bit more effort. Will do it.

Update: Pls see below.

cybermonkee commented 1 year ago

> Commit 2e9da64 of https://github.com/toralf/torutils/tree/experimental should address the "auto-generates torrc files" behavior.
>
> But currently only the ORPort are considered by my scripts. Handling the DirPort will take a little bit more effort. Will do it.

I didn't think the Dir port was required anymore? https://blog.torproject.org/new-stable-security-releases-03515-0449-0459-0465/

toralf commented 1 year ago

> I didn't think the Dir port was required anymore? https://blog.torproject.org/new-stable-security-releases-03515-0449-0459-0465/

Yes, but maybe the Tor exit notice still uses it? Even then, that page should rather be served by e.g. nginx than by Tor.

@yawnbox Why do you still have the DirPort configured?

toralf commented 1 year ago

I tend to not handle DirPort, because it is deprecated for non-authority relays.

To serve the DirPortFrontPage, just run, according to README.md, something like:

    export ADD_LOCAL_SERVICES="23.129.64.130/25:80"
    export ADD_LOCAL_SERVICES6="[2620:18c:0:192::169/113]:80"

before the script itself.

yawnbox commented 1 year ago

perhaps we should turn it off :-) the web page notice is probably not important.

Great, so pls let me know, if the latest version in the experimental branch works for the "Ansible-relayor auto-generates torrc files ".

boldsuck commented 1 year ago

> I tend to not handle DirPort, because it is deprecated for non-authority relays.

+1

Quote from Roger:

Relays use IPv4 DirPorts and IPv4 ORPorts. There is no reason to configure an IPv6 DirPort.

If you configure IP + IPv6 DirPort you will find something like that in the syslog: tor [warn] Can't advertise more than one DirPort.

I always have it like that when Tor should display the DirPage:

Address 185.220.101.32
Address [2a0b:f4c2:2::32]
OutboundBindAddress 185.220.101.32
OutboundBindAddress [2a0b:f4c2:2::32]
ORPort 185.220.101.32:10032
ORPort [2a0b:f4c2:2::32]:10032
DirPort 185.220.101.32:80

ToDo @ me, configure nginx!
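The thread's conclusion is to drop the `DirPort` and let a web server publish the exit notice on the relay's own IPs. The following is an added example, not configuration from the thread, torutils or ansible-relayor: an nginx server block bound to the same IPv4/IPv6 pair the `23.129.64.130_443` instance uses, serving only the notice page and answering 404 for everything else. The document root `/var/www/tor-exit-notice` (with the notice copied there as `index.html`) is an assumption; with this in place the `DirPort`, `DirPortFrontPage` and `DirPort ... NoAdvertise` lines can be removed from the torrc, and if the torutils firewall script is in use, the :80 listeners need to be whitelisted as the `ADD_LOCAL_SERVICES` example earlier in the thread shows.

```nginx
# Added example (not from the thread, torutils or ansible-relayor):
# serve the Tor exit notice from nginx instead of a Tor DirPort.
# Assumes /etc/tor/instances/tor-exit-notice.html was copied to
# /var/www/tor-exit-notice/index.html (path is an assumption).
server {
    # Bind explicitly to this instance's addresses, not 0.0.0.0/[::],
    # so the 20 per-IP instances do not fight over port 80.
    listen 23.129.64.130:80;
    listen [2620:18c:0:192::130]:80;
    server_name _;

    root /var/www/tor-exit-notice;

    # Nothing is logged for abuse-complaint traffic hitting the notice.
    access_log off;

    # Only the notice itself is served, from the root URL.
    location = / {
        try_files /index.html =404;
        add_header X-Content-Type-Options nosniff;
    }

    # Every other path, including /tor/... that a DirPort would have
    # answered, is refused.
    location / {
        return 404;
    }
}
```

One server block per IP pair keeps the notice reachable at the address each relay descriptor advertises; a single block listing all 20 `listen` pairs works too if the notice is identical for every instance.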