Raspberry Pi as TOR Middle Relay


Tor (The Onion Router) is a service that helps you protect your anonymity while using the Internet.

The goal of the Tor project is to provide censorship-resistant and safer access to the Internet. It is the most widely used free & open source anonymization technique in existence. It also makes it possible to host services like websites in a secure and anonymous fashion (“hidden services”).

Obviously, TOR needs a large number of servers. As the TOR network is not a commercial organisation, it depends on voluntary supporters. This support can easily be provided with your Raspberry Pi.

How it Works

Tor helps to reduce the risks of both simple and sophisticated traffic analysis by distributing your transactions over several places on the Internet, so no single point can link you to your destination. The idea is similar to using a twisty, hard-to-follow route in order to throw off somebody who is tailing you — and then periodically erasing your footprints. Instead of taking a direct route from source to destination, data packets on the Tor network take a random pathway through several relays that cover your tracks so no observer at any single point can tell where the data came from or where it’s going.

https://blog.cavebeat.org/wp-content/uploads/2013/08/TorPosterOriginalLarge-739x1024.jpg
 Art by Molly Crabapple & Words by John Leavitt

“Octopus Not So Great!”

WHAT IS A TOR RELAY? description from EFF.org

Tor relays are also referred to as “routers” or “nodes.” They receive traffic on the Tor network and pass it along. Check out the Tor website for a more detailed explanation of how Tor works.
There are three kinds of relays that you can run in order to help the Tor network: middle relays, exit relays, and bridges.

MIDDLE RELAY
For greater security, all Tor traffic passes through at least three relays before it reaches its destination. The first two relays are middle relays which receive traffic and pass it along to another relay. Middle relays add to the speed and robustness of the Tor network without making the owner of the relay look like the source of the traffic. Middle relays advertise their presence to the rest of the Tor network, so that any Tor user can connect to them. Even if a malicious user employs the Tor network to do something illegal, the IP address of a middle relay will not show up as the source of the traffic. That means a middle relay is generally safe to run in your home, in conjunction with other services, or on a computer with your personal files. See our legal FAQ on Tor for more info.

EXIT RELAY
An exit relay is the final relay that Tor traffic passes through before it reaches its destination. Exit relays advertise their presence to the entire Tor network, so they can be used by any Tor users. Because Tor traffic exits through these relays, the IP address of the exit relay is interpreted as the source of the traffic. If a malicious user employs the Tor network to do something that might be objectionable or illegal, the exit relay may take the blame. People who run exit relays should be prepared to deal with complaints, copyright takedown notices, and the possibility that their servers may attract the attention of law enforcement agencies. If you aren’t prepared to deal with potential issues like this, you might want to run a middle relay instead. We recommend that an exit relay should be operated on a dedicated machine in a hosting facility that is aware that the server is running an exit node. The Tor Project blog has these excellent tips for running an exit relay. See our legal FAQ on Tor for more info.

BRIDGE
Bridges are Tor relays which are not publicly listed as part of the Tor network. Bridges are essential censorship-circumvention tools in countries that regularly block the IP addresses of all publicly listed Tor relays, such as China. A bridge is generally safe to run in your home, in conjunction with other services, or on a computer with your personal files.

Setting up a TOR Middle Relay on a Raspberry Pi

It is really easy to set up a Raspberry Pi Tor relay. You help the TOR Project by donating some of the bandwidth of your internet connection, some CPU power of your Raspberry Pi and a little bit of your electricity.

We need:

  • 1x 2-4 GB SD-Card from your old digicam (an 8GB class10 is available for 7€ at amazon)
  • 1x a small Power Cable (pigtail or 3ft. 0.99$ on china-ebay)
  • 1x a short ethernet cable (8″ – 3ft. 0.99$ on china-ebay)
  • 1x Raspberry Pi (from Farnell 43€ including shipping to europe in ~5days)
  • a case: a Punnet case made of paper for 0$, self-built with Lego ?$, the cheapest plastic case on eBay for 8.9$; my case is the Pibow from Pimoroni for 17.95£

SUM:  45-50€ to run a Tor middle relay to boost and strengthen the TOR Project.

I am powering my Pi from my router's USB port, which saves me another micro-USB power supply unit. Booting to the GUI (LXDE in Raspbian) is disabled, and the RAM for the GPU is set to the minimum, leaving the maximum RAM for the ARM CPU.

https://blog.cavebeat.org/wp-content/uploads/2013/08/pi_router-1024x768.jpg

First you need to install Raspbian. HowTo#1 & HowTo#2 are available on my blog. Then set a static IP address on your Pi.

Install TOR on your Raspberry Pi. Tor is available as a Debian Package which makes this step very easy.

$ sudo apt-get update
$ sudo apt-get install tor

When the installation is done, you have to edit the TOR configuration file.

Configuration FILE torrc

The file is located in /etc/tor/.

First make a backup of your torrc configuration file!

$ sudo cp /etc/tor/torrc /etc/tor/torrc.backup

Edit the configuration file.

$ sudo vi /etc/tor/torrc

You need to edit/change up to ~10 variables.

SocksPort 0
## Tor opens a socks proxy on port 9050 by default -- even if you don't
## configure one below. Set "SocksPort 0" if you plan to run Tor only
## as a relay, and not make any local application connections yourself.

Log notice file /var/log/tor/notices.log

## Logs go to stdout at level “notice” unless redirected by something
## else, like one of the below lines. You can have as many Log lines as
## you want.
## We advise using “notice” in most cases, since anything more verbose
## may provide sensitive information to an attacker who obtains the logs.
## Send all messages of level ‘notice’ or higher to /var/log/tor/notices.log

RunAsDaemon 1
## Uncomment this to start the process in the background... or use
## --runasdaemon 1 on the command line. This is ignored on Windows;
## see the FAQ entry if you want Tor to run as an NT service.

ORPort 9001
## Required: what port to advertise for incoming Tor connections.

DirPort 9030 # what port to advertise for directory connections
## Uncomment this to mirror directory information for others. Please do
## if you have enough bandwidth.

ExitPolicy reject *:* # no exits allowed
## This is necessary to run the TOR node as a relay only, without the exit-node functionality.

Nickname rasptorxxx  # (you can choose whatever you like)
## A handle for your relay, so people don’t have to refer to it by key.

RelayBandwidthRate 100 KB  # Throttle traffic to 100KB/s (800Kbps)
RelayBandwidthBurst 200 KB # But allow bursts up to 200KB/s (1600Kbps)
## Define these to limit how much relayed traffic you will allow. Your
## own traffic is still unthrottled. Note that RelayBandwidthRate must
## be at least 20 KB.
## Note that units for these config options are bytes per second, not bits
## per second, and that prefixes are binary prefixes, i.e. 2^10, 2^20, etc.

ControlPort 9051
## The port on which Tor will listen for local connections from Tor
## controller applications, as documented in control-spec.txt.
## This is necessary for the command-line GUI tool TOR-ARM.
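
Before restarting, the edited file can be checked against the relay-only settings listed above. This is an added example, not part of the original post or of Tor: audit_torrc and sample_torrc are names made up here, the sample config is constructed from the values in this post, and the check only sees the text it is given, so authentication configured in another file is not noticed.

```shell
#!/bin/sh
# Added example: audit a torrc for the relay-only settings from this post.
# audit_torrc [FILE]  reads FILE (or stdin), prints one line per finding and
# returns the number of findings as its exit status (0 = nothing to report).
audit_torrc() {
    awk '
        # Drop comments and blank lines; torrc option names are case-insensitive.
        { sub(/#.*/, ""); if ($0 ~ /^[ \t]*$/) next; key = tolower($1) }
        key == "socksport"             { socks = $2 }
        # Exit policy rules are evaluated first-match, so the first rule decides.
        key == "exitpolicy" && !seen++ { policy = $2 " " $3 }
        key == "log" && tolower($2) ~ /^(info|debug)/ { verbose = 1 }
        key == "controlport" && $2 != "0"             { control = 1 }
        key == "cookieauthentication" && $2 == "1"    { auth = 1 }
        key == "hashedcontrolpassword"                { auth = 1 }
        END {
            n = 0
            if (socks != "0")           { print "SocksPort is not 0: a local SOCKS proxy stays open"; n++ }
            if (policy != "reject *:*") { print "ExitPolicy does not start with reject *:*: node may act as an exit"; n++ }
            if (verbose)                { print "Log level is more verbose than notice: logs may expose sensitive data"; n++ }
            if (control && !auth)       { print "ControlPort is set without CookieAuthentication or HashedControlPassword in this file"; n++ }
            exit n
        }
    ' "$@"
}

# Constructed sample: the settings from this post as they would appear in /etc/tor/torrc.
sample_torrc() {
    cat <<'EOF'
SocksPort 0
Log notice file /var/log/tor/notices.log
RunAsDaemon 1
ORPort 9001
DirPort 9030 # what port to advertise for directory connections
ExitPolicy reject *:* # no exits allowed
Nickname rasptorxxx
RelayBandwidthRate 100 KB
RelayBandwidthBurst 200 KB
ControlPort 9051
EOF
}

# Demo on the sample; on the Pi run: audit_torrc /etc/tor/torrc
sample_torrc | audit_torrc || echo "findings: $?"
```

Tor itself logs a warning when a ControlPort is open and no authentication method is configured, because any local program could then reconfigure the relay.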

After changing the settings, you have to restart your Tor server.

$ sudo /etc/init.d/tor restart

Now check if your server is up and running. Check your logfile for a success notice.

$ cat /var/log/tor/log

If your installation and configuration were successful, there should be an entry with “[notice] Tor has successfully opened a circuit. Looks like client functionality is working.”

$ cat /var/log/tor/notices.log
Look out for “[notice] Self-testing indicates your DirPort is reachable from the outside. Excellent.”

Thanks, you are now volunteering for the TOR Project. Karma points are rising!

You should now be able to find your Tor relay on a Torstatus list after a few hours.

Installing the ARM – TOR Status Monitor


The anonymizing relay monitor (arm) is a terminal status monitor for Tor, intended for command-line aficionados, ssh connections, and anyone with a tty terminal. This works much like top does for system usage, providing real time statistics for:


It shows several useful pieces of information:

  • the running tor-version
  • tor-flags
  • used ports
  • nickname if set
  • fingerprint of your node
  • uptime of your server
  • process id of tor
  • CPU usage of TOR and ARM process
  • memory usage of TOR process
  • bandwidth and limits
  • in and outgoing bandwidth monitor
  • events in logfiles
  • editing configuration
  • many many more

Installing TOR-ARM

You need to set the ControlPort in your Tor configuration file as described above! The monitor program needs this port to control the tor process and receive data.

$ sudo apt-get install tor-arm

Starting

$ sudo arm
This starts arm as root; it is better to start the status monitor as the user the TOR server runs as.
[ARM_NOTICE] Arm is currently running with root permissions. This is not a good idea, and  will still work perfectly well if it’s run with the same user as Tor (ie, starting with “sudo -u debian-tor arm”).
Start arm with the TOR user.
$ sudo -u debian-tor arm

Some Useful Links:
http://www.instructables.com/id/Raspberry-Pi-Tor-relay/?ALLSTEPS
http://blog.epsilontik.de/?page_id=5
http://www.eric-scheibler.de/blog/index.php?/archives/21-Howto-Einen-Tor-Middle-Node-bzw.-eine-Bridge-unter-Debian-5.0-betreiben.html
http://www.atagar.com/arm/
http://www.darkcoding.net/society/running-a-tor-relay-node-server-on-ubuntu/
http://olb.dyndns.info/notizen/2011/05/3-tor-server/

Installing Bodhi Linux on Raspberry Pi


Bodhi Linux is a Linux Distribution leveraging the fast, customizable, and beautiful Enlightenment Desktop. Enlightenment coupled with a minimal set of utilities such as a browser, text editor, and package management tools form the solid foundation of Bodhi Linux.

This should also work for other distributions like Raspbian, Occidentalis, etc … which are available as SD-Card image.

First download the Bodhi Linux ARMHF image from Bodhi Linux.

The files are hosted on Sourceforge and are available there: http://sourceforge.net/projects/bodhilinux/files/ARMHF/Pi/

There are also md5sums and SHA1 checksums available to check that your download completed correctly.
On any Linux machine the md5sum command should be available.
For Windows users there are also programs like winmd5sum available to do this check. If the check was successful, you can extract the *.tar.gz file.

Writing the image to SD-Card

For Windows users there is the tool win32-image-writer. You can download it from https://launchpad.net/win32-image-writer/+download. Do not try to drag and drop or otherwise copy over the image without using dd or Win32DiskImager – it won’t work. If this explanation didn’t help you, there is a beginner's guide at http://elinux.org/RPi_Easy_SD_Card_Setup .

For the Linux/*nix Users:
Check your devices directory with

$ ls /dev/sd*

Insert your SD-Card to your sd-card slot on your computer.
Then check your devices directory again; the new device (your SD-Card) should now be listed as a new entry in this directory. Your first hard disk is normally /dev/sda, with /dev/sda1, /dev/sda2 for your partitions.
Your SD-Card should be something like /dev/sdb.

We can easily use the old unix tool dd.

The command needs the parameters InputFile and OutputFile and BlockSize.

$ dd if=image.img of=/path/to/drive bs=1M

Take care not to mix up if and of, or to pick the wrong device path.

Then unmount the sd-card and insert it to your Raspberry Pi.

Your Raspberry Pi should boot now with Bodhi.

Check my other Tutorials for First Steps after Install

overclocking Raspberry Pi & config.txt


There are a few settings in the config.txt file available to overclock the Raspberry Pi.

The Standard Settings should be 700MHz ARM CPU, 250MHz Core, 400Mhz SDRAM without overvolting.

The easiest and fastest way is to use the raspi-config tool to overclock your board. There is an overclock section, where you can set the maximum frequency for the CPU.

If your board supports the highest Turbo mode, there is a performance improvement of up to 50% compared to 700MHz. This comes not only from the 300MHz+ CPU speed, but also from the faster RAM (+25%) and core (+100%).

A good and reliable power supply is suggested when you try overclocking.

The raspi-config tool has 5 overclock presets. They are not guaranteed to work flawlessly, but this is improving. Try the modest or medium one for some weeks. If there are no problems, you can take the next step. I have tested mine with different distributions, and now it is running in Turbo (=highest) mode without problems. Temperature in 24/7 mode stays at ~55°C in a Pibow case.

If you choose too high an overclock, your Pi may fail to boot, in which case holding down the shift key during boot up will disable the overclock for that boot, allowing you to select a lower level.

https://blog.cavebeat.org/wp-content/uploads/2013/08/overclock.jpg

The Raspberry Pi dynamically enables overclocking and overvolting when the CPU is busy, !!!without affecting your warranty!!! If the BCM2835 gets too hot (85°C), it limits the Turbo mode and the Raspberry Pi runs only in normal mode. This should only happen in really hot environments.

config.txt or overclocking by hand

The config.txt file is stored on the first partition of the SD-Card. Your Raspi Linux system mounts the first partition at /boot, so config.txt is available as /boot/config.txt. It is read by the GPU before the ARM core is started. It is used to set system configuration parameters like overscan, overclocking, display_modes, additional licenses for MPG-2/VC-1 codecs, …

Commonly used parameters:

  • arm_freq Frequency of ARM in MHz. Default 700
  • core_freq Frequency of GPU processor core in MHz. It has an impact on ARM performance since it drives L2 cache. Default 250
  • sdram_freq Frequency of SDRAM in MHz. Default 400
  • over_voltage ARM/GPU core voltage adjust. [-16,8] equates to [0.8V,1.4V] with 0.025V steps. force_turbo will allow values higher than 6. Default 0 (1.2V)
  • force_turbo Disables dynamic cpufreq driver and minimum settings below. Enables h264/v3d/isp overclock options. Default 0
  • initial_turbo Enables turbo mode from boot for the given value in seconds (up to 60) or until cpufreq sets a frequency. Can help with sdcard corruption if overclocked. Default 0

A detailed list is available here, with more settings like arm_freq_min and core_freq_min, settings to underclock, higher values and other tweaks.

Be careful with overriding limits (current and temperature)!!!

Voiding Warranty

You will lose your warranty for your device if you combine the following settings.

(force_turbo || current_limit_override || temp_limit>85) && over_voltage>0

 

Forcing the Turbo Mode together with overvoltage will set the Sticky Bit.

OR

Disabling the current limit together with overvoltage will set the Sticky Bit.

OR

Increasing the Templimit over 85°C together with overvoltage will set the Sticky Bit.

 

Sticky Bit

The Sticky Bit is a bit which is only readable in the CPU and gets set when some dangerous settings are combined. If you send your Raspberry Pi back to your seller because it is broken, they can find out if you have used too dangerous overclock settings. Then there will be no refund.

You can check your sticky bit with

$ cat /proc/cpuinfo

 

In the line with revision there should be something like this, which shows which manufacturing revision you are holding in your hand.

Revision    : 0002

If the sticky bit is set it looks like this:

Revision    : 1000002
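
The warranty rule and the Revision check can both be scripted. This is an added example, not part of the original post: config_sets_sticky_bit and sticky_bit_set are names made up here, the sample inputs are constructed, and it assumes the flag is exactly the extra leading 1 shown above (bit 24 of the hexadecimal Revision value).

```shell
#!/bin/sh
# Added example: the warranty rule and the sticky-bit check from this post.

# config_sets_sticky_bit [FILE]  reads config.txt text (FILE or stdin) and
# returns 0 when it matches the rule
#   (force_turbo || current_limit_override || temp_limit>85) && over_voltage>0
# and 1 otherwise. An option counts as enabled when it is set to a non-zero value.
config_sets_sticky_bit() {
    awk -F= '
        { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }          # strip comments and whitespace
        $1 == "force_turbo"            { turbo  = ($2 + 0 != 0) }
        $1 == "current_limit_override" { climit = ($2 != "" && $2 != "0") }
        $1 == "temp_limit"             { temp   = $2 + 0 }
        $1 == "over_voltage"           { ov     = $2 + 0 }
        END { exit !((turbo || climit || temp > 85) && ov > 0) }
    ' "$@"
}

# sticky_bit_set [FILE]  reads /proc/cpuinfo text (FILE or stdin).
# Returns 0 if the Revision value has bit 24 set (0002 -> 1000002),
# 1 if it does not, 2 if no usable Revision line was found.
sticky_bit_set() {
    rev=$(awk -F: '/^Revision/ { gsub(/[ \t]/, "", $2); print $2; exit }' "$@")
    case "$rev" in ''|*[!0-9a-fA-F]*) return 2 ;; esac
    [ $(( 0x$rev & 0x1000000 )) -ne 0 ]
}

# Constructed samples.
printf 'arm_freq=1000\nover_voltage=6\n' | config_sets_sticky_bit \
    || echo "over_voltage alone: rule not met"
printf 'arm_freq=1000\nover_voltage=6\nforce_turbo=1\n' | config_sets_sticky_bit \
    && echo "force_turbo with over_voltage: rule met"
printf 'Revision\t: 1000002\n' | sticky_bit_set && echo "sticky bit is set"
```

On the Pi itself the calls are config_sets_sticky_bit /boot/config.txt and sticky_bit_set /proc/cpuinfo.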

Checking Temperature and CPU Speed

If you want to know your CPU speed which is at the moment used, you can find out with following commands:

$ cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq

700000
pi@raspberrypi ~ $ cat /sys/class/thermal/thermal_zone0/temp
55148

The speed is measured in kHz and has to be divided by 1000 to get MHz. The temperature also has to be divided by 1000 to get the temperature in °C, which in this example is 55°C.

To test whether the Raspberry Pi is using the CPU driver when needed, open a second SSH shell and run something in the first one that needs a lot of CPU power, like:

$ sudo apt-get update

In the other window, check your speed about ten times.

pi@raspberrypi ~ $ cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq
1000000

It should sometimes show the overclocked speed, but only when there is load on the CPU.

 

http://qdosmsq.dunbar-it.co.uk/blog/2012/09/give-your-raspberry-pi-turbo-mode/

Post from DOM in the Raspberry Pi Forum

static IP address for Raspberry Pi and Debian GNU/Linux


Connect to your Raspberry Pi with SSH

If you don’t know your IP address, you can use the hostname instead. The IP scanner from my former post should help you find out the IP address of your Raspberry Pi.

# ssh pi@yourIPaddress
pi@raspberrypi.lan's password: 

pi@raspberrypi ~ $ cd /etc/network
pi@raspberrypi /etc/network $ sudo vi interfaces

 

The output should look similar to this.

auto lo

iface lo inet loopback
iface eth0 inet dhcp

auto wlan0
allow-hotplug wlan0
iface wlan0 inet dhcp
        wpa-ssid "my-network-ssid"
        wpa-psk "my-wifi-password"

Now change the line “iface eth0 inet dhcp” to your needs:

iface eth0 inet static
# your IP Address
        address 10.0.0.220
# your netmask
        netmask 255.255.255.0
# your router/modem used as your gateway
        gateway 10.0.0.138

Lines starting with '#' are ignored. Note that end-of-line comments are NOT supported; comments must be on a line of their own.
Then reboot:

pi@raspberrypi ~ $ sudo reboot

 

Your Pi should reboot now with the new ip address.

There is a good manual available for the interfaces file:

pi@raspberrypi ~ $ man interfaces

The static Method
This method may be used to define Ethernet interfaces with statically allocated IPv4 addresses.

Options

  • address address Address (dotted quad/netmask) required
  • netmask mask Netmask (dotted quad or CIDR)
  • broadcast broadcast_address Broadcast address (dotted quad, + or -). Default value: “+”
  • gateway address – Default gateway (dotted quad)

To-Do after install on Raspberry Pi


First check which IP address your Raspberry Pi has received in your network from your DHCP server or router.

Angry IP Scanner (or simply ipscan) is an open-source and cross-platform network scanner designed to be fast and simple to use. It scans IP addresses and ports as well as has many other features.

https://blog.cavebeat.org/wp-content/uploads/2013/08/angryipscanner.png

https://blog.cavebeat.org/wp-content/uploads/2013/08/angry_scan.jpg

Once you have found out your IP address, connect to your Raspberry Pi with SSH.

with hostname

# ssh pi@raspberry.lan 

or with ip

# ssh pi@yourIPaddress

Standard Login:

User:pi Password: raspberry

cave@cave:~> ssh pi@raspberrypi.lan
pi@raspberrypi.lan's password: 
Linux raspberrypi 3.2.27+ #160 PREEMPT Mon Sep 17 23:18:42 BST 2012 armv6l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

Type 'startx' to launch a graphical session
Last login: Sun Oct 21 15:03:41 2012 from cave.lan
pi@raspberrypi ~ $

 

Update your operating system.

# sudo apt-get update
# sudo apt-get upgrade

then you can run

# sudo raspi-config

https://blog.cavebeat.org/wp-content/uploads/2013/08/raspi_config.jpg

Start with the update. Then change your settings for the following points.

  • change_pass – sets the password for your User “pi”
  • expand_rootfs – to grow the second partition and fill the SD-Card
  • keyboard
  • locales
  • timezone
  • memory split – define how the RAM is split between CPU and GPU
  • update – update the raspi-config tool.
  • overclock – sets 5 different overclock settings. With this tool it should not void your warranty. After your system is running without problems, try out some

After that, reboot and connect again with SSH.

 

Now your system is updated and ready for use. You have also learned how to use the raspi-config tool.

Install Raspberry Pi images on SD-Card


The Raspberry Pi is supported by several different Linux distributions. Here is a list of most of the available distributions.

Debian

  • Bodhi Linux  – derived from Raspbian featuring the Enlightenment Desktop. Enlightenment is a lightweight Desktop Environment but also nice looking

https://blog.cavebeat.org/wp-content/uploads/2013/08/Bodhi_linux_logo.png

  • Occidentalis – derived from Raspbian, Hardware-Hacking friendly. Comes with support for SPI, I2C, PWM, kernel Modules…

https://blog.cavebeat.org/wp-content/uploads/2013/08/adafruit_pi.png

  • Arch

Arch Linux ARM is based on Arch Linux, which aims for simplicity and full control to the end user. Note that this distribution may not be suitable for beginners. The latest version of this image uses the hard-float ABI, and boots to a command prompt in around ten seconds.

https://blog.cavebeat.org/wp-content/uploads/2013/08/archarm.png

HTPC

The Raspberry Pi can also be used as a Home Theater PC. The XBMC developers were provided with early Alpha Boards to port XBMC to the Raspberry Pi Board and support the Videocore IV GPU.

  • OpenELEC – Open Embedded Linux Entertainment Center, Image Download, distribution only developed for XBMC. Fast running

https://blog.cavebeat.org/wp-content/uploads/2013/08/openelec_raspberry.jpg

  •  RaspBMC – Raspbmc is a minimal Linux distribution based on Debian that brings XBMC to your Raspberry Pi.
    https://blog.cavebeat.org/wp-content/uploads/2013/08/raspbmclogo.png

Installation with a Linux/Unix PC

  • Download the image and check its MD5SUM/SHA256SUM after downloading.
  • Put the SD-Card into your computer.
  • Check your currently mounted partitions with “ls /dev/sd*”.
  • Run the command “dmesg | tail” to see on which path your SD-Card is available.
  • Now the new device should be available. Check it with “ls /dev/sd*”.
  • One thing worth noting though is that /path/to/drive should not include any partition number. An example path would be something like: /dev/sdb
  • sudo dd if=image.img of=/path/to/drive bs=1M

    dd is a tool which reads data from if (Input File) and writes it to of (Output File). Please take care not to mix up the if & of parameters!!!
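
The checks this list asks for (verify the checksum, use the whole device rather than a partition, stay away from the first hard disk) can be wrapped around the dd call. This is an added example, not part of the original post: verify_sum, check_target and write_image are names made up here, it assumes /dev/sdX device naming as used in the post, and it prints the dd command instead of running it.

```shell
#!/bin/sh
# Added example: guard rails around the dd step described above.

# verify_sum TOOL FILE EXPECTED_HEX
# TOOL is md5sum, sha1sum or sha256sum. Returns 0 only if FILE hashes to
# EXPECTED_HEX (case-insensitive), 1 on mismatch, 2 on bad tool or unreadable file.
verify_sum() {
    case "$1" in md5sum|sha1sum|sha256sum) ;; *) return 2 ;; esac
    [ -r "$2" ] || return 2
    actual=$("$1" "$2" | cut -d' ' -f1)
    expected=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# check_target PATH  returns 0 only for a whole /dev/sdX device other than sda.
check_target() {
    case "$1" in
        /dev/sda*)          echo "refusing $1: sda is normally the first hard disk" >&2; return 1 ;;
        /dev/sd[b-z])       return 0 ;;
        /dev/sd[b-z][0-9]*) echo "refusing $1: that is a partition, use the whole device" >&2; return 1 ;;
        *)                  echo "refusing $1: not a /dev/sdX device" >&2; return 1 ;;
    esac
}

# write_image TOOL IMAGE EXPECTED_HEX DEVICE
# Prints the dd command only when both checks pass (dry run: remove "echo" to write).
write_image() {
    verify_sum "$1" "$2" "$3" || { echo "checksum mismatch or unreadable: $2" >&2; return 1; }
    check_target "$4" || return 1
    echo sudo dd if="$2" of="$4" bs=1M
}

# Demo with a constructed stand-in "image"; no device is touched.
demo_img=$(mktemp) && printf 'not a real image\n' > "$demo_img"
demo_sum=$(sha256sum "$demo_img" | cut -d' ' -f1)   # stands in for the published checksum
write_image sha256sum "$demo_img" "$demo_sum" /dev/sdb1 || true   # refused: partition
write_image sha256sum "$demo_img" "$demo_sum" /dev/sdb            # prints the dd command
rm -f "$demo_img"
```

In real use the expected value comes from the checksum file published next to the image, not from hashing the download itself.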

Repartitioning

After writing the image file onto the SD-Card there are two partitions on it. The first partition /dev/sdb1 is a ~65MB FAT32 partition with the bootloader, ELF and config.txt files, etc. The second partition is usually an ext partition with the root filesystem. But this partition is not as big as the SD-Card. In Raspbian there is the raspi-config tool, which can resize and grow the partition to use the whole SD-Card.

There are several partitioning tools available, but I mostly use the program GParted.

Two specialised live distros are available for this tool.

With these tools it is easy to repartition the SD-Card, and grow and resize the second partition.

https://blog.cavebeat.org/wp-content/uploads/2013/08/libparted.jpg

openWRT Bridge with Relayd (Pseudobridge)


Recipe for Bridging with Atheros Chipsets

Works for TP-Link TL-WR703n as an example.

Based on these two links:

http://trac.gateworks.com/wiki/relayd

http://wiki.openwrt.org/doc/recipes/relayclient

https://forum.openwrt.org/viewtopic.php?pid=173467#p173467

 

Connect your Router with your WAN-Router Device (modem, switch, … )

root@OpenWrt:~# opkg update
root@OpenWrt:~# opkg install relayd
root@OpenWrt:~# opkg install luci-proto-relay
root@OpenWrt:~# opkg install wpad
root@OpenWrt:~# /etc/init.d/relayd enable

Set the IP address of the LAN to something different.

root@OpenWrt:/etc/config# vi network
config interface lan
        option ifname   eth0
        option type     bridge
        option proto    static
        option ipaddr   10.0.1.1 
        option netmask  255.255.255.0

reboot or restart network.

root@OpenWrt:~# /etc/init.d/network restart

Set your IP Address of your PC to 10.0.1.2

Connect your Router with your PC.

disable any DHCP.

Connect to Luci with your browser to 10.0.1.1

Go to network, wifi make a scan

join your wifi

make all your settings for the Wifi device, at this part a new interface is created

Go to Network->Interfaces

Edit the new created interface (WWAN) for example

Make a static or dhcp address here.

disable any DHCP.

Create a new Interface “stabridge” in the Interface section.

use the “relay bridge” protocol

Relay between networks WWAN and LAN.

check

lan/wwan is set to IP address in a different net

interface stabridge is set to relay between lan/eth0 and wwan/wlan0

wlan0/wwan interface is assigned

change Firewall rules

Zone Forwarding, set to Accept

DONE

Hello world!


Hello World

older posts are available on http://cavebeat.blogspot.co.at/
