Introduction: Tor-Pi Exit Relay (without Getting Raided)
Firstly I know there is a similar instructable that has already been posted. This instructable differs in that it has up to date instructions and is focused on keeping you out of trouble with law enforcement.
What is Tor? Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location.
What is an exit node/relay? An exit node is the last hop in the network of relays, their IP is actually one of the many that are displayed when someone using Tor visit a website.
Why do Tor exit nodes get raided by law enforcement? Inevitably some people use Tor to avoid detection while they are involved in criminal activity online e.g. child pornography and organised crime. If law enforcement were indeed watching the unencrypted traffic that was involved with said criminal activity they would raid the volunteer who is hosting the exit node on the Tor network. For this reason I have set up a Tor exit node that only allows limited traffic making it much less likely to be used in the transfer of illegal material.
To tackle this instructable you should have a pretty good understanding of networking and computing, some linux experience wouldn’t go astray but is not really necessary. If you run into something you don't understand just remember google search is your friend.
Equipment you will need:
- Network and internet connection
- Raspberry Pi model B (for ethernet port)
- SD card 2GB or larger
- AC Adaptor (I used a USB wall charger for mobile phones check here http://elinux.org/RPi_VerifiedPeripherals#Power_adapters)
- Micro USB cable
- USB keyboard and mouse
- HDMI cable
- HDMI capable monitor or any monitor with some kind of HDMI converter
Step 1: Setup Your Pi
First we'll setup the Raspberry Pi, to do this you'll need to have Raspbian installed. You can buy a Pi with Raspbian pre-installed or you can use a 2GB or larger SD card that you already have.
I am using an SD card I already have. Plug the SD card into your computer and download the latest Raspbian http://downloads.raspberrypi.org/raspbian_latest
I'm using windows so I unzipped the file and used win32diskimager (http://sourceforge.net/projects/win32diskimager) to write the Raspbian image to the SD card.
If you are still not sure there is a tutorial here http://elinux.org/RPi_Easy_SD_Card_Setup
Ok now we have Raspbian installed it's time to get our Pi up and running, plug in your SD card, USB keyboard, Ethernet cable to your router, HDMI to your monitor and lastly the micro USB cable to the power socket. The first time you boot up you'll end up with the configuration screen.
The changes you need to make are:
- Expand the filesystem so Raspbian utilises the entire SD card
- Change your password
- Set your language, region and time zone
Go into advanced options
- Change your hostname so you can recognise your Pi on the network.
- Enable SSH so you can access your PI from a computer on your network.
Select finish which should restart your Pi.
Step 2: Keyboard & Updates
If you are in the US or Australia like me you will want to change the keyboard layout to US.
To do this you’ll need to change a file by opening your terminal and entering the command:
sudo nano /etc/default/keyboard
Use the arrow keys to move the cursor and change the gb to us.
Then save the file by pressing ctrl + X then Y and enter to save your changes.
Now to update your Pi, type the following command and hit enter:
sudo apt-get update && sudo apt-get upgrade
When prompted press Y and hit enter to download updates (this will take ages so go have a coffee/beer).
Step 3: Networking & SSH
Next I always give my Pi a static IP by adjusting the LAN settings on my router. I set static IP addressed in the router to avoid IP conflicts.
Giving your Pi a static IP address makes it easier to remember the address when we connect via SSH. Also this makes it fault tolerant when we setup port forwarding.
While we are in the router settings we’ll need to forward the ports 9001 and 9030 to the Pi these ports need to be open for your Tor exit relay to work properly.
I am not going into this because every router is different.
I suggest using google to search for “your routers model number” static IP/port forwarding.
Now the network is up and running I like to use a SSH client like PuTTY to control the Pi.
That way you can copy and paste from this instructable if you’re feeling too lazy to type it out.
To copy use ctrl + c as usual but to paste into PuTTY click the right mouse button.
Download and run PuTTY then type in the IP address of your Pi and press open.
Login as pi and the password is whatever you changed it to in the initial setup.
Step 4: Tor Installation and Configuration
Install Tor with the following command
sudo apt-get install tor
Now we can edit our Tor configuration file:
sudo nano /etc/tor/torrc
First we will uncomment “#RunAsDaemon 1” by removing the # (pound/hash symbol)
Next go down and uncomment “#ORPort 9001”
Next go down further and uncomment “#Nickname” and give it a name eg
Uncomment “#DirPort 9030”
The next step is one of the most important, I have selected a list of ports I feel are safe and will not get my house raided with accusations of downloading child pornography.
Add the following lines:
ExitPolicy accept *:22 # SSH ExitPolicy accept *:43 # WHOIS
ExitPolicy accept *:53 # DNS
ExitPolicy accept *:389 # LDAP
ExitPolicy accept *:443 # HTTPS
ExitPolicy accept *:464 # kpasswd
ExitPolicy accept *:531 # IRC/AIM
ExitPolicy accept *:543-544 # Kerberos
ExitPolicy accept *:554 # RTSP
ExitPolicy accept *:563 # NNTP over SSL
ExitPolicy accept *:636 # LDAP over SSL
ExitPolicy accept *:706 # SILC
ExitPolicy accept *:749 # kerberos
ExitPolicy accept *:873 # rsync
ExitPolicy accept *:902-904 # VMware ExitPolicy accept *:981 # Remote HTTPS management for firewall
ExitPolicy accept *:989-995 # FTP over SSL, Netnews Administration System, telnets, IMAP over SSL, ircs, POP3 over SSL
ExitPolicy accept *:1194 # OpenVPN
ExitPolicy accept *:1220 # QT Server Admin
ExitPolicy accept *:1293 # PKT-KRB-IPSec
ExitPolicy accept *:1500 # VLSI License Manager
ExitPolicy accept *:1533 # Sametime
ExitPolicy accept *:1677 # GroupWise
ExitPolicy accept *:1723 # PPTP
ExitPolicy accept *:1755 # RTSP
ExitPolicy accept *:1863 # MSNP
ExitPolicy accept *:4244 # whatsapp
ExitPolicy accept *:5222-5223 # XMPP/Google Talk/Jabber/Apple iChat
ExitPolicy accept *:5228-5230 # Google Cloud Messaging/Whatsapp/threema
ExitPolicy accept *:6679 # IRC SSL
ExitPolicy accept *:6697 # IRC SSL
ExitPolicy accept *:8332-8333 # BitCoin
ExitPolicy accept *:8443 # PCsync HTTPS
ExitPolicy accept *:10000 # Network Data Management Protocol
ExitPolicy accept *:11371 # OpenPGP hkp (http keyserver protocol)
ExitPolicy accept *:19294 # Google Voice TCP
ExitPolicy accept *:64738 # MumbleExitPolicy reject *:*</sub>
Ok now the configuration is complete, save the changes with ctrl+x and then hit Y and enter
Now you will need to forward ports 9001 and 9030 to your pi in your router settings, every router is different so you'll have to use google and figure it out yourself.
Now reboot the pi:
now we check if it’s working
sudo nano /var/log/tor/log
move your cursor to the very bottom of the document and you are looking for the line:
[notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
That's it! You are now helping to preserve free speech, free journalism and stop injustice to whistle blowers all over the world.