
Configuring and Running a Centralized Tor Server for Your Network

Introduction

Tor and Polipo can be configured to act as centralized proxy servers for a small network. This is convenient when many users want to use Tor but nobody wants to maintain a Tor installation on every computer: only the server's Tor and Polipo need maintaining and updating, and each client runs nothing more than a regularly updated web browser such as Firefox with the Torbutton add-on, pointed at the server.

Requirements

  • *BSD/*nix type operating environment
  • Root/Administrator privileges
  • A basic understanding of your network configuration

Step One: Install Tor and Polipo

  1. Follow the Linux/BSD/Unix install guide up to and including step two: http://www.torproject.org/docs/tor-doc-unix.html.en
  2. Skip step three of the install guide for now; the web browser configuration happens later, once everything else is working.
  3. Download and install an appropriate version of torsocks for your OS from https://gitweb.torproject.org/torsocks.git/. Torsocks wraps most SOCKS-friendly applications so that they can be run through Tor from the command line; it provides the commands usewithtor and torsocks. Ubuntu carries this package in its repository.
  4. Test that Tor is working using torsocks. Note that torsocks talks directly to Tor's SOCKS port (9050) and bypasses Polipo entirely, so this confirms Tor alone; the Polipo path is checked in Step Four:
$ usewithtor lynx https://check.torproject.org/

If everything is working properly, lynx should display a page similar to the one below:

                     Congratulations. You are using Tor.

   Please refer to the Tor website for further information about using Tor
                                   safely.
                           Additional information:
               Your IP address appears to be: 192.251.226.205

Double check your ACTUAL public IP address against the address that check.torproject.org reports. They should differ, which shows that you reached the page through the Tor network. Beware of one false positive: if the server is itself a registered Tor exit and you reach the page directly rather than through Tor, the page will still say you are using Tor, but the address it shows will be your own rather than that of some other Tor exit.

If the test fails, check /var/log/tor and /var/log/polipo for hints as to where the problem lies. Whenever you change /etc/tor/torrc or /etc/polipo/config, restart the daemons to load the new configuration before continuing.

$ sudo /etc/init.d/tor restart
$ sudo /etc/init.d/polipo restart

Step Two: Configure Polipo

Configure polipo to accept connections from the hosts on your network. Start from the suggested polipo configuration and change the settings shown below in /etc/polipo/config.

Basic Configuration

# Uncomment one of these if you want to allow remote clients to
# connect:

# proxyAddress = "::0"        # both IPv4 and IPv6
# IPv4 only, all interfaces. The allowed clients are restricted below.
# On a server that also has an external interface, 0.0.0.0 makes the
# proxy reachable from the Internet too, with only allowedClients in
# the way; either firewall port 8118 on the external interface or bind
# to the internal address instead: proxyAddress = "192.168.X.Y"
proxyAddress = "0.0.0.0"

# proxyAddress = "127.0.0.1"
# port on which to run the proxy
proxyPort = 8118

# If you do that, you'll want to restrict the set of hosts allowed to
# connect:

# allowedClients = "127.0.0.1, 134.157.168.57"
# allowedClients = "127.0.0.1, 134.157.168.0/24"

# Assigning allowedClients twice does not add to the list: the second
# assignment replaces the first. Give localhost and your network in one
# comma-separated list. Replace X with the appropriate network segment.
allowedClients = "127.0.0.1, 192.168.X.0/24"
allowedPorts = 1-65535

# Uncomment this if there's only one user using this instance of Polipo:

#cacheIsShared = false

# Uncomment this if you want to use a parent SOCKS proxy
# (Tor's local SocksPort from Step Three):

socksParentProxy = "localhost:9050"
socksProxyType = socks5

Step Three: Configure Tor

Configure Tor to accept connections from all hosts in your network as well as act as a relay.

Basic Network Configuration

Start with the default configuration in /etc/tor/torrc; the following changes allow hosts within your network to connect to your Tor server.

## Replace this with "SocksPort 0" if you plan to run Tor only as a
## relay, and not make any local application connections yourself.
## Port for local application connections (Polipo uses this one):
SocksPort 127.0.0.1:9050
## Also listen on the internal interface so that clients on the network
## can use Tor's SOCKS port directly. Replace 192.168.X.Y with the
## server's internal IP address. Do not use 0.0.0.0 here: on a server
## with an external interface that would offer SOCKS to the Internet.
## (Older torrc files write this as "SocksListenAddress 192.168.X.Y:9100";
## that option is deprecated in favour of giving the address on SocksPort.)
SocksPort 192.168.X.Y:9100

## Entry policies to allow/deny SOCKS requests based on IP address.
## First entry that matches wins. If no SocksPolicy is set, we accept
## all (and only) requests that reach one of the SocksPorts.
## Accept connections from the local network; set X to match your network.
SocksPolicy accept 192.168.X.0/24
## Accept local connections.
SocksPolicy accept 127.0.0.1
## By default, reject every connection that has not matched a rule above.
SocksPolicy reject *

Relay Configuration

Your Tor server can both act as a gateway to the Tor network for users on your network and relay traffic for other Tor users. Running a relay is a great service to the Tor network, but consider carefully whether it is right for you: it increases your bandwidth usage, and if you run an exit, some sites will treat your address differently because of the volume of other people's traffic leaving through it. Check the TorFAQ for more information on deciding whether to run a relay. Mike Perry also has a great piece on limiting the problems caused by running an exit node on his blog: https://blog.torproject.org/blog/tips-running-exit-node. If you choose not to set up Tor as a relay, consider running a bridge. If neither option is appealing, skip the relay configuration, restart the daemons as shown at the end of this step, and move on to Step Four.

Change your torrc to match the segment below.

################ This section is just for relays #####################
#
## See https://www.torproject.org/docs/tor-doc-relay for details.

## Required: what port to advertise for incoming Tor connections.
ORPort 9001
## If you want to listen on a port other than the one advertised
## in ORPort (e.g. to advertise 443 but bind to 9090), uncomment the
## line below too. You'll need to do ipchains or other port forwarding
## yourself to make this work.
#ORListenAddress 0.0.0.0:9090

## A handle for your relay, so people don't have to refer to it by key.
Nickname your_nickname_here

## The IP address or full DNS name for your relay. Leave commented out
## and Tor will guess; uncomment and fill in your domain name only if
## the guess is wrong.
#Address your.FQDN.here

## Define these to limit how much relayed traffic you will allow. Your
## own traffic is still unthrottled. Note that RelayBandwidthRate must
## be at least 20 KBytes.
## Throttle relayed traffic to 100 KB/s (800 Kbit/s); lower this if you need to.
RelayBandwidthRate 100 KBytes
## But allow bursts up to 200 KB/s (1600 Kbit/s); lower this if you need to.
RelayBandwidthBurst 200 KBytes

## Contact info to be published in the directory, so we can contact you
## if your relay is misconfigured or something else goes wrong. Google
## indexes this, so spammers might also collect it.
#ContactInfo Random Person
## You might also include your PGP or GPG fingerprint if you have one:
#ContactInfo 1234D/FFFFFFFF Random Person

## Uncomment this to mirror directory information for others. Please do
## if you have enough bandwidth.
## What port to advertise for directory connections:
DirPort 9030

## Whether a relay with no ExitPolicy acts as an exit depends on the Tor
## version, so state what you want explicitly. Uncomment the next line
## for a non-exit relay (no traffic leaves the Tor network from your
## address); leave it commented only if you mean to run an exit and have
## read the exit-node guide linked above.
#ExitPolicy reject *:*

Restart tor and polipo to apply the changes.

$ sudo /etc/init.d/tor restart
$ sudo /etc/init.d/polipo restart

Step Four: Test the Configuration

Use torsocks to test your configuration again, making sure that the displayed IP address differs from your actual IP address. Remember that this only exercises Tor's loopback SOCKS port on the server itself; to prove that the network-facing listeners and Polipo work, also point a browser or curl on a client machine at the server's Polipo port (8118) and SOCKS port (9100), as in Step Five.

$ usewithtor lynx https://check.torproject.org/

If the test fails, check your logs for errors such as those shown below.

If polipo is not configured to accept connections from your network (allowedClients), its log will show a line like this for each rejected client:

Refusing connection from unauthorised net

If tor is misconfigured, it may be refusing connections from polipo, or not listening on the address given in socksParentProxy at all. You will then see an error such as this in the polipo log:

Connect to google.com:80 failed: Connection refused

If Tor is running but its SocksPolicy rejects the client, the rejection is recorded in Tor's own log rather than Polipo's.
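The torsocks test only talks to Tor's loopback SOCKS port on the server, so it says nothing about the network-facing listeners from Steps Two and Three or about Polipo. The following shell script is an added example, not part of the original page and not Tor or Polipo code. It assumes the server's internal address is 192.168.1.10 (override with SERVER=...), the ports used above, and that https://check.torproject.org/api/ip answers with JSON of the form {"IsTor":true,"IP":"..."}; the ss output embedded in it is constructed. Run it with --audit on the server to list proxy ports bound to a wildcard address, and with --live on a client to push one request through Polipo and one through Tor's SOCKS port, comparing the exit address seen with the client's direct address so that the "own exit" false positive from Step One is caught rather than counted as success.

```shell
#!/bin/sh
# Added example, not part of the original page or of Tor/Polipo: checks for
# the centralized proxy that the loopback torsocks test does not cover.
# Assumptions (not from the page): the server's internal address is $SERVER
# (default 192.168.1.10), Polipo listens on 8118, Tor's network-facing
# SocksPort is 9100, and https://check.torproject.org/api/ip answers with
# JSON like {"IsTor":true,"IP":"185.220.101.1"}.
set -e
SERVER="${SERVER:-192.168.1.10}"

# 1. Listener audit. Feed it the output of `ss -ltn` (or `netstat -ltn`)
#    taken on the server; it prints any proxy port bound to a wildcard
#    address. On a host with an external interface a wildcard bind exposes
#    the proxy to the Internet, with only allowedClients / SocksPolicy
#    standing between you and an open proxy.
wildcard_proxy_listeners() {
    printf '%s\n' "$1" | awk '
        $4 ~ /^(0\.0\.0\.0|\*|\[::\]|::):(8118|9100|9050)$/ { print $4 }'
}

# 2. Interpret one check.torproject.org/api/ip answer ($1) against the
#    address the client sees when it goes direct ($2). IsTor alone is not
#    proof: a server that is itself a registered exit is reported as Tor
#    even for requests that never entered the Tor network (see Step One).
classify_check_result() {
    is_tor=$(printf '%s' "$1" | sed -n 's/.*"IsTor": *\([a-z]*\).*/\1/p')
    seen_ip=$(printf '%s' "$1" | sed -n 's/.*"IP": *"\([^"]*\)".*/\1/p')
    if [ "$is_tor" != "true" ]; then
        echo "not-tor: traffic left via $seen_ip"
    elif [ "$seen_ip" = "$2" ]; then
        echo "false-positive: $seen_ip is this site's own exit address"
    else
        echo "ok: exit $seen_ip"
    fi
}

# 3. Live probes, run on a LAN client as: sh proxycheck.sh --live
#    Both network-facing paths are exercised: HTTP via Polipo and SOCKS5
#    via Tor directly (--socks5-hostname keeps DNS resolution inside Tor).
run_live() {
    direct=$(curl -s --max-time 30 https://check.torproject.org/api/ip)
    real_ip=$(printf '%s' "$direct" | sed -n 's/.*"IP": *"\([^"]*\)".*/\1/p')
    echo "direct address: $real_ip"
    via_http=$(curl -s --max-time 60 -x "http://$SERVER:8118" https://check.torproject.org/api/ip)
    echo "polipo $SERVER:8118 -> $(classify_check_result "$via_http" "$real_ip")"
    via_socks=$(curl -s --max-time 60 --socks5-hostname "$SERVER:9100" https://check.torproject.org/api/ip)
    echo "tor socks $SERVER:9100 -> $(classify_check_result "$via_socks" "$real_ip")"
}

# Constructed sample `ss -ltn` output: Tor correctly on loopback and on the
# internal address, Polipo on 0.0.0.0 (the page's default), which the audit
# reports.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      128    127.0.0.1:9050       0.0.0.0:*
LISTEN 0      128    192.168.1.10:9100    0.0.0.0:*
LISTEN 0      128    0.0.0.0:8118         0.0.0.0:*'

case "${1:-}" in
    --audit) wildcard_proxy_listeners "$(ss -ltn 2>/dev/null || netstat -ltn)" ;;
    --live)  run_live ;;
esac
```

If --audit prints 0.0.0.0:8118 on a server that has a public interface, either change proxyAddress to the internal address or make sure the firewall drops 8118 from outside; if --live reports not-tor for the Polipo path, Polipo is answering but socksParentProxy is not carrying the traffic into Tor.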

Step Five: Configure Torbutton and Firefox

Torbutton is an addon for Firefox that allows users to quickly and easily use the Tor network at the click of a button.

Firefox

Download and install the latest version of Firefox from Mozilla: http://www.mozilla.com/en-US/firefox/firefox.html

Torbutton

Download and install the latest version of Torbutton: https://www.torproject.org/torbutton

Configuration

In Firefox open the addon management menu: Tools > Addons > Torbutton > Preferences and use the following settings, where 192.168.X.Y is your server's internal IP address:

* Use custom proxy settings:
HTTP Proxy: 192.168.X.Y Port: 8118
SSL Proxy: 192.168.X.Y Port: 8118
SOCKS Host: 192.168.X.Y Port: 9100
* SOCKS v5
No Proxies for: 127.0.0.1

Click "Test Settings."

Torbutton may complain about a proxy error when you click "Test Settings." If this happens, click OK and try to visit https://check.torproject.org/. Check the detected IP address: if everything is working it should differ from your actual IP address, showing that your request was routed through the Tor network. If things are still not working, check the Troubleshooting section below.

If everything works, repeat Step Five for every computer on your network you wish to run through Tor. If not, see the section on Troubleshooting.

Alternate Browser Configuration

If you choose not to use Torbutton with Firefox or wish to use another web browser, use the following proxy settings, where 192.168.X.Y is your server's internal IP address:

HTTP Proxy: 192.168.X.Y Port: 8118
SSL Proxy: 192.168.X.Y Port: 8118
SOCKS Host: 192.168.X.Y Port: 9100

Troubleshooting

In the event that something does not work, start with the logs. There is usually some useful information in /var/log/tor/log and /var/log/polipo/polipo.log.

If Torbutton refuses to pass its test, or does not seem to be working, setting the proxy manually in Firefox is a good way to glean more information about what is broken. In Firefox, Preferences > Advanced > Connection (Settings) > Manual proxy configuration, with 192.168.X.Y being your server's internal IP address:

HTTP Proxy: 192.168.X.Y Port: 8118
SSL Proxy: 192.168.X.Y Port: 8118
SOCKS Host: 192.168.X.Y Port: 9100
* SOCKS v5
No Proxies for: 127.0.0.1

Try visiting a web page using this configuration and see what kinds of errors are returned. Frequently that information can be useful in troubleshooting. Once you've checked all the logs and double checked all of your configuration files, the Tor IRC channel is a good place to visit next. It can be found at #tor on irc.oftc.net. The TorFAQ is a good place to check for more help as well.

Known Issues

Polipo can leak information

I have come across some issues while using this setup under Ubuntu with Firefox running on Macs.

Too much information stored in logs: for some visited web pages, Polipo writes lines like the following to /var/log/polipo/polipo.log, recording the destination host of users' requests on the server:

Restarting pipeline to www.xxx.yyy:80.

Using Firefox in "Private Browsing Mode" helps on the client side: it attempts to leave fewer traces of your web activity on the host where the browser runs. It does not, however, stop Polipo from writing these lines on the server.

The proper way to avoid these server-side leaks is to:

  1. Use polipo version 1.1.x and set 'scrubLogs' to 'true'; or
  2. Restrict the kind of messages that polipo will log, or disable logging altogether:
  • Restrict logs by setting 'logLevel' to 1 (only log L_ERROR-level messages) or 0 (do not log any message). ('logLevel' is a mask; see "log.h" in polipo's sources.)
  • Disable logging by setting 'logSyslog' to 'false' and 'logFile' to "" (empty string). Important: log messages will then go to standard error, so you might want to redirect that to /dev/null as well.
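To confirm that the logging change took effect, the following shell script, an added example that is not from the original page or from Polipo, scans a polipo.log for lines that name a destination host ("... to host:port", as in the pipeline message above) and fails if any remain, so it can run from cron or after each deployment. The default log path and the sample log lines are constructed for the example; run it on the server as sh polipo-logaudit.sh --audit (set POLIPO_LOG=... to point it elsewhere).

```shell
#!/bin/sh
# Added example, not from the original page or from Polipo: audit polipo.log
# for entries that record destination hosts, to confirm that the logLevel /
# scrubLogs / logFile change actually took effect. The default log path and
# the sample lines below are constructed assumptions.
set -e
POLIPO_LOG="${POLIPO_LOG:-/var/log/polipo/polipo.log}"

# Destinations appearing in log text ($1) as "... to host:port", e.g.
# "Restarting pipeline to www.example.com:80." or
# "Connect to www.example.com:443 failed: ...". One host:port per line,
# deduplicated.
leaked_destinations() {
    printf '%s\n' "$1" | grep -oE ' to [A-Za-z0-9.-]+:[0-9]+' | sed 's/^ to //' | sort -u
}

# The same, reduced to bare host names.
leaked_hosts() {
    leaked_destinations "$1" | sed 's/:[0-9]*$//' | sort -u
}

# Audit a log file: print the hosts it reveals and return 1 if there are
# any, so the script's exit status can gate a cron or deploy job.
audit_polipo_log() {
    found=$(leaked_hosts "$(cat "$1")")
    if [ -n "$found" ]; then
        echo "$1 still records browsing destinations:"
        printf '%s\n' "$found"
        return 1
    fi
    echo "$1: no destination hosts recorded"
}

# Constructed sample log; two of the five lines reveal where users went.
SAMPLE_LOG='Established listening socket on port 8118.
Restarting pipeline to www.example.com:80.
Connect to mail.example.net:443 failed: Connection refused
Restarting pipeline to www.example.com:80.
Refusing connection from unauthorised net'

if [ "${1:-}" = "--audit" ]; then
    audit_polipo_log "$POLIPO_LOG"
fi
```

With logLevel set to 1 the "Restarting pipeline" lines disappear but connection failures, which also name the host, can still appear; scrubLogs on polipo 1.1.x or disabling the log altogether is what makes the audit come back clean.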

Contact Information

Please feel free to contact me with questions.  Also, if you find an error, remember this is a Wiki; feel free to fix the error or add more information.  You can reach me at gmail: aaron.ciuffo.

Last modified on Sep 23, 2016