wiki:doc/Tips_to_running_tor_bridges

The contents of this site aren't officially endorsed by torproject.org - instead this site is a community wiki project. This means that if you find errors or think something is missing or outdated, you can help improve this document. To do so click on "Register" and follow the instructions. While you are logged in an edit button will be available at the bottom of this page.

This site should provide help to people who want to run Tor bridges.

(For those who are new to the concept of Tor bridges or Tor in general: With the help of the Tor network, people who live in countries in which the Internet gets censored and connections are eavesdropped on can get access to the whole Internet without the surveillants seeing which sites they access. In order for the Tor network to function all IP addresses of Tor entry servers have to be public. Oppressive regimes can block these IP addresses. To make it possible for people in such countries to access Tor anyway the Tor network needs as many bridges as possible. The addresses of these bridges aren't publicized, but instead given to those who need it with the help of different distribution strategies. The more bridges there are, the harder it gets for oppressive regimes to block them all.)


1.0 Where to run bridges?

You could run a bridge from your home, but there are downsides to this approach:

  • The upload speed is usually quite low, especially on ordinary ADSL connections.
  • You should preferably use a device that is running 24/7.
  • On most connections your router will get a new IP address every 24 hours. In theory this could be a good thing for Tor bridges, as it makes it harder to keep these ever-changing bridge addresses blocked. Unfortunately the bridge distribution system of torproject.org is, at least at the moment, not able to treat these dynamically changing addresses "specially" (meaning: promoting them instantly).

If you have decent upload speed, a machine that's running constantly, and a static IP, you might consider using your own setup.

Otherwise I'd recommend taking a look at cheap "virtual private servers" (also known as "VPS" / "vserver").


1.1 How much RAM and monthly traffic data volume is needed?

Tor bridges run without problems on Linux systems without graphical user interfaces with 256 MB RAM. More than that doesn't seem to be needed if you don't want to run additional services. If you have ideas about which other services you could run simultaneously on your Tor bridge to make your server even more useful, please add them to this document. For example you could run an additional OpenVPN server (HowTo), install an IRC bouncer like ZNC or run a Teamspeak server.

If you are running Linux, Tor will use glibc, which doesn't do an overly good job at freeing up RAM. If you have far less than 256 MB RAM you might want to try to compile Tor yourself using OpenBSD's memory allocation implementation as stated here. It would be great if you were to add your findings regarding memory usage to this document, especially if you have experience with running Tor bridges on systems with 128 MB RAM.

To see how much RAM your system uses, the findings of the command line program htop should be more relevant than those of top.

Traffic-wise: The more the better, but usually it's more useful to run a lot of bridges with small traffic plans instead of running a few with big data packages. The more IP addresses censors have to learn and block, the harder it gets for them to make Tor unusable for their citizens.


1.2 Where to get the most bridge for your bucks at the moment?

Clearly the easiest way to set up a Tor bridge right now is at Amazon. It's really cheap or even free in the first year (depending on the bandwidth that actually gets used) - how to set it up is explained here. If you want to stay at Amazon with your Tor bridge after the end of the free first year, you should consider switching your instance from "Micro On-Demand" to "Micro Heavy Utilization Reserved", as it is cheaper (but it doesn't give you the option to cancel immediately).

If you have some basic Unix/Linux knowledge, such as how to install and use a text editor like nano, you might want to consider switching to a significantly cheaper virtual private server.

The following is a compilation of offers which seem to provide a good service for relatively low prices:

Notice: While it's possible to run several Tor instances at once, it's not possible to run pluggable transports (such as obfs2/obfs3) on more than one IP address on one machine simultaneously. Besides, it's a hassle to set up bridges with several IPs. Rather look for cheap offers with one IPv4 address or, better, one IPv4 and an additional IPv6 address.

---

("256MB SVZ – SSD VPS", use the promo code "LEB35", it will cost $29.84 annually)

256 MB RAM, 1TB Bandwidth, 1x ipv4 and 1x usable ipv6 address (tor can not handle more than one ipv6 address at the moment)

You don't have to worry about additional costs when hitting the 2TB bandwidth limit.

Link to the offer

---

("512MB Yearly", it will cost $20 annually)

512MB RAM, 200GB Bandwidth, 1x ipv4. no ipv6 in Seattle at the moment. The IO disk speed is pretty low, which means you have to be patient when installing software.

They write on their page that they would charge $0.1 for each GigaByte more than the included 200 GigaBytes. But via mail they claim they would actually suspend the server until the end of the 30 days and never charge additional fees. While it's possible to upgrade to a bigger data plan afterwards, data package upgrade plans for this provider aren't cheap.

Link to the offer

---

If you know a good offer please enhance this list!

One might find some offers which give you good value for your money on comparison websites such as lowendbox.


1.3 How to manage/install a vserver?

After purchasing a vserver you will usually get a link to a web interface where you are able to manage your vserver. It's possible to choose your operating system on this site. In case you changed your operating system, wait ~15 minutes before connecting to your vserver. Afterwards you should be able to connect to your server via ssh using your root password (type "ssh root@write_the_ip_address_of_your_vserver_here" into a terminal). Make sure to change your root password to a long one with special characters, either on the web interface or via the command passwd. Make sure you won't forget your password.

Once you are connected to your vserver Tor can be installed as described here (written for debian/ubuntu) - make sure to use the development version, as the ordinary versions aren't yet able to report the presence of obfs2/obfs3 capabilities to the torproject.org bridge distribution authority.

To make your bridge helpful in countries where Tor traffic is recognized as such and gets blocked (e. g. Iran) you want to add as many pluggable transports to your bridge as possible.

To configure your bridge with obfs2 and obfs3 functionality you can follow these instructions.

In case your vps is ipv6 capable add the line

ORPort [ipv6addressgoeshere]:443

to your Tor configuration file (path is /etc/tor/torrc) to get one of your IPv6 addresses to work, which might be helpful to Tor bridge users who can use IPv6. Replace ipv6addressgoeshere with your IPv6 address. Do not remove the square brackets! Tor can only handle one IPv6 address at the moment.


1.4 How to make sure your bridge is running correctly?

Surely you'd like to know whether your bridge is configured properly and whether or not it gets used.

There are several ways to achieve this:

  • If your bridge gets successfully published to the bridge authority it should appear here. You can search for it most easily if you use the Nickname option in your Tor configuration file. If the onionoo site shows your bridge, but the obfs2, obfs3 or ipv6 flags are missing, it might take some hours and maybe a restart of the Tor service (service tor restart) or a reboot until they appear there.
  • "netstat -a" should show your ORPort, as well as a port for every registered pluggable transport, as "Listening".
  • Take a look at the Tor log file, which should be located in /var/log/tor/log by default. Tor should write to this file from time to time, e.g. to report how much data it has sent and received. Make sure you don't get any error messages in there. If you have configured Tor to use pluggable transports, Tor should, shortly after it gets started, print a line for every one of these stating that a certain pluggable transport has been registered on a certain port (if the port number is preceded by "0.0.0.0:" that's okay).

If Tor writes the following line into your log file you don't have to worry and can just ignore it:

[notice] We were built to run on a 64-bit CPU, with OpenSSL 1.0.1 or later, but with a version of OpenSSL that apparently lacks accelerated support for the NIST P-224 and P-256 groups. Building openssl with such support (using the enable-ec_nistp_64_gcc_128 option when configuring it) would make ECDH much faster.
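
One way to script the netstat and log checks from the list above (an added example, not part of the original wiki page). It assumes Tor's "Registered server transport" notice format and saved `netstat -lnt` output; the function names, sample log lines and port numbers are constructed for illustration.

```shell
#!/bin/sh
# Added example: cross-check Tor's log against the listening sockets.

# Print "name port" for each pluggable transport the log reports as registered.
registered_transports() {  # $1 = Tor log file
    sed -n "s/.*Registered server transport '\([^']*\)' at '.*:\([0-9]*\)'.*/\1 \2/p" "$1"
}

# Count [warn] and [err] lines in the log.
problem_lines() {  # $1 = Tor log file
    grep -c -e '\[warn\]' -e '\[err\]' "$1" || true
}

# Succeed if TCP port $2 is in LISTEN state in saved `netstat -lnt` output $1.
is_listening() {
    awk -v p="$2" '$6 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) ok = 1 }
                   END { exit !ok }' "$1"
}

# $1 = log file, $2 = netstat output file, $3 = ORPort; non-zero on any gap.
check_bridge() {
    rc=0
    is_listening "$2" "$3" || { echo "ORPort $3: NOT listening"; rc=1; }
    list=$(registered_transports "$1")
    [ -n "$list" ] || { echo "no pluggable transport registered"; rc=1; }
    while read -r name port; do
        [ -n "$name" ] || continue
        if is_listening "$2" "$port"; then echo "$name: listening on $port"
        else echo "$name: registered on $port but NOT listening"; rc=1; fi
    done <<EOF
$list
EOF
    [ "$(problem_lines "$1")" -eq 0 ] || { echo "log has warn/err lines"; rc=1; }
    return $rc
}

# Constructed sample data (not from a real bridge); on a live system use
# /var/log/tor/log and `netstat -lnt > file` instead.
tmp=$(mktemp -d)
cat > "$tmp/log" <<'EOF'
Aug 14 01:00:02.000 [notice] Registered server transport 'obfs2' at '0.0.0.0:40172'
Aug 14 01:00:02.000 [notice] Registered server transport 'obfs3' at '0.0.0.0:40872'
EOF
cat > "$tmp/netstat" <<'EOF'
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:40172           0.0.0.0:*               LISTEN
EOF
check_bridge "$tmp/log" "$tmp/netstat" 443 || echo "bridge needs attention"
```

In the constructed sample, obfs3 is registered in the log but its port is absent from the socket list, so the check reports the mismatch.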


1.5 Further questions?

Before you ask, search on torproject.org and on the whole web. Most issues have already been discussed somewhere.

If you can't find a satisfactory answer you can use these official channels to ask people. If you post your questions in the IRC channel and don't get an answer immediately, stay there for several hours (or even longer if there's little to no discussion going on) as your question might be answered when someone takes a sporadic look.

You might also consider taking a look at the Tor subreddit, which is not an official communication channel of The Tor Project and therefore neither managed, nor endorsed by it. It could be helpful nonetheless.


1.6 Are there easier ways to run a Tor bridge?

Yes. There are bridges in development that can run in web browsers. Due to technical limitations they are not yet as helpful as the kind of bridges the main part of this document is about, but they already do help and are very easy to deploy.

Just install this addon for Firefox (which isn't yet officially endorsed by David Fifield or torproject.org) or this one for Chrome.

You might also want to read this small FAQ for the Firefox addon.

A lot of (mostly technical) information on this kind of bridge can be found on its official site.

Last modified on Aug 14, 2013 1:18:34 AM