A Raspberry Pi as a Tor Relay
Make an alarmpi directory, cd to it and follow the Arch Linux ARM installation instructions. But in step 5, instead of just wgetting the tarball, also do
wget https://archlinuxarm.org/os/ArchLinuxARM-rpi-armv7-latest.tar.gz.md5
wget https://archlinuxarm.org/os/ArchLinuxARM-rpi-armv7-latest.tar.gz.sig
(note that there’s some TLS-stripping redirection). Compare the md5 hash (md5sum -c) and verify the signature by getting the Arch Linux ARM package signing key (0x77193F152BDBE6A6). The md5 only catches a corrupted download; it is the signature that tells you the image is genuine, which is what matters when the transfer was not entirely over TLS.
Once we’re in the Pi, the first thing to do is set up package signing by following these instructions. Then update and grab some useful packages.
pacman -Syu
pacman -S sudo vim bash-completion
Now it’s time for some user management. First enable root login over SSH (temporarily) by editing /etc/ssh/sshd_config and adding
PermitRootLogin yes
and then reloading the dæmon. Log out and then back in as root. This is so we can change the alarm username.
usermod -l username alarm
usermod -d /home/username -m username
Disallow SSH root logins again and reload the dæmon.
(This isn’t necessary if you have a keyboard and screen. We’re strictly headless here.)
Run visudo and uncomment the line
# %wheel ALL=(ALL) ALL
to grant sudo to members of the wheel group (make sure the user is in that group).
Now would be a good time to change the passwords. Do
passwd root
passwd username
and log back in as the user.
Now that the system is taking shape, let’s do some customising before we get to Tor.
To make things a bit friendlier, download your Vim configuration.
Next up, set the locale and timezone stuff (see the installation guide).
localectl set-locale LANG=en_IE.UTF-8
Change the hostname with
hostnamectl set-hostname hostname
and edit /etc/hosts and add the hostname to the end.
OK, now let’s get Tor (and arm).
sudo pacman -S tor arm
Edit /etc/tor/torrc to make it a relay. There might be some port-forwarding to be done for the ORPort (9001) and DirPort (9030) as well as SocksPort (9050). Note that we don’t need to run Tor as a dæmon — systemd takes care of that.
To get arm working we need to open up the control port, but it’s not safe to do so without some authentication. Run
tor --hash-password password
and paste the hash into the HashedControlPassword line. Then open up the control port on port 9051.
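Here is a minimal relay torrc that covers both the relay settings and the authenticated control port described above. It is an added example, not the author’s own file: Nickname, ContactInfo and the bandwidth limits are placeholders to replace, and the hash is whatever tor --hash-password printed. It makes the relay non-exit and sets SocksPort 0, since a relay needs no local client proxy and the SOCKS port should never be reachable from outside.

```text
## /etc/tor/torrc -- added example relay configuration (not the original post's file)

## Identity and contact (placeholders: pick your own)
Nickname        MyPiRelay
ContactInfo     relay-admin AT example DOT org

## Relay ports. These two are what the router must forward to the Pi.
ORPort          9001
DirPort         9030

## A middle relay only: refuse all exit traffic.
ExitRelay       0
ExitPolicy      reject *:*

## A relay needs no local SOCKS proxy; disabling it leaves nothing extra listening.
SocksPort       0

## Keep the Pi's uplink usable (example values; tune to your connection).
RelayBandwidthRate   500 KBytes
RelayBandwidthBurst  1000 KBytes

## Control port for arm. It binds to localhost by default and is protected by
## the hash from `tor --hash-password`; paste the whole "16:..." string.
ControlPort             9051
HashedControlPassword   16:<paste the output of tor --hash-password here>

## Useful while bringing the relay up.
Log notice syslog
```

Tor refuses to start on a syntax error, so run tor --verify-config as the tor user before restarting the service. Only ORPort and DirPort should ever be forwarded from the router; the control port stays on loopback.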
Start Tor and check its status. If all seems well, enable it. Run
sudo -u tor arm
to see how things are going.
The last thing to do for Tor is sign up for the weather reports.
We’re done! But wait. Our relay is vulnerable. Let’s beef up the security by securing SSH with iptables. You can move old iptables around with iptables-save and iptables-restore, but don’t forget to make them persistent.
The only internet-facing services should be Tor and an SSH dæmon. There’s nothing else to do for Tor, but we can make SSH much more secure.
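A ruleset that expresses exactly that (Tor’s two relay ports plus SSH, everything else dropped), as an added example rather than the author’s own rules. It is in iptables-restore format and assumes Arch’s iptables.service, which loads /etc/iptables/iptables.rules at boot; the SSH port (22) and the Tor ports match the defaults used on this page.

```text
# /etc/iptables/iptables.rules -- added example ruleset (not the original post's),
# loaded by iptables-restore. Assumes Arch's iptables.service reads this file.
*filter
# Default: drop everything inbound, allow everything the Pi itself sends out.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Loopback is needed by Tor's control port and by arm.
-A INPUT -i lo -j ACCEPT

# Replies to connections the relay opened (other relays, directory authorities),
# including related ICMP errors such as fragmentation-needed.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Drop packets with bogus connection state early.
-A INPUT -m conntrack --ctstate INVALID -j DROP

# Answer pings so basic reachability checks still work.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# The two Tor relay ports from the torrc (ORPort and DirPort).
-A INPUT -p tcp --dport 9001 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 9030 -m conntrack --ctstate NEW -j ACCEPT

# SSH, rate-limited per source address so a brute-force attempt cannot saturate the Pi.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip --hashlimit-upto 6/min --hashlimit-burst 6 -j ACCEPT

# Everything else (9050 and 9051 included, which are loopback-only anyway) hits the DROP policy.
COMMIT
```

Load it with iptables-restore, confirm a fresh SSH login works from a second terminal while the first one stays open, then enable iptables.service. This file filters IPv4 only: if the Pi has an IPv6 address, a matching /etc/iptables/ip6tables.rules and ip6tables.service are needed, otherwise IPv6 arrives unfiltered.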
First of all, copy the public key over with
ssh-copy-id -i ~/.ssh/id_ed25519.pub 192.168.0.x
and check if it worked. Probably you’ll have to edit .ssh/config if you’re disallowing public key identification in general (which you probably should be).
Now you can harden the server by enforcing public key authentication and choosing good algorithms.
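The sshd_config settings that do this, as an added example and not the author’s configuration. It keeps only the ed25519 host key (matching the key type used above), turns off every non-key authentication method, and restricts logins to the one admin account; "username" is the placeholder from earlier in the post.

```text
# /etc/ssh/sshd_config -- added example hardening (not the original post's config).
# Offer only the ed25519 host key; the default RSA/ECDSA keys are not used.
HostKey /etc/ssh/ssh_host_ed25519_key

# Keys only: no passwords, no keyboard-interactive fallbacks, no root.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
PermitEmptyPasswords no

# Only the admin account created above (replace "username").
AllowUsers username

# Modern algorithms only (curve25519-sha256 without the suffix needs OpenSSH 7.4+).
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

# Fewer guesses per connection, and idle or dead sessions are dropped.
MaxAuthTries 3
LoginGraceTime 30
ClientAliveInterval 300
ClientAliveCountMax 2
X11Forwarding no
```

Run sshd -t to check the file for errors, keep the current session open, and verify a new key-based login works before reloading the dæmon; a mistake here on a headless box means a trip to the SD card.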
Edit /etc/motd to get rid of the boilerplate. It could be nice to print the ED25519 fingerprint here.
Finally, set up SSH as a hidden service so you can SSH to it from anywhere and have a static onion URL and all that.
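The two torrc lines that publish SSH as an onion service, together with the matching client-side ssh config, as an added example that is not the author’s own configuration. The directory path and the Host alias are choices for this example, and the client side assumes a local Tor SOCKS port on 9050 and OpenBSD netcat (the openbsd-netcat package on Arch).

```text
## /etc/tor/torrc additions -- added example (not the original post's), next to the relay lines.
## Tor creates the directory (owned by the tor user, mode 0700) and writes the private
## key plus a "hostname" file containing the .onion address into it.
HiddenServiceDir  /var/lib/tor/ssh/
## <virtual port on the onion>  <where the connection is delivered locally>
HiddenServicePort 22 127.0.0.1:22

## ~/.ssh/config on the client -- added example. Replace the placeholder onion address
## with the contents of /var/lib/tor/ssh/hostname on the Pi.
Host pi-onion
    HostName <your-onion-address>.onion
    User username
    IdentityFile ~/.ssh/id_ed25519
    ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p
```

After restarting Tor, read the address with sudo cat /var/lib/tor/ssh/hostname and connect with ssh pi-onion. No firewall change is needed: the connection arrives from the local Tor process over loopback, which the ruleset already allows. Tor will log a warning that a relay and an onion service share one process, because the onion address becomes linkable to the relay’s IP; for remote administration of a relay that is already public this is acceptable, but do not reuse this Tor instance for any service that is meant to stay anonymous.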