A Raspberry Pi as a Tor Relay

Make an alarmpi directory, cd to it and follow the Arch Linux ARM installation instructions. But in step 5, instead of just fetching the tarball with wget, also fetch its checksum and signature:

wget https://archlinuxarm.org/os/ArchLinuxARM-rpi-armv7-latest.tar.gz.md5
wget https://archlinuxarm.org/os/ArchLinuxARM-rpi-armv7-latest.tar.gz.sig

(note that the download URL redirects through plain HTTP, so TLS gets stripped along the way). Check the md5 hash with md5sum -c and verify the signature after importing the Arch Linux ARM package signing key (0x77193F152BDBE6A6).
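The download-and-verify step as a script, added here as an example rather than taken from the post. It assumes curl, md5sum and gpg on the machine doing the download; the URL, file name and key ID are the ones above, while the keyserver and the "download" argument are assumptions of this example. The curl flags refuse any redirect that leaves HTTPS, so the plain-HTTP hop mentioned above fails loudly instead of being followed.

```shell
#!/bin/sh
# Added example, not from the original post: fetch and verify the Arch Linux
# ARM image before flashing it. Assumes curl, md5sum and gpg are installed on
# the downloading machine. URL and key ID are from the post; the keyserver is
# an assumption (any keyserver that carries the key will do).
set -eu

BASE_URL=https://archlinuxarm.org/os
IMAGE=ArchLinuxARM-rpi-armv7-latest.tar.gz
SIGNING_KEY=77193F152BDBE6A6        # Arch Linux ARM package signing key (from the post)
KEYSERVER=hkps://keys.openpgp.org   # assumption

# Fetch one file, refusing any redirect that leaves HTTPS. With these flags
# curl fails instead of silently following a plain-HTTP redirect, so an
# in-transit substitution cannot slip past unnoticed.
fetch_https_only() {
    curl --proto '=https' --proto-redir '=https' -fsSL -O "$BASE_URL/$1"
}

# Check a file against its .md5 companion (md5sum format: "<hash>  <name>").
# Returns 0 only when md5sum reports OK. This catches a corrupt download but
# not a malicious one: the .md5 file came from the same place as the tarball.
check_md5() {
    file=$1
    md5file=$2
    ( cd "$(dirname "$file")" && md5sum -c --status "$(basename "$md5file")" )
}

# Verify the detached signature. This is the check that ties the tarball to
# the Arch Linux ARM developers rather than to whoever happened to serve it.
check_signature() {
    file=$1
    gpg --keyserver "$KEYSERVER" --recv-keys "$SIGNING_KEY"
    gpg --verify "$file.sig" "$file"
}

# Only touch the network when explicitly asked, so the functions above can be
# sourced and exercised without a connection.
if [ "${1:-}" = "download" ]; then
    for f in "$IMAGE" "$IMAGE.md5" "$IMAGE.sig"; do
        fetch_https_only "$f"
    done
    check_md5 "./$IMAGE" "./$IMAGE.md5"
    check_signature "./$IMAGE"
    echo "verified $IMAGE"
fi
```

Run it as `sh verify.sh download` from the alarmpi directory; a failed md5 or signature check aborts the script before anything is written to the SD card.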

Once we’re in the Pi, the first thing to do is set up package signing by following these instructions.

Then update and grab some useful packages.

pacman -Syu
pacman -S sudo vim bash-completion

Now it’s time for some user management. First enable root login over SSH (temporarily) by editing /etc/ssh/sshd_config and adding

PermitRootLogin yes

and then reloading the dæmon. Log out and then back in as root. This is so we can change the alarm username.

usermod -l username alarm
usermod -d /home/username -m username

Disallow SSH root logins again and reload the dæmon.

(This isn’t necessary if you have a keyboard and screen. We’re strictly headless here.)

Run visudo and uncomment the line

# %wheel ALL=(ALL) ALL

so that members of the wheel group can use sudo (check with groups that your user is actually in wheel).

Now would be a good time to change the passwords. Do

passwd root
passwd username

and log back in as the user.

Now that the system is taking shape, let’s do some customising before we get to Tor.

To make things a bit friendlier, download your Vim configuration.

Next up, set the locale and timezone stuff (see the installation guide).

localectl set-locale LANG=en_IE.UTF-8

Change the hostname with

hostnamectl set-hostname hostname

and edit /etc/hosts and add the hostname to the end.

OK, now let’s get Tor (and arm).

sudo pacman -S tor arm

Edit /etc/tor/torrc to make it a relay. There might be some port-forwarding to be done on your router for the ORPort (9001) and DirPort (9030), as well as the SocksPort (9050). Note that we don’t need to run Tor as a dæmon — systemd takes care of that.

To get arm working we need to open up the control port, but it’s not safe to do so without some authentication. Run

tor --hash-password password

and paste the hash into the HashedControlPassword line. Then open up the control port (ControlPort 9051).

Start Tor and check its status. If all seems well, enable it. Run

sudo -u tor arm

to see how things are going.

The last thing to do for Tor is sign up for the weather reports.

We’re done! But wait. Our relay is still exposed. Let’s beef up the security by locking down SSH with iptables. You can save and restore existing rules with iptables-save and iptables-restore, but don’t forget to make them persistent across reboots.

The only internet-facing services should be Tor and an SSH dæmon. There’s nothing else to do for Tor, but we can make SSH much more secure.

First of all, copy the public key over with

ssh-copy-id -i ~/.ssh/id_ed25519.pub 192.168.0.x

and check if it worked. Probably you’ll have to edit .ssh/config if you’re disallowing public key identification in general (which you probably should be).

Now you can harden the server by enforcing public key authentication and choosing good algorithms.
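The firewall and the SSH hardening from the last few paragraphs, written out as an added example (not the post's own script). It assumes Arch Linux ARM's iptables package, whose iptables.service loads /etc/iptables/iptables.rules at boot, and an OpenSSH new enough to read /etc/ssh/sshd_config.d/ drop-ins; the port numbers are the ones the post uses, and the "apply" argument is this example's own convention. The check function is the part worth keeping around: sshd_config can be reset by a package upgrade, and it is cheap to confirm the three settings that matter still hold.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal inbound firewall that
# exposes only SSH and the two Tor relay ports, plus an sshd_config check.
# Assumes Arch's iptables.service (reads /etc/iptables/iptables.rules) and an
# sshd_config that includes /etc/ssh/sshd_config.d/*.conf (OpenSSH 8.2+).
set -eu

SSH_PORT=22
OR_PORT=9001      # ORPort from the post
DIR_PORT=9030     # DirPort from the post

# Emit a ruleset in iptables-restore format: default DROP on INPUT, with
# loopback, established traffic and exactly three listening ports allowed.
# SocksPort (9050) and ControlPort (9051) are deliberately absent; neither
# needs to be reachable from the internet.
relay_firewall_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport $OR_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport $DIR_PORT -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# sshd settings that enforce key-only logins and modern algorithms. sshd uses
# the first value it sees for each keyword, so these go in a drop-in that is
# included before the main file's defaults.
sshd_hardening() {
    cat <<'EOF'
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
HostKey /etc/ssh/ssh_host_ed25519_key
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
EOF
}

# Check a config file for the three settings that matter most. Returns 0 if
# all are present with the hardened value, 1 otherwise.
sshd_config_is_hardened() {
    cfg=$1
    for want in 'PermitRootLogin no' 'PasswordAuthentication no' 'PubkeyAuthentication yes'; do
        grep -Eq "^[[:space:]]*$want[[:space:]]*$" "$cfg" || return 1
    done
    return 0
}

# Host key fingerprint, for /etc/motd or for comparing against what ssh
# shows on first connect.
host_key_fingerprint() {
    ssh-keygen -lf "${1:-/etc/ssh/ssh_host_ed25519_key.pub}"
}

# Apply everything (run as root on the Pi); nothing runs without the argument.
if [ "${1:-}" = "apply" ]; then
    relay_firewall_rules > /etc/iptables/iptables.rules
    iptables-restore < /etc/iptables/iptables.rules
    systemctl enable iptables.service
    sshd_hardening > /etc/ssh/sshd_config.d/10-hardening.conf
    sshd -t && systemctl reload sshd
    sshd_config_is_hardened /etc/ssh/sshd_config.d/10-hardening.conf
    host_key_fingerprint
fi
```

Keep an existing SSH session open while applying this, and confirm a fresh key-based login works before closing it; `sshd -t` catches syntax errors but not a lockout.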

Edit /etc/motd to get rid of the boilerplate. It could be nice to print the ED25519 fingerprint here.

Finally, set up SSH as a hidden service so you can SSH to it from anywhere and have a static onion URL and all that.
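A complete /etc/tor/torrc covering both the relay setup described earlier and the SSH onion service just mentioned, added here as an example rather than taken from the post. The nickname, contact address and HiddenServiceDir are placeholders; the port numbers are the post's. The one deliberate difference from a bare "open the ports" configuration is that SocksPort and ControlPort are bound to 127.0.0.1, so only the relay ports ever need forwarding and a firewall slip cannot turn the Pi into an open proxy or expose the control port.

```text
# /etc/tor/torrc  (added example, not the post's own file)

# Placeholders: choose your own nickname and a contact address the Tor project can use.
Nickname MyPiRelay
ContactInfo relay-admin@example.com

# Relay: only these two ports need forwarding from the router to the Pi.
ORPort 9001
DirPort 9030

# Middle relay only; no exit traffic leaves this box.
ExitRelay 0
ExitPolicy reject *:*

# Local client use only. Loopback binding means no port-forwarding and no
# open proxy, even if the firewall were misconfigured.
SocksPort 127.0.0.1:9050

# Control port for arm: loopback-only plus the hashed password from
# tor --hash-password, as described above. Placeholder value below.
ControlPort 127.0.0.1:9051
HashedControlPassword 16:PASTE-OUTPUT-OF-tor--hash-password-HERE

# SSH as an onion service: Tor forwards onion port 22 to the local sshd.
# Directory is a placeholder; it must be owned by the tor user.
HiddenServiceDir /var/lib/tor/ssh
HiddenServicePort 22 127.0.0.1:22
```

After restarting Tor, the onion address appears in the hostname file inside HiddenServiceDir; clients connect with an ssh ProxyCommand pointed at the local SocksPort.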