How to Set-up a Tor Bridge with a Raspberry Pi using Ubuntu Server

[Image: the Tor logo. The United States Naval Research Laboratory developed “The Onion Routing Protocol” (Tor).]

The United States Naval Research Laboratory (NRL) developed “The Onion Routing Protocol” (Tor) to relay intelligence online securely via layered encryption. This tutorial demonstrates how to build a Tor bridge relay with a Raspberry Pi 2: a decentralized node that handles one layer of the encrypted traffic, which is combined with the layers processed by the other Tor nodes, or “bridges”, on the network. According to the official Tor website, the lack of security on the Internet and its potential for tracking and surveillance were already abundantly clear as far back as 1995, so the NRL sought to create Internet connections that don’t reveal identities, even to someone or some entity monitoring the network. They pioneered the first prototypes of onion routing. If you would like to know more about the details of Tor and how it works from an elementary perspective, check out this post: “How Does Tor Work?”

Essentially, Tor is a network of three types of node relays, as defined by the Tor Community Docs:

  1. Non-Exit Relay: A guard relay is the first relay in the chain of 3 relays building a Tor circuit; a middle relay is neither a guard nor an exit relay, but acts as the second hop between the two (guards and middles together are also called non-exit relays). To become a guard, a relay has to be stable and fast (at least 2MByte/s), otherwise it will remain a middle relay.
  2. Exit Relay: The exit relay is the final relay in a Tor circuit, the one that sends traffic out to its destination. The services Tor clients are connecting to (website, chat service, email provider, etc.) will see the IP address of the exit relay instead of the real IP address of the Tor user. Exit relays have the greatest legal exposure and liability of all the relays, so this tutorial parts ways with you here on that trail (read more about exit relays at Tor) and instead walks you through safely and legally building a Tor bridge relay as defined below 🙂
  3. Bridge Relay: Tor bridges are nodes in the Tor network that are not listed in the public Tor directory, which makes them harder for ISPs and governments to block. Bridges are useful for Tor users under oppressive regimes (i.e. China and Iran) or for people who want an extra layer of security because they’re worried somebody will recognize that they are contacting a public Tor relay IP address. Bridges are a great option if you can only run a Tor node from your home network, have only one static IP, and don’t have a huge amount of bandwidth to donate; we recommend giving your bridge at least 1 Mbit/sec, as every Tor bridge counts! If you want to help make the world more securely connected, please proceed as instructed and build a Tor bridge!
Are you doing your part?

Parts List

  1. Raspberry Pi 2 (or greater)
  2. 16 GB SanDisk MicroSD
  3. Mouse and Keyboard
  4. HDMI Monitor
  5. CAT-5/6E Cable
  6. MicroSD Formatter

Installing Tor

Initially, I began experimenting with a Tor bridge on Debian/Ubuntu Server (18.04), as documented under that heading below. Although I succeeded with that approach, it was much more time-consuming than my first attempt with KALI-LINUX, so it’s recommended to proceed with the latter as detailed below if running a Tor bridge.

Download KALI-LINUX for Raspberry Pi Install

  1. Go to Offensive Security and select “Raspberry Pi” (scroll down the page and click the “Raspberry Pi” link for the drop-down menu), then download the compressed .img file (non-64-bit) for Raspberry Pi 2, 3, 4; please note, you can also proceed below with Ubuntu Server if so inclined.
  2. Download The Unarchiver tool (free on the Apple App Store) to unpack the image file “kali-linux-2019.3a-rpi3-nexmon.img.xz” into “kali-linux-2019.3a-rpi3-nexmon.img”, which is what gets burned onto the Samsung MicroSDXC.
  3. Insert the Samsung EVO-Select MicroSDXC into a dock and connect it to the computer via USB; download the SD card formatter for your OS from the SD Association, OR use the Disk Utility tool in macOS Mojave, and format the card as FAT-32.
  4. Burn the unarchived KALI-LINUX Raspberry Pi 3 image file to the card (n00bs: download and use the balenaEtcher tool).
  5. Insert the MicroSD card into the Raspberry Pi 2.
  6. For power users (burning from the macOS command line instead of balenaEtcher):
    1. diskutil list
    2. sudo diskutil unmount /dev/your-SANDISK-BOOT-Identifier (e.g. sudo diskutil unmount /dev/disk4s1).
    3. sudo dd bs=1m if=kali-linux-2019.3a-rpi3-nexmon.img of=/dev/disk4 conv=sync (use the unpacked .img from step 2, not the .img.xz archive, and double-check the disk identifier first, because dd overwrites the target device).
    4. You can use the shortcut Ctrl + T to check the progress of the write process.
    5. If you’re unfamiliar with command-line syntax, check out explainshell.com and copy/paste the commands herein to understand what they execute.

Prepare Raspberry Pi for KALI-LINUX Install

  1. Insert the MicroSD card containing the burned KALI-LINUX image into the Raspberry Pi.
  2. Turn on the Raspberry Pi.
  3. After configuring the user credentials, run the following commands to update the KALI-LINUX environment (the default KALI-LINUX username is “root” and the default password is “toor”; you will be prompted to enter a new password).
  4. sudo apt-get update
  5. sudo apt-get upgrade
  6. sudo reboot
  7. For the sake of InfoSec, set up a simple firewall on the Raspberry Pi 2 by running sudo apt install ufw, followed by the sequence of commands below (the two ports must match the ORPort and the obfs4 ServerTransportListenAddr port in the torrc further down, 3443 and 3448):
    1. sudo ufw allow 3443 comment "TOR-circuit"
    2. sudo ufw allow 3448 comment "TOR"
    3. sudo ufw enable
    4. Then reboot with sudo reboot.
  8. Lastly, you can skip this step if you don’t plan to access this device remotely over your network, but it may be a good idea to prepare just in case:
    1. Run ifconfig -a to list the host IP address.
    2. sudo apt-get install openssh-server
    3. sudo ufw allow 22
    4. sudo reboot
  9. After running the commands in step 8 and rebooting, you can access this Raspberry Pi 2 remotely with ssh from another computer on the network.
  10. Next, secure root access by running sudo passwd root and then typing a new password (you will then log in as the username “root” with this password).
  11. Next type exit and hit the Return key; then log in using “root” as the username and the corresponding password.
  12. The last recommended mod is to rename the user account and the hostname: run sudo usermod -l newUsername -d /home/newUsername -m oldUsername to rename the user and move its home directory, then set an identifiable hostname for easy access on the network by running (e.g.) sudo hostnamectl set-hostname raspberrypi2.

Installing Tor on KALI-LINUX

After starting the Raspberry Pi 2 with KALI-LINUX, simply install Tor with the one-liner from the Tor community docs: sudo apt-get install tor. After the install, proceed exactly as outlined below, following the Tor docs mentioned previously:

  1. sudo apt-get install obfs4proxy
  2. Open both of these Tor service files and set NoNewPrivileges=no (obfs4proxy needs this to use the capability granted in step 3); save each file by pressing ESC, then typing :x and Enter. These files belong to the tor package and are overwritten on upgrades, so re-check the setting after updating Tor.
    1. vi /lib/systemd/system/tor@default.service
    2. vi /lib/systemd/system/tor@.service
    3. Then run systemctl daemon-reload and then systemctl restart tor.
  3. This step is only required if obfs4 listens on a port below 1024:
    1. If you run obfs4 on a port below 1024 (like 443), you must grant obfs4proxy the capability to bind that port by running (harmless on port 3448, and if you’re following this tutorial, run it): sudo setcap cap_net_bind_service=+ep /usr/bin/obfs4proxy. If you need to remove the capability for whatever reason in the future, simply run sudo setcap cap_net_bind_service=-ep /usr/bin/obfs4proxy.
  4. Run vi /etc/tor/torrc and modify your torrc file according to the block below:
RunAsDaemon 1
BridgeRelay 1

Log notice file /var/log/tor/notices.log
Log debug file /var/log/tor/debug.log
Log notice syslog
Log debug stderr

ORPort 3443

ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:3448

ExtORPort auto

## If you know how to set up DynamicDNS, uncomment the line below
## Address your-dynamic-dns

Nickname SatoshiNakamoto
ContactInfo SatoshiNakamoto <0xc78e9d242552d5da800a87b588dc3d2024a9fa0f@ethmail.cc>

RelayBandwidthBurst 200 KB # But allow bursts up to 200KB/s (1600Kbps)

ExitPolicy reject *:*

PublishServerDescriptor 0

Download Ubuntu Server for Raspberry Pi 

  1. Go to Ubuntu and download Ubuntu Server for the Raspberry Pi 2 (scroll down the page and click the link “Ubuntu Server image for Raspberry Pi 2”; please note, you can also proceed with KALI-LINUX as described above if so inclined).
  2. Download The Unarchiver tool (free on the Apple App Store) to unpack the image file “ubuntu-18.04.3-preinstalled-server-armhf+raspi2.img.xz” into “ubuntu-18.04.3-preinstalled-server-armhf+raspi2.img”, which is what gets burned onto the Samsung MicroSDXC.
  3. Insert the Samsung EVO-Select MicroSDXC into a dock and connect it to the computer via USB; download the SD card formatter for your OS from the SD Association, OR use the Disk Utility tool in macOS Mojave, and format the card as FAT-32.
  4. Burn the unarchived Ubuntu Raspberry Pi 2 image file to the card (n00bs: download and use the balenaEtcher tool).
  5. Insert the MicroSD card into the Raspberry Pi 2.
  6. For power users (burning from the macOS command line instead of balenaEtcher):
    1. diskutil list
    2. sudo diskutil unmount /dev/your-SANDISK-BOOT-Identifier (e.g. sudo diskutil unmount /dev/disk4s1).
    3. sudo dd bs=1m if=ubuntu-18.04.3-preinstalled-server-armhf+raspi2.img of=/dev/disk4 conv=sync (double-check the disk identifier first, because dd overwrites the target device).
    4. You can use the shortcut Ctrl + T to check the progress of the write process.
    5. If you’re unfamiliar with command-line syntax, check out explainshell.com and copy/paste the commands herein to understand what they execute.

Prepare Raspberry Pi for Ubuntu Server Install

  1. Insert the MicroSD card containing the burned Ubuntu Server image into the Raspberry Pi.
  2. Turn on the Raspberry Pi.
  3. After configuring the user credentials, run the following commands to update the Ubuntu Server environment (the default Ubuntu Server username is “ubuntu” and the default password is “ubuntu”; you will be prompted to enter a new password).
  4. sudo apt-get update
  5. sudo apt-get upgrade
  6. sudo reboot
  7. For the sake of InfoSec, set up a simple firewall on the Raspberry Pi 2 in Ubuntu Server by running sudo apt install ufw, followed by the sequence of commands below (the two ports must match the ORPort and the obfs4 ServerTransportListenAddr port in the torrc further down, 3443 and 3448):
    1. sudo ufw allow 3443 comment "TOR-circuit"
    2. sudo ufw allow 3448 comment "TOR"
    3. sudo ufw enable
    4. Then reboot with sudo reboot.
  8. Lastly, you can skip this step if you don’t plan to access this device remotely over your network, but it may be a good idea to prepare just in case:
    1. Run ifconfig -a to list the host IP address.
    2. sudo apt-get install openssh-server
    3. sudo ufw allow 22
    4. sudo reboot
  9. After running the commands in step 8 and rebooting, you can access this Raspberry Pi 2 remotely with ssh from another computer on the network.
  10. Next, secure root access by running sudo passwd root and then typing a new password (you will then log in as the username “root” with this password).
  11. Next type exit and hit the Return key; then log in using “root” as the username and the corresponding password.
  12. The last recommended mod is to rename the user account and the hostname: run sudo usermod -l newUsername -d /home/newUsername -m oldUsername to rename the user and move its home directory, then set an identifiable hostname for easy access on the network by running (e.g.) sudo hostnamectl set-hostname raspberrypi2.
  13. sudo reboot

Debian/Ubuntu Server (18.04 Bionic Beaver)

  1. After rebooting the Raspberry Pi, you may begin the install of Tor for Debian stable by running sudo apt-get install tor; you might also consider installing Xubuntu so you can read this tutorial or the Tor Docs in Firefox, because the commands below are quite long. To do so, simply run sudo apt-get install xubuntu-desktop and then sudo reboot.
  2. Per the Tor Docs, a few modifications are required; first add the Tor Project package repository, configured as “Debian Bionic Beaver (18.04 LTS)” for Tor stable:
    1. Add the line deb https://deb.torproject.org/torproject.org bionic main to /etc/apt/sources.list (or to a new file under /etc/apt/sources.list.d/).
    2. Next, add the line deb-src https://deb.torproject.org/torproject.org bionic main below it.
    3. Then import the gpg key used to sign the packages by running: curl https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --import
    4. gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
    5. After adding the key, update with sudo apt-get update followed by sudo apt install tor deb.torproject.org-keyring.
  3. For this Debian/Ubuntu build, run sudo apt-get install obfs4proxy.
  4. Open the Tor configuration file by running sudo vi /etc/tor/torrc; enter the following parameters by uncommenting or adding them where appropriate:
    1. RunAsDaemon 1
    2. BridgeRelay 1 (this is what makes the node a bridge rather than a public relay; it is also in the recap config below)
    3. ORPort 3443
    4. ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
    5. ServerTransportListenAddr obfs4 0.0.0.0:3448
    6. Uncomment the line ExtORPort auto.
    7. Nickname choose-whatever-you-want
    8. ContactInfo your-contact-name <your-email-address@whatever.com>
      • e.g. ContactInfo SatoshiNakamoto <0xc78e9d242552d5da800a87b588dc3d2024a9fa0f@ethmail.cc>
    9. Press ESC, then type :x and Enter to save and exit vim.
  5. If obfs4 listens on a port below 1024 (like 443) rather than an unprivileged port, you must grant obfs4proxy the capability to bind that port by running (if you’re following this tutorial, run it): sudo setcap cap_net_bind_service=+ep /usr/bin/obfs4proxy. If you need to remove the capability for whatever reason in the future, simply run sudo setcap cap_net_bind_service=-ep /usr/bin/obfs4proxy.
  6. Open both of these Tor service files and set NoNewPrivileges=no (obfs4proxy needs this to use the capability granted in step 5); save each file by pressing ESC, then typing :x and Enter. These files belong to the tor package and are overwritten on upgrades, so re-check the setting after updating Tor.
    1. sudo vi /lib/systemd/system/tor@default.service
    2. sudo vi /lib/systemd/system/tor@.service
    3. Then run sudo systemctl daemon-reload and then sudo systemctl restart tor.
  7. Restart the Raspberry Pi by running sudo reboot.
  8. Tor should start automatically; verify the connection status by running cd /var/log and then cat syslog, OR cd /var/log/tor/ and then cat notices.log, or check Tor Atlas to verify a successful connection and network status. If you’re running a Tor bridge, you must search for its hashed fingerprint under the “Advanced Search” tab; the hashed fingerprint is printed in the “notices.log” file in the /var/log/tor directory, so simply run cat notices.log and the terminal output should contain a hashed fingerprint value that can be looked up on Tor Atlas, as depicted in the screenshot below.
  9. Please note: regarding legal matters and safety, the Tor config file as detailed above does not enable ExitRelay by default, so unless you specifically add ExitRelay 1 to the torrc config file, Tor will run as a non-exit bridge relay instead of an exit relay, as stated in the notices.log file after starting Tor and in the Tor documentation as of 09/05/2019; you can also uncomment the line ExitPolicy reject *:* in the torrc config file just to err on the side of caution and ensure your node never acts as an exit. The best way to confirm your Tor node’s exit policy is to verify it on Tor Atlas, as depicted in the screenshot below.
[Screenshot: Tor Atlas relay search result. Mission accomplished: Tor bridge up, congrats!]
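The two things steps 8 and 9 have you hunt for in notices.log, the bridge's hashed fingerprint and the ORPort self-test result, can be pulled out with a couple of shell functions instead of reading the whole file. This is an added example, not part of the original tutorial or of Tor itself; it assumes a POSIX shell with sed and grep, and the sample log lines inside it are constructed in the shape of Tor's notice lines rather than taken from a real bridge.

```shell
#!/bin/sh
# Added example, not from the original tutorial: read the bridge's hashed
# fingerprint and the ORPort self-test result out of Tor's notices.log, the
# two things you need before looking the bridge up on Tor Atlas.
# Assumes POSIX sh, sed and grep. The sample log lines below are constructed
# in the shape of Tor's notice lines, not copied from a real bridge.

# Print the hashed identity key fingerprint Tor logged for this bridge (the
# value to search for under "Advanced Search"). Prints nothing if the line is
# absent, e.g. because BridgeRelay 1 is not set; a plain (non-hashed) server
# fingerprint line is deliberately ignored, since that value is not published
# for bridges.
bridge_hashed_fingerprint() {
    sed -n "s/.*hashed identity key fingerprint is '[^ ']* \([0-9A-F]\{40\}\)'.*/\1/p" "$1" | tail -n 1
}

# Return 0 if Tor's reachability self-test reported the ORPort reachable.
orport_reachable() {
    grep -q 'reachable from the outside' "$1"
}

# One-line status summary of the bridge, built from the two checks above.
# Returns 1 when no hashed fingerprint has been logged yet.
bridge_status() {
    fp=$(bridge_hashed_fingerprint "$1")
    if [ -z "$fp" ]; then
        echo "no hashed fingerprint logged: is BridgeRelay 1 set and has Tor started?"
        return 1
    fi
    if orport_reachable "$1"; then
        echo "bridge $fp: ORPort reachable"
    else
        echo "bridge $fp: ORPort not yet confirmed reachable (check ufw and port forwarding)"
    fi
}

# Constructed sample of /var/log/tor/notices.log (not a real bridge's log).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Sep 05 10:00:01.000 [notice] Tor opening new log file.
Sep 05 10:00:02.000 [notice] Your Tor bridge's hashed identity key fingerprint is 'SatoshiNakamoto 0123456789ABCDEF0123456789ABCDEF01234567'
Sep 05 10:00:30.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent.
EOF

bridge_status "$SAMPLE_LOG"
```

Run it against the live file with bridge_status /var/log/tor/notices.log once Tor has been up for a few minutes; the reachability line only appears after Tor's self-test completes, so an "ORPort not yet confirmed" result right after a restart is normal, while one that persists points at the ufw rules or the router's port forwarding.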

Optimizing Tor Bridge

Recap: torrc

To recap, a legally compliant Tor bridge will include ExitPolicy reject *:* and will not include ExitRelay 1 anywhere whatsoever in the config file; an example of a USA legally compliant Tor bridge torrc config file is provided below:

RunAsDaemon 1
BridgeRelay 1

Log notice file /var/log/tor/notices.log
Log debug file /var/log/tor/debug.log

ORPort 3443

ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:3448

ExtORPort auto

## If you know how to set up DynamicDNS, uncomment the line below
## Address your-dynamic-dns

Nickname SatoshiNakamoto
ContactInfo SatoshiNakamoto <0xc78e9d242552d5da800a87b588dc3d2024a9fa0f@ethmail.cc>

RelayBandwidthBurst 200 KB # But allow bursts up to 200KB/s (1600Kbps)

ExitPolicy reject *:*

PublishServerDescriptor 0
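This recap file, and the KALI-LINUX torrc earlier, are easy to get subtly wrong: drop BridgeRelay 1 and the node quietly becomes a public relay rather than a bridge, write the contact line without the ContactInfo keyword and Tor rejects the whole file as an unknown option, or open a ufw port that does not match ServerTransportListenAddr and the obfs4 transport is unreachable while Tor itself looks healthy. The script below checks a torrc for exactly these properties and derives the ufw rules from the ports the file actually uses. It is an added example, not part of the original tutorial or of the Tor project's tooling; it assumes only a POSIX shell with sed, grep and awk, and the torrc it checks is a constructed copy of the recap config.

```shell
#!/bin/sh
# Added example, not from the original tutorial: check that a torrc describes
# a non-exit bridge (BridgeRelay 1, ExitPolicy reject *:*, no ExitRelay 1,
# ContactInfo and obfs4 present) and print the ufw rules that match the ports
# it actually uses, so the firewall and the torrc cannot drift apart.
# Assumes POSIX sh, sed, grep and awk only.

# Strip comments and blank lines from a torrc, leaving "Key value" lines.
torrc_lines() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# Return 0 if the torrc is a compliant non-exit bridge, 1 otherwise.
# Each failed check is printed on its own line.
check_bridge_torrc() {
    conf=$(torrc_lines "$1")
    rc=0
    if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*BridgeRelay[[:space:]]+1'; then
        echo "missing: BridgeRelay 1 (without it the node is a public relay, not a bridge)"; rc=1
    fi
    if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*ExitPolicy[[:space:]]+reject[[:space:]]+\*:\*'; then
        echo "missing: ExitPolicy reject *:*"; rc=1
    fi
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*ExitRelay[[:space:]]+1'; then
        echo "forbidden: ExitRelay 1"; rc=1
    fi
    if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*ContactInfo[[:space:]]+[^[:space:]]'; then
        echo "missing: ContactInfo (the line must start with the ContactInfo keyword)"; rc=1
    fi
    if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*ServerTransportPlugin[[:space:]]+obfs4[[:space:]]'; then
        echo "missing: ServerTransportPlugin obfs4"; rc=1
    fi
    return $rc
}

# Print the "ufw allow" commands for the ORPort and the obfs4 listen port.
# Both "ORPort 3443" and "ORPort 0.0.0.0:3443" forms are handled.
ufw_rules_for_torrc() {
    torrc_lines "$1" | awk '
        $1 == "ORPort" {
            n = split($2, a, ":"); print "sudo ufw allow " a[n] " comment \"TOR-circuit\""
        }
        $1 == "ServerTransportListenAddr" && $2 == "obfs4" {
            n = split($3, a, ":"); print "sudo ufw allow " a[n] " comment \"TOR-obfs4\""
        }'
}

# Constructed sample torrc mirroring the tutorial's recap config.
SAMPLE_TORRC=$(mktemp)
cat > "$SAMPLE_TORRC" <<'EOF'
RunAsDaemon 1
BridgeRelay 1
ORPort 3443
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:3448
ExtORPort auto
Nickname SatoshiNakamoto
ContactInfo SatoshiNakamoto <0xc78e9d242552d5da800a87b588dc3d2024a9fa0f@ethmail.cc>
RelayBandwidthBurst 200 KB # But allow bursts up to 200KB/s (1600Kbps)
ExitPolicy reject *:*
PublishServerDescriptor 0
EOF

if check_bridge_torrc "$SAMPLE_TORRC"; then
    echo "torrc OK; firewall rules to apply:"
    ufw_rules_for_torrc "$SAMPLE_TORRC"
fi
```

Run check_bridge_torrc /etc/tor/torrc before every Tor restart, and apply the lines printed by ufw_rules_for_torrc /etc/tor/torrc so the firewall follows the config file rather than a remembered port number; the check only inspects the file's text, so tor --verify-config remains the authority on whether Tor will accept it.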

Other Helpful Tips

Get comfortable monitoring your Tor bridge install by running the following:

  • For /var/log/tor/notices.log: tail -f -n 100 /var/log/tor/notices.log
  • For /var/log/syslog: tail -f -n 100 /var/log/syslog

Also, if you prefer to avoid loading Xubuntu on restart to conserve RAM, press CTRL + ALT + F3 at the Xubuntu welcome screen to switch to a text console.
