Tor server


The crisis in the Ukraine triggert me to run a Tor exit relay.

But my motivation is much bigger (and few inches in size): the Stasi observation files about my parents - few hundred pages.
In contrast the ridiculous 9 (almost blackened) pages about me (here).

My opinion: Freedom needs free press. Free press needs whistle-blowing. Whiste-blowing needs anonymity. Anonymity is provided by Tor.


The status of the Tor relay is seen at atlas. All exit families are ranked here.

DDoS and more

An unusual behavior a BOINC client was involved too happened at 6th of Nov 2014. And here're few DDoS examples from the past:
27th of April 2015 (>300 MBit/s), 20th of Nov 2015 (34 MBit/s, more), 30th of Jan 2016 (>500 MBit/s), 20th of March 2016 (>900 MBit/s, values), 13th of Jun 2016 (>65 MBit/s), 7th of Jun 2016 (>275 MBit/s), 21th of Jul 2016 (>180 MBit/s, values and graph), 22th of Jul 2016 (>250 Kpck/s, graph, ticket), ...

my setup

  • I followed the Tor Exit Guidelines, especially the Reduced Exit Policy.
  • OS is a hardened Gentoo Linux
  • minimal linux kernel config, no modules, no USB (reason)
  • /tmp is a tmpfs, swap is encrypted
  • network: static ip address
  • dnsmasq is used to have DNSSEC, configured using this wiki:
    1. install dnsmasq
    2. remove all nameserver= entries from /etc/resolv.conf except nameserver=
    3. edit /etc/dnsmasq.conf:
      • add all nameservers of your own ISP (and no other, this paper explains the reason) as lines like server=ip-address
      • set cache-size=10000
      • activate DNSSEC (look for conf-file=, dnssec and dnssec-check-unsigned)
    4. start dnsmasq
    5. verify name resolution, eg.: $> dig com. any +dnssec
  • incoming ports except ssh, DirPort and ORPort are closed
  • sshd listens at a non-default port, no password login, no root login, force elliptic-curve algorithm for key exchange ( KexAlgorithms in /etc/ssh/sshd_config )
  • weekly cron job (since logjam): openssl dhparam -out /etc/ssl/private/dhparams.pem 2048 2>/dev/null
  • provided a Tor exit notice both at the ipv4 and ipv6 address of the relay
  • homepage is legal-checked (contact, impressum and disclaimer)
  • I wrote for my own purpose these helper scripts.

  • "Tor" and the "Onion Logo" are registered trade marks of Torproject, Inc.

    back to my home page