Tor server


The trigger for me to provide a Tor exit relay was the crisis in the Ukraine in 2014.

But my motivation is much bigger (and few inches in size): the Stasi observation files about my parents.

Finally I'm convinced that freedom needs whistle blowing. And the later isn't possible w/o anonymity.

BTW the Stasi file about myself is very small, just few pages. Here's the scan.


The status of my relay is provided at atlas and torstatus. The Tor project provides a lot of other metrics, eg. about the network or relays. I wrote for my own purpose few helper scripts here available.

A breakin attempt using the BOINC client happened at 6th of Nov 2014. And here're few DDoS examples from the past:

27th of April 2015 (>300 MBit/s), 20th of Nov 2015 (34 MBit/s, more), 30th of Jan 2016 (>500 MBit/s), 20th of March 2016 (>900 MBit/s, values), 13th of Jun 2016 (>65 MBit/s), 7th of Jun 2016 (>275 MBit/s), 21th of Jul 2016 (>180 MBit/s, values and graph), 22th of Jul 2016 (>250 Kpck/s, graph, ticket), ...

my setup

  • I followed the Tor Exit Guidelines, especially the Reduced Exit Policy.
  • OS is a 64 bit hardened Gentoo Linux (PAX + Grsecurity)
  • minimal linux kernel configuration (eg.: no USB), no modules
  • /tmp is a tmpfs, swap is encrypted
  • network: static ip address, dnsmasq is used as a local DNS cache, configured following this wiki for DNSSEC:
    1. install dnsmasq
    2. remove all nameserver= entries from /etc/resolv.conf except nameserver=
    3. edit /etc/dnsmasq.conf:
      • add all nameservers of your ISP (and no externals if this paper is right) as server=ip-address
      • set cache-size=10000
      • activate DNSSEC (look for conf-file=, dnssec and dnssec-check-unsigned)
    4. start dnsmasq
    5. verify name resolution, eg.: $> dig com. any +dnssec
  • incoming ports except ssh, DirPort and ORPort are closed, DDoS handling (for IPv6 replace 32 with 128):
          -A INPUT -p tcp --destination-port  80 --match conntrack --ctstate NEW --match connlimit --connlimit-above 2 --connlimit-mask 32 -j DROP
          -A INPUT -p tcp --destination-port 443 --match conntrack --ctstate NEW --match connlimit --connlimit-above 2 --connlimit-mask 32 -j DROP
  • sshd listens at a non-default port, no password login, no root login, force elliptic-curve algorithm for key exchange ( KexAlgorithms in /etc/ssh/sshd_config )
  • weekly cron job (since logjam): openssl dhparam -out /etc/ssl/private/dhparams.pem 2048 2>/dev/null
  • provided a Tor exit notice both at the ipv4 and ipv6 address of the relay
  • homepage is legal-checked (contact, impressum and disclaimer)

  • "Tor" and the "Onion Logo" are registered trade marks of Torproject, Inc.

    back to my home page