commit 217d2842aa40b2ca0af506faeb8cbafa4f858385
Author: gus <g...@torproject.org>
Date: Tue Jul 30 03:45:24 2019 -0400
Rename directories in relay operations section
---
.../bridge/centos-rhel-opensuse/contents.lr | 101 ++++++++++++
.../technical-setup/bridge/contents.lr | 23 +++
.../bridge/debian-ubuntu/contents.lr | 80 +++++++++
.../technical-setup/bridge/freebsd/contents.lr | 98 +++++++++++
.../technical-setup/bridge/openbsd/contents.lr | 74 +++++++++
.../bridge/post-install/contents.lr | 22 +++
.../technical-setup/centosrhel/contents.lr | 19 ---
.../technical-setup/debianubuntu/contents.lr | 19 ---
.../technical-setup/exit/contents.lr | 181 +++++++++++++++++++++
.../technical-setup/fedora/contents.lr | 19 ---
.../technical-setup/freebsd/contents.lr | 19 ---
.../technical-setup/guard/centosrhel/contents.lr | 56 +++++++
.../technical-setup/guard/contents.lr | 15 ++
.../technical-setup/guard/debianubuntu/contents.lr | 46 ++++++
.../technical-setup/guard/fedora/contents.lr | 37 +++++
.../technical-setup/guard/freebsd/contents.lr | 73 +++++++++
.../technical-setup/post-install/contents.lr | 179 ++++++++++++++++++++
17 files changed, 985 insertions(+), 76 deletions(-)
diff --git
a/content/relay-operations/technical-setup/bridge/centos-rhel-opensuse/contents.lr
b/content/relay-operations/technical-setup/bridge/centos-rhel-opensuse/contents.lr
new file mode 100644
index 0000000..5849e5a
--- /dev/null
+++
b/content/relay-operations/technical-setup/bridge/centos-rhel-opensuse/contents.lr
@@ -0,0 +1,101 @@
+_model: page
+---
+title: CentOS / RHEL / OpenSUSE
+---
+body:
+
+# 1. Install tor and dependencies
+
+* Redhat / RHEL:
+
+```
+yum install epel-release
+yum install git golang tor
+```
+
+* OpenSUSE:
+
+```
+zypper install tor go git
+```
+
+# 2. Build obfs4proxy and move it into place.
+
+Heavily outdated versions of git can make `go get` fail, so try upgrading to a
more recent git version if you're running into this problem.
+
+* CentOS / RHEL:
+
+```
+export GOPATH=`mktemp -d`
+go get gitlab.com/yawning/obfs4.git/obfs4proxy
+sudo cp $GOPATH/bin/obfs4proxy /usr/local/bin/
+chcon --reference=/usr/bin/tor /usr/local/bin/obfs4proxy
+```
+
+* OpenSUSE:
+
+```
+export GOPATH=`mktemp -d`
+go get gitlab.com/yawning/obfs4.git/obfs4proxy
+sudo cp $GOPATH/bin/obfs4proxy /usr/local/bin/
+```
+
+# 3. Edit your Tor config file, usually located at `/etc/tor/torrc` and add
the following lines:
+
+```
+#Bridge config
+RunAsDaemon 1
+ORPort auto
+BridgeRelay 1
+ServerTransportPlugin obfs4 exec /usr/local/bin/obfs4proxy
+# For a fixed obfs4 port (e.g. 34176), uncomment the following line.
+#ServerTransportListenAddr obfs4 0.0.0.0:34176
+# Local communication port between Tor and obfs4. Always set this to "auto".
"Ext" means
+# "extended", not "external". Don't try to set a specific port number, nor
listen on 0.0.0.0.
+ExtORPort auto
+
+# Contact information that allows us to get in touch with you in case of
+# critical updates or problems with your bridge. This is optional, so you
+# don't have to provide an email address if you don't want to.
+ContactInfo <addr...@email.com>
+# Pick a nickname that you like for your bridge.
+Nickname PickANickname
+```
+
+Don't forget to change the ContactInfo and Nickname options.
+
+* Note that both Tor's OR port **and** its obfs4 port must be reachable. If
your bridge is behind a firewall or NAT, make sure to open both ports.
+
+# 4. Restart tor
+
+`systemctl restart tor`
+
+# 5. Monitor your logs (usually in your syslog)
+
+To confirm your bridge is running with no issues, you should see something
like this:
+
+```
+[notice] Your Tor server's identity key fingerprint is '<NICKNAME>
<FINGERPRINT>'
+[notice] Your Tor bridge's hashed identity key fingerprint is '<NICKNAME>
<HASHED FINGERPRINT>'
+[notice] Registered server transport 'obfs4' at '[::]:46396'
+[notice] Tor has successfully opened a circuit. Looks like client
functionality is working.
+[notice] Bootstrapped 100%: Done
+[notice] Now checking whether ORPort <redacted>:9001 is reachable... (this may
take up to 20 minutes -- look for log messages indicating success)
+[notice] Self-testing indicates your ORPort is reachable from the outside.
Excellent. Publishing server descriptor.
+```
+
+Remember to open the random port associated with your bridge. You can find it
in your tor log; in the above example it is 46396. To use a fixed port,
uncomment the
[ServerTransportListenAddr](https://www.torproject.org/docs/tor-manual.html.en#ServerTransportListenAddr)
option in your torrc. You can use [our reachability
test](https://bridges.torproject.org/scan/) to see if your obfs4 port is
reachable from the Internet.
+
+
+---
+html: two-columns-page.html
+---
+key:
+
+2
+---
+color: primary
+---
+subtitle: How to deploy obfs4proxy Bridge on CentOS / RHEL / OpenSUSE
+---
+_template: layout.html
diff --git a/content/relay-operations/technical-setup/bridge/contents.lr
b/content/relay-operations/technical-setup/bridge/contents.lr
new file mode 100644
index 0000000..c83b3e6
--- /dev/null
+++ b/content/relay-operations/technical-setup/bridge/contents.lr
@@ -0,0 +1,23 @@
+_model: page
+---
+title:
+
+ Bridge
+---
+body:
+
+This guide will help you run an obfs4 bridge to help censored users connect to
the Tor network. The requirements are 1) 24/7 Internet connectivity and 2) the
ability to expose TCP ports to the Internet (make sure that NAT doesn't get in
the way).
+
+Note: If you're running platforms that are not listed on this page, you should
probably [compile obfs4 from
source](https://gitlab.com/yawning/obfs4#installation).
+---
+html: two-columns-page.html
+---
+key: 2
+---
+section: Bridge operations
+---
+section_id: bridge-operations
+---
+subtitle: Run an obfs4 bridge to help censored users connect to the Tor network
+---
+_slug: {{bridge}}
diff --git
a/content/relay-operations/technical-setup/bridge/debian-ubuntu/contents.lr
b/content/relay-operations/technical-setup/bridge/debian-ubuntu/contents.lr
new file mode 100644
index 0000000..8900995
--- /dev/null
+++ b/content/relay-operations/technical-setup/bridge/debian-ubuntu/contents.lr
@@ -0,0 +1,80 @@
+_model: page
+---
+title: Debian / Ubuntu
+---
+body:
+
+# 1. Install Tor
+
+Get the latest version of Tor. If you're on Debian stable, `sudo apt-get
install tor` should give you the latest stable version of Tor.
+
+* Note:''' Ubuntu users need to get it from Tor repository. Please see
[Download instructions for
Ubuntu](https://www.torproject.org/docs/debian.html.en#ubuntu).
+
+# 2. Install obfs4proxy
+
+On [Debian](https://packages.debian.org/search?keywords=obfs4proxy), the
`obfs4proxy` package is available in sid, buster, and stretch. On
[https://packages.ubuntu.com/search?keywords=obfs4proxy Ubuntu], bionic,
cosmic, disco, and eoan have the package. If you're running any of them, `sudo
apt-get install obfs4proxy` should work.
+
+If not, you can [build it from
source](https://gitlab.com/yawning/obfs4#installation).
+
+# 3. Edit your Tor config file, usually located at `/etc/tor/torrc` and add
the following lines:
+
+```
+#Bridge config
+RunAsDaemon 1
+ORPort auto
+BridgeRelay 1
+ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
+# For a fixed obfs4 port (e.g. 34176), uncomment the following line.
+#ServerTransportListenAddr obfs4 0.0.0.0:34176
+# Local communication port between Tor and obfs4. Always set this to "auto".
"Ext" means
+# "extended", not "external". Don't try to set a specific port number, nor
listen on 0.0.0.0.
+ExtORPort auto
+
+# Contact information that allows us to get in touch with you in case of
+# critical updates or problems with your bridge. This is optional, so you
+# don't have to provide an email address if you don't want to.
+ContactInfo <addr...@email.com>
+# Pick a nickname that you like for your bridge.
+Nickname PickANickname
+```
+
+Don't forget to change the ContactInfo and Nickname options.
+
+* If you decide to use a fixed obfs4 port smaller than 1024 (for example 80 or
443), you will need to give obfs4 `CAP_NET_BIND_SERVICE` capabilities to bind
the port with a non-root user:
+
+```
+sudo setcap cap_net_bind_service=+ep /usr/bin/obfs4proxy
+```
+
+* Under Debian, you will also need to set `NoNewPrivileges=no` in
`/lib/systemd/system/tor@default.service` and
`/lib/systemd/system/tor@.service` and then run `systemctl daemon-reload`. [bug
#18356](https://trac.torproject.org/projects/tor/ticket/18356)
+
+* Note that both Tor's OR port **and** its obfs4 port must be reachable. If
your bridge is behind a firewall or NAT, make sure to open both ports.
+
+# 4. Restart tor
+
+`systemctl restart tor`
+
+# 5. Monitor your logs
+
+To confirm your bridge is running with no issues, you should see something
like this (usually in `/var/log/tor/log` or `/var/log/syslog`):
+
+
+```
+[notice] Your Tor server's identity key fingerprint is '<NICKNAME>
<FINGERPRINT>'
+[notice] Your Tor bridge's hashed identity key fingerprint is '<NICKNAME>
<HASHED FINGERPRINT>'
+[notice] Registered server transport 'obfs4' at '[::]:46396'
+[notice] Tor has successfully opened a circuit. Looks like client
functionality is working.
+[notice] Bootstrapped 100%: Done
+[notice] Now checking whether ORPort <redacted>:9001 is reachable... (this may
take up to 20 minutes -- look for log messages indicating success)
+[notice] Self-testing indicates your ORPort is reachable from the outside.
Excellent. Publishing server descriptor.
+```
+
+Remember to open the random port associated with your bridge. You can find it
in your tor log; in the above example it is 46396. To use a fixed port,
uncomment the
[ServerTransportListenAddr](https://www.torproject.org/docs/tor-manual.html.en#ServerTransportListenAddr)
option in your torrc. You can use [our reachability
test](https://bridges.torproject.org/scan/) to see if your obfs4 port is
reachable from the Internet.
+
+
+---
+key: 1
+---
+html: two-columns-page.html
+---
+subtitle: How to deploy an obfs4proxy Bridge on Debian / Ubuntu
diff --git
a/content/relay-operations/technical-setup/bridge/freebsd/contents.lr
b/content/relay-operations/technical-setup/bridge/freebsd/contents.lr
new file mode 100644
index 0000000..01adcd2
--- /dev/null
+++ b/content/relay-operations/technical-setup/bridge/freebsd/contents.lr
@@ -0,0 +1,98 @@
+_model: page
+---
+title: FreeBSD
+---
+html: two-columns-page.html
+---
+key: 3
+---
+body:
+
+# 1. Install packages
+
+```
+pkg install obfs4proxy-tor tor ca_root_nss
+```
+
+# 2. Edit your Tor config file, usually located at `/usr/local/etc/tor` and
add the following lines
+
+```
+#Bridge config
+RunAsDaemon 1
+ORPort auto
+BridgeRelay 1
+ServerTransportPlugin obfs4 exec /usr/local/bin/obfs4proxy
+# For a fixed obfs4 port (e.g. 34176), uncomment the following line.
+#ServerTransportListenAddr obfs4 0.0.0.0:34176
+# Local communication port between Tor and obfs4. Always set this to "auto".
"Ext" means
+# "extended", not "external". Don't try to set a specific port number, nor
listen on 0.0.0.0.
+ExtORPort auto
+
+# Contact information that allows us to get in touch with you in case of
+# critical updates or problems with your bridge. This is optional, so you
+# don't have to provide an email address if you don't want to.
+ContactInfo <addr...@email.com>
+# Pick a nickname that you like for your bridge.
+Nickname PickANickname
+
+Log notice file /var/log/tor/notices.log
+```
+
+Don't forget to change the ContactInfo and Nickname options.
+
+* Note that both Tor's OR port **and** its obfs4 port must be reachable. If
your bridge is behind a firewall or NAT, make sure to open both ports.
+
+# 3. Ensure that the `random_id` sysctl setting is enabled:
+
+```
+echo "net.inet.ip.random_id=1" >> /etc/sysctl.conf
+sysctl net.inet.ip.random_id=1
+```
+
+# 4. Start the tor daemon and make sure it starts at boot:
+
+```
+sysrc tor_enable=YES
+service tor start
+```
+
+# 5. Monitor your logs
+
+To confirm your bridge is running with no issues, you should see something
like this in `/var/log/tor/notices.log`:
+
+```
+[notice] Your Tor server's identity key fingerprint is '<NICKNAME>
<FINGERPRINT>'
+[notice] Your Tor bridge's hashed identity key fingerprint is '<NICKNAME>
<HASHED FINGERPRINT>'
+[notice] Registered server transport 'obfs4' at '[::]:46396'
+[notice] Tor has successfully opened a circuit. Looks like client
functionality is working.
+[notice] Bootstrapped 100%: Done
+[notice] Now checking whether ORPort <redacted>:9001 is reachable... (this may
take up to 20 minutes -- look for log messages indicating success)
+[notice] Self-testing indicates your ORPort is reachable from the outside.
Excellent. Publishing server descriptor.
+```
+
+Remember to open the random port associated with your bridge. You can find it
in your tor log; in the above example it is 46396. To use a fixed port,
uncomment the [
ServerTransportListenAddr](https://www.torproject.org/docs/tor-manual.html.en#ServerTransportListenAddr)
option in your torrc. You can use[our reachability test]
(https://bridges.torproject.org/scan/) to see if your obfs4 port is reachable
from the Internet.
+
+# 6. To get the fastest package updates, switch from the "quarterly" package
repo to the "latest" repo.
+
+Create the following folder:
+
+```
+mkdir -p /usr/local/etc/pkg/repos
+```
+
+Create the file `/usr/local/etc/pkg/repos/FreeBSD.conf` with the following
content:
+
+```
+FreeBSD: { enabled: no }
+
+FreeBSDlatest: {
+ url: "pkg+https://pkg.FreeBSD.org/${ABI}/latest";,
+ mirror_type: "srv",
+ signature_type: "fingerprints",
+ fingerprints: "/usr/share/keys/pkg",
+ enabled: yes
+}
+```
+
+---
+subtitle: How to deploy obfs4proxy Bridge on FreeBSD
diff --git
a/content/relay-operations/technical-setup/bridge/openbsd/contents.lr
b/content/relay-operations/technical-setup/bridge/openbsd/contents.lr
new file mode 100644
index 0000000..ae682d9
--- /dev/null
+++ b/content/relay-operations/technical-setup/bridge/openbsd/contents.lr
@@ -0,0 +1,74 @@
+_model: page
+---
+title: OpenBSD
+---
+html: two-columns-page.html
+---
+key: 4
+---
+body:
+
+# 1. Install packages
+```
+pkg_add tor obfs4proxy
+```
+
+# 2. Edit your Tor config file
+
+Usually located at `/etc/tor/torrc`, add the following lines:
+
+```
+#Bridge config
+RunAsDaemon 1
+ORPort auto
+BridgeRelay 1
+ServerTransportPlugin obfs4 exec /usr/local/bin/obfs4proxy
+# For a fixed obfs4 port (e.g. 34176), uncomment the following line.
+#ServerTransportListenAddr obfs4 0.0.0.0:34176
+# Local communication port between Tor and obfs4. Always set this to "auto".
"Ext" means
+# "extended", not "external". Don't try to set a specific port number, nor
listen on 0.0.0.0.
+ExtORPort auto
+
+# Contact information that allows us to get in touch with you in case of
+# critical updates or problems with your bridge. This is optional, so you
+# don't have to provide an email address if you don't want to.
+ContactInfo <addr...@email.com>
+# Pick a nickname that you like for your bridge.
+Nickname PickANickname
+
+Log notice file /var/log/tor/notices.log
+
+User _tor
+```
+
+Don't forget to change the ContactInfo and Nickname options.
+
+Note that both Tor's OR port and its obfs4 port must be reachable. If your
bridge is behind a firewall or NAT, make sure to open both ports.
+
+# 3. Start the tor daemon and make sure it starts at boot:
+
+```
+rcctl enable tor
+rcctl start tor
+```
+# 4. Monitor your logs
+
+To confirm your bridge is running with no issues, you should see something
like this (`/var/log/tor/notices.log`):
+
+```
+[notice] Your Tor server's identity key fingerprint is '<NICKNAME>
<FINGERPRINT>'
+[notice] Your Tor bridge's hashed identity key fingerprint is '<NICKNAME>
<HASHED FINGERPRINT>'
+[notice] Registered server transport 'obfs4' at '[::]:46396'
+[notice] Tor has successfully opened a circuit. Looks like client
functionality is working.
+[notice] Bootstrapped 100%: Done
+[notice] Now checking whether ORPort <redacted>:9001 is reachable... (this may
take up to 20 minutes -- look for log messages indicating success)
+[notice] Self-testing indicates your ORPort is reachable from the outside.
Excellent. Publishing server descriptor.
+```
+
+Remember to open the random port associated with your bridge. You can find it
in your tor log; in the above example it is 46396. To use a fixed port,
uncomment the
[ServerTransportListenAddr](https://www.torproject.org/docs/tor-manual.html.en#ServerTransportListenAddr)
option in your torrc. You can use [our reachability
test](https://bridges.torproject.org/scan/) to see if your obfs4 port is
reachable from the Internet.
+---
+subtitle: How to deploy obfs4proxy Bridge on OpenBSD
+---
+section: Bridge
+---
+section_id: bridge
diff --git
a/content/relay-operations/technical-setup/bridge/post-install/contents.lr
b/content/relay-operations/technical-setup/bridge/post-install/contents.lr
new file mode 100644
index 0000000..e7f19cd
--- /dev/null
+++ b/content/relay-operations/technical-setup/bridge/post-install/contents.lr
@@ -0,0 +1,22 @@
+_model: page
+---
+title: Post-install
+---
+body:
+
+Congrats! If you get to this point, it means that your obfs4 bridge is running
and is being distributed by BridgeDB to censored users. If you want to connect
to your bridge manually, you will need to know the bridge's obfs4 certificate.
See the file `/var/lib/tor/pt_state/obfs4_bridgeline.txt` and paste the entire
bridge line into Tor Browser:
+
+```
+Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert=<CERTIFICATE> iat-mode=0
+```
+
+You'll need to replace `<IP ADDRESS>`, `<PORT>`, and `<FINGERPRINT>` with the
actual values, which you can find in the tor log. Make sure to use
`<FINGERPRINT>`, not `<HASHED FINGERPRINT>`; and that `<PORT>` is the one from
the log line `Registered server transport 'obfs4'`, not the one from the line
`Now checking whether ORPort ... is reachable`.
+
+Finally, you can monitor your obfs4 bridge's usage on [Relay
Search](https://metrics.torproject.org/rs.html#search). Just enter your
bridge's `<HASHED FINGERPRINT>` in the form and click "Search". After having
set up the bridge, it takes approximately three hours for the bridge to show up
in Relay Search.
+
+---
+html: two-columns-page.html
+---
+key: 5
+---
+subtitle: How to find your Bridge in Relay Search and connect manually
diff --git a/content/relay-operations/technical-setup/centosrhel/contents.lr
b/content/relay-operations/technical-setup/centosrhel/contents.lr
deleted file mode 100644
index 28f5d71..0000000
--- a/content/relay-operations/technical-setup/centosrhel/contents.lr
+++ /dev/null
@@ -1,19 +0,0 @@
-_model: page
----
-title: CentOS
----
-html: two-columns-page.html
----
-section: relay operations
----
-section_id: relay-operations
----
-key: 3
----
-body:
-
-
----
-subtitle: CentOS
----
-_slug: {{centos}}
diff --git a/content/relay-operations/technical-setup/debianubuntu/contents.lr
b/content/relay-operations/technical-setup/debianubuntu/contents.lr
deleted file mode 100644
index 28f5d71..0000000
--- a/content/relay-operations/technical-setup/debianubuntu/contents.lr
+++ /dev/null
@@ -1,19 +0,0 @@
-_model: page
----
-title: CentOS
----
-html: two-columns-page.html
----
-section: relay operations
----
-section_id: relay-operations
----
-key: 3
----
-body:
-
-
----
-subtitle: CentOS
----
-_slug: {{centos}}
diff --git a/content/relay-operations/technical-setup/exit/contents.lr
b/content/relay-operations/technical-setup/exit/contents.lr
new file mode 100644
index 0000000..7c57eeb
--- /dev/null
+++ b/content/relay-operations/technical-setup/exit/contents.lr
@@ -0,0 +1,181 @@
+_model: page
+---
+title: Exit
+---
+html: two-columns-page.html
+---
+section: relay operations
+---
+section_id: relay-operations
+---
+key: 3
+---
+body:
+
+We assume you read through the [relay guide](..) already. This subpage is for
operators that want to turn on exiting on their relay.
+
+It is recommended that you setup exit relays on servers dedicated to this
purpose.
+It is not recommended to install Tor exit relays on servers that you need for
other services as well.
+Do not mix your own traffic with your exit relay traffic.
+
+## Reverse DNS and WHOIS record
+
+Before turning your non-exit relay into an exit relay, ensure that you have
set a reverse DNS record (PTR) to make it more obvious that this is a tor exit
relay. Something like "tor-exit" it its name is a good start.
+
+If your provider offers it, make sure your WHOIS record contains clear
indications that this is a Tor exit relay.
+
+## Exit Notice HTML page
+
+To make it even more obvious that this is a Tor exit relay you should serve a
Tor exit notice HTML page.
+Tor can do that for you if your DirPort is on TCP port 80, you can make use of
tor's DirPortFrontPage feature to display a HTML file on that port.
+This file will be shown to anyone directing his browser to your Tor exit relay
IP address.
+
+```
+DirPort 80
+DirPortFrontPage /path/to/html/file
+```
+
+We offer a sample Tor exit notice HTML file, but you might want to adjust it
to your needs:
+https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html
+
+Here are some more tips for running a reliable exit relay:
+https://blog.torproject.org/tips-running-exit-node
+
+## Exit Policy
+
+Defining the [exit
policy](https://www.torproject.org/docs/tor-manual.html.en#ExitPolicy) is one
of the most important parts of an exit relay configuration.
+The exit policy defines which destination ports you are willing to forward.
+This has an impact on the amount of abuse emails you will get (less ports
means less abuse emails, but an exit relay allowing only few ports is also less
useful).
+If you want to be a useful exit relay you must **at least allow destination
ports 80 and 443**.
+
+As a new exit relay - especially if you are new to your hoster - it is good to
start with a reduced exit policy (to reduce the amount of abuse emails) and
further open it up as you become more experienced.
+The reduced exit policy can be found on the
[ReducedExitPolicy](https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy)
wiki page.
+
+To become an exit relay change ExitRelay from 0 to 1 in your torrc
configuration file and restart the tor daemon.
+
+```
+ExitRelay 1
+```
+
+## DNS on Exit Relays
+
+Unlike other types of relays, exit relays also do DNS resolution for Tor
clients.
+DNS resolution on exit relays is crucial for Tor clients, it should be
reliable and fast by using caching.
+
+* DNS resolution can have a significant impact on the performance and
reliability your exit relay provides.
+ Poor DNS performance will result in less traffic going through your exit
relay.
+* Don't use any of the big DNS resolvers as your primary or fallback DNS
resolver to avoid centralization (Google, OpenDNS, Quad9, Cloudflare, 4.2.2.1-6)
+* We recommend running a local caching and DNSSEC-validating resolver without
using any forwarders (specific instructions follow bellow for each operating
systems)
+* if you want to add a second DNS resolver as a fallback to your
/etc/resolv.conf configuration, try to choose a resolver within your autonomous
system and make sure it is not your first entry in that file (the first entry
should be your local resolver)
+* if a local resolver like unbound is not an option for you try to use a
resolver that your provider runs in the same autonomous system (to find out if
an IP address is in the same AS as your relay, you can look it up, using for
example https://bgp.he.net).
+* try to avoid adding too many resolvers to your /etc/resolv.conf file to
limit exposure on an AS-level (try to not use more than two entries)
+
+There are multiple options for DNS server software, unbound has become a
popular one but **feel free to use any other you are comfortable with**.
+When choosing your DNS resolver software try to ensure it supports DNSSEC
validation and QNAME minimisation (RFC7816).
+In every case the software should be installed using the OS package manager to
ensure it is updated with the rest of the system.
+
+By using your own DNS resolver you are less vulnerable to DNS-based censorship
that your upstream resolver might impose.
+
+Here follow specific instructions on how to install and configure unbound on
your exit - a DNSSEC-validating and caching resolver. unbound has many
configuration and tuning nobs but we try to keep these instructions as simple
and short as possible and the basic setup will do just fine for most operators.
+
+After switching to unbound verify it works as expected by resolving a valid
hostname, if it does not work, you can restore the old resolv.conf file.
+
+### Debian/Ubuntu
+
+The following 3 commands install unbound, backup your DNS configuration and
tell the system to use the local unbound:
+
+```
+apt install unbound
+cp /etc/resolv.conf /etc/resolv.conf.backup
+echo nameserver 127.0.0.1 > /etc/resolv.conf
+```
+
+To avoid that the configuration gets changed (for example by the DHCP client):
+
+```
+chattr +i /etc/resolv.conf
+```
+
+The Debian configuration ships with QNAME minimisation (RFC7816) enabled by
default so you don't need to enable it explicitly.
+The unbound resolver you just installed does also DNSSEC validation.
+
+### CentOS/RHEL
+
+Install the unbound package:
+
+```
+yum install unbound
+```
+
+in /etc/unbound/unbound.conf replace the line
+
+```
+# qname-minimisation: no
+```
+
+with:
+
+```
+qname-minimisation: yes
+```
+
+enable and start unbound:
+
+```
+systemctl enable unbound
+systemctl start unbound
+```
+
+Tell the system to use the local unbound server:
+
+```
+cp /etc/resolv.conf /etc/resolv.conf.backup
+echo nameserver 127.0.0.1 > /etc/resolv.conf
+```
+
+To avoid that the configuration gets changed (for example by the DHCP client):
+
+```
+chattr +i /etc/resolv.conf
+```
+
+### FreeBSD
+
+FreeBSD ships unbound in the base system but the one in ports is usually
following upstream more closely so we install the unbound package:
+
+```
+pkg install unbound
+```
+
+Replace the content in /usr/local/etc/unbound/unbound.conf with the following
lines:
+
+```
+server:
+ verbosity: 1
+ qname-minimisation: yes
+```
+
+enable and start the unbound service:
+
+```
+sysrc unbound_enable=YES
+service unbound start
+```
+
+Tell the system to use the local unbound server:
+
+```
+cp /etc/resolv.conf /etc/resolv.conf.backup
+echo nameserver 127.0.0.1 > /etc/resolv.conf
+```
+
+To avoid that the configuration gets changed (for example by the DHCP client):
+
+```
+chflags schg /etc/resolv.conf
+```
+
+---
+subtitle: How to deploy an Exit node
+---
+_slug: {{exit}}
diff --git a/content/relay-operations/technical-setup/fedora/contents.lr
b/content/relay-operations/technical-setup/fedora/contents.lr
deleted file mode 100644
index 9236220..0000000
--- a/content/relay-operations/technical-setup/fedora/contents.lr
+++ /dev/null
@@ -1,19 +0,0 @@
-_model: page
----
-title: Fedora
----
-html: two-columns-page.html
----
-section: relay operations
----
-section_id: relay-operations
----
-key: 3
----
-body:
-
-
----
-subtitle: Fedora
----
-_slug: {{fedora}}
diff --git a/content/relay-operations/technical-setup/freebsd/contents.lr
b/content/relay-operations/technical-setup/freebsd/contents.lr
deleted file mode 100644
index 28f5d71..0000000
--- a/content/relay-operations/technical-setup/freebsd/contents.lr
+++ /dev/null
@@ -1,19 +0,0 @@
-_model: page
----
-title: CentOS
----
-html: two-columns-page.html
----
-section: relay operations
----
-section_id: relay-operations
----
-key: 3
----
-body:
-
-
----
-subtitle: CentOS
----
-_slug: {{centos}}
diff --git
a/content/relay-operations/technical-setup/guard/centosrhel/contents.lr
b/content/relay-operations/technical-setup/guard/centosrhel/contents.lr
new file mode 100644
index 0000000..27b6031
--- /dev/null
+++ b/content/relay-operations/technical-setup/guard/centosrhel/contents.lr
@@ -0,0 +1,56 @@
+_model: page
+---
+title: CentOS/RHEL
+---
+body:
+
+# 1. Enable the EPEL repository
+
+To install `tor` package on CentOS/RHEL, you need to install the
[EPEL](https://fedoraproject.org/wiki/EPEL) repository first:
+
+`yum install epel-release`
+
+# 2. Install the tor package and verify the EPEL signing key
+
+`yum install tor`
+
+When you install the first package from the EPEL repository you will be asked
about verifying the EPEL GPG signing key. Please ensure the key matches with
the one available on the [Fedora Project website](https://getfedora.org/keys/).
+
+# 3. Put the tor configuration file `/etc/tor/torrc` in place
+
+```
+#change the nickname "myNiceRelay" to a name that you like
+Nickname myNiceRelay
+ORPort 9001
+SocksPort 0
+ExitRelay 0
+# Change the email address bellow and be aware that it will be published
+ContactInfo tor-operator@your-emailaddress-domain
+```
+
+# 4. Enable and start your Tor relay
+
+CentOS 7 / RHEL 7:
+
+```
+systemctl enable tor
+systemctl start tor
+```
+
+CentOS 6 / RHEL 6:
+
+```
+service tor enable
+service tor start
+```
+
+---
+html: two-columns-page.html
+---
+key: 5
+---
+section: relay operations
+---
+section_id: relay-operations
+---
+subtitle: How to deploy a middle/Guard node on CentOS/RHEL
diff --git a/content/relay-operations/technical-setup/guard/contents.lr
b/content/relay-operations/technical-setup/guard/contents.lr
new file mode 100644
index 0000000..7cfa3dd
--- /dev/null
+++ b/content/relay-operations/technical-setup/guard/contents.lr
@@ -0,0 +1,15 @@
+_model: page
+---
+title: Middle/Guard relay
+---
+body: In this guide we describe how to setup a new Middle/Guard relay. Please
choose your platform below.
+---
+html: two-columns-page.html
+---
+key: 1
+---
+section: relay operations
+---
+section_id: relay-operations
+---
+subtitle: Run a Middle/Guard relay
diff --git
a/content/relay-operations/technical-setup/guard/debianubuntu/contents.lr
b/content/relay-operations/technical-setup/guard/debianubuntu/contents.lr
new file mode 100644
index 0000000..f7992dd
--- /dev/null
+++ b/content/relay-operations/technical-setup/guard/debianubuntu/contents.lr
@@ -0,0 +1,46 @@
+_model: page
+---
+title: Debian/Ubuntu
+---
+body:
+
+# 1. Configure Tor Package Repository
+
+Enable the Torproject package repository by following the instructions
**[here](https://2019.www.torproject.org/docs/debian.html.en#ubuntu)**.
+
+# 2. Package Installation
+
+Install the `tor` package:
+
+`apt update && apt install tor`
+
+# 3. Configuration File
+
+Put the configuration file `/etc/tor/torrc` in place:
+
+```
+#change the nickname "myNiceRelay" to a name that you like
+Nickname myNiceRelay
+ORPort 443
+ExitRelay 0
+SocksPort 0
+ControlSocket 0
+# Change the email address bellow and be aware that it will be published
+ContactInfo tor-operator@your-emailaddress-domain
+```
+
+# 4. Restart the Service
+
+Restart the tor daemon so your configuration changes take effect:
+
+`systemctl restart tor@default`
+---
+html: two-columns-page.html
+---
+key: 1
+---
+section: relay operations
+---
+section_id: relay-operations
+---
+subtitle: How to deploy a middle/Guard node on Debian/Ubuntu
diff --git a/content/relay-operations/technical-setup/guard/fedora/contents.lr
b/content/relay-operations/technical-setup/guard/fedora/contents.lr
new file mode 100644
index 0000000..cc984cc
--- /dev/null
+++ b/content/relay-operations/technical-setup/guard/fedora/contents.lr
@@ -0,0 +1,37 @@
+_model: page
+---
+title: Fedora
+---
+body:
+
+# 1. Install the tor package:
+
+`dnf install tor`
+
+# 2. Put the tor configuration file `/etc/tor/torrc` in place:
+
+```
+#change the nickname "myNiceRelay" to a name that you like
+Nickname myNiceRelay
+ORPort 9001
+ExitRelay 0
+# Change the email address bellow and be aware that it will be published
+ContactInfo tor-operator@your-emailaddress-domain
+```
+
+# 3. Start the tor daemon and make sure it starts at boot:
+
+```
+systemctl enable tor
+systemctl start tor
+```
+---
+html: two-columns-page.html
+---
+key: 3
+---
+section: relay operations
+---
+section_id: relay-operations
+---
+subtitle: How to deploy a middle/Guard node on Fedora
diff --git a/content/relay-operations/technical-setup/guard/freebsd/contents.lr
b/content/relay-operations/technical-setup/guard/freebsd/contents.lr
new file mode 100644
index 0000000..a47dfc8
--- /dev/null
+++ b/content/relay-operations/technical-setup/guard/freebsd/contents.lr
@@ -0,0 +1,73 @@
+_model: page
+---
+title: FreeBSD
+---
+body:
+
+## 1. Install the tor package
+
+`pkg install tor ca_root_nss`
+
+or for alpha releases:
+
+`pkg install tor-devel ca_root_nss`
+
+## 2. Put the configuration file `/usr/local/etc/tor/torrc` in place
+
+```
+#change the nickname "myNiceRelay" to a name that you like
+Nickname myNiceRelay
+ORPort 9001
+ExitRelay 0
+SocksPort 0
+# Change the email address bellow and be aware that it will be published
+ContactInfo tor-operator@your-emailaddress-domain
+Log notice syslog
+```
+
+## 3. Ensure that the `random_id` sysctl setting is enabled:
+
+```
+echo "net.inet.ip.random_id=1" >> /etc/sysctl.conf
+sysctl net.inet.ip.random_id=1
+```
+
+## 4. Start the tor daemon and make sure it starts at boot:
+
+```
+sysrc tor_enable=YES
+service tor start
+```
+
+### Optional but recommended
+
+To get package updates faster after they have been build it is best to switch
from the "quarterly" with "latest" repository.
+
+Create the following folder:
+
+`mkdir -p /usr/local/etc/pkg/repos`
+
+and create the file `/usr/local/etc/pkg/repos/FreeBSD.conf` with the following
content:
+
+```
+FreeBSD: { enabled: no }
+
+FreeBSDlatest: {
+ url: "pkg+https://pkg.FreeBSD.org/${ABI}/latest";,
+ mirror_type: "srv",
+ signature_type: "fingerprints",
+ fingerprints: "/usr/share/keys/pkg",
+ enabled: yes
+}
+```
+
+---
+html: two-columns-page.html
+---
+key: 2
+---
+section: relay operations
+---
+section_id: relay-operations
+---
+subtitle: How to deploy a middle/Guard node on FreeBSD
diff --git a/content/relay-operations/technical-setup/post-install/contents.lr
b/content/relay-operations/technical-setup/post-install/contents.lr
new file mode 100644
index 0000000..5236fbe
--- /dev/null
+++ b/content/relay-operations/technical-setup/post-install/contents.lr
@@ -0,0 +1,179 @@
+_model: page
+---
+title: Relay Post-install and good practices
+---
+body:
+
+#1. Make sure relay ports can be reached
+
+If you are using a firewall, open a hole in your firewall so incoming
connections can reach the ports you will use for your relay (ORPort, plus
DirPort if you enabled it).
+
+Also, make sure you allow all outgoing connections too, so your relay can
reach the other Tor relays, clients and destinations.
+
+You can find the specific ORPort TCP port number in the torrc configuration
samples bellow (in the OS specific sections).
+
+# 2. Verify that your relay works
+
+If your logfile (syslog) contains the following entry after starting your tor
daemon your relay should be up and running as expected:
+
+```
+Self-testing indicates your ORPort is reachable from the outside. Excellent.
+Publishing server descriptor.
+```
+
+About 3 hours after you started your relay it should appear on [Relay
Search](https://metrics.torproject.org/rs.html).
+You can search for your relay using your nickname or IP address.
+
+# 3. Read about Tor relay lifecycle
+
+It takes some time for relay traffic to ramp up, this is especially true for
guard relays but to a lesser extend also for exit relays. To understand this
process, read about the [lifecycle of a new
relay](https://blog.torproject.org/lifecycle-new-relay).
+
+# 4. Configuration Management
+
+If you plan to run more than a single relay, or you want to run a high
capacity relay (multiple Tor instances per server) or want to use strong
security features like [Offline Master
Keys](https://trac.torproject.org/projects/tor/wiki/doc/TorRelaySecurity/OfflineKeys)
without performing additional steps manually, you may want to use a
configuration management for better maintainability.
+
+There are multiple configuration management solutions for Unix based operating
systems (Ansible, Puppet, Salt, ...).
+
+The following Ansible Role has specifically been build for Tor relay operators
and supports multiple operating systems: [Ansible
Relayor](http://github.com/nusenu/ansible-relayor).
+
+# 5. Important: if you run more than one Tor instance
+
+To avoid putting Tor clients at risk when operating multiple relays you must
set a proper
[MyFamily](https://2019.www.torproject.org/docs/tor-manual.html.en#MyFamily)
value and have a valid
[ContactInfo](https://2019.www.torproject.org/docs/tor-manual.html.en#ContactInfo)
in your torrc configuration.
+The MyFamily setting is simply telling Tor clients what Tor relays are
controlled by a single entity/operator/organization, so they are not used in
multiple positions in a single circuit.
+
+If you run two relays and they have fingerprints AAAAAAAAAA and BBBBBBBB, you
would add the following configuration to set MyFamily:
+
+```
+MyFamily AAAAAAAAAA,BBBBBBBB
+```
+
+to both relays. To find your relays fingerprint you can look into the log
files when tor starts up or find the file named "fingerprint" in your tor
DataDirectory.
+
+Instead of doing so manually for big operators we recommend to automate the
MyFamily setting via a configuration management solution.
+Manually managing MyFamily for big relay groups is error prone and can put Tor
clients at risk.
+
+# 6. Optional: Limiting bandwidth usage (and traffic)
+
+Tor will not limit its bandwidth usage by default, but supports multiple ways
to restrict the used bandwidth and the amount of traffic.
+This can be handy if you want to ensure that your Tor relay does not exceed a
certain amount of bandwidth or total traffic per day/week/month.
+The following torrc configuration options can be used to restrict bandwidth
and traffic:
+
+* AccountingMax
+* AccountingRule
+* AccountingStart
+* BandwidthRate
+* BandwidthBurst
+* RelayBandwidthRate
+
+Having a fast relay for some time of the month is preferred over a slow relay
for the entire month.
+
+Also see the bandwidth entry in the
[FAQ](https://www.torproject.org/docs/faq.html.en#BandwidthShaping).
+
+# 7. Check IPv6 availability
+
+We encourage everyone to enable IPv6 on their relays. This is especially
valuable on exit and guard relays.
+
+Before enabling your tor daemon to use IPv6 in addition to IPv4 you should do
some basic IPv6 connectivity tests.
+
+The following command line will ping the IPv6 addresses of Tor directory
authorities from your server:
+
+```
+ping6 -c2 2001:858:2:2:aabb:0:563b:1526 && ping6 -c2
2620:13:4000:6000::1000:118 && ping6 -c2 2001:67c:289c::9 && ping6 -c2
2001:678:558:1000::244 && ping6 -c2 2607:8500:154::3 && ping6 -c2
2001:638:a000:4140::ffff:189 && echo OK.
+```
+
+At the end of the output you should see "OK." if that is not the case do not
enable IPv6 in your torrc configuration file before IPv6 is indeed working.
+If you enable IPv6 without working IPv6 connectivity your entire relay will
not be used, regardless if IPv4 is working.
+
+If it worked fine, make your Tor relay reachable via IPv6 by adding an
additional ORPort line to your configuration (example for ORPort 9001):
+
+```
+ORPort [IPv6-address]:9001
+```
+
+The location of that line in the configuration file does not matter you can
simply add it next to the first ORPort lins in your torrc file.
+
+Note: You have to explicitly specify your IPv6 address in square brackets, you
can not tell tor to bind to any IPv6 (like you do for IPv4).
+If you have a global IPv6 address you should be able to find it in the output
of the following command:
+
+```
+ip addr|grep inet6|grep global
+```
+
+If you are an exit relay with IPv6 connectivity, tell your tor daemon to allow
exiting via IPv6 so clients can reach IPv6 destinations:
+
+```
+IPv6Exit 1
+```
+
+Note: Tor requires IPv4 connectivity, you can not run a Tor relay on IPv6-only.
+
+# 8. Maintaining a relay
+
+## Backup Tor Identity Keys
+
+After your initial installation and start of the tor daemon it is a good idea
to make a backup of your relay's long term identity keys.
+They are located in the "keys" subfolder of your DataDirectory (simply make a
copy of the entire folder and store it in a secure location).
+Since relays have a ramp-up time it makes sense to backup the identity key to
be able to restore your relay's reputation after a disk failure - otherwise you
would have to go through the ramp-up phase again.
+
+Default locations of the keys folder:
+
+* Debian/Ubuntu: `/var/lib/tor/keys`
+* FreeBSD: `/var/db/tor/keys`
+
+## Subscribe to the tor-announce mailing list
+
+This is a very low traffic mailing list and you will get information about new
stable tor releases and important security update information:
[tor-announce](https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce).
+
+## Setting up outage notifications
+
+Once you setup your relay it will likely run without much work from your side.
+If something goes wrong it is good to get notified automatically.
+We recommend you use one of the free services that allow you to check your
relay's ORPorts for reachability and send you an email should they become
unreachable for what ever reason.
+
+[UptimeRobot](https://uptimerobot.com/) is one of these services that allow
you to monitor TCP listeners on arbitrary ports.
+This service can check your configured ports once every 5 minutes and send you
an email should your tor process die or become unreachable.
+This checks only for the listener but does not speak the Tor protocol.
+
+A good way to monitor a relay for its health state is to have a look at its
bandwidth graphs.
+
+## System Health Monitoring
+
+To ensure your relay is healthy and not overwhelmed it makes sense to have
some basic system monitoring in place to keep an eye on the following metrics:
+
+* Bandwidth
+* Established TCP Connections
+* Memory
+* Swap
+* CPU
+
+There are many tools for monitoring this kind of data,
[munin](http://munin-monitoring.org/) is one of them and is relatively easy to
setup.
+
+Note: **Do not make your private monitoring data graphs public since this
could help attackers with deanonymizing Tor users.**
+
+Some practical advice:
+
+* If you want to publish traffic statistics, you should aggregate all your
relays' traffic over at least a week, then round that to the nearest 10 TiB
(terabytes).
+* Reporting individual relays is worse than reporting totals for groups of
relays. In future, tor will securely aggregate bandwidth statistics, so any
individual relay bandwidth reporting will be less secure than tor's statistics.
+* Smaller periods are worse.
+* Numbers are worse than graphs.
+* Real-time data is worse than historical data.
+* Data in categories (IP version, in/out, etc.) is worse than total data.
+
+## Tools
+
+ This section lists a few tools that you might find handy as a Tor relay
operator.
+
+* [Nyx](https://nyx.torproject.org/): is a Tor Project tool (formerly arm)
that allows you to see real time data of your relay.
+
+* vnstat: vnstat is a command-line tool that shows the amount of data going
through your network connection.
+You can also use it to generate PNG pictures showing traffic graphs. [vnstat
documentation](https://humdi.net/vnstat/) and [demo
output](https://humdi.net/vnstat/cgidemo/).
+---
+html: two-columns-page.html
+---
+key: 4
+---
+section: Relay operations
+---
+section_id: relay-operations
+---
+subtitle:
_______________________________________________
tor-commits mailing list
tor-commits@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits
