From 1f20fa511414da03e533cf6ecd072c0850a56bc5 Mon Sep 17 00:00:00 2001 From: Tim Kuijsten Date: Thu, 30 Aug 2018 21:23:09 +0200 Subject: [PATCH 01/10] update obsd-relay manual to use modern practices --- obsd-relays.md | 68 +++++++++++++++++++------------------------------- 1 file changed, 26 insertions(+), 42 deletions(-) diff --git a/obsd-relays.md b/obsd-relays.md index ddeb7ef..4d4b922 100644 --- a/obsd-relays.md +++ b/obsd-relays.md @@ -20,7 +20,7 @@ With its default install, OpenBSD is not a high-bandwidth relay due to its secur For installing applications, OpenBSD's [recommended method] is the [pkg_add(1)] system, as opposed to using ports build from source. pkg_add uses pre-compiled binary files with set options. Rarely should a user have an issue with the defaults. There are cases in which a more experienced OpenBSD user would opt for the ports system. -This guide is based on OpenBSD 5.7, which was released on May 1, 2015. +This guide is based on OpenBSD 6.3, which was released on April 15, 2018. ### Syntax ### 
@@ -36,19 +36,21 @@ OpenBSD's -STABLE branch is released every six months. The -CURRENT branch, in t OpenBSD's [pkg_add] system is reliable and errors are rare. For most users, the [ports] system is not recommended. However, it is important to note that OpenBSD does not include the alpha or unstable versions of Tor in its packages. In one case, OpenBSD did use the alpha version as its default package due to a significant Tor vulnerability. -## The Quick and Short Version ## +## Installation and configuration ## -These are the basic steps to configure a Tor relay with OpenBSD, based on the default install. This will create a relay. For more detailed instructions and for additional tips on securing and optimizing the relay +These are the basic steps to create a new Tor relay with OpenBSD, based on the default install. -1. Install OpenBSD, then reboot +1. Install OpenBSD and reboot -2. Add the following section to */etc/login.conf* file: +2. By default, OpenBSD maintains a rather low limit on the maximum number of open files for a process. For a daemon such as Tor, that opens a connection to each and every other relay (currently around 7000 relays), these limits should be raised. Add the following section to the */etc/login.conf* file: >`tor:\` + >>`:openfiles-max=8192:\` + >>`:tc=daemon:` -3. Increase the kernel limit on maximum files: +3. And increase the kernel maximum number of files limit: >$ sysctl kern.maxfiles=20000 
@@ -60,17 +62,27 @@ These are the basic steps to configure a Tor relay with OpenBSD, based on the de >$ pkg_add tor -6. Copy the torrc.sample file to torrc: +6. Edit */etc/tor/torrc* appropriately. Settings you definitely want to take a look at are: +* SOCKSPort +* ORPort +* Nickname +* RelayBandwidthRate +* RelayBandwidthBurst +* ContactInfo +* DirPort +* ExitRelay + +7. Start Tor automatically after a reboot: ->$ +>$ doas rcctl enable tor -7. Edit */etc/tor/torrc* appropriately +8. Start Tor now: -8. Add the line tor_flags="-f /etc/tor/torrc" in the /etc/rc.conf.local file +>$ doas rcctl start tor -9. Start Tor with /etc/rc.d/tor start +9. And at last, watch the Tor log for anything special: -10. Watch the Tor log with "tail -f /var/log/tor/notices.log" +>$ tail -n20f /var/log/daemon ## Some Additional Configuration Considerations & Options ## @@ -82,37 +94,9 @@ RAM-based disks such as tmpfs or are useful for avoiding writes to the hard disk #### Layout of Tor Files on OpenBSD ### -The torrc file is located in /etc/tor/torrc. - -The sample file is in /usr/local/share/examples/tor/torrc.sample - -Log - -/var/log/tor/notices.log - -### Tor on Startup ### - -$ cat /etc/rc.conf.local - ->tor_flags="-f /etc/tor/torrc" - ->ntpd_flags="-s" - ->sndiod_flags=NO - -/etc/sysctl.conf - -kern.maxfiles=20000 default is 7030 - -/etc/login.conf - -By default, OpenBSD maintains limits for kernel functions with an eye on security. For higher-bandwidth on an array of kernel functions. One in particular that will significantly throttle a Tor relay's operation is the number of open files allowed. This raises the number of open files for the Tor daemon: - -`tor:\` - ->`:openfiles-max=8192:\` +The Tor config file file is located in /etc/tor/torrc. ->`:tc=daemon:` +By default, Tor logs to the daemon facility which ends up in /var/log/daemon. ### Encrypting Swap ### From a9fabb4ec4b8e84431c987a096115e7edeb86b5c Mon Sep 17 00:00:00 2001 
From: Tim Kuijsten Date: Thu, 30 Aug 2018 21:35:30 +0200 Subject: [PATCH 02/10] use markdown syntax highlighting --- obsd-relays.md | 42 +++++++++++++++++++++++++++--------------- 1 file changed, 27 insertions(+), 15 deletions(-) diff --git a/obsd-relays.md b/obsd-relays.md index 4d4b922..eae44ab 100644 --- a/obsd-relays.md +++ b/obsd-relays.md @@ -42,27 +42,33 @@ These are the basic steps to create a new Tor relay with OpenBSD, based on the d 1. Install OpenBSD and reboot -2. By default, OpenBSD maintains a rather low limit on the maximum number of open files for a process. For a daemon such as Tor, that opens a connection to each and every other relay (currently around 7000 relays), these limits should be raised. Add the following section to the */etc/login.conf* file: +2. By default, OpenBSD maintains a rather low limit on the maximum number of open files for a process. For a daemon such as Tor, that opens a connection to each and every other relay (currently around 7000 relays), these limits should be raised. Add the following section to `/etc/login.conf`: ->`tor:\` +``` +tor:\ + :openfiles-max=8192:\ + :tc=daemon: +``` ->>`:openfiles-max=8192:\` +3. Increase the kernel maximum number of files limit: ->>`:tc=daemon:` +```shell +$ sysctl kern.maxfiles=20000 +``` -3. And increase the kernel maximum number of files limit: +4. To make that sysctl change remains after rebooting, add the following to `/etc/sysctl.conf`: ->$ sysctl kern.maxfiles=20000 - -4. To make that sysctl change remains after rebooting, add the following to the */etc/sysctl.conf* file: - ->>kern.maxfiles=20000 +``` +kern.maxfiles=20000 +``` 5. Install Tor: ->$ pkg_add tor +```shell +$ pkg_add tor +``` -6. Edit */etc/tor/torrc* appropriately. Settings you definitely want to take a look at are: +6. Edit `/etc/tor/torrc` appropriately. Settings you definitely want to take a look at are: * SOCKSPort * ORPort * Nickname 
@@ -74,15 +80,21 @@ These are the basic steps to create a new Tor relay with OpenBSD, based on the d 7. Start Tor automatically after a reboot: ->$ doas rcctl enable tor +```shell +$ doas rcctl enable tor +``` 8. Start Tor now: ->$ doas rcctl start tor +```shell +$ doas rcctl start tor +``` 9. And at last, watch the Tor log for anything special: ->$ tail -n20f /var/log/daemon +```shell +$ tail -n20f /var/log/daemon +``` ## Some Additional Configuration Considerations & Options ## From bedc2a8d8f0005919cd820bea8784fd279947779 Mon Sep 17 00:00:00 2001 From: Tim Kuijsten Date: Thu, 30 Aug 2018 21:41:45 +0200 Subject: [PATCH 03/10] some small language tweaks --- obsd-relays.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/obsd-relays.md b/obsd-relays.md index eae44ab..e90b69e 100644 --- a/obsd-relays.md +++ b/obsd-relays.md @@ -50,13 +50,13 @@ tor:\ :tc=daemon: ``` -3. Increase the kernel maximum number of files limit: +3. Increase the kernel maximum number of files: ```shell $ sysctl kern.maxfiles=20000 ``` -4. To make that sysctl change remains after rebooting, add the following to `/etc/sysctl.conf`: +4. And make this change persistent so that it is in effect after a reboot by adding the following to `/etc/sysctl.conf`: ``` kern.maxfiles=20000 From ecc1d80c3a516386bf6966d0244d351fae8b1490 Mon Sep 17 00:00:00 2001 From: Tim Kuijsten Date: Thu, 30 Aug 2018 21:43:08 +0200 Subject: [PATCH 04/10] remove the section on additional configuration This mostly contains information that is either: * out-dated (encrypted swap is the default) * not really relevant (tmpfs no longer ships with OpenBSD and mfs is advised, but I'm not sure this really matters for a "network-only" server like Tor that hardly touches the disk). * or redundant (config and log file locations) --- obsd-relays.md | 20 -------------------- 1 file changed, 20 deletions(-) diff --git a/obsd-relays.md b/obsd-relays.md index e90b69e..353f6cf 100644 --- a/obsd-relays.md
+++ b/obsd-relays.md @@ -96,26 +96,6 @@ $ doas rcctl start tor $ tail -n20f /var/log/daemon ``` -## Some Additional Configuration Considerations & Options ## - -Installing OpenBSD - -System Configuration - -RAM-based disks such as tmpfs or are useful for avoiding writes to the hard disk, which limits residual data after reboots and can increase the longevity of sensitive disk media, particularly compact flash cards. - -#### Layout of Tor Files on OpenBSD ### - -The Tor config file file is located in /etc/tor/torrc. - -By default, Tor logs to the daemon facility which ends up in /var/log/daemon. - -### Encrypting Swap ### - -By default, OpenBSD enables encrypted swap in /etc/sysctl.conf, so no changes are necessary: - -`#vm.swapencrypt.enable=0 # 0=Do not encrypt pages that go to swap` - ## Future ## ### Why To Use Ports as Opposed to Packages ### From 296945ebff7e51f82e2bc60395e228a53486d639 Mon Sep 17 00:00:00 2001 From: Tim Kuijsten Date: Thu, 30 Aug 2018 21:48:45 +0200 Subject: [PATCH 05/10] remove the question about whether or not to use ports One argument against packages would be the lack of updates during a release cycle, but let's not go there now. --- obsd-relays.md | 6 ------ 1 file changed, 6 deletions(-) diff --git a/obsd-relays.md b/obsd-relays.md index 353f6cf..e4013aa 100644 --- a/obsd-relays.md +++ b/obsd-relays.md @@ -96,12 +96,6 @@ $ doas rcctl start tor $ tail -n20f /var/log/daemon ``` -## Future ## - -### Why To Use Ports as Opposed to Packages ### - -OpenBSD's pkg_add system is easy to use and smooth in operation. - [OpenBSD]: http://www.openbsd.org "OpenBSD Project" [FAQ]: http://www.openbsd.org/faq/index.html "OpenBSD FAQ" [manual pages]: http://www.openbsd.org/cgi-bin/man.cgi "OpenBSD Manual Pages" From 355644ec3161e70478625e21106c116e18ca3980 Mon Sep 17 00:00:00 2001 
From: Tim Kuijsten Date: Thu, 30 Aug 2018 21:53:19 +0200 Subject: [PATCH 06/10] recommend adding tor config to the changelist --- obsd-relays.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/obsd-relays.md b/obsd-relays.md index e4013aa..52307f7 100644 --- a/obsd-relays.md +++ b/obsd-relays.md @@ -78,15 +78,15 @@ $ pkg_add tor * DirPort * ExitRelay -7. Start Tor automatically after a reboot: - -```shell -$ doas rcctl enable tor +7. Enable configuration backup and change notifications to root. Add the following to ` /etc/changelist`: +``` +/etc/tor/torrc ``` -8. Start Tor now: +8. Start Tor automatically after a reboot and start it now: ```shell +$ doas rcctl enable tor $ doas rcctl start tor ``` From bcd0e0a5fda531d092641f551a05f31c2ab762b6 Mon Sep 17 00:00:00 2001 From: Tim Kuijsten Date: Thu, 30 Aug 2018 21:54:42 +0200 Subject: [PATCH 07/10] emphasize file changes can be appended to the EOF --- obsd-relays.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/obsd-relays.md b/obsd-relays.md index 52307f7..2dc1937 100644 --- a/obsd-relays.md +++ b/obsd-relays.md @@ -42,7 +42,7 @@ These are the basic steps to create a new Tor relay with OpenBSD, based on the d 1. Install OpenBSD and reboot -2. By default, OpenBSD maintains a rather low limit on the maximum number of open files for a process. For a daemon such as Tor, that opens a connection to each and every other relay (currently around 7000 relays), these limits should be raised. Add the following section to `/etc/login.conf`: +2. By default, OpenBSD maintains a rather low limit on the maximum number of open files for a process. For a daemon such as Tor, that opens a connection to each and every other relay (currently around 7000 relays), these limits should be raised. Append the following section to `/etc/login.conf`: ``` tor:\ 
@@ -56,7 +56,7 @@ tor:\ $ sysctl kern.maxfiles=20000 ``` -4. And make this change persistent so that it is in effect after a reboot by adding the following to `/etc/sysctl.conf`: +4. And make this change persistent so that it is in effect after a reboot by appending the following to `/etc/sysctl.conf`: ``` kern.maxfiles=20000 @@ -78,7 +78,7 @@ $ pkg_add tor * DirPort * ExitRelay -7. Enable configuration backup and change notifications to root. Add the following to ` /etc/changelist`: +7. Enable configuration backup and change notifications to root. Append the following to ` /etc/changelist`: ``` /etc/tor/torrc ``` From 9078563b3c804c20a82492b6ab04b7de607a5264 Mon Sep 17 00:00:00 2001 From: Tim Kuijsten Date: Thu, 30 Aug 2018 22:03:55 +0200 Subject: [PATCH 08/10] link to the official Tor relay guide --- obsd-relays.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/obsd-relays.md b/obsd-relays.md index 2dc1937..3045bba 100644 --- a/obsd-relays.md +++ b/obsd-relays.md @@ -26,9 +26,9 @@ This guide is based on OpenBSD 6.3, which was released on April 15, 2018. Refer to the [Documentation Style Guide](doc-guide.html) for information about syntax in this document. -### OpenBSD Documentation ### +### OpenBSD Documentation and Tor Relay Guide ### -OpenBSD documentation, both its [FAQ] and [manual pages], are comprehensive and accurate. The vast majority of questions faced by a user are answered there. The manual pages are also available directly on an OpenBSD system. +OpenBSD documentation, both its [FAQ] and [manual pages], are comprehensive and accurate. The vast majority of questions faced by a user are answered there. The manual pages are also available directly on an OpenBSD system. Additionally make sure to read the official [Tor Relay Guide]. ### Some Preliminary Issues: OpenBSD -STABLE -CURRENT or snapshots? Ports or Packages? ### 
@@ -102,5 +102,6 @@ $ tail -n20f /var/log/daemon [recommended method]: http://www.openbsd.org/faq/faq15.html#Intro "The OpenBSD packages and ports system" [pkg_add(1)]: http://www.openbsd.org/faq/faq15.html#PkgMgmt "pkg_add system" [ports]: http://www.openbsd.org/faq/faq15.html#Ports "ports system" +[Tor Relay Guide]:https://trac.torproject.org/projects/tor/wiki/TorRelayGuide {{footer.md}} From 7c20dcfd1176d59d882f1d1a98ca4867976b514c Mon Sep 17 00:00:00 2001 From: Tim Kuijsten Date: Thu, 30 Aug 2018 22:06:14 +0200 Subject: [PATCH 09/10] link to new url of OpenBSD manual pages --- obsd-relays.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/obsd-relays.md b/obsd-relays.md index 3045bba..d358be4 100644 --- a/obsd-relays.md +++ b/obsd-relays.md @@ -98,7 +98,7 @@ $ tail -n20f /var/log/daemon [OpenBSD]: http://www.openbsd.org "OpenBSD Project" [FAQ]: http://www.openbsd.org/faq/index.html "OpenBSD FAQ" -[manual pages]: http://www.openbsd.org/cgi-bin/man.cgi "OpenBSD Manual Pages" +[manual pages]: http://man.openbsd.org "OpenBSD manual pages" [recommended method]: http://www.openbsd.org/faq/faq15.html#Intro "The OpenBSD packages and ports system" [pkg_add(1)]: http://www.openbsd.org/faq/faq15.html#PkgMgmt "pkg_add system" [ports]: http://www.openbsd.org/faq/faq15.html#Ports "ports system" From e38e6e4af4ebdf21afebf4439aef3bf789dcc935 Mon Sep 17 00:00:00 2001 From: Tim Kuijsten Date: Thu, 6 Sep 2018 02:47:28 +0200 Subject: [PATCH 10/10] use kern.maxfiles and openfiles-max from doc/TUNING --- obsd-relays.md | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/obsd-relays.md b/obsd-relays.md index d358be4..913c813 100644 --- a/obsd-relays.md +++ b/obsd-relays.md 
@@ -40,35 +40,34 @@ OpenBSD's [pkg_add] system is reliable and errors are rare. For most users, the These are the basic steps to create a new Tor relay with OpenBSD, based on the default install. -1. Install OpenBSD and reboot - -2. By default, OpenBSD maintains a rather low limit on the maximum number of open files for a process. For a daemon such as Tor, that opens a connection to each and every other relay (currently around 7000 relays), these limits should be raised. Append the following section to `/etc/login.conf`: +1. By default, OpenBSD maintains a rather low limit on the maximum number of open files for a process. For a daemon such as Tor, that opens a connection to each and every other relay (currently around 7000 relays), these limits should be raised. Append the following section to `/etc/login.conf`: ``` tor:\ - :openfiles-max=8192:\ + :openfiles-max=13500:\ :tc=daemon: ``` -3. Increase the kernel maximum number of files: +2. OpenBSD stores a kernel-level file descriptor limit in the sysctl variable +kern.maxfiles. Increase it from the default of 7,030 to 16,000: ```shell -$ sysctl kern.maxfiles=20000 +$ sysctl kern.maxfiles=16000 ``` -4. And make this change persistent so that it is in effect after a reboot by appending the following to `/etc/sysctl.conf`: +3. And make this change persistent so that it is in effect after a reboot by appending the following to `/etc/sysctl.conf`: ``` -kern.maxfiles=20000 +kern.maxfiles=16000 ``` -5. Install Tor: +4. Install Tor: ```shell $ pkg_add tor ``` -6. Edit `/etc/tor/torrc` appropriately. Settings you definitely want to take a look at are: +5. Edit `/etc/tor/torrc` appropriately. Settings you definitely want to take a look at are: * SOCKSPort * ORPort * Nickname 
@@ -78,19 +77,19 @@ $ pkg_add tor * DirPort * ExitRelay -7. Enable configuration backup and change notifications to root. Append the following to ` /etc/changelist`: +6. Enable configuration backup and change notifications to root. Append the following to ` /etc/changelist`: ``` /etc/tor/torrc ``` -8. Start Tor automatically after a reboot and start it now: +7. Start Tor automatically after a reboot and start it now: ```shell $ doas rcctl enable tor $ doas rcctl start tor ``` -9. And at last, watch the Tor log for anything special: +8. And at last, watch the Tor log for anything special: ```shell $ tail -n20f /var/log/daemon
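Review bot: in PATCH 01/10, hunk `@@ -36,19 +36,21 @@`, the privilege level of the commands is inconsistent: `$ sysctl kern.maxfiles=20000` and `$ pkg_add tor` both write kernel state or install packages and will fail for the unprivileged user the `$` prompt implies, while the same patch switches the rcctl steps to `doas rcctl enable tor` / `doas rcctl start tor`. Prefix the sysctl and pkg_add lines with `doas` as well (this carries through patches 02, 03 and 10, which keep the bare form), or state once at the top of the step list that the commands are run as root.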
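Review bot: in PATCH 01/10, hunk `@@ -60,17 +62,27 @@`, the old step 6 ("Copy the torrc.sample file to torrc") is dropped and the new step 6 goes straight to "Edit */etc/tor/torrc* appropriately", but nothing now tells the reader whether `/etc/tor/torrc` exists after `pkg_add tor` or where the sample file lives (the old sample path is deleted in the next hunk). Add one sentence saying the package provides the file, or keep the sample path. The same hunk's new step 9 uses `tail -n20f /var/log/daemon`, which glues the `-f` flag onto the numeric argument of `-n`; the unambiguous spelling is `tail -n 20 -f /var/log/daemon`.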
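Review bot: in PATCH 01/10, hunk `@@ -82,37 +94,9 @@`, the added line "The Tor config file file is located in /etc/tor/torrc." has a doubled word ("file file"). The surrounding context line `#### Layout of Tor Files on OpenBSD ###` also opens with four hashes and closes with three; since the section survives until PATCH 04/10 removes it, either fix both here or squash the removal into this patch so the intermediate state never ships.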
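Review bot: in PATCH 06/10, hunk `@@ -78,15 +78,15 @@`, the new step 7 references the path as `` ` /etc/changelist` `` with a leading space inside the backticks, which renders as " /etc/changelist" and breaks copy-paste; PATCH 07/10 rewrites this line but keeps the stray space. The fenced block that follows (`/etc/tor/torrc`) is also attached directly to the sentence with no blank line, unlike every other step in the file. Suggested form:
`Append the following to `/etc/changelist`:`
followed by an empty line and then the fence. The intent of the step, getting torrc backed up and diffed by the daily changelist run, deserves one more clause saying that the change report arrives in root's daily mail, so readers know where to look for it.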
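Review bot: in PATCH 08/10, hunk `@@ -102,5 +102,6 @@`, the new reference definition `[Tor Relay Guide]:https://trac.torproject.org/projects/tor/wiki/TorRelayGuide` is formatted differently from the five definitions above it: no space after the colon and no quoted title. Use the same shape as its neighbours, e.g. `[Tor Relay Guide]: https://trac.torproject.org/projects/tor/wiki/TorRelayGuide "Tor Relay Guide"`.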
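Review bot: in PATCH 10/10, hunk `@@ -40,35 +40,34 @@`, removing "1. Install OpenBSD and reboot" makes the guide open on a login.conf tuning step with no statement of the starting point (the paragraph above still says "based on the default install", so one line restoring that assumption would keep the steps self-contained). Three smaller points in the same hunk: the new step 2 is hard-wrapped after "sysctl variable" while every other step is a single line, which looks accidental; `$ sysctl kern.maxfiles=16000` still lacks `doas`; and the text should say that `openfiles-max=13500` and `kern.maxfiles=16000` are a matched pair taken from doc/TUNING, because with those values only 2,500 descriptors remain for the rest of the system once the Tor process reaches its own limit, so a reader who scales one number must scale the other.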