Embedded Tor Node
Outdated Software ahead
This project is severely outdated! While I keep the images linked in this article online for you to explore, please *do not run them in production* on an actual Tor node anymore. Rebuild fresh images from source!
Embedded Tor Node Hardware Appliance
This product is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.
Why is this page in English?
Since the project gained some interest from international people, the documentation is available to a broader audience when in English. If you have questions, please contact Pepi!
WTF?
The average desktop PC has a lot of components which I deem unnecessary for a network-only device, like a graphics card, audio components, hard drive, etc. I wanted to build a Tor node that can act as a relay or bridge based on efficient embedded hardware instead of an electricity-hungry general purpose PC. Think green IT.
If you don't know what Tor is, you should read up on the Tor-Overview, which is also available in German as Tor-Überblick and in many other languages.
The Hardware: ALIX 3D2 Single Board Computer
I've chosen an ALIX 3D2 SBC by Swiss manufacturer PC-Engines as the main component. You can get this board for about 75,- € (plus VAT). From the manufacturer you can also get a PDF of the schematics of the board if you want to dig deeper.
The operating system is booted from a Compact Flash card which is mounted on the bottom side of the PCB. I've been working with 2GB cards from SanDisk, but most quality CF cards should work just fine. I haven't yet done a build for 1GB cards, but it should be enough space for everything.
The Operating System: nanoBSD
I've evaluated many different OSes for this device. It can run almost any OS that is available for the i386 platform, including many Linux flavors, *BSD and even exotic stuff like Windows. My operating system of choice for the project is nanoBSD, which is a special flavor of FreeBSD for embedded devices. Since we are booting from flash memory, which doesn't like too many write cycles, this is the perfect choice as everything runs read-only during normal operation. (Wear leveling of modern flash memories has reduced the write cycles problem of flash memory. Modern CF cards do not suffer from this anymore in my experience.) Yet it's still nice to have a read-only system. You don't have to worry about corrupting your filesystem by a power outage. You can just pull the plug and nothing will happen to your system. It will just boot up again once power comes back. Another advantage of nanoBSD over Linux is that it will just boot up even if the realtime clock is not yet set correctly, skipping unnecessary boot delays because of fsck. nanoBSD will set the clock via NTP after obtaining an IP via DHCP. Keep in mind that this system board does not come with a backup battery for the clock (and we actually do not need one).
Building the OS
This has been the hardest part of the project. The nanoBSD build process is not the simplest thing in the world, especially when you're not yet acquainted with it. But steep learning curves are great, because you get to learn a lot in a very short time. One basically needs two files for the build process: a system configuration and a kernel configuration. I'll put them up very soon, so you can start building your own nodes. I also want to provide prebuilt CF images which you can simply dd to a fresh card to get going very quickly.
You need the following system configuration file: http://pastebin.com/m61e126b4
and the following kernel configuration file: http://pastebin.com/f32ec04b7
To make the build run through, you also need to download the following packages and put the files into /usr/src/tools/tools/nanobsd/packages on the FreeBSD machine you use to build nanoBSD.
These versions are outdated; please only use current ones:
- libevent-1.4.13.tbz
- openssl-0.9.8l_4.tbz
- tor-0.2.1.22.tbz
- tsocks-1.8.b5_4.tbz
You can download these from one of the many FreeBSD mirrors. The architecture you need is i386 and the Release version is 8.0.
You can also download a prebuilt, but very outdated, nanoBSD image for a 2GB CF card. It is not suitable for running as an actual Tor node anymore.
Be aware that some of these development builds have SSH enabled and there is an empty root password! Do not connect this device to the internet without changing the password for root and making sure it sticks across reboots!
You can download the images for testing purposes from my server.
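One way to check the warning above before a device goes online, as an added example that is not part of the original page or the project's build files: it flags accounts with an empty password and password files whose change was never saved, so it would not stick across reboots. The function names are hypothetical, and the layout is an assumption about this image: the standard nanoBSD arrangement where `/etc` is a memory disk and the saved copies live on the `/cfg` partition.

```shell
#!/bin/sh
# Added example: audit password state on a nanoBSD image before it goes online.
# master.passwd fields: name:password:uid:gid:class:change:expire:gecos:home:shell

# Print accounts whose password field is empty (login without a password).
empty_password_accounts() {  # $1 = master.passwd file
    awk -F: '!/^#/ && NF >= 10 && $2 == "" { print $1 }' "$1"
}

# Print password files whose live copy differs from, or is missing in, the
# saved configuration directory; such a change is gone after the next reboot.
unsaved_files() {  # $1 = live etc dir, $2 = saved cfg dir (assumed layout)
    for f in master.passwd passwd pwd.db spwd.db; do
        [ -f "$1/$f" ] || continue
        cmp -s "$1/$f" "$2/$f" 2>/dev/null || echo "$f"
    done
}

# Return 0 only if no password is empty and every password file is saved.
audit() {  # $1 = live etc dir, $2 = saved cfg dir
    rc=0
    for u in $(empty_password_accounts "$1/master.passwd"); do
        echo "FAIL: account '$u' has an empty password"; rc=1
    done
    for f in $(unsaved_files "$1" "$2"); do
        echo "FAIL: $f differs from $2/$f, change is lost on reboot"; rc=1
    done
    [ "$rc" -eq 0 ] && echo "OK: passwords set and saved"
    return "$rc"
}

# Constructed sample data, not taken from the real image.
demo=$(mktemp -d) && mkdir "$demo/etc" "$demo/cfg"
# 1) As shipped: root has an empty password field.
printf 'root::0:0::0:0:Charlie &:/root:/bin/csh\n' > "$demo/etc/master.passwd"
cp "$demo/etc/master.passwd" "$demo/cfg/"
audit "$demo/etc" "$demo/cfg" || echo "-> do not connect this device yet"
# 2) Password changed in the running system but never copied to the cfg dir.
printf 'root:$1$constructed$hash:0:0::0:0:Charlie &:/root:/bin/csh\n' \
    > "$demo/etc/master.passwd"
audit "$demo/etc" "$demo/cfg" || echo "-> password will revert on reboot"
# 3) Saved copy updated: the audit passes.
cp "$demo/etc/master.passwd" "$demo/cfg/"
audit "$demo/etc" "$demo/cfg"
rm -rf "$demo"
```

On the device itself, mount the configuration partition with `mount /cfg`, run `audit /etc /cfg`, and `umount /cfg` afterwards.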
2010/02/06 04:12 CET: Bootstrapped 100%: Done. Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor. Self-testing indicates your DirPort is reachable from the outside. Excellent. Performing bandwidth self-test...done.
TODO
Things I haven't yet solved… Please contact me if you can help with any of these!
Things still needed for a deployable prototype:
- Automatically copy torrc and cryptographic identity from a USB stick at boot up when the system is missing them.
Things needed to do to optimize security on the system:
- Expert users of FreeBSD/nanoBSD should glance over the configuration used for the project and suggest (and hopefully help to implement) stuff needed to further secure the system.
- Improve documentation
Things needed to optimize performance:
- Further remove things from the configuration that we do not need for operation. The smaller the installation and kernel are, the faster it will work and the faster the build process will be as well. (Currently 40 minutes on a quad Xeon 2.26)
- Test node on a link with some bandwidth.
- Test if the Soekris vpn1411 crypto accelerator board works with nanoBSD 8 (it should) and if you can have two of these boards in a node.
- Test power consumption (PC-Engines specify about 5 Watts for the plain board)
Random stuff:
- Better pictures
- Better documentation
- Better build instructions
- DIY video: How to build your own
- Get a green Tor-Shirt
- Laser engraving on the enclosure
- Self Update mechanism (nanoBSD directly supports this, how can I make this easily available for the users?)
- Indicate status information with two of the three LEDs on the board
- Management GUI?
Pictures of a Finished Tor Node
The components for the device (from top left to bottom right):
- enclosure bezel with cutting for USB ports
- logic board (ALIX 3D2)
- enclosure bezel with cuttings for: WiFi antenna (not used in this project), RJ45 (ethernet), power jack, 2nd antenna, 3 LEDs, RS232 serial
- green passive processor cooler (optional)
- 2GB Compact Flash card (SanDisk)
- aluminum enclosure
- power supply with Euro plug
The assembled device looks like this:
Backside view with two USB 2.0 ports
Frontside view with RJ45 (ethernet), power jack, RS232 serial connector. The LED (green) cuttings are below the right antenna plug. The holes for optional WiFi antennas have been protected with rubber plugs.
Thanks
Thanks to kyrah for her mental support during times of hair-pulling struggle and worldi on ##FreeBSD for sharing his knowledge about FreeBSD package management and the nanoBSD build process. Also thanks to all the folks who wrote documentation about nanoBSD.