torbsd / torbsd.github.io Goto Github PK

Please feel free to contact the Tor BSD Diversity Project via this issue tracker. Post an issue and we'll see it and respond.

I enjoyed George's talk about the Tor BSD Diversity Project at BSDCan this year and spent some time writing a couple scripts to build pre-configured OpenBSD resflash images for Tor non-exit relays. I'm running them now on a couple VPS/VM providers quite successfully. The README includes anything one might need to know to get them running securely:

https://stable.rcesoftware.com/pub/resflash/tor/

Additional information:

https://stable.rcesoftware.com/resflash/

Like my non-Tor pre-canned images, I expect to keep them up to date with the latest OpenBSD -stable branch.

First of all, "pkg_add" doesn't really need "-r", like on freebsd so better to take that out.
Also, the last sentence on that page ends rather strange, so please fill out what the end should be.

plz add in the guide how to bind to low ports (e. g. 80 and 443)

(I'm not in your target group (moving from linux to bsd for diversity) and new to bsd)
I managed it with: sysctl net.inet.ip.portrange.reservedhigh=0

also maybe give a hint that the keys are stored under: /var/db/tor
to save people time searching for them (especially since we got an offline master key feature)

tnx

This is fairly meta, but why not.

I'm currently in the process of standardizing on "BSD by default" for my growing fleet of four modest Tor middle relays. I appreciate the very straightforward reasons expressed so well by the Tor BSD Diversity Project and I’ve picked up on that as a way to start working on my own Linux monoculture. It seems like I currently run the only two BSD-based Tor relays in Finland (edit: this is not true at all, there are a handful. Looked through a list very sloppily!).

I particularly enjoy FreeBSD and the in-place upgrade path offered through ‘freebsd-update’.

Recently, I’ve been curious about HardenedBSD, as this fork fills in some of the odd blanks in FreeBSD, such as a PaX-like implementation of ASLR. I’m looking forward to their upcoming FreeBSD 11.0-RELEASE based release.

So, my question as an enthusiast, non-CS person: is HardenedBSD likely to mitigate any tangible risks of Tor relays being compromised through known or unknown vulnerabilities? That is, when compared to running vanilla FreeBSD and always applying relevant OS and Tor patches in a timely fashion.

Or are HardenedBSD's benefits in the case of Tor on a dedicated machine or VM small enough to be outweighed by the potential hassle of relying on the continuity and QA of a new project?

Maybe I’m overthinking this, but I find platform choices like these to be interesting dilemmas.

How and from where can we download Tor Browser Bundle if it is ready to use. Is there a complete tor browser bundle ready to use in OpenBSD like Tor browser bundle available from tor website for use on linux and windows.

When I try to run tor-browser.desktop I am told it cannot execute the child process, what am I doing wrong?

It would be helpful for the tor network to not only add diversity to its nodes but also its clients.
I applaud TDP's efforts on the Torbrowser port for OpenBSD, but more could be done.

I realize that making a BSD-based version of Tails that incorporates all of Tails' features right now is out of scope. But by just configuring an OpenBSD installation to function more like Tails, one would achieve a reasonably secure alternative to Tails.

A SiteXX.tgz for OpenBSD that includes the some of the same things as tails would be ideal:

• Automatically install packages such as tor, torbrowser, XFCE/GNOME3, PGP/GPG, KeePass, a mailclient
• automatically start tor on startup
• pf.conf to route everything through tor
• Desktop XFCE/GNOME3 metapackage
• automatic OpenBSD upgrading

It might also be easier to patch the install script and add a diskencryption setup in there.

So, a torbsd-desktop, good idea / bad idea?

Could you elaborate on how one could set up PF properly on the *BSDs?
Perhaps an example configuration with Ping,SSH,DirPort,ORPort open and everything else locked down?