Configuring my Tor Exit Router with IPv6

Recently I upgraded my home internet to 1 Gbps and also requested a static block of IPv6 addresses. It’s hard to believe how many hosts I could support with a /64 block: 18,446,744,073,709,551,616 (18 quintillion) unique IPs.

Special shout-out to CondoInternet.net for being such an awesome ISP. With my former 100 Mbps internet line, I transferred over 20 Terabytes a month with this Exit Router and they don’t care. I had emailed them over a year ago asking for their policy or opinion about Tor and they don’t have either, though I did pique the interest of my support representative who kindly responded to my emails.

The following was performed on my recently deployed Ubuntu 13.04 server x64 host.

First I added the following 5 lines to the bottom of my network interfaces config.

sudo vim /etc/network/interfaces
auto eth0
iface eth0 inet static
address 216.243.58.198
netmask 255.255.###.###
gateway 216.243.###.###
broadcast 216.243.###.###
dns-nameservers 8.8.8.8 8.8.4.4
iface eth0 inet6 static
pre-up modprobe ipv6
address 2604:4080:110f:201::9001
netmask 64
gateway 2604:4080:####:###::####

I turned off the IPv6 Privacy Extensions, which are on by default in recent versions of Ubuntu, since I’m not worried about my privacy for this static address being compromised by advertisers. However, I’m not sure if this is a necessary step for Tor routing.

sudo vim /etc/sysctl.d/10-ipv6-privacy.conf
net.ipv6.conf.all.use_tempaddr = 0
net.ipv6.conf.default.use_tempaddr = 0
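Before pointing a Tor ORPort at the new address it is worth confirming that the kernel actually brought it up as a usable global address: a Duplicate Address Detection failure, or a leftover temporary address from privacy extensions, shows up as a flag on the `ip -6 addr` line rather than as an error. The script below is an added check, not something from the original post; `static_addr_state` and `check_live` are names chosen for this example, the two `ip -6 addr show` outputs are constructed samples, and the address and interface are the ones configured above.

```shell
#!/bin/sh
# Added example (not part of the original post): sanity-check that the static
# IPv6 address from /etc/network/interfaces came up cleanly before binding a
# Tor ORPort to it. Parses the output of `ip -6 addr show dev <if>`.
# The address and interface are the ones used in this post.

WANT_ADDR=2604:4080:110f:201::9001
IFACE=eth0

# Constructed sample of `ip -6 addr show dev eth0` on a healthy host: the
# static address is global scope with no tentative/dadfailed flags.
SAMPLE_OK='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2604:4080:110f:201::9001/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::225:90ff:fe1a:2b3c/64 scope link
       valid_lft forever preferred_lft forever'

# Constructed sample of a failure: another host on the link answered
# Duplicate Address Detection for this address, so the kernel will not use it.
SAMPLE_DAD='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2604:4080:110f:201::9001/64 scope global tentative dadfailed
       valid_lft forever preferred_lft forever
    inet6 fe80::225:90ff:fe1a:2b3c/64 scope link
       valid_lft forever preferred_lft forever'

# static_addr_state ADDR IP_OUTPUT -> prints one of:
#   ok            address present, global scope, no blocking flag
#   missing       address not configured on the interface
#   scope-<s>     address present but not global scope
#   <flag>        first blocking flag found (tentative, dadfailed,
#                 deprecated or temporary)
static_addr_state() {
    addr=$1
    output=$2
    printf '%s\n' "$output" | {
        state=missing
        # each inet6 line reads: inet6 ADDR/PREFIX scope SCOPE [FLAGS...]
        while read -r kw cidr scope_kw scope flags; do
            [ "$kw" = inet6 ] || continue          # skip header/lifetime lines
            [ "${cidr%/*}" = "$addr" ] || continue
            [ "$scope" = global ] || { state="scope-$scope"; break; }
            state=ok
            for f in $flags; do
                case $f in
                    tentative|dadfailed|deprecated|temporary) state=$f; break ;;
                esac
            done
            break
        done
        echo "$state"
    }
}

# check_live: run on the relay itself, feeding in the real `ip` output.
check_live() {
    static_addr_state "$WANT_ADDR" "$(ip -6 addr show dev "$IFACE")"
}

echo "healthy sample:    $(static_addr_state "$WANT_ADDR" "$SAMPLE_OK")"
echo "DAD-failed sample: $(static_addr_state "$WANT_ADDR" "$SAMPLE_DAD")"
```

Anything other than `ok` from `check_live` means Tor would either fail to bind the IPv6 ORPort or advertise an address that nothing can reach; a `temporary` flag would indicate the sysctl change above did not take effect for this interface.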

I had to update my /etc/tor/torrc file by adding three lines. As the Tor Project guides mention, at this time Tor can only support IPv6 incoming traffic, so I added an ORPort with a static address. Since the Tor Project recommends that Exit Routers that aren’t hosting encrypted web content via port 443 use this port for their ORPort, I changed my IPv4 ORPort to 443 to better support Tor users behind restrictive firewalls. In the future I will likely change my IPv6 ORPort to a similar, more accessible port.

Additionally, I raised my RelayBandwidthRate and RelayBandwidthBurst caps.

## Configuration file for a typical Tor user
## Last updated 12 September 2012 for Tor 0.2.4.3-alpha.
## (may or may not work for much older or much newer versions of Tor.)

SocksPort 0
Log notice file /var/log/tor/notices.log
RunAsDaemon 1
DataDirectory /var/lib/tor

################ This section is just for relays #####################

ORPort 443
ORPort [2604:4080:110f:201::9001]:9001
ClientUseIPv6 1
ClientPreferIPv6ORPort 1
OutboundBindAddress 216.243.58.198
Nickname YawnboxSeattle
RelayBandwidthRate 16000 KB
RelayBandwidthBurst 20000 KB
ContactInfo Chris Sheats <yawnbox@gmail.com>
DirPort 9030
DirPortFrontPage /var/www/index.html

ExitPolicy accept *:20-23 # FTP, SSH, telnet
ExitPolicy accept *:43 # WHOIS
ExitPolicy accept *:53 # DNS
ExitPolicy accept *:79-81 # finger, HTTP
ExitPolicy accept *:88 # kerberos
ExitPolicy accept *:110 # POP3
ExitPolicy accept *:119 # accept nntp as well as default exit policy
ExitPolicy accept *:143 # IMAP
ExitPolicy accept *:194 # IRC
ExitPolicy accept *:220 # IMAP3
ExitPolicy accept *:389 # LDAP
ExitPolicy accept *:443 # HTTPS
ExitPolicy accept *:464 # kpasswd
ExitPolicy accept *:465 # smtps (SMTP over SSL)
ExitPolicy accept *:531 # IRC/AIM
ExitPolicy accept *:543-544 # Kerberos
ExitPolicy accept *:554 # RTSP
ExitPolicy accept *:563 # NNTP over SSL
ExitPolicy accept *:636 # LDAP over SSL
ExitPolicy accept *:706 # SILC
ExitPolicy accept *:749 # kerberos
ExitPolicy accept *:873 # rsync
ExitPolicy accept *:902-904 # VMware
ExitPolicy accept *:981 # Remote HTTPS management for firewall
ExitPolicy accept *:989-995 # FTP over SSL, Netnews Administration System, telnets, IMAP over SSL, ircs, POP3 over SSL
ExitPolicy accept *:1194 # OpenVPN
ExitPolicy accept *:1220 # QT Server Admin
ExitPolicy accept *:1293 # PKT-KRB-IPSec
ExitPolicy accept *:1500 # VLSI License Manager
ExitPolicy accept *:1533 # Sametime
ExitPolicy accept *:1677 # GroupWise
ExitPolicy accept *:1723 # PPTP
ExitPolicy accept *:1755 # RTSP
ExitPolicy accept *:1863 # MSNP
ExitPolicy accept *:2082 # Infowave Mobility Server
ExitPolicy accept *:2083 # Secure Radius Service (radsec)
ExitPolicy accept *:2086-2087 # GNUnet, ELI
ExitPolicy accept *:2095-2096 # NBX
ExitPolicy accept *:2102-2104 # Zephyr
ExitPolicy accept *:3128 # SQUID
ExitPolicy accept *:3389 # MS WBT
ExitPolicy accept *:3690 # SVN
ExitPolicy accept *:4321 # RWHOIS
ExitPolicy accept *:4643 # Virtuozzo
ExitPolicy accept *:5050 # MMCC
ExitPolicy accept *:5190 # ICQ
ExitPolicy accept *:5222-5223 # XMPP, XMPP over SSL
ExitPolicy accept *:5228 # Android Market
ExitPolicy accept *:5900 # VNC
ExitPolicy accept *:6660-6669 # IRC
ExitPolicy accept *:6679 # IRC SSL
ExitPolicy accept *:6697 # IRC SSL
ExitPolicy accept *:8000 # iRDMI
ExitPolicy accept *:8008 # HTTP alternate
ExitPolicy accept *:8074 # Gadu-Gadu
ExitPolicy accept *:8080 # HTTP Proxies
ExitPolicy accept *:8087-8088 # Simplify Media SPP Protocol, Radan HTTP
ExitPolicy accept *:8332-8333 # BitCoin
ExitPolicy accept *:8443 # PCsync HTTPS
ExitPolicy accept *:8888 # HTTP Proxies, NewsEDGE
ExitPolicy accept *:9418 # git
ExitPolicy accept *:9999 # distinct
ExitPolicy accept *:10000 # Network Data Management Protocol
ExitPolicy accept *:11371 # OpenPGP hkp (http keyserver protocol)
ExitPolicy accept *:19294 # Google Voice TCP
ExitPolicy accept *:19638 # Ensim control panel
ExitPolicy reject *:*
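Because Tor evaluates ExitPolicy lines in order and stops at the first match, the order of the lines above and the trailing `reject *:*` decide what happens to any destination port, including ports the list never names. The evaluator below is an added example, not part of the original post or of Tor itself; `exit_policy_decision` and `port_matches` are names chosen for it, the embedded policy is a constructed excerpt of the list above, and it assumes, as this torrc does, that every rule uses the `*` host wildcard.

```shell
#!/bin/sh
# Added example (not part of the original post or of Tor): decide what an
# exit policy does with a given destination port, using Tor's rule that the
# first matching ExitPolicy line wins. Only the "*:port", "*:lo-hi" and "*:*"
# forms used in this torrc are handled; host- or prefix-specific rules and the
# accept6/reject6 IPv6 variants are deliberately out of scope.

# Constructed excerpt of the policy in this post (order matters).
SAMPLE_POLICY='
ExitPolicy accept *:20-23 # FTP, SSH, telnet
ExitPolicy accept *:53 # DNS
ExitPolicy accept *:79-81 # finger, HTTP
ExitPolicy accept *:443 # HTTPS
ExitPolicy accept *:6660-6669 # IRC
ExitPolicy accept *:8332-8333 # BitCoin
ExitPolicy reject *:*
'

# port_matches PORTSPEC PORT -> true if PORT is covered by "*", "N" or "LO-HI"
port_matches() {
    ps=$1
    p=$2
    case $ps in
        '*') return 0 ;;
        *-*) lo=${ps%-*}; hi=${ps#*-}
             [ "$p" -ge "$lo" ] && [ "$p" -le "$hi" ] ;;
        *)   [ "$p" -eq "$ps" ] ;;
    esac
}

# exit_policy_decision POLICY_TEXT PORT -> prints "accept" or "reject"
exit_policy_decision() {
    policy=$1
    port=$2
    printf '%s\n' "$policy" | {
        decision=reject   # assumed default when nothing matches; this post's
                          # policy ends in "reject *:*" so it never applies
        # read splits each line into: ExitPolicy VERB HOST:PORTSPEC [comment]
        while read -r kw verb spec _; do
            [ "$kw" = ExitPolicy ] || continue          # skip blanks/comments
            case $spec in *:*) ;; *) continue ;; esac  # need a HOST:PORT spec
            if port_matches "${spec#*:}" "$port"; then
                decision=$verb
                break                                   # first match wins
            fi
        done
        echo "$decision"
    }
}

# Demo over the sample policy: port 25 (SMTP) is not listed, so the
# catch-all reject applies; 22 and 80 fall inside ranges.
for p in 22 25 80 443 6667 8333; do
    echo "port $p: $(exit_policy_decision "$SAMPLE_POLICY" "$p")"
done
```

To check the real file, pass `"$(grep '^ExitPolicy' /etc/tor/torrc)"` as the policy argument. The behaviour worth noticing is that port 25 falls through to the catch-all reject even though no line names it, which is how this policy avoids relaying unauthenticated SMTP while still exiting to submission-style ports such as 465.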

After updating my UFW (iptables) rules, I rebooted my host and everything works great!
