Set up a Tor node on VirtualBox

This is one more shot at making the cheapest Tor relay node, so that people can build them easily, put them all over the place, and solve all censorship and privacy issues once and for all.

I define cheap in terms of hardware, software, computer resources, bandwidth, "legal" complaints, and physical work (the time it takes to set up and maintain).

The VirtualBox Host is a computer running GNU/Linux.
The Virtual Machine runs Debian 6 Squeeze without a GUI.

Set up a Virtual Machine named "tornode" with the following specifications.

Virtual Machine Specs:
1 CPU
256 - 512 MB RAM
1GB - 2GB HD
2 Network Adapters (Attached to: NAT, Promiscuous Mode: Deny)

Allow inbound ssh to your virtual machine.
Use this command on the Host System.
$ VBoxManage modifyvm "tornode" --natpf1 "tornodessh,tcp,,2222,,22"
The above command assumes that the virtual machine name is tornode, that tornode is the first virtual machine using NAT, and that port 2222 is not used by anything on the Host System.
Now the VirtualBox NAT engine forwards all traffic bound to TCP port 2222 on the Host to port 22 on the virtual machine (the tornode guest).

Set up Port forwarding for Tor.
Use this command on the Host System.
$ VBoxManage modifyvm "tornode" --natpf1 "tornodetoror,tcp,,9002,,9002"
This assumes that this Tor node will use ORPort 9002 instead of the default 9001.

Set a Tor transparent socks server NAT Forwarding rule.
Use this command on the Host System.
$ VBoxManage modifyvm "tornode" --natpf1 "tornodetortsocks,tcp,,9050,,9050"


If you are using a NAT device to connect to the Internet, you need to set a rule for Tor on the NAT device.
NAT_device:9002 -> VirtualBoxHost:9002

Do not set a rule for 9050, unless you want your tsocks proxy accessible from the Internet.

On the virtual machine install Debian 6.
-Install just the system utilities and the ssh server. Do not install a GUI.
-Optionally install bind.

Configure the Network Interface on the Virtual Machine "tornode".
The VirtualBox NAT engine has a DHCP server, but setting a static IP is better. The first default internal network for the VirtualBox NAT engine is 10.0.2.0/24 with gateway 10.0.2.2. Therefore the /etc/network/interfaces file on the virtual machine should look something like this.
# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
      address 10.0.2.15
      network 10.0.2.0
      netmask 255.255.255.0
      broadcast 10.0.2.255
      gateway 10.0.2.2



Install Tor
# apt-get install tor


Configure Tor

Try to configure at least the following Tor parameters.
# cat /etc/tor/torrc | grep g0
SocksPort 9050 #what port to open for local application connections #g0
SocksListenAddress 10.0.2.15 #g0
##SocksPolicy accept 192.168.0.0/16   #g0 
ORListenAddress 10.0.2.15:9002 #g0
Nickname IPduhDotCom #g0 IPduhDotCom is mine, use something else
Address mtor.ipduh.com   #g0 --Don't worry about this if you don't have access to the DNS of a domain name
RelayBandwidthRate 20 KB  # Throttle traffic to 160Kb/s #g0 --minimum
ContactInfo Tor Relay Admin  #g0
ExitPolicy accept *:80      #g0
ExitPolicy accept *:110     #g0
ExitPolicy accept *:143     #g0
ExitPolicy accept *:443     #g0
ExitPolicy accept *:993     #g0
ExitPolicy accept *:8080    #g0
ExitPolicy reject *:* # reject everything else; the accept lines above still make this an exit for those ports, drop them for a non-exit relay #g0
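
As an added check (example script, not from the original post), the following POSIX sh script cross-checks a torrc like the one above against the VirtualBox NAT forwarding rules set up earlier: it verifies that the ORListenAddress port has a matching host-to-guest rule, that SocksListenAddress is pinned to the guest's static address, and that the ExitPolicy ends with reject *:*. It assumes the rules are read from the `Forwarding(N)=` lines of `VBoxManage showvminfo tornode --machinereadable` (assumed format), and both inputs are constructed samples embedded inline so it runs offline.

```shell
# CONSTRUCTED samples: a guest torrc and the host's showvminfo output.
TORRC_SAMPLE='SocksPort 9050 #g0
SocksListenAddress 10.0.2.15 #g0
ORListenAddress 10.0.2.15:9002 #g0
ExitPolicy accept *:80 #g0
ExitPolicy accept *:443 #g0
ExitPolicy reject *:* #g0'
VMINFO_SAMPLE='name="tornode"
Forwarding(0)="tornodessh,tcp,,2222,,22"
Forwarding(1)="tornodetoror,tcp,,9002,,9002"
Forwarding(2)="tornodetortsocks,tcp,,9050,,9050"'

# Port and IP halves of the first "ORListenAddress ip:port" line read from stdin.
orport_of() { awk '$1=="ORListenAddress"{sub(/.*:/,"",$2); print $2; exit}'; }
orip_of()   { awk '$1=="ORListenAddress"{sub(/:.*/,"",$2); print $2; exit}'; }

# Guest port that host port $2 forwards to in showvminfo text $1 (empty if no rule).
# Assumed rule format: Forwarding(N)="name,proto,hostip,hostport,guestip,guestport"
forwarded_guest_port() {
  printf '%s\n' "$1" | awk -F, -v hp="$2" \
    '/^Forwarding\(/ && $4==hp {gsub(/"/,"",$6); print $6; exit}'
}

eq_nonempty() { [ -n "$1" ] && [ "$1" = "$2" ]; }
# Run the command "$@" as a check: print the verdict for $CHECK and count failures.
report() { if "$@"; then echo "ok: $CHECK"; else echo "FAIL: $CHECK"; fails=$((fails+1)); fi; }

# Check torrc text $1 against showvminfo text $2; returns the number of failed checks.
check_tor_vm() {
  fails=0
  orport=$(printf '%s\n' "$1" | orport_of)
  CHECK="a NAT rule forwards host port ${orport:-?} to the same guest ORPort"
  report eq_nonempty "$orport" "$(forwarded_guest_port "$2" "$orport")"
  # Without SocksListenAddress Tor 0.2.2 binds SocksPort to 127.0.0.1 and the host-side
  # forward to 9050 never reaches it, so it must be pinned to the guest's static address.
  socksaddr=$(printf '%s\n' "$1" | awk '$1=="SocksListenAddress"{sub(/:.*/,"",$2); print $2; exit}')
  CHECK="SocksListenAddress (${socksaddr:-unset}) is the guest's static address"
  report eq_nonempty "$socksaddr" "$(printf '%s\n' "$1" | orip_of)"
  lastpolicy=$(printf '%s\n' "$1" | awk '$1=="ExitPolicy"{last=$2" "$3} END{print last}')
  CHECK="ExitPolicy ends with 'reject *:*' (last rule: ${lastpolicy:-none})"
  report test "$lastpolicy" = "reject *:*"
  return $fails
}

check_tor_vm "$TORRC_SAMPLE" "$VMINFO_SAMPLE"
```

The exit status is the number of failed checks, so it can be dropped into a cron job or a post-install step on the host.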
 


Restart Tor
# /etc/init.d/tor restart
Stopping tor daemon: ..............................tor.
Starting tor daemon: tor...
Jun 21 20:56:11.658 [notice] Tor v0.2.2.35 (git-4f42b0a93422f70e). This is experimental software. Do not rely on it for strong anonymity. (Running on Linux i686)
Jun 21 20:56:11.667 [notice] Initialized libevent version 1.4.13-stable using method epoll. Good.
Jun 21 20:56:11.668 [notice] Opening OR listener on 10.0.2.15:9002
Jun 21 20:56:11.668 [notice] Opening Socks listener on 10.0.2.15:9050
done.


If you do not have a time server in your network, then install NTP on "tornode".

NTP is the best way to keep your Tor node's clock current.

check the date
# date


install ntp
# apt-get install ntp


see the time servers you are syncing with and then check the date.
# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 aquarius.chorum  192.0.2.44  2 u  19   64    1    7.622  12648.2 1316.29
 chronos.duh.gr   .PPS.            1 u   18   64    1   13.152  12655.9 1314.66
 hora.example.net .GPS.            1 u   17   64    1    0.857  12676.9 1327.20
Now check the date again. It should be different.
If you do not see something like the above, try
# dpkg-reconfigure ntp; ntpq -p


Some public Internet Time Servers Pools:
0.pool.ntp.org
1.pool.ntp.org
2.pool.ntp.org
3.pool.ntp.org
0.debian.pool.ntp.org
1.debian.pool.ntp.org
2.debian.pool.ntp.org
3.debian.pool.ntp.org
europe.pool.ntp.org
uk.pool.ntp.org




If you have a time server on your network, then set your "tornode" to use it.
Uncomment or add the following in /etc/ntp.conf:
# tail -2 /etc/ntp.conf
disable auth
broadcastclient
and make sure that your network's time server is broadcasting to your "tornode", e.g.:
# grep broadcast /etc/ntp.conf
broadcast 192.0.2.31
Note: this assumes that your host is in the 192.0.2.16/28 block, where 192.0.2.31 is the broadcast address. "disable auth" makes ntpd accept unauthenticated broadcasts, so any machine on that segment could steer the node's clock; use it only on a network you control.

Set Up DNS on "tornode".

If you choose not to install Bind, set resolv.conf with your ISP's nameservers or some public DNS servers to spread the queries and provide more privacy. According to #define MAXNS in /usr/include/resolv.h the resolver honours up to 3 nameserver entries, so something like the following would be OK in /etc/resolv.conf.
# cat /etc/resolv.conf
#ISP Nameserver

#Google
nameserver 8.8.8.8

#Level 3
nameserver 4.2.2.1

#Norton
nameserver 198.153.192.40



If you choose to install Bind the following configuration files should be sufficient.

# cat /etc/bind/named.conf.options
options {
 directory "/var/cache/bind";

 // If there is a firewall between you and nameservers you want
 // to talk to, you may need to fix the firewall to allow multiple
 // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

 // If your ISP provided one or more IP addresses for stable 
 // nameservers, you probably want to use them as forwarders.  
 // Uncomment the following block, and insert the addresses replacing 
 // the all-0's placeholder.

 // forwarders {
 //  0.0.0.0;
 // };
 
 listen-on { 10.0.2.15; };
 auth-nxdomain no;    # conform to RFC1035
 //listen-on-v6 { any; };
};

You could set some public DNS servers as forwarders.

# cat /etc/resolv.conf
nameserver 10.0.2.15



Done! To use Tor, use the SOCKS server on port 9050 on the host machine.

augh ... almost done. Sooner or later you'll figure out that the virtual machine's outbound connections (HTTP and HTTPS for sure) are extremely slow. The slow outbound connections are caused by the VirtualBox NAT engine. To correct it you will have to:
  • increase the VirtualBox NAT engine TCP/IP buffers to the maximum size (1024 KB), and
  • add one more NATed network interface to the virtual machine to handle outgoing connections.


To increase the VirtualBox NAT engine TCP/IP buffers to the maximum size (1024 KB),
use the following command (the binary name is case-sensitive on Linux).
$ VBoxManage modifyvm "tornode" --natsettings1 1500,1024,1024,1024,1024


To add one more NATed network interface to the virtual machine,
set Adapter 2 to Attached to: NAT and Promiscuous Mode: Deny in the virtual machine's Network Settings.

In the Virtual Machine add the following 2 lines to the /etc/network/interfaces file.
$ tail -3 interfaces

auto eth1
iface eth1 inet dhcp
The second interface does not need a static IP address, since no services will be bound to it. The VirtualBox NAT engine runs a DHCP server that will assign it 10.0.3.15 in the 10.0.3.0/24 network. The gateway provided by the VirtualBox NAT engine for 10.0.3.0/24 will be 10.0.3.2, and the default route 0.0.0.0/0 via it will be placed higher in the virtual machine's routing table, forcing all outbound connections this way.
# route -n 
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.2.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.0.3.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         10.0.3.2        0.0.0.0         UG    0      0        0 eth1
0.0.0.0         10.0.2.2        0.0.0.0         UG    0      0        0 eth0


Now you are done!
To set up a browser, look under Network or Proxy Settings. Point the SOCKS (or "transparent socks") proxy in your browser's settings at the host machine on port 9050 and it should work just fine.

Use the Anonymity Check to test your setup.

References:
TorProject.org: Install Tor on Debian/Ubuntu
TorProject.org: Exit Relay Typical Abuses
TorProject.org: Tor Legal FAQ
VirtualBox.org : Virtual Networking
VirtualBox.org : NAT and limitations
VirtualBox.org : Fine-tuning the VirtualBox NAT