⋔ Blog ⋔ FAQ ⋔ Resources ⋔ GitHub ⋔ Contact ⋔ TDP Onion ⋔
The TDP Projects:
⋔ Tor Browser for OpenBSD ⋔ BSD Relay Guides ⋔ Corporate Relays ⋔ Ports for PETs ⋔ Statistics ⋔
THIS IS PRELIMINARY WORK AT AN EARLY STAGE. ANONYMITY IS NOT A GAME, SO PLEASE DO NOT JUST ASSUME THESE GUIDES ARE FINE AS-IS. YOU HAVE BEEN WARNED.
OpenBSD is a Unix-derived operating system focused on security and the adherence to standards. It is considered among the most secure systems available. OpenBSD developers rebuilt SSH from the ground up, until the omnipresent adoption of OpenSSH. OpenBSD developers are now building LibreSSL as a replacement for OpenSSL, frustrated by the accumulated laundry list of vulnerabilities.
With its default install, OpenBSD is not a high-bandwidth relay due to its secure configuration. Allowing a large number of open files on a system is a short route to a compromised device. This guide provides a number of simple changes to the default OpenBSD install.
For installing applications, OpenBSD’s recommended method is the pkg_add(1) system, as opposed to using ports build from source. pkg_add uses pre-compiled binary files with set options. Rarely should a user have an issue with the defaults. There are cases in which a more experienced OpenBSD user would opt for the ports system.
This guide is based on OpenBSD 5.7, which was released on May 1, 2015.
Refer to the Documentation Style Guide for information about syntax in this document.
OpenBSD documentation, both its FAQ and manual pages, are comprehensive and accurate. The vast majority of questions faced by a user are answered there. The manual pages are also available directly on an OpenBSD system.
OpenBSD’s -STABLE branch is released every six months. The -CURRENT branch, in the form of snapshots, are updated as often, sometimes on a daily basis. Upgrading OpenBSD is easiest with either physical or serial console access to the server. Without immediate access, the -STABLE version is the recommended route.
OpenBSD’s [pkg_add] system is reliable and errors are rare. For most users, the ports system is not recommended. However, it is important to note that OpenBSD does not include the alpha or unstable versions of Tor in its packages. In one case, OpenBSD did use the alpha version as its default package due to a significant Tor vulnerability.
These are the basic steps to configure a Tor relay with OpenBSD, based on the default install. This will create a relay. For more detailed instructions and for additional tips on securing and optimizing the relay
Install OpenBSD, then reboot
Add the following section to /etc/login.conf file:
$ sysctl kern.maxfiles=20000
$ pkg_add tor
Edit /etc/tor/torrc appropriately
Add the line tor_flags=“-f /etc/tor/torrc” in the /etc/rc.conf.local file
Start Tor with /etc/rc.d/tor start
Watch the Tor log with “tail -f /var/log/tor/notices.log”
RAM-based disks such as tmpfs or are useful for avoiding writes to the hard disk, which limits residual data after reboots and can increase the longevity of sensitive disk media, particularly compact flash cards.
The torrc file is located in /etc/tor/torrc.
The sample file is in /usr/local/share/examples/tor/torrc.sample
$ cat /etc/rc.conf.local
kern.maxfiles=20000 default is 7030
By default, OpenBSD maintains limits for kernel functions with an eye on security. For higher-bandwidth on an array of kernel functions. One in particular that will significantly throttle a Tor relay’s operation is the number of open files allowed. This raises the number of open files for the Tor daemon:
By default, OpenBSD enables encrypted swap in /etc/sysctl.conf, so no changes are necessary:
#vm.swapencrypt.enable=0 # 0=Do not encrypt pages that go to swap
OpenBSD’s pkg_add system is easy to use and smooth in operation.
Copyright © 2017 by The Tor BSD Diversity Project (TDP). All Rights Reserved.
last updated: Tue Nov 1 18:19:22 2016 UTC