Tor exit-friendly VPS (1c2g5g, 2 IPs) outside of common exit locations

forest Member
edited March 1 in Requests

I'm looking for a VPS from a provider that allows Tor exit relays. For those who don't know, Tor exit relays are legal to operate in most countries, but they do result in the IP being put on blacklists. I am happy to block ports that are frequently abused (22, 25, 465, etc) but ports 80 and 443 must be permitted.

Minimum requirements:

  • 1 vCPU with AES-NI
  • 2 GB RAM
  • 5 GB storage (any type)
  • Unmetered @ 100 Mbps or equivalent
  • Dual stack with 2 IPv4 (ideally from different subnets)
  • Installation via custom ISO supported
  • $70/y when paid annually or triennially (negotiable, but no more than $100/y)

The provider must accept cryptocurrency payments, must not be a reseller of a major provider (even if the ASN is different), and must not be located in DE, NL, SI, RO, MD, FI, CH, BG, SE, FR, UK, or US. I'm aware of 4vps.

I can pay extra if the IPv6 can be a routed /48.

I intend to install the following software: Tor, snowflake proxy (a type of Tor bridge), Unbound, Syncthing relay, Globalping probe, Beszel agent.

Comments

  • Beanzy Member

    This price should be quite high, so there should be plenty of options available.

    Thanked by 1zejjnt
  • forest Member
    edited March 1

    @Beanzy said:
    This price should be quite high, so there should be plenty of options available.

    You'd think, but $70/year is not even $6/month. 100 Mbps unmetered is up to 33 TB/month (or 66 in+out). And with the second IPv4 and the fact that it'll dirty one of the IPs and add to the administrative burden of handling abuse reports (even if all it takes is a reply with a "this is a Tor exit node, not a zombie" template), it's a stretch for that price.

    I think it's reasonable that I'll find at least a few options, but there aren't many hosts that are both cheap and allow exits.

    Thanked by 1OpaqueRegistrant
  • concept Member

    @forest said:

    @Beanzy said:
    This price should be quite high, so there should be plenty of options available.

    You'd think, but $70/year is not even $6/month. 100 Mbps unmetered is up to 33 TB/month (or 66 in+out). And with the second IPv4 and the fact that it'll dirty one of the IPs and add to the administrative burden of handling abuse reports (even if all it takes is a reply with a "this is a Tor exit node, not a zombie" template), it's a stretch for that price.

    I think it's reasonable that I'll find at least a few options, but there aren't many hosts that are both cheap and allow exits.

    yup, that is the struggle with hosting exits. That is why the big tor exit operators use their own ASN and IP and colo their own servers.

  • forest Member
    edited March 1

    @concept said:

    @forest said:

    @Beanzy said:
    This price should be quite high, so there should be plenty of options available.

    You'd think, but $70/year is not even $6/month. 100 Mbps unmetered is up to 33 TB/month (or 66 in+out). And with the second IPv4 and the fact that it'll dirty one of the IPs and add to the administrative burden of handling abuse reports (even if all it takes is a reply with a "this is a Tor exit node, not a zombie" template), it's a stretch for that price.

    I think it's reasonable that I'll find at least a few options, but there aren't many hosts that are both cheap and allow exits.

    yup, that is the struggle with hosting exits. That is why the big tor exit operators use their own ASN and IP and colo their own servers.

    And the smaller providers who do allow it usually only do it because they believe in free speech as a value. There are a number of those here who do allow exits in this price range, but they're all in the list of countries that I'd like to avoid simply because Tor already has many exits in those regions (the network doesn't need yet another NL relay).

    Thanked by 1OpaqueRegistrant
  • concept Member

    @forest said:
    There are a number of those here who do allow exits in this price range, but they're all in the list of countries that I'd like to avoid simply because Tor already has many exits in those regions (the network doesn't need yet another NL relay).

    Trying to run a relay outside of those countries is even harder. There is only so much you can do. Even if there is a lot in EU/US already, it's still better to run one in those countries than to not run at all.

  • forest Member
    edited March 7

    For reference, the exits I currently have are in:

    • Romania (iHostART x2)
    • South Africa (Maxko Hosting)
    • USA (Advin Servers)
    • Moldova (Trabia)
    • Slovenia (Pfcloud)
    • Sweden (No Ack Hosting)

    I also run non-exits on hosts that allow exits, and I may switch them over to exits eventually (after triple checking that exits are fully allowed). These are:

    • Croatia (Maxko Hosting)
    • Switzerland (Aluy)
    • Bulgaria (Aluy)
    • Netherlands (Aluy)
    • Finland (Aluy)
    • Sweden (IncogNET)
    • United Kingdom (xHosts)
    • Greece (4vps)

    So that's 7 exits and a potential additional 8 exits out of the 42 relays I have as of writing this.

    4vps has by far some of the most diverse locations where exits are permitted, but their AS is "GLOBAL CONNECTIVITY SOLUTIONS LLC", which already makes up a fairly significant portion of Tor exit capacity.

    The reason I want a routed /48 is so that I can have (at least) two /64 blocks, one of which will be assigned to the Tor exit (which will damage the /64 reputation enough that some nameservers will block it, same reason I need two IPv4 addresses), the other of which will be used as a routed subnet so that Unbound, a local recursive DNS resolver, can use random source addresses to improve protection against DNS poisoning attacks. So far, only my Advin Servers system has routed IPv6 set up that way.

    @concept said:

    @forest said:
    There are a number of those here who do allow exits in this price range, but they're all in the list of countries that I'd like to avoid simply because Tor already has many exits in those regions (the network doesn't need yet another NL relay).

    Trying to run a relay outside of those countries is even harder. There is only so much you can do. Even if there is a lot in EU/US already, it's still better to run one in those countries than to not run at all.

    Indeed, but since I'm on a budget, it's often better to run a number of non-exits in obscure locations than to add yet another exit to the Netherlands or Germany.

  • gbzret4d Member

    @forest check out exservers for locations. I'm not sure if they allow exit nodes.

  • If you can find it, I think Netcup’s old VPS nano $1.68/m will be a good choice. :o

    • an IPv4, IPv6/64
    • 2vCPU
    • 2GB RAM
    • 60GB SSD
    • 1Gbps (Dynamic data exceeding 1TB in 24 hours will be temporarily limited to 100Mbps)
  • forest Member

    @gbzret4d said:
    @forest check out exservers for locations. I'm not sure if they allow exit nodes.

    They're quite pricey, but they've got some very interesting locations! Venezuela, Lebanon, Iran, Colombia, Mexico... I doubt they'll allow exits, but if they do, I might have to suck it up and pay that $300/yr.

    @DejavuMoe said:
    If you can find it, I think Netcup’s old VPS nano $1.68/m will be a good choice. :o

    • an IPv4, IPv6/64
    • 2vCPU
    • 2GB RAM
    • 60GB SSD
    • 1Gbps (Dynamic data exceeding 1TB in 24 hours will be temporarily limited to 100Mbps)

    I think Netcup already hosts a large number of relays. What country is their old nano in?

  • @forest said:

    @gbzret4d said:
    @forest check out exservers for locations. I'm not sure if they allow exit nodes.

    They're quite pricey, but they've got some very interesting locations! Venezuela, Lebanon, Iran, Colombia, Mexico... I doubt they'll allow exits, but if they do, I might have to suck it up and pay that $300/yr.

    @DejavuMoe said:
    If you can find it, I think Netcup’s old VPS nano $1.68/m will be a good choice. :o

    • an IPv4, IPv6/64
    • 2vCPU
    • 2GB RAM
    • 60GB SSD
    • 1Gbps (Dynamic data exceeding 1TB in 24 hours will be temporarily limited to 100Mbps)

    I think Netcup already hosts a large number of relays. What country is their old nano in?

    I previously had a VPS nano in Nuremberg, Germany.

  • forest Member

    @DejavuMoe said:

    @forest said:

    @gbzret4d said:
    @forest check out exservers for locations. I'm not sure if they allow exit nodes.

    They're quite pricey, but they've got some very interesting locations! Venezuela, Lebanon, Iran, Colombia, Mexico... I doubt they'll allow exits, but if they do, I might have to suck it up and pay that $300/yr.

    @DejavuMoe said:
    If you can find it, I think Netcup’s old VPS nano $1.68/m will be a good choice. :o

    • an IPv4, IPv6/64
    • 2vCPU
    • 2GB RAM
    • 60GB SSD
    • 1Gbps (Dynamic data exceeding 1TB in 24 hours will be temporarily limited to 100Mbps)

    I think Netcup already hosts a large number of relays. What country is their old nano in?

    I previously had a VPS nano in Nuremberg, Germany.

    Most exits are already in DE and NL, which is why I'm avoiding them. I want to improve Tor's geographical diversity.

  • Would you like to share how you install tor nodes? Some kind of manual or a script would be very helpful.

  • gbzret4d Member
    edited March 7

    @forest said:

    @gbzret4d said:
    @forest check out exservers for locations. I'm not sure if they allow exit nodes.

    They're quite pricey, but they've got some very interesting locations! Venezuela, Lebanon, Iran, Colombia, Mexico... I doubt they'll allow exits, but if they do, I might have to suck it up and pay that $300/yr.

    @DejavuMoe said:
    If you can find it, I think Netcup’s old VPS nano $1.68/m will be a good choice. :o

    • an IPv4, IPv6/64
    • 2vCPU
    • 2GB RAM
    • 60GB SSD
    • 1Gbps (Dynamic data exceeding 1TB in 24 hours will be temporarily limited to 100Mbps)

    I think Netcup already hosts a large number of relays. What country is their old nano in?

    Ask them if they allow exit nodes and also ask them about a sponsorship for some locations. They offer Iran as a location, but I'm sure it's not really located in Iran.

  • forest Member
    edited March 7

    @JohnFilch123 said:

    Would you like to share how you install tor nodes? Some kind of manual or a script would be very helpful.

    Assuming Debian, it's as simple as installing the tor package and then putting the following in /etc/tor/torrc:

    SocksPort 0
    ExitRelay 0
    ORPort 9001
    Sandbox 1
    Nickname mycoolnewrelay
    ContactInfo [email protected]
    

    If you have a monthly bandwidth cap (in this example, 5 TB/month), additionally add:

    AccountingMax 5TB
    AccountingRule sum
    AccountingStart month 1 0:00
    

    If you have a firewall, make sure to open up TCP/9001 and make sure you have at least 1 GB RAM. Now restart the service and you're good to go! It can take a few weeks for the traffic to ramp up, but that's normal.

    It's usually recommended to use Tor Project's more up-to-date repo, and they explain how to add that repo in https://support.torproject.org/little-t-tor/getting-started/installing/. Or just run as non-root:

    echo "deb [signed-by=/usr/share/keyrings/deb.torproject.org-keyring.gpg] https://deb.torproject.org/torproject.org trixie main" | sudo tee /etc/apt/sources.list.d/tor.list >/dev/null
    wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | sudo tee /usr/share/keyrings/deb.torproject.org-keyring.gpg >/dev/null
    sudo apt update
    sudo apt install tor deb.torproject.org-keyring
    

    Or, if you're an Ansible fan and want to automate deployment of a large number of relays, check out https://github.com/nusenu/ansible-relayor (but that's more complex and unnecessary if you just want to run one or two on idlers).
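
The repository steps above save a signing key and then trust it through `signed-by=`. As an added example (not part of the original post), this checks that a keyring contains only the expected primary key; the sample `gpg --with-colons` records are constructed, and the helper names are hypothetical.

```shell
#!/bin/sh
# Added example: confirm a keyring holds only the key you expect before
# pointing signed-by= at it.

# Fingerprint taken from the key URL in the post above.
EXPECTED_FPR=A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89

# primary_fprs: read `gpg --with-colons` output on stdin and print the
# fingerprint of every primary key. In that format each "pub" or "sub"
# record is followed by its own "fpr" record, with the value in field 10.
primary_fprs() {
    awk -F: '
        $1 == "pub" { primary = 1; next }
        $1 == "sub" { primary = 0; next }
        $1 == "fpr" && primary { print $10; primary = 0 }
    '
}

# keyring_matches FPR: succeed only if stdin describes exactly one primary
# key and its fingerprint is FPR. Subkey fingerprints are ignored; a second,
# unexpected primary key makes the check fail.
keyring_matches() {
    [ "$(primary_fprs)" = "$1" ]
}

# Constructed sample of colon output (most fields left empty). The subkey
# fingerprint and the second key are made up for the demonstration.
sample_good() {
    cat << EOF
pub:-:::EE8CBC9E886DDD89:
fpr:::::::::$EXPECTED_FPR:
uid:-::::::::constructed user id:
sub:-:::0123456789ABCDEF:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA0123456789ABCDEF:
EOF
}

sample_extra_key() {
    sample_good
    cat << 'EOF'
pub:-:::FEDCBA9876543210:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBFEDCBA9876543210:
EOF
}

for sample in sample_good sample_extra_key; do
    if "$sample" | keyring_matches "$EXPECTED_FPR"; then
        echo "$sample: fingerprint OK"
    else
        echo "$sample: unexpected keyring contents, do not install it"
    fi
done
```

Right after the download step, the same check can be fed real data with `gpg --show-keys --with-colons /usr/share/keyrings/deb.torproject.org-keyring.gpg | keyring_matches "$EXPECTED_FPR"`.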

  • @forest said: simple

    Thanks. Pretty simple. I kinda have a similar set up. Is it worth running snowflake?

  • forest Member
    edited March 7

    @JohnFilch123 said:

    @forest said: simple

    Thanks. Pretty simple. I kinda have a similar set up. Is it worth running snowflake?

    If you have an extra IP which is not being used for any Tor relays, yeah. But Snowflake is a type of bridge, so the IP has to stay secret (or at least, don't publish anywhere that it could be easily added to some blacklist). I only run it if I'm either not running a Tor relay at all, or if I have two IPv4 addresses assigned, only one of which is published as a Tor IP.

    Thanked by 1JohnFilch123
  • @JohnFilch123 said:

    Would you like to share how you install tor nodes? Some kind of manual or a script would be very helpful.

    @oloke made this post earlier: https://lowendtalk.com/discussion/214994/webtunnel-and-snowflake-tor-bridge-setup-ansible-playbooks-inside#p1

  • @buggedout said: made this post earlier

    Yes yes thanks, I have seen it but I do not like Ansible :lol:

  • @forest said: If you have an extra IP

    Gotcha. I usually only have one IPv4 and a subnet of IPv6. Cool, thanks again.

  • forest Member
    edited March 8

    @JohnFilch123 said:

    @buggedout said: made this post earlier

    Yes yes thanks, I have seen it but I do not like Ansible :lol:

    If you'd like, I can write you a quick script for Debian that you can run which will automatically install and configure Snowflake. On Debian, the stable (trixie) version is quite outdated, but the testing version is much more up-to-date. Since it's written in pure Go, there are really no dependencies that would have to be pulled in, so there's no risk of dependency hell that would normally be an issue when mixing stable and testing repos.

    @JohnFilch123 said:

    @forest said: If you have an extra IP

    Gotcha. I usually only have one IPv4 and a subnet of IPv6. Cool, thanks again.

    As long as you aren't running a public Tor node on that same IPv4 and IPv6 subnet, it's totally appropriate to run Snowflake.

  • @forest said: If you'd like, I can write you a quick script for Debian that you can run which will automatically install and configure Snowflake

    Would be nice, if you have time, thanks. I am just curious how it works. Since it has to stay secret, I have got nobody to send it to but good for experimental/educational purpose.

  • concept Member
    edited March 8

    Looks like 4vps has moved to Datapacket/CDN77 for some of its locations. Hope that means better CPU performance and network performance which would be good for Tor.

    Thanked by 1forest
  • forest Member

    @JohnFilch123 said:

    @forest said: If you'd like, I can write you a quick script for Debian that you can run which will automatically install and configure Snowflake

    Would be nice, if you have time, thanks. I am just curious how it works. Since it has to stay secret, I have got nobody to send it to but good for experimental/educational purpose.

    It will automatically add itself to the network so people can use it. The only reason to keep it secret is so that it can't be trivially added to some ISP filter in Iran, which would prevent people there from using it otherwise.

    This should work (not tested but it's pretty trivial, just writing a few files):

    #!/bin/bash
    
    set -e
    
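    # Abort (via set -e) unless running as root, i.e. EUID is 0.
    (( ! EUID ))
    # Abort if a Tor relay has already run on this host (its fingerprint file exists).
    [[ ! -e /var/lib/tor/fingerprint ]]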
    
    cat > /etc/apt/preferences.d/no-testing.pref << EOF
    Package: *
    Pin: release a=testing
    Pin-Priority: -1
    EOF
    
    echo "deb https://deb.debian.org/debian testing main" > /etc/apt/sources.list.d/testing.list
    
    systemctl mask snowflake-proxy.service
    apt-get update
    apt-get -y install snowflake-proxy/testing
    systemctl unmask snowflake-proxy.service
    
    adduser --system --group snowflake-proxy
    
    systemctl edit --stdin snowflake-proxy.service << EOF
    [Service]
    User=snowflake-proxy
    KeyringMode=private
    LockPersonality=yes
    DevicePolicy=closed
    ProtectClock=yes
    ProtectHome=yes
    ProtectKernelLogs=yes
    ProtectKernelModules=yes
    ProtectKernelTunables=yes
    ProtectSystem=strict
    RestrictRealtime=yes
    RemoveIPC=yes
    PrivateTmp=yes
    MemoryDenyWriteExecute=yes
    RestrictAddressFamilies=AF_INET AF_INET6
    SystemCallArchitectures=native
    SystemCallFilter=@system-service
    SystemCallFilter=~kcmp splice tee userfaultfd vmsplice
    EOF
    
    cat > /etc/apparmor.d/usr.bin.snowflake-proxy << EOF
    #include <tunables/global>
    
    profile /usr/bin/snowflake-proxy {
      #include <abstractions/base>
      #include <abstractions/openssl>
      #include <abstractions/nameservice>
    
      /usr/bin/snowflake-proxy mr,
    }
    EOF
    
    systemctl reload apparmor.service
    systemctl enable --now snowflake-proxy.service
    
  • @forest said: [Service]

    Thanks. No need for ExecStart= here?

  • forest Member
    edited March 8

    @JohnFilch123 said:

    @forest said: [Service]

    Thanks. No need for ExecStart= here?

    The systemctl edit command doesn't create a new service file, it just adds an override file. The original unit file isn't replaced. The package installs /usr/lib/systemd/system/snowflake-proxy.service which contains:

    [Unit]
    Description=snowflake-proxy
    Documentation=man:snowflake-proxy
    Documentation=https://snowflake.torproject.org/
    After=network-online.target docker.socket firewalld.service
    Wants=network-online.target
    
    [Service]
    EnvironmentFile=-/etc/default/snowflake-proxy
    ExecStart=/usr/bin/snowflake-proxy $ARGS
    DynamicUser=yes
    
    [Install]
    WantedBy=multi-user.target
    

    But you don't have to create that file yourself, and the systemctl edit --stdin snowflake-proxy.service command just reads from stdin and writes to /etc/systemd/system/snowflake-proxy.service.d/override.conf and then does an implicit daemon-reload. Systemd will read from both files (the original service file and the override) when starting a service.

    See how it has DynamicUser=yes? I prefer static users, which is why I have User=snowflake-proxy in the override file. I find that easier to manage. I think I added that initially to make SNAT easier, so I could add to /etc/nftables.conf:

    chain postrouting_nat {
            type nat hook postrouting priority srcnat; policy accept
            skuid snowflake-proxy oifname eth0 ip saddr != $secondary_ipv4 snat to $secondary_ipv4
    }
    

    I do that on systems that have two IPv4 addresses to force Snowflake to only use the secondary one (since the primary one is being used for a Tor relay's ORPort), since it doesn't seem to have any options to exclusively bind to a chosen IP.

    The other additions to the override file are just miscellaneous hardening features.

    Come to think about it, I should probably add After=network-online.target nftables.service to my own overrides...
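
The unit-plus-override behaviour explained in the post above, as an added example that is not part of the original thread: a simplified model of the merge, run on the packaged unit and a trimmed copy of the override quoted there. The function names are hypothetical, and only plain `Key=value` lines in `[Service]` are handled.

```shell
#!/bin/sh
# Added example: simplified model of how systemd layers a drop-in over the
# packaged unit. File contents are copied from the thread (override trimmed).

# effective_values KEY FILE...: print every value assigned to KEY in
# [Service], reading FILEs in order (packaged unit first, drop-ins after).
# An empty assignment ("KEY=") discards the values collected so far.
effective_values() {
    key=$1; shift
    awk -v key="$key" '
        FNR == 1 { in_service = 0 }
        /^\[/    { in_service = ($0 == "[Service]"); next }
        in_service && index($0, key "=") == 1 {
            val = substr($0, length(key) + 2)
            if (val == "") n = 0; else vals[++n] = val
        }
        END { for (i = 1; i <= n; i++) print vals[i] }
    ' "$@"
}

# Single-valued settings such as User= take the last assignment.
effective_scalar() { effective_values "$@" | tail -n 1; }

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
base="$demo_dir/snowflake-proxy.service"
dropin="$demo_dir/override.conf"

cat > "$base" << 'EOF'
[Unit]
Description=snowflake-proxy
After=network-online.target docker.socket firewalld.service
Wants=network-online.target

[Service]
EnvironmentFile=-/etc/default/snowflake-proxy
ExecStart=/usr/bin/snowflake-proxy $ARGS
DynamicUser=yes

[Install]
WantedBy=multi-user.target
EOF

cat > "$dropin" << 'EOF'
[Service]
User=snowflake-proxy
ProtectSystem=strict
SystemCallFilter=@system-service
SystemCallFilter=~kcmp splice tee userfaultfd vmsplice
EOF

# The drop-in never mentions ExecStart=, so the packaged value survives.
# DynamicUser=yes also survives; systemd uses the existing static account
# named by User= instead of allocating a dynamic one.
echo "ExecStart:   $(effective_scalar ExecStart "$base" "$dropin")"
echo "User:        $(effective_scalar User "$base" "$dropin")"
echo "DynamicUser: $(effective_scalar DynamicUser "$base" "$dropin")"
echo "SystemCallFilter entries (both lines apply):"
effective_values SystemCallFilter "$base" "$dropin" | sed 's/^/  /'
```

On a live host, `systemctl cat snowflake-proxy.service` prints both files and `systemctl show -p User -p ExecStart snowflake-proxy.service` prints the merged result; `systemd-analyze security snowflake-proxy.service` scores the hardening options.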

  • @forest said: it just adds an override file

    Ah yes, missed that. Gotcha, thanks again. Will experiment.

    Thanked by 1forest
  • This budget is peanuts for Asia/Africa for the bandwidth alone. You want an extra IPv4. And this is for a tor relay. Good luck with that.

  • forest Member
    edited March 11

    @janderbilla said:
    This budget is peanuts for Asia/Africa for the bandwidth alone. You want an extra IPv4. And this is for a tor relay. Good luck with that.

    It doesn't have to be an APAC country. An uncommon EU country would be fine as well. Yes, it is a bit of a stretch, but that's why I'm flexible on budget. Usually the only providers who are willing to deal with this on their own subnets are those who personally support privacy. I believe @MAXKO_Hosting is planning to open up a location in Serbia soon which will allow Tor exits, for example. He is a big supporter of the Tor network and even gives a discount to people who buy VPSes for the purpose of running a Tor relay!

    I could get HK, SG, UAE, and a number of others for this budget with 4vps, so hosts that permit exits for such a price do exist, but they already host quite a number of Tor exits and I am prioritizing network diversity.

  • forest Member

    Increasing my budget to $120/year.

  • matze00 Member

    @forest said:

    So that's 7 exits and a potential additional 8 exits out of the 42 relays I have as of writing this.

    Thanks for your participation against censorship. Are you also running I2P relays?

    Thanked by 2oloke forest