Running a Tor node from Amazon's Elastic Computing Cloud.

Mar 05, 2011

Updated: 8 March 2011.

After a discussion on the torservers mailing list about setting up lots of Tor bridges for people to use to connect with the network in areas where it is otherwise blocked, it struck me that I should probably write up how I set up a few back in February during the uprising in Egypt.

Seeing as how I have a limited amount of bandwidth where I live for various reasons (most of all Verizon halting deployment of residential fibre) I've been making use of VPS companies and pushing certain tasks off of my network and onto other people's.

I know... I know.. I'm the first person to bitch in any conversation about untrusted because it runs on someone else's machines about losing control of your data. "If it's not your box, it's not yours anymore." The way I've been using untrusted because it runs on someone else's machines, however, I store a minimum of data on the virtual hosts I buy; it gets synched to my physical machines at home a few times an hour where it then gets backed up to cold storage. I've been making use of the CPUs and bandwidth bought from VPS providers but not so much the storage in case my hosts suddenly vanish. Anyway... I based the extra Tor nodes I set up on this procedure for building a private OpenVPN server to encrypt traffic while you're on an untrusted network. For my virtual machines I'm using micro instances under the Free Usage Tier of AWS running 64-bit Arch Linux (all the flexibility of Gentoo without all the compiling-it-yourself). While I would much prefer running OpenBSD for my nodes, the EC2 is based upon Linux's Xen virtualization platform, which OpenBSD isn't compatible with.

EDIT: 20110308: I've been asked to point out that if you operate EC2 instances under the free tier (which lasts for one calendar year, measured from the time you set up your account), you get 30 GB of traffic per month for free. If you don't want to pay anything, you don't have to so long as you configure Tor appropriately. Please bear in mind that even if you do operate within the free service tier, you'll still have to give Amazon a credit card number of some kind just to set up the account.

After standing up a couple of instances, auditing them as well as I could (someone else built the image in the marketplace, after all), patching and hardening them, and setting up unprivileged user accounts to log in with I installed Tor and configured it to operate as both a router and a bridge. Here are the relevant lines from the config file:

Address 174.x.y.z
ORPort 8080
ExitPolicy reject *:*
BridgeRelay 0
BandwidthRate 300 KB
BandwidthBurst 350 KB
AccountingStart month 1 00:00
AccountingMax 100 GB
MyFamily rei, asuka, shinji, touji, kaoru, ...

The Address line configures the publically routable IP address of each node. By default, every instance you stand up in the EC2 is behind a firewall with an RFC 1918 IP address. You have to use the EC2 web management console to poke a couple of holes through the firewall by going to the Security Group page, editing the 'default' group, and adding a couple of allowed connections:
  • Protocol TCP, From port 8080, To port 8080, from Source IP or Group
I picked port 8080/TCP because it's too easy to filter the standard port 9001/TCP at a firewall, and some web proxies tend to act unreliably when contacting something on port 443/TCP that isn't a web server. I could just as easily have picked something different or left it at the default. The ExitPolicy line defines what ports on the public Net my Tor nodes will allow people to access (none; route traffic to other Tor nodes only). The BridgeRelay option activates the capability to allow Tor clients to connect to the same port that Tor routers do so they can get onto the darknet from restricted environments.

EDIT: 20110308: It's been pointed out to me that if you configure Tor to act as a bridge, it won't route traffic as either an exit or a middleman relay.

I capped the maximum speed of connections to my nodes (300 KB per second, up to 350 KB for short periods of time) because I didn't want to take the chance of accidentally flooding the LAN my instances are on, interfering with other customers' instances, and getting dropped. Due to the fact that I didn't know ahead of time how much this would run me (and I didn't trust my arithmatic) I opted to limit the amount of traffic per billing period by using the AccountingStart option to begin tallying the amount of traffic at midnight the first day of every month. Whenever one of my Tor nodes has transmitted 100GB of data (AccountingMax) it automatically drops itself out of the darknet and hibernates until next month. The MyFamily option is set for every node, and contains a list of every other node I run to keep transmitted traffic separate in accord with best practices.

Here's the interesting bit: I got my invoice a few days ago from Amazon. For each node pushing 100GB of traffic per month I only paid about $23us. Running even a single Tor node is astoundingly cheap. I pay several times that every month just for DSL service.

I don't feel particularly confident about running exit nodes from the EC2 because of a couple of provisions in their user agreement (accessed 20110305 at 1321 EST5EDT). Section 4.1 says that people putting virtual machines on the EC2 are responsible for the content put online through those instances and the legal ramifications thereof (including DMCA takedowns). Section 4.3 says that I am responsible for setting an End User Agreement for any services I make available, and that I am responsible for enforcing that agreement. I can't make anyone using the Tor network agree to anything, so I've chosen to enforce a policy of "No direct net.access" by configuring Tor to only act as a router and bridge and not an exit. All it would take is one person doing something antisocial to torpedo at the very least the Tor instance in question (and possibly all of the others linked ot my account). Section 6.1 part (a) states that my instances and account can be suspended if anything they do is deemed a threat to any other customer's AWS resources, or impresses liability onto Amazon. Furthermore, section 7.2, part (b), subpart (ii) says that Amazon can kick me to the kerb for violations of part 6.1. I want to keep providing nodes to the Tor darknet, so that underlines the "Don't run exit nodes" bit a few times.

So, there you have it. For the price of ten venti regular coffees at Starbucks in northern Virginia, you too can run a Tor router and bridge from Amazon's network per month. I highly suggest that you do; the Tor network has become very important in the past few months, not only for people who are concerned about their privacy, but for people whose freedom and even lives are on the line because they're fighting to make their world a better place.