Questions about Tor bridge (network security)

Hello all,
I hope all is good for you. :slight_smile:
I plan to run a bridge at home.

I have few questions about it, emphasize the security.

I plan to create a DMZ, and few firewalls (software and hardware).

About my relay I will set up automatic updates and remove any remote access.

Do you have any recommendation to increase the security, some tips?

The answer to that question is entirely dependent on how your network is setup, and what os your running.
Is this a BSD, or linux machine? Something else?
Also, DMZs can be dangerous if improperly setup. I highly advise against using a DMZ unless absolutely necessary, as doing so punches a hole through all firewalls between it and the internet, and enables the node to be a pivot point for an attacker attempting to get in. This is my opinion though, not a fact. But its been my experience that DMZs allow any and all connections to the target, including those that you probably don’t need or even want for that matter.

EDIT:08-09-22-- A relay only node should theoretically only need 1 open port, 9001 for OR by default, which can (and in a lot of cases should) be changed for better accessibility by censored users.
Credit for correction: boldsuck

Mind you, these are default values, can be changed to other ports if needed for one reason or another. But a DMZ to a machine behind several firewalls seems to completely defeat the point of the firewalls even being there in the first place.



Thank you for your answer, so I will just do a port redirection instead of a DMZ, it’s better I think because I don’t really know how my ISP’s router creates a DMZ.

About the OS, I use BSD.

I was really hesitating between DMZ and just open the needed ports.

I’d suggest starting with just forwarding the default ports from the router to your BSD machine then, and set a static ipv4 in the router settings. The post from earlier was in reference to tor middle relay, I’ve not run a bridge so im not completely sure on the details. Tor Project | FreeBSD or Tor Project | OpenBSD depending on your distro will get you jump started.

I would like to point out specifically these points from the setup details, "

# Replace "TODO2" with an obfs4 port of your choice.  This port must be
# externally reachable and must be different from the one specified for ORPort.
# Avoid port 9001 because it's commonly associated with
# Tor and censors may be scanning the Internet for this port.

So I’d suggest choosing a high port for both the OR port, and the obfs4 port instead of the defaults to ensure it will be more excessible to those who really need it.

When setting up port forwarding on your router, specify the external port, and either leave the internal empty, or 0 so it can assign as many internal sockets as needed for the node to work. I ran into this problem when setting both internal and external.

With that settled, for security, you’ll probably want to separate the subnet for the relay and the rest of your devices. This way, any traffic or attacks directed at the server won’t easily be able to hit your other devices on the network.Ie, 192.168.1.* for all your usual shit, and another VLAN or private subnet like 10.0.1.*
This also means you piss off your wife/housemates a lot less when you oof on implementing a firewall rule. If your relay is on a different subnet, and your messing about with firewall rules and such can cause problems for the rest of the devices on your network. BSD is an excellent choice overall for security.

Once you have everything setup the way you like it, turn it on and see what happens. Then use nmap to scan your node and see what you can see. Ive already found and fixed several vulnerabilities in my own relay. A particularly useful command for finding bugs and shit is the
““sudo nmap -vvv --privileged --script vuln -Pn -sT -sV -O [target ip/hostname]””

About my relay I will set up automatic updates and remove any remote access.

Do you have any recommendation to increase the security, some tips?

Don’t run Tor relays (bridge, exit, non-exit) with a dyn IP, run a snowflake proxy.

We have our servers behind a bastion host to which a VPN connection is established.
1 network card with their own IPs for the BMC Mgmt Interface. (IPMI)
1 network card with their own IPs for SSH
The Tor IP’s are routed via 2 SFP+ ports. (LACP bond)

SSH keys are PIN & password protected FIDO2 Resident Keys on a PIN protected OnlyKey

Especially with exits, do not use HD encryption!
Use OfflineMasterKey for relays especially on VPN.
Avoid clouds :face_vomiting:

A relay only node should only need one port to WAN! The ORPort (Hint: default dual stack)
9050 is usually the Socks5 that you only want to use locally for HS exactly like 9051 the ControlPort for NYX.

SocksPort 0
SocksPolicy reject *

DirPort is only used for exit DirPortFrontPage /etc/tor/tor-exit-notice.html

Bridge needs additionally:

# obfs4 can do IPv4 and IPv6 connections simultaneously
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy

# The ServerTransportListenAddr line is dual stack friendly.
ServerTransportListenAddr obfs4 [::]:12345

# Local communication port between Tor and obfs4.  Always set this to "auto".
# "Ext" means "extended", not "external".  Don't try to set a specific port number, nor listen on
ExtORPort auto

This is very helpful boldsuck, thank you for correcting my error in that point. Gonna fix my relay later then to only reveal OR to WAN.