Running public Tor relay behind a reverse-proxy?

I would like to run a public Tor relay on a fast residential gigabit fiber so that I can have physical control over it, but the traffic would need to be routed through a different IP address, e.g. a VPS host that runs just some kind of TCP proxy or reverse-proxy software. The relay should appear to use the VPS IP address in Tor consensus documents and not my residential IP. Is this kind of setup possible, and what Linux proxy software would you recommend? HAProxy?

My present problem is that my residential IP gets blacklisted by many Internet websites despite running a non-exit relay.

Just a thought.

You could run a standalone Snowflake proxy (not the browser one) in unrestricted mode. It’s not like running a relay but still helps circumvent censorship which is what you want to do. Have no idea how many clients you could support. I don’t have the fastest residential fiber connection so I set mine for 9 clients max. Ubuntu 22.04 running 24/7.

This would prevent your IP from being blacklisted. I’ve not noticed any negative effects.


Alternatively you could encrypt the file system on the VPS and run the relay there.

I guess it would be possible to do it with HAProxy; there are instructions out there combining Tor and HAProxy, but not for your special use case as far as I know.

Maybe another possible solution would be using WireGuard to connect your gigabit link to a VPS and configure routing accordingly.

This would not solve the problem of his residential IP being blacklisted because it is on the public list.

Of course it does. When the relay is run on a VPS, the IP address of the VPS is used as the public IP.
If a VPS is involved anyway, then why not run the relay on the VPS? How does it make sense to use it as a proxy instead?

It is a big difference whether you are running on hardware you control or on someone else’s, especially on a VPS, where you are even sharing components with multiple unknown parties.

Yes, of course. I had VPN on my mind when I wrote that. OUCH.

I assume he wants to run a Tor relay at home because there is no more cost than his residential plan. Now this VPS service would cost something, and the Snowflake proxy costs nothing. With his gigabit plan he could probably run unlimited clients. So the final result of circumventing censorship is achieved anyway. There is hardly any effort in putting up a Snowflake proxy. If I can do it, anyone can.

And yes, why not run the relay on the VPS instead if that is the choice.

I think most relays run on a VPS, so one more or less doesn’t make a difference.

Try saturating only half of a gigabit with a standalone Snowflake proxy, will cost you a lot more CPU than just a simple relay…

IMHO it does; probably you would not host a crypto wallet with more than a few bucks on a VPS, so why run a relay there?

Hi,

I am in the same situation. I have 10 Gbps fiber available at home but behind a NAT. I want to run my relay on my hardware in the 10.0.0.0/8 address space, but advertise on my public IP (and port-forward traffic from TCP/9001 to the relay).

I’ve tried setting Address, OutboundBindAddress, ORPort and such to the public IP, but nothing seems to work. The torrc lists configuration options for doing just this, but I cannot make it work.

Is there a guide to doing this?

Thanks.

Is your router at home also behind a NAT? If so, you may be out of luck. If this router has public IP addresses, you can configure port forwarding on it.

Don’t really understand this reply. I was referring to the cost in dollars and not CPU cycles. Have no idea about the cost of a VPS but it must not be free.

I assumed that if a person is willing to run a relay then it would be a 24/7 machine just like a standalone Snowflake proxy. Now you have the bandwidth and the machine and want to circumvent censorship but a home relay gets you blacklisted which is not desirable. That was the problem.

How is shifting packets back and forth for clients that different on a Snowflake proxy than on a Tor relay? A client makes a request to a website for a file and it comes back. The traffic has to be about equal for both.

Traffic is encrypted anyway. So what is the reason for your worries?

Traffic is not the issue here; I’m talking about how much CPU you need to push that traffic. On all my setups I can push way more traffic with the Tor implementation in C than with the WebTunnel implementation in Go. So you will need a much stronger CPU to saturate the link with WebTunnel.

Sure, but on a VPS you do not control the CPU, so you do not control the encryption, because a higher instance can record every instruction cycle. Even with a trusted execution environment it is disputed if this addition is safe enough for processing confidential information.

There are multiple encryption layers. One of them is established between the client and the destination server, and this one prevents any relay from seeing plain data. All relays get to see encrypted stuff only, unless somebody still visits plain HTTP websites etc., but that is insecure whether using Tor or not.

The Tor server has a public IP in the assigned /29 range. I would like all traffic to/from the relay on the 10/8 network to appear to come from the sole public IP assigned via port forwarding. Bidirectional NAT works. I cannot get Tor to advertise the public IP but run on the local 10/8 IP.

Thanks.

Use this:

ORPort <PUBLIC_IPv4_ADDRESS>:<PORT> NoListen
ORPort <LOCAL_IPv4_ADDRESS>:<PORT> NoAdvertise
ORPort [<PUBLIC_IPv6_ADDRESS>]:<PORT>

The ports must be forwarded correctly though.

If IPv6 is also behind NAT, use this instead of last line above:

ORPort [<PUBLIC_IPv6_ADDRESS>]:<PORT> NoListen
ORPort [<LOCAL_IPv6_ADDRESS>]:<PORT> NoAdvertise
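The NoListen/NoAdvertise recipe above is easy to get subtly wrong (forgetting NoAdvertise on the local line, or leaving the IPv6 line listening on an address that is actually behind NAT). The following is an added checker, not part of the thread and not tor's own code: it parses the ORPort lines of a torrc, works out which addresses tor will advertise and which sockets it will open, and reports the mismatches discussed in this thread. The list of "internal" address ranges is an approximation of what tor refuses to advertise (assumption), and the sample torrc uses constructed documentation addresses (203.0.113.10, 10.0.0.5, 2001:db8::10) in place of the placeholders above.

```python
"""Sanity-check the ORPort lines of a torrc for a relay behind NAT.

Added example for the thread above; it is not tor's own validation and only
approximates it. Each ORPort line is reduced to (address, port, listen,
advertise); tor advertises lines without NoAdvertise and opens sockets for
lines without NoListen.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Ranges treated as internal, i.e. useless in a descriptor. Assumption: this
# approximates tor's own "internal address" test rather than reproducing it.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10", "fec0::/10",
)]

ORPORT_RE = re.compile(r"^\s*ORPort\s+(\S+)(.*)$", re.IGNORECASE)
V6_TARGET_RE = re.compile(r"^\[([^\]]+)\]:(\S+)$")


@dataclass
class ORPort:
    addr: ipaddress.IPv4Address | ipaddress.IPv6Address | None  # None: all interfaces
    port: int            # 0 stands for "auto"
    listen: bool         # False when the NoListen flag is present
    advertise: bool      # False when the NoAdvertise flag is present
    raw: str


def _port(text: str) -> int:
    return 0 if text.lower() == "auto" else int(text)


def parse_orport(line: str) -> ORPort | None:
    """Return the parsed ORPort line, or None for any other torrc line."""
    m = ORPORT_RE.match(line)
    if not m:
        return None
    target, flags_text = m.group(1), m.group(2)
    flags = {f.lower() for f in flags_text.split()}
    v6 = V6_TARGET_RE.match(target)
    if v6:
        addr, port = ipaddress.ip_address(v6.group(1)), _port(v6.group(2))
    elif ":" in target:
        host, _, p = target.rpartition(":")
        addr, port = ipaddress.ip_address(host), _port(p)
    else:
        addr, port = None, _port(target)
    if addr is not None and addr.is_unspecified:
        addr = None  # 0.0.0.0 / :: mean "all interfaces", like a bare port
    return ORPort(addr, port, "nolisten" not in flags, "noadvertise" not in flags,
                  line.strip())


def is_internal(addr: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def check_orports(torrc: str, ipv6_behind_nat: bool = False) -> list[str]:
    """Return a list of problems; an empty list means the ORPort lines look sane."""
    ports = [p for p in map(parse_orport, torrc.splitlines()) if p is not None]
    problems: list[str] = []
    if not any(p.advertise for p in ports):
        problems.append("no ORPort is advertised; the relay will not be reachable")
    if not any(p.listen for p in ports):
        problems.append("no ORPort actually listens; every line has NoListen")
    for p in ports:
        if p.advertise and p.addr is not None and is_internal(p.addr):
            problems.append(f"{p.raw}: advertises internal address {p.addr}; add "
                            "NoAdvertise and put the public address on a NoListen line")
        if p.advertise and not p.listen:
            fam = p.addr.version if p.addr is not None else None
            has_listener = any(q.listen and (q.addr is None or fam is None
                                             or q.addr.version == fam) for q in ports)
            if not has_listener:
                problems.append(f"{p.raw}: advertised but nothing listens for IPv{fam}")
        if (ipv6_behind_nat and p.addr is not None and p.addr.version == 6
                and p.advertise and p.listen and not is_internal(p.addr)):
            problems.append(f"{p.raw}: IPv6 is behind NAT; split this into a NoListen line "
                            "with the public address and a NoAdvertise line with the local one")
    return problems


# Constructed sample torrc following the recipe in the thread (documentation addresses).
SAMPLE_TORRC = """\
Nickname ExampleRelay
ORPort 203.0.113.10:9001 NoListen
ORPort 10.0.0.5:9001 NoAdvertise
ORPort [2001:db8::10]:9001
"""

# Constructed mistake: the local address is advertised directly.
BROKEN_TORRC = "ORPort 10.0.0.5:9001\n"

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_TORRC), ("broken", BROKEN_TORRC)):
        print(name, check_orports(text) or ["ok"])
```

The checker only covers what tor advertises and binds. With a TCP proxy or a tunnel in front of the relay, the relay's own outbound connections still leave from whichever address the host routes them through, so OutboundBindAddress and the routing of the tunnel need the same attention as the ORPort lines.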