Hi,
Thanks all for joining the Tor Relay Operator Meetup!
You can find the meetup notes below.
The next Tor Relay Operator online meetup is July 29, 2023 @ 18 UTC.
cheers,
Gus
## Tor Relay Operator Meetup - 2023-06-24
### Before we start
Tor operators are recommended to read the Tor Code of Conduct and
Expectations of Tor Operators.
Tor Code of Conduct:
Expectations for Relay Operators:
### 1. Announcements
1.1. In-person activities
- Tor Relay Operators meetup @ Bornhack
(BornHack 2023) in August (Denmark). Ping Alex
(ahf) for more information.
- Tor Relay Operators meetup @ CCCamp 2023. CCCamp
(Chaos Communication Camp 2023) is taking place near
Berlin, Germany, in August. Ping gus or other tor people if you want to
help.
1.2. More unrestricted snowflake proxies are needed
- Context: Snowflake is very popular in Iran and China. See the Tor
metrics graphs:
- Users – Tor Metrics
- Users – Tor Metrics
- But there is an issue: many snowflake proxies (volunteers) are
behind "restricted connections," including NAT and packet filtering.
'Unrestricted' snowflake proxies will work with all snowflake clients,
even those with the most restrictive symmetric NATs and filtering
behaviour.
- Current stats:
snowflake-ips-nat-restricted 72006
snowflake-ips-nat-unrestricted 2447 <- We need your help to increase this pool!
snowflake-ips-nat-unknown 47623
- To understand Snowflake NAT matching behavior, please check out this
documentation:
NAT matching · Wiki · The Tor Project / Anti-censorship / Pluggable Transports / Snowflake · GitLab
- Maybe there should be a guide on how to go from being restricted to
unrestricted for standalone snowflake proxy from home and/or from a
server with a firewall (i.e. limit the range used by snowflake, and
"find how to open a range of port on your router").
- Recommendation: Do not run snowflake proxy on the same IP as a
relay/bridge. It's a good call to run it on a machine with public
dynamic IP address.
1.3. Relays EOL (0.4.5.x) removal
- Only public relays running 0.4.5.x are affected; bridges are
unaffected.
- If your relay was blocked because it was running tor version 0.4.5.x,
please reach out to bad-relays at lists.torproject.org and ask them
to unblock your relay.
- Issue:
Deal with EOL 0.4.5.x relays and bridges (#291) · Issues · The Tor Project / Network Health / Team · GitLab
1.4. IPv4 limit proposal (bumped limit from 2 to 4, and soon 4 to 8!)
- Proposal: Increase the amount of allowed relays per IP address to 8 (#40744) · Issues · The Tor Project / Core / Tor · GitLab
- Currently we're allowing 4 relays per IPv4 address. This new max
allowed relays per IP address was analyzed here:
Analyze the results of bumping the max allowed relays per IP address to 4 (#51) · Issues · The Tor Project / Network Health / Analysis · GitLab
- We're considering bumping the limit to 8 relays per IPv4 address.
1.5. Tor Forum is now self-hosted by Tor Project
- The Tor Forum migration was completed last week:
https://forum.torproject.org/
- tor-talk will be deactivated next week. The mailing list archive
will be publicly available. Other mailing lists aren't affected.
- The Tor Forum Privacy policy will be updated.
### 2. Presentation about Webtunnel bridges with Tor Anti-censorship Team
The Tor Anti-censorship Team is soft-releasing Webtunnel, a new pluggable
transport based on HTTP Upgrade (HTTPT). It is designed to hide behind
HTTPS servers to resist active probing attacks and to
effectively blend in with Internet traffic.
Bridge operators can deploy this new pluggable transport on the same
IP/machine if they are already running obfs4.
Please don't expect a lot of users at the moment, because webtunnel is
only available on Tor Browser Alpha.
Slides: https://nc.torproject.net/s/PP98BXDMk8nwtrn
Webtunnel requirements for operators:
- A self-hosted HTTPS website
- Handle traffic with configurable reverse proxy
- Environment to run Tor bridge
- (Optional) Container runtime like Docker
You can find instructions on how to deploy webtunnel here:
A Dockerfile is available for use with a Debian container and a package
for FreeBSD has been created.
Q: What is the distribution mechanism?
A: At the moment webtunnel is being distributed only via "HTTPS"
(https://bridges.torproject.org).
Q: Are the regular traffic patterns of webtunnel-transported traffic
similar to tor traffic? Are they usually bi-directional?
A: No, the traffic looks like HTTPS.
### 3. Tor Network Health proposals discussion
- Meta proposal discussion:
Write a meta proposal for community proposals: 001-community-relay-operator-process.md (#2) · Issues · The Tor Project / Community / Policies · GitLab
- contactinfo proposal discussion:
Write proposal to restrict contact information field to email address (and make it mandatory) (#71) · Issues · The Tor Project / Community / Relays · GitLab
The contactinfo proposal: we don't need to rush as this is a proposal
for Arti relays, which won't happen any time soon (it probably is not
happening for the next 2 years), but we should start scoping which
fields the community wants.
### 4. Next Tor Relay Operator Meetup
- Date: July 29, 2023 at 18:00 UTC.
### 5. Q&A
Q: I am conducting a survey to understand the attitudes of relay
operators towards current relay updates and a new automatic update
design. How should I approach contacting relay operators? I apologize
for any potential lack of knowledge in this area, as I am new to this
field and seeking guidance on the best practices for engaging with relay
operators.
A: Please contact gus and geko by email, so they can evaluate your
request.
Q: Will the obfs fork affect the future development of obfs/its fork?
A: We plan to continue the development of obfs4 in lyrebird, but there
is probably not much going to happen in the near future. Bridge
operators don't need to migrate to lyrebird yet; it is great if they do,
but we haven't packaged it for Debian or any distro, nor do we use it yet
in our docker images. For now the changes in our fork only affect meek.
tl;dr: bridge operators don't need to do anything yet, just keep an eye
out for it.
Q: Any plans, ETA, or budget estimation for running relays using Arti?
A: No, not yet. We don't have any funded project to develop Arti
relays and this process will take time (it's not part of the 2023/2024
roadmap). Relay Operators will be involved when the time comes.
Q: Are unrestricted snowflake proxies currently more needed than obfs4
bridges?
A: Depends on the type/location of user you are wanting to help most.
Bridges/Relays are best for static IPs, snowflake for dynamic addresses.
E.g. Snowflake is used more than obfs4 in China, obfs4 more than
Snowflake in Russia.
Q: When should someone run a snowflake proxy instead of a bridge or
relay?
A: Snowflake proxies tend to use less bandwidth than a relay/bridge.
Snowflakes work with dynamic IPs, e.g. at home.
Q: ipv4 limit relaxation - is that due to carrier-grade NAT being used
more and more?
A: Not really. It's more that servers got more powerful over time and
IPv4 addresses more expensive. Thus, the cost for relay operators
running more relays got higher while resources got wasted, which is
hurting good operators. We try to accommodate that with allowing more
relays per IP address while keeping the network monitored so that sybil
attacks are not a danger and get dealt with quickly.
Q: What is the status regarding ddos?
A: The main ddos seems to be stopped, but some exit operators are having
issues with their DNS resolver.
Q: How meaningful is it at all to run an obfs4 bridge on the network of
a big hoster like Hetzner (regarding situations like in Turkmenistan, as
mentioned in one of the last meetings - possibly those countries block
whole IP ranges from such hosters)?
A: It's very meaningful to use big hosters as blocks can cause a lot of
collateral damage. You shouldn't really need to find an obscure hoster.
For Turkmenistan, bridges running on obfs4 port 80, 443 or 8080 and
residential connections seem to work!
Q: Is there a plan to have IPv6 only Relay (way cheaper)?
A: Not really because relays must be reachable by the rest of the Tor
network.
Q: What does it mean if no Bandwidth Ratio is displayed on
bridges.torproject.org scanner (while obfs4 reachability is displayed)?
(For one of my bridges, there is no "Bandwidth ratio" entry, but a
"obfs4: functional" and a "Last tested" entry)
A: The bandwidth ratio is the ratio of how fast this bridge is compared
to the rest of the bridges. It means that the bandwidth is not being tested
yet by onbasca; it could be that onbasca has failed to test it or just
needs a bit longer, but we don't distribute bridges with low ratio.
On Sat, Jun 24, 2023 at 06:46:08PM +0200, lists@for-privacy.net wrote:
On Saturday, 24 June 2023 18:03:47 CEST lists@for-privacy.net wrote:
> On Tuesday, 20 June 2023 23:01:23 CEST gus wrote:
> > Just a friendly reminder that the Relay Operator meetup will happen this
> > Saturday, June 24 at 18 UTC.
> >
> > ## Agenda
> >
> > 1. Announcements
> >
> > - Tor Relay Operators meetup @ CCCamp 2023!
> > - More unrestricted snowflake proxies are needed
> > - Relays EOL (0.4.5.x) removal
> > - IPv4 limit proposal
> >
> > 2. Presentation about Webtunnel bridges with Tor Anti-censorship Team
> >
> > 3. Tor Network Health proposals discussion
> >
> > - Meta proposal discussion
> > - contactinfo proposal discussion
> >
> > 4. Q&A
> >
> > Riseup Pad
>
> https://pad.riseup.net/ is down
> As an alternative, the 'German riseup' systemli could be taken. systemli.org
> is hosted on its own servers at Community-IX.
>
> systemli pad
I think gus copied the pad. Thanks. Hidden service link is:
http://mjrkrqnlf26etelsi7zpkqc3dzlrzyurvmd3jksmndarzzbugz5xctid.onion/p/tor-relay-op-meetup-june-keep
--
╰_╯ Ciao Marco!
Debian GNU/Linux
It's free software and it gives you freedom!
--
The Tor Project
Community Team Lead