Hi,

So for Debain 12, what is the command to install OBFS4? For my bridge at https://metrics.torproject.org/rs.html#details/0E547D99DEB753B20A19EEAA053CEF19EB5D54CD

Even though I configured obfs4 in torrc its saying no transport protocols. Thanks.

The torrc

Nickname udeservefreedom
ORPort
Log notice file /var/tornitces.log/notices.log
SocksPort 0
BridgeRelay 1
PublishServerDescriptor bridge
BridgeDistribution email
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:
ExtOrPort auto
ExitPolicy reject :
ContactInfo keiferdodderblyyatgmaildoddercom

Hi,

have you installed the obfs4proxy? If you follow this guide: https://community.torproject.org/relay/setup/bridge/debian-ubuntu/ you should be good to go.

I’ve added “BridgeDistribution https” for my bridge, if you follow the post install page there is written something about distribution channels.

Hi, yes I got it running. Wondering is there a single debain command to set up automatic upgrades for tor, and is there a torrc configuration to limit CPU usage? Thanks

Add Tor's repo in your system:

Then install unattended-upgrades too:

https://wiki.debian.org/UnattendedUpgrades

Unattended-Upgrade::Origins-Pattern {
        "origin=*";
};

This way (by including all origins) you basically keep all your packages upgraded.

Regarding CPU, you can give a try to cpulimit. I've never tested it with tor though:

Does your server CPU support hardware AES extensions?

Run this command in your shell (bash most likely):

lscpu | grep aes

If it returns the string AES, then you can make use of the crypto hardware acceleration.

This severely reduces CPU usage by Tor.

Also, if you want to reduce CPU usage further, throttle bandwidth, I wouldn’t use external tools not provided by Tor, unless you absolutely have to.

Take a look at RelayBandwidthRate / RelayBandwidthBurst**,** right here:

https://2019.www.torproject.org/docs/tor-manual.html.en#BandwidthRate

-GH

Thanks. One more question, is there a way to configure tor to start automatically when Linux bolts? Thanks.

–Keifer

Sorry for the late reply, but at least on ArchLinux, Tor already comes with a service file for systemd and an example configuration file at

/etc/tor/torrc

To make Tor auto-start on system boot, use:

systemctl enable tor

systemd also offers variable sandboxing mechanisms, which should be enabled for long-running services.

My current service file shipped by ArchLinux looks like this and has the sandboxing variables enabled:

/usr/lib/systemd/system/tor.service:

tor.service – this systemd configuration file for Tor sets up

relatively conservative, hardened Tor service. You may need to

edit it if you are making changes to your Tor configuration that it

does not allow. Package maintainers: this should be a starting point

for your tor.service; it is not the last point.

[Unit]
Description=Anonymizing overlay network for TCP
After=network.target nss-lookup.target

[Service]
Type=notify
NotifyAccess=all
ExecStartPre=/usr/bin/tor -f /etc/tor/torrc --verify-config
ExecStart=/usr/bin/tor -f /etc/tor/torrc
ExecReload=/bin/kill -HUP ${MAINPID}
KillSignal=SIGINT
TimeoutSec=60
Restart=on-failure
WatchdogSec=1m
LimitNOFILE=32768

Hardening

PrivateTmp=yes
PrivateDevices=yes
ProtectHome=yes
ProtectSystem=full
ReadOnlyDirectories=/
ReadWriteDirectories=-/var/lib/tor
ReadWriteDirectories=-/var/log/tor
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH CAP_KILL

[Install]

WantedBy=multi-user.target

By using:

You can see in the above default service file that the timeout for the service not responding is 60, yet I have ShutdownWaitLength set to 120 seconds instead of 60.

So I used:

systemctl edit tor

to override the default unit file:

/etc/systemd/system/tor.service.d/override.conf

Editing /etc/systemd/system/tor.service.d/override.conf

Anything between here and the comment below will become the contents of the drop-in file

[Service]
TimeoutSec=135
WatchdogSec=2m 15s

Edits below this comment will be discarded

Here you can see how I made systemd not deem my process unresponsive by increasing the timeout and watchdog thresholds.

The next time you have such trivial questions (regarding systemd, if it still has something to do with Tor, feel free to ask here), please refer to the systemd documentation and their mailing lists.

Google is also pretty good nowadays, and many problems have already been documented and solved by others.

I am happy to help new users, but I also have some time constraints.

All the best,

-GH