Tag Archives: NAS

Howto: Running Tor on a Synology DiskStation

Note: All of these steps may no longer be necessary. Check out this comment for a software package for your DiskStation, if you trust a version of Tor you have not compiled yourself.

(Repost from my tumblr)

After a brief conversation with the Tor support, I tried to and suceeded at getting Tor to run on my Synology DiskStation 211j. I suppose the setup process will be similar on all DiskStations and possibly other BusyBox NAS Systems, but I only tried my own one.

I suppose you already know your way around your NAS, in having SSH enabled and secured (important!) , and ipkg installed. You should also know basic stuff about linux (editing files, creading directories, sudo / su, …), but you don’t need to be an expert (hell, I am mostly a newbie myself when it comes to Linux).

Please also be aware of the legal implications that come with running Tor. I am not responsible for anything that happens to you, your NAS, your Network, Internet Connection, computer, data, cat, or anything else. Also, please note that while the following steps have worked for me, they might not work for you, and chances are that I will be unable to assist you in any way. Use Google or whatever search engine you are comfortable with to find solutions.

A note on the ipkg version of Tor:

I have asked the guys at TOR, and the version on IPKG is not official. It is also outdated, so please don’t use it. Compile TOR yourself instead.

Step one: Getting the Tor Source code

There are, as of April 2012, no precompiled ARM binaries available, so you will have to compile Tor yourself.

Go to https://www.torproject.org/download/download.html.en and download the Source Tarball (That’s important. Do not download any precompiled linux package).

Copy it to your NAS in some way (via a network share, for example). Getting the source Tarball directly on the NAS was not possible for me, as it is only loadable via https, and my wget had no https support compiled in.

Copy it to a location of your choice (your home folder, for example), and unpack it using:

tar x -f name_of_source_tarball.tar.gz

(remember you can autocomplete the filename with tab)

Step two: Checking the config

This step is easy. Just run “./configure” from the unpacked directory (you may have to “cd” into it first).

You will most likely get errors. Don’t freak out, thats normal.

If it complains that you don’t have gcc installed, just run “sudo ipkg install gcc” and you should be fine.

Usually, it will tell you that it has found a shared library, but is unable to use it, and you can specify a new path using the “—with-[libraryname]-dir=path/to/library” switch.

Most of the libraries will be located at /opt/lib

If you are indeed missing a library completely, you can most likely install it using ipkg.

For example, I was missing the openssl-libraries. By running “sudo ipkg list | grep openssl”, I was able to locate the “openssl-dev”-package that contained the libraries. If you really can’t find the libraries, use a search engine to figure out how to get them.

Once you get the “./configure” command to run without errors, using the switches explained above, you can run “make” (or install it first, if you don’t have it already, using “sudo ipkg install make”).

This will take a while (about 10 minutes for me). It should run without errors. If you encounter problems here, I will most likely not be able to help you, so use your friendly search engine again.

Step three: Preparing the system

First off, if you have not properly sealed your ssh, now is the time to do it. Use keyfiles to log in, change the standard port, disallow root login and so on. I will not go into details here, there are enough tutorials for that online.

Make sure all your software is up to date (“sudo ipkg update”, followed by “sudo ipkg upgrade”), and that your router’s Firewall is blocking every port by default. Be a bit paranoid.

If you are done with that, run “sudo mkdir /root/.tor”, followed by “sudo chown -R [your_username] /root/.tor”. This will enable Tor to use the directory, as per standard config.

Alternatively, you could just run “sudo [path_to_tor_source_dir]/src/or/tor” and then, after a second, cancel the execution using ctrl+c. Tor should create all required directories. Now you can run it without the “sudo” to get a list of all relevant directories that were created (Because it will complain that it has no access to them). “chown -R” all of them to your user, as described above.

Step four: Preparing a torrc file

Torshould have created a folder called “tor” somewhere (For me, it was /opt/etc/tor). cd to that folder and edit the torrc.sample (Or maybe it will be called torrc, without the .sample).

Read through it carefully and consider your choices, then make your changes. Also, check if you have write access by changing something and saving. If it works, keep going. Otherwise, exit your editor and restart it using “sudo”.

Keep in mind that the “#” character is signifying a comment. So, make sure the relevant lines are uncommented.

The most important decisions you have to make are:

  • SocksPort: Set to 0 if you only want to run a relay / exit node
  • Log configuration: It is useful to set a logfile for “notice” level logs. For example: “Log notice file /path/to/the/file/filename.txt”
  • RunAsDaemon: If you want Tor to keep running in background if you terminate your SSH connection, set this to 1. In this case, it is important to set a log file, or you will be unable to find out what is going on inside Tor, if there are any problems.
  • Port: Set some some port and make sure that it is forwarded in your router.Only set this if you want to run a relay, bridge, or exit node.
  • NickName: Set anything here to identify your Node. Again, only set if you want to run a relay, bridge or exit node.
  • RelayBandwidthRate: Set if you want to limit traffic through your relay, bridge or exit node.
  • RelayBandwidthBurst: Same here
  • AccountingMax, AccountingStart: Same here
  • ContactInfo: Set if you want the Tor team to be able to contact you, should something be wrong. Search engines are indexing this, so spammers will find your email eventually, if you are setting this.
  • DirPort: If you want to mirror directory information, set this and make sure your Router forwards the port.
  • DirPortFrontPage: Specify a HTML document that should be displayed if someone browses to your IP on your DirPort. Totally optional
  • MyFamily: Set the fingerprints of other Tor relays you are running here.
  • ExitPolicy:This is critical!If you want to only relay traffic (From Tor into Tor, as opposed to from Tor into the Internet), set this to “reject *:*”. Else, you can reject special ports, for example BitTorrent, Usenet, …If you chooseto be an exit node, you will get problems at some point, because people are using Tor to do illegal stuff, and your IP will show up eventually. Consider this carefully. Running a non-exit relay is safe and very much helps the Tor network.
  • BridgeRelay: If you want to serve as a bridge, set this to 1.

If you need your fingerprint to configure other relays, check “/root/.tor”.

Don’t forget to remove the “.sample” from the torrc file, if it was still there (“mv torrc.sample torrc)

Step five: Running Tor for the first time (for real)

Run TOR using “[path_to_Tor_sources]/src/or/tor”. If the torrc file is not in the standard directory, you can specify the path using “-f /path/to/file/torrc”.

If you have set Daemon to 1, check your log files. It should say “Self-testing indicates your ORPort is reachable from the outside”, as well as “self-testing indicates your DirPort is reachable from the outside” (If you have enabled the respective ports). If there are problems, check your port forwarding, paths and permissions.

Step six: Killing Tor if is is a daemon

If you have set Daemon to 1 and need to kill Tor for some reason, run “ps | grep tor”, note the PID of the tor process and run “sudo kill -SIGINT [tor_pid]”. It will take 30 seconds for Tor to shut down. If you need to shut it down fast, without regard for the stability of the currently connected clients, you can just use the kill command without the -SIGINT. Please try to avoid this.

That’s it. You are now (hopefully) running a Tor relay, or at least have access to Tor, using your NAS as a Proxy.

Some notes:

  • Subscribe to the tor-announce mailing list if you want to be notified on new Tor updates. Install them ASAP, as old versions might be insecure.
  • IMPORTANT: Read this page on the Tor documentation about improving security of your Tor Relay. There are many things you can do to make it harder for people to break into your machine. This is especially important if you are running an exit node.
  • If you want to browse the internet using Tor, use the Tor browser bundle instead of setting Tor as a proxy in your Browser. The TBB contains a hardened version of Firefox that has some additional tracking and exploit protections built in that your regular browser does not have. Do not expect to be anonymous if you use your regular browser with a Tor proxy.

So, that’s it, this time for real. If you have any notes concerning the process, do not hesitate to comment.