Re: [vserver] tor in a vserver?

From: Arjan <sw-vserver_at_el-c.xs4all.nl>
Date: Wed 24 Oct 2007 - 14:39:12 BST
Message-ID: <471F4B00.3090501@el-c.xs4all.nl>

Martin Fick wrote:
> --- Arjan <sw-vserver@el-c.xs4all.nl> wrote:
[...]
>>
>> Because of the NAT, you'll have to forward incoming
>> traffic on ORPort (and optionally DirPort) to your
>> tor vserver.
>
> This is the part I was unclear about from the tor
> docs. Do I simply have to configure my router to port
> forward to the vservers IP or do I have to (the tor
> docs make it seem like I do) do some NAT/IP forwarding
> on the linux host also?

Just forwarding on the router will do.

The tor docs describe situations like this:
        ORPort 443
        ORListenAddress 0.0.0.0:9001
        DirPort 80
        DirListenAddress 0.0.0.0:9030
Here, you'll tell the tor network that your server is listening on ports
443 and 80. This helps tor clients behind restrictive firewalls to
connect, because https and http traffic are often allowed.
You can't actually run your tor server on those ports, because tor
should not be run as root. So, you'll have to port forward incoming
traffic on port 443 to port 9001 on your vserver IP (and 80 to 9030).
You can do all that forwarding on your router. The more complicated way
would be to do the ip forwarding on the router and the port forwarding
on the machine with your tor vserver.

> In other words, is your tor server listening to the
> private vserver IP? If so, how do the other tor
> servers know how to contact it? Do they simply wait
> for your server to contact them and then note the
> public NATted IP?

It's listening on the private vserver IP.
When the tor server starts, it announces its ORPort and DirPort to the
tor network. The tor network then also learns your public IP. Your node
information is then added to the tor directory which can be retrieved
from any tor node with an enabled DirPort (via http).

[...]
> Is there perhaps a large security benefit from running
> separate tor server and the tor client instances in
> separate vservers? I.E. If someone breaks into your
> tor server vserver, they will still not be able to see
> your local unencrypted tor traffic since it will enter
> the other (client tor) vserver which does not have any
> listening ports exposed to the internet?

I'm not a tor expert, but I think you're right.

It would also make sense to keep the tor client and the applications
using it as close together as possible (same PC), because LAN traffic
could be sniffed.
Received on Wed Oct 24 14:44:26 2007

Generated on Wed 24 Oct 2007 - 14:44:32 BST by hypermail 2.1.8
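The "more complicated way" Arjan mentions, where the router forwards 443 and 80 to the host and the host does the port forwarding into the vserver, comes down to two iptables rules per port pair. The script below is an added example, not code from the original thread or from the vserver or tor projects; it generates (and optionally applies) those DNAT/FORWARD rules for the torrc shown in the post. The vserver IP 10.0.0.5 and the interface name eth0 are made-up placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): build the host-side iptables
# rules that forward the advertised ORPort/DirPort to the tor vserver's
# private IP, matching the torrc in the post:
#   ORPort 443  / ORListenAddress 0.0.0.0:9001
#   DirPort 80  / DirListenAddress 0.0.0.0:9030
# The vserver itself still binds 9001 and 9030 as an unprivileged user;
# only the host rewrites the destination port.
#
# Assumptions (placeholders, not from the thread): vserver IP 10.0.0.5,
# host interface facing the router is eth0. Override via environment.
TOR_VSERVER_IP="${TOR_VSERVER_IP:-10.0.0.5}"   # assumed private vserver IP
WAN_IF="${WAN_IF:-eth0}"                        # assumed host-side interface

# forward_rule <advertised_port> <listen_port>
# Prints the two commands needed for one port pair:
#   1. nat/PREROUTING DNAT: rewrite dst to vserver:listen_port
#   2. filter/FORWARD ACCEPT: let the rewritten new connection through
forward_rule() {
    adv="$1"; lst="$2"
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$WAN_IF" "$adv" "$TOR_VSERVER_IP" "$lst"
    printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport %s -m state --state NEW -j ACCEPT\n' \
        "$WAN_IF" "$TOR_VSERVER_IP" "$lst"
}

# tor_forward_rules: the full rule set for ORPort 443->9001 and DirPort 80->9030
tor_forward_rules() {
    forward_rule 443 9001
    forward_rule 80 9030
}

# Default: print the rules for review. APPLY=1 executes them (needs root and
# net.ipv4.ip_forward=1, plus the router already forwarding 443/80 to this host).
if [ "${APPLY:-0}" = "1" ]; then
    tor_forward_rules | while read -r cmd; do $cmd; done
else
    tor_forward_rules
fi
```

Run it once without APPLY to inspect the rules, then with APPLY=1 as root. Note that the FORWARD rule accepts only NEW connections; the usual ESTABLISHED,RELATED accept rule is assumed to already exist in the FORWARD chain, and the vserver's default route must point back through the host so replies are un-NATted correctly.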