diff --git a/docs/configuration.rst b/docs/configuration.rst index 1bb2d33..e50a8aa 100644 --- a/docs/configuration.rst +++ b/docs/configuration.rst 
@@ -149,31 +149,74 @@ set the ``tub.location`` option described below. tub.port = 8098 tub.location = external-firewall.example.com:7912 - * Run a node behind a Tor proxy (perhaps via ``torsocks``), in client-only - mode (i.e. we can make outbound connections, but other nodes will not - be able to connect to us). The literal '``unreachable.example.org``' will - not resolve, but will serve as a reminder to human observers that this - node cannot be reached. "Don't call us.. we'll call you":: + * Run a node using Tor as a proxy (perhaps via ``torsocks`` or with + ``iptables`` transparent proxying), in client-only mode (i.e. we can make + outbound connections, but other nodes will not be able to connect to us). + The literal '``unreachable.example.org``' will not resolve, but will + serve as a reminder to human observers that this node cannot be reached. + "Don't call us.. we'll call you":: tub.port = 8098 tub.location = unreachable.example.org:0 - * Run a node behind a Tor proxy, and make the server available as a Tor - "hidden service". (This assumes that other clients are running their - node with ``torsocks``, such that they are prepared to connect to a - ``.onion`` address.) The hidden service must first be configured in - Tor, by giving it a local port number and then obtaining a ``.onion`` - name, using something in the ``torrc`` file like:: + * Run a node as a Tor Hidden Service, and make the server available only to + those connecting through the Tor network. This provides location + anonymity for your Tahoe node; usage of Tor's Hidden Service + authentication mechanisms may also be relevant. + (This assumes that other clients are running their node with + ``torsocks``, such that they are prepared to connect to a ``.onion`` + address.) 
The hidden service must first be configured in Tor, by giving + it a local port number and then obtaining a ``.onion`` name, using + something in the ``torrc`` file like:: HiddenServiceDir /var/lib/tor/hidden_services/tahoe - HiddenServicePort 29212 127.0.0.1:8098 + HiddenServicePort 443 127.0.0.1:4443 once Tor is restarted, the ``.onion`` hostname will be in ``/var/lib/tor/hidden_services/tahoe/hostname``. Then set up your ``tahoe.cfg`` like:: - tub.port = 8098 - tub.location = ualhejtq2p7ohfbb.onion:29212 + nickname = ualhejtq2p7ohfbb.onion + tub.port = tcp:4443:interface=127.0.0.1 + tub.location = ualhejtq2p7ohfbb.onion:443 + + Here is an example of bash script to load ``iptables`` rules. It will + transparently route outgoing TCP connections through Tor: + + #!/bin/bash -x + # This is a small script to ensure that the Tahoe-LAFS user always uses + # Tor to access the internet (when running as $TAHOEUSER). + TAHOEUSER=tahoe-lafs + TAHOEPORT=4443 + TORTRANSPORT=9040 + DNSPORT=5353 + + iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner $TAHOEUSER -m \ + tcp --syn -d 127.0.0.1 --dport $TAHOEPORT -j ACCEPT + + # The following rules will transparently Torify everything outgoing + iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner $TAHOEUSER -m \ + tcp -j REDIRECT --to-ports $TORTRANSPORT + + iptables -t nat -A OUTPUT -p udp -m owner --uid-owner $TAHOEUSER -m \ + udp --dport 53 -j REDIRECT --to-ports $DNSPORT + + # Accept redirected data in the filter chain + iptables -t filter -A OUTPUT -p tcp -m owner --uid-owner $TAHOEUSER \ + -m tcp --dport $TORTRANSPORT -j ACCEPT + + iptables -t filter -A OUTPUT -p udp -m owner --uid-owner $TAHOEUSER \ + -m \ udp --dport 53 -j ACCEPT + + # Drop everything else tahoe does + iptables -t filter -A OUTPUT -m owner --uid-owner $TAHOEUSER -j DROP + + Tor must be configured to support ``iptables`` transparent proxying. 
+ Ensure Tor is configured with at least the following options: + + TransPort 9040 + DNSPort 5353 + AutomapHostsOnResolve 1 Most users will not need to set ``tub.location``.
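Review bot: the udp ACCEPT rule in the iptables script is broken: in `iptables -t filter -A OUTPUT -p udp -m owner --uid-owner $TAHOEUSER \` followed by `-m \ udp --dport 53 -j ACCEPT`, the stray backslash before `udp` escapes the space, so the match module name is passed as ` udp` and the rule fails to load; it should read `-m udp --dport 53`. Even with that fixed, the filter ACCEPT rules do not line up with the nat REDIRECTs: locally generated packets traverse nat OUTPUT before filter OUTPUT, so DNS queries redirected `--to-ports $DNSPORT` reach the filter chain with destination port 5353 and are not matched by `--dport 53` (use `--dport $DNSPORT`, mirroring the TCP rule's `--dport $TORTRANSPORT`), and the node's own connection to `127.0.0.1:$TAHOEPORT`, which the nat chain ACCEPTs to keep it out of Tor, has no matching filter ACCEPT and falls through to the final `-j DROP`. Separately, both the script and the `TransPort 9040` / `DNSPort 5353` / `AutomapHostsOnResolve 1` snippet are introduced by sentences ending in a single colon rather than `::`, so reStructuredText will render them as body text instead of literal blocks like the surrounding `tub.port` examples; end those introducing sentences with `::`.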