This is a tutorial on how to set up a private Tor network. Note that we’re using Tor version 0.2.4.23.

Notice: I no longer work on Tor and this post is kind of outdated. Interested readers should visit https://github.com/antitree/private-tor-network for more information.

Network Topology

The demo network consists of four PCs on a single LAN, 192.168.1.0/24 (RS1 is 192.168.1.1, RS2 is 192.168.1.2 and RS4 is 192.168.1.4; see the Address lines in the torrc files below).

All the PCs run SliTaz Linux v3.2.53. It is easy to adapt the configuration to other distributions.

The roles of PCs are as follows:

  • RS1: Onion Client
  • RS2: Onion Router
  • RS3: Onion Router
  • RS4: Authority Server, HTTP Server and Onion Router

In the current implementation of Tor, an Authority Server has to be an Onion Router at the same time, so RS4 has to be configured as both an Authority Server and an Onion Router.

Install Tor

Note that in the following we’re using Tor version 0.2.4.23. Tor has to be installed on all four machines: RS1, RS2, RS3 and RS4.

Run the following command to install Tor:

tazpkg get-install tor

To start Tor manually, run the following command:

tor > /dev/tty2

To test that Tor works, open the network settings of Firefox, set the SOCKS proxy to localhost:9050 and choose SOCKS v4. Be careful not to set an HTTP or SSL proxy. (With SOCKS v4 the browser resolves host names locally rather than through Tor, which is why the test at the end of this tutorial visits the web server by IP address.)

By default, Tor connects to the public Tor network. In the following, we are going to setup a private Tor network.

Setup Authority Server on RS4

First, run the following commands to generate the authority keys:

mkdir /var/lib/tor/keys
tor-gencert --create-identity-key -m 12 -a 192.168.1.4:7000 \
            -i /var/lib/tor/keys/authority_identity_key \
            -s /var/lib/tor/keys/authority_signing_key \
            -c /var/lib/tor/keys/authority_certificate

When prompted for a password, use any that fits you best. This command generates the following files:

  • authority_identity_key: long-term key used to sign the authority certificate
  • authority_signing_key: medium-term key (3-12 months) used to sign directory information
  • authority_certificate: document signed by the authority identity key that certifies the authority signing key

Second, generate the router keys:

tor --list-fingerprint --orport 1 \
    --dirserver "x 127.0.0.1:1 ffffffffffffffffffffffffffffffffffffffff" \
    --datadirectory /var/lib/tor/

The command generates the following files:

  • secret_id_key: long-term key used to sign the router descriptor and TLS certificates
  • secret_onion_key: medium-term key used to establish circuits and negotiate ephemeral keys
  • secret_onion_key_ntor: short-term key for the ntor handshake
  • fingerprint: the fingerprint of the identity key

Finally, configure /etc/tor/torrc as follows:

TestingTorNetwork 1
DataDirectory /var/lib/tor
RunAsDaemon 1
ConnLimit 60
Nickname RS4
ShutdownWaitLength 0
PidFile /var/lib/tor/pid
Log notice file /var/lib/tor/notice.log
Log info file /var/lib/tor/info.log
ProtocolWarnings 1
SafeLogging 0
DisableDebuggerAttachment 0
DirAuthority RS4 orport=5000 no-v2 hs v3ident=finger1 192.168.1.4:7000 finger2

SocksPort 0
OrPort 5000
Address 192.168.1.4
DirPort 7000

# An exit policy that allows exiting to IPv4 LAN
ExitPolicy accept 192.168.1.0/24:*

# An exit policy that allows exiting to IPv6 localhost
ExitPolicy accept [::1]:*
IPv6Exit 1

AuthoritativeDirectory 1
V3AuthoritativeDirectory 1
ContactInfo auth0@test.test
ExitPolicy reject *:*
TestingV3AuthInitialVotingInterval 300
TestingV3AuthInitialVoteDelay 20
TestingV3AuthInitialDistDelay 20

The value finger1 is the 40-character hex string on the line starting with "fingerprint" in /var/lib/tor/authority_certificate. The value finger2 is the fingerprint in /var/lib/tor/fingerprint (the file holds one line: the nickname followed by the fingerprint).

Now make Tor reload the configuration by sending SIGHUP to the running Tor process (tor_pid is its process ID; once this torrc is loaded it is also written to /var/lib/tor/pid):

kill -SIGHUP tor_pid

Setup Onion Client on RS1

Note that in our experiment we found that the Onion Client also has to be configured as an Onion Router in order to work properly.

First, generate the router keys:

tor --list-fingerprint --orport 1 \
    --dirserver "x 127.0.0.1:1 ffffffffffffffffffffffffffffffffffffffff" \
    --datadirectory /var/lib/tor/

Then configure /etc/tor/torrc as follows:

TestingTorNetwork 1
DataDirectory /var/lib/tor
RunAsDaemon 1
ConnLimit 60
Nickname RS1
ShutdownWaitLength 0
PidFile /var/lib/tor/pid
Log notice file /var/lib/tor/notice.log
Log info file /var/lib/tor/info.log
ProtocolWarnings 1
SafeLogging 0
DisableDebuggerAttachment 0
DirAuthority RS4 orport=5000 no-v2 hs v3ident=finger1 192.168.1.4:7000 finger2

SocksPort 9011
OrPort 5000
Address 192.168.1.1

The value finger1 is taken from the Authority Server: the 40-character hex string on the line starting with "fingerprint" in /var/lib/tor/authority_certificate. The value finger2 is the fingerprint in the Authority Server's /var/lib/tor/fingerprint.

Now make Tor reload the configuration by sending SIGHUP to the running Tor process (tor_pid is its process ID):

kill -SIGHUP tor_pid

Setup Onion Router on RS2, RS3

We demonstrate the setup on RS2; the configuration for RS3 is the same apart from the Nickname and Address lines.

First, generate the router keys:

tor --list-fingerprint --orport 1 \
    --dirserver "x 127.0.0.1:1 ffffffffffffffffffffffffffffffffffffffff" \
    --datadirectory /var/lib/tor/

Then configure /etc/tor/torrc as follows:

TestingTorNetwork 1
DataDirectory /var/lib/tor
RunAsDaemon 1
ConnLimit 60
Nickname RS2
ShutdownWaitLength 0
PidFile /var/lib/tor/pid
Log notice file /var/lib/tor/notice.log
Log info file /var/lib/tor/info.log
ProtocolWarnings 1
SafeLogging 0
DisableDebuggerAttachment 0
DirAuthority RS4 orport=5000 no-v2 hs v3ident=finger1 192.168.1.4:7000 finger2

SocksPort 0
OrPort 5000
Address 192.168.1.2

# An exit policy that allows exiting to IPv4 LAN
ExitPolicy accept 192.168.1.0/24:*

# An exit policy that allows exiting to IPv6 localhost
ExitPolicy accept [::1]:*
IPv6Exit 1

The value finger1 is taken from the Authority Server: the 40-character hex string on the line starting with "fingerprint" in /var/lib/tor/authority_certificate. The value finger2 is the fingerprint in the Authority Server's /var/lib/tor/fingerprint.
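Copying finger1 and finger2 by hand into four torrc files is where a private network most often goes wrong: a mistyped fingerprint means the node silently rejects the authority's consensus. The script below is an added example, not part of the original post or of Tor itself. It derives the DirAuthority line from the authority's own files (it assumes the layouts that tor-gencert and "tor --list-fingerprint" produce: a "fingerprint <hex>" line and a "dir-address ip:port" line in authority_certificate, and one "<Nickname> <hex>" line in the fingerprint file) and then audits a torrc for the role its machine plays in this tutorial. The certificate, fingerprint file and the two torrcs it runs against are constructed samples, fingerprints included.

```shell
#!/bin/sh
# Added example, not from the original post: derive the DirAuthority line that
# every torrc in the lab must carry from the authority's own key files, then
# audit each node's torrc for its role (authority, router or client).
# Assumes the file layouts written by tor-gencert and "tor --list-fingerprint".
# All sample files and fingerprints below are constructed.
set -e

v3_ident() {     # "finger1": identity fingerprint in authority_certificate
    awk '$1 == "fingerprint" { s = ""; for (i = 2; i <= NF; i++) s = s $i; print s; exit }' "$1"
}
dir_address() {  # ip:dirport that tor-gencert recorded from its -a option
    awk '$1 == "dir-address" { print $2; exit }' "$1"
}
router_nick() {  # first token of the fingerprint file
    awk 'NR == 1 { print $1; exit }' "$1"
}
router_fp() {    # "finger2": remaining tokens joined, so spaced groups also work
    awk 'NR == 1 { s = ""; for (i = 2; i <= NF; i++) s = s $i; print s; exit }' "$1"
}
# usage: dirauthority_line <authority_certificate> <fingerprint-file> <orport>
dirauthority_line() {
    printf 'DirAuthority %s orport=%s no-v2 hs v3ident=%s %s %s\n' \
        "$(router_nick "$2")" "$3" "$(v3_ident "$1")" "$(dir_address "$1")" "$(router_fp "$2")"
}
# Value of a torrc option (first occurrence; comment lines never match).
torrc_get() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}
# Audit a torrc for role authority|router|client against the expected
# DirAuthority line. Prints each problem found; returns 1 if there was any.
audit_torrc() {
    f=$1; role=$2; expected=$3; rc=0
    [ "$(torrc_get "$f" TestingTorNetwork)" = 1 ] || { echo "$f: TestingTorNetwork must be 1"; rc=1; }
    [ "DirAuthority $(torrc_get "$f" DirAuthority)" = "$expected" ] \
        || { echo "$f: DirAuthority line does not match the authority's keys"; rc=1; }
    [ -n "$(torrc_get "$f" OrPort)" ] || { echo "$f: OrPort missing (every node is a relay here)"; rc=1; }
    case $role in
        authority)
            [ "$(torrc_get "$f" AuthoritativeDirectory)" = 1 ] && [ "$(torrc_get "$f" V3AuthoritativeDirectory)" = 1 ] \
                || { echo "$f: AuthoritativeDirectory and V3AuthoritativeDirectory must both be 1"; rc=1; }
            [ -n "$(torrc_get "$f" DirPort)" ] || { echo "$f: DirPort missing"; rc=1; } ;;
        client)
            sp=$(torrc_get "$f" SocksPort)
            { [ -n "$sp" ] && [ "$sp" != 0 ]; } || { echo "$f: client needs a non-zero SocksPort"; rc=1; } ;;
    esac
    # Lab exits should stay on the LAN; "accept *:*" would let traffic leave it.
    if grep -q '^ExitPolicy accept \*:\*' "$f"; then echo "$f: ExitPolicy accepts *:*"; rc=1; fi
    return $rc
}

# Constructed stand-ins for /var/lib/tor/authority_certificate, /var/lib/tor/fingerprint
# and two torrcs: a correct client config and a router config with two mistakes.
SAMPLE_V3=1111111111111111111111111111111111111111
SAMPLE_FP=2222222222222222222222222222222222222222
LAB=$(mktemp -d)
printf 'dir-key-certificate-version 3\ndir-address 192.168.1.4:7000\nfingerprint %s\n' "$SAMPLE_V3" > "$LAB/authority_certificate"
printf 'RS4 2222 2222 2222 2222 2222 2222 2222 2222 2222 2222\n' > "$LAB/fingerprint"
EXPECTED=$(dirauthority_line "$LAB/authority_certificate" "$LAB/fingerprint" 5000)
printf 'TestingTorNetwork 1\nNickname RS1\n%s\nSocksPort 9011\nOrPort 5000\nAddress 192.168.1.1\n' "$EXPECTED" > "$LAB/torrc.rs1"
printf 'TestingTorNetwork 1\nNickname RS2\nDirAuthority RS4 orport=5000 no-v2 hs v3ident=%s 192.168.1.4:7000 3333333333333333333333333333333333333333\nSocksPort 0\nOrPort 5000\nExitPolicy accept *:*\n' "$SAMPLE_V3" > "$LAB/torrc.bad"

echo "$EXPECTED"
audit_torrc "$LAB/torrc.rs1" client "$EXPECTED" && echo "torrc.rs1: ok"
audit_torrc "$LAB/torrc.bad" router "$EXPECTED" || echo "torrc.bad: fix the problems above"
```

On the real machines, point dirauthority_line at RS4's /var/lib/tor/keys/authority_certificate and /var/lib/tor/fingerprint, paste its output into each torrc, and run audit_torrc with the role each box plays (RS4 as authority, RS2 and RS3 as router, RS1 as client).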

Setup Web Server on RS4

To verify that the private Tor network works, we set up a web server on RS4. httpd (the BusyBox web server) runs by default on SliTaz Linux. We need to configure /etc/httpd.conf to accept incoming HTTP requests; each "A:" line is an allow rule matching a client address prefix, so the two lines below allow the LAN and localhost:

A:192.168.1.
A:127.

If the httpd service is not running, run the following command to start it manually:

httpd

Test The Private Network

On RS1, set the SOCKS proxy of Firefox to “127.0.0.1:9011” and choose “SOCKS v4”. Be careful not to set an HTTP or SSL proxy.

Now launch Wireshark to watch the traffic on each PC and visit http://192.168.1.4 from RS1. From the captures you’ll see the traffic follow a multi-hop path to RS4. At the last router of the path, all outgoing HTTP traffic is in plaintext. However, the traffic between two neighbouring routers is encrypted with TLS.
