Tor project needs volunteers to help Iranian users access the internet (torproject.org)
298 points by folz on Feb 11, 2012 | hide | past | favorite | 48 comments

does anyone have a configured aws image? seems like that would help - people could just deploy them to micro instances for free...

[i am about to try build this on an aws instance, but since i know very little about images i am sure others will be better/quicker than me]

[update: if anyone else is doing this, you are best picking a base distro that is new enough to contain libevent 2]

OK, i think (i have never done this before) that the following image should be public - ami-a97eaec0

it contains a basic 64 bit amazon linux image, with the extra code generated according to lgeek below http://news.ycombinator.com/item?id=3579531

to run, deploy the image, connect as ec2-user in the normal way and then:

- modify ~/tor.sh to change the port on which obfsproxy listens, if you want

- change the security group to allow ports 9100 and 2189 (or whatever you change 2189 to above) (you may need to restart the instance at this point to apply the security group).

- modify the bandwidth limit in /usr/local/etc/tor/torrc (i.e. sudo emacs -nw /usr/local/etc/tor/torrc) - currently it's 50 KB/s which i think comes out as around $10-20 a month if it's fully used.

- start with the tor.sh script.

- check tor.log and note your external IP address.

- check external access using something like "telnet xxx.xxx.xxx.xxx 2189" (which generates a screenful of binary on success).

- contact tor-assistants at torproject.org so they can give the bridge location out to someone that needs it.

please post here or email me if there are any issues (a confirmation that you can access the ami would be cool too :o). also, are AWS external IP addresses permanent (if not, may need to use elastic IP + DNS)?
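The bridge-side configuration the steps above describe, as an added example that is not code from the thread, the AMI or the Tor project. It writes a bridge torrc with the bandwidth cap from the post, lints it for the settings every bridge needs, and replaces the "telnet xxx.xxx.xxx.xxx 2189" reachability check with a function. The config path and log path are assumptions taken from the thread's source build (/usr/local/etc/tor/torrc); the 15 GB monthly accounting cap is the free-tier figure quoted further down the thread, and is only meaningful if you actually want Tor to stop relaying once that quota is spent.

```shell
#!/bin/sh
# Added example, not from the thread or the Tor project.
# Assumptions: Tor built from source so the config lives under
# /usr/local/etc/tor (as in the thread); obfsproxy runs separately in
# front of the ORPort, so only the ORPort and the obfsproxy port need
# to be opened in the security group.

# write_bridge_torrc FILE ORPORT RATE_KB NICKNAME CONTACT
write_bridge_torrc() {
    file=$1; orport=$2; rate_kb=$3; nick=$4; contact=$5
    burst_kb=$((rate_kb * 2))
    cat > "$file" <<EOF
# Bridge relay: accepts client connections but is not listed in the
# public consensus, so a censor cannot enumerate it from the directory.
BridgeRelay 1
ORPort $orport
PublishServerDescriptor bridge
# Never exit traffic from this box; a bridge only forwards into the network.
ExitPolicy reject *:*
# Bandwidth cap (the thread's 50 KB/s figure); burst is twice the rate.
RelayBandwidthRate ${rate_kb} KBytes
RelayBandwidthBurst ${burst_kb} KBytes
# Stop relaying for the rest of the month once the quota is used up
# (15 GB is the free-tier figure quoted in the thread).
AccountingMax 15 GBytes
AccountingStart month 1 00:00
Nickname $nick
ContactInfo $contact
Log notice file /usr/local/var/log/tor/tor.log
EOF
}

# lint_bridge_torrc FILE: returns 0 if every setting a bridge needs is
# present, otherwise prints what is missing and returns 1.
lint_bridge_torrc() {
    file=$1; rc=0
    for key in 'BridgeRelay 1' 'ORPort ' 'ExitPolicy reject \*:\*' 'RelayBandwidthRate '; do
        grep -q "^$key" "$file" || { echo "missing: $key" >&2; rc=1; }
    done
    return $rc
}

# check_port HOST PORT: plain TCP connect test, the scripted equivalent of
# the thread's "telnet host 2189". Uses nc when present, else bash's /dev/tcp.
check_port() {
    host=$1; port=$2
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 5 "$host" "$port"
    else
        (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null
    fi
}

# Typical use on the instance (paths as assumed above):
#   write_bridge_torrc /usr/local/etc/tor/torrc 9001 50 mybridge 'you@example.org'
#   lint_bridge_torrc /usr/local/etc/tor/torrc && check_port 127.0.0.1 9001
```

The lint step is the cheap check for the mistake this thread's AMI discussion is about: a torrc copied from someone else's image should be re-read for ContactInfo and Nickname before the bridge is handed to tor-assistants, since those are what the Tor people will use to reach you.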

It looks like you left your public key in authorized_keys. I guess it was an honest mistake, but at the very least anyone using this AMI should remove it.

Now, please don't be offended, but this is one of the reasons I prefer instructions or more generally an easy way to replicate a result - which is easier to verify - rather than the built software/AMI/whatever. It's trivial to offer a compromised system and nearly impossible to verify that a system is secure.

On the other hand, tor and obfsproxy work for me using your AMI.

Security groups are applied as soon as you save your changes, no restart is required.

I've never seen an external IP address for an EC2 box change, I don't believe they do. They are typically part of the hostname and it would be strange to have amazon change this at random points in time. Elastic IP is good if you want to change a server a domain points to without having to wait for DNS propagation.

I just confirmed that I can access your AMI in the US East region. Be aware, however, that AMIs are region specific and thus your AMI cannot be found or used in any other region (such as US West).

thanks to the comments, i've created a new ami, ami-2b61b142, which should not have my keys. again, this is in US east.

i will delete the ami described in the post above, please use this one.

this will still have my contact details in the tor config /usr/local/etc/tor/torrc - you should change those too... (not a security issue, but if they email me about your install, there's not much i can do...)

Here's how to install everything on Amazon's AMI: https://gist.github.com/1802068

Note that obfsproxy seems to crash in managed mode, so run it stand-alone. Configure tor as a regular bridge (https://www.torproject.org/docs/bridges.html.en#RunningABrid...), and then start obfsproxy with ./obfsproxy obfs2 --dest= server

9001 is the bridge port configured in tor and 1051 is the port which will accept obfuscated connections. I think that a random port is chosen in managed mode, so you might want to change it.

Although AWS is cool to allow lots of people, all the eggs are still in the AWS basket, which makes it easy to block. If lots of people were to run things on their own servers scattered all over the globe, all over the IP space, then it's harder to block.

that's true. so perhaps you could start one up somewhere else? thanks!

Please, someone familiar with Tor and the special bridge mentioned here, make such an image available. I would deploy one ASAP.

You'll still need to pay for the bandwidth, right?

I've set it up in my home server (it seems really easy, at least according to their instructions), but I only have 512kbps of upload, which will probably limit its usefulness.

Is this something that you can easily scale up and down? If so, shoot me an e-mail and I'll sponsor you to crank it up for the next month. (e-mail in my profile description)

i understand that there's 15GB/month of bandwidth included in a free micro instance (and i have used one as a personal ssh tunnel without paying anything). the images in the link i gave - https://cloud.torproject.org/ - look like they include some limited to the free amount.

for something like this, personally, i am also willing to spend some money [i am still working on aws trying to get an image working - last attempt failed through lack of scsi drivers afaict - will post here if successful].

And you can also configure Tor to only use a certain bandwidth quota per day/week/month.

Just FYI, what andrew said sounded like a plan to me, but AWS only gives 750 hours with the free tier. Might suffice for now, but not forever. So looks like I'll have to do this on a linux vm instead (at home).

What base image are you working from?

i was trying to get an opensuse 12.1 ami from suse studio running (as it has libevent 2). however, i am now following this http://news.ycombinator.com/item?id=3579531 and with the fixes i posted in the comments there, things appear to be ok (waiting for tor compile to finish).

I am pretty sure AWS (like most major hosts) does not allow the operation of TOR nodes. [this statement is wrong, see below; my bad, sorry]

absolutely not.

it is common - https://cloud.torproject.org/

tor is not mentioned on the aws site - http://aws.amazon.com/search?searchQuery=tor&searchPath=...

there is nothing related in the customer agreement - http://aws.amazon.com/agreement/ (no mention of tor, proxy, etc).

Not to derail, but the depressing headlines from Syria suggest the need there for secure communication with the outside world is particularly urgent at present.

Things aren't looking too good in Saudi Arabia either:


they can already use tor. this call is for additional work needed because iran is actively blocking access.

I see your point; it just occurs to me that since Iran appears to be Syria's sole reliable ally the same thing could happen in Syria at any time.

Here's the beauty of an interconnected world. You can actually help someone else directly. People can easily organize around the globe to let those in power know they can't just keep doing whatever they want. Keep up the good fight!

After reading the post above, I reached out to our cloud vendors and got them to sponsor us with Tor-servers. As of right now, we have five Tor server up and running, and we are expecting more shortly (more here http://wireload.net/2012/02/were-helping-tor-project-bypass-...)

Out of curiosity, what prevents Iran from just blocking all Tor end nodes?

If del.icio.us is able to do it[1], surely Iran must be able to too.

[1] https://news.ycombinator.com/item?id=3567996

They can only do that on sites they control.

Iran wants to prevent users from getting into the Tor network and going to sites that they do not have control over. Since it is easy for them to block the public routers, Tor uses "bridges", which are nodes that will allow people to connect to the entry nodes through them. The lists of these nodes are then treated as semi-secret (in that they try to limit any one person or organization from learning all of them). This is exactly what they are looking for people to make, more bridges, not more exits.

edit: They actually say that Iran does very little active blocking and are just throttling anything that looks like TLS, so the bridge vs. entry node distinction does not really apply in this case, but it is relevant to the attack you are trying to describe.
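The client side of the bridge mechanism described in the comment above, as an added example that is not from the thread or the Tor project: a user behind the filter does not ask the public directory for entry nodes at all, but is handed a few bridge addresses out of band and lists them in torrc. The bridge addresses here are constructed placeholders (documentation ranges), and the obfs2 lines use the ClientTransportPlugin / managed-mode syntax of 2012-era Tor and obfsproxy that the thread refers to; both are assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread or the Tor project.
# Assumptions: 2012-era torrc syntax for bridges and pluggable transports;
# obfsproxy installed at /usr/local/bin/obfsproxy on the client.

# write_client_torrc FILE BRIDGE...
# Each BRIDGE is "ip:port" for a plain bridge or "obfs2 ip:port" for one
# fronted by obfsproxy (the 1051-style port from the thread, not the ORPort).
write_client_torrc() {
    file=$1; shift
    {
        # Do not use the publicly listed entry guards; they are easy to block.
        echo 'UseBridges 1'
        for b in "$@"; do
            echo "Bridge $b"
        done
        # Only needed when an obfs2 bridge is listed: Tor spawns obfsproxy
        # in managed mode and talks to it over a local port.
        if printf '%s\n' "$@" | grep -q '^obfs2 '; then
            echo 'ClientTransportPlugin obfs2 exec /usr/local/bin/obfsproxy --managed'
        fi
    } > "$file"
}

# valid_bridge_addr "ip:port": 0 if ip is a dotted quad with octets <= 255
# and port is in 1..65535; catches typos before Tor silently ignores the line.
valid_bridge_addr() {
    addr=$1
    ip=${addr%:*}; port=${addr##*:}
    case $port in ''|*[!0-9]*) return 1;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Typical use: addresses received out of band (e.g. from tor-assistants).
#   valid_bridge_addr 203.0.113.5:9001 && \
#   write_client_torrc ~/.torrc 203.0.113.5:9001 'obfs2 198.51.100.7:1051'
```

Note that the plain bridge line points at the bridge's ORPort while the obfs2 line points at obfsproxy's listening port; mixing the two up is the most common reason a handed-out bridge "does not work", and is exactly what the telnet-to-the-obfuscated-port check earlier in the thread is meant to catch.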

But couldn't they simply block on a combination of encrypted traffic and whitelist? That is only allow encrypted traffic to known 'good' sites.

Iran is doing an extreme version of precisely that, where the whitelist is a null set.

Tor also has a well-established way of fighting blacklists. Normal relays are all listed on a public network, but there is also an opt-in program which exists for Tor relays: a Tor relay can choose to be "hidden" in a certain sense. A "hidden" relay node accepts only entrance connections, and these are advertised more quietly by the Tor Project folks, who don't reveal too many too fast. It is therefore the case that blacklists can be circumvented by asking Tor for a couple of hidden entrance nodes and configuring yourself appropriately.

The goal of obfuscation is to buy a little more time during which people can use encryption again, by making the encryption look like normal traffic. (But I have no further knowledge of the particulars, so take what I have said with a grain of salt.)

I noticed too, on the Tor project website, about the obfuscating Tor traffic to appear as non-encrypted traffic; that sounds interesting - https://www.torproject.org/projects/obfsproxy-instructions.h....

this call is for a workaround that avoids (hopefully) blocking encrypted traffic.

why don't you, you know, read the link that this thread is about before commenting?

andrewcooke - sorry, I downvoted before you'd updated your answer. Apologies - should not be a downvote.

Watch the very informative and entertaining talk by Roger and Jacob from 28c3 http://mirror.fem-net.de/CCC/28C3/webm/28c3-4800-en-how_gove...

YouTube link: http://www.youtube.com/watch?v=DX46Qv_b7F4

High Quality H264 link (720x576): http://mirror.fem-net.de/CCC/28C3/mp4-h264-HQ/28c3-4800-en-h... (found on the YouTube page)

Where is the obfuscation bridge covered in more detail? (I've already checked the link in Jason's email.) He says it's highly technical, maybe to some it is, but it only covers installation; not how the obfuscation actually works: how can a TLS connection appear to be HTTP? Someone might say read the source, but my literacy in that area is questionable.

Yeah, that talk got me to set up a tor node. Watching it is time well spent.

Hands down the best talk of 28C3.

I only know a little bit about tor, but my understanding is that if you run a relay, then you are basically proxying traffic for other people on the tor network.

If this is true, and if someone is looking at kiddie porn through your connection, could you get implicated?

If you're running an intermediate node, then you're proxying an encrypted datastream from one node to another. You don't know what's in the datastream, who it's from (the endpoint), or where it's going (the other endpoint). See here: https://en.wikipedia.org/wiki/Onion_routing

That's still a legal gray area. The short answer is maybe, but the EFF will probably take your case if you get in legal trouble.

> Can EFF promise that I won't get in trouble for running a Tor relay?

> No. All new technologies create legal uncertainties, and Tor is no exception. Presently, no court has ever considered any case involving the Tor technology, and we therefore cannot guarantee that you will never face any legal liability as a result of running a Tor relay. However, EFF believes so strongly that those running Tor relays shouldn't be liable for traffic that passes through the relay that we're running our own middle relay.


speaking of this, does anyone have the html/images of the iranian block page? I collect them and would really appreciate it if someone was able to send that along. Or does the iranian firewall just drop the connection without the censorship notice?

They're dropping SSH too, so I'd just assume that they're dropping everything. No block page for you. ^_^

The goal might not be censorship, even. Iran's most prominent recent actions have been provocative trade threats and hacking a US drone -- and US Presidential candidates have been discussing the possibility of eventually invading Iran. Iran has plenty of paranoia to spare:


I'm guessing that they're dropping connections in part based on that; fear of spies rather than fear of speech. In which case they wouldn't really have any motive for a blockpage, either.

It is the anniversary of the overthrow of the Shah and they do something like this every time there is something politically sensitive going on.

It is clearly population/sentiment control and not 'fear of spies'.

The actual url is: Site&policy=MainPolicy but obviously you can't access that (it's a local IP).

You can download the html source at https://raw.github.com/gist/1805605/f2211718b70f7cb24f3d3213...

('peyvandha' means 'links')

Would running through an unencrypted socat tunnel (http://freecode.com/projects/socat) defeat the DPI?

If yes, you could setup a tunnel on port 80 and then run openvpn or tor through it. Technically it works as I've done this for a friend in China (but China wasn't doing DPI on SSL handshaking).

I posted this same question on the earlier Iran shutdown thread but was probably too late to get a response (http://news.ycombinator.com/item?id=3577901).

why would it help? socat just sets up a tcp connection. whatever data you send across it is going to look like data sent across any other tcp connection (including the ones that browsers and servers use).

am i missing something?

No I think you're probably right. Not knowing how exactly the DPI is done, I was abstractly thinking that perhaps shoving the SSL handshake through another TCP/UDP connection might defeat it but tbh I have no idea. Hence the question :)

Edit: the reason I mentioned socat was because when I used it to help the guy in China, it was because they were apparently filtering openvpn and we found that when it went via socat the connection was much more stable and faster.

Edit 2: if TCP through a UDP socat wouldn't work, how about something totally off the wall like an ipv6 tunnel over ipv4 (using http://en.wikipedia.org/wiki/Teredo_tunneling) and then an ipv4 tunnel within that ipv6 tunnel (through which the tor or openvpn connection would go). Sorry if I'm spouting garbage but it's quite fun thinking about all the random ways one might be able to tunnel one stream of data through another. (although given the Iranians urgent predicament, my mental masturbation is probably best saved for another day...)

I know jack about tor other than its purpose, but shouldn't it be possible to configure a virtual machine to do this and upload it, so that one would "only" have to mount the machine and turn it on in order to help?

Might be good to ask this where major-league hosting providers hang out like webhostingtalk?
