Dear List,
How important is the throughput on an exit relay? I realize that more is always better, making it harder to associate exit packets with input ones at the other end. My numbers: For the same price I can buy 2 exit relays that run about 3500 to 4000 connections or one that runs about 4300 to 4700 connections. The actual daily throughput varies a good deal, but the cheaper ones show about 15-20% less throughput, at around 330 GiB/day when I look at vnstat.
Can I assume 2 is almost always better than one? Or is there a threshold below which packets are too easily tracked? I have no common sense about this.
TIA,
--Torix
Sent with [ProtonMail](https://protonmail.com) Secure Email.
Tor already has code that avoids having multiple nodes from a single /16 range or from the same AS (correct me on that one if I'm wrong, not totally sure about it) in the same circuit, so as long as your MyFamily setting is set correctly, I see no problem here.
Throughput is important as you will be able to serve more clients at once, so AES hardware acceleration and a CPU with very good single thread performance are important.
However, running a high-capacity node under an AS like OVH or Hetzner has certain anonymity implications, since many Tor nodes are already being run there, a single wire-tap on their peers / up-streams is enough to capture the traffic of around 15-25% of all Tor nodes (got the numbers from the top of my head, for exact numbers check out Tor Metrics @ https://metrics.torproject.org/networksize.html).
Ideally go for a hoster in an uncommon, underdeveloped (Tor-wise) country that only hosts a handful, if any, of Tor Nodes and colocate if you have the hardware, time and money - this helps spread out Tor nodes across as many countries as possible, which makes it harder for adversaries to control all of Tor's traffic at once.
You should also allocate a small IP range for yourself, and ask them to modify the whois so it shows an e-mail address you control as the abuse address.
Hope this was helpful.
William
2020-06-20 12:30 GMT, torix@protonmail.com torix@protonmail.com:
> Dear List,
>
> How important is the throughput on an exit relay? I realize that more is always better, making it harder to associate exit packets with input ones at the other end. My numbers: For the same price I can buy 2 exit relays that run about 3500 to 4000 connections or one that runs about 4300 to 4700 connections. The actual daily throughput varies a good deal, but the cheaper ones show about 15-20% less throughput, at around 330 GiB/day when I look at vnstat.
>
> Can I assume 2 is almost always better than one? Or is there a threshold below which packets are too easily tracked? I have no common sense about this.
>
> TIA,
> --Torix
>
> Sent with [ProtonMail](https://protonmail.com) Secure Email.
Also - 4000 connections sounds like your OS limiting the amount of open file descriptors, when I still used to run exit relays, it was at least 6500 connections just for all the other Tor relays, which should now be 7000.
You should at the very least allow 8192 open file descriptors.
If you launch Tor using systemd, use 'systemctl edit <service_name>' to create an override such as:

    [Service]
    LimitNOFILE=8192

You might also want to raise the limits in limits.conf, the location of this file might be different across different distributions, but generally (at least on Debian and Arch Linux) you can find it at /etc/security/limits.conf.
Don't forget to reboot.
2020-06-20 13:10 GMT, William Kane ttallink@googlemail.com:
> Tor already has code that avoids having multiple nodes from a single /16 range or from the same AS (correct me on that one if I'm wrong, not totally sure about it) in the same circuit, so as long as your MyFamily setting is set correctly, I see no problem here.
>
> Throughput is important as you will be able to serve more clients at once, so AES hardware acceleration and a CPU with very good single thread performance are important.
>
> However, running a high-capacity node under an AS like OVH or Hetzner has certain anonymity implications, since many Tor nodes are already being run there, a single wire-tap on their peers / up-streams is enough to capture the traffic of around 15-25% of all Tor nodes (got the numbers from the top of my head, for exact numbers check out Tor Metrics @ https://metrics.torproject.org/networksize.html).
>
> Ideally go for a hoster in an uncommon, underdeveloped (Tor-wise) country that only hosts a handful, if any, of Tor Nodes and colocate if you have the hardware, time and money - this helps spread out Tor nodes across as many countries as possible, which makes it harder for adversaries to control all of Tor's traffic at once.
>
> You should also allocate a small IP range for yourself, and ask them to modify the whois so it shows an e-mail address you control as the abuse address.
>
> Hope this was helpful.
>
> William
tor-relays@lists.torproject.org
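
Added example, not part of the original thread: a shell check that a raised file-descriptor limit actually reached the running relay, by reading the soft "Max open files" value from a /proc/<pid>/limits table and comparing it with the 8192 minimum given in the second reply. The sample table is constructed, and the function names and the process name `tor` in the usage comment are assumptions.

```shell
#!/bin/sh
# Verify the effective open-file limit of a relay process (added example).
MIN_NOFILE=8192   # minimum suggested in the thread

# sample_limits N -> prints a constructed /proc/<pid>/limits table with
# soft and hard "Max open files" set to N (test data, not real output).
sample_limits() {
    cat <<EOF
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max open files            $1                 $1                 files
Max locked memory         65536                65536                bytes
EOF
}

# soft_nofile FILE -> prints the soft "Max open files" value; fails if absent.
soft_nofile() {
    awk '/^Max open files/ { print $4; found = 1 } END { exit !found }' "$1"
}

# nofile_verdict FILE [MIN] -> "ok <n>" or "low <n>"; returns 2 if unparsable.
nofile_verdict() {
    limit=$(soft_nofile "$1") || { echo "unknown"; return 2; }
    min=${2:-$MIN_NOFILE}
    if [ "$limit" = "unlimited" ] || [ "$limit" -ge "$min" ]; then
        echo "ok $limit"
    else
        echo "low $limit"
    fi
}

# fd_headroom FD_DIR LIMITS_FILE -> descriptors still free (soft limit - open).
# FD_DIR is a directory with one entry per open descriptor, e.g. /proc/<pid>/fd.
fd_headroom() {
    limit=$(soft_nofile "$2") || return 2
    [ "$limit" = "unlimited" ] && { echo "unlimited"; return 0; }
    used=$(( $(ls "$1" | wc -l) ))
    echo $(( limit - used ))
}

# Live use (assumes the relay process is named "tor"; reading another
# user's /proc/<pid>/fd needs root):
#   pid=$(pidof tor)
#   nofile_verdict "/proc/$pid/limits"
#   fd_headroom "/proc/$pid/fd" "/proc/$pid/limits"
```

A "low" verdict after editing limits.conf alone is expected for a systemd-launched relay, because services take their limit from `LimitNOFILE=` in the unit rather than from PAM limits.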