# Tor Node Deployment Plan

Date: October 14, 2025
Target: 4 Tor nodes on workers 17.0.0.10-13
Goal: Add Tor/Onion routing to existing VPN load balancer
## Overview

Add 4 Tor nodes to provide:

- Anonymous onion routing (slower but more private than VPN)
- Access to .onion hidden services
- Mix Tor traffic with existing VPN workers for enhanced privacy
- Optional: Expose router management via hidden services
## Architecture

```
┌──────────────────────────────────────────────────────────┐
│                        CLIENT                            │
│  Configure proxy: http://17.0.0.1:8888 (existing)        │
│                   http://17.0.0.1:9888 (Tor-only)        │
└────────────────────────┬─────────────────────────────────┘
                         │
                         ↓
┌──────────────────────────────────────────────────────────┐
│                   MASTER (17.0.0.1)                      │
│  - HAProxy port 8888 → All workers (VPN + Tor mixed)     │
│  - HAProxy port 9888 → Tor nodes only                    │
└────────────────────────┬─────────────────────────────────┘
                         │
         ┌───────────────┼───────────────┬─────────────────┐
         ↓               ↓               ↓                 ↓
     Worker 10       Worker 11       Worker 12        Worker 13
     Tor SOCKS       Tor SOCKS       Tor SOCKS        Tor SOCKS
     Port 9050       Port 9050       Port 9050        Port 9050

(Workers 14-25 continue with VPN as before)
```
## Node Selection

Tor Nodes: 17.0.0.10, 17.0.0.11, 17.0.0.12, 17.0.0.13

Why these 4?

- First 4 workers in sequence (easy to remember)
- Can disable their VPN to avoid "Tor over VPN" (which is slower)
- Keep workers 14-25 on VPN for fast anonymous traffic
- Total: 4 Tor + 12 VPN = 16 workers with different privacy profiles
## Deployment Strategy

### Option A: Tor-Only Nodes (Recommended)

- Remove VPN from workers 10-13
- Install Tor as their only anonymization layer
- Faster - No double encryption overhead
- Cleaner - One purpose per worker
### Option B: Tor + VPN Hybrid

- Keep VPN on workers 10-13
- Add Tor on top of VPN (Tor over VPN)
- Slower - Double encryption penalty
- More private? - Debatable, may reduce Tor's effectiveness
Recommendation: Go with Option A for better performance and cleaner architecture.
## Installation Steps

### Phase 1: Install Tor on Workers 10-13

For each worker (10, 11, 12, 13):

```sh
# SSH to worker
ssh root@17.0.0.10
# Update package list
opkg update
# Install Tor
opkg install tor tor-geoip
# Verify installation
tor --version
```
### Phase 2: Configure Tor as SOCKS Proxy

Edit /etc/tor/torrc on each worker:

```sh
cat > /etc/tor/torrc << 'EOF'
## Tor SOCKS Proxy Configuration
# Run as daemon
RunAsDaemon 1
# Data directory
DataDirectory /var/lib/tor
# SOCKS proxy (for proxy clients). Binding 0.0.0.0 makes it reachable by every
# host on the worker network with no authentication; if only the local Privoxy
# (Phase 4) will use it, bind 127.0.0.1:9050 instead.
SocksPort 0.0.0.0:9050
# DNS resolver through Tor (binds 127.0.0.1 by default)
DNSPort 9053
# Control port (optional, for monitoring). No CookieAuthentication or
# HashedControlPassword is set, so any local process can issue control commands.
ControlPort 9051
# Log configuration
Log notice syslog
# Performance tuning
MaxMemInQueues 512 MB
NumCPUs 2
# Exclude certain exit nodes (optional)
# ExcludeExitNodes {RU},{CN},{KP}
# Circuit building timeout
CircuitBuildTimeout 60
EOF
```
Enable and start Tor:

```sh
# Enable on boot
/etc/init.d/tor enable
# Start Tor
/etc/init.d/tor start
# Check status
ps | grep tor
logread | grep Tor
```
### Phase 3: Disable VPN on Tor Workers (Option A)

Only if going with the Tor-only strategy:

```sh
# On each worker 10-13
/etc/init.d/openvpn stop
/etc/init.d/openvpn disable
# Verify VPN is down
ip link show | grep tun  # Should show nothing
```
### Phase 4: Install Privoxy (HTTP Proxy Front-End)

Tor provides SOCKS, but we want an HTTP proxy like TinyProxy:

```sh
# Install Privoxy (converts HTTP to SOCKS)
opkg install privoxy
# Configure Privoxy
cat > /etc/privoxy/config << 'EOF'
# Listen for HTTP proxy requests (reachable from the master's HAProxy;
# keep this port off any untrusted interface)
listen-address 0.0.0.0:3128
# Forward everything to Tor's SOCKS port. With forward-socks5 the hostname
# is handed to Tor, so name resolution happens inside Tor, not on the worker.
forward-socks5 / 127.0.0.1:9050 .
# Logging
logdir /var/log
logfile privoxy
EOF
# Enable and start
/etc/init.d/privoxy enable
/etc/init.d/privoxy start
# Test
curl --proxy http://127.0.0.1:3128 http://check.torproject.org
```
Alternative: Keep TinyProxy and point it to Tor:
### Phase 5: Update Master HAProxy Configuration

Add a Tor-specific frontend and backend to the master's HAProxy configuration, and extend the existing worker backend to all 16 workers:

```
# Tor-Only Proxy Frontend
frontend tor_proxy
    bind *:9888
    mode http
    default_backend tor_nodes

# Tor Backend (4 nodes)
backend tor_nodes
    mode http
    balance roundrobin
    server tor1 17.0.0.10:3128 check
    server tor2 17.0.0.11:3128 check
    server tor3 17.0.0.12:3128 check
    server tor4 17.0.0.13:3128 check

# Update existing worker_proxy to include all 16 workers
backend worker_proxy
    mode http
    balance roundrobin
    # Tor workers (slower but private)
    server tor1 17.0.0.10:3128 check weight 50
    server tor2 17.0.0.11:3128 check weight 50
    server tor3 17.0.0.12:3128 check weight 50
    server tor4 17.0.0.13:3128 check weight 50
    # VPN workers (faster)
    server vpn1 17.0.0.14:3128 check weight 100
    server vpn2 17.0.0.15:3128 check weight 100
    # ... (continue for workers 16-25)
```

Explanation of weights:

- Tor nodes: weight 50 (get fewer requests, they're slower)
- VPN nodes: weight 100 (get more requests, they're faster)
- Weighted round-robin distributes proportionally
Restart HAProxy:
## Testing

### Test 1: Tor SOCKS Proxy Directly

```sh
# From your local machine. --socks5-hostname hands the hostname to Tor so the
# DNS lookup also goes through Tor; plain --socks5 would resolve it locally.
curl --socks5-hostname 17.0.0.10:9050 http://check.torproject.org/api/ip
# Expected output: {"IsTor": true, "IP": "some.tor.exit.ip"}
```
### Test 2: Tor via Privoxy HTTP Proxy

```sh
# Test single worker
curl --proxy http://17.0.0.10:3128 http://check.torproject.org/api/ip
# Expected: Tor exit IP
```

### Test 3: Tor via Master Load Balancer (Tor-only port)

```sh
export http_proxy=http://17.0.0.1:9888
export https_proxy=http://17.0.0.1:9888
curl http://check.torproject.org/api/ip
# Run multiple times to see round-robin through 4 Tor nodes
for i in {1..8}; do
  echo "Request $i: $(curl -s http://check.torproject.org/api/ip | grep IP)"
  sleep 2  # Tor circuits take time
done
```

### Test 4: Mixed Traffic (VPN + Tor)

```sh
export http_proxy=http://17.0.0.1:8888
export https_proxy=http://17.0.0.1:8888
# This should now balance across all 16 workers
# Some requests via Tor (slower), some via VPN (faster)
for i in {1..20}; do
  echo "Request $i: $(curl -s http://ipinfo.io/ip)"
  sleep 1
done
```
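Added example (my code, not part of the original plan) that serves Tests 3 and 4 and the weight explanation under Phase 5: it tallies a batch of /api/ip responses, fails on any non-Tor exit seen through the Tor-only port, and computes the Tor share the HAProxy weights imply; four servers at weight 50 against twelve at weight 100 is about 14% Tor, so the 80/20 split quoted under Performance Considerations is closer to 86/14 with these weights. The sample responses and IP addresses are constructed.

```shell
#!/bin/sh
# Added example, not part of the original plan: tally a batch of
# check.torproject.org/api/ip responses collected through one proxy port and
# compare the observed Tor share with what the HAProxy weights imply.

# Share (percent) the Tor backend gets under weighted round-robin:
# tor_nodes*tor_weight / (tor_nodes*tor_weight + vpn_nodes*vpn_weight)
expected_tor_share() {
    tor_total=$(( $1 * $2 ))
    vpn_total=$(( $3 * $4 ))
    echo $(( 100 * tor_total / (tor_total + vpn_total) ))
}

# Read one JSON response per line on stdin, e.g. {"IsTor":true,"IP":"198.51.100.10"},
# and print "tor=<n> clear=<n> distinct_ips=<n>".
summarize_exits() {
    tor=0; clear=0; ips=""
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        istor=$(printf '%s\n' "$line" | sed -n 's/.*"IsTor"[[:space:]]*:[[:space:]]*\([a-z]*\).*/\1/p')
        ip=$(printf '%s\n' "$line" | sed -n 's/.*"IP"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
        if [ "$istor" = "true" ]; then tor=$((tor + 1)); else clear=$((clear + 1)); fi
        ips="$ips $ip"
    done
    distinct=$(printf '%s\n' $ips | sed '/^$/d' | sort -u | wc -l | tr -d ' ')
    echo "tor=$tor clear=$clear distinct_ips=$distinct"
}

# On the Tor-only port (9888) a single non-Tor exit means a request reached a
# VPN worker or bypassed Tor; return 1 so a test loop can fail on it.
assert_tor_only() {
    summary=$(summarize_exits)
    case "$summary" in
        *" clear=0 "*) return 0 ;;
        *) echo "non-Tor exit on Tor-only endpoint: $summary" >&2; return 1 ;;
    esac
}

# Constructed sample responses (documentation IP ranges, not real exits).
SAMPLE_MIXED='{"IsTor":true,"IP":"198.51.100.10"}
{"IsTor":false,"IP":"203.0.113.7"}
{"IsTor":true,"IP":"198.51.100.10"}
{"IsTor":false,"IP":"203.0.113.8"}
{"IsTor":false,"IP":"203.0.113.7"}'
SAMPLE_TOR_ONLY='{"IsTor":true,"IP":"198.51.100.10"}
{"IsTor":true,"IP":"198.51.100.11"}'
```

To use it on live traffic, pipe the output of the Test 3 or Test 4 loop (one /api/ip response per line) into summarize_exits or assert_tor_only.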
## Hidden Services (Optional Bonus)

### Deploy SSH Hidden Service on Each Tor Node

Why?

- Access your routers from anywhere via .onion address
- No port forwarding, no static IP needed
- Fully encrypted through Tor

Setup on worker 10:

```sh
ssh root@17.0.0.10
# Install hidden service package
opkg install tor-hs
# Configure SSH hidden service
cat > /etc/config/tor-hs << 'EOF'
config hidden-service
    option Name 'sshd'
    option Description 'SSH access via Tor'
    option Enabled '1'
    option IPv4 '127.0.0.1'
    list PublicLocalPort '22;22'
EOF
# Enable and start
/etc/init.d/tor-hs enable
/etc/init.d/tor-hs start
# Get your .onion address
# (if this file is missing, look up the HiddenServiceDir that tor-hs wrote into Tor's config)
cat /var/lib/tor/hidden_service/hostname
# Example output: abc123xyz456.onion
```

Access from anywhere:

```sh
# On your laptop (with Tor Browser or torsocks installed)
torsocks ssh root@abc123xyz456.onion
# Or configure ssh to use Tor (OpenBSD-style nc: -X 5 = SOCKS5, -x = proxy address)
ssh -o ProxyCommand="nc -X 5 -x localhost:9050 %h %p" root@abc123xyz456.onion
```

Repeat for workers 11, 12, 13 - each gets a unique .onion address.
## Performance Considerations

### Tor vs VPN Speed Comparison

VPN Workers (14-25):

- Latency: ~100-300ms
- Bandwidth: Near full speed
- Use for: General browsing, streaming, fast downloads

Tor Workers (10-13):

- Latency: ~500ms-2000ms (3+ hops through Tor network)
- Bandwidth: ~1-5 Mbps typically
- Use for: Anonymous browsing, accessing .onion sites, maximum privacy

### Weighted Load Balancing Strategy

With weights configured:

- 80% of traffic → VPN workers (fast)
- 20% of traffic → Tor workers (private)

Or offer separate endpoints:

- Port 8888 → All workers (mixed)
- Port 9888 → Tor only (slow but anonymous)
- Port 8888 (existing) → VPN only (remove Tor workers)
## Security Considerations

### DNS Leaks

- Tor handles DNS automatically (DNSPort 9053)
- Privoxy forwards all DNS through Tor (forward-socks5 hands the hostname to Tor instead of resolving it on the worker)
- No DNS leaks on the HTTP proxy path; clients talking SOCKS directly must use a hostname-forwarding mode (curl --socks5-hostname, not --socks5) or they resolve names locally ✅

### Traffic Analysis

- Tor over VPN: Hides Tor usage from ISP, but may correlate traffic
- Tor only: ISP sees Tor usage, but can't correlate (more standard)
- Recommendation: Tor-only for best privacy

### Exit Node Selection

```
# In /etc/tor/torrc, exclude certain countries
ExcludeExitNodes {RU},{CN},{KP},{IR},{SY}
StrictNodes 1
```

### Circuit Isolation

Tor automatically creates new circuits for different destinations, preventing correlation.
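Added example (my code, not from the original plan) that reviews a torrc for three settings in this plan's configuration a defender would double-check: a SocksPort bound to every interface with no SocksPolicy, a ControlPort with no authentication, and a SocksPort without IsolateDestAddr (by default Tor isolates streams by client address and SOCKS port, not by destination, so everything arriving from the local Privoxy can share a circuit). The sample torrc strings are constructed from this plan's settings.

```shell
#!/bin/sh
# Added example, not part of the original plan: review a torrc for settings
# that weaken the worker's own security. Reads the torrc on stdin, prints
# one finding per line and returns the number of findings.

# Print the value of the first uncommented occurrence of option $2 in config $1.
torrc_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" | head -n 1
}

review_torrc() {
    cfg=$(cat)
    findings=0
    socks=$(torrc_value "$cfg" SocksPort)
    # 1. SOCKS bound on every interface with no SocksPolicy: any LAN host can use it.
    case "$socks" in
        0.0.0.0:*|"[::]:"*)
            if [ -z "$(torrc_value "$cfg" SocksPolicy)" ]; then
                echo "SocksPort $socks: LAN-reachable with no SocksPolicy; bind 127.0.0.1 or add 'SocksPolicy accept <subnet>' and 'SocksPolicy reject *'"
                findings=$((findings + 1))
            fi ;;
    esac
    # 2. Tor isolates by client address and SOCKS port, not by destination, so all
    #    streams from the local Privoxy may share a circuit unless IsolateDestAddr is set.
    case "$socks" in
        *IsolateDestAddr*) ;;
        *) echo "SocksPort $socks: no IsolateDestAddr, streams to different sites can share a circuit"
           findings=$((findings + 1)) ;;
    esac
    # 3. Control port with no authentication: any local process can drive Tor.
    ctrl=$(torrc_value "$cfg" ControlPort)
    if [ -n "$ctrl" ] && [ "$(torrc_value "$cfg" CookieAuthentication)" != "1" ] \
        && [ -z "$(torrc_value "$cfg" HashedControlPassword)" ]; then
        echo "ControlPort $ctrl: no authentication; add 'CookieAuthentication 1'"
        findings=$((findings + 1))
    fi
    return $findings
}

# Constructed inputs: the relevant lines of this plan's torrc and a hardened variant.
PLAN_TORRC='SocksPort 0.0.0.0:9050
DNSPort 9053
ControlPort 9051'
HARDENED_TORRC='SocksPort 127.0.0.1:9050 IsolateDestAddr IsolateDestPort
DNSPort 9053
ControlPort 9051
CookieAuthentication 1'
```

Run it on a worker with `review_torrc < /etc/tor/torrc`; a non-zero exit status is the number of findings. Per-destination isolation costs extra circuits, so weigh it against the latency figures under Performance Considerations.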
## Monitoring

### Check Tor Status

```sh
# On any Tor worker
ssh root@17.0.0.10
# Check if Tor is running
ps | grep tor
# View Tor logs
logread | grep Tor | tail -20
# Check Tor circuits
# (Requires control port enabled. The controller must AUTHENTICATE before any
# other command; this succeeds with no credentials because the torrc sets no
# control-port authentication method.)
printf 'AUTHENTICATE\r\nGETINFO circuit-status\r\nQUIT\r\n' | nc 127.0.0.1 9051
```

### HAProxy Stats

Now shows:

- 4 Tor workers (slower response times)
- 12 VPN workers (faster response times)
## Troubleshooting

### Tor Won't Start

```sh
# Check logs
logread | grep Tor
# Common issues:
# 1. Insufficient memory (Tor needs ~128MB)
# 2. Firewall blocking outbound 9001, 9030, 443
# 3. Clock skew (Tor requires accurate time)
# Fix clock
ntpd -q -p pool.ntp.org
```

### Slow Tor Performance

```
# Tune Tor config
# In /etc/tor/torrc:
MaxMemInQueues 1024 MB  # Increase if you have RAM
NumCPUs 4               # Match your router's cores
```

### Can't Access .onion Sites

```sh
# Verify Tor is answering DNS on the DNSPort (nslookup options go before the name).
# DNSPort answers NXDOMAIN for .onion names unless AutomapHostsOnResolve is set,
# so query a clearnet name here and test .onion reachability through SOCKS.
nslookup -port=9053 torproject.org 127.0.0.1
# Test Tor connectivity, letting Tor resolve the hostname
curl --socks5-hostname 127.0.0.1:9050 https://check.torproject.org
```
## Maintenance

### Updating Tor

### Rotating Circuits

Tor automatically rotates circuits every 10 minutes. To force:

### Backup Hidden Service Keys

```sh
# On each Tor worker. The archive holds the service's private key, which is the
# .onion identity itself: anyone with it can impersonate the service.
tar -czf /root/tor-hs-backup.tar.gz /var/lib/tor/hidden_service/
chmod 600 /root/tor-hs-backup.tar.gz
# Copy to master for safekeeping
scp /root/tor-hs-backup.tar.gz root@17.0.0.1:/root/backups/
```
## Configuration Files Reference

### /etc/tor/torrc

```
RunAsDaemon 1
DataDirectory /var/lib/tor
SocksPort 0.0.0.0:9050
DNSPort 9053
ControlPort 9051
Log notice syslog
MaxMemInQueues 512 MB
NumCPUs 2
CircuitBuildTimeout 60
```

### /etc/privoxy/config

### /etc/config/tor-hs (Hidden Service)

```
config hidden-service
    option Name 'sshd'
    option Description 'SSH via Tor'
    option Enabled '1'
    option IPv4 '127.0.0.1'
    list PublicLocalPort '22;22'
```
## Summary

What You Get:

- 4 Tor nodes (17.0.0.10-13) providing onion routing
- 12 VPN nodes (17.0.0.14-25) providing fast anonymous access
- Dual proxy endpoints:
  - Port 8888: Mixed VPN+Tor (smart weighted balancing)
  - Port 9888: Tor-only (maximum privacy)
- Optional: SSH access via .onion hidden services
- All integrated with existing HAProxy infrastructure

Recommended Configuration:

- Workers 10-13: Tor-only (no VPN, cleaner/faster)
- Workers 14-25: VPN-only (existing setup)
- Master HAProxy: Weighted round-robin (80% VPN, 20% Tor)

Next Steps:

1. Review this plan
2. Decide: Tor-only vs Tor+VPN for workers 10-13
3. Deploy to one worker first (17.0.0.10) as proof of concept
4. Test thoroughly
5. Roll out to workers 11, 12, 13
6. Update master HAProxy config
7. Enjoy anonymous onion routing! 🧅