9.0 KiB
Tor
Install tor. On Linux you can probably install a package called tor
and
be done, otherwise compile it. On Windows download this binary:
https://www.torproject.org/download/tor/.
Find your torrc. On Linux it is probably at /etc/tor/torrc
.
On Windows it might be somewhere in %appdata%\tor
or something.
Background
A Tor hidden service is a regular TCP service that you talk to via a 6-hop circuit created inside the Tor network. You initiate the creation of this circuit by providing tor with the service's hostname, a long base32-encoded string ending in ".onion". This hostname is derived from a pair of cryptographic keys generated by the hidden service operator.
A TCP service is a computer program you interact with over the Internet using TCP. TCP is a low-level networking protocol that sits above IP and creates a reliable "connection" between two computers. It handles the reordering and resending of packets that are shuffled or lost in transit on the Internet, such that the bytes sent from one computer will match exactly the bytes that arrive at the other (barring active interference (MITM), TCP is not secure). Getting reliability for free greatly simplifies the creation of network applications, and for this reason and other historical reasons TCP is ubiquitous on the Internet to this day. Many applications use TCP, for example IRC, SSH, RTMP, Minecraft, and HTTP (like us here).
Configuration
We are now going to create a hidden service. We need to give tor a
directory to store the keys it generates, the location of our existing
TCP service, and a virtual TCP port to listen on. There are two
directives we have to add to our torrc: HiddenServiceDir
and
HiddenServicePort
. (There is a commented-out section in the default
torrc for hidden services, you may wish to make these changes there.)
HiddenServiceDir
HiddenServiceDir
sets the directory for the hidden service's keys and
other data. You could choose any directory, but you should make sure
it's owned by the user the tor daemon runs as, and the directory's
permissions are 0700/drwx------
(rwx
for user, ---
for group and
everyone else).
If you configure this in a way tor doesn't like, tor will kill itself and complain in one of these two ways:
Jun 11 23:21:17.000 [warn] Directory /home/n9k/projects/anonstream/hidden_service cannot be read: Permission denied
Jun 12 02:37:51.036 [warn] Permissions on directory /var/lib/tor/anonstream are too permissive.
The simplest option is to copy the examples provided in the torrc, on
Linux that would probably be a directory inside /var/lib/tor
, e.g.
HiddenServiceDir /var/lib/tor/anonstream
. tor will create this
directory itself with the uid, gid, and permissions that it likes, which
for me are these:
Access: (0700/drwx------) Uid: ( 42/ tor) Gid: ( 42/ tor)
HiddenServiceDir
troubleshooting
If you created the directory yourself and gave it the wrong permissions or uid or gid, delete the directory and let tor create it itself, or do this:
# chown -R tor:tor /var/lib/tor/anonstream
# chmod 0700 /var/lib/tor/anonstream
# chmod 0600 /var/lib/tor/anonstream/*
# chmod 0700 /var/lib/tor/anonstream/*/
If the user and group tor
do not exist, your tor daemon runs as some
other user. There may be a User
directive in your torrc or in a file
included by your torrc, for example on Debian it's User debian-tor
.
This means that a tor process running as root will immediately drop
privileges by switching to the user debian-tor
. The user's primary
group should have the same name, check like this as root:
# id debian-tor
.
On Linux, if tor is already running you can see what user and group it is running as like this:
$ ps -C tor -o uid,gid,cmd
UID GID CMD
42 42 tor --quiet --runasdaemon 0
$ cat /etc/passwd | grep :42: | cut -f 1 -d : # 42 is the UID here
tor
$ cat /etc/group | grep :42: | cut -f 1 -d : # 42 is the GID here
tor
Alternatively you could specify a directory inside the cloned
repository, e.g. /home/delphine/Documents/anonstream/hidden_service
or something like that. This will only work if the tor daemon has rwx
permissions on the directory and at least r-x
permissions on all the
directories above it. This is probably not the case for you since your
home folder might have 0700/drwx------
permissions. If you
installed tor as a package, the daemon probably runs as its own user
(e.g. debian-tor
on Debian, tor
on Arch/Gentoo). If you want to
figure this out yourself go ahead. I would advise just using
/var/lib/tor/anonstream
though.
HiddenServicePort
Include this line verbatim directly below the HiddenServiceDir
line:
HiddenServicePort 80 127.0.0.1:5051
tor will listen for connections to our onion address at virtual port 80 (the conventional HTTP port), and it will forward traffic to the TCP service at 127.0.0.1:5051, which is our webserver.
Finish
Example configuration:
HiddenServiceDir /var/lib/tor/anonstream
HiddenServicePort 80 127.0.0.1:5051
Reload tor to make it reread its torrc: # pkill -HUP tor
. With
systemd you can alternatively do # systemctl reload tor
. If
everything went well, the directory will have been created and your
onion address will be in $HIDDEN_SERVICE_DIR/hostname
.
OBS Studio
Install OBS Studio. If the autoconfiguration wizard prompts you to choose a third-party service, ignore it since we're not going to be using a third-party service.
Click Settings
and set these:
- Advanced
- Recording
- Filename Formatting:
stream
- Overwrite if file exists: yes
- Filename Formatting:
- Recording
- Video
- Output (Scaled) Resolution:
960x540
or lower, or whatever you want - Common FPS Values: any integer framerate (e.g. 30 or 60)
- Output (Scaled) Resolution:
- Output
- Output Mode:
Advanced
- Recording:
+----------------------------+-------------------------------------+ | Field | Value | +============================+=====================================+ | Type | `Custom Output (FFmpeg)` | +----------------------------+-------------------------------------+ | FFmpeg Output Type | `Output to File` | +----------------------------+-------------------------------------+ | File path or URL | same as the `segments/directory` | | | option in config.toml, but make it | | | an absolute path | +----------------------------+-------------------------------------+ | Container Format | `hls` | +----------------------------+-------------------------------------+ | Muxer Settings (if any) | `hls_init_time=0 hls_time=2 ` | | | `hls_list_size=120 ` | | | `hls_flags=delete_segments ` | | | `hls_segment_type=fmp4` | +----------------------------+-------------------------------------+ | Video bitrate | `420 Kbps` or lower, or whatever | | | you want | +----------------------------+-------------------------------------+ | Keyframe interval (frames) | `framerate` * `hls_time`, e.g. for | | | 60fps and an `hls_time` of 2 | | | seconds, set this to 120 | +----------------------------+-------------------------------------+ | Video Encoder | libx264, or an H.264 hardware | | | encoder (e.g. `h264_nvenc` for | | | Nvidia, [see here][ffmpeg]) | +----------------------------+-------------------------------------+ | Audio Bitrate | `96 Kbps`, or whatever you want | +----------------------------+-------------------------------------+ | Audio Encoder | `aac` | +----------------------------+-------------------------------------+
- Output Mode:
If this table looks garbled, read this file as plaintext or click here and scroll to the bottom.
To start streaming click Start Recording
.
When it is recording, segments older than four minutes will be regularly
deleted, and when it stops recording the last four minutes worth of
segments will remain the segments directory. (You can change the number
of kept segments by modifying the hls_list_size
option in the muxer
settings.) When it is not recording, you can delete the files in the
segments directory without consequence. Old segments will never be sent
over the network even if they are not deleted.