### Tor

Install tor. On Linux you can probably install a package called `tor` and
be done, otherwise [compile it][tor]. On Windows download it from
<https://www.torproject.org/download/tor/>.

Find your [torrc][torrc]. On Linux it is probably at `/etc/tor/torrc`.
On Windows it is probably somewhere under `%appdata%\tor`.

#### Background

A Tor hidden service (called an "onion service" in Tor's current
documentation, though the torrc directives still say `HiddenService`)
is a regular TCP service that you talk to via a 6-hop circuit created
inside the Tor network, so neither you nor the service learns the
other's IP address. You initiate the creation of this circuit by
providing tor with the service's hostname, a 56-character
base32-encoded string ending in ".onion". This hostname is derived from
the public half of an Ed25519 key pair generated by the hidden service
operator: the address *is* the public key (plus a two-byte checksum and
a version byte), which is why it cannot be chosen freely and why whoever
holds the matching secret key can prove they are the service the
address names.

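The derivation just described, as an added example that is not part of anonstream or of tor itself: it builds a v3 onion address from an Ed25519 public key the way tor's rend-spec-v3 specifies (base32 of the public key, two checksum bytes taken from SHA3-256, and a version byte of 3), reads the key out of the `hs_ed25519_public_key` file tor writes into `HiddenServiceDir` (a 32-byte tagged header followed by the raw 32-byte key), and validates an address you are handed. `DEMO_PUBKEY` is 32 constructed bytes, not a real service key, so the address it produces belongs to nobody.

```python
# Added example (not part of anonstream or tor): derive a v3 onion address
# from an Ed25519 public key as rend-spec-v3 defines it, and validate one.
# Standard library only (hashlib has SHA3-256 since Python 3.6).
import base64
import hashlib

ONION_VERSION = 3
# Tagged header tor puts in front of the key in hs_ed25519_public_key.
PUBKEY_FILE_HEADER = b"== ed25519v1-public: type0 ==".ljust(32, b"\x00")


def onion_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || PUBKEY || VERSION)."""
    h = hashlib.sha3_256()
    h.update(b".onion checksum")
    h.update(pubkey)
    h.update(bytes([ONION_VERSION]))
    return h.digest()[:2]


def onion_address(pubkey: bytes) -> str:
    """32-byte public key -> '<56 base32 chars>.onion'."""
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + bytes([ONION_VERSION])
    # 35 bytes = 280 bits = exactly 56 base32 characters, so no '=' padding.
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def pubkey_from_onion(address: str) -> bytes:
    """Inverse of onion_address; raises ValueError if the address is bad."""
    name = address.lower().removesuffix(".onion")
    if len(name) != 56:
        raise ValueError("v3 onion addresses are 56 characters before .onion")
    try:
        raw = base64.b32decode(name.upper())
    except Exception as exc:  # binascii.Error on non-base32 input
        raise ValueError("address is not base32") from exc
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    if version != ONION_VERSION:
        raise ValueError(f"unsupported onion address version {version}")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch: mistyped or tampered address")
    return pubkey


def is_valid_onion(address: str) -> bool:
    try:
        pubkey_from_onion(address)
        return True
    except ValueError:
        return False


def pubkey_from_key_file(data: bytes) -> bytes:
    """Parse the 64-byte hs_ed25519_public_key file: header, then raw key."""
    if len(data) != 64 or data[:32] != PUBKEY_FILE_HEADER:
        raise ValueError("not a tor hs_ed25519_public_key file")
    return data[32:]


# Constructed demo key: NOT a real service key, just 32 deterministic bytes.
DEMO_PUBKEY = bytes(range(32))
DEMO_KEY_FILE = PUBKEY_FILE_HEADER + DEMO_PUBKEY


def demo() -> dict:
    addr = onion_address(pubkey_from_key_file(DEMO_KEY_FILE))
    return {
        "address": addr,
        "valid": is_valid_onion(addr),
        "round_trip": pubkey_from_onion(addr) == DEMO_PUBKEY,
        # The last character carries the low bits of the version byte, so
        # changing it turns a v3 address into something tor would reject.
        "tampered_valid": is_valid_onion(addr[:-7] + "a.onion"),
    }


if __name__ == "__main__":
    print(demo())
```

Two things fall out of the encoding that are worth knowing when someone sends you an address: every v3 address ends in `d` (the low five bits of the version byte), and a single mistyped character is almost certainly caught by the checksum rather than silently naming a different service. Comparing `onion_address(pubkey_from_key_file(...))` with the contents of `hostname` is also a cheap way to confirm the two files in your `HiddenServiceDir` belong together.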
A TCP service is a computer program you interact with over the Internet
using TCP. TCP is a low-level networking protocol that sits above IP
and creates a reliable "connection" between two computers. It handles
the reordering and resending of packets that are shuffled or lost in
transit on the Internet, such that the bytes sent from one computer will
match exactly the bytes that arrive at the other. This is reliability,
not security: TCP has no defence against an active attacker in the path
(a MITM) who alters, injects or drops segments, which is why anything
that needs confidentiality or integrity layers something like TLS on
top. (Inside a Tor circuit the bytes are encrypted end to end between
the client and the onion service, so a plain-HTTP onion service is not
exposed the way a plain-HTTP clearnet site is.) Getting reliability for
free greatly simplifies the creation of network applications, and for
this reason and other historical reasons TCP is ubiquitous on the
Internet to this day. Many applications use TCP, for example IRC, SSH,
RTMP, Minecraft, and HTTP (like us here).

#### Configuration

We are now going to create a hidden service. We need to give tor a
directory to store the keys it generates, the location of our existing
TCP service, and a virtual TCP port to listen on. There are two
directives we have to add to our torrc: `HiddenServiceDir` and
`HiddenServicePort`. (There is a commented-out section in the default
torrc for hidden services; you may wish to make these changes there.)

##### `HiddenServiceDir`

`HiddenServiceDir` sets the directory for the hidden service's keys and
other data. You could choose any directory, but you should make sure
it's owned by the user the tor daemon runs as, and the directory's
permissions are `0700/drwx------` (`rwx` for user, `---` for group and
everyone else). This directory will contain `hs_ed25519_secret_key`;
anyone who can read that file can impersonate your onion address, which
is why tor refuses to use a directory that other users can get into.

If you configure this in a way tor doesn't like, tor will refuse to run
with that configuration: it exits (also on a reload, so check the log
after every `HUP`) and complains in one of these two ways:

```
Jun 11 23:21:17.000 [warn] Directory /home/n9k/projects/anonstream/hidden_service cannot be read: Permission denied
```

```
Jun 12 02:37:51.036 [warn] Permissions on directory /var/lib/tor/anonstream are too permissive.
```

The simplest option is to copy the examples provided in the torrc, on
Linux that would probably be a directory inside `/var/lib/tor`, e.g.
`HiddenServiceDir /var/lib/tor/anonstream`. tor will create this
directory itself with the uid, gid, and permissions that it likes, which
for me are these:

```
Access: (0700/drwx------) Uid: ( 42/ tor) Gid: ( 42/ tor)
```

###### `HiddenServiceDir` troubleshooting

If you created the directory yourself and gave it the wrong permissions
or uid or gid, delete the directory and let tor create it itself, or do
this:

```
# chown -R tor:tor /var/lib/tor/anonstream    # owner and group: tor's user
# chmod 0700 /var/lib/tor/anonstream          # the directory itself
# chmod 0600 /var/lib/tor/anonstream/*        # key files: owner read/write only
# chmod 0700 /var/lib/tor/anonstream/*/       # subdirectories (e.g. authorized_clients)
```

If the user and group `tor` do not exist, your tor daemon runs as some
other user. There may be a `User` directive in your torrc or in a file
included by your torrc, for example on Debian it's `User debian-tor`.
This means that a tor process started as root will immediately drop
privileges by switching to the user `debian-tor`. The user's primary
group should have the same name; check like this (no root needed):
`$ id debian-tor`.

On Linux, if tor is already running you can see what user and group it is
running as like this:

```
$ ps -C tor -o uid,gid,cmd
  UID   GID CMD
   42    42 tor --quiet --runasdaemon 0
$ getent passwd 42 | cut -d : -f 1   # name of UID 42 from the line above
tor
$ getent group 42 | cut -d : -f 1    # name of GID 42 from the line above
tor
```

`getent` looks the id up through NSS (so it also works for users that
come from LDAP or systemd-homed rather than `/etc/passwd`), and unlike
grepping for `:42:` it cannot match an unrelated line. Alternatively,
`ps -C tor -o user,group,cmd` prints the names directly.

Alternatively you could specify a directory inside the cloned
repository, e.g. `/home/delphine/Documents/anonstream/hidden_service`
or something like that. This will only work if the tor daemon has `rwx`
permissions on the directory and at least `--x` (search) permission on
all the directories above it. This is probably not the case for you
since your home folder might have `0700/drwx------` permissions. If you
installed tor as a package, the daemon probably runs as its own user
(e.g. `debian-tor` on Debian, `tor` on Arch/Gentoo). If you want to
figure this out yourself go ahead. I would advise just using
`/var/lib/tor/anonstream` though.

##### `HiddenServicePort`

Include this line verbatim directly below the `HiddenServiceDir` line:

```
HiddenServicePort 80 127.0.0.1:5051
```

tor will listen for connections to our onion address at virtual port 80
(the conventional HTTP port), and it will forward traffic to the TCP
service at 127.0.0.1:5051, which is our webserver. The virtual port is
the only port visitors can reach; 5051 never has to be (and should not
be) open to the Internet. Make sure the webserver itself binds only to
127.0.0.1 and not to `0.0.0.0`: if it also answers on a public address,
the same content is reachable directly, and anyone who finds it can tie
the onion address to your IP address.

##### Finish

Example configuration:

```
HiddenServiceDir /var/lib/tor/anonstream
HiddenServicePort 80 127.0.0.1:5051
```

Reload tor to make it reread its torrc: `# pkill -HUP tor`. With
systemd you can alternatively do `# systemctl reload tor`. If
everything went well, the directory will have been created and your
onion address will be in `$HIDDEN_SERVICE_DIR/hostname`. The same
directory holds `hs_ed25519_secret_key`, the only thing that makes that
address yours: back it up somewhere private if you want to keep the
address across reinstalls, and if a copy ever ends up in the wrong
hands, delete the directory and reload tor to get a fresh address.

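As an added check (example code, not part of anonstream or tor), here is a script that does the verification from this section programmatically: it parses the `HiddenServiceDir`/`HiddenServicePort` lines out of a torrc, applies the same ownership and `0700` test tor applies to the directory, flags a `HiddenServicePort` target that is not a loopback address, and reads `hostname`. The torrc fragment in `demo()` is constructed, the directory it points at is a scratch directory, and the uid it checks against is the current user's; on a real box pass your real torrc text and the uid from `id debian-tor` (or whatever `ps` showed).

```python
# Added example (not part of anonstream or tor): audit the HiddenService*
# directives of a torrc against the checks tor itself applies, and flag
# forwarding targets that would expose the service outside Tor.
import os
import shutil
import stat
import tempfile
from pathlib import Path

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1", "[::1]"}


def parse_hidden_services(torrc_text):
    """[(hidden_service_dir, [(virtport, target), ...]), ...] in torrc order.
    Keywords are case-insensitive, '#' starts a comment, and a
    HiddenServicePort without a target means 127.0.0.1:<virtport>."""
    services = []
    for raw in torrc_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        keyword = parts[0].lower()
        if keyword == "hiddenservicedir" and len(parts) == 2:
            services.append((parts[1], []))
        elif keyword == "hiddenserviceport" and len(parts) in (2, 3):
            if not services:
                raise ValueError("HiddenServicePort before any HiddenServiceDir")
            virtport = int(parts[1])
            target = parts[2] if len(parts) == 3 else f"127.0.0.1:{virtport}"
            services[-1][1].append((virtport, target))
    return services


def check_stat(st_mode, st_uid, expected_uid):
    """Pure check on stat() values: a directory, owned by tor's uid, mode 0700."""
    problems = []
    if not stat.S_ISDIR(st_mode):
        problems.append("not a directory")
    if st_uid != expected_uid:
        problems.append(f"owned by uid {st_uid}, but tor runs as uid {expected_uid}")
    mode = stat.S_IMODE(st_mode)
    if mode & 0o077:  # any group/other bit set -> "too permissive" in tor's log
        problems.append(f"mode {mode:04o} is too permissive, tor wants 0700")
    return problems


def audit_dir(path, expected_uid):
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["does not exist yet (fine: tor creates it on reload)"]
    return check_stat(st.st_mode, st.st_uid, expected_uid)


def audit_ports(ports):
    """Flag targets reachable from the clearnet; those bypass Tor entirely."""
    problems = []
    for virtport, target in ports:
        if target.startswith("unix:"):
            continue  # unix socket targets are local by construction
        host = target.rsplit(":", 1)[0] if ":" in target else target
        if host not in LOOPBACK_HOSTS:
            problems.append(f"virtual port {virtport} forwards to {target}, not loopback")
    return problems


def read_hostname(hs_dir):
    """The .onion address tor wrote, or None if tor has not created it yet."""
    path = Path(hs_dir) / "hostname"
    return path.read_text().strip() if path.is_file() else None


def audit_torrc(torrc_text, tor_uid):
    return {
        hs_dir: {
            "dir_problems": audit_dir(hs_dir, tor_uid),
            "port_problems": audit_ports(ports),
            "hostname": read_hostname(hs_dir),
        }
        for hs_dir, ports in parse_hidden_services(torrc_text)
    }


def demo():
    """Audit a constructed torrc pointing at a scratch directory. mkdtemp()
    makes it 0700 and owned by us, the state tor leaves a HiddenServiceDir
    in, so the report should be clean."""
    scratch = tempfile.mkdtemp()
    try:
        torrc = (
            "# constructed torrc fragment for this demo\n"
            f"HiddenServiceDir {scratch}\n"
            "HiddenServicePort 80 127.0.0.1:5051\n"
        )
        return audit_torrc(torrc, os.getuid())[scratch]
    finally:
        shutil.rmtree(scratch)
```

Run it as the tor user (or as root) so `os.stat` is allowed into `/var/lib/tor`; the "too permissive" test is deliberately the same `mode & 0o077` check that produces the second warning shown above.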
### OBS Studio

Install OBS Studio. If the autoconfiguration wizard prompts you to
choose a third-party service, ignore it since we're not going to be
using a third-party service.

Click `Settings` and set these:

* Advanced
    * Recording
        * Filename Formatting: `stream`
        * Overwrite if file exists: yes
* Video
    * Output (Scaled) Resolution: `960x540` or lower, or whatever you want
    * Common FPS Values: any integer framerate (e.g. 30 or 60)
* Output
    * Output Mode: `Advanced`
    * Recording:

```
+----------------------------+-------------------------------------+
| Field                      | Value                               |
+============================+=====================================+
| Type                       | `Custom Output (FFmpeg)`            |
+----------------------------+-------------------------------------+
| FFmpeg Output Type         | `Output to File`                    |
+----------------------------+-------------------------------------+
| File path or URL           | same as the `segments/directory`    |
|                            | option in config.toml, but make it  |
|                            | an absolute path                    |
+----------------------------+-------------------------------------+
| Container Format           | `hls`                               |
+----------------------------+-------------------------------------+
| Muxer Settings (if any)    | `hls_init_time=0 hls_time=2 `       |
|                            | `hls_list_size=120 `                |
|                            | `hls_flags=delete_segments `        |
|                            | `hls_segment_type=fmp4`             |
+----------------------------+-------------------------------------+
| Video bitrate              | `420 Kbps` or lower, or whatever    |
|                            | you want                            |
+----------------------------+-------------------------------------+
| Keyframe interval (frames) | `framerate` * `hls_time`, e.g. for  |
|                            | 60fps and an `hls_time` of 2        |
|                            | seconds, set this to 120            |
+----------------------------+-------------------------------------+
| Video Encoder              | libx264, or an H.264 hardware       |
|                            | encoder (e.g. `h264_nvenc` for      |
|                            | Nvidia, [see here][ffmpeg])         |
+----------------------------+-------------------------------------+
| Audio Bitrate              | `96 Kbps`, or whatever you want     |
+----------------------------+-------------------------------------+
| Audio Encoder              | `aac`                               |
+----------------------------+-------------------------------------+
```

> *If this table looks garbled, read this file as plaintext or [click
> here][plaintext] and scroll to the bottom.*

To start streaming click `Start Recording`.

When it is recording, segments older than four minutes (`hls_list_size`
of 120 segments times an `hls_time` of 2 seconds) will be regularly
deleted, and when it stops recording the last four minutes' worth of
segments will remain in the segments directory. (You can change the
number of kept segments by modifying the `hls_list_size` option in the
muxer settings.) When it is not recording, you can delete the files in
the segments directory without consequence. Old segments will never be
sent over the network even if they are not deleted.

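To see whether the muxer settings actually took effect, look at the `stream.m3u8` playlist ffmpeg writes into the segments directory. The following is an added example (not part of anonstream or OBS) of a small playlist checker: it parses the playlist and compares it with the table above, expecting an `EXT-X-MAP` tag (written only for `fmp4` segments), at most `hls_list_size` entries, and segment durations close to `hls_time`. Both playlists in the block are constructed; the second imitates what you get with MPEG-TS segments and x264's default 250-frame keyframe interval at 60 fps, where the muxer can only cut on the next keyframe and every segment comes out about 4.17 s long.

```python
# Added example (not part of anonstream or OBS): parse the HLS playlist the
# FFmpeg muxer writes and check it against the OBS settings from the table.
import re

# Constructed sample of stream.m3u8 mid-stream with hls_segment_type=fmp4
# and hls_time=2: three segments, media sequence 118..120.
SAMPLE_PLAYLIST = """\
#EXTM3U
#EXT-X-VERSION:7
#EXT-X-TARGETDURATION:2
#EXT-X-MEDIA-SEQUENCE:118
#EXT-X-MAP:URI="init.mp4"
#EXTINF:2.000000,
stream118.m4s
#EXTINF:2.000000,
stream119.m4s
#EXTINF:2.000000,
stream120.m4s
"""

# Constructed playlist from a misconfigured encoder: MPEG-TS segments (no
# EXT-X-MAP) and a 250-frame keyframe interval at 60 fps, so the muxer could
# only cut at the next keyframe and each segment ran to 250/60 s.
BAD_PLAYLIST = """\
#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:5
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:4.166667,
stream0.ts
#EXTINF:4.166667,
stream1.ts
"""


def parse_playlist(text):
    """Minimal media-playlist parser: init URI, target duration, segments."""
    playlist = {"init_uri": None, "target_duration": None,
                "media_sequence": 0, "segments": []}
    pending_duration = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#EXT-X-MAP:"):
            m = re.search(r'URI="([^"]*)"', line)
            playlist["init_uri"] = m.group(1) if m else None
        elif line.startswith("#EXT-X-TARGETDURATION:"):
            playlist["target_duration"] = int(line.split(":", 1)[1])
        elif line.startswith("#EXT-X-MEDIA-SEQUENCE:"):
            playlist["media_sequence"] = int(line.split(":", 1)[1])
        elif line.startswith("#EXTINF:"):
            pending_duration = float(line.split(":", 1)[1].split(",", 1)[0])
        elif line.startswith("#"):
            continue  # other tags and comments
        else:
            if pending_duration is None:
                raise ValueError(f"segment {line} has no preceding EXTINF")
            playlist["segments"].append((pending_duration, line))
            pending_duration = None
    return playlist


def retention_seconds(hls_time, hls_list_size):
    """Most the playlist ever advertises: 2 s * 120 segments = 240 s."""
    return hls_time * hls_list_size


def check_playlist(playlist, hls_time=2.0, hls_list_size=120):
    """Return problems found (empty list means it matches the settings)."""
    problems = []
    if playlist["init_uri"] is None:
        problems.append("no EXT-X-MAP tag: segments are not fMP4 "
                        "(hls_segment_type=fmp4 not applied)")
    if len(playlist["segments"]) > hls_list_size:
        problems.append(f"{len(playlist['segments'])} segments listed, "
                        f"hls_list_size is {hls_list_size}")
    for duration, uri in playlist["segments"]:
        # The muxer can only cut at keyframes; a segment much longer than
        # hls_time means the keyframe interval is not framerate * hls_time.
        if duration > 1.5 * hls_time:
            problems.append(f"{uri} lasts {duration:.2f}s, expected about "
                            f"{hls_time}s: check the keyframe interval")
    return problems


def playlist_span(playlist):
    """Seconds of video currently reachable through the playlist."""
    return sum(duration for duration, _ in playlist["segments"])
```

`check_playlist(parse_playlist(open("/path/to/segments/stream.m3u8").read()))` while OBS is recording should return an empty list with the settings from the table; `playlist_span` tells you how far behind a viewer who joins now can seek, which tops out at `retention_seconds(2, 120)`.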
[tor]: https://gitlab.torproject.org/tpo/core/tor
[torrc]: https://support.torproject.org/#tbb-editing-torrc
[ffmpeg]: https://trac.ffmpeg.org/wiki/HWAccelIntro
[plaintext]: https://git.076.ne.jp/ninya9k/anonstream/raw/branch/master/STREAMING.md