Restricting Tor client access by country
26/11/24
There's no denying Tor can be used for good or bad, but by allowing users from only certain countries your guard relay, obfs4 bridge or snowflake will more likely be used to positive rather than negative effect. Whilst criminals and whacko conspiracy theorists are present the world over, the proportion of them among Tor users is lower under repressive regimes than in more open jurisdictions, as under the former more people will adopt Tor to source outside information otherwise unavailable to them.
Ok, the above was stated as fact but it's more of a gut feeling really. Anyway, if for whatever reason you want to make your bandwidth primarily available to limited countries, Tor entry nodes have no built-in mechanism for this. There are ways to do it though, and the following describes how on a Virtualization Station capable QNAP, although the same principles can be applied to other setups. What's necessary for both obfs4 bridges and snowflakes is included here, so if you're not using both some parts can be skipped.
The general principle is to assign rules with generous bandwidth limiters to favoured countries and very restrictive limiters to all others. Some global access seems necessary for STUN to register your snowflake as unrestricted NAT and for the Tor infrastructure to be happy about your relay or bridge behaviour, but the restrictive limits can be very low. Typically a bandwidth ratio of 100 to 1 or higher (favoured to unfavoured countries) is observed using the method described below.
Set up a geo-block capable firewall
pfSense is the obvious choice here as it works great on VS and it's free.
Create a pfSense VM on VS with the pfSense WAN connected to your LAN, and put your Tor containers on a virtual switch connected to the pfSense LAN.
Install pfBlockerNG-devel using the package manager.
pfBlockerNG-devel config
Get a free MaxMind account and set your license key in Firewall>pfBlockerNG>IP.
In Firewall/pfBlockerNG/IP/GeoIP, for continents containing countries you'd like to allow fast access from, set Action to Alias Match; for continents containing only countries whose users you'd like to discourage, set Action to Disabled.
Edit each Alias Match continent and select the countries to allow fast access from.
Load the GeoIPs and feeds with Firewall/pfBlockerNG/Update.
Aliases
In Firewall/Aliases/IP create TorAndUtilities (Type Host(s)) with these.
If you're hosting a snowflake also create Stun (the standard snowflake stun server list) with these.
And StunExtended for good measure in case they change with these.
Create StunAll, comprising Stun and StunExtended
Create OBFS4 containing the pfSense LAN addresses of your obfs4 bridge.
Create SFP containing the pfSense LAN addresses of your snowflake proxy.
Create OBFS4_SFP comprising OBFS4 and SFP.
Create TorRelays (Type URL Table (IPs)) with https://2tor2.com/NodeList/TorNodesIpV4.txt if using IPv4 or https://2tor2.com/NodeList/TorNodesIpV6.txt if using IPv6.
Please do not download TorNodesIpV4/6.txt more than four times a day or your IP address may be blacklisted.
In Firewall/Aliases/Ports create OBFS4PtPort (Type Port(s)) containing your bridge PT port.
In Firewall/Aliases/Ports create OBFS4OrPort (Type Port(s)) containing your bridge OR port.
Create OBFS4Ports comprising OBFS4PtPort and OBFS4OrPort.
Limiters
In Firewall/TrafficShaper/Limiters create the following:
Name | Mask | Bandwidth |
---|---|---|
OBFS4_Mask_Source | Source | High |
OBFS4_Mask_Dest | Destination | High |
SFP_Mask_Source | Source | High |
SFP_Mask_Dest | Destination | High |
Trickle_Mask_Source | Source | Low |
Trickle_Mask_Dest | Destination | Low |
For all masks set IPv4 Mask Bits to 32 and IPv6 Mask Bits to 128.
High bandwidth is your chosen per-client maximum traffic rate, used for countries whose clients you'd like to receive reasonably usable bandwidth. Low bandwidth (10 to 50 kbs) is just enough for clients to establish a connection (necessary for Tor infrastructure checks and snowflake unrestricted NAT detection), but so low that most clients will abandon trying to use your bridge or snowflake.
If you prefer to use a single bandwidth bucket rather than per client you can set the Mask option to None rather than Source or Destination, in which case the Mask Bits value doesn't matter.
Port Forwarding
For your bridge forward OBFS4PtPort and OBFS4OrPort from the WAN interface to OBFS4.
For your snowflake forward ports 32768 through to 60999 from the WAN interface to SFP (assuming you're using default ports, otherwise adjust).
Check outbound NAT is using static ports for the bridge/snowflake LAN subnet.
WAN Rules
In Firewall/Rules/WAN create the following rules in this order. These allow Tor infrastructure addresses (authorities, relays) to use unrestricted bandwidth.
Protocol | Source | S Port | Destination | D Port | In Pipe | Out Pipe |
---|---|---|---|---|---|---|
TCP/UDP | TorAndUtilities | Any | OBFS4_SFP | Any | None | None |
TCP/UDP | TorRelays | Any | OBFS4_SFP | Any | None | None |
TCP | Any | Any | OBFS4 | OBFS4OrPort | None | None |
Then, for each pfBlockerNG continent for which you have selected countries, create the following rule if you have an OBFS4 bridge. This allows high bandwidth access for clients in those countries.
Protocol | Source | S Port | Destination | D Port | In Pipe | Out Pipe |
---|---|---|---|---|---|---|
TCP | pfB_[continent]_Vx | Any | OBFS4 | OBFS4Ports | OBFS4_Mask_Source | OBFS4_Mask_Dest |
Likewise, for each pfBlockerNG continent for which you have selected countries, create the following rule if you have a snowflake proxy. This allows high bandwidth access for clients in those countries.
Protocol | Source | S Port | Destination | D Port | In Pipe | Out Pipe |
---|---|---|---|---|---|---|
UDP | pfB_[continent]_Vx | Any | SFP | Any | SFP_Mask_Source | SFP_Mask_Dest |
Finally, create the following single rule whether you have a bridge, a snowflake or both. This allows only minimal bandwidth for clients in countries whose use of your services you want to discourage.
Protocol | Source | S Port | Destination | D Port | In Pipe | Out Pipe |
---|---|---|---|---|---|---|
TCP/UDP | Any | Any | OBFS4_SFP | Any | Trickle_Mask_Source | Trickle_Mask_Dest |
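To see how the ordering of these WAN rules decides which limiter a given client lands in, here is an added Python model (not part of the original post, and not pfSense code) of pfSense's first-match evaluation over the rule table above. The alias contents, the continent alias name pfB_Asia_v4 and the port numbers 443 and 9001 are constructed stand-ins; the rule order and pipe names are the post's own.

```python
import ipaddress

# Constructed sample contents for the aliases used in the WAN rules above
# (not real Tor, pfBlockerNG or MaxMind data). Alias entries may name other
# aliases, mirroring pfSense nested aliases; resolve() flattens them.
ALIASES = {
    "TorAndUtilities": ["198.51.100.0/24"],  # stand-in for directory authorities
    "TorRelays": ["203.0.113.0/24"],         # stand-in for the TorNodesIpV4.txt table
    "pfB_Asia_v4": ["192.0.2.0/24"],         # stand-in for one allowed continent
    "OBFS4": ["10.0.0.10/32"],               # bridge address on the pfSense LAN
    "SFP": ["10.0.0.20/32"],                 # snowflake proxy address
    "OBFS4_SFP": ["OBFS4", "SFP"],
}
PORTS = {"OBFS4PtPort": {443}, "OBFS4OrPort": {9001}}  # constructed port choices
PORTS["OBFS4Ports"] = PORTS["OBFS4PtPort"] | PORTS["OBFS4OrPort"]

# The WAN rules in the order the post gives them: protocol, source alias,
# destination alias, destination port alias, In Pipe ("None" = no limiter).
WAN_RULES = [
    ("TCP/UDP", "TorAndUtilities", "OBFS4_SFP", "Any", "None"),
    ("TCP/UDP", "TorRelays", "OBFS4_SFP", "Any", "None"),
    ("TCP", "Any", "OBFS4", "OBFS4OrPort", "None"),
    ("TCP", "pfB_Asia_v4", "OBFS4", "OBFS4Ports", "OBFS4_Mask_Source"),
    ("UDP", "pfB_Asia_v4", "SFP", "Any", "SFP_Mask_Source"),
    ("TCP/UDP", "Any", "OBFS4_SFP", "Any", "Trickle_Mask_Source"),
]

def resolve(alias):
    """Flatten an alias into ip_network objects; 'Any' matches everything."""
    if alias == "Any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    nets = []
    for entry in ALIASES[alias]:
        nets += resolve(entry) if entry in ALIASES else [ipaddress.ip_network(entry)]
    return nets

def in_alias(ip, alias):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in resolve(alias))

def classify(proto, src, dst, dport):
    """First-match evaluation: In Pipe of the matching rule, or 'blocked' (default deny)."""
    for rule_proto, rule_src, rule_dst, rule_port, pipe in WAN_RULES:
        if proto not in rule_proto.split("/"):
            continue
        if rule_port != "Any" and dport not in PORTS[rule_port]:
            continue
        if in_alias(src, rule_src) and in_alias(dst, rule_dst):
            return pipe
    return "blocked"
```

Note that UDP to the bridge, or TCP to the snowflake, from a favoured country still falls through to the trickle rule, and the OR port rule leaves that port unlimited for any source, as the post intends.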
LAN Rules
In Firewall/Rules/LAN create the following rules in this order. These allow your bridge, relay or snowflake to reach anything external they need. Bandwidth restrictions are unnecessary here, as the WAN rules with in and out limiters perform the required throttling.
Protocol | Source | S Port | Destination | D Port | In Pipe | Out Pipe |
---|---|---|---|---|---|---|
TCP/UDP | OBFS4_SFP | Any | TorAndUtilities | Any | None | None |
TCP/UDP | OBFS4_SFP | Any | TorRelays | Any | None | None |
TCP/UDP | OBFS4 | Any | Any | Any | None | None |
TCP/UDP | SFP | Any | StunAll | Any | None | None |
That's it. Once your Tor stuff's been started up you can see the connections in real time in Diagnostics/Limiter Info.