Showing revision #57189fcf of page running_a_tor_relay

Basic Tutorial for Setting Up a Tor Relay

  1. Running a Non-Exit Tor Relay

    1. ISP-provided modem

    2. Router

    3. LiGNUx Machine

    4. Tor Configuration

    5. For clarification on how relays evolve over time

Running a Non-Exit Tor Relay

If you have a reasonably fast connection and would like to contribute a part of it to the Tor network, these instructions should help you achieve a functional basic Tor relay for your home computer. We'll be covering port forwarding, the firewall and the torrc file. Some of you may have modem/router functionality in one device. That's fine. This simply means the port forwarding is done in one place.

It is recommended to run Tor relays on Debian, as the .deb package takes care of a number of configuration tasks, such as starting Tor at boot, running it as a separate user (debian-tor), and a few others.

sudo apt install tor

Now the tricky part is probably the port forwarding/firewall rule creation. I will try to provide generic instructions that will help you set it up on your ISP modem and/or router.

Define which port you want to use. The official Tor Relay Configuration page suggests port 443, and that is the one I will be using here, so adjust the instructions accordingly if you pick a different one.

ISP-provided modem

Open your web browser and type the modem's IP address to access its interface.

The modem is the last gate before the open internet, and we'll start by forwarding port 443 to the next node in your network, usually the router.

Think of your LAN as hierarchical (revolution triggered!). Your router is a child of the ISP modem, and your computers are children of the router. Each of them is subject to the rules of whatever sits above it.

ISP MODEM
  ROUTER
    COMPUTER

The modem assigns its children addresses from its own range, which in this example is 10.x.x.x. The only child of the modem is the router, so you must find the IP of the router, as you will forward port 443 to it using the modem's configuration.

In short:

Forward port 443 to router IP 10.x.x.x

For example, suppose the router has received the WAN IP 10.1.1.3. Enter this IP in the port forwarding options within your modem's settings. Don't forget that its firewall must be enabled in order for port forwarding to work. Reboot the device when you're done.

Router

Open a web browser again, type the router's gateway address (example: 192.168.0.x) and log in to the settings.

Go to "Virtual Servers" or "Port Redirection" or anything equivalent to port forwarding. Click add and enter port 443 and the LAN IP of the computer where you'll run Tor (example: 192.168.0.5).

In short:

Forward port 443 to computer IP 192.168.0.x

Now there is one additional step. After configuring port forwarding, you will need to allocate a permanent IP for the device on which you're going to run your Tor relay, because if its IP changes from 192.168.0.5 to 192.168.0.6 the next morning, Tor will no longer be accessible. This is usually easily done through the router's DHCP settings. Look for "Address reservation" or similar options.

Make sure the router's firewall is also enabled or port forwarding will not have any effect. Reboot the device and move on to the computer.

LiGNUx Machine

This is usually the easiest part. I recommend that you install gufw, which provides a very simple and user-friendly way of adding firewall rules. Allow port 443 through it. It might be necessary to reboot as well.

Tor Configuration

You can check the instructions from the official Tor website (https://www.torproject.org/docs/tor-relay-debian.html.en), or use this straightforward list of which options to configure in order to achieve a basic and functional Tor relay for your home.

Open the terminal and edit this file.

sudo nano /etc/tor/torrc

This will get you started, but I encourage you to study the other options and adapt your file if you feel like you already understand how it works.

First, scroll down until you find the ORPort options. Since we are using the port 443 for this tutorial, I'll set it here. You should always find where the options are and edit them. Do not add them unless they are not present and are indeed valid entries.

ORPort 443
Nickname chooseaname
RelayBandwidthRate 100 KBytes   # Throttle traffic to 100KB/s (800Kbps)
RelayBandwidthBurst 200 KBytes   # But allow bursts up to 200KB (1600Kb)

Remember the difference between Kb and KB? 100 KBytes is equivalent to 800 Kbps, since one byte is eight bits. 100 KBytes is the actual transfer speed, while 800 Kbps is the bandwidth your ISP advertises. (*)

More options:

ContactInfo Richard Stallman <richardmstallman AT mailprovider dot com>

Type your name/nickname along with your email. This ensures that, in the event of some problem with your relay, someone will be able to contact you and help you fix it. But always write your email in an obfuscated way, to keep spammers from easily harvesting it.

ExitPolicy reject *:*   # no exits allowed

You will probably not want to run an exit relay from your home. Read more about it here: https://blog.torproject.org/five-years-exit-node-operator

That's basically it. Now restart your relay: sudo service tor reload. I recommend restarting the computer to let Tor initialize in a clean state.

The confirmation that your Tor is reachable will appear in /var/log/tor/log as "Self-testing indicates your ORPort is reachable from the outside. Excellent."
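The torrc settings and the log confirmation described above can be checked with a short script. This is an added example, not part of the original tutorial or of Tor itself: the function names are hypothetical and the sample torrc and log contents are constructed.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Function names are hypothetical.

# Print the first active (uncommented) value of option $2 in torrc file $1.
torrc_first() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                          # strip comments
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit  # value with whitespace normalised
        }' "$1"
}

# Return 0 only if the file configures a relay that refuses all exit traffic.
audit_relay_torrc() {
    rc=0
    [ -n "$(torrc_first "$1" ORPort)" ] || { echo "FAIL: ORPort not set"; rc=1; }
    # ExitPolicy rules are evaluated first to last and the first match wins,
    # so the first rule must be the catch-all reject.
    policy=$(torrc_first "$1" ExitPolicy)
    [ "${policy%%,*}" = "reject *:*" ] || { echo "FAIL: first ExitPolicy rule is not 'reject *:*'"; rc=1; }
    [ -n "$(torrc_first "$1" ContactInfo)" ] || echo "WARN: ContactInfo missing"
    [ -n "$(torrc_first "$1" RelayBandwidthRate)" ] || echo "WARN: no RelayBandwidthRate, relay is unthrottled"
    return $rc
}

# Return 0 if the Tor log contains the ORPort self-test success message.
orport_reachable() {
    grep -q 'Self-testing indicates your ORPort is reachable from the outside' "$1"
}

# Constructed sample files: a good torrc, one with the exit policy commented out, and a log.
make_samples() {
    printf '%s\n' 'ORPort 443' 'Nickname chooseaname' \
        'RelayBandwidthRate 100 KBytes   # Throttle traffic' \
        'ContactInfo Someone <someone AT example dot org>' \
        'ExitPolicy reject *:*   # no exits allowed' > "$1/torrc.good"
    printf '%s\n' 'ORPort 443' '#ExitPolicy reject *:*' > "$1/torrc.bad"
    printf '%s\n' 'Jan 01 00:00:00.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent.' > "$1/log"
}

dir=$(mktemp -d)
make_samples "$dir"
audit_relay_torrc "$dir/torrc.good" && echo "torrc.good: OK"
audit_relay_torrc "$dir/torrc.bad" || echo "torrc.bad: rejected"
orport_reachable "$dir/log" && echo "ORPort self-test passed"
rm -rf "$dir"
```

On a real relay, call `audit_relay_torrc /etc/tor/torrc` and `orport_reachable /var/log/tor/log`; reading the log may require root.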

After it's working, you'll want to read about arm, an official tool for monitoring your Tor relay. The Relay Search website (https://atlas.torproject.org/, formerly called "Atlas") is where your relay information will be shown after the directory authorities allow it into the network consensus (which usually happens after it has been running for a few hours).

For clarification on how relays evolve over time

https://blog.torproject.org/lifecycle-new-relay

Also, when you have sufficient bandwidth, opening the DirPort along with the ORPort is a good thing. Lastly, be advised that your public IP address will remain visible to anyone who looks it up through online tools such as Atlas for as long as your relay is running and present in the consensus. If you don't want your IP visible, run a bridge. You can ask questions about this in the #tor IRC channel on the OFTC server.

Note to contributors: If someone has the time, you can append more information about the "arm" tool here.

(*) someone needs to verify this information

