Showing revision #64265e6f of page running_a_tor_relay


Basic Tutorial for Setting Up a Tor Relay

# Running a Non-Exit Tor Relay

If you have a reasonably fast connection and would like to contribute a part of it to the Tor network, these instructions should help you achieve a functional basic Tor relay for your home computer.

It is recommended to run Tor relays on Debian, as the .deb package takes care of several configuration tasks, such as starting Tor at boot, running it as a separate user (`debian-tor`), and a few others.

```
sudo apt install tor
```

Now the tricky part is probably the port forwarding/firewall rule creation. I will try to provide generic instructions that will help you set it up on your ISP modem and/or router.

_Define what port_ you want to use. The official Tor Relay Configuration page suggests port `443`, and that is the one I will be using here, so change it accordingly if you pick another.

### ISP-provided modem

Open your web browser and type the modem's IP address to access its interface.

The modem is the last gate before the open internet, and we'll start by forwarding the 443 port to the next node in your network, usually the router.

Think of your LAN as hierarchical. Your **router** is a child of the **ISP modem**, and your **computers** are children of the **router**. Each of them is subject to the rules of whatever sits above it.

> ISP MODEM
>> ROUTER
>>> COMPUTER

The modem assigns its children addresses from its own IP range, which in this example is 10.x.x.x. The only child of the modem is the router, so you must find the IP of the router, as you will forward port 443 to it using the modem's configuration.

In short:

> Forward port 443 to router IP 10.x.x.x

For example, suppose the router has received the IP 10.1.1.3. Enter this IP in the port forwarding options within your modem's settings. Don't forget that its **firewall must be enabled** in order for port forwarding to work. Reboot the device when you're done.

### Router

Open a web browser again, type the router's gateway address (example: 192.168.0.x) and log in to the settings.

Go to "Virtual Servers" or "Port Redirection" or anything equivalent to port forwarding. Click add and enter port 443 and the LAN IP of the computer where you'll run Tor (example: 192.168.0.5).

In short:

> Forward port 443 to computer IP 192.168.0.x

Now there is one additional step. After configuring port forwarding, you will need to **allocate a permanent IP** for the device that will run your Tor relay, because if its IP changes from 192.168.0.5 to 192.168.0.6 the next morning, Tor will no longer be accessible. This is usually easily done through the router's DHCP settings. Look for "Address reservation" or similar options.

Make sure the router's firewall is also enabled or port forwarding will not have any effect. Reboot the device and move on to the computer.

### LiGNUx Machine

This is usually the easiest. I recommend that you install `gufw`, which provides a very simple and user-friendly way of adding firewall rules. Allow port `443` through it. It might be necessary to reboot as well.

If you really want to learn the command-line tools for configuring the firewall, check `firewall-cmd --help` or the official Wiki (if running Fedora), or the more "low-level" iptables. Check with your distribution.

### Tor Configuration

You can check the instructions from the [official Tor website](https://www.torproject.org/docs/tor-relay-debian.html.en), or use this straightforward list of what options to configure in order to achieve a basic and functional Tor relay for your home.

Open the terminal and edit this file.

```
sudo nano /etc/tor/torrc
```

This will get you started, but I encourage you to study the other options and adapt your file if you feel like you already understand how it works.

First, scroll down until you find the ORPort options. Since we are using port 443 for this tutorial, I'll set it here. **You should always find where the options already are and edit them there.** Add a new line only if the option is not already present and is a valid entry.

```
ORPort 443
Nickname chooseaname
RelayBandwidthRate 100 KBytes   # Throttle traffic to 100KB/s (800Kbps)
RelayBandwidthBurst 200 KBytes   # But allow bursts up to 200KB (1600Kb)
```

Remember the difference between Kb (kilobits) and KB (kilobytes)? 100 KBytes will be equivalent to 800 Kbps. 100 KBytes is the actual transfer speed, while 800 Kbps is the bandwidth your ISP advertises. (*)

More options:

```
ContactInfo Richard Stallman <richardmstallman AT mailprovider dot com>
```

Type your name or handle along with your email. This ensures that, in the event of some problem with your relay, someone will be able to contact you and help you fix it. But always write your email in an obfuscated form, to keep spammers from easily harvesting it.

```
ExitPolicy reject *:*   # no exits allowed
```

You will probably not want to run an exit relay from your home. Read more about it [here](https://blog.torproject.org/five-years-exit-node-operator).

That's basically it. Now restart your relay: `sudo service tor reload`. I recommend restarting the computer to let Tor initialize in a clean state.

The confirmation that your Tor is reachable will appear at `/var/log/tor/log` as `Self-testing indicates your ORPort is reachable from the outside. Excellent.`

After it's working, you'll want to read about `arm`, an official tool for monitoring your Tor relay.
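The checks from this section can be scripted. The following is an added example, not part of the original tutorial: it audits a torrc for the non-exit settings shown above and looks for the self-test line in the log. The function names and the sample files are constructed for illustration; on a real relay, point the functions at `/etc/tor/torrc` and `/var/log/tor/log`.

```shell
#!/bin/sh
# Added example: audit a torrc for the non-exit settings from this tutorial.

# Print every active (uncommented) value of option $2 in torrc file $1.
torrc_values() {
    awk -v opt="$2" '
        { sub(/[ \t]*#.*/, "") }                 # strip comments
        tolower($1) == tolower(opt) {
            $1 = ""; sub(/^[ \t]+/, ""); print   # keep only the value
        }' "$1"
}

# Return 0 if the file matches the tutorial's relay settings, 1 otherwise.
audit_torrc() {
    rc=0
    [ -n "$(torrc_values "$1" ORPort)" ] ||
        { echo "FAIL: ORPort is not set"; rc=1; }
    # Tor applies ExitPolicy lines in order, so the first one must reject all.
    first=$(torrc_values "$1" ExitPolicy | head -n 1)
    [ "$first" = "reject *:*" ] ||
        { echo "FAIL: first ExitPolicy is '${first:-<none>}', not 'reject *:*'"; rc=1; }
    [ -n "$(torrc_values "$1" ContactInfo)" ] ||
        { echo "FAIL: ContactInfo is not set"; rc=1; }
    nick=$(torrc_values "$1" Nickname | tail -n 1)
    [ "$nick" != "chooseaname" ] ||
        echo "WARN: Nickname is still the tutorial placeholder"
    return $rc
}

# Return 0 if the log contains Tor's ORPort self-test success message.
orport_reachable() {
    grep -q 'Self-testing indicates your ORPort is reachable from the outside' "$1"
}

# Constructed sample files (not real relay data) so the script runs offline.
demo=$(mktemp -d)
printf '%s\n' '#ORPort 9001' 'ORPort 443' 'Nickname myrelay' \
    'ContactInfo Jane <jane AT example dot org>' \
    'ExitPolicy reject *:*   # no exits allowed' > "$demo/good.torrc"
printf '%s\n' 'ORPort 443' 'ExitPolicy accept *:80' \
    'ExitPolicy reject *:*' > "$demo/exit.torrc"
printf '%s\n' 'Jan 01 00:00:00.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent.' > "$demo/log"

audit_torrc "$demo/good.torrc" && echo "good.torrc: OK"
audit_torrc "$demo/exit.torrc" || echo "exit.torrc: needs fixing"
orport_reachable "$demo/log" && echo "ORPort reachable"
```

The second sample fails the audit because an `accept` line precedes `reject *:*`, which would make the relay an exit for port 80.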

<More about the "arm" tool coming soon>

(*) someone needs to verify this information

