Running a Non-Exit Tor Relay
If you have a reasonably fast connection and would like to contribute a part of it to the Tor network, these instructions should help you achieve a functional basic Tor relay for your home computer. We'll be covering port forwarding, the firewall and the torrc file. Some of you may have modem/router functionality in one device. That's fine. This simply means the port forwarding is done in one place.
It is recommended to run Tor relays on Debian, as the .deb package takes care of a bunch of configuration tasks, such as running it at startup, authenticating as a different user (
debian-tor), and few others.
sudo apt install tor
Now the tricky part is probably the port forwarding/firewall rule creation. I will try to provide generic instructions that will help you set it up on your ISP modem and/or router.
Define what port you will want to use. The official Tor Relay Configuration page suggests port
443, and that is the one I will be using here, so change accordingly
Open your web browser and type the modem's IP address to access its interface.
The modem is the last gate before the open internet, and we'll start by forwarding the
443 port to the next node in your network, usually the router.
Think of your LAN network as hierarchical (revolution triggered!). Your router is a child of the ISP modem, and your computers are children of the router. Each of them are subject to the rules of what is above.
The modem assigns a different IP layout to its children, which is in this example 10.x.x.x. The only child of the modem is the router, so you must find the IP of the router, as you will forward the 443 port to it using the modem's configuration.
Forward port 443 to router IP 10.x.x.x
For example, suppose the router has received the WAN IP 10.1.1.3. You type this IP on the port forwarding options within your modem's settings. Don't forget that its firewall must be enabled in order for port forwarding to work. Reboot the device when you're done.
Open a web browser again, type the router's gateway (example: 192.168.0.x) and login to the settings.
Go to "Virtual Servers" or "Port Redirection" or anything equivalent to port forwarding. Click add and type the port 443 and the LAN IP of the computer where you'll run Tor (example: 192.168.0.5)
Forward port 443 to computer IP 192.168.0.x
Now there is one additional step. After configuring port forwarding, you will need to allocate a permanent IP for the device you're going to run your Tor relay. Because if your IP changes from 192.168.0.5 to 192.168.0.6 the next morning, Tor will no longer be accessible. This is usually easily done through the router's DHCP settings. Look for "Address reservation" or similar options.
Make sure the router's firewall is also enabled or port forwarding will not have any effect. Reboot the device and move on to the computer.
This is usually the easiest. I recommend that you install
gufw, which provides a very simple and user friendly way of adding firewall rules. Allow port
443 through it. It might be necessary to reboot as well.
You can check the instructions from the official Tor website, or use this straightforward list of what options to configure in order to achieve a basic and functional Tor relay for your home.
Open the terminal and edit this file.
sudo nano /etc/tor/torrc
This will get you started, but I encourage you to study the other options and adapt your file if you feel like you already understand how it works.
First, scroll down until you find the ORPort options. Since we are using the port 443 for this tutorial, I'll set it here. You should always find where the options are and edit them. Do not add them unless they are not present and are indeed valid entries.
ORPort 443 Nickname chooseaname RelayBandwidthRate 100 KBytes # Throttle traffic to 100KB/s (800Kbps) RelayBandwidthBurst 200 KBytes # But allow bursts up to 200KB (1600Kb)
Remember the difference between Kb and KB? 100 KBytes will be equivalent to 800 Kbps. 100 KBytes is the actual transfer speed, while 800 Kbps is the bandwidth your ISP advertises.(*)
ContactInfo Richard Stallman <richardmstallman AT mailprovider dot com>
Type your name or handle along with your email. This ensures that, in the event of some problem with your relay, someone will be able to contact you and help you fix it. But always type your email in an obscure way, to keep spammers from easily retrieving it.
ExitPolicy reject *:* # no exits allowed
You will probably not want to run an exit relay from your home. Read more about it here.
That's basically it. Now restart your relay:
sudo service tor reload. I recommend restarting the computer to let Tor initialize in a clean state.
The confirmation that your Tor is reachable will appear at
Self-testing indicates your ORPort is reachable from the outside. Excellent.
After it's working, you'll want to read about
arm, an official tool for monitoring your Tor relay. The Relay Search website (formerly called "Atlas") is where your relay information will be shown after directory authorities allow it into the network consensus (which usually happens after a few hours that it's running).
For clarification on how relays evolve over time
Also, when you have sufficient bandwidth, opening the DirPort along with the ORPort is a good thing. Lastly, be advised that your public IP address will remain visible to anyone who finds it through online tools such as Atlas for as long as your relay is running and present in the consensus. If you don't want your IP visible, run a bridge. You can ask these questions at the #tor IRC channel in OFTC server.
Note to contributors: If someone has the time, you can append more information about the "arm" tool here.
(*) someone needs to verify this information