Showing revision #fbcf2d74 of page running_a_tor_relay

Basic Tutorial for Setting Up a Tor Relay



Source code

# Running a Non-Exit Tor Relay
If you have a reasonably fast connection and would like to contribute a part of it to the Tor network, these instructions should help you achieve a functional basic Tor relay for your home computer. We'll be covering port forwarding, the firewall and the torrc file. Some of you may have modem/router functionality in one device. That's fine. This simply means the port forwarding is done in one place.

### Update Feb 11th, 2018
There is a new and more complete official guide for relay operation available [here](https://trac.torproject.org/projects/tor/wiki/TorRelayGuide). For Debian stable users like me, this tutorial remains up to date. For anyone else, it is best to follow their guide, since it covers some changes that were introduced in new versions and is applicable to many different types of situations.

This Raddle tutorial is simply an attempt to explain in simple terms and in the shortest amount of time how to get a relay up and running, while covering port forwarding in greater detail, since it is not well explained elsewhere.

### Let's get going

It is recommended to run Tor relays on Debian, as the .deb package takes care of a number of configuration tasks, such as starting Tor at boot, running it as a separate user (`debian-tor`), and a few others.

`sudo apt install tor`

Now the tricky part is probably the port forwarding/firewall rule creation. I will try to provide generic instructions that will help you set it up on your ISP modem and/or router.

_Define what port_ you will want to use. The official Tor Relay Configuration page suggests port `443`, and that is the one I will be using here, so adjust accordingly if you pick a different one.

### ISP-provided modem
Open your web browser and type the modem's IP address to access its interface.

The modem is the last gate before the open internet, and we'll start by forwarding port `443` to the next node in your network, usually the router.

Think of your LAN as hierarchical (revolution triggered!). Your **router** is a child of the **ISP modem**, and your **computers** are children of the **router.** Each of them is subject to the rules of whatever is above it.

> ISP MODEM
>> ROUTER
>>> COMPUTER

The modem assigns addresses from its own IP range to its children, in this example 10.x.x.x. The only child of the modem is the router, so you must find the IP of the router, as you will forward port 443 to it using the modem's configuration.

In short:

> Forward port 443 to router IP 10.x.x.x

For example, suppose the router has received the WAN IP 10.1.1.3. Enter this IP in the port forwarding options within your modem's settings. Don't forget that its **firewall must be enabled** in order for port forwarding to work. Reboot the device when you're done.

### Router
Open a web browser again, type the router's gateway address (example: 192.168.0.x) and log in to the settings.

Go to "Virtual Servers" or "Port Redirection" or anything equivalent to port forwarding. Click add and enter port 443 and the LAN IP of the computer where you'll run Tor (example: 192.168.0.5).

In short:

> Forward port 443 to computer IP 192.168.0.x

Now there is one additional step. After configuring port forwarding, you will need to **allocate a permanent IP** for the device that will run your Tor relay, because if its IP changes from 192.168.0.5 to 192.168.0.6 the next morning, Tor will no longer be reachable. This is usually easily done through the router's DHCP settings. Look for "Address reservation" or similar options.

Make sure the router's firewall is also enabled or port forwarding will not have any effect. Reboot the device and move on to the computer.

### LiGNUx Machine
This is usually the easiest. I recommend that you install `gufw`, which provides a very simple and user-friendly way of adding firewall rules. Allow port `443` through it. You can either reboot the computer or reload the firewall with `sudo ufw reload`.

### Tor Configuration
You can check the instructions from the [official Tor website](https://www.torproject.org/docs/tor-relay-debian.html.en), or use this straightforward list of what options to configure in order to achieve a basic and functional Tor relay for your home.

Open the terminal and edit this file.

`sudo nano /etc/tor/torrc`

This will get you started, but I encourage you to study the other options and adapt your file if you feel like you already understand how it works.

First, scroll down until you find the ORPort options. Since we are using port 443 for this tutorial, I'll set it here.

```
ORPort 443
Nickname StallmanComputer   # 1-19 characters, letters and digits only
RelayBandwidthRate 100 KBytes   # Throttle traffic to 100KB/s (800Kbps)
RelayBandwidthBurst 200 KBytes   # But allow bursts up to 200KB (1600Kb)
```
Remember the difference between Kb (kilobits) and KB (kilobytes)? 100 KBytes will be equivalent to ~800 Kbps. 100 KBytes is the actual transfer speed, while 800 Kbps is the bandwidth your ISP advertises.(*)

More options:
```
ContactInfo Richard Stallman <richardmstallman AT mailprovider dot com>
```
Type your name/nickname along with your email. This ensures that, in the event of some problem with your relay, someone will be able to contact you and help you fix it. But always write your email in an obfuscated way, to keep spammers from easily harvesting it.

```
ExitPolicy reject *:*   # no exits allowed
```
Since we're just starting and we're running this relay at home, I don't recommend jumping straight to an exit node setup. Read more about it [here](https://blog.torproject.org/five-years-exit-node-operator).

That's basically it. Now have your relay load the new configuration: `sudo service tor reload`. I recommend restarting the computer to let Tor initialize in a clean state.

The confirmation that your relay is reachable will appear in `/var/log/tor/log` as `Self-testing indicates your ORPort is reachable from the outside. Excellent.`
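The following script is an added example, not part of the original tutorial or of Tor itself: it audits a torrc for the non-exit relay settings described in this section and checks the log for the self-test line quoted above. The function names are hypothetical, and the file paths are passed in as arguments.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit a torrc for the non-exit
# relay settings used above. All function names here are hypothetical.

# Print every value of option $2 in torrc $1, one per line, comments stripped.
torrc_values() {
    awk -v opt="$2" '
        { sub(/#.*/, "") }
        tolower($1) == tolower(opt) { $1 = ""; sub(/^ +/, ""); print }
    ' "$1"
}

fail() { echo "FAIL: $*"; rc=1; }

# Return 0 only if the file carries the tutorial's non-exit relay settings.
audit_relay_torrc() {
    torrc=$1; rc=0

    orport=$(torrc_values "$torrc" ORPort | tail -n 1)
    case $orport in
        ''|0) fail "ORPort is unset or 0, so tor will not run as a relay" ;;
    esac

    # Tor rejects nicknames that are not 1-19 characters of [A-Za-z0-9].
    nick=$(torrc_values "$torrc" Nickname | tail -n 1)
    case $nick in
        '') ;;                                   # Nickname is optional
        *[!A-Za-z0-9]*) fail "Nickname '$nick' has illegal characters" ;;
        *) [ "${#nick}" -le 19 ] || fail "Nickname '$nick' is longer than 19 characters" ;;
    esac

    # Exit policies are matched first to last, so the first entry must be the
    # blanket reject; an accept line placed before it would still allow exits.
    first=$(torrc_values "$torrc" ExitPolicy | head -n 1 | cut -d, -f1)
    [ "${first% }" = "reject *:*" ] ||
        fail "first ExitPolicy entry is '${first:-<none>}', not 'reject *:*'"

    [ -n "$(torrc_values "$torrc" ContactInfo)" ] || fail "ContactInfo is missing"
    return "$rc"
}

# Succeed once tor has logged the reachability self-test result quoted above.
orport_confirmed() {
    grep -q 'Self-testing indicates your ORPort is reachable from the outside' "$1"
}
```

On the relay itself these would be called as `audit_relay_torrc /etc/tor/torrc` and `orport_confirmed /var/log/tor/log`; Tor's own `tor --verify-config` remains the authoritative syntax check.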

### Monitoring tools

After it's working, you'll want to read about `arm`, an official tool for monitoring your Tor relay in real time. The [Relay Search](https://atlas.torproject.org/) website (formerly called "Atlas") is where your relay information will be shown after the directory authorities allow it into the network consensus (which usually happens after it has been running for a few hours).

For anyone running a more bleeding-edge distro or using the latest Tor version instead of the Debian package, be aware that the "arm" tool has been rebranded to [Nyx](https://nyx.torproject.org/). For Debian Stretch, the package name remains "tor-arm". This might change in future releases.

### Backup your keys
Every new relay goes through a ramp-up phase that can last a few months before it reaches its full potential (see below). To avoid going through the ramp-up stage all over again when you have to reinstall your system or move to another machine, back up your keys by copying everything at

`/var/lib/tor/keys`

and restore it when your new system is ready. This will preserve your relay's identity and reputation.
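The following is an added example, not part of the original tutorial: one way to archive the keys directory so the copy stays readable only by its owner, since it holds the relay's private identity key. The function names and the archive location are hypothetical; `secret_id_key` is the identity key file Tor keeps in that directory.

```shell
#!/bin/sh
# Added example (not from the tutorial): back up and restore the relay keys.
# Function names are hypothetical; run as root on the real paths.

# backup_tor_keys KEYS_DIR ARCHIVE
backup_tor_keys() {
    keys_dir=$1; archive=$2

    # Without the identity key a restore would start a brand-new relay.
    [ -f "$keys_dir/secret_id_key" ] || {
        echo "no secret_id_key in $keys_dir, nothing worth backing up" >&2
        return 1
    }

    (
        umask 077    # a newly created archive is readable by its owner only
        tar -czf "$archive" -C "$(dirname "$keys_dir")" "$(basename "$keys_dir")"
    ) || return 1

    # Confirm the archive is readable and really contains the identity key.
    tar -tzf "$archive" | grep -q '/secret_id_key$' || {
        echo "archive $archive does not contain secret_id_key" >&2
        return 1
    }

    # An archive file that already existed keeps its old mode, so tighten it.
    chmod 600 "$archive"
}

# restore_tor_keys ARCHIVE DATA_DIR   (DATA_DIR is the parent of keys/)
restore_tor_keys() {
    archive=$1; data_dir=$2
    tar -xzf "$archive" -C "$data_dir" || return 1
    chmod 700 "$data_dir/keys"
    # Assumption: on Debian the restored files must also be handed back to the
    # package's user, e.g. chown -R debian-tor:debian-tor /var/lib/tor/keys
}
```

On a relay this would be `backup_tor_keys /var/lib/tor/keys /root/tor-keys.tar.gz`, with Tor stopped before `restore_tor_keys /root/tor-keys.tar.gz /var/lib/tor` on the new system.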

### For clarification on how relays evolve over time
https://blog.torproject.org/lifecycle-new-relay

Also, when you have sufficient bandwidth, opening the DirPort along with the ORPort is a good thing. Lastly, be advised that your public IP address will remain visible to anyone who finds it through online tools such as Atlas for as long as your relay is running and present in the consensus. If you don't want your IP visible, run a bridge. You can ask these questions in the #tor IRC channel on the OFTC server.

Note to contributors:
If someone has the time, you can append more information about the "arm" or "nyx" tool here.

(*) someone needs to verify this information