Basic Tutorial for Setting Up a Tor Relay
Running a Non-Exit Tor Relay
If you have a reasonably fast connection and would like to contribute a part of it to the Tor network, these instructions should help you achieve a functional basic Tor relay for your home computer. We'll be covering port forwarding, the firewall and the torrc file. Some of you may have modem/router functionality in one device. That's fine. This simply means the port forwarding is done in one place.
Update Feb 11th, 2018
There is a new and more complete official guide for relay operation available here. For Debian stable users like me, this tutorial remains up to date. For anyone else, it is best to follow their guide, since it covers some changes that were introduced in new versions and is applicable to many different types of situations.
This Raddle tutorial is simply an attempt to explain in simple terms and in the shortest amount of time how to get a relay up and running, while covering port forwarding in greater detail, since it is not well explained elsewhere.
Let's get going
It is recommended to run Tor relays on Debian, as the .deb package takes care of a bunch of configuration tasks, such as running it at startup, authenticating as a different user (
debian-tor), and few others.
sudo apt install tor
Now the tricky part is probably the port forwarding/firewall rule creation. I will try to provide generic instructions that will help you set it up on your ISP modem and/or router.
Define what port you will want to use. The official Tor Relay Configuration page suggests port
443, and that is the one I will be using here, so change accordingly
Open your web browser and type the modem's IP address to access its interface.
The modem is the last gate before the open internet, and we'll start by forwarding the
443 port to the next node in your network, usually the router.
Think of your LAN network as hierarchical (revolution triggered!). Your router is a child of the ISP modem, and your computers are children of the router. Each of them are subject to the rules of what is above.
The modem assigns a different IP layout to its children, which is in this example 10.x.x.x. The only child of the modem is the router, so you must find the IP of the router, as you will forward the 443 port to it using the modem's configuration.
Forward port 443 to router IP 10.x.x.x
For example, suppose the router has received the WAN IP 10.1.1.3. You type this IP on the port forwarding options within your modem's settings. Don't forget that its firewall must be enabled in order for port forwarding to work. Reboot the device when you're done.
Open a web browser again, type the router's gateway (example: 192.168.0.x) and login to the settings.
Go to "Virtual Servers" or "Port Redirection" or anything equivalent to port forwarding. Click add and type the port 443 and the LAN IP of the computer where you'll run Tor (example: 192.168.0.5)
Forward port 443 to computer IP 192.168.0.x
Now there is one additional step. After configuring port forwarding, you will need to allocate a permanent IP for the device you're going to run your Tor relay. Because if your IP changes from 192.168.0.5 to 192.168.0.6 the next morning, Tor will no longer be accessible. This is usually easily done through the router's DHCP settings. Look for "Address reservation" or similar options.
Make sure the router's firewall is also enabled or port forwarding will not have any effect. Reboot the device and move on to the computer.
This is usually the easiest. I recommend that you install
gufw, which provides a very simple and user friendly way of adding firewall rules. Allow port
443 through it. You can either reboot the computer or reload the firewall with
sudo ufw reload
You can check the instructions from the official Tor wiki, or use this straightforward list of what options to configure in order to achieve a basic and functional Tor relay for your home.
Open the terminal and edit this file.
sudo nano /etc/tor/torrc
This will get you started, but I encourage you to study the other options and adapt your file if you feel like you already understand how it works.
First, scroll down until you find the ORPort options. Since we are using the port 443 for this tutorial, I'll set it here.
ORPort 443 Nickname RichardStallmanComputer RelayBandwidthRate 100 KBytes # Throttle traffic to 100KB/s (800Kbps) RelayBandwidthBurst 200 KBytes # But allow bursts up to 200KB (1600Kb)
Remember the difference between Kilobits and KiloBytes? If your ISP provides you 50 Megabits per second (50 Mbps). Divide that by 8, and you get your download speed, which is around 6.25 MBps (MegaBytes).
ContactInfo Richard Stallman <richardmstallman AT mailprovider dot com>
Type your name/nickname along with your email. This ensures that, in the event of some problem with your relay, someone will be able to contact you and help you fix it. But always type your email in an obscure way, to keep spammers from easily retrieving it.
ExitPolicy reject *:* # no exits allowed
Since we're just starting and we're running this relay at home, I don't recommend jumping straight to an exit node setup. Read more about it here.
That's basically it. Now restart your relay:
sudo service tor reload. I recommend restarting the computer to let Tor initialize in a clean state.
The confirmation that your Tor is reachable will appear at
/var/log/tor/log as "
Self-testing indicates your ORPort is reachable from the outside. Excellent."
After it's working, you'll want to read about
arm, an official tool for monitoring your Tor relay in real time. The Relay Search website (formerly called "Atlas") is where your relay information will be shown after directory authorities allow it into the network consensus (which usually happens after a few hours that it's running).
For anyone running a more bleeding-edge distro or using the latest Tor version instead of the Debian package, be aware that the "arm" tool has been rebranded to Nyx. For Debian Stretch, the package name remains "tor-arm". This might change in future releases.
Backup your keys
Every new relay goes through a ramp-up phase that can last a few months before it reaches its full potential (see below). To avoid going through the ramp-up stage all over again when you have to reinstall your system or move to another machine, backup your keys by copying everything at
and restore it when your new system is ready. This will preserve your relay's identity and reputation.
For clarification on how relays evolve over time
Also, when you have sufficient bandwidth, opening the DirPort along with the ORPort is a good thing. Lastly, be advised that your public IP address will remain visible to anyone who finds it through online tools such as Atlas for as long as your relay is running and present in the consensus. If you don't want your IP visible, run a bridge. You can ask these questions at the #tor IRC channel in OFTC server.
Note to contributors: If someone has the time, you can append more information about the "arm" or "nyx" tool here.