
Configuring your Tor to run as a relay on Debian/Ubuntu

Running a guard or middle relay on Debian/Ubuntu

  1. Run "apt-get install tor" (as root).
  2. Make sure your clock, date, and timezone are set correctly. Install the ntp or openntpd (or similar) package to keep it that way.
  3. Edit /etc/tor/torrc to look like the following:
    ## The IP address or hostname for incoming connections (leave commented and Tor will guess)
    #Address noname.example.com
    
    ## Set the nickname of this relay
    Nickname ididnteditheconfig
    
    ## Set your own contact info
    ContactInfo 0xFFFFFFFF Random Person <nobody AT example dot com>
    
    ## If you control multiple relays, include them in the family
    #MyFamily $keyid,$keyid,...
    
    ORPort 9001
    DirPort 9030
    
    ## Set your bandwidth rate (leave commented and Tor will run without bandwidth caps)
    #RelayBandwidthRate 30 MBytes
    #RelayBandwidthBurst 100 MBytes
    
    ExitPolicy reject *:*
    
  4. Run "service tor reload" (as root)
  5. After your relay connects to the network, it will try to determine whether the ports you configured are reachable from the outside. This step is usually fast, but it may take a few minutes. Look for a log entry in /var/log/syslog such as "Self-testing indicates your ORPort is reachable from the outside. Excellent." If you don't see this message, it means that your relay is not reachable from the outside. You should re-check your firewalls, check that the IP and ports you specified in your torrc are correct, etc.

When it confirms that it's reachable, it will upload a "server descriptor" to the directory authorities to let clients know what address, ports, keys, etc your relay is using. After a few hours (to give it enough time to propagate), you can query Atlas to see whether your relay has successfully registered in the network. If it hasn't, re-check firewalls, IP and ports again.
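
A pre-reload check for the steps above, as an added example that is not part of the original wiki page: it flags the sample Nickname and ContactInfo left unedited and a non-exit torrc whose first exit rule is not "reject *:*", and it tests a log file for the self-test line. The function names and the "nonexit"/"exit" role labels are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit a torrc before reloading Tor.

# torrc_values FILE OPTION: print the value of every uncommented OPTION line.
torrc_values() {
    awk -v opt="$2" '
        /^[ \t]*#/ { next }                      # ignore comment lines
        tolower($1) == tolower(opt) {            # option names are case-insensitive
            $1 = ""; sub(/^[ \t]+/, ""); sub(/[ \t]*#.*$/, ""); print
        }' "$1"
}

# audit_torrc FILE ROLE: ROLE is "nonexit" or "exit" (labels made up for this example).
# Prints one line per finding; returns 0 if clean, 1 otherwise.
audit_torrc() {
    file=$1; role=$2; rc=0
    if torrc_values "$file" Nickname | grep -qx 'ididnteditheconfig'; then
        echo "Nickname: still the sample value"; rc=1
    fi
    contact=$(torrc_values "$file" ContactInfo)
    case "$contact" in
        ''|*0xFFFFFFFF*|*'nobody AT example'*)
            echo "ContactInfo: missing or still the sample value"; rc=1 ;;
    esac
    # Exit policy rules are matched in order, so the first rule must be the reject-all.
    first_policy=$(torrc_values "$file" ExitPolicy | head -n 1)
    if [ "$role" = nonexit ] && [ "$first_policy" != 'reject *:*' ]; then
        echo "ExitPolicy: non-exit relay does not start with 'reject *:*'"; rc=1
    fi
    return "$rc"
}

# selftest_ok LOGFILE: true once the reachability line quoted on this page was logged.
selftest_ok() {
    grep -q 'Self-testing indicates your ORPort is reachable from the outside' "$1"
}

# Constructed sample: the page's sample torrc left unedited, with ExitPolicy forgotten.
sample=$(mktemp)
printf '%s\n' '#Address noname.example.com' 'Nickname ididnteditheconfig' \
    'ContactInfo 0xFFFFFFFF Random Person <nobody AT example dot com>' \
    'ORPort 9001' '#ExitPolicy reject *:*' > "$sample"
audit_torrc "$sample" nonexit   # prints three findings
rm -f "$sample"
```

Syntax errors are a separate matter: "tor --verify-config -f /etc/tor/torrc" reports those, while this script only looks at values Tor accepts but an operator should change.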

How do I run an exit relay on Debian?

  1. Review our Exit relay guidelines
  2. Run "apt-get install tor" (as root).
  3. Make sure your clock, date, and timezone are set correctly. Install the ntp or openntpd (or similar) package to keep it that way.
  4. Edit /etc/tor/torrc to look like the following:
    ## Set the nickname of this relay
    Nickname ididnteditheconfig

    ## Set your own contact info
    ContactInfo 0xFFFFFFFF Random Person <nobody AT example dot com>

    ORPort 9001
    DirPort 9030

    ## The IP address or hostname for incoming connections (leave commented and Tor will guess)
    #Address noname.example.com

    ## Set your bandwidth rate (leave commented and Tor will run without bandwidth caps)
    #RelayBandwidthRate 30 MBytes
    #RelayBandwidthBurst 100 MBytes

    ## If you control multiple relays, include them in the family
    #MyFamily $keyid,$keyid,...

  5. Run "service tor reload" (as root)
  6. After your relay connects to the network, it will try to determine whether the ports you configured are reachable from the outside. This step is usually fast, but it may take a few minutes. Look for a log entry in your /var/log/syslog such as "Self-testing indicates your ORPort is reachable from the outside. Excellent." If you don't see this message, it means that your relay is not reachable from the outside. You should re-check your firewalls, check that the IP and ports you specified in your torrc are correct, etc.

When it confirms that it's reachable, it will upload a "server descriptor" to the directory authorities to let clients know what address, ports, keys, etc your relay is using. After a few hours (to give it enough time to propagate), you can query Atlas to see whether your relay has successfully registered in the network. If it hasn't, re-check firewalls, IP and ports again.

  7. Consider if you'd like to switch to the Reduced exit policy.

How do I run a middle or guard relay on FreeBSD or HardenedBSD?

  1. Run "pkg install tor" (as root).
  2. Make sure your clock, date, and timezone are set correctly. Enabling ntpd is suggested.
  3. Edit /usr/local/etc/tor/torrc to look like the following:
    ## Set the nickname of this relay
    Nickname ididnteditheconfig
    
    ## Set your own contact info
    ContactInfo 0xFFFFFFFF Random Person <nobody AT example dot com>
    
    ORPort 9001
    DirPort 9030
    
    ## Set your bandwidth rate (leave commented and Tor will run without bandwidth caps)
    #RelayBandwidthRate 30 MBytes
    #RelayBandwidthBurst 100 MBytes
    
    ExitPolicy reject *:*
    
    ## If you control multiple relays, include them in the family
    #MyFamily $keyid,$keyid,...
    
    RunAsDaemon 1
    Log notice file /var/log/tor/notices.log
    
  4. Make sure tor starts on boot by running "sysrc tor_enable=YES" (as root)
  5. Run "service tor start" (as root)
  6. After your relay connects to the network, it will try to determine whether the ports you configured are reachable from the outside. This step is usually fast, but it may take a few minutes. Look for a log entry in /var/log/tor/notices.log such as "Self-testing indicates your ORPort is reachable from the outside. Excellent." If you don't see this message, it means that your relay is not reachable from the outside. You should re-check your firewalls, check that the IP and ports you specified in your torrc are correct, etc.

When it confirms that it's reachable, it will upload a "server descriptor" to the directory authorities to let clients know what address, ports, keys, etc your relay is using. After a few hours (to give it enough time to propagate), you can query Atlas to see whether your relay has successfully registered in the network. If it hasn't, re-check firewalls, IP and ports again.

How do I make sure that I'm using the correct packages on Ubuntu?

  1. Do not use the packages in Ubuntu's repositories. They are not reliably updated. If you use them, you will miss important stability and security fixes.
  2. Determine your Ubuntu version by running the following command:
    lsb_release -c
    
  3. As root, add the following lines to /etc/apt/sources.list. Use the version you found in step 2 for <version>.
    deb http://deb.torproject.org/torproject.org <version> main
    deb-src http://deb.torproject.org/torproject.org <version> main
    
  4. Add the gpg key used to sign the packages by running the following commands:
    gpg --keyserver keys.gnupg.net --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
    gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
    
  5. Run the following commands to install tor and check its signatures:
    sudo apt-get update
    sudo apt-get install tor deb.torproject.org-keyring
    

What is a bridge?

Bridge relays are Tor relays that are not listed in the public Tor directory. That means that ISPs or governments trying to block access to the Tor network can't simply block all bridges. Bridges are useful for Tor users under oppressive regimes, and for people who want an extra layer of security because they're worried somebody will recognize that they are contacting a public Tor relay IP address.

A bridge is just a normal relay with a slightly different configuration. See (link to How do I run a bridge) for instructions.

Several countries, including China and Iran, have found ways to detect and block connections to Tor bridges. Obfsproxy bridges address this by adding another layer of obfuscation.

Setting up an obfsproxy bridge requires an additional software package and additional configuration. See https://www.torproject.org/docs/pluggable-transports.html.en.

Configuring your Tor to run as a relay on Debian

Run an obfs4 bridge on Debian

  1. Run "apt-get install tor obfs4proxy" (as root).
  2. Make sure your clock, date, and timezone are set correctly. Install the ntp or openntpd (or similar) package to keep it that way.
  3. Edit /etc/tor/torrc to look like the following:
    ## The IP address or hostname for incoming connections (leave commented and Tor will guess)
    #Address noname.example.com
    
    ## Set the nickname of this relay
    Nickname ididnteditheconfig
    
    ## Set your own contact info
    ContactInfo 0xFFFFFFFF Random Person <nobody AT example dot com>
    
    BridgeRelay 1
    ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
    ExtORPort auto
    ORPort 9001
    
    ## Set your bandwidth rate (leave commented and Tor will run without bandwidth caps)
    #RelayBandwidthRate 30 MBytes
    #RelayBandwidthBurst 100 MBytes
    
  4. Run "service tor reload" (as root)
  5. After your relay connects to the network, it will try to determine whether the ports you configured are reachable from the outside. This step is usually fast, but it may take a few minutes. Look for a log entry in /var/log/syslog such as "Self-testing indicates your ORPort is reachable from the outside. Excellent." If you don't see this message, it means that your relay is not reachable from the outside. You should re-check your firewalls, check that the IP and ports you specified in your torrc are correct, etc. You should also see the message "Registered server transport 'obfs4'" indicating that obfs4proxy is functional.

Run a middle or guard relay on Debian

  1. Run "apt-get install tor" (as root).
  2. Make sure your clock, date, and timezone are set correctly. Install the ntp or openntpd (or similar) package to keep it that way.
  3. Edit /etc/tor/torrc to look like the following:
    ## The IP address or hostname for incoming connections (leave commented and Tor will guess)
    #Address noname.example.com
    
    ## Set the nickname of this relay
    Nickname ididnteditheconfig
    
    ## Set your own contact info
    ContactInfo 0xFFFFFFFF Random Person <nobody AT example dot com>
    
    ## If you control multiple relays, include them in the family
    #MyFamily $keyid,$keyid,...
    
    ORPort 9001
    DirPort 9030
    
    ## Set your bandwidth rate (leave commented and Tor will run without bandwidth caps)
    #RelayBandwidthRate 30 MBytes
    #RelayBandwidthBurst 100 MBytes
    
    ExitPolicy reject *:*
    
  4. Run "service tor reload" (as root)
  5. After your relay connects to the network, it will try to determine whether the ports you configured are reachable from the outside. This step is usually fast, but it may take a few minutes. Look for a log entry in /var/log/syslog such as "Self-testing indicates your ORPort is reachable from the outside. Excellent." If you don't see this message, it means that your relay is not reachable from the outside. You should re-check your firewalls, check that the IP and ports you specified in your torrc are correct, etc. When it confirms that it's reachable, it will upload a "server descriptor" to the directory authorities to let clients know what address, ports, keys, etc your relay is using. After a few hours (to give it enough time to propagate), you can query Atlas to see whether your relay has successfully registered in the network. If it hasn't, re-check firewalls, IP and ports again.

Run an exit relay on Debian

  1. Review our Exit relay guidelines
  2. Run "apt-get install tor" (as root).
  3. Make sure your clock, date, and timezone are set correctly. Install the ntp or openntpd (or similar) package to keep it that way.
  4. Edit /etc/tor/torrc to look like the following:
    ## Set the nickname of this relay
    Nickname ididnteditheconfig

    ## Set your own contact info
    ContactInfo 0xFFFFFFFF Random Person <nobody AT example dot com>

    ORPort 9001
    DirPort 9030

    ## The IP address or hostname for incoming connections (leave commented and Tor will guess)
    #Address noname.example.com

    ## Set your bandwidth rate (leave commented and Tor will run without bandwidth caps)
    #RelayBandwidthRate 30 MBytes
    #RelayBandwidthBurst 100 MBytes

    ## If you control multiple relays, include them in the family
    #MyFamily $keyid,$keyid,...

  5. Run "service tor reload" (as root)
  6. After your relay connects to the network, it will try to determine whether the ports you configured are reachable from the outside. This step is usually fast, but it may take a few minutes. Look for a log entry in your /var/log/syslog such as "Self-testing indicates your ORPort is reachable from the outside. Excellent." If you don't see this message, it means that your relay is not reachable from the outside. You should re-check your firewalls, check that the IP and ports you specified in your torrc are correct, etc. When it confirms that it's reachable, it will upload a "server descriptor" to the directory authorities to let clients know what address, ports, keys, etc your relay is using. After a few hours (to give it enough time to propagate), you can query Atlas to see whether your relay has successfully registered in the network. If it hasn't, re-check firewalls, IP and ports again.
  7. Consider if you'd like to switch to the Reduced exit policy.

Advice for all relays

Don't forget to give your relay a name in the "Nickname" field in your torrc. If you'd like your name to be unique, you can use the "Relay Search" function on Atlas (https://atlas.torproject.org/) to see if a name is already in use. Be creative!

By default, Tor may attempt to use all of the bandwidth you provide the system. You can limit these speeds by adjusting the following values in your torrc:

    RelayBandwidthRate 30 MBytes
    RelayBandwidthBurst 100 MBytes

Adding these lines to your torrc would cause Tor to use at most 30 MBytes/second, and "burst" up to 100 MBytes/second. By adjusting the BandwidthRate and the BandwidthBurst, you can limit the amount of bandwidth Tor uses to something you are comfortable with.

It is also important to provide a contact email address. You can do this with the "ContactInfo" option in your torrc. As an example:

    ContactInfo 0xFFFFFFFF Random Person <nobody AT example dot com>

As you can see above, you can also add PGP key information (replace "0xFFFFFFFF" with your PGP key ID) to your ContactInfo.

Last modified on Dec 8, 2017, 9:28:32 PM