Changes between Initial Version and Version 1 of OperatorsTips/DebianUbuntuConfiguringYourTorRelay


Timestamp: Dec 8, 2017, 9:28:32 PM (2 years ago)
Author: alison
Comment: added relay configs

  • OperatorsTips/DebianUbuntuConfiguringYourTorRelay

    v1 v1  
     1=== Configuring your Tor to run as a relay on Debian/Ubuntu ===
     2
     3==== Running a guard or middle relay on Debian/Ubuntu ====
     41. Run "apt-get install tor" (as root).
     52. Make sure your clock, date, and timezone are set correctly. Install the ntp or openntpd (or similar) package to keep it that way.
     63. Edit /etc/tor/torrc to look like the following:
     7{{{
     8## The IP address or hostname for incoming connections (leave commented and Tor will guess)
     9#Address noname.example.com
     10
     11## Set the nickname of this relay
     12Nickname ididnteditheconfig
     13
     14## Set your own contact info
     15ContactInfo 0xFFFFFFFF Random Person <nobody AT example dot com>
     16
     17## If you control multiple relays, include then in the family
     18#MyFamily $keyid,$keyid,...
     19
     20ORPort 9001
     21DirPort 9030
     22
     23## Set your bandwidth rate (leave commented and Tor will run without bandwidth caps)
     24#RelayBandwidthRate 30 MBytes
     25#RelayBandwidthBurst 100 MBytes
     26
     27ExitPolicy reject *:*
     28}}}
     294. Run "service tor reload" (as root)
     305. After your relay connects to the network, it will try to determine whether the ports you configured are reachable from the outside. This step is usually fast, but it may take a few minutes. Look for a log entry in /var/log/syslog such as "Self-testing indicates your ORPort is reachable from the outside. Excellent." If you don't see this message, it means that your relay is not reachable from the outside. You should re-check your firewalls, check that the IP and ports you specified in your torrc are correct, etc.
     31
     32When it confirms that it's reachable, it will upload a "server descriptor" to the directory authorities to let clients know what address, ports, keys, etc your relay is using. After a few hours (to give it enough time to propagate), you can query [https://atlas.torproject.org Atlas] to see whether your relay has successfully registered in the network. If it hasn't, re-check firewalls, IP and ports again.
     33
     34==== How do I run an exit relay on Debian? ====
     351. Review our [https://trac.torproject.org/projects/tor/wiki/doc/TorExitGuidelines Exit relay guidelines]
     362. Run "apt-get install tor" (as root).
     373. Make sure your clock, date, and timezone are set correctly. Install the ntp or openntpd (or similar) package to keep it that way.
     384. Edit /etc/tor/torrc to look like the following:
     39
     40{{{
     41## Set the nickname of this relay
     42Nickname ididnteditheconfig
     43
     44## Set your own contact info
     45ContactInfo 0xFFFFFFFF Random Person <nobody AT example dot com>
     46
     47ORPort 9001
     48DirPort 9030
     49
     50## The IP address or hostname for incoming connections (leave commented and Tor will guess)
     51#Address noname.example.com
     52
     53## Set your bandwidth rate (leave commented and Tor will run without bandwidth caps)
     54#RelayBandwidthRate 30 MBytes
     55#RelayBandwidthBurst 100 MBytes
     56
     57## If you control multiple relays, include then in the family
     58#MyFamily $keyid,$keyid,...
     59}}}
     60
     615. Run "service tor reload" (as root)
     626. After your relay connects to the network, it will try to determine whether the ports you configured are reachable from the outside. This step is usually fast, but it may take a few minutes. Look for a log entry in your /var/log/syslog such as "Self-testing indicates your ORPort is reachable from the outside. Excellent." If you don't see this message, it means that your relay is not reachable from the outside. You should re-check your firewalls, check that the IP and ports you specified in your torrc are correct, etc.
     63
     64When it confirms that it's reachable, it will upload a "server descriptor" to the directory authorities to let clients know what address, ports, keys, etc your relay is using. After a few hours (to give it enough time to propagate), you can query [https://atlas.torproject.org Atlas] to see whether your relay has successfully registered in the network. If it hasn't, re-check firewalls, IP and ports again.
     657. Consider if you'd like to switch to the [https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy Reduced exit policy].
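Review bot: The exit relay torrc at new lines 40-59 contains no ExitPolicy line at all, while the guard/middle block above states "ExitPolicy reject *:*" explicitly, so the only thing that makes this an exit config is an omission the reader has to notice. Suggest adding a commented line in the block that says which exit policy applies when none is set, and moving the Reduced exit policy pointer from step 7 up to the torrc step, so the operator decides what traffic the relay will exit before running "service tor reload" rather than after the relay is already published.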
     66==== How do I run a middle or guard relay on FreeBSD or HardenedBSD? ====
     671. Run "pkg install tor" (as root).
     682. Make sure your clock, date, and timezone are set correctly. Enabling ntpd is suggested.
     693. Edit /usr/local/etc/tor/torrc to look like the following:
     70{{{
     71## Set the nickname of this relay
     72Nickname ididnteditheconfig
     73
     74## Set your own contact info
     75ContactInfo 0xFFFFFFFF Random Person <nobody AT example dot com>
     76
     77ORPort 9001
     78DirPort 9030
     79
     80## Set your bandwidth rate (leave commented and Tor will run without bandwidth caps)
     81#RelayBandwidthRate 30 MBytes
     82#RelayBandwidthBurst 100 MBytes
     83
     84ExitPolicy reject *:*
     85
     86## If you control multiple relays, include then in the family
     87#MyFamily $keyid,$keyid,...
     88
     89RunAsDaemon 1
     90Log notice file /var/log/tor/notices.log
     91}}}
     924. Make sure tor starts on boot by running "sysrc tor_enable=YES" (as root)
     935. Run "service tor start" (as root)
     946. After your relay connects to the network, it will try to determine whether the ports you configured are reachable from the outside. This step is usually fast, but it may take a few minutes. Look for a log entry in /var/log/tor/notices.log such as "Self-testing indicates your ORPort is reachable from the outside. Excellent." If you don't see this message, it means that your relay is not reachable from the outside. You should re-check your firewalls, check that the IP and ports you specified in your torrc are correct, etc.
     95
     96When it confirms that it's reachable, it will upload a "server descriptor" to the directory authorities to let clients know what address, ports, keys, etc your relay is using. After a few hours (to give it enough time to propagate), you can query [https://atlas.torproject.org Atlas] to see whether your relay has successfully registered in the network. If it hasn't, re-check firewalls, IP and ports again.
     97==== How do I make sure that I'm using the correct packages on Ubuntu? ====
     981. Do not use the packages in Ubuntu's repositories. They are not reliably updated. If you use them, you will miss important stability and security fixes.
     99
     1002. Determine your Ubuntu version by running the following command:
     101{{{
     102#!shell
     103lsb_release -c
     104}}}
     105
     1063. As root, add the following lines to /etc/apt/sources.list. Use the version you found in step 2 for <version>.
     107{{{
     108deb http://deb.torproject.org/torproject.org <version> main
     109deb-src http://deb.torproject.org/torproject.org <version> main
     110}}}
     111
     1124. Add the gpg key used to sign the packages by running the following commands:
     113{{{
     114#!shell
     115gpg --keyserver keys.gnupg.net --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
     116gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
     117}}}
     118
     1195. Run the following commands to install tor and check its signatures:
     120{{{
     121#!shell
     122sudo apt-get update
     123sudo apt-get install tor deb.torproject.org-keyring
     124}}}
     125
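Review bot: Step 4 (new lines 112-117) pipes the fetched key straight into "sudo apt-key add -" with no point at which the operator confirms what the keyserver returned, and step 5 says the commands "check its signatures" although neither command shows a check to the reader. Suggest inserting "gpg --fingerprint A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89" between the --recv and the --export, with a sentence telling the reader to compare the output against a copy of the fingerprint obtained out of band, and rewording step 5 to say that apt verifies the packages against this key during install. Since the deb and deb-src lines at 108-109 use http://, it is also worth one sentence stating that package integrity rests on that signing key, which is why the fingerprint comparison matters.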
     126==== What is a bridge? ====
     127Bridge relays are Tor relays that are not listed in the public Tor
     128directory. That means that ISPs or governments trying to block access to the
     129Tor network can't simply block all bridges. Bridges are useful for Tor
     130users under oppressive regimes, and for people who want an extra layer of
     131security because they're worried somebody will recognize that they are
     132contacting a public Tor relay IP address.
     133
     134A bridge is just a normal relay with a slightly different configuration. See
     135(link to How do I run a bridge) for instructions.
     136
     137Several countries, including China and Iran, have found ways to detect and
     138block connections to Tor bridges. [https://github.com/Yawning/obfs4/blob/master/doc/obfs4-spec.txt Obfsproxy] bridges address this by adding
     139another layer of obfuscation.
     140
     141Setting up an obfsproxy bridge requires an additional software package and
     142additional configurations. See https://www.torproject.org/docs/pluggable-transports.html.en.
     143==== How do I run a obfs4 bridge on Debian? ====
     1441. Run "apt-get install tor obfs4proxy" (as root).
     1452. Make sure your clock, date, and timezone are set correctly. Install the ntp or === Configuring your Tor to run as a relay on Debian ===
     146
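Review bot: New line 145 breaks off mid-sentence ("Install the ntp or") and runs directly into a second page-level heading, after which lines 147-233 repeat the obfs4, middle/guard and exit sections already started at lines 143-144 and given in full at lines 3-65. This looks like a paste of an older draft on top of the new text. Suggest deleting the stub at lines 143-145 and keeping only one copy of each section, with one heading style ("How do I run ..." or "Run a ...") and one page title (the page name and line 1 say Debian/Ubuntu, line 145 says Debian only). The two copies already differ in how the "server descriptor" paragraph is attached to the reachability step, so they will drift further if both stay.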
     147==== Run an obfs4 bridge on Debian ====
     1481. Run "apt-get install tor obfs4proxy" (as root).
     1492. Make sure your clock, date, and timezone are set correctly. Install the ntp or openntpd (or similar) package to keep it that way.
     1503. Edit /etc/tor/torrc to look like the following:
     151{{{
     152## The IP address or hostname for incoming connections (leave commented
     153and Tor will guess)
     154#Address noname.example.com
     155
     156## Set the nickname of this relay
     157Nickname ididnteditheconfig
     158
     159## Set your own contact info
     160ContactInfo 0xFFFFFFFF Random Person <nobody AT example dot com>
     161
     162BridgeRelay 1
     163ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
     164ExtORPort auto
     165ORPort 9001
     166
     167## Set your bandwidth rate (leave commented and Tor will run without
     168bandwidth caps)
     169#RelayBandwidthRate 30 MBytes
     170#RelayBandwidthBurst 100 MBytes
     171}}}
     1724. Run "service tor reload" (as root)
     1735. After your relay connects to the network, it will try to determine whether the ports you configured are reachable from the outside. This step is usually fast, but it may take a few minutes. Look for a log entry in /var/log/syslog such as "Self-testing indicates your ORPort is reachable from the outside. Excellent." If you don't see this message, it means that your relay is not reachable from the outside. You should re-check your firewalls, check that the IP and ports you specified in your torrc are correct, etc. You should also see the message "Registered server transport 'obfs4'" indicating that obfs4proxy is functional.
     174
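Review bot: In the obfs4 torrc block the two long comments are hard-wrapped at lines 152-153 and 167-168, and the continuation lines ("and Tor will guess)" and "bandwidth caps)") do not start with "##". A reader who copies the block as shown ends up with two uncommented lines that Tor will try to parse as options. Suggest joining each comment onto one line, as the other torrc blocks on this page do, or prefixing the continuation lines with "##". Step 5 here also stops after the reachability check and omits the "server descriptor" paragraph that the relay sections carry; if that is deliberate because bridges are not listed publicly, a sentence saying so would help.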
     175==== Run a middle or guard relay on Debian ====
     1761. Run "apt-get install tor" (as root).
     1772. Make sure your clock, date, and timezone are set correctly. Install the ntp or openntpd (or similar) package to keep it that way.
     1783. Edit /etc/tor/torrc to look like the following:
     179{{{
     180## The IP address or hostname for incoming connections (leave commented and Tor will guess)
     181#Address noname.example.com
     182
     183## Set the nickname of this relay
     184Nickname ididnteditheconfig
     185
     186## Set your own contact info
     187ContactInfo 0xFFFFFFFF Random Person <nobody AT example dot com>
     188
     189## If you control multiple relays, include then in the family
     190#MyFamily $keyid,$keyid,...
     191
     192ORPort 9001
     193DirPort 9030
     194
     195## Set your bandwidth rate (leave commented and Tor will run without bandwidth caps)
     196#RelayBandwidthRate 30 MBytes
     197#RelayBandwidthBurst 100 MBytes
     198
     199ExitPolicy reject *:*
     200}}}
     2014. Run "service tor reload" (as root)
     2025. After your relay connects to the network, it will try to determine whether the ports you configured are reachable from the outside. This step is usually fast, but it may take a few minutes. Look for a log entry in /var/log/syslog such as "Self-testing indicates your ORPort is reachable from the outside. Excellent." If you don't see this message, it means that your relay is not reachable from the outside. You should re-check your firewalls, check that the IP and ports you specified in your torrc are correct, etc. When it confirms that it's reachable, it will upload a "server descriptor" to the directory authorities to let clients know what address, ports, keys, etc your relay is using. After a few hours (to give it enough time to propagate), you can query [https://atlas.torproject.org Atlas] to see whether your relay has successfully registered in the network. If it hasn't, re-check firewalls, IP and ports again.
     203
     204==== Run an exit relay on Debian ====
     2051. Review our [https://trac.torproject.org/projects/tor/wiki/doc/TorExitGuidelines Exit relay guidelines]
     2062. Run "apt-get install tor" (as root).
     2073. Make sure your clock, date, and timezone are set correctly. Install the ntp or openntpd (or similar) package to keep it that way.
     2084. Edit /etc/tor/torrc to look like the following:
     209
     210{{{
     211## Set the nickname of this relay
     212Nickname ididnteditheconfig
     213
     214## Set your own contact info
     215ContactInfo 0xFFFFFFFF Random Person <nobody AT example dot com>
     216
     217ORPort 9001
     218DirPort 9030
     219
     220## The IP address or hostname for incoming connections (leave commented and Tor will guess)
     221#Address noname.example.com
     222
     223## Set your bandwidth rate (leave commented and Tor will run without bandwidth caps)
     224#RelayBandwidthRate 30 MBytes
     225#RelayBandwidthBurst 100 MBytes
     226
     227## If you control multiple relays, include then in the family
     228#MyFamily $keyid,$keyid,...
     229}}}
     230
     2315. Run "service tor reload" (as root)
     2326. After your relay connects to the network, it will try to determine whether the ports you configured are reachable from the outside. This step is usually fast, but it may take a few minutes. Look for a log entry in your /var/log/syslog such as "Self-testing indicates your ORPort is reachable from the outside. Excellent." If you don't see this message, it means that your relay is not reachable from the outside. You should re-check your firewalls, check that the IP and ports you specified in your torrc are correct, etc. When it confirms that it's reachable, it will upload a "server descriptor" to the directory authorities to let clients know what address, ports, keys, etc your relay is using. After a few hours (to give it enough time to propagate), you can query [https://atlas.torproject.org Atlas] to see whether your relay has successfully registered in the network. If it hasn't, re-check firewalls, IP and ports again.
     2337. Consider if you'd like to switch to the [https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy Reduced exit policy].
     234
     235=== Advice for all relays ===
     236Don't forget to give your relay a name in the "Nickname field in your torrc. You can use the "Relay Search" function on Atlas (https://atlas.torproject.org/) to see if a name is already in use, if you'd like your name to be unique. Be creative!
     237
     238By default, Tor may attempt to use all of the bandwidth you provide the system. You can limit these speeds by adjusting the following values in your torrc:
     239   
     240    RelayBandwidthRate 30 MBytes
     241    RelayBandwidthBurst 100 MBytes
     242
     243Adding these lines to your torrc would cause Tor to use 30 MBytes/second, and "burst" up to 100 MBytes/second. By adjusting the BandwidthRate and the BandwidthBurst, you can limit the amount of bandwidth Tor uses to something you are comfortable with.
     244
     245It is also important to provide a contact email address. You can do this with the "ContactInfo" flag in your torrc. As an example:
     246   
     247ContactInfo 0xFFFFFFFF Random Person <nobody AT example dot com>
     248
     249As you can see above, you can also add PGP key information (replace "0xFFFFFFFF" with your PGP key ID) to your ContactInfo.
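Review bot: Line 243 tells the reader to adjust "the BandwidthRate and the BandwidthBurst", but the example at lines 240-241 and every torrc block on the page set RelayBandwidthRate and RelayBandwidthBurst, so the prose names options the example does not use. Suggest using the Relay-prefixed names in the sentence so the text and the example agree. Smaller points in the same section: line 236 opens a quote before Nickname that is never closed ("Nickname field), line 245 calls ContactInfo a "flag" where the rest of the page treats it as a torrc line, and the ContactInfo example at line 247 is not indented like the bandwidth example, so it will not render as a preformatted block. Line 17 and its copies read "include then in the family" where "them" is meant.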