March 1, 2011

Running a Tor relay / node / server on Ubuntu

Posted in Society, Software at 07:29 by graham

Updated October 2013: Minor edits.

Right now, for people like me who have access to servers, the single biggest benefit we can provide to society at large is by running a Tor relay. Tor provides anonymity to users of the Internet.

This page is about contributing to the network by running a relay (or server, or node – same thing). If you want to use Internet services anonymously, you probably want the Tor Browser Bundle.

There’s are good official instructions on running a relay.

Install it from the official repository

Edit your sources list: /etc/apt/sources.list

Add the following lines. Substitute ‘raring’ (13.04) with your Ubuntu or Debian version see list:

# Tor
deb http://deb.torproject.org/torproject.org raring main

Add the Tor public key:

gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -

Install it:

sudo apt-get update
sudo apt-get install tor tor-arm

Edit the obvious parts of the config file

Edit the config file: /etc/tor/torrc, mainly the This section is just for relays part.

Set the ORPort. Give your relay a nice Nickname. Set Address, ContactInfo, and so on.

RelayBandwidthRate: Throttle it

The RelayBandwidthRate and RelayBandwidthBurst settings are very important. The Tor network has many clients (think Tunisia, Egypt, Libya, Anonymous, etc), and they’ll take all the bandwidth you can spare. Here’s what happened to my bandwidth when I left it unthrottled.

After the peak, you can see two steps where I throttled it back gradually.

ExitPolicy: Decide whether you will be an exit relay, and what kind of exit

Traffic in the tor network bounces around between relays, then exits to the real destination. If the Tor user does something nasty to the destination, they will complain to the hosting provider of the exit relay, because it looks like the traffic comes from there.

Your first step should be to just get your relay up and running, without any further reading, so start with no exits:

ExitPolicy reject *:* # no exits allowed

Start it

sudo service tor start
sudo tail -f /var/log/tor/log

Congratulations! You are now, in a small way, helping oppressed people all over the world.

ExitPolicy redux

Exit relays are obviously very important, so you should consider being one. Read these to help you decide:

You can decide which ports you allow users to connect to from your exit relay. Obvious ones to block are port 25 (to prevent sending of email spam) and bittorrent ports 6881-7000 (to keep the network fast). Blocking port 80 should cut the bulk of the abuse, but also makes your node less useful, so that’s a tough call.

If you want to dip your toes in the exit waters, be an IRC exit node. IRC is being used by some people in the North African and Middle-Eastern uprisings.

ExitPolicy accept *:6660-6667,reject *:*  # allow irc ports but no more

I ran an IRC-only exit for a while with no problems. I’ve recently opened it up a bit more. Here is my current exit policy:

ExitPolicy accept *:22  # ssh
ExitPolicy accept *:465 # smtps (SMTP over SSL)
ExitPolicy accept *:993 # imaps (IMAP over SSL)
ExitPolicy accept *:994 # ircs (IRC over SSL)
ExitPolicy accept *:995 # pop3s (POP3 over SSL)
ExitPolicy accept *:5222 # xmpp
ExitPolicy accept *:6660-6697 # allow irc ports, very widely
ExitPolicy reject *:* # no other exits allowed

Assuming you put correct contact information in your config file, the Tor project will send you an email once your node has been up for a few days, to welcome you to the network.

arm – Watch cool stuff happen

Now that your relay is up, type arm on the command line. Arm is a command line (curses) monitor for your relay.

Happy relaying!

12 Comments »

  1. BeagleBone Tor | fortune datko said,

    August 24, 2013 at 16:26

    [...] to run an exit node, start with tailored exit policies for certain protocols.  A good guide is here which limits the exit ports to ssh, ircs and a few [...]

  2. Raspberry Pi as TOR Middle Relay | cave's tinker pit said,

    August 3, 2013 at 13:14

    [...] http://www.atagar.com/arm/ http://www.darkcoding.net/society/running-a-tor-relay-node-server-on-ubuntu/ [...]

  3. tor in bridge mode: traffic? said,

    October 12, 2012 at 18:22

    [...] You can see the importance of throttling the bandwidth from tehgraph here http://www.darkcoding.net/society/ru…ver-on-ubuntu/ The TOR project recommends a minimum of 30 KB/s so you are well above that (if not up to the [...]

  4. Richard said,

    September 28, 2012 at 04:16

    Great tutorial. It works like a charm. Also, if you haven’t installed arm as shown above, you really should as it’s a wonderful tool. Thanks both.

  5. My first 24 hours as a Tor exit node | Focus Determines Reality said,

    February 18, 2012 at 20:06

    [...] setup a limited Tor exit node in my home yesterday by following @grahamking‘s guide for Ubuntu. Presently I’m using Ubuntu 11.10 x64 on a spare laptop. The laptop is HP/Compaq 6510b; not [...]

  6. Graham King said,

    September 26, 2011 at 17:20

    @Bill tor-arm is excellent, thanks! For anyone else looking for it on 10.04, it’s in the backports repository, which is not enabled by default.

  7. Bill said,

    September 25, 2011 at 17:50

    Found a great tool for monitoring Tor relay:

    http://www.atagar.com/arm/

    I installed using sudo apt-get install tor-arm

    I feel like I’m now in control of my new Tor relay – especially since I’m dealing with Ubuntu server, CLI, and I’m a Linux novice.

  8. Graham King said,

    September 24, 2011 at 01:53

    @Bill I don’t know how to monitor the bandwidth directly – please add a comment if you have a solution. Linode (my hosting provider, whom I love) has bandwidth graphs in their admin panel, so I just use that.

    The relay uses about 200 GB / month. Linode pools quota from all your machines, so I have 600 GB of bandwidth available, which I never come near. If your ISP is a hassle – change! :-)

  9. Bill said,

    September 23, 2011 at 17:18

    Thanks, Graham, for this. This will speed my deployment of my Tor node.

    Question: how do I monitor the bandwidth through my Tor node? Is there a log file …

    Also, has your ISP given you any hassle about exceeding some invisible bandwidth threshold?

  10. Graham King said,

    August 10, 2011 at 20:05

    @Steve. Nope, no complaints at all. I even forgot I was running the relay until I saw your question!

    @Eugeniu: Not that I know of.

  11. Steve said,

    August 10, 2011 at 15:43

    So now it’s been 5 months since your post. Have you gotten any complaints about spamming from your open SMTPS (port 465) exit?

  12. Eugeniu said,

    May 25, 2011 at 23:37

    Nice tutorial. Thanks! Is there a simple way to monitor instantaneous traffic rates through the Tor network on my machine? Like maybe an iftop filter for the user debian-tor or something like that.

Leave a Comment

Note: Your comment will only appear on the site once I approve it manually. This can take a day or two. Thanks for taking the time to comment.