Setting Up A Tor Relay Node
Apr 15, 2020 00:00 · 1431 words · 7 minute read
Why Tor
The Tor network is a critical part of the anonymous, private, and secure internet. People often reach for a VPN for anonymity online when they should in fact be reaching for the Tor network. Unlike many other pieces of the Internet we interact with regularly, the Tor network isn’t run by any single individual or organization. Companies, public institutions, and individuals all over the world donate their own server resources to create the nodes in Tor’s famous onion-routing topology. The more nodes that exist, the stronger the network becomes.
Type of Tor nodes
There are three main kinds of Tor nodes you could run:
- Exits are where users leave the Tor network and connect back to the Internet (or clearnet)
- Bridges are used to circumvent network censorship in countries where Tor usage is banned or illegal (where you wouldn’t be able to connect to a public relay)
- Guard and Middle relays (or simply, relays) are how most users connect to the Tor network; all of their data bounces between multiple relays before reaching an exit node
Exit nodes are generally restricted to being run by larger organizations because of the legal requirements and risks associated with them. Individuals then take up the mantle of running bridges and relays. There’s nothing legally risky about running a bridge or a relay, and many hosting providers openly accept Tor relays on their infrastructure. This makes it trivial to strengthen the Tor network with minimal effort and resources.
Overview
These instructions are based on using Ubuntu 18.04 LTS running on a $5 DigitalOcean droplet (VPS), but can be easily adapted to your own hardware and software configuration using the resources at the end of this guide. It is assumed you can perform basic command line operations in Linux, remotely log in to a server, and are operating as root. If you aren’t the root user, you will need to add sudo to the beginning of the terminal commands below.
Choosing a hosting provider
The first step is choosing a hosting provider for your Tor relay node. Different factors can help you determine which provider to use, such as price and familiarity with their environment. Many popular VPS providers (AWS, DigitalOcean, DreamHost, OVH, etc.) have no problem with you running Tor relays on their infrastructure.
For this example, we’re going to use DigitalOcean because it is affordable and will be familiar to even casual developers and technologists. If you’d like to use another provider, you can use the link below that contains a list of VPS providers that are suitable for Tor relays:
https://trac.torproject.org/projects/tor/wiki/doc/GoodBadISPs
The Tor Project recommends running nodes in locations that increase the geographic distribution of nodes around the world. The link below shows the number of nodes in countries around the world. With a moderately fast internet connection, you won’t notice much difference between remotely accessing a server near you or on the other side of the Earth. Feel free to diversify the geographical pool as you see fit.
https://metrics.torproject.org/rs.html#aggregate/cc
Requirements
The general requirements for a relay are as follows:
- 7000 concurrent connections
- 16 Mb/s upload speeds
- 16 Mb/s download speeds
- Public IPv4 address (doesn’t need to be static)
- Public IPv6 address (optional, but recommended)
- 1GB of RAM
- At least 100GB of outbound traffic per month
- At least 100GB of inbound traffic per month
These are easily handled by even the cheapest $5 droplet on DigitalOcean and many of the lowest-tier options offered by commercial VPS providers.
Pick your OS and create your droplet
Ubuntu is a great operating system to use for your relay and the Tor Project manages first-party repositories with everything needed to get up and running quickly. At the time of writing, Ubuntu 18.04 is the LTS version (Long-Term Support) of Ubuntu.
On DigitalOcean, it is trivial to add IPv6 support. When you’re creating your droplet, in the Select additional options area, click the checkbox for IPv6.
Login and first-time updates
After SSH-ing into your server or accessing your console from the web, you should update and upgrade all the base packages:
apt update
apt upgrade -y
Set up unattended upgrades
Next we have to set up unattended upgrades. This will ensure that security updates are applied automatically to your server. Start by installing the packages required for unattended upgrades:
apt install unattended-upgrades apt-listchanges
Then use a text editor to update the configuration file for unattended upgrades:
vim /etc/apt/apt.conf.d/50unattended-upgrades
Delete everything inside and paste the below:
Unattended-Upgrade::Origins-Pattern {
// Debian security updates (matches nothing on Ubuntu, but harmless to keep)
"origin=Debian,codename=${distro_codename},label=Debian-Security";
// Ubuntu security pocket; needed on the Ubuntu 18.04 system used in this guide
"origin=Ubuntu,archive=${distro_codename}-security,label=Ubuntu";
// Tor Project repository added later in this guide
"origin=TorProject";
};
Unattended-Upgrade::Package-Blacklist {
};
Unattended-Upgrade::Automatic-Reboot "true";
Then edit the auto-upgrades configuration file:
vim /etc/apt/apt.conf.d/20auto-upgrades
Similarly, delete everything inside and paste the below:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::AutocleanInterval "5";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Verbose "1";
Finally, test unattended upgrades (which will result in a reboot):
unattended-upgrade -d
Enable Tor repository
Now we have to add the Tor Project’s repositories so we can get the latest version of Tor. Start by installing apt-transport-https, which allows apt to fetch packages over HTTPS:
apt install apt-transport-https
Find the codename of the OS release you’re on:
lsb_release -c
Take note of the codename because we’ll need it in the next step. Start by editing the sources list for apt:
vim /etc/apt/sources.list
Add the following 2 lines to the bottom, where you should replace <DISTRIBUTION> with the codename you noted above:
deb https://deb.torproject.org/torproject.org <DISTRIBUTION> main
deb-src https://deb.torproject.org/torproject.org <DISTRIBUTION> main
Download the public GPG key of the Tor Project and import it into the gpg keyring:
wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --import
Export the key and add it to apt’s keyring:
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -
Now test updating the repositories and installing the tor package:
apt update
apt install tor deb.torproject.org-keyring
Set up the Tor config file
Start by editing the Tor configuration file:
vim /etc/tor/torrc
Paste the lines below at the end of the torrc file. Be sure to change the Nickname to something unique with no special characters (no dashes or underscores) and update the ContactInfo email address to one that you can receive emails on (best to use an alias to your account or make a separate email account to receive any Tor-related emails):
Nickname myNiceRelay
ORPort 443
ExitRelay 0
SocksPort 0
ControlSocket 0
ContactInfo tor-operator@your-emailaddress-domain.com
Save your configuration and restart the Tor service for the changes to take effect:
systemctl restart tor@default
Set up a firewall
It’s good practice to enable a firewall on your server. We can use the built-in ufw firewall to allow only SSH access and HTTPS access (port 443, which is our ORPort) to the server:
ufw allow OpenSSH
ufw allow https
ufw enable
Enable IPv6 (optional)
IPv6 is optional but easy to configure, so there are few reasons not to enable it. You’ll have to make sure your provider supports IPv6 access to your server.
Run the following command to test whether IPv6 is accessible and working. You should see OK if the command was successful:
ping6 -c2 2001:858:2:2:aabb:0:563b:1526 && ping6 -c2 2620:13:4000:6000::1000:118 && ping6 -c2 2001:67c:289c::9 && ping6 -c2 2001:678:558:1000::244 && ping6 -c2 2607:8500:154::3 && ping6 -c2 2001:638:a000:4140::ffff:189 && echo OK.
Allow the IPv6 ORPort (9001) through the firewall:
ufw allow 9001
Finally, edit the torrc configuration file:
vim /etc/tor/torrc
Add this line to the end of the torrc file, replacing the IPv6-ADDRESS-HERE-IN-BRACKETS element with your public IPv6 address. Ensure that the IPv6 address stays inside the square brackets:
ORPort [IPv6-ADDRESS-HERE-IN-BRACKETS]:9001
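Before restarting tor it is worth linting the torrc against the rules from the config and IPv6 sections above (alphanumeric Nickname, ExitRelay 0 and SocksPort 0, a ContactInfo line, and square brackets around any IPv6 ORPort address); tor --verify-config -f /etc/tor/torrc checks syntax but not these choices. The script below is an added example, not part of the original post, and check_torrc is a hypothetical name:

```shell
#!/bin/sh
# check_torrc: lint a torrc for the settings this guide relies on.
# Added example, not part of the original post. It checks that the
# Nickname is alphanumeric and at most 19 characters (tor's limit),
# that ExitRelay 0 and SocksPort 0 are set (non-exit relay, no local
# SOCKS listener), that ContactInfo and at least one ORPort exist, and
# that any IPv6 ORPort address is written inside square brackets.

check_torrc() {
    file="$1"
    problems=0
    fail() { echo "torrc: $1"; problems=$((problems + 1)); }

    # First token after the keyword, comments stripped; tor honours the
    # first occurrence of a single-valued option, so we do the same.
    get_opt() {
        sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\([^#[:space:]]*\).*/\1/p" "$file" | head -n 1
    }

    nick=$(get_opt Nickname)
    case "$nick" in
        "")              fail "Nickname is missing" ;;
        *[!A-Za-z0-9]*)  fail "Nickname '$nick' may only contain letters and digits" ;;
    esac
    [ "${#nick}" -le 19 ] || fail "Nickname '$nick' is longer than 19 characters"

    [ "$(get_opt ExitRelay)" = "0" ] || fail "ExitRelay 0 is required for a non-exit relay"
    [ "$(get_opt SocksPort)" = "0" ] || fail "SocksPort 0 is required (no local SOCKS listener)"
    [ -n "$(get_opt ContactInfo)" ]   || fail "ContactInfo is missing"

    # Every ORPort line; an address with more than one colon is IPv6 and
    # must be bracketed, e.g. [2001:db8::1]:9001.
    ports=$(sed -n 's/^[[:space:]]*ORPort[[:space:]]\{1,\}\([^#[:space:]]*\).*/\1/p' "$file")
    [ -n "$ports" ] || fail "no ORPort configured"
    for p in $ports; do
        case "$p" in
            \[*\]:*) ;;
            *:*:*)   fail "IPv6 ORPort '$p' must be written as [address]:port" ;;
        esac
    done

    [ "$problems" -eq 0 ]
}

# Usage: sh check_torrc.sh /etc/tor/torrc   (exit status 0 means no problems)
if [ "$#" -gt 0 ]; then check_torrc "$1"; fi
```

Each problem is printed on its own line, so the script can gate a systemctl restart tor@default in a deployment script.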
Confirming functionality
Once the setup is complete, you’ll have to wait a few hours for the relay’s information to propagate through the Tor network. Then you’ll be able to search for your relay’s nickname at the following link and see its status:
https://metrics.torproject.org/rs.html
Final thoughts
With basic Linux experience, you can add to the strength and resilience of the Tor network in less than 15 minutes for mere dollars per month. Every node helps and provides a better tool for individuals and organizations that rely on anonymity to stay safe. We hope you’ll decide to contribute to the Tor network.
References
If you encounter any issues or are interested in running a Tor relay with different configurations than the ones proposed above, you can use the following links as further references:
- Main reference documentation with more information:
- Great pre-made shell script that does a lot of the setup for you if you prefer:
- List of all Tor nodes globally:
- List of ISPs and VPS providers that clarifies which ones allow Tor nodes:
- Setup IPv6 on DigitalOcean:
- Setting up automatic upgrades on Debian/Ubuntu:
- Enabling Tor repository with apt:
- Setting up torrc config file:
- Setup IPv6:
- Running relays with different operating systems: