Run A Tor Relay On Ubuntu Trusty

If you’ve seen the Tor Challenge, you may be wondering how hard it really is to run a relay on one of your spare machines… It’s not hard at all! You can probably get up and running in less than half an hour.

The following instructions detail how to set up a middle relay on a fresh Ubuntu 14.04 (Trusty), but should apply to most Ubuntu configurations. Also, the official documentation covers every topic you can possibly think of.

Anyways, let’s get to it.

Installing OpenNTPD

Tor is pretty sensitive to clock skews, so the first thing we are going to do is install the openntpd package on the system in order to keep the clock in sync:

$ sudo apt-get install openntpd

The default configuration worked perfectly for me, but feel free to review it at /etc/openntpd/ntpd.conf.

We can check our clock skew by running something like this:

$ ntpdate -q ntp.ubuntu.com
server 91.189.89.199, stratum 2, offset -0.004620, delay 0.03673
server 91.189.94.4, stratum 2, offset -0.122827, delay 0.27477
 6 Jul 17:06:23 ntpdate[16452]: adjust time server 91.189.89.199 offset -0.004620 sec

The offset is well under a second, so we are good.

Installing Tor

Although there’s a tor package in Ubuntu’s universe repository, it isn’t always up to date, so by using it we could be missing stability and security fixes.

We’ll fetch Tor from the official package repository then. The first thing we need to do is add their source to our lists:

$ echo 'deb http://deb.torproject.org/torproject.org trusty main' | sudo tee -a /etc/apt/sources.list.d/torproject.list

We’ll also need to add the GPG key used to sign the packages:

$ gpg --keyserver keys.gnupg.net --recv 886DDD89
$ gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -

If we refresh our sources, we should see http://deb.torproject.org being hit a bunch of times:

$ sudo apt-get update
Hit http://deb.torproject.org trusty InRelease
Hit http://deb.torproject.org trusty/main amd64 Packages
...

We can check that the tor package will be installed from the correct repository by doing something like:

$ sudo apt-cache showpkg tor
Package: tor
Versions:
0.2.4.22-1~trusty+1 (/var/lib/apt/lists/deb.torproject.org_torproject.org_dists_trusty_main_binary-amd64_Packages) (/var/lib/dpkg/status)
...
0.2.4.20-1 (/var/lib/apt/lists/azure.archive.ubuntu.com_ubuntu_dists_trusty_universe_binary-amd64_Packages)
...

Everything looks good, so let’s do this:

$ sudo apt-get install tor

The Tor project also provides a package to keep the signing key current. That’s a good thing, so we’ll install it too:

$ sudo apt-get install deb.torproject.org-keyring

Now we just need to configure Tor.

Configuring Tor

We can find the configuration file at /etc/tor/torrc. It’s owned by root, so we’ll have to sudo to edit it:

$ sudo nano /etc/tor/torrc

We’ll uncomment the options we need, and set them to the appropriate values, ending up with something like this:

ORPort 9001
DirPort 9030
ExitPolicy reject *:*

Nickname trustytohr
RelayBandwidthRate 1 MB
RelayBandwidthBurst 2 MB

AccountingStart month 1 00:00
AccountingMax 100 GB

DisableDebuggerAttachment 0

The most important settings are probably ORPort, DirPort and ExitPolicy:

There may be legal implications to running a Tor exit relay in your country so, if it’s your first time doing this, you should probably stick to a middle relay. There’s a legal FAQ that explains things pretty clearly.

In the example above, the values for AccountingStart and AccountingMax force Tor to hibernate until the first of the next month if it sends or receives more than 100 GB. This is really useful if we’re hosting our relay somewhere that charges for bandwidth used.

Setting DisableDebuggerAttachment to 0 is necessary for the monitoring tool we’re going to install in the next step. If you don’t care about monitoring the relay, feel free to leave it out.

The description for all options can be found in the manual.

After we are done editing the file, we’ll need to restart our relay so that the changes take effect:

$ sudo service tor restart

Once our relay connects to the network, it will try to determine whether the ports we configured are reachable from the outside. This step is usually fast, but it may take a few minutes. We can look for the following log entries in /var/log/tor/log:

Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Self-testing indicates your DirPort is reachable from the outside. Excellent.

If the entries are not there, it means that our relay is not reachable from the outside, so we would need to check port forwarding, firewalls, etc. on our system.

Once Tor decides that our relay is reachable, it will upload a server descriptor to the directory authorities, to let clients know how to connect to it. After a few hours (to give it enough time to propagate), we can query Atlas or Globe to see whether our relay has successfully registered in the network.

Monitoring Tor

If we wanted to watch our relay’s activities from the command line, we could use arm. It’s like top for our relay:

Running arm

To install it, just do:

$ sudo apt-get install tor-arm

One problem you may encounter is that arm needs to access resources owned by the debian-tor user, so I usually start it with:

$ sudo -u debian-tor arm

But be aware that this gives arm access to everything in /var/lib/tor/, including our keys, so we are expanding the attack surface. Hopefully this will be improved in future versions.