If you’ve seen the Tor Challenge, you may be wondering how hard it really is to run a relay on one of your spare machines… It’s not hard at all! You can probably get up and running in less than half an hour.
The following instructions detail how to set up a middle relay on a fresh Ubuntu 14.04 (Trusty), but should apply to most Ubuntu configurations. Also, the official documentation covers every topic you can possibly think of.
Anyways, let’s get to it.
Tor is pretty sensitive to clock skews, so the first thing we are going to do is install the
openntpd package on the system in order to keep the clock in sync:
$ sudo apt-get install openntpd
The default configuration worked perfectly for me, but feel free to review it at
We can check our clock skew by running something like this:
$ ntpdate -q ntp.ubuntu.com server 22.214.171.124, stratum 2, offset -0.004620, delay 0.03673 server 126.96.36.199, stratum 2, offset -0.122827, delay 0.27477 6 Jul 17:06:23 ntpdate: adjust time server 188.8.131.52 offset -0.004620 sec
The offset is well under a second, so we are good.
Although there’s a
tor package in Ubuntu’s universe repository, it isn’t always up to date, so by using it we could be missing stability and security fixes.
We’ll fetch Tor from the official package repository then. The first thing we need to do is add their source to our lists:
$ echo 'deb http://deb.torproject.org/torproject.org trusty main' | sudo tee -a /etc/apt/sources.list.d/torproject.list
We’ll also need to add the GPG key used to sign the packages:
$ gpg --keyserver keys.gnupg.net --recv 886DDD89 $ gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
If we refresh our sources, we should see http://deb.torproject.org being hit a bunch of times:
$ sudo apt-get update Hit http://deb.torproject.org trusty InRelease Hit http://deb.torproject.org trusty/main amd64 Packages ...
We can check that the
tor package will be installed from the correct repository by doing something like:
$ sudo apt-cache showpkg tor Package: tor Versions: 0.2.4.22-1~trusty+1 (/var/lib/apt/lists/deb.torproject.org_torproject.org_dists_trusty_main_binary-amd64_Packages) (/var/lib/dpkg/status) ... 0.2.4.20-1 (/var/lib/apt/lists/azure.archive.ubuntu.com_ubuntu_dists_trusty_universe_binary-amd64_Packages) ...
Everything looks good, so let’s do this:
$ sudo apt-get install tor
The Tor project also provides a package to keep the signing key current. That’s a good thing, so we’ll install it too:
$ sudo apt-get install deb.torproject.org-keyring
Now we just need to configure Tor.
We can find the configuration file at
/etc/tor/torrc. It’s owned by
root, so we’ll have to
sudo to edit it:
$ sudo nano /etc/tor/torrc
We’ll uncomment the options we need, and set them to the appropriate values, ending up with something like this:
ORPort 9001 DirPort 9030 ExitPolicy reject *:* Nickname trustytohr RelayBandwidthRate 1 MB RelayBandwidthBurst 2 MB AccountingStart month 1 00:00 AccountingMax 100 GB DisableDebuggerAttachment 0
The most important settings are probably
ORPortis the port where Tor listens for connections from other clients and servers. This option is required.
DirPortis the port where Tor advertises the directory service. If we have enough bandwidth, we should set it to a non-zero value.
ExitPolicydetermines whether this node is an exit relay or not. If we don’t want to run an exit relay, just a middle relay, then we should set this option to
There may be legal implications to running a Tor exit relay in your country so, if it’s your first time doing this, you should probably stick to a middle relay. There’s a legal FAQ that explains things pretty clearly.
In the example above, the values for
AccountingMax force Tor to hibernate until the first of the next month if it sends or receives more than 100 GB. This is really useful if we’re hosting our relay somewhere that charges for bandwidth used.
0 is necessary for the monitoring tool we’re going to install in the next step. If you don’t care about monitoring the relay, feel free to leave it out.
The description for all options can be found in the manual.
After we are done editing the file, we’ll need to restart our relay so that the changes take effect:
$ sudo service tor restart
Once our relay connects to the network, it will try to determine whether the ports we configured are reachable from the outside. This step is usually fast, but it may take a few minutes. We can look for the following log entries in
Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor. Self-testing indicates your DirPort is reachable from the outside. Excellent.
If the entries are not there, it means that our relay is not reachable from the outside, so we would need to check port forwarding, firewalls, etc. on our system.
Once Tor decides that our relay is reachable, it will upload a server descriptor to the directory authorities, to let clients know how to connect to it. After a few hours (to give it enough time to propagate), we can query Atlas or Globe to see whether our relay has successfully registered in the network.
If we wanted to watch our relay’s activities from the command line, we could use
arm. It’s like
top for our relay:
To install it, just do:
$ sudo apt-get install tor-arm
One problem you may encounter is that
arm needs to access resources owned by the
debian-tor user, so I usually start it with:
$ sudo -u debian-tor arm
But be aware that this gives
arm access to everything in
/var/lib/tor/, including our keys, so we are expanding the attack surface. Hopefully this will be improved in future versions.