Azgard

Azgard

Software developer and Tor proponent

Setting up a Tor Relay

9 minute read

In this guide I’ll describe how to setup a Tor relay (middle/guard) under Debian Bookworm (12.0). I mostly follow the official instructions, but I’ve included some steps that I use in my workflow, and accommodated for the latest version of Debian.

Tip: if you’ve already got a server setup and ready to go skip straight to section 2.

0. Prerequisites

Before you begin you’ll need root access to the server where you wish to run your relay. If you don’t have a server yet take a look at https://community.torproject.org/relay/relays-requirements/ and https://community.torproject.org/relay/community-resources/good-bad-isps/ where you can find useful information and a host of options. I’ll be writing a detailed post on how to select a good host and optimal system specifications in future, and will update this post when it’s published. For now, I recommend a system with a minimum of 1vCPU core, 1GB of RAM, a 100Mbps connection, and at least 10TB of bandwidth. Ideally you’d want a 1Gbps connection and unmetered bandwidth. 2GB of RAM could be useful if you’re able to sustain over 100Mbps. You may also want to consider a higher performance single vCPU core, e.g. a fast AMD EPYC or Ryzen rather than a low end Intel Xeon. As Tor is single threaded it can only effectively utilize one CPU core. This should change in the future with Arti TODO add a link

The official guide from the Tor Project is also worth reviewing: https://community.torproject.org/relay/technical-considerations/

1. Prepare your system

Updating

Before you begin, ensure that your operating system is up to date.

apt update
apt upgrade -y

I always recommend restarting your server once you’ve completed any major updates.

reboot

Upgrading your major OS version

If you’ve just setup a new VPS (virtual private server) you may not be on the latest version of Debian. Run

lsb_release -a or cat /etc/debian_version

And if you see anything below bookworm or 12 you’ll want to upgrade. This guide gives a summary of how to do it. I’ve found the following to work for me:

First upgrade all your packages and then remove any unnecessary ones.

apt update
apt upgrade
apt dist-upgrade
apt autoremove

Reboot your system.

reboot

Update source.list to tell apt to use the Debian Bookworm repositories and not the earlier ones, bullseye in this example.

sed -i 's/bullseye/bookworm/g' /etc/apt/sources.list

Then update the apt repository cache again, and upgrade everything. You’ll be asked if you want to restart services automatically, and perhaps if you want to keep your current config files or accept the new ones. Use your discretion, I usually keep my local copies of config files and allow all services to restart automatically.

apt update
apt upgrade --without-new-pkgs
apt full-upgrade

Finally, reboot the system.

reboot

Once your system has rebooted, verify that the upgrade worked:

lsb_release -a

You should see release 12 and codename bookworm.

If you need more information the official upgrade page can be found at https://www.debian.org/releases/bookworm/amd64/release-notes/ch-upgrading.en.html.

Automatic Updates

As recommended by the official Tor relay guide it’s a good idea to enable automatic software updates on your server if you’ll be running a relay. For full instructions see the aforementioned page, the following summary should work just fine on a fresh Debian system.

Install the required packages:

apt install unattended-upgrades apt-listchanges

Edit the unattended-upgrades config file:

vim /etc/apt/apt.conf.d/50unattended-upgrades

And add "origin=TorProject"; as the last entry under the Unattended-Upgrade::Origins-Pattern section. If you’d like to allow automatic rebooting, you can also add the following line to the end of this file:

Unattended-Upgrade::Automatic-Reboot "true";

Next, create the auto-upgrades config file:

vim /etc/apt/apt.conf.d/20auto-upgrades

Update/create it to have the following values:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::AutocleanInterval "5";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Verbose "1";

If you’d like to test your config, you can run either:

unattended-upgrade --debug --dry-run or unattended-upgrade --debug

The non dry-run may cause your system to reboot if you have any outstanding updates.

Adding a non-root user

If you only have the root user on your system you should create a new user for your every day activities. This helps to keep your system secure.

Run adduser <username> and enter a password and details for your new user. Be sure to replace <username> with the username you’d like to use.

Next you should allow your new user to run the sudo command, so that you can perform system administration tasks without having to switch to root every time. If you don’t already have the relevant package installed (test with sudo -l and see if you’re asked for your password), you can install it using:

apt install sudo

Now you can add your user to the sudo group by running:

usermod -aG sudo <username>

Test that you can login as your new user, you can do this by SSHing into your system with the user. e.g. ssh <username>@<server_ip_address>. Once you’re logged in, run id and verify that you are in the sudo group. You could also test this by running sudo -l and entering your password when prompted.

At this stage you should probably update your SSH server config to disallow root logins, you can do this by editing the config,

sudo vim /etc/ssh/sshd_config

and setting PermitRootLogin to no. Then reload the SSH daemon:

sudo systemctl reload ssh

Ensure that you can still login via SSH after this change. You may want to leave an SSH session logged in as root open while you fine tune your SSH settings just incase you lock your new user out.

Setting up a firewall

I recommend running a firewall so that you can explicitly allow traffic to your server. You can use whichever you like, I personally like ufw as it’s very easy to use.

Install ufw:

sudo apt install ufw

Allow the services, ports, IP, etc.. that you need:

Ensure you allow SSH using something like:

sudo ufw allow OpenSSH

Or by specifying the port explicitly if you’re not using the default of 22,

sudo ufw allow <ssh port>/tcp

You could also choose to allow all traffic to your server from your IP (if you have a static one), by running:

sudo ufw allow from <your ip>

Next, you need to enable the firewall: sudo ufw enable

You can then check the status using sudo ufw status

If you know which port you’d like to use for your relay you can allow it now, for example I generally use:

sudo ufw allow 443/tcp - allow the default relay port

sudo ufw reload - Reload the ufw rules so that they take effect

For more details on using ufw this page is helpful https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04.

2. Installing Tor

The official guide for this can be found here, I present a summary below.

First install the required packages:

sudo apt install apt-transport-https

Next, create the apt sources list file for the tor repository:

sudo vim /etc/apt/sources.list.d/tor.list

And add the following two lines to it:

deb     [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main
deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main

Next, import the relevant signature for the Tor package repository:

wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | 
gpg --dearmor | sudo tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null

Note: If gpg is missing, install it: sudo apt install gpg

Finally, update the apt repository cache and install tor 🎉

sudo apt update

sudo apt install tor deb.torproject.org-keyring

3. Configuring your Tor relay

Now that you’ve got Tor installed the next step is to configure your relay. A minimal config file is provided by the Tor Project, here, is shown below:

Nickname    myNiceRelay  # Change "myNiceRelay" to something you like
ContactInfo your@e-mail  # Write your e-mail and be aware it will be published
ORPort      443          # You might use a different port, should you want to
ExitRelay   0
SocksPort   0

I use a slightly modified config file as my default, with the additional options shown below:

# allow users in debian-tor to read the cookie auth file, for nyx
CookieAuthFileGroupReadable 1 

RelayBandwidthRate 100 MBytes
RelayBandwidthBurst 120 MBytes
MaxAdvertisedBandwidth 100 MBytes
AccountingStart day 0:00
AccountingMax 200 GBytes

Update your torrc file based on the above:

sudo vim /etc/tor/torrc

I plan to write another post to explore these options in the future, for now they’re fairly self explanatory. If you have a bandwidth cap I recommend setting AccountingStart and AccountingMax. The values above allow the relay to use 200 GB of data every day, and the cap resets at midnight.

You can find out more about Tor’s bandwidth options at https://onbasca.readthedocs.io/en/latest/bandwidth_tor.html, and on the official site here https://support.torproject.org/relay-operators/bandwidth-shaping/.

Families

If you run more than one relay (excluding bridges) you should specify the MyFamily config option and include the fingerprints of each of your relays. For e.g.

MyFamily <relay1key>,<relay2key>

I’ll cover this in more detail in the future, for now the basics are described in https://community.torproject.org/relay/setup/post-install/.

4. Start your relay!

Now you’re all set to startup your new tor relay. Restart your relay by running:

sudo systemctl restart tor@default

You can use systemctl status to view the status of the service, or view the logs using:

sudo journalctl -e -u tor@default

Review the logs and take note of any warnings or errors which you may need to correct. You should see that tor discovers the IP address of your server, and verifies that it’s reachable from the outside world.

5. Post install tasks

The offical post-install and best practises page is worth a read. Much of this section is based on that.

Monitoring

You should find your relay using the Tor Metric Relay Search page and bookmark it for future review. As mentioned in the post-install notes, your relay will only appear here a few hours after it’s first started.

Be sure to read the page listed about the lifecycle of a new relay so you can understand the process, and why your relay won’t see much use for a while.

Nyx

It’s convenient to be able to monitor your relay over SSH, you can do this via nyx.

First you’ll need to install it using:

sudo apt install nyx

Second, you’ll need to add your user to the debian-tor group so that you have the access to run nyx. You can do this by running:

sudo usermod -aG debian-tor <username>

For it to work you’ll need to logout and back in, or login with a new SSH session to test it. You can run id to view the list of groups you’re in, you should see debian-tor in the list if it worked.

Now you can run nyx and should be presented with a GUI displaying various pieces of information about your relay. I personally use this to monitor my relays logs, bandwidth, and system resource usage.

You can find out more by visiting https://nyx.torproject.org/.

Logs

You can view the logs of your relay by running:

sudo journalctl -e -u tor@default

Uptime Robot

You should use a service such as Uptime Robot in order to monitor your relay, and be notified if it goes down unexpectedly. This is fairly straight forward, and a quick Google or DuckDuckGo search should be sufficient.

It’s worth noting that if you’ve configured your relay to only use a certain amount of bandwidth, then liveness probes will fail when it reaches the cap. If you login to your relay and run nyx you’ll be able to see whether or not this is the case.

Conclusion

That’s it! Be sure to keep an eye on your relay, it can be quite fun to see how it gets used more and more over time.

If you have any questions that haven’t been answered you could try the Tor Operators Mailing List, or the relevant section of the Tor Project forum.

Thanks for running a relay! 🙏 Enjoy contributing to the Tor network

Updated: