Setting up a Tor Relay
In this guide I’ll describe how to set up a Tor relay (middle/guard) under Debian Bookworm (12.0). I mostly follow the official instructions, but I’ve included some steps that I use in my workflow and adjusted them for the latest version of Debian.
Tip: if you’ve already got a server set up and ready to go, skip straight to section 2.
0. Prerequisites
Before you begin you’ll need root access to the server where you wish to run your relay. If you don’t have a server yet take a look at Relay Requirements and Good Bad ISPs where you can find useful information and a host of options.
I recommend a system with a minimum of 1 vCPU core, 1GB of RAM, a 100Mbps connection, and at least 10TB of bandwidth. Ideally you’d want at least a 1Gbps connection and unmetered bandwidth. 2GB of RAM or more is important if you’re able to sustain over 100Mbps. You may also want to consider a higher-performance single vCPU core, e.g. a fast AMD EPYC or Ryzen rather than a low-end Intel Xeon. As Tor is single-threaded it can only effectively utilize one CPU core. This should change in the future with Arti.
The official Technical Considerations guide from the Tor Project is also worth reviewing.
1. Prepare your system
Updating
Before you begin, ensure that your operating system is up to date.
apt update
apt upgrade -y
Once that completes, restart your server if you’ve installed any major updates.
reboot
Upgrading your major OS version
If you’ve just set up a new VPS (virtual private server) you may not be on the latest version of Debian. Run:
lsb_release -a
or:
cat /etc/debian_version
If you see anything below bookworm (12), you’ll want to upgrade. This guide gives a summary of how to do it.
I’ve found the following to work for me:
First upgrade all your packages and then remove any unnecessary ones.
apt update
apt upgrade
apt dist-upgrade
apt autoremove
Reboot your system.
reboot
Update sources.list to tell apt to use the Debian Bookworm repositories rather than the earlier ones (bullseye in this example):
sed -i 's/bullseye/bookworm/g' /etc/apt/sources.list
Then update the apt repository cache again, and upgrade everything. You’ll be asked if you want to restart services automatically, and if you want to keep your current config files or accept the new ones. Use your discretion; I usually keep my local copies of config files and allow all services to restart automatically.
apt update
apt upgrade --without-new-pkgs
apt full-upgrade
Finally, reboot the system:
reboot
Once your system has rebooted, verify that the upgrade worked:
lsb_release -a
You should see release 12 and codename bookworm.
If you need more information see the official Upgrades from Debian 11 page.
Automatic Updates
As recommended by the official Tor relay guide, it’s a good idea to enable automatic software updates on your server if you’ll be running a relay. For full instructions see that page; the following summary should work on a fresh Debian system.
Install the required packages:
apt install unattended-upgrades apt-listchanges
Edit the unattended-upgrades config file:
vim /etc/apt/apt.conf.d/50unattended-upgrades
Add the following as the last entry under the Unattended-Upgrade::Origins-Pattern section:
"origin=TorProject";
If you’d like to allow automatic reboots, you can add the following line to the end of this file. Just remember, a relay is expected to be stable, and multiple restarts will count against you.
Unattended-Upgrade::Automatic-Reboot "true";
Next, create the auto-upgrades config file:
vim /etc/apt/apt.conf.d/20auto-upgrades
Then add the following values; the numbers represent days.
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::AutocleanInterval "5";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Verbose "1";
If you’d like to test your config, you can do a dry run:
unattended-upgrade --debug --dry-run
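A dry run tells you whether unattended-upgrades runs at all, but not whether it will pick up Tor Project packages. The following shell function is an added example, not part of the original post: it audits the two files edited above for the TorProject origin and a daily schedule. The directory argument and the sample files it builds are assumed and constructed here; point it at /etc/apt/apt.conf.d on a real host.

```shell
# Audit the apt config the guide edits: does unattended-upgrades know about
# the TorProject origin, and is the daily run enabled? $1 is the directory
# holding 50unattended-upgrades and 20auto-upgrades (/etc/apt/apt.conf.d on a
# real host; a constructed fixture below).
check_auto_updates() {
    dir="$1"; missing=""
    # Only entries inside the Origins-Pattern { ... }; block count.
    if ! sed -n '/Unattended-Upgrade::Origins-Pattern[[:space:]]*{/,/^};/p' \
            "$dir/50unattended-upgrades" 2>/dev/null |
         grep -q '^[[:space:]]*"origin=TorProject";'; then
        missing="$missing origin=TorProject"
    fi
    # Both periodic jobs must be present with a non-zero interval (in days).
    for key in Update-Package-Lists Unattended-Upgrade; do
        if ! grep -Eq "^APT::Periodic::$key \"[1-9][0-9]*\";" \
                "$dir/20auto-upgrades" 2>/dev/null; then
            missing="$missing APT::Periodic::$key"
        fi
    done
    if [ -n "$missing" ]; then
        echo "auto-updates incomplete, missing:$missing" >&2
        return 1
    fi
    echo "auto-updates OK: TorProject origin and daily schedule present"
}

# Constructed fixture shaped like the stock Debian files; $2 = good|bad.
make_fixture() {
    mkdir -p "$1"
    {
        echo 'Unattended-Upgrade::Origins-Pattern {'
        echo '        "origin=Debian,codename=${distro_codename},label=Debian-Security";'
        if [ "$2" = good ]; then echo '        "origin=TorProject";'; fi
        echo '};'
    } > "$1/50unattended-upgrades"
    {
        echo 'APT::Periodic::Update-Package-Lists "1";'
        echo 'APT::Periodic::AutocleanInterval "5";'
        if [ "$2" = good ]; then echo 'APT::Periodic::Unattended-Upgrade "1";'; fi
        echo 'APT::Periodic::Verbose "1";'
    } > "$1/20auto-upgrades"
}
```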
Adding a non-root user
If you only have the root user on your system you should create a new user for your everyday activities. This helps to keep your system secure.
Run the following command and enter a password and details for your new user. Be sure to replace <username> with your new username.
adduser <username>
Next you should allow the user to run the sudo command, so that you can perform system administration tasks without having to switch to root. If you don’t have the relevant package installed (test with sudo -l and see if you’re asked for your password), you can install it using:
apt install sudo
Now add your user to the sudo group by running:
usermod -aG sudo <username>
Test that you can log in as your new user by SSHing into your system with it:
ssh <username>@<server_ip_address>
Once you’re logged in, run id and verify that you’re in the sudo group.
At this stage you should update your SSH server config to disallow root logins. You can do this by editing the config:
sudo vim /etc/ssh/sshd_config
And setting PermitRootLogin to no. Then reload the SSH daemon:
sudo systemctl reload ssh
Ensure that you can still log in via SSH after this change. You may want to leave an SSH session logged in as root open while you fine-tune your SSH settings, just in case you lock your new user out.
Setting up a firewall
I recommend running a firewall so that you can explicitly allow traffic to your server. You can use whichever you like; I personally like ufw as it’s easy to use.
Install ufw:
sudo apt install ufw
Allow the services, ports, or IP addresses that you need:
Ensure you allow SSH using something like:
sudo ufw allow OpenSSH
Or by specifying the port explicitly if you’re not using the default of 22:
sudo ufw allow <ssh port>/tcp
You could also allow all traffic to your server from your IP (if you have a static IP), by running:
sudo ufw allow from <your ip>
Next, you need to enable the firewall:
sudo ufw enable
You can then check the status using:
sudo ufw status
If you know which ORPort you’d like to allow for your relay you can allow it now:
sudo ufw allow <ORPort>/tcp
Finally, reload UFW’s config:
sudo ufw reload
For more details on using UFW see How to Set Up a Firewall with UFW on Ubuntu.
2. Installing Tor
The official guide for installing Tor can be found here; I present a summary below.
First install the required packages:
sudo apt install apt-transport-https
Next, create the apt sources list file for the tor repository:
sudo vim /etc/apt/sources.list.d/tor.list
And add the following lines to it:
deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main
deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main
Next, import the signature for the Tor package repository:
wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc |
gpg --dearmor | sudo tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null
Note: if gpg is missing, install it:
sudo apt install gpg
Finally, update the apt repository cache and install tor: 🎉
sudo apt update
sudo apt install tor deb.torproject.org-keyring
3. Configuring your Tor relay
Now that you’ve got Tor installed, the next step is to configure your relay. A minimal config file is provided by the Tor Project here; I use a modified config file as my default, shown below:
Nickname myNiceRelay # Change "myNiceRelay" to something you like
ContactInfo your@e-mail # Write your e-mail and be aware it will be published
ORPort 443 # You might use a different port, should you want to
ExitRelay 0
SocksPort 0
# allow users in debian-tor to read the cookie auth file, for nyx
CookieAuthFileGroupReadable 1
RelayBandwidthRate 100 MBytes
RelayBandwidthBurst 120 MBytes
MaxAdvertisedBandwidth 100 MBytes
# uncomment to allow a specific amount of bandwidth per day
#AccountingStart day 0:00
#AccountingMax 200 GBytes
Update your torrc file based on the above:
sudo vim /etc/tor/torrc
I plan to write another post exploring these options in the future; for now they’re fairly self-explanatory. See the official Debian page for more details. You could also use the Tor Relay Configurator to generate the file for you.
If you have a bandwidth cap, set AccountingStart and AccountingMax: uncomment the lines above to limit the relay to 200 GB of data every day.
You can find out more about Tor’s bandwidth options at Bandwidth values in Tor (old), the new onbasca site, and on the official bandwidth shaping page.
Families
If you run more than one relay (excluding bridges) you should specify the MyFamily config option and include the fingerprints of each of your relays.
MyFamily <relay1key>,<relay2key>
This concept has been extended by the recent FamilyID addition to Tor alpha.
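Before restarting tor it is worth checking the torrc for the mistakes that matter most on a middle/guard relay: ExitRelay or SocksPort left non-zero, a Nickname tor will reject, or a MyFamily entry that is not a 40-hex-digit fingerprint. The lint below is an added example written for this post, not Tor Project code; the two sample torrc files it writes (the guide’s config and a deliberately broken one, with made-up fingerprints) are constructed here.

```shell
# Lint a middle/guard torrc like the one above. Prints one line per problem
# and returns the number of problems (0 = clean). Checks: Nickname format,
# ContactInfo and ORPort present, ExitRelay and SocksPort explicitly 0,
# MyFamily entries are 40-hex-digit fingerprints (optional leading '$').

# Last uncommented value of an option (tor itself keeps the last occurrence).
torrc_get() {  # $1 = file, $2 = option name
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^#]*\).*/\1/p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

lint_torrc() {
    f="$1"; n=0
    nick=$(torrc_get "$f" Nickname)
    if ! printf '%s' "$nick" | grep -Eq '^[A-Za-z0-9]{1,19}$'; then
        echo "Nickname must be 1-19 alphanumeric characters (got '$nick')"; n=$((n+1))
    fi
    [ -n "$(torrc_get "$f" ContactInfo)" ] || { echo "ContactInfo is missing"; n=$((n+1)); }
    [ -n "$(torrc_get "$f" ORPort)" ] || { echo "ORPort is not set"; n=$((n+1)); }
    [ "$(torrc_get "$f" ExitRelay)" = 0 ] || { echo "ExitRelay must be 0 (this is not an exit)"; n=$((n+1)); }
    [ "$(torrc_get "$f" SocksPort)" = 0 ] || { echo "SocksPort must be 0 (no local proxy on a relay)"; n=$((n+1)); }
    # MyFamily is a comma-separated list of fingerprints, '$' prefix optional
    for fp in $(torrc_get "$f" MyFamily | tr ',' ' '); do
        printf '%s' "$fp" | grep -Eq '^\$?[0-9A-Fa-f]{40}$' ||
            { echo "MyFamily entry is not a relay fingerprint: $fp"; n=$((n+1)); }
    done
    return "$n"
}

# Constructed torrc samples: the guide's own config, and a deliberately broken one.
write_torrc() {  # $1 = path, $2 = good|bad
    if [ "$2" = good ]; then cat > "$1" <<'EOF'
Nickname myNiceRelay # Change "myNiceRelay" to something you like
ContactInfo your@e-mail # Write your e-mail and be aware it will be published
ORPort 443
ExitRelay 0
SocksPort 0
MyFamily $0123456789ABCDEF0123456789ABCDEF01234567,FEDCBA9876543210FEDCBA9876543210FEDCBA98
EOF
    else cat > "$1" <<'EOF'
Nickname my_nice_relay_with_a_long_name
ContactInfo ops@example.invalid
ORPort 9001
ExitRelay 1
SocksPort 9050
MyFamily $0123456789ABCDEF0123456789ABCDEF01234567,notafingerprint
EOF
    fi
}
```

Run it as lint_torrc /etc/tor/torrc before the restart; tor’s own parser can then be used for a final syntax check with tor -f /etc/tor/torrc --verify-config.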
4. Start your relay!
Now you’re all set to start your new Tor relay. Restart the service so it picks up your new torrc:
sudo systemctl restart tor@default
You can use systemctl status to view the status of the service, or view the logs using:
sudo journalctl -e -u tor@default
Review the logs and take note of any warnings or errors which you may need to correct. You should see that tor discovers the IP address of your server, and verifies that it’s reachable from the outside world.
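The two things to look for in that log are the reachability self-test result and any [warn] or [err] lines. The helper below is an added example, not part of the original post: it reviews a saved copy of the journal for exactly those. The sample journals it writes are constructed here and modelled on tor’s own messages, with a documentation-range address (203.0.113.5) standing in for a real relay IP.

```shell
# First-pass review of a saved tor journal: did the ORPort reachability
# self-test succeed, and are there [warn]/[err] lines worth reading?
# Save the journal first: sudo journalctl -u tor@default --no-pager > /tmp/tor.log
review_tor_log() {  # $1 = saved journalctl output; returns 0 when healthy
    log="$1"
    # grep -c exits 1 when the count is 0, so keep the number, drop the status
    warns=$(grep -c '\[warn\]' "$log" || true)
    errs=$(grep -c '\[err\]' "$log" || true)
    if grep -q 'Self-testing indicates your ORPort .* is reachable from the outside' "$log"; then
        reach=yes
    else
        reach=no
    fi
    echo "ORPort reachability confirmed: $reach; warnings: $warns; errors: $errs"
    # Print the lines a human should actually read, indented.
    grep -E '\[(warn|err)\]' "$log" | sed 's/^/  /' || true
    if [ "$reach" = yes ] && [ "$errs" -eq 0 ]; then return 0; fi
    return 1
}

# Constructed sample journals modelled on tor's own messages; $2 = ok|blocked.
write_sample_log() {
    {
        echo 'Jun 10 12:00:01 relay Tor[812]: [notice] Bootstrapped 100% (done): Done'
        echo 'Jun 10 12:00:02 relay Tor[812]: [notice] Now checking whether IPv4 ORPort 203.0.113.5:443 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)'
        if [ "$2" = ok ]; then
            echo 'Jun 10 12:00:40 relay Tor[812]: [notice] Self-testing indicates your ORPort 203.0.113.5:443 is reachable from the outside. Excellent. Publishing server descriptor.'
        else
            echo 'Jun 10 12:20:02 relay Tor[812]: [warn] Your server has not managed to confirm reachability for its ORPort(s) at 203.0.113.5:443. Relays do not publish descriptors until their ORPort and DirPort are reachable.'
        fi
    } > "$1"
}
```

If the review reports reach=no after the twenty-minute window, the ORPort you allowed in ufw and the ORPort in torrc are the first two things to compare.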
5. Post install tasks
The official post-install and best practices page is worth a read. Much of this section is based on it.
Monitoring
Find your relay using the Tor Metrics Relay Search page and bookmark it for future review. As mentioned in the post-install notes, your relay will only appear there a few hours after it’s first started.
Be sure to read the page listed about the lifecycle of a new relay so you understand the process, and why your relay won’t see much use for a while.
Nyx
It’s convenient to be able to monitor your relay in real time; you can do this via nyx.
First you’ll need to install it using:
sudo apt install nyx
Next, you’ll need to add your user to the debian-tor group so that you have the access to run nyx.
sudo usermod -aG debian-tor <username>
For this to take effect you’ll need to log out and back in, or open a new SSH session to test it. You can run id to view the list of groups you’re in; you should see debian-tor in the list.
Now you can run nyx and you should be presented with a textual GUI displaying information about your relay. I use this to monitor my relays’ logs, bandwidth, and system resource usage.
nyx
You can find out more by visiting the Tor Nyx page.
Logs
You can view the logs of your relay by running:
sudo journalctl -e -u tor@default
Liveness Monitoring
You should use a service such as Uptime Robot to monitor your relay and be notified if it goes down unexpectedly. This is fairly straightforward, and a quick search should get you going. Alternatively, or additionally, register at Tor Weather and add your relay fingerprint.
It’s worth noting that if you’ve configured your relay to only use a certain amount of bandwidth, then liveness probes will fail when it reaches the cap. If you log in to your relay and run nyx you’ll be able to see whether this is the case.
Conclusion
That’s it! Be sure to keep an eye on your relay, it can be fun to see how its use increases with time.
If you have any questions that haven’t been answered you could try the Tor Operators Mailing List, the General Tor mailing lists, or the relevant section of the Tor Project forum.
Thanks for running a relay! 🙏 Enjoy contributing to the Tor network