Let's set up a Tor relay!

If you’re interested in setting up a Tor relay, but don’t know how to get started, then read on! I’ll go through how I set one up in about 20 minutes. This isn’t an exhaustive guide, but it should cover the basics like:



Recipe

  • A server (more on this below)
  • Some basic command line experience
  • An email address you don’t mind being associated with the relay (a ProtonMail address is fine, but not a temporary or throwaway account)

Disclaimer / safety

A number of countries are trying to ban or block Tor and tools like VPNs. If you live in one of these countries right now, I can NOT recommend you set up a relay.

  • Turkey
  • China
  • Iraq
  • UAE
  • Oman
  • Bahrain
  • Saudi Arabia
  • Iran
  • Russia
  • Belarus
  • North Korea

Since this guide only covers one of the many ways to set up a Tor Relay, you can find more details at the Tor Project in their excellent guide here.

We’re going to be setting up a “guard/middle” relay - NOT AN EXIT NODE. Why? Because running an exit node is considerably more involved: exit traffic leaves the Tor network from your server’s IP address, so it attracts abuse complaints, attention and questions from your internet service provider and law enforcement. A guard/middle relay only ever carries encrypted traffic between Tor clients and other relays.

This guide will cover setting one up on an Ubuntu/Debian server hosted on DigitalOcean for $5/month. That being said, I want to encourage everyone NOT to do this on an Ubuntu/Debian server hosted on DigitalOcean if they can avoid it. This is because around 5% of the Tor network is already on DigitalOcean, and piling more relays onto one provider makes the network fragile: if, for example, DigitalOcean stopped allowing people to run relays on their servers, that’d be a major loss.

There’s also a Tor initiative looking for people to set up relays on BSD systems. Have a look at their guide if you’re up for it!

My hope is you can use this to learn the basic steps to setting up a relay. Then go find a different way to set one up! And, if at all possible, host it outside of Germany, France, the Netherlands, the US, or the UK, where relays are already concentrated!

Where and how to host?

For the sake of my own familiarity, I’m using Digital Ocean in this guide. But the Tor Project hosts a detailed list of Tor-friendly hosting providers, with a collection of the community’s stories and email correspondence with the various providers.

Subscribing to most of the services should be a fairly similar process to using Digital Ocean. It typically involves submitting an email, payment method, and a monthly or yearly payment to keep the server going (opinion: go monthly! less commitment/risk).

Make sure you are purchasing a Virtual Private Server (VPS) of some kind that gives you root SSH access - not a WordPress or blog hosting type of plan, where you can’t install software or open ports. If you’ve never purchased and created your own virtual server before, you can read this guide to learn how to create one on Digital Ocean after you sign up for an account.

I created an Ubuntu 17.10 droplet in India for my relay, but you can do Ubuntu 16.04 or Debian for yours if you’d like too. Be sure to read the section below about adding an SSH key to your droplet before creating it!

Hardening your server

Having a public Tor relay will increase the attention the server receives and you should always take a few basic steps to secure it from bots and malicious actors. There’s even a server hardening script specifically for Tor relays here. I’ll be copying a thing or two from there just to streamline things.

We’ll be hardening the server in 3 ways.

  1. Securing login access
  2. Setting up a firewall
  3. Setting up fail2ban

Securing login access

You can either set up your login with a strong password (20+ characters) or use an SSH key for password-less login. The latter is more convenient (nothing to type) and more secure: only a computer holding the private key (yours) can log in, and a key can’t be guessed the way a password can. One caveat: the server keeps accepting password guesses for root until you also set PasswordAuthentication no in /etc/ssh/sshd_config and restart sshd, so do that once your key login works. Either method is fine as a starting point.

When you create your droplet on Digital Ocean, you can choose to enter your public key during the signup process and they’ll set it up automatically for you.


You might already have one on your computer at ~/.ssh/id_rsa.pub. To check, type in:

cat ~/.ssh/id_rsa.pub

…and if the key prints into your terminal you can copy/paste it in. If you get “No such file or directory”, generate a new key pair with this command (the private key stays on your computer; only the .pub half is ever given to the server):

ssh-keygen -t rsa -b 4096

You can also follow this guide on digital ocean (which works for any Ubuntu/Debian server) for setting this up on a server if it’s already live.

If everything worked, you can log in to your new server just by typing ssh root@<server-ip-address> from the computer that has the key on it, and you won’t be asked for a password. Again, this is the more secure alternative to setting up the login with a very strong password, but either method should be fine as long as you don’t use password1 to log in to your server.

# replace <server-ip-address> with the IP address of your new server
ssh root@<server-ip-address>

Setting up the firewall

Now, once you’re logged in, we’ll need to set up the firewall. This limits the server to the handful of ports a relay actually needs and reduces the risk of someone tampering with it through some other service.

The first thing to do is to install a package called iptables-persistent so that if the server restarts, we don’t lose the rules we add. The installer asks whether to save the current IPv4 and IPv6 rules; answer yes. Whatever it saves at that moment is just the empty starting state, so we’ll save again once the rules below are in place.

# Install iptables-persistent; answer 'Yes' when it asks whether to save the current rules.
apt-get install -y iptables-persistent

Moving on, there are some specific rules that a Tor relay firewall needs, so this is where I’m going to copy the firewall rules from the bootstrap script I mentioned earlier.

One by one, enter the following commands into your server. It’s crucial you don’t mess up the ports at this step: if you don’t accept port 22, you can’t SSH in, and if you don’t accept port 9001, other relays and clients can’t reach your relay (outgoing connections still work, so it would look alive in the logs but never carry traffic). Order matters too: the final DROP only goes in after the SSH rule is in place. These are IPv4 rules; if your droplet also has an IPv6 address, repeat them with ip6tables (allowing ICMPv6 unconditionally there, since IPv6 needs it for neighbour discovery) or leave IPv6 disabled on the droplet.

# Allows all loopback (lo) traffic (which is traffic generated from your server talking to itself)
iptables -A INPUT -i lo -j ACCEPT

# Allows replies to connections the server itself opened (including Tor's own outgoing links) and drops malformed packets
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP

# Accepts SSH port 22 connections ** very important so you don't lock yourself out! **
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allows incoming Tor connections on port 9001, the ORPort.
iptables -A INPUT -p tcp --dport 9001 -j ACCEPT

# This is optional - it's for the DirPort, which serves directory information to other relays and clients. It doesn't hurt to open this port now (nothing listens on it until you enable DirPort in torrc) in case you decide to use it later.
iptables -A INPUT -p tcp --dport 9030 -j ACCEPT

# Allows ICMP (server pings, traceroute probes, etc) but rate-limits pings to 2 per second
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -p icmp -j ACCEPT

# Logs (at most 5 per minute) whatever is about to be denied, for record keeping
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Blocks all other traffic. Only run this AFTER the port 22 rule above is in place!
iptables -P INPUT DROP

# Check the result, then save it so it survives a reboot
iptables -L INPUT -n --line-numbers
netfilter-persistent save
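The same rule set in the file format iptables-persistent actually restores at boot (/etc/iptables/rules.v4), plus a check for the two mistakes that bite people here: forgetting the default-deny step, and putting the SSH rule after a blanket DROP. This is an added example, not code from the original post or from the tor-relay-bootstrap script it borrows from; the function names, the defaults (SSH 22, ORPort 9001, DirPort 9030) and the constructed sample rule set are this example’s own choices.

```python
"""Build /etc/iptables/rules.v4 for a guard/middle Tor relay and check it for
the classic lock-out mistake before loading it with iptables-restore.

Added example, not from the original post or the Tor Project: the function
names, the defaults (SSH 22, ORPort 9001, DirPort 9030) and the constructed
sample rule set are this example's own choices.
"""
import re


def relay_rules_v4(ssh_port=22, orport=9001, dirport=9030):
    """Return an iptables-restore file: INPUT denied by default, with holes only for
    loopback, established traffic, SSH, the ORPort and (if not None) the DirPort."""
    rules = [
        "*filter",
        ":INPUT DROP [0:0]",      # default policy: anything not matched below is dropped
        ":FORWARD DROP [0:0]",    # a relay never routes packets for other hosts
        ":OUTPUT ACCEPT [0:0]",   # Tor needs unrestricted outbound connections
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
        "-A INPUT -m state --state INVALID -j DROP",
        "-A INPUT -p tcp --dport %d -j ACCEPT" % ssh_port,   # keep SSH reachable
        "-A INPUT -p tcp --dport %d -j ACCEPT" % orport,     # incoming Tor connections
    ]
    if dirport is not None:
        rules.append("-A INPUT -p tcp --dport %d -j ACCEPT" % dirport)
    rules += [
        # answer pings, but no more than two per second
        "-A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT",
        "-A INPUT -p icmp --icmp-type echo-request -j DROP",
        "-A INPUT -p icmp -j ACCEPT",
        # log (rate-limited) what the default policy is about to drop
        '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7',
        "COMMIT",
    ]
    return "\n".join(rules) + "\n"


def lockout_risks(rules_text, ssh_port=22):
    """Return the reasons this rules.v4 text could lock you out of SSH, or leave the
    box wide open; an empty list means it is safe to iptables-restore."""
    lines = [line.strip() for line in rules_text.splitlines()]
    default_drop = any(line.startswith(":INPUT DROP") for line in lines)
    blanket_drop = next((i for i, l in enumerate(lines) if l == "-A INPUT -j DROP"), None)
    ssh_accept = re.compile(r"^-A INPUT .*-p tcp .*--dport %d\b.*-j ACCEPT$" % ssh_port)
    ssh_rule = next((i for i, l in enumerate(lines) if ssh_accept.match(l)), None)

    problems = []
    if ssh_rule is None and (default_drop or blanket_drop is not None):
        problems.append("INPUT drops by default but nothing accepts tcp/%d" % ssh_port)
    if ssh_rule is not None and blanket_drop is not None and blanket_drop < ssh_rule:
        problems.append("tcp/%d ACCEPT comes after '-A INPUT -j DROP', so it never matches" % ssh_port)
    if not default_drop and blanket_drop is None:
        problems.append("no default-deny: INPUT policy is ACCEPT and there is no final DROP")
    return problems


# Constructed sample: every wanted port is accepted, but nobody ever switched the
# INPUT policy to DROP, so "everything else is blocked" silently never happens.
NO_DEFAULT_DENY = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 9001 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    # Emit the file for: python3 relay_fw.py > /etc/iptables/rules.v4
    rules = relay_rules_v4()
    assert not lockout_risks(rules)
    print(rules, end="")
```

Write the output to /etc/iptables/rules.v4 and load it with iptables-restore < /etc/iptables/rules.v4 from a session you are already logged in to; iptables-persistent re-applies that file at every boot. Run lockout_risks over any hand-edited copy before restoring it, because iptables-restore replaces the whole filter table in one step and a missing SSH rule takes effect immediately.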

Setting up fail2ban

For extra security, we can install a program called Fail2Ban to block IP addresses that repeatedly try to SSH into our server without authorization. The internet is full of bots crawling the web and trying to take control of servers (for cryptocurrency mining schemes, DDoS botnets, or maybe just rookie hackers), so an extra layer of security doesn’t hurt to ensure the long-term survival of our relay.

This only takes a couple of steps on Ubuntu, and the default configuration already watches the SSH log; you can confirm the jail is active afterwards with fail2ban-client status sshd. There’s more information on fail2ban for other operating systems in this guide too.

# Install fail2ban, which will automatically set itself up
apt-get install -y fail2ban

# Start fail2ban
service fail2ban start

Installing and configuring the Tor relay

Once you have your server set up, downloading and installing a Tor relay is a very automated process.

First we need to tell our server where to download everything from. The Tor Project has a helper at this link. Open it, scroll to the bottom, and enter the Ubuntu or Debian version you’re setting this up on to get the repository lines for your release.


If you chose Ubuntu 17.10 like I did, open your /etc/apt/sources.list file

nano /etc/apt/sources.list

… and add the following lines at the bottom.

# Tor for Ubuntu 17.10 Artful
deb http://deb.torproject.org/torproject.org artful main
deb-src http://deb.torproject.org/torproject.org artful main

Exit the nano editor (control-X) and run the rest of the commands in your terminal.

# Imports the Tor Project's package signing key so apt can verify the packages it downloads
gpg --keyserver keys.gnupg.net --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -

# Update your package installer with the new key and sources
apt update

# Install the Tor software
apt install tor deb.torproject.org-keyring

If you get an error, check that you copied the right links into your sources.list file for the correct operating system from the website.

Configuration and starting your Tor Relay

Once the packages install, you should have a configuration file located at /etc/tor/torrc

Open it up with your editor and have a look inside.

nano /etc/tor/torrc

The file ships with everything commented out, so Tor’s defaults apply until you change something. You can configure everything from which port you use, to how much traffic to let through, to the public name of your relay. Read through the file below with my comments and update the matching values in your own file. I included some notes and calculations to make sure we don’t hit the 1TB/month bandwidth limit that Digital Ocean has. Be sure to pick a unique nickname and enter a contact email address for your relay.


# 0 means off - We do NOT want to set up an exit relay!
ExitRelay 0

# SOCKSPort is only needed if local applications should use this Tor
# instance as a client proxy. Not needed for this guide. 0 means off.
SOCKSPort 0

# ControlPort is also only for local tools and not needed for a basic
# public relay. 0 means off.
ControlPort 0

# The DirPort serves directory information (the list of relays) to other
# relays and clients, which costs extra bandwidth. Having this on or off is
# up to you, but keep in mind we have limited bandwidth per month on
# Digital Ocean. If you enable it, make sure your firewall accepts
# connections to it the same way we opened up port 9001 (use port 9030)!
DirPort 0

# The port on which the relay accepts incoming Tor connections. Make sure
# the firewall we set up earlier allows this port!
ORPort 9001

# Turn on notice-level logs (should not contain sensitive info at this level)
Log notice file /var/log/tor/notices.log

# Digital Ocean has a 1TB/month limit on bandwidth before they start charging
# extra (a few cents per GB, I think), and we want to make sure we don't go
# over. The following lines tell the Tor relay never to go over 999 GB in a
# month, counting from the 1st of each month at 15:00.

AccountingMax 999 GBytes
AccountingStart month 1 15:00

# If we hit 999GB in a month, the relay will hibernate until the start of
# the next month, and a relay that keeps disappearing won't be labelled
# "stable" by the network. The next line throttles traffic per second so
# the relay never hibernates but also never goes over the 1TB limit each
# month.

# This chart is based off this answer
# https://tor.stackexchange.com/questions/791/how-to-calculate-optimal-relay-bandwidth-throughput

#  Limit - KB/sec to set
# - - - - - - - - - - - -
#  500GB - 91 KB
# 1000GB - 182 KB <- this is us ****
# 2000GB - 364 KB
# 4000GB - 729 KB

# Throttle traffic to 182 KB/s
RelayBandwidthRate 182 KBytes

# Finally name your relay with a cool name (1-19 letters and digits) and
# enter an obfuscated email address like email[at]email[dot]com
Nickname aCoolName
ContactInfo tor-operator [at] your-emailaddress-domain [dot] com
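A small checker for the torrc above that covers both the settings and the bandwidth chart: it parses the file, flags the mistakes that matter for a non-exit relay (exit not explicitly disabled, no ORPort, an invalid nickname, a missing ContactInfo, accounting without a throttle) and derives the RelayBandwidthRate for a given monthly allowance. It is an added example, not code from the original post or from the Tor Project; the function names, the 31-day month and the assumption that each relayed byte is counted twice (once in, once out) are this example’s own, and the sample torrc is a constructed copy of the post’s settings with the comments stripped.

```python
"""Sanity-check a guard/middle-relay torrc before restarting Tor, and derive
the bandwidth throttle from a hoster's monthly allowance.

Added example, not from the original post or the Tor Project: the function
names, the 31-day month and the "each byte counted twice" assumption behind
the throttle calculation are this example's own choices.
"""
import re

# Tor accepts nicknames of 1 to 19 letters and digits only.
NICKNAME_RE = re.compile(r"^[A-Za-z0-9]{1,19}$")


def parse_torrc(text):
    """Map lower-cased option names to their values, ignoring comments and blanks.
    Repeated options (legal for e.g. ORPort) keep every value, in file order."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        opts.setdefault(key.lower(), []).append(value.strip())
    return opts


def relay_bandwidth_rate_kbytes(monthly_cap_gb, days=31):
    """KBytes/s that keeps the relay under monthly_cap_gb over a `days`-day month.

    Assumptions (they reproduce the chart in the post): every relayed byte is
    counted twice (in and out), 1 GB = 10^9 bytes, 1 KByte = 1024 bytes, and the
    result is rounded down for safety."""
    seconds = days * 24 * 3600
    return int(monthly_cap_gb * 10**9 / (2 * seconds * 1024))


def accounting_lines(monthly_cap_gb, days=31):
    """torrc lines that cap and throttle the relay for a monthly allowance,
    leaving 1 GB of headroom on AccountingMax as the post does."""
    return "\n".join([
        "AccountingMax %d GBytes" % (monthly_cap_gb - 1),
        "AccountingStart month 1 15:00",
        "RelayBandwidthRate %d KBytes" % relay_bandwidth_rate_kbytes(monthly_cap_gb, days),
    ])


def lint_relay_torrc(text):
    """Return the list of problems found; an empty list means the file looks sane
    for a non-exit relay."""
    o = parse_torrc(text)

    def first(name):
        values = o.get(name.lower())
        return values[0] if values else None

    problems = []
    if first("ExitRelay") != "0":
        problems.append("ExitRelay 0 is not set explicitly: do not risk running an exit")
    if not first("ORPort") or first("ORPort") == "0":
        problems.append("ORPort is missing or 0: the relay could not accept connections")
    nick = first("Nickname")
    if nick is not None and not NICKNAME_RE.match(nick):
        problems.append("Nickname %r is not 1-19 letters/digits" % nick)
    if not first("ContactInfo"):
        problems.append("ContactInfo is missing: the Tor Project cannot reach you")
    if bool(first("AccountingMax")) != bool(first("AccountingStart")):
        problems.append("AccountingMax and AccountingStart should be set together")
    if first("AccountingMax") and not first("RelayBandwidthRate"):
        problems.append("AccountingMax without RelayBandwidthRate: the relay may hibernate mid-month")
    return problems


# Constructed sample: the configuration from the post, comments stripped.
RELAY_TORRC = """\
ExitRelay 0
SOCKSPort 0
ControlPort 0
DirPort 0
ORPort 9001
Log notice file /var/log/tor/notices.log
AccountingMax 999 GBytes
AccountingStart month 1 15:00
RelayBandwidthRate 182 KBytes
Nickname aCoolName
ContactInfo tor-operator [at] your-emailaddress-domain [dot] com
"""

if __name__ == "__main__":
    import sys
    # python3 torrc_check.py /etc/tor/torrc  (defaults to the sample above)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else RELAY_TORRC
    for problem in lint_relay_torrc(text) or ["OK"]:
        print(problem)
    print(accounting_lines(1000))
```

The throttle formula is deliberately conservative: it floors the result and counts every byte in both directions, so a relay configured from it stays under the allowance even in a 31-day month. Run the script against /etc/tor/torrc after editing and before systemctl restart tor.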


Please please please enter an email address! This will allow the Tor Project to reach out to you and help maintain the health of your relay and the whole network. I’d recommend making a new email or using a secondary email account because it will be public.

Remember to save your config file.

Finally, run this last line to get the server going with the new configurations.

systemctl restart tor

Look at your log file to confirm everything worked.

cat /var/log/tor/notices.log

Soon after the start you want to see a line like “Self-testing indicates your ORPort is reachable from the outside. Excellent.” If instead it keeps warning that your server has not managed to confirm that its ORPort is reachable, the firewall (yours or the hoster’s) is not letting port 9001 through.

If something seems wrong, run tor --verify-config -f /etc/tor/torrc, which parses the configuration file and lists any errors without starting a second Tor process.

In about a day, your relay should show up in the public relay list (search for its nickname on the Tor Metrics relay search).

Be proud and congratulate yourself for making the Tor network faster, more reliable, and safer for everyone! Please leave a comment or reach out to me on twitter and let me know how it goes! Special thanks goes out to Tek for giving suggestions and proofreading this guide!


Categories:
sysadmin-stuff

