Configuring a Tor relay on Debian/Ubuntu

The Tor network relies on volunteers to donate bandwidth. The more people who run relays, the faster the Tor network will be. If you have at least 250 kilobytes/s each way, please help out Tor by configuring your Tor to be a relay too.

Step One: Download and Install Tor

If you're on Debian, start with "apt-get install tor".

Do not use the packages in Ubuntu's universe. If you're on Ubuntu or if you want to track newer Tor packages, follow the Tor on Ubuntu or Debian instructions to use our repository.

For other Unix/Linux users, you can download Tor from one of our repositories.

Step Two: Set it up as a relay

1. Make sure your clock, date, and timezone are set correctly. Install the ntp or openntpd (or similar) package to keep it that way.

2. Edit the bottom part of /etc/tor/torrc. Define an ORPort. Note that public relays default to being exit relays — either change your ExitPolicy line or read our guidelines for exit relay operators. Be sure to set your ContactInfo line so we can contact you if you need to upgrade or something goes wrong.

3. If you are using a firewall, open a hole in your firewall so incoming connections can reach the ports you configured (ORPort, plus DirPort if you enabled it). If you have a hardware firewall (Linksys box, cablemodem, etc) you might like Also, make sure you allow all outgoing connections too, so your relay can reach the other Tor relays.

4. Restart your relay: "service tor reload" (as root).

Step Three: Make sure it is working

Once your relay connects to the network, it will try to determine whether the ports you configured are reachable from the outside. This step is usually fast, but it may take a few minutes. Look for a log entry in your /var/log/tor/log like Self-testing indicates your ORPort is reachable from the outside. Excellent. If you don't see this message, it means that your relay is not reachable from the outside — you should re-check your firewalls, check that it's testing the IP and port you think it should be testing, etc.

When it decides that it's reachable, it will upload a "server descriptor" to the directory authorities, to let clients know what address, ports, keys, etc your relay is using. After a few hours (to give it enough time to propagate), you can query Atlas or Globe to see whether your relay has successfully registered in the network.

Step Four: Once it is working

5. Read about operational security to get ideas how you can increase the security of your computer.

6. Decide about rate limiting. Cable modem, DSL, and other users who have asymmetric bandwidth (e.g. more down than up) should rate limit to their slower bandwidth, to avoid congestion. See the rate limiting FAQ entry for details.

7. If your computer isn't running a webserver, and you haven't set AccountingMax, please consider changing your ORPort to 443 and/or your DirPort to 80. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.

8. Consider backing up your Tor relay's private key ("/var/lib/tor/keys/secret_id_key"). You'll need this identity key to move or restore your Tor relay.

9. If you run an exit relay (great!), don't miss out on our Exit Guidelines, including setting your reverse DNS hostname to make it obvious that you're a Tor exit relay, and serving the Tor exit notice page on your DirPort.

10. Subscribe to the tor-announce mailing list. It is very low volume, and it will keep you informed of new stable releases. As a relay operator, you should consider subscribing to the tor-relays mailing list too. We have more mailing lists as well.

11. Read the "Lifecycle of a New Relay" document to learn what sort of activity and usage patterns you can expect during your relay's first weeks of operation.

12. If you want to run more than one relay that's great, but please set the MyFamily option in all your relays' configuration files.

13. You might like to use the arm relay monitor to watch your relay's activities from the command line. First, "sudo apt-get install tor-arm". Second, as the user that will be running arm, run "sudo adduser $USER debian-tor" to add your user to the debian-tor group so it can reach Tor's controlsocket. Then log out and log back in (so your user is actually in the group), and run "arm".

14. When you change your Tor configuration, remember to verify that your relay still works correctly after the change.

If you have suggestions for improving this document, please send them to us. Thanks!