Tor Relay Server Configuration: Complete Setup Guide

Introduction

The Tor (The Onion Router) network represents one of the most important privacy and censorship circumvention tools on the internet, providing anonymous communication for millions of users worldwide. By routing traffic through a global network of volunteer-operated relays, Tor protects user identity, location, and browsing activity from surveillance and traffic analysis.

Running a Tor relay contributes directly to the strength and capacity of the Tor network, helping journalists, activists, whistleblowers, and ordinary users maintain privacy and bypass censorship in oppressive regimes. Relay operators donate bandwidth and computing resources, creating a decentralized infrastructure resistant to single points of failure or control.

This comprehensive guide walks you through deploying and operating a Tor relay server on Linux. You'll learn the differences between relay types (middle relay, exit relay, bridge), installation procedures, configuration options, bandwidth management, security considerations, monitoring, and best practices for responsible relay operation.

Whether supporting internet freedom, contributing to privacy infrastructure, learning about anonymity networks, or providing censorship resistance, running a Tor relay offers a meaningful way to strengthen global internet privacy.

Use Case Overview

Why Run a Tor Relay?

Operating a Tor relay provides several benefits to the network and community:

Support Privacy and Freedom: Enable people worldwide to communicate privately, access information freely, and circumvent censorship in countries with restricted internet access.

Increase Network Capacity: More relays mean faster speeds for all Tor users. Your bandwidth directly improves the experience for journalists, activists, and everyday users seeking privacy.

Censorship Resistance: Bridge relays specifically help users in censored regions connect to Tor when direct connections are blocked by governments.

Decentralization: Diverse relay operators across many countries and networks make Tor more resilient against attacks and single points of failure.

Educational Value: Running a relay teaches networking concepts, privacy technologies, and the technical foundations of anonymity systems.

Community Contribution: Many relay operators run relays as a form of digital activism, supporting values of privacy, freedom of expression, and open internet access.

Relay Types Explained

Middle Relay (Non-Exit):

  • Function: Relays traffic between other Tor relays
  • Risk: Low (no external internet traffic exits from your IP)
  • Bandwidth: Can be generous with bandwidth allocation
  • Responsibility: Minimal, no abuse complaints
  • Recommended: Ideal first relay type, safest option

Exit Relay:

  • Function: Final relay where traffic exits to destination servers
  • Risk: High (destination sees your IP address)
  • Bandwidth: Requires robust abuse complaint handling
  • Responsibility: Significant, requires careful configuration
  • Legal: Understand local laws, use reduced exit policy
  • Not Recommended: For home connections or without ISP approval

Bridge Relay:

  • Function: Unlisted relays helping users bypass censorship
  • Risk: Low (no exit traffic)
  • Bandwidth: Can start small
  • Responsibility: Minimal
  • Purpose: Critical for users in censored countries
  • Distribution: Address given privately to users needing access

Guard Relay (Entry):

  • Function: Entry point into Tor network
  • Risk: Low (no exit traffic)
  • Requirements: High uptime, stable bandwidth
  • Recommendation: Achieved automatically with good uptime

Common Deployment Scenarios

Data Center Relay: VPS or dedicated server with abundant bandwidth, ideal for middle or guard relays contributing substantial capacity.

Home Connection Relay: Residential connection donating spare bandwidth, typically middle relay with bandwidth limits to avoid affecting household usage.

Educational Institution: University or organization relay demonstrating commitment to internet freedom and privacy research.

Bridge Relay for Censored Users: Unlisted bridge helping users in China, Iran, or other countries where Tor is blocked access the network.

Exit Relay (Advanced): Dedicated exit relay with proper legal considerations, reduced exit policy, and abuse complaint handling procedures.

Raspberry Pi Relay: Low-power relay on embedded hardware, contributing modest bandwidth economically.

Requirements

System Requirements

Minimum Requirements (Small Middle Relay):

  • CPU: 1 core at 1.5+ GHz
  • RAM: 512MB
  • Storage: 10GB
  • Network: 1 Mbps sustained upload/download
  • OS: Ubuntu 20.04/22.04, Debian 11/12

Recommended Requirements (Medium Middle/Guard Relay):

  • CPU: 2 cores at 2.0+ GHz
  • RAM: 2GB
  • Storage: 20GB
  • Network: 10+ Mbps sustained, 100 GB/month+ bandwidth
  • OS: Ubuntu 22.04 LTS

High-Performance Requirements (Fast Guard/Exit Relay):

  • CPU: 4+ cores at 2.5+ GHz
  • RAM: 4-8GB
  • Storage: 50GB SSD
  • Network: 100+ Mbps sustained, 10 TB/month+ bandwidth
  • OS: Ubuntu 22.04 LTS

Bandwidth Considerations

Bandwidth Requirements:

  • Minimum: 1 Mbps sustained (30 GB/month)
  • Good: 10 Mbps sustained (300 GB/month)
  • Excellent: 100 Mbps sustained (3 TB/month)

Connection Type:

  • VPS/Dedicated: Ideal, usually unmetered or high limits
  • Home Connection: Possible, but limit bandwidth to avoid affecting household
  • Business Connection: Check acceptable use policy

Sustained vs Burst: Tor requires sustained bandwidth, not just burst. Test actual upload/download speeds.

Legal Considerations

Exit Relay Legal Issues:

  • Exit relay operators may receive abuse complaints
  • Understand local laws regarding liability for user traffic
  • DMCA notices, copyright complaints common for exits
  • Some ISPs prohibit exit relays in terms of service
  • Consider consulting legal counsel for exit relays

Middle/Bridge Relay:

  • Generally no legal issues
  • Traffic doesn't exit from your IP
  • Minimal abuse potential

Recommendations:

  • Start with middle relay to learn
  • Only run exit if you understand legal implications
  • Use reduced exit policy for exits
  • Have abuse complaint handling procedure

Network Requirements

Static IP Recommended: While not required, static IP improves relay stability and guard promotion chances.

Port Configuration:

  • ORPort: 9001/TCP (recommended) - Tor relay port
  • DirPort: 9030/TCP (optional) - Directory information
  • ControlPort: 9051/TCP (local only) - Control connection

Firewall: Must allow incoming connections on ORPort.

ISP Policy: Check terms of service, some ISPs prohibit relay operation or have bandwidth limits.

Prerequisites Knowledge

  • Basic Linux system administration
  • Understanding of networking and firewall configuration
  • Awareness of Tor network principles
  • Commitment to stable operation (high uptime important)

Step-by-Step Setup

Step 1: Install Tor

Add Tor repository for latest stable version:

Ubuntu/Debian:

# Install HTTPS transport support for apt
sudo apt install apt-transport-https -y

# Add GPG key
wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | sudo tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null

# Add repository
echo "deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/tor.list

# Update and install
sudo apt update
sudo apt install tor tor-geoipdb -y

CentOS/Rocky Linux:

sudo dnf install epel-release -y
sudo dnf install tor -y

Verify installation:

tor --version

Step 2: Configure Middle Relay

Edit Tor configuration:

sudo nano /etc/tor/torrc

Add basic middle relay configuration:

# Relay nickname (alphanumeric, 19 characters max)
Nickname YourRelayNickname

# Contact information (visible publicly)
ContactInfo your-email@example.com

# Relay type (middle relay = no exit policy)
ExitPolicy reject *:*

# Relay port
ORPort 9001

# Directory port (optional, helps with bandwidth credits)
DirPort 9030

# Bandwidth limits (adjust based on your capacity)
# Values in KB/s
RelayBandwidthRate 1024 KB    # 1 MB/s sustained
RelayBandwidthBurst 2048 KB   # 2 MB/s burst

# Monthly bandwidth limit (optional)
# AccountingMax 500 GB
# AccountingStart month 1 00:00

# DNS resolver
ServerDNSResolvConfFile /etc/resolv.conf

# Logging
Log notice file /var/log/tor/notices.log

Configuration Parameters:

  • Nickname: Public relay name, no spaces
  • ContactInfo: Email or GPG key for operators to contact you
  • ExitPolicy reject *:*: Middle relay (no exit traffic)
  • ORPort: Relay communication port
  • RelayBandwidthRate: Sustained bandwidth limit
  • AccountingMax: Optional monthly bandwidth cap
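
The following lint is an added example, not part of the original guide or of Tor itself. It checks a torrc against the middle-relay settings listed above and assumes one ExitPolicy rule per line, as in this guide's configuration; the function name and messages are made up for illustration.

```shell
#!/bin/sh
# Added example: lint a torrc against the middle-relay settings above.
# Reads FILE, or stdin if no file is given. Prints one finding per line
# and prints nothing when the file passes every check.
lint_torrc() {
    awk '
    { sub(/#.*/, "") }                       # drop comments
    NF == 0 { next }
    { key = tolower($1) }                    # option names are case-insensitive
    key == "nickname" {
        nick = 1
        if ($2 !~ /^[A-Za-z0-9]+$/ || length($2) > 19)
            print "nickname: must be 1-19 alphanumeric characters: " $2
    }
    key == "contactinfo" { contact = 1 }
    key == "orport"      { orport = 1 }
    key == "exitrelay" && $2 == "1" {
        print "exitrelay: enabled, this is not a middle relay"
    }
    key == "exitpolicy" {
        # Rules are evaluated in order and the first match wins, so an
        # accept placed before the catch-all reject still lets traffic exit.
        if ($2 == "accept" && !reject_all)
            print "exitpolicy: accept rule before reject *:* (" $3 ")"
        if ($2 == "reject" && $3 == "*:*") reject_all = 1
    }
    END {
        if (!nick)       print "nickname: missing"
        if (!contact)    print "contactinfo: missing"
        if (!orport)     print "orport: missing"
        if (!reject_all) print "exitpolicy: no explicit reject *:*"
    }' "${1:--}"
}

# Constructed sample: looks like the middle-relay torrc, but is not one.
lint_torrc <<'EOF'
Nickname Your_Relay
ContactInfo Random Person <nobody AT example dot com>
ORPort 9001
ExitPolicy accept *:443   # added "temporarily" and forgotten
ExitPolicy reject *:*
EOF
```

Run tor --verify-config -f /etc/tor/torrc as well: it checks syntax, while this lint checks that the file still describes a non-exit relay.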

Step 3: Configure Firewall

Allow Tor relay ports:

# UFW (Ubuntu/Debian)
sudo ufw allow 9001/tcp
sudo ufw allow 9030/tcp

# Firewalld (CentOS/Rocky)
sudo firewall-cmd --permanent --add-port=9001/tcp
sudo firewall-cmd --permanent --add-port=9030/tcp
sudo firewall-cmd --reload

Step 4: Start Tor Relay

Enable Tor service:

sudo systemctl enable tor
sudo systemctl start tor

Check status:

sudo systemctl status tor

View logs:

sudo tail -f /var/log/tor/notices.log

Look for lines indicating successful startup:

Bootstrapped 100%: Done
Self-testing indicates your ORPort is reachable from the outside.

Step 5: Verify Relay Operation

Check relay is running:

sudo ss -tlnp | grep tor

Should show Tor listening on configured ports.

Monitor Tor status:

sudo journalctl -u tor -f
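
To go one step beyond reading the ss output by eye, the added example below (not from the original guide) lists tor sockets that other hosts can reach on ports you did not mean to publish, such as a ControlPort that should be local only. The function name and the sample ss output are constructed for illustration.

```shell
#!/bin/sh
# Added example: report tor listeners reachable from other hosts whose
# port is not in the list of ports you intend to publish.
# Usage: sudo ss -tlnp | exposed_tor_ports 9001 9030
exposed_tor_ports() {
    awk -v allowed=" $* " '
    $1 == "LISTEN" && /"tor"/ {
        # Field 4 is the local address; the port follows the last colon,
        # which also works for bracketed IPv6 addresses such as [::]:9001.
        n = split($4, part, ":")
        port = part[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        loopback = (addr ~ /^127\./ || addr == "[::1]")
        if (!loopback && index(allowed, " " port " ") == 0)
            print port " " addr
    }'
}

# Constructed ss -tlnp output: ORPort and DirPort are public as intended,
# but the ControlPort has been bound to every interface.
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=701,fd=3))
LISTEN 0      4096   0.0.0.0:9001       0.0.0.0:*         users:(("tor",pid=812,fd=6))
LISTEN 0      4096   0.0.0.0:9030       0.0.0.0:*         users:(("tor",pid=812,fd=7))
LISTEN 0      4096   0.0.0.0:9051       0.0.0.0:*         users:(("tor",pid=812,fd=8))
EOF
}

sample_ss_output | exposed_tor_ports 9001 9030   # prints: 9051 0.0.0.0
```

An empty result means every tor listener is either on loopback or on a port you listed.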

Step 6: Find Your Relay on Tor Metrics

Wait 2-3 hours for relay to appear in network consensus.

Visit Tor Metrics: https://metrics.torproject.org/rs.html

Search for your relay nickname or IP address.

You'll see:

  • Relay fingerprint
  • Bandwidth statistics
  • Flags (Fast, Stable, Running, etc.)
  • Network position

Configuration

Bridge Relay Configuration

Configure bridge relay to help censored users:

sudo nano /etc/tor/torrc

Bridge configuration:

# Bridge relay
BridgeRelay 1

# Required for bridge
PublishServerDescriptor bridge

# Relay information
Nickname YourBridgeNickname
ContactInfo your-email@example.com

# Ports
ORPort 9001
ExtORPort auto

# No exit
ExitPolicy reject *:*

# Bandwidth
RelayBandwidthRate 1024 KB
RelayBandwidthBurst 2048 KB

# Optional: obfs4 pluggable transport (recommended for censorship resistance)
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:9002

# Logging
Log notice file /var/log/tor/notices.log

Install obfs4proxy:

sudo apt install obfs4proxy -y

Open obfs4 port:

sudo ufw allow 9002/tcp

Restart Tor:

sudo systemctl restart tor

Get bridge line for distribution:

sudo cat /var/lib/tor/pt_state/obfs4_bridgeline.txt

Share this bridge line privately with users needing access (don't post publicly).

Exit Relay Configuration (Advanced)

WARNING: Only run exit relay if you understand legal implications and have ISP approval.

Reduced exit policy (recommended for exits):

Nickname YourExitNickname
ContactInfo your-email@example.com abuse-report-address

# Exit relay with reduced exit policy
ExitPolicy accept *:80          # HTTP
ExitPolicy accept *:443         # HTTPS
ExitPolicy accept *:6667-6697   # IRC
ExitPolicy reject *:*

# Bandwidth
RelayBandwidthRate 5120 KB
RelayBandwidthBurst 10240 KB

# Ports
ORPort 9001
DirPort 9030

# Additional exit configuration
IPv6Exit 0
ExitPolicyRejectPrivate 1
ExitRelay 1

Abuse Handling:

  • Set up a dedicated abuse email address
  • Monitor abuse@your-domain
  • Respond promptly to complaints
  • Consider legal consultation

Bandwidth Accounting

Limit monthly bandwidth to avoid overages:

# Start accounting on 1st of each month at midnight
AccountingStart month 1 00:00

# Maximum 500 GB per month
AccountingMax 500 GB

# Bandwidth allocation
RelayBandwidthRate 1536 KB    # 1.5 MB/s
RelayBandwidthBurst 3072 KB   # 3 MB/s

Tor hibernates when the limit is reached and resumes at the start of the next accounting period.
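
How quickly a relay reaches that limit depends on the rate it is allowed to sustain. The added example below (not from the original guide) reads the two settings from a torrc and reports how long the cap lasts at the full RelayBandwidthRate, and which rate would spread the cap over 30 days. It assumes Tor's binary byte units (1 KB = 1024 bytes), does not handle bit units such as KBits, and the function name is made up for illustration.

```shell
#!/bin/sh
# Added example: relate AccountingMax to RelayBandwidthRate.
# Reads FILE, or stdin if no file is given.
accounting_report() {
    awk '
    # Convert "N UNIT" to bytes using binary units.
    function bytes(n, unit,   u) {
        u = tolower(unit)
        if (u ~ /^(kb|kbytes?|kilobytes?)$/) return n * 1024
        if (u ~ /^(mb|mbytes?|megabytes?)$/) return n * 1024 ^ 2
        if (u ~ /^(gb|gbytes?|gigabytes?)$/) return n * 1024 ^ 3
        if (u ~ /^(tb|tbytes?|terabytes?)$/) return n * 1024 ^ 4
        return n                     # no unit given: value is in bytes
    }
    { sub(/#.*/, ""); key = tolower($1) }
    key == "accountingmax"      { max  = bytes($2, $3) }
    key == "relaybandwidthrate" { rate = bytes($2, $3) }
    END {
        if (!max || !rate) { print "no accounting or rate limit set"; exit }
        # Hours until the cap is hit if the busier direction runs at the
        # full sustained rate the whole time.
        printf "hours_at_full_rate=%d\n", max / rate / 3600
        # Sustained rate (KB per second) that makes the cap last 30 days.
        printf "rate_for_30_days_kb=%d\n", max / (30 * 86400) / 1024
    }' "${1:--}"
}

# The accounting settings from this section.
accounting_report <<'EOF'
AccountingStart month 1 00:00
AccountingMax 500 GB
RelayBandwidthRate 1536 KB    # 1.5 MB/s
RelayBandwidthBurst 3072 KB   # 3 MB/s
EOF
# hours_at_full_rate=94
# rate_for_30_days_kb=202
```

With the values above, a saturated relay would hibernate after about four days; lower the rate or raise the cap if you want it online for the whole period.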

Multiple Relay Instances

Run multiple relays on one server:

Create second instance configuration:

sudo cp /etc/tor/torrc /etc/tor/torrc-2
sudo nano /etc/tor/torrc-2

Configure different ports:

DataDirectory /var/lib/tor-2
PidFile /var/run/tor/tor-2.pid

Nickname YourRelayNickname2
ORPort 9011
DirPort 9040
ControlPort 9061

# Different bandwidth allocation
RelayBandwidthRate 512 KB

Create systemd service:

sudo cp /lib/systemd/system/[email protected] /etc/systemd/system/[email protected]

Start second instance:

sudo systemctl enable tor@2
sudo systemctl start tor@2

Contact Information Best Practices

Provide detailed contact information:

ContactInfo Random Person <nobody AT example dot com> - 1234567890

Or use GPG key:

ContactInfo 0x1234567890ABCDEF Random Person <nobody AT example.com>

Include abuse email for exit relays:

ContactInfo abuse@example.com 0xABCDEF1234567890 Exit Operator

Monitoring and Maintenance

Monitor Relay Statistics

Install nyx (Tor monitoring tool):

sudo apt install nyx -y

Run nyx:

sudo -u debian-tor nyx

Provides real-time view of:

  • Bandwidth usage
  • Current connections
  • Circuit information
  • Log messages

Check Relay Metrics

Use the Tor Metrics website (https://metrics.torproject.org/rs.html):

Search for your relay to see:

  • Bandwidth graphs
  • Uptime statistics
  • Network flags
  • Consensus weight

Use Atlas:

Detailed relay information and historical data.

Bandwidth Monitoring

Monitor actual bandwidth usage:

# Using vnstat
sudo apt install vnstat -y
vnstat -i eth0 -l

Track monthly usage:

vnstat -m

Log Rotation

Configure log rotation:

sudo nano /etc/logrotate.d/tor

Add:

/var/log/tor/*.log {
    daily
    rotate 14
    compress
    delaycompress
    notifempty
    missingok
    create 0640 debian-tor debian-tor
    sharedscripts
    postrotate
        systemctl reload tor > /dev/null 2>&1 || true
    endscript
}

System Updates

Keep system and Tor updated:

# Update regularly
sudo apt update && sudo apt upgrade -y

# Tor updates
sudo apt install tor tor-geoipdb

Restart Tor after updates:

sudo systemctl restart tor

Security Considerations

Relay Isolation

Run Tor relay in isolated environment:

Consider containerization:

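# Using Docker
# tor:latest stands for your image name; use an image you build or trust
# torrc is mounted read-only so the container cannot modify it
docker run -d --name tor-relay \
    -p 9001:9001 \
    -v /etc/tor/torrc:/etc/tor/torrc:ro \
    -v tor-data:/var/lib/tor \
    --restart unless-stopped \
    tor:latest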

System Hardening

Harden relay server:

# Disable unnecessary services
sudo systemctl disable bluetooth
sudo systemctl disable cups

# Enable automatic security updates
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure unattended-upgrades

Firewall Configuration

Restrict access:

# Only allow necessary ports
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp   # SSH
sudo ufw allow 9001/tcp # OR Port
sudo ufw allow 9030/tcp # Dir Port
sudo ufw enable

SSH Security

Secure SSH access:

sudo nano /etc/ssh/sshd_config

Configure:

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes

Restart SSH:

sudo systemctl restart sshd

Fail2ban Protection

Install fail2ban to prevent brute force:

sudo apt install fail2ban -y

Enable for SSH:

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Troubleshooting

Relay Not Appearing in Network

Check Tor is running:

sudo systemctl status tor

View logs:

sudo tail -100 /var/log/tor/notices.log

Look for errors.

Verify port reachability:

Use external port checker or:

telnet YOUR_PUBLIC_IP 9001

From external host.

Check firewall:

sudo ufw status

Ensure ORPort is allowed.

Wait for consensus:

New relays take 2-6 hours to appear in network consensus.

Low Bandwidth/No Clients

Check bandwidth limits:

RelayBandwidthRate 1024 KB

Increase if you can support more.

Verify uptime:

Relays need high uptime (weeks/months) to gain Stable and Guard flags.

Check advertised bandwidth:

grep "Bandwidth" /var/log/tor/notices.log

Tor may not advertise full bandwidth immediately.

Network connectivity:

Ensure server has good internet connectivity and low latency.

Relay Not Getting Guard Flag

Requirements for Guard flag:

  • 8+ days uptime
  • MTBF (Mean Time Between Failures) of 8+ days
  • Sufficient bandwidth
  • Stable flag

Check current flags:

Visit Tor Metrics and search for your relay.

Improve uptime:

Minimize restarts, keep relay running continuously.

Accounting Hibernation

If relay hibernates unexpectedly:

Check accounting status:

grep "Accounting" /var/log/tor/notices.log

Increase AccountingMax:

AccountingMax 1000 GB

Or remove accounting limits if possible.

Best Practices

Operational Best Practices

  • High Uptime: Maintain 99%+ uptime for Guard consideration
  • Stable Bandwidth: Provide consistent bandwidth, avoid fluctuations
  • Regular Updates: Keep Tor and system packages current
  • Monitor Logs: Check logs periodically for issues
  • Backup Configuration: Save torrc and keys

Community Engagement

  • Relay Operator Mailing List: Subscribe to tor-relays mailing list
  • Documentation: Read official Tor relay documentation
  • Community: Join #tor-relays IRC channel
  • Reporting Issues: Report bugs to Tor Project

Scaling Up

Growing your relay contribution:

  1. Start with middle relay
  2. Increase bandwidth gradually
  3. Monitor performance
  4. Consider multiple relay instances
  5. Upgrade hardware as needed

Conclusion

You now operate a Tor relay contributing to global internet privacy and freedom. Your bandwidth and uptime directly help millions of Tor users maintain anonymity and bypass censorship.

Key achievements:

  • Privacy infrastructure contribution supporting anonymity worldwide
  • Censorship resistance helping users in oppressive regimes
  • Network strengthening improving capacity and performance
  • Responsible operation with proper security and monitoring
  • Community participation in internet freedom movement

Running a Tor relay is an ongoing commitment. Maintain high uptime, keep systems updated, and respond to any operational issues promptly. The Tor community and users worldwide appreciate your contribution to internet privacy and freedom.

Thank you for supporting internet freedom!