Tor guesses its IP address by asking the computer for its hostname, and then resolving that hostname. Often people have old entries in their /etc/hosts file that point to old IP addresses.
If that doesn't fix it, you should use the "Address" config option to specify the IP you want it to pick. If your computer is behind a NAT and it only has an internal IP address, see the following Support entry on dynamic IP addresses.
Also, if you have many addresses, you might also want to set "OutboundBindAddress" so external connections come from the IP you intend to present to the world.
If your relay is relatively new then give it time.
Tor decides which relays it uses heuristically based on reports from Bandwidth Authorities. These authorities take measurements of your relay's capacity and, over time, directs more traffic there until it reaches an optimal load.
The lifecycle of a new relay is explained in more depth in this blog post.
If you've been running a relay for a while and still having issues then try asking on the tor-relays list.
If you allow exit connections, some services that people connect to from your relay will connect back to collect more information about you. For example, some IRC servers connect back to your identd port to record which user made the connection. (This doesn't really work for them, because Tor doesn't know this information, but they try anyway.) Also, users exiting from you might attract the attention of other users on the IRC server, website, etc. who want to know more about the host they're relaying through.
Another reason is that groups who scan for open proxies on the Internet have learned that sometimes Tor relays expose their socks port to the world. We recommend that you bind your socksport to local networks only.
In any case, you need to keep up to date with your security. See this article on security for Tor relays for more suggestions.
When an exit is misconfigured or malicious it's assigned the BadExit flag. This tells Tor to avoid exiting through that relay. In effect, relays with this flag become non-exits.
If you got this flag then we either discovered a problem or suspicious activity when routing traffic through your exit and weren't able to contact you. Please reach out to the bad-relays team so we can sort out the issue.
When upgrading your Tor relay, or moving it on a different computer, the important part is to keep the same identity keys (stored in "keys/ed25519_master_id_secret_key" and "keys/secret_id_key" in your DataDirectory).
Keeping backups of the identity keys so you can restore a relay in the future is the recommended way to ensure the reputation of the relay won't be wasted.
This means that if you're upgrading your Tor relay and you keep the same torrc and the same DataDirectory, then the upgrade should just work and your relay will keep using the same key.
If you need to pick a new DataDirectory, be sure to copy your old keys/ed25519_master_id_secret_key and keys/secret_id_key over.
Note: As of Tor 0.2.7 we are using new generation identities for relays based on ed25519 elliptic curve cryptography.
Eventually they will replace the old RSA identities, but that will happen in time, to ensure compatibility with older versions.
Until then, each relay will have both an ed25519 identity (identity key file: keys/ed25519_master_id_secret_key) and a RSA identity (identity key file: keys/secret_id_key).
You need to copy / backup both of them in order to restore your relay, change your DataDirectory or migrate the relay on a new computer.
We're looking for people with reasonably reliable Internet connections, that have at least 10 Mbit/s (Mbps) available bandwidth each way. If that's you, please consider running a Tor relay.
Even if you do not have at least 10 Mbit/s of available bandwidth you can still help the Tor network by running a Tor bridge with obfs4 support. In that case you should have at least 1 MBit/s of available bandwidth.
You're right, for the most part a byte into your Tor relay means a byte out, and vice versa. But there are a few exceptions:
If you open your DirPort, then Tor clients will ask you for a copy of the directory.
The request they make (an HTTP GET) is quite small, and the response is sometimes quite large.
This probably accounts for most of the difference between your "write" byte count and your "read" byte count.
Another minor exception shows up when you operate as an exit node, and you read a few bytes from an exit connection (for example, an instant messaging or ssh connection) and wrap it up into an entire 512 byte cell for transport through the Tor network.
If your Tor relay is using more memory than you'd like, here are some tips for reducing its footprint:
- If you're on Linux, you may be encountering memory fragmentation bugs in glibc's malloc implementation.
That is, when Tor releases memory back to the system, the pieces of memory are fragmented so they're hard to reuse.
The Tor tarball ships with OpenBSD's malloc implementation, which doesn't have as many fragmentation bugs (but the tradeoff is higher CPU load).
You can tell Tor to use this malloc implementation instead:
- If you're running a fast relay, meaning you have many TLS connections open, you are probably losing a lot of memory to OpenSSL's internal buffers (38KB+ per socket).
We've patched OpenSSL to release unused buffer memory more aggressively.
If you update to OpenSSL 1.0.0 or newer, Tor's build process will automatically recognize and use this feature.
- If you still can't handle the memory load, consider reducing the amount of bandwidth your relay advertises.
Advertising less bandwidth means you will attract fewer users, so your relay shouldn't grow as large.
MaxAdvertisedBandwidth option in the man page.
All of this said, fast Tor relays do use a lot of ram. It is not unusual for a fast exit relay to use 500-1000 MB of memory.
We aim to make setting up a Tor relay easy and convenient:
- It's fine if the relay goes offline sometimes.
The directories notice this quickly and stop advertising the relay.
Just try to make sure it's not too often, since connections using the relay when it disconnects will break.
- Each Tor relay has an exit policy that specifies what sort of outbound connections are allowed or refused from that relay.
If you are uncomfortable allowing people to exit from your relay, you can set it up to only allow connections to other Tor relays.
- Your relay will passively estimate and advertise its recent bandwidth capacity, so high-bandwidth relays will attract more users than low-bandwidth ones. Therefore, having low-bandwidth relays is useful too.
If you're using Debian or Ubuntu especially, there are a number of benefits to installing Tor from the Tor Project's repository.
ulimit -n gets set to 32768 high enough for Tor to keep open all the connections it needs.
- A user profile is created just for Tor, so Tor doesn't need to run as root.
- An init script is included so that Tor runs at boot.
- Tor runs with
--verify-config, so that most problems with your config file get caught.
- Tor can bind to low level ports, then drop privileges.
All outgoing connections must be allowed, so that each relay can communicate with every other relay.
In many jurisdictions, Tor relay operators are legally protected by the same common carrier regulations that prevent internet service providers from being held liable for third-party content that passes through their network.
Exit relays that filter some traffic would likely forfeit those protections.
Tor promotes free network access without interference.
Exit relays must not filter the traffic that passes through them to the internet.
Exit relays found to be filtering traffic will get the BadExit flag once detected.
Si l'aplicació de la llei s'interessa pel trànsit des del teu repetidor de sortida, és possible que els agents s'apoderin de la vostra computadora.
Per aquest motiu, és millor no executar el repetidor de sortida a casa o utilitzant la vostra connexió a Internet desde casa.
al contrari, considereu executar el repetidor de sortida en una instal·lació comercial que sigui compatible amb Tor.
Tingueu una adreça IP independent per al vostre repetidor de sortida i no enruteu el vostre propi trànsit a través d'ell.
Per descomptat, haureu d'evitar mantenir qualsevol informació personal o sensible a l'ordinador que allotgeu el vostre repetidor de sortida.
In simple words, it works like this:
- There is a master ed25519 identity secret key file named "ed25519_master_id_secret_key".
This is the most important one, so make sure you keep a backup in a secure place - the file is sensitive and should be protected.
Tor could encrypt it for you if you generate it manually and enter a password when asked.
- A medium term signing key named "ed25519_signing_secret_key" is generated for Tor to use.
Also, a certificate is generated named "ed25519_signing_cert" which is signed by the master identity secret key and confirms that the medium term signing key is valid for a certain period of time.
The default validity is 30 days, but this can be customized by setting "SigningKeyLifetime N days|weeks|months" in torrc.
- There is also a master public key named "ed25519_master_id_public_key, which is the actual identity of the relay advertised in the network.
This one is not sensitive and can be easily computed from "ed5519_master_id_secret_key".
Tor will only need access to the medium term signing key and certificate as long as they are valid, so the master identity secret key can be kept outside DataDirectory/keys, on a storage media or a different computer.
You'll have to manually renew the medium term signing key and certificate before they expire otherwise the Tor process on the relay will exit upon expiration.
This feature is optional, you don't need to use it unless you want to.
If you want your relay to run unattended for longer time without having to manually do the medium term signing key renewal on regular basis, best to leave the master identity secret key in DataDirectory/keys, just make a backup in case you'll need to reinstall it.
If you want to use this feature, you can consult our more detailed guide on the topic.
Great. If you want to run several relays to donate more to the network, we're happy with that.
But please don't run more than a few dozen on the same network, since part of the goal of the Tor network is dispersal and diversity.
If you do decide to run more than one relay, please set the "MyFamily" config option in the torrc of each relay, listing all the relays (comma-separated) that are under your control:
where each fingerprint is the 40 character identity fingerprint (without spaces).
That way, Tor clients will know to avoid using more than one of your relays in a single circuit.
You should set MyFamily if you have administrative control of the computers or of their network, even if they're not all in the same geographic location.
The accounting options in the torrc file allow you to specify the maximum amount of bytes your relay uses for a time period.
AccountingStart day week month [day] HH:MM
This specifies when the accounting should reset. For instance, to setup a total amount of bytes served for a week (that resets every Wednesday at 10:00am), you would use:
AccountingStart week 3 10:00
AccountingMax 500 GBytes
This specifies the maximum amount of data your relay will send during an accounting period, and the maximum amount of data your relay will receive during an account period.
When the accounting period resets (from AccountingStart), then the counters for AccountingMax are reset to 0.
Example: Let's say you want to allow 50 GB of traffic every day in each direction and the accounting should reset at noon each day:
AccountingStart day 12:00
AccountingMax 50 GBytes
Note that your relay won't wake up exactly at the beginning of each accounting period.
It will keep track of how quickly it used its quota in the last period, and choose a random point in the new interval to wake up.
This way we avoid having hundreds of relays working at the beginning of each month but none still up by the end.
If you have only a small amount of bandwidth to donate compared to your connection speed, we recommend you use daily accounting, so you don't end up using your entire monthly quota in the first day.
Just divide your monthly amount by 30. You might also consider rate limiting to spread your usefulness over more of the day: if you want to offer X GB in each direction, you could set your RelayBandwidthRate to 20*X KBytes.
For example, if you have 50 GB to offer each way, you might set your RelayBandwidthRate to 1000 KBytes: this way your relay will always be useful for at least half of each day.
AccountingStart day 0:00
AccountingMax 50 GBytes
RelayBandwidthRate 1000 KBytes
RelayBandwidthBurst 5000 KBytes # allow higher bursts but maintain average
Tor has partial support for IPv6 and we encourage every relay operator to enable IPv6 functionality in their torrc configuration files when IPv6 connectivity is available.
For the time being Tor will require IPv4 addresses on relays, you can not run a Tor relay on a host with IPv6 addresses only.
The parameters assigned in the AccountingMax and BandwidthRate apply to both client and relay functions of the Tor process.
Thus you may find that you are unable to browse as soon as your Tor goes into hibernation, signaled by this entry in the log:
Bandwidth soft limit reached; commencing hibernation.
No new connections will be accepted
The solution is to run two Tor processes - one relay and one client, each with its own config.
One way to do this (if you are starting from a working relay setup) is as follows:
- In the relay Tor torrc file, simply set the SocksPort to 0.
- Create a new client torrc file from the torrc.sample and ensure it uses a different log file from the relay.
One naming convention may be torrc.client and torrc.relay.
- Modify the Tor client and relay startup scripts to include
- In Linux/BSD/Mac OS X, changing the startup scripts to
Tor.relay may make separation of configs easier.
Great. That's exactly why we implemented exit policies.
Each Tor relay has an exit policy that specifies what sort of outbound connections are allowed or refused from that relay.
The exit policies are propagated to Tor clients via the directory, so clients will automatically avoid picking exit relays that would refuse to exit to their intended destination.
This way each relay can decide the services, hosts, and networks it wants to allow connections to, based on abuse potential and its own situation.
Read the Support entry on issues you might encounter if you use the default exit policy, and then read Mike Perry's tips for running an exit node with minimal harassment.
The default exit policy allows access to many popular services (e.g. web browsing), but restricts some due to abuse potential (e.g. mail) and some since the Tor network can't handle the load (e.g. default file-sharing ports).
You can change your exit policy by editing your torrc file.
If you want to avoid most if not all abuse potential, set it to "reject :".
This setting means that your relay will be used for relaying traffic inside the Tor network, but not for connections to external websites or other services.
If you do allow any exit connections, make sure name resolution works (that is, your computer can resolve Internet addresses correctly).
If there are any resources that your computer can't reach (for example, you are behind a restrictive firewall or content filter), please explicitly reject them in your exit policy otherwise Tor users will be impacted too.
Tor can handle relays with dynamic IP addresses just fine.
Just leave the "Address" line in your torrc blank, and Tor will guess.
Yes, you do get better anonymity against some attacks.
The simplest example is an attacker who owns a small number of Tor relays.
They will see a connection from you, but they won't be able to know whether the connection originated at your computer or was relayed from somebody else.
There are some cases where it doesn't seem to help: if an attacker can watch all of your incoming and outgoing traffic, then it's easy for them to learn which connections were relayed and which started at you.
(In this case they still don't know your destinations unless they are watching them too, but you're no better off than if you were an ordinary client.)
There are also some downsides to running a Tor relay.
First, while we only have a few hundred relays, the fact that you're running one might signal to an attacker that you place a high value on your anonymity.
Second, there are some more esoteric attacks that are not as well-understood or well-tested that involve making use of the knowledge that you're running a relay -- for example, an attacker may be able to "observe" whether you're sending traffic even if they can't actually watch your network, by relaying traffic through your Tor relay and noticing changes in traffic timing.
It is an open research question whether the benefits outweigh the risks.
A lot of that depends on the attacks you are most worried about.
For most users, we think it's a smart move.
See portforward.com for directions on how to port forward with your NAT/router device.
If your relay is running on a internal net, you need to setup port forwarding.
Forwarding TCP connections is system dependent but the firewalled-clients FAQ entry offers some examples on how to do this.
Also, here's an example of how you would do this on GNU/Linux if you're using iptables:
/sbin/iptables -A INPUT -i eth0 -p tcp --destination-port 9001 -j ACCEPT
You may have to change "eth0" if you have a different external interface (the one connected to the Internet).
Chances are you have only one (except the loopback) so it shouldn't be too hard to figure out.
There are two options you can add to your torrc file:
BandwidthRate is the maximum long-term bandwidth allowed (bytes per second).
For example, you might want to choose "BandwidthRate 10 MBytes" for 10 megabytes per second (a fast connection), or "BandwidthRate 500 KBytes" for 500 kilobytes per second (a decent cable connection).
The minimum BandwidthRate setting is 75 kilobytes per second.
BandwidthBurst is a pool of bytes used to fulfill requests during short periods of traffic above BandwidthRate but still keeps the average over a long period to BandwidthRate.
A low Rate but a high Burst enforces a long-term average while still allowing more traffic during peak times if the average hasn't been reached lately.
For example, if you choose "BandwidthBurst 500 KBytes" and also use that for your BandwidthRate, then you will never use more than 500 kilobytes per second; but if you choose a higher BandwidthBurst (like 5 MBytes), it will allow more bytes through until the pool is empty.
If you have an asymmetric connection (upload less than download) such as a cable modem, you should set BandwidthRate to less than your smaller bandwidth (Usually that's the upload bandwidth).
Otherwise, you could drop many packets during periods of maximum bandwidth usage - you may need to experiment with which values make your connection comfortable.
Then set BandwidthBurst to the same as BandwidthRate.
Linux-based Tor nodes have another option at their disposal: they can prioritize Tor traffic below other traffic on their machine, so that their own personal traffic is not impacted by Tor load.
A script to do this can be found in the Tor source distribution's contrib directory.
Additionally, there are hibernation options where you can tell Tor to only serve a certain amount of bandwidth per time period (such as 100 GB per month). These are covered in the hibernation entry below.
Note that BandwidthRate and BandwidthBurst are in Bytes, not Bits.