Running a Tor relay (Liberation Day special)
Today is Liberation Day in the Netherlands. We celebrate the 75th anniversary of the end of Nazi occupation during World War II. A perfect day to write about freedom!
This article was supposed to go along with a meeting for (aspiring) relay operators in the Netherlands, but times being what they are, the meeting had to be cancelled. Thanks to the HVIV foundation for their intentions on making the meeting a success, and I hope that we can have our meeting soon. Let's try to move the discussion online for now!
Tor is a network of routers, so called 'relays', that anonymize Internet traffic through a process called onion routing. A technique originally developed by the U.S. Navy, onion routing takes Internet traffic through multiple relays before forwarding it to the final destination. Encryption aids in keeping the source and destination of the traffic secret. The sender encrypts the traffic with the keys of the intermediary relays, and each relay 'peels' off one layer of encryption, revealing where the resulting data should be sent next.
The Tor software (most notably the relay software and the Tor Browser) is developed by the Tor Project. Users of this software include ordinary people who value their privacy, but also activists, whistleblowers, abuse victims, stalker targets and dissidents of oppressive regimes. There are media organizations that rely on the anonymity provided by Tor for protecting their sources, as well as law enforcement organizations that use Tor for undercover operations and anonymous tip lines. And finally, militaries use Tor to protect field agents and support intelligence gathering. It was the military that pioneered on onion routing technologies after all.
Read more about Tor's history and design.
Now, onto relay operations. Let's see if I can answer your questions.
Should I run a relay?
If you are comfortable behind a computer, then yes, you should! The Tor network becomes faster, safer and more stable if you were to run a relay. Tor thrives on the diversity of its users and relay operators. The larger and more diverse the network, the harder it is to spy on any individual user.
What type of relay should I run?
There are three types of relays: guard, middle and exit. Their names refer to their positions in the network: the user connects to the guard relay, the guard connects to the middle relay, the middle connects to the exit relay, and the exit connects to the requested service (e.g. a website). As each relay forwards Tor traffic with their own IP address as the source of the traffic, it will appear to the requested service as if the exit relay is initiating the connection. You can imagine that this can cause trouble when someone is abusing the Tor network. It is therefore discouraged to run an exit relay unless you thoroughly understand the potential (technical and legal) consequences.
There is another option that you can try when you have limited bandwidth available, and that is running a Tor bridge. Bridges are essential to users in regimes where access to the Tor network is restricted. Access to Tor relays can easily be blocked because Tor traffic can be identified as such through network analysis, and because there is a public list of all Tor relays. There is no public list of all bridges on the other hand, and traffic between users and bridges is obfuscated to make it a lot harder to identify it as Tor traffic.
So back to your choice of relay: new exit relays are most appreciated because of their scarcity, but operating one should not be undertaken without fully understanding the risks involved. Next are guard/middle relays for when you have enough bandwidth available, and bridges when bandwidth is limited. Learn more about network, system and uptime requirements on Tor's relay operations website.
Where should I run my relay?
Whatever you do, DO NOT RUN AN EXIT RELAY FROM YOUR HOME. Doing so is highly discouraged as it will expose you to much higher risks of harassment and legal trouble. It will also make your own web browsing miserable because of all the "I'm not a robot" captchas and blocked pages. Running a bridge or a guard/middle relay from home is probably fine, but I felt the need to make it extra clear that it is not worth it to run an exit from your house. I've met people who, against all advise, still decided to run an exit from their apartment. They couldn't access their favourite tech website for months and got threatening calls from their Internet provider. And that's actually quite a good outcome considering the possibility of law enforcement kicking your door in for something that went through your exit relay.
You should run an exit relay with a dedicated IP address at a (professional) hosting facility with a competent abuse department. That last part may be hard to find out, but it's a good idea to contact the hosting provider and explain your intentions beforehand. It's a better option than having all of your services terminated for abuse of the terms of service and also contributes to a better understanding of Tor in the hosting world.
Guard and middle relays can usually be hosted anywhere given that doing so does not violate the law or any agreements with the hosting provider. However, if you have multiple hosting providers to pick from, choose one that doesn't host any relays already. Having lots and lots of relays at one hosting provider is not good for the diversity (and therefore security) of the Tor network.
How should I configure my relay?
This topic has been widely discussed before, hence I shall just point to the excellent documentation on the relay operations website. Try asking on the tor-relays mailing list if you need help. There are kind people on that list, including members of the Tor Project and yours truly :)
The Tor network benefits most from relays running on non-Linux systems (this is again because of diversity). Most relays run on Debian GNU/Linux. If you are comfortable running a relay on Windows, Mac OS, FreeBSD, OpenBSD or something more exotic, please do!
More (technical) considerations for running a relay can be found on Tor's relay operations website.
Additional considerations for exit relays
I run an exit relay (VrijHeid) together with another member of the Coloclue network association. Coloclue's abuse team consists of dedicated volunteers (who we are very thankful of). They receive abuse notifications from time to time which they forward to us. We ignore the notifications that look automated, but otherwise always send a kind and informative response. You can find our templates below (which were kindly provided by my former colleague, Bits of Freedom's Rejo Zenger). They may need some adjustments if you're outside of the Netherlands. In case of doubt, contact a lawyer.
As you can probably tell, proper abuse management is vital to running an exit relay. These were the steps that we took to reduce the burden on the abuse team:
- Use a reduced exit policy to prevent most email and BitTorrent abuse.
- Set the reverse DNS record (PTR) of the IP address to tor-exit.<domain>.
- Host a webpage that explains Tor on the IP address of the exit relay.
- Set up an email address that can be used to contact us directly and publish this address along with an informative notice in the relevant WHOIS database (see this RIPE database lookup).
Fully utilizing multiple CPU cores
If your relay hardware has multiple CPU cores, you should consider running one instance of the Tor software for every core. This ensures the best CPU utilization because Tor is single-threaded. The Tor network allows for up to two Tor instances per IP address. If you don't have enough IP addresses, you can try asking your hosting provider for more.
Your second (and third, fourth, and so on) Tor instance can run off of a copy of your 'torrc' configuration file. You will need to change some settings though:
- DataDirectory must be unique.
- SOCKSPort must be unique (or just disable it by setting it to 0).
- ControlPort must be unique.
- ORPort must be unique.
- DirPort must be unique.
- MyFamily must list the fingerprints of your other relay instances.
- ContactInfo must be set on all relay instances.
- It's convenient to make Nickname unique as well.
My relay runs on OpenBSD, where adding a second Tor service is quite simple. Just create a symlink like /etc/rc.d/tor2 that points to /etc/rc.d/tor, enable the service and modify the command flags with 'rcctl set tor2 flags -f /etc/tor/torrc2'. This ensures that the 'tor2' service is started with its own configuration file. You'll also need to add a 'tor2' section (the name must be the same as the service) to /etc/login.conf. Now you can start the second relay instance.
Conclusion
Go run a relay if you can! And if you can't, consider donating time or money to the Tor Project. COVID-19 has financially hit the Tor Project hard, too.
The mailing lists are a great way to get help and to contribute. Hope to see you on the tor-relays list, or at the next relay operators meeting!
Want to learn more about the history and festivities regarding Liberation Day in the Netherlands? Visit the website of the National Committee for 4 and 5 May.
Download
Abuse response template
OpenDocument Text, 16 kB
Law enforcement response template
OpenDocument Text, 12 kB