Tor, short for The Onion Router, is an anonymity network that enables users to browse the internet anonymously by encrypting their traffic and routing it through a series of nodes. These nodes can be run by anyone, and the final node, known as the exit node, is responsible for sending traffic back onto the regular internet. Running a Tor exit node is an important way to contribute to the privacy and freedom of the internet, but it requires some technical expertise and responsibility. In this blog post, we’ll walk you through the process of hosting a Tor exit node.
Step 0: Consider before deploy
Here are some things to consider:
- Legal considerations: In some countries, hosting a Tor exit node is illegal, and you could face legal consequences for doing so. You should research the laws in your country and make sure that hosting a Tor exit node is legal before proceeding.
- Bandwidth and resource consumption: Tor exit nodes can consume a lot of bandwidth, and you will need to have a fast and reliable internet connection to handle the traffic. You may also need to pay for additional bandwidth if your hosting plan has a bandwidth cap.
- Technical expertise: Hosting a Tor exit node requires some technical expertise and experience with Linux administration. You will need to set up a server, install and configure Tor software, and maintain the node to ensure that it is running smoothly.
- Risks associated with illegal activity: As an exit node operator, you may be held responsible for any illegal activity that passes through your node. While Tor is designed to protect the anonymity of its users, it is not foolproof, and law enforcement agencies may be able to trace activity back to your node.
- Reputation risk: Hosting a Tor exit node may attract unwanted attention and scrutiny from law enforcement agencies, as well as from your internet service provider and other organizations. It is important to consider the potential risks to your reputation before proceeding.
There are three types of Tor nodes that you can host: middle/guard nodes, bridge nodes, and exit nodes. Middle nodes are relays that help to route traffic between different nodes in the Tor network, but do not serve as the final node for traffic leaving the network. Bridge nodes are similar to middle nodes, but they are not publicly listed in the Tor directory, which can help users bypass censorship and surveillance. Exit nodes, on the other hand, are the final nodes for traffic leaving the Tor network and provide a gateway for users to access the regular internet anonymously. However, hosting an exit node comes with significant legal and ethical responsibilities, as exit nodes can be used to route traffic for illegal activities. The decision to host a Tor node, and what type of node to host, should be made after careful consideration of the risks and benefits, and in compliance with the Tor Project's guidelines and policies.
Step 1: Choose a Location
The first step in hosting a Tor exit node is to choose a location for your server. You will want to choose a location with a fast and reliable internet connection, as well as a high bandwidth cap or an unlimited plan, since exit nodes can consume a lot of bandwidth. It’s also important to choose a location where Tor is legal and not blocked, as hosting an exit node in a country where Tor is not allowed can result in legal issues.
Step 2: Set Up Your Server
Once you have chosen a location, you will need to set up a server. You can use a virtual private server (VPS) or a dedicated server, depending on your budget and needs. You will need to install a Linux operating system, such as Ubuntu or Debian, and configure it for use as a Tor exit node. The Tor Project provides detailed instructions for setting up a Tor exit node on Linux.
Step 3: Install and Configure Tor
Next, you will need to install the Tor software and configure it for use as an exit node. You can install Tor using the package manager for your Linux distribution, or you can download and install it from the Tor Project’s website. Once installed, you will need to configure Tor to run as an exit node, which involves editing the Tor configuration file. The Tor Project provides detailed instructions for configuring Tor as an exit node.
The Tor Project provides a variety of documentation to guide you through the installation process: https://community.torproject.org/onion-services/setup/install/.
I also found this video useful during setup: https://www.youtube.com/watch?v=EMZqZ3XX8Eo
```bash
#!/bin/bash
set -euo pipefail  # stop at the first failed command, including a failed key download

# Step 1: Install apt-transport-https
sudo apt install apt-transport-https

# Step 2: Add Tor repository to sources.list.d
# The tor-experimental-* and tor-nightly-main-* suites are optional. With them
# enabled, apt installs the newest build on offer; delete those four lines to
# stay on the stable release.
OS_CODENAME=$(lsb_release -c | awk '{print $2}')
ARCHITECTURE=$(dpkg --print-architecture)
sudo tee /etc/apt/sources.list.d/tor.list >/dev/null <<EOF
deb [arch=${ARCHITECTURE} signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org ${OS_CODENAME} main
deb-src [arch=${ARCHITECTURE} signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org ${OS_CODENAME} main
deb [arch=${ARCHITECTURE} signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org tor-experimental-${OS_CODENAME} main
deb-src [arch=${ARCHITECTURE} signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org tor-experimental-${OS_CODENAME} main
deb [arch=${ARCHITECTURE} signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org tor-nightly-main-${OS_CODENAME} main
deb-src [arch=${ARCHITECTURE} signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org tor-nightly-main-${OS_CODENAME} main
EOF

# Step 3: Add GPG key for Tor repository (the signed-by= entries above point at this keyring)
wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | sudo gpg --dearmor | sudo tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null

# Step 4: Install Tor and Debian keyring
sudo apt update
sudo apt install tor deb.torproject.org-keyring
```
If you are on Debian/Ubuntu, you can simply copy and paste the commands above into a shell file (e.g. tor.sh) and run:

```bash
chmod u+x tor.sh
sudo ./tor.sh
```

This installs Tor. Then modify the configuration file located at `/etc/tor/torrc` using your preferred text editor.
Here are two different configurations for the torrc file:
For an exit relay:
(The Tor Project notes: "If you want to be a useful exit relay you must at least allow destination ports 80 and 443.")

```
ExitPolicy accept *:443
ExitPolicy accept *:80
ExitPolicy reject *:*
ExitRelay 1
```
For a bridge that only relays traffic:

```
ExitPolicy reject *:*
```

Please note that setting `ExitPolicy reject *:*` does not mean that the node will not forward any traffic. It means that the node will not be used as an exit point for Tor traffic.
To allow other services to be relayed through your Tor node, you can add the following line to your torrc file:

```
ExitPolicy accept *:*
```

However, this is not recommended, as some ports are commonly used for DDoS attacks or email spamming. To prevent abuse, avoid opening email ports or any other ports that are susceptible to spam or misuse.
In my personal opinion, I would only allow HTTP/HTTPS traffic to exit through my Tor node.
```
ORPort 20308
ExitPolicy accept *:443
ExitPolicy accept *:80
ExitPolicy reject *:*
ExitRelay 1
Nickname yourtorrelaynickname
ContactInfo youremail@mail.com
IPv6Exit 1
```
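Tor evaluates `ExitPolicy` rules from top to bottom and the first match wins, and a policy that does not end in a catch-all rule is followed by Tor's built-in default exit policy. The Python script below is an added example, not code from this post or from the Tor Project: it parses the `ExitPolicy` lines of a torrc and reports rejected web ports, accepted mail ports, and a missing catch-all. The function names, the `MAIL_PORTS` set and the two comparison configs are assumptions of the example, and it only evaluates `accept`/`reject` rules with a `*` address, as used on this page.

```python
# Mail ports treated as abuse-prone here (this example's assumption, following
# the page's advice not to open email ports).
MAIL_PORTS = {25: "SMTP", 465: "SMTPS", 587: "submission"}

def parse_exit_policy(torrc_text):
    """Return ExitPolicy rules as (action, addr, low_port, high_port), in file order."""
    rules = []
    for line in torrc_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) != 2 or parts[0].lower() != "exitpolicy":
            continue  # option names are case-insensitive
        for entry in parts[1].split(","):
            action, pattern = entry.split()
            addr, sep, ports = pattern.rpartition(":")
            if not sep:  # "reject *" with no port means every port
                addr, ports = pattern, "*"
            low, _, high = ("1", "-", "65535") if ports == "*" else ports.partition("-")
            rules.append((action.lower(), addr, int(low), int(high or low)))
    return rules

def decide(rules, port):
    """First matching rule wins. Only wildcard-address rules are considered."""
    for action, addr, low, high in rules:
        if addr == "*" and low <= port <= high:
            return action
    return "default"  # falls through to Tor's built-in default exit policy

def audit(torrc_text):
    """Return a list of findings; an empty list means the policy is web-only."""
    rules = parse_exit_policy(torrc_text)
    findings = [f"port {p} is rejected" for p in (80, 443) if decide(rules, p) == "reject"]
    findings += [f"mail port {p} ({n}) is accepted"
                 for p, n in MAIL_PORTS.items() if decide(rules, p) == "accept"]
    if not any(a == "*" and (lo, hi) == (1, 65535) for _, a, lo, hi in rules):
        findings.append("no catch-all rule, so Tor's default exit policy applies after these")
    return findings

# The page's web-only policy, and two constructed variants for comparison.
WEB_ONLY = "ExitPolicy accept *:443\nExitPolicy accept *:80\nExitPolicy reject *:*\nExitRelay 1\n"
MISORDERED = "ExitPolicy reject *:*\nExitPolicy accept *:443\nExitPolicy accept *:80\n"
OPEN = "ExitPolicy accept *:*\n"

if __name__ == "__main__":
    for name, cfg in (("web-only", WEB_ONLY), ("misordered", MISORDERED), ("open", OPEN)):
        print(name, audit(cfg) or "ok")
```

To audit a live relay, pass the contents of `/etc/tor/torrc` to `audit()`.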
To set up an obfs4 bridge, use the following additional lines:
```
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:40001
ExtORPort auto
```
Read more about obfs4 bridge setup on https://community.torproject.org/relay/setup/bridge
For hosting different types of relay nodes, Tor Project has a wiki: https://community.torproject.org/relay/setup/
For an exit node, you need to set up a local DNS resolver:

Debian/Ubuntu

The following commands install unbound, back up your DNS configuration, and tell the system to use the local resolver:

```bash
apt install unbound
cp /etc/resolv.conf /etc/resolv.conf.backup
echo nameserver 127.0.0.1 > /etc/resolv.conf
```

To avoid unwanted configuration changes (for example by the DHCP client):

```bash
chattr +i /etc/resolv.conf
```
The Debian configuration ships with QNAME minimization (RFC7816) enabled by default, so you don't need to enable it explicitly. The Unbound resolver you just installed also does DNSSEC validation.
If you are running systemd-resolved with its stub listener, you may need to do a bit more than just that. Please refer to the resolved.conf manpage.
Step 4: Test Your Exit Node
After you have configured Tor, you will want to test your exit node to make sure it is working properly. You can use the Tor Browser to test your exit node by connecting to a website and verifying that your IP address is listed as the exit node IP address. You can also use the Tor Metrics website to monitor the bandwidth usage and performance of your exit node.
To see if your exit node is running, check this bulk list: https://check.torproject.org/torbulkexitlist
Step 5: Monitor Your Exit Node
Once your exit node is up and running, it’s important to monitor it to ensure that it is not being used for malicious purposes. The Tor Project provides a list of recommended monitoring tools and techniques, including using log analysis software to track the traffic passing through your exit node and monitoring the Tor Metrics website for unusual activity. It’s also a good idea to regularly check the Tor Project’s guidelines for running an exit node to make sure you are complying with their policies.
Tor Project also provides a helpful page for post-install and good practice: https://community.torproject.org/relay/setup/post-install/
Elsa node is a Tor exit node I am currently running, see: https://metrics.torproject.org/rs.html#search/elsa
Conclusion
Running a Tor exit node can be a rewarding way to contribute to the privacy and freedom of the internet, but it requires some technical expertise and responsibility. By following the steps outlined in this blog post, you can set up and run a Tor exit node that provides a valuable service to the Tor network while maintaining the security and privacy of both your server and its users.