From dbdf86abf21913f6d9c63772ecf98dbd80a3096b Mon Sep 17 00:00:00 2001 From: Roger Dingledine Date: Wed, 17 Aug 2005 04:15:25 +0000 Subject: add tor server configuration instructions svn:r4793 --- doc/tor-doc-server.html | 245 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 245 insertions(+) create mode 100644 doc/tor-doc-server.html (limited to 'doc/tor-doc-server.html') diff --git a/doc/tor-doc-server.html b/doc/tor-doc-server.html new file mode 100644 index 000000000..050629415 --- /dev/null +++ b/doc/tor-doc-server.html @@ -0,0 +1,245 @@ + + + + + Tor Server Configuration Instructions + + + + + + + + + + + + + + + + + + + + +
+ +
+ +

Configuring a Tor server

+
+ +

The Tor network relies on volunteers to donate bandwidth. If you have +at least 20 kilobytes/s each way, please help out Tor by configuring +your Tor to be a server too. Having servers in many different pieces +of the Internet gives users more robustness against curious telcos and +brute force attacks.

+ +

Setting up a Tor server is easy and convenient: +

    +
  • Tor has built-in support for rate +limiting. Further, if you have a fast link +but want to limit the number of bytes per day +(or week or month) that you donate, check out the hibernation +feature. +
  • +
  • Each Tor server has an exit +policy that specifies what sort of outbound connections are allowed +or refused from that server. If you are uncomfortable allowing people +to exit from your server, you can set it up to only allow connections +to other Tor servers. +
  • +
  • It's fine if the server goes offline sometimes. The directories +notice this quickly and stop advertising the server. Just try to make +sure it's not too often, since connections using the server when it +disconnects will break. +
  • +
  • We can handle servers with dynamic IPs just fine, as long as the +server itself knows its IP. Have a look at this + +entry in the FAQ. +
  • +
  • If your server is behind a NAT and it doesn't know its public +IP (e.g. it has an IP of 192.168.x.y), you'll need to set up port +forwarding. Forwarding TCP connections is system dependent but this FAQ entry offers some examples on how to do this. +
  • +
  • Your server will passively estimate and advertise its recent +bandwidth capacity, so high-bandwidth servers will attract more users than +low-bandwidth ones. Therefore having low-bandwidth servers is useful too. +
  • +
+ +
+ +

Step Zero: Download and Install Tor and Privoxy

+
+ +

Before you start, you need to make sure that Tor is up and running. +

+ +

For Windows users, this means at least step one +of the Windows Tor installation howto. Mac OS X users need to do at least +step one +of OS X Tor installation howto. Linux/BSD/Unix users should do at least +step one +of the Unix Tor installation howto. +

+ +

If it's convenient, you might also want to use it as a client for a +while to make sure it's actually working.

+ +
+ +

Step One: Set it up as a server

+
+ +
    +
  • 1. Verify that your clock is set correctly. If possible, synchronize +your clock with public time servers. Make sure name resolution works +(that is, your computer can resolve addresses correctly). +
  • +
  • 2. Edit the bottom part of your torrc. (See this +FAQ entry for help.) +Make sure to define at least Nickname and ORPort. Create the DataDirectory +if necessary, and make sure it's owned by the user that will be running +tor. +
  • 3. If you are using a firewall, open a hole in your firewall so +incoming connections can reach the ports you configured (ORPort, plus +DirPort if you enabled it). Make sure you allow all outgoing connections, +so your server can reach the other Tor servers. +
  • 4. Start your server: if you installed from source you can just +run tor, whereas packages typically launch Tor from their +initscripts or startup scripts. If it logs any warnings, address them. (By +default Tor logs to stdout, but some packages log to /var/log/tor/ +instead. You can edit your torrc to configure log locations.) +
  • 5. Subscribe to the or-announce +mailing list. It is very low volume, and it will keep you informed +of new stable releases. You might also consider subscribing to or-talk (higher volume), +where new development releases are announced. +
  • +
+ +
+ +

Step Two: Make sure it's working

+
+ +

As soon as your server manages to connect to the network, it will +try to determine whether the ports you configured are reachable from +the outside. This may take several minutes. The log entries will keep +you informed of its progress.

+ +

When it decides that it's reachable, it will upload a "server +descriptor" to the directories. This will let other clients know +what address, ports, keys, etc your server is using. You can load the directory manually and +look through it to find the nickname you configured, to make sure it's +there. You may need to wait a few seconds to give enough time for it to +make a fresh directory.

+ +
  • Once you are convinced it's working, Register your server. +Send mail to tor-ops@freehaven.net with a +subject of '[New Server] <your server's nickname>' and +include the following information in the message: +
      +
    • Your server's nickname
    • +
    • The fingerprint for your server's key (the contents of the +"fingerprint" file in your DataDirectory -- on Windows, look in +\username\Application Data\tor\ or \Application Data\tor\; +on OS X, look in /Library/Tor/var/lib/tor/; and on Linux/BSD/Unix, +look in /var/lib/tor or ~/.tor) +
    • +
    • Who you are, so we know whom to contact if a problem arises
    • +
    • What kind of connectivity the new server will have
    • +
    +If you like, sign your mail using PGP.
    +Registering your server reserves your nickname so nobody else can take it, +and lets us contact you if you need to upgrade or something goes wrong. +
  • + +
    + +

    Step Three: Once it's working

    +
    + +

    +Optionally, we recommend the following steps as well: +

    + +
      +
    • 6 (Unix only). Make a separate user to run the server. If you +installed the OS X package or the deb or the rpm, this is already +done. Otherwise, you can do it by hand. (The Tor server doesn't need to +be run as root, so it's good practice to not run it as root. Running +as a 'tor' user avoids issues with identd and other services that +detect user name. If you're the paranoid sort, feel free to put Tor +into a chroot jail.) +
    • 7. Decide what exit policy you want. By default your server allows +access to many popular services, but we restrict some (such as port 25) +due to abuse potential. You might want an exit policy that is +less restrictive or more restrictive; edit your torrc appropriately. +If you choose a particularly open exit policy, you might want to make +sure your ISP is ok with that choice. +
    • 8. If you installed from source, you may find the initscripts in +contrib/tor.sh or contrib/torctl useful if you want to set up Tor to +start at boot. +
    • 9. If you control the name servers for your domain, consider setting +your hostname to 'anonymous' or 'proxy' or 'tor-proxy', so when other +people see the address in their web logs, they will more quickly +understand what's going on. +
    • 10. If your computer isn't running a webserver, please consider +changing your ORPort to 443 and your DirPort to 80. Many Tor +users are stuck behind firewalls that only let them browse the +web, and this change will let them reach your Tor server. Win32 +servers can simply change their ORPort and DirPort directly +in their torrc and restart Tor. OS X or Unix servers can't bind +directly to these ports, so they will need to set up some sort of +port forwarding so connections can reach their Tor server. If you are +using ports 80 and 443 already but still want to help out, other useful +ports are 22, 110, and 143. +
    + +When you change your Tor configuration, be sure to restart Tor, and +remember to verify that your server still works correctly after the +change. + +
    + +

    If you have suggestions for improving this document, please post +them on our bugtracker in the +website category. Thanks!

    + +
    +
    +
    + Webmaster - $Id$ +
    + + + -- cgit v1.2.3
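Review bot: step 2 under "Step One" tells the reader to create the DataDirectory and make it owned by the user that will be running tor, but says nothing about keeping it unreadable by other users, even though the fingerprint file that the registration item in "Step Two" reads from that directory sits next to the server's keys; suggest extending the sentence to "make sure it's owned by the user that will be running tor, and not readable by other users". The same step is also out of order with step 6 (Unix only), which introduces the separate 'tor' user only after the directory's ownership has already been set in step 2; a pointer from step 2 to step 6 (or moving the separate-user advice ahead of the torrc edit) would let a reader who follows the steps in sequence end up with the directory owned by the right account. Smaller point: step 7 says "edit your torrc appropriately" for the exit policy without naming the option, whereas step 2 names Nickname and ORPort explicitly; naming the exit-policy line the same way would make step 7 actionable.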