tor-webwml.git/docs/en/tor-doc-relay.wml
clean up the configuring-your-relay docs. make it clearer that you have to consider an exit policy.
Roger Dingledine committed bc28b2c82 at 2009-06-24 07:21:10
## translation metadata
# Revision: $Revision$
# Translation-Priority: 2-medium

#include "head.wmi" TITLE="Tor: Relay Configuration Instructions"

<div class="center">

<div class="main-column">

<h1>Configuring a Tor relay</h1>

<!-- BEGIN SIDEBAR -->
<div class="sidebar-left">
<h3>Config Steps</h3>
<ol>
<li><a href="<page docs/tor-doc-relay>#install">Download &amp; Install</a></li>
<li><a href="<page docs/tor-doc-relay>#setup">Configuration</a></li>
<li><a href="<page docs/tor-doc-relay>#check">Check &amp; Confirm</a></li>
<li><a href="<page docs/tor-doc-relay>#after">Final Steps</a></li>
</ol>
</div>
<!-- END SIDEBAR -->

<hr />

<p>
The Tor network relies on volunteers to donate bandwidth. The more
people who run relays, the faster the Tor network will be. If you have
at least 20 kilobytes/s each way, please help out Tor by configuring your
Tor to be a relay too. We have many features that make Tor relays easy and
convenient, including <a href="<page faq>#RelayFlexible">rate limiting
for bandwidth, exit policies so you can limit your exposure to abuse
complaints, and support for dynamic IP addresses</a>.
</p>

<p>Having relays in many different places on the Internet is what
makes Tor users secure. <a
href="https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#RelayAnonymity">You
may also get stronger anonymity yourself</a>,
since remote sites can't know whether connections originated at your
computer or were relayed from others.</p>

<p>You can run a Tor relay on pretty much any operating system, but see <a
href="https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#RelayOS">this
FAQ entry</a> for advice about which ones work best and other problems
you might encounter.</p>

<hr />
<a id="zero"></a>
<a id="install"></a>
<h2><a class="anchor" href="#install">Step One: Download and Install Tor</a></h2>
<br />

<p>Before you start, you need to make sure that Tor is up and running.
</p>

<p>For Windows users, this means at least <a
href="<page docs/tor-doc-windows>#installing">step one</a>
of the Windows Tor installation howto. Mac OS X users need to do at least
<a href="<page docs/tor-doc-osx>#installing">step one</a>
of the OS X Tor installation howto. Linux/BSD/Unix users should do at least
<a href="<page docs/tor-doc-unix>#installing">step one</a>
of the Unix Tor installation howto.
</p>

<p>If it's convenient, you might also want to use it as a client for a
while to make sure it's actually working.</p>

<hr />
<a id="setup"></a>
<h2><a class="anchor" href="#setup">Step Two: Set it up as a relay</a></h2>
<br />

<ol>
<li>Verify that your clock and timezone are set correctly. If possible,
synchronize your clock with public <a
href="http://en.wikipedia.org/wiki/Network_Time_Protocol">time servers</a>.
</li>

<li>
<strong>Windows / OS X Configuration</strong>:
<ol>
<li>Right click on the Vidalia icon in your task bar. Choose
<tt>Control Panel</tt>.</li>
<li>Click <tt>Setup Relaying</tt>.</li>
<li>Choose <tt>Relay Traffic for the Tor network</tt> if you want to be
a public relay (recommended), or choose <tt>Help censored users reach
the Tor network</tt> if you want to be a <a
href="<page bridges>">bridge</a> for users in countries that censor
their Internet.</li>
<li>Enter a nickname for your relay. (Optional, enter contact
information.)</li>
<li>Leave <tt>Attempt to automatically configure port forwarding</tt>
clicked. Push the <tt>Test</tt> button to see if it works. If it does
work, great. If not, see number 4 below.</li>
<li>Choose the <tt>Bandwidth Limits</tt> tab. Select how much bandwidth
you want to provide for Tor users like yourself.</li>
<li>Choose the <tt>Exit Policies</tt> tab. If you want to allow others
to use your relay for these services, don't change anything. Un-check
the services you don't want to allow people to <a
href="<page faq>#RunARelayBut">reach from your relay</a>. If you want to
be a non-exit relay, un-check all services.</li>
<li>Click the <tt>Ok</tt> button. See Step Three below for confirmation
that the relay is working correctly.</li>
</ol>
<br />

<strong>Linux / BSD Configuration</strong>:
<ul>
<li>Edit the bottom part of <a
href="https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#torrc">your
torrc file</a>. Make sure to define ORPort and <a
href="<page faq>#RunARelayBut">look at ExitPolicy</a> if you want to be
a public relay (recommended), or just add <a
href="<page bridges>#RunningABridge">these lines</a> if you want to be a
<a href="<page bridges>">bridge</a> for users in countries that censor
their Internet.
<!-- If you installed from source, create the DataDirectory if necessary
and make sure it's owned by the user that will be running tor. -->
</li>
</ul></li>

<li>
If you are using a firewall, open a hole in your firewall so incoming
connections can reach the ports you configured (ORPort, plus DirPort if
you enabled it). Make sure you allow all outgoing connections, so your
relay can reach the other Tor relays.
</li>

<li>Restart your relay. If it <a
href="https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#Logs">logs
any warnings</a>, address them.
</li>

<li>Subscribe to the <a
href="http://archives.seul.org/or/announce/">or-announce</a> mailing
list. It is very low volume, and it will keep you informed of new stable
releases. You might also consider subscribing to <a
href="http://archives.seul.org/or/talk/">or-talk</a> (higher volume),
where new development releases are announced.
</li>

<li>
Have a look at the manual. The <a href="<page tor-manual>">manual</a>
for the latest stable version provides a list of all the possible
configuration options for both clients and relays. If you are running
the development version of Tor, the manual is available <a
href="<page tor-manual-dev>">here</a>.
</li>
</ol>

<hr />
<a id="check"></a>
<h2><a class="anchor" href="#check">Step Three: Make sure it is working</a></h2>
<br />

<p>As soon as your relay manages to connect to the network, it will
try to determine whether the ports you configured are reachable from
the outside. This may take up to 20 minutes. Look for a <a
href="https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#Logs">log
entry</a> like
<tt>Self-testing indicates your ORPort is reachable from the outside. Excellent.</tt>
If you don't see this message, it means that your relay is not reachable
from the outside — you should re-check your firewalls, check that it's
testing the IP and port you think it should be testing, etc.
</p>

<p>When it decides that it's reachable, it will upload a "server
descriptor" to the directories. This will let clients know
what address, ports, keys, etc. your relay is using. You can <a
href="http://moria.seul.org:9032/tor/status/authority">load one of
the network statuses manually</a> and
look through it to find the nickname you configured, to make sure it's
there. You may need to wait a few seconds to give enough time for it to
make a fresh directory.</p>

<hr />
<a id="after"></a>
<h2><a class="anchor" href="#after">Step Four: Once it is working</a></h2>
<br />

<p>
We recommend the following steps as well:
</p>

<p>
8. Read
<a href="https://wiki.torproject.org/noreply/TheOnionRouter/OperationalSecurity">this
document</a> to get ideas for how you can increase the security of your
relay.
</p>

<p>
9. If you want to run more than one relay that's great, but please set <a
href="https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#MultipleRelays">the
MyFamily option</a> in all your relays' configuration files.
</p>

<p>
10. Decide about rate limiting. Cable modem, DSL, and other users
who have asymmetric bandwidth (e.g. more down than up) should
rate limit to their slower bandwidth, to avoid congestion. See the <a
href="https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#LimitBandwidth">rate
limiting FAQ entry</a> for details.
</p>

<p>
11. Back up your Tor relay's private key (stored in "keys/secret_id_key"
in your DataDirectory). This is your relay's "identity," and
you need to keep it safe so nobody can read the traffic that goes
through your relay. This is the critical file to keep if you need to <a
href="https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#UpgradeRelay">move
or restore your Tor relay</a> if something goes wrong.
</p>

<p>
12. If you control the name servers for your domain, consider setting
your reverse DNS hostname to 'anonymous-relay', 'proxy' or 'tor-proxy',
so when other people see the address in their web logs, they will more
quickly understand what's going on. Adding the <a
href="https://tor-svn.freehaven.net/svn/tor/trunk/contrib/tor-exit-notice.html">Tor
exit notice</a> on a vhost for this name can go a long way to deterring
abuse complaints to you and your ISP if you are running an exit node.
</p>

<p>
13. If your computer isn't running a webserver, please consider
changing your ORPort to 443 and your DirPort to 80. Many Tor
users are stuck behind firewalls that only let them browse the
web, and this change will let them reach your Tor relay. Win32
relays can simply change their ORPort and DirPort directly
in their torrc and restart Tor. OS X or Unix relays can't bind
directly to these ports (since they don't run as root), so they will
need to set up some sort of <a
href="https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#ServerForFirewalledClients">
port forwarding</a> so connections can reach their Tor relay. If you are
using ports 80 and 443 already but still want to help out, other useful
ports are 22, 110, and 143.
</p>

<p>
14. If your Tor relay provides other services on the same IP address
— such as a public webserver — make sure that connections to the
webserver are allowed from the local host too. You need to allow these
connections because Tor clients will detect that your Tor relay is the <a
href="https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#ExitEavesdroppers">safest
way to reach that webserver</a>, and always build a circuit that ends
at your relay. If you don't want to allow the connections, you must
explicitly reject them in your exit policy.
</p>

<p>
15. (Unix only.) Make a separate user to run the relay. If you
installed the OS X package or the deb or the rpm, this is already
done. Otherwise, you can do it by hand. (The Tor relay doesn't need to
be run as root, so it's good practice to not run it as root. Running
as a 'tor' user avoids issues with identd and other services that
detect user name. If you're the paranoid sort, feel free to <a
href="https://wiki.torproject.org/noreply/TheOnionRouter/TorInChroot">put Tor
into a chroot jail</a>.)
</p>

<p>
16. (Unix only.) Your operating system probably limits the number
of open file descriptors per process to 1024 (or even less). If you
plan to be running a fast exit node, this is probably not enough. On
Linux, you should add a line like "toruser hard nofile 8192" to your
/etc/security/limits.conf file (where toruser is the user that runs the
Tor process), and then restart Tor if it's installed as a package (or log
out and log back in if you run it yourself).
</p>

<p>
17. If you installed Tor via some package or installer, it probably starts
Tor for you automatically on boot. But if you installed from source,
you may find the initscripts in contrib/tor.sh or contrib/torctl useful.
</p>

<p>
When you change your Tor configuration, remember to verify that your
relay still works correctly after the change. Be sure to set your
"ContactInfo" line in the torrc so we can contact you if you need to
upgrade or something goes wrong. If you have problems or questions, see
the <a href="<page documentation>#Support">Support</a> section or
<a href="<page contact>">contact us</a> on the tor-ops list. Thanks
for helping to make the Tor network grow!
</p>

<hr />

<p>If you have suggestions for improving this document, please <a
href="<page contact>">send them to us</a>. Thanks!</p>

</div><!-- #main -->
</div>

#include <foot.wmi>
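
The relay checklist in the document above (define ORPort, make an explicit ExitPolicy decision, set ContactInfo, open ORPort and DirPort inbound, avoid direct binds below 1024 on Unix) can be checked mechanically. This is an added Python example, not part of the Tor project's page or code; `SAMPLE_TORRC` and all function names are hypothetical, and it assumes simple `Option value` lines, first-match-wins policy rules, and Tor's default policy applying once the configured rules run out.

```python
SAMPLE_TORRC = """\
# constructed sample torrc (added example, not a real relay)
ORPort 443
DirPort 9030
ExitPolicy reject *:25, accept *:80
ExitPolicy reject *:*
"""

def parse_torrc(text):
    """Return {lowercased option: [values]}; '#' starts a comment."""
    opts = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            opts.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else "")
    return opts

def port_of(value):
    """Port from 'PORT' or 'ADDR:PORT'; None when it is not a number."""
    tokens = value.split()
    tail = tokens[0].rsplit(":", 1)[-1] if tokens else ""
    return int(tail) if tail.isdigit() else None

def is_exit(opts):
    """First match wins: accept before 'reject *:*' means exit traffic."""
    for line in opts.get("exitpolicy", []):
        for rule in line.split(","):
            rule = " ".join(rule.split()).lower()
            if rule.startswith("accept"):
                return True
            if rule == "reject *:*":
                return False
    return None  # rules run out: Tor's default policy decides (assumption)

def audit(text, unix=True):
    opts = parse_torrc(text)
    ports = [p for k in ("orport", "dirport")
             for v in opts.get(k, []) if (p := port_of(v))]
    exit_relay = is_exit(opts)
    findings = []
    if "orport" not in opts:
        findings.append("ORPort not set: Tor will not act as a relay")
    if exit_relay is None:
        findings.append("ExitPolicy has no final decision: default policy applies")
    if "contactinfo" not in opts:
        findings.append("ContactInfo not set")
    findings += [f"port {p} is below 1024: needs port forwarding on Unix"
                 for p in ports if unix and p < 1024]
    return {"open_inbound": ports, "exit": exit_relay, "findings": findings}
```

`audit(SAMPLE_TORRC)` reports the ports the firewall must admit, whether the configured policy makes the relay an exit, and which checklist items are still open.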