Advice on running your own Tor relays

As many of you may know, Tor relays are quite important to the Tor network. They allow Tor users to access .onion sites and regular internet. While hidden services (.onion sites) are great, the fact is that a lot of the internet can not be found within the Tor network. Exit relays, being one of the most essential relay types, facilitate the bridge between Tor, and the regular WWW (World Wide Web), allowing for true internet freedom.

For a good portion of 2021, we ran (and currently run) a set of Tor exit relays on dedicated servers with unmetered bandwidth. This is something that we haven’t attempted before, and typically ran guard and middle relays exclusively to not have to deal with abuse reports. Many people fear running exit relays because of legal issues some have experienced, which is completely understandable. You may also have a hard time finding a hosting provider that allows exit relays (see more below for suggestions). In this post, we will go through some of the things we’ve found to be beneficial in our endeavor to provide fast and secure infrastructure to the Tor network.

Network network network

The most important thing we’ve found is operating your own network when running exit relays.

  1. Having your own ASN (autonomous system number) is a great thing to have. It allows you to have a great deal of flexibility in what you can do with your network. Having your own ASN such as ours allows us to advertise our IPv4 and v6 prefixes on our servers or routers directly to our upstream (hosting) provider. We have more control over the routing, and our network looks unique when peering into our setup. We even have the option to establish our own private or public peering with other networks, allowing us to have direct connections to other networks (for speed and free bandwidth).
  2. Having your own IP prefixes (rented or owned) gives you autonomy. With your own IPs, you directly handle abuse complaints, as your email can be listed on the abuse contact of the IPs. With this, you do not need to be at the mercy of your hosting provider, who may or may not penalize you for every abuse complaint they receive for your exit relay. Abuse complaints nowadays are generally automated, making life challenging with many coming in per day. As we do, you can simply set up an auto-responder to reply to incoming complaints and ask that another email be reached if the complaint is serious and needs direct attention.

Hosting

This part is really up to you, but we recommend several things here.

  • A hosting or upstream provider that allows Tor relays (especially exit relays). We’ve tested a few providers, and can recommend them for Tor usage (as of 01/24/22).

    Terrahost (exits & guard/middle allowed)
    – Locations: Norway
    – Service: Dedicated & virtual servers, misc others

    BuyVM/Frantech[aff link] (exits & guard/middle allowed)
    – Locations: Las Vegas, New York, Miami & Luxembourg
    – Services: Virtual servers, misc others

    Less preferred/highly used hosts:

    Hetzner (dedicated & cloud [aff link]) (guard/middle allowed)
    – Locations: Finland, and various locations in Germany
    – Services: Dedicated & cloud servers

    OVH / SoYouStart (guard/middle allowed)
    – Locations: Global network in various countries (mainly Europe)
    – Services: Dedicated, cloud, virtual and various other services

    More info:

    Want to know how to run a relay? Check Run A Relay out.
    If you are familiar with Ansible, be sure to use ansible-relayor.
  • Dedicated hardware, with high GHz CPU cores and an unmetered network port, is the most important for Tor relays. Obviously, with the vast amount of traffic that transits the Tor network you are going to need powerful hardware, as Tor is quite resource intensive with all the encrypting and decrypting being done on the fly. You absolutely do not want noisy neighbors, commonly seen on VPS/VM providers.

    Hardware specifics to look for:
    – 3GHz+ CPU cores with at least 1 core per relay.
    – 2 GB+ of DDR3 (or higher) RAM per relay.
    – A dedicated network uplink to your provider. Bonus points for an unmetered port where you are not charged for overages.
  • Look for a stable network. Look for a provider with a stable network, that doesn’t commonly experience congestion. Congestion, and packet loss can provide a horrible experience for users on the Tor network, resulting in a slow browsing experience with timeouts.

    Network specifics to look for:
    – A well peered hosting provider with multiple public/private peerings and public transit upstreams (think; Cogent, GTT, Telia, Lumen, etc), so that you can reach Tor network users and other relays at a low latency (which improves overall Tor network performance)
    – A provider that experiences a lower level of network congestion, which results in your ability to use your full port speed most of the time. As the Tor network uses the protocol; TCP, it is important to have a consistent good and reliable network to prevent excess TCP re-transmissions, which increases latency.

Legal

Legality is important, so make sure you are following laws in your country to stay within the law.

  1. Operate your own LLC, non-profit, company, or corporation. This allows you to part yourself from your Tor exit relays. While you are obviously running them, a legally formed organization will provide you with some legal protections depending on where you live.
  2. Always follow up with serious abuse complaints or subpoenas from law enforcement. This is important, and allows you to continue operating your network as a legitimate netizen. Do take abuse complaints seriously, and try to provide advice to the reporter about the Tor network and how they can circumvent future abuse. If needed, you can also disallow users from utilizing various network ports (such as port 22 used for SSH, a common source of abuse complaints) on your exit relays.

As our journey is ever evolving, we will attempt to add to this list when we discover more along the way. If you have a suggestion, feel free to contact us, and we’ll consider adding it as well.

G’day,
Z