Setting up a Tor proxy, relay and hidden service

0. Introduction

In this article I'll show you how to set up your own Tor proxy (SOCKS5 and HTTP CONNECT), relay, and hidden service.

1. Installation

Install the tor package using your package manager.

You definitely want to have control over your node and be able to monitor it. For that purpose there is the nyx tool, covered in section 3.1.

Any program can be passed through Tor with torify from the torsocks package. torsocks works by preloading a library that intercepts the libc socket calls, so it does nothing for statically linked programs or programs that bypass libc, and it cannot stop an application from revealing who you are in the data it sends.

2. Configuration

Tor ships with a well documented sample configuration, torrc-dist (torrc.sample on some systems). Copy it to torrc and change what you need. Check the result with tor --verify-config -f /etc/tor/torrc before restarting the daemon: an unknown option name (a typo, for instance) is a fatal error at startup, not a warning.

2.1. Tor SOCKS/HTTP proxy

Here is an example of SOCKS/HTTP proxy settings. Give each listener its own line; Tor does not take a comma-separated list of addresses on a port option:

SocksPort 192.168.0.100:9050
SocksPort [ipv6 address]:9050
HTTPTunnelPort 192.168.0.100:8118
HTTPTunnelPort [ipv6 address]:8118

SocksPolicy accept 192.168.0.0/24
SocksPolicy accept6 [012:3fe1:337::]/48
SocksPolicy reject *

BandwidthRate 70MBits
BandwidthBurst 100MBits

ExcludeNodes {ru}, {ua}, {by}, {kz}, {??}
ExcludeExitNodes {ru}, {ua}, {by}, {kz}, {??}

SocksPort sets the address and port the SOCKS5 proxy listens on; HTTPTunnelPort does the same for the HTTP CONNECT proxy. Giving only a port number binds 127.0.0.1 on that port, not all interfaces; to listen everywhere, bind 0.0.0.0:9050 (and [::]:9050 for IPv6) explicitly. Anything that can reach a SOCKS listener can send traffic through your Tor, so a listener on a non-loopback address always needs a SocksPolicy.

SocksPolicy takes the form accept|reject ADDRESS/MASK (accept6/reject6 for IPv6) and says which networks may use the SocksPort and HTTPTunnelPort listeners, so there are normally several lines. For example, SocksPolicy accept 192.168.1.0/24 lets everyone on that network use the proxy. Rules are evaluated in order and the first match wins, and an address matched by no rule is accepted, so end the list with SocksPolicy reject * to forbid every other network. You may prefer one rule per line for the sake of readability.

BandwidthRate and BandwidthBurst (mind the spelling; Tor refuses to start on an unknown option such as BandwithRate) set the average and the short-term maximum throughput, in each direction, for all traffic this Tor instance handles. BandwidthBurst must be greater than or equal to BandwidthRate, and if the node is also a relay BandwidthRate must be at least 75 KBytes. Values use Tor's units, e.g. 70MBits, 10MBytes or 5MB: an unsuffixed number is bytes per second, KBytes/MBytes are multiples of 1024, and bit units are divided by 8.

HTTPTunnelPort enables an HTTP CONNECT proxy on the given IP:Port. It only understands the CONNECT method, i.e. it tunnels a TCP connection the way an HTTPS proxy does; it is not a full HTTP proxy, so a client that sends plain GET http://... requests through it is rejected. With curl, for example, use -p/--proxytunnel (or just https URLs), or use the SOCKS port with --socks5-hostname so that DNS resolution also happens inside Tor.

ExcludeNodes and ExcludeExitNodes are comma-separated lists of nodes never to use in circuits (ExcludeExitNodes: never as the exit). Entries can be country codes, address patterns and identity fingerprints, e.g. {ru}, {??}, 123.45.*. Country matching needs the GeoIP files Tor ships with (GeoIPFile/GeoIPv6File), and {??} matches nodes whose country the database cannot resolve. I recommend keeping at least {??} there, to exclude misconfigured nodes and nodes of unknown origin, especially for exits. Two caveats: ExcludeNodes is advisory by default (Tor may still use an excluded node if it has no other way to build a circuit; StrictNodes 1 makes it a hard requirement at the cost of reliability), and every restriction shrinks the set of circuits you can build, which makes your Tor usage look less like everyone else's, so keep the list short.

2.2. Tor relay

Here is an example of relay settings (again, one ORPort per line).

ORPort 8443
ORPort [::]:8443
Nickname Anon
Address example.org
ContactInfo Anon <anon@example.org>

RelayBandwidthRate 8MBits
RelayBandwidthBurst 10MBits

AccountingMax 6 GB
# Reset the counter every midnight ...
AccountingStart day 00:00
# ... or on the 3rd of every month. Only one AccountingStart takes effect;
# Tor warns and keeps the last one, so leave the alternative commented out.
# AccountingStart month 3 00:00

# In case you don't want to be an exit node.
ExitPolicy reject *:*

To enable a Tor relay you need to set the ORPort option. The port must be reachable from the Internet, so open it on your firewall and forward it if the host is behind NAT.

You should also provide some information about the relay. Nickname is the name shown for it in relay lists; it is optional (Tor uses "Unnamed" if it is missing), but a distinctive one makes the relay easy to find. ContactInfo is optional too, yet recommended; fill it with your e-mail address. Bear in mind that both are published in the relay descriptor and are therefore public, so use an address you don't mind exposing.

If you leave your e-mail address, the Tor Weather service can send you a notification if your node goes down.

You can also set the Address option if you have a domain name, or set it to your public IP address. Otherwise, if you don't add it or comment it out, Tor will try to guess it.

RelayBandwidthRate and RelayBandwidthBurst are the same as BandwidthRate and BandwidthBurst but apply only to relayed traffic, so your own client use of the node is not counted against them.

Add ExitPolicy reject *:* to disable the exit function if you don't need it. I found that setting ExitRelay to 0 alone did not disable the exit on my setup, although current versions document ExitRelay 0 as equivalent to a reject *:* policy; an explicit rejecting policy is unambiguous either way, so add it. Whether or not you exit is the most consequential decision a relay operator makes: an exit is where other people's traffic appears to come from and it attracts abuse complaints, so state the choice explicitly rather than relying on defaults.

AccountingMax and AccountingStart limit traffic for a given period. The limit applies to each direction separately, and when it is reached the relay hibernates (stops accepting connections) until the next period begins.
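Since an unknown option name stops Tor from starting, and a wrong listener or policy silently opens your proxy to a whole network, it pays to check a torrc for the mistakes discussed in 2.1 and 2.2 before restarting the daemon. The linter below is an added example written for this article, not part of Tor or of its tooling. It reimplements just enough of Tor's config syntax (case-insensitive option names, # comments, power-of-1024 size units, bare port number = loopback) to run its checks, also covers the unauthenticated control port case from section 3.1, and the two torrc strings at the end are constructed inputs: one reproducing the problems, one corrected.

```python
import re
from collections import defaultdict

# Misspellings Tor rejects at startup ("Unknown option"), mapped to the real name.
TYPOS = {"bandwithrate": "BandwidthRate", "bandwithburst": "BandwidthBurst",
         "relaybandwithrate": "RelayBandwidthRate", "relaybandwithburst": "RelayBandwidthBurst"}
PORT_OPTIONS = {"socksport", "httptunnelport", "controlport", "orport", "dirport"}
LOOPBACK = ("127.", "[::1]", "localhost", "unix:")
SIZE_RE = re.compile(r"^(\d+)\s*([kmgt]?)\s*(bits?|bytes?|b)?$", re.I)
SCALE = {"": 1, "k": 1 << 10, "m": 1 << 20, "g": 1 << 30, "t": 1 << 40}


def parse_size(text):
    """Bytes for a Tor size such as '70MBits', '10MBytes', '5MB' or '6 GB'.
    Tor uses powers of 1024, a bare number means bytes, and bit units are divided by 8."""
    m = SIZE_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable size: %r" % text)
    value = int(m.group(1)) * SCALE[m.group(2).lower()]
    return value // 8 if (m.group(3) or "").lower().startswith("bit") else value


def parse_torrc(text):
    """(lineno, option in lowercase, value) for every non-blank, non-comment line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            entries.append((lineno, parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return entries


def is_exposed(addrport):
    """True when a port option binds something other than loopback or a unix socket.
    A bare port number binds 127.0.0.1 in Tor; 0 and auto never bind a network address."""
    first = (addrport.split() or [""])[0]          # drop flags such as IsolateDestAddr
    if first.isdigit() or first == "auto":
        return False
    return not first.lower().startswith(LOOPBACK)


def lint(text):
    """Findings (strings) for a torrc given as a string; an empty list means clean."""
    findings, seen = [], defaultdict(list)          # seen: option -> [(lineno, value)]
    for lineno, opt, val in parse_torrc(text):
        seen[opt].append((lineno, val))
        if opt in TYPOS:
            findings.append(f"line {lineno}: '{opt}' is not a Tor option, did you mean {TYPOS[opt]}?")
        if opt in PORT_OPTIONS and "," in val:
            findings.append(f"line {lineno}: {opt} takes one listener per line, not a comma-separated list")
    last = lambda opt: seen[opt][-1][1] if opt in seen else None

    for rate, burst in (("bandwidthrate", "bandwidthburst"), ("relaybandwidthrate", "relaybandwidthburst")):
        if last(rate) and last(burst) and parse_size(last(burst)) < parse_size(last(rate)):
            findings.append(f"{burst} ({last(burst)}) is below {rate} ({last(rate)}); burst must be >= rate")

    # A proxy listener reachable over the network needs a policy whose final rule is "reject *".
    final_rule = (last("sockspolicy") or "").split(",")[-1].lower().split()
    closed = final_rule[:2] == ["reject", "*"]
    for opt in ("socksport", "httptunnelport"):
        for lineno, val in seen.get(opt, []):
            if is_exposed(val) and not closed:
                findings.append(f"line {lineno}: {opt} {val} is reachable from the network "
                                "but no 'SocksPolicy reject *' closes the policy")

    if len(seen.get("accountingstart", [])) > 1:   # Tor warns and keeps only the last value
        findings.append("AccountingStart is given more than once; only the last line takes effect")
    if "orport" in seen and "exitpolicy" not in seen and "exitrelay" not in seen:
        findings.append("ORPort is set but neither ExitPolicy nor ExitRelay is; state the exit decision explicitly")
    # The control port can reconfigure Tor, so a network-reachable one must be authenticated.
    for lineno, val in seen.get("controlport", []):
        if is_exposed(val) and last("cookieauthentication") != "1" and not last("hashedcontrolpassword"):
            findings.append(f"line {lineno}: ControlPort {val} is reachable from the network "
                            "without CookieAuthentication or HashedControlPassword")
    return findings


# Constructed torrc reproducing the mistakes discussed in 2.1 and 2.2 (not a real deployment).
WEAK_TORRC = """\
SocksPort 192.168.0.100:9050, [2001:db8::10]:9050
SocksPolicy accept 192.168.0.0/24
BandwithRate 70MBits
BandwithBurst 100MBits
ORPort 8443
AccountingStart day 00:00
AccountingStart month 3 00:00
ControlPort 192.168.1.200:9051
"""

# The same intent written so that lint() is silent (also constructed).
FIXED_TORRC = """\
SocksPort 192.168.0.100:9050
SocksPolicy accept 192.168.0.0/24
SocksPolicy reject *
BandwidthRate 70MBits
BandwidthBurst 100MBits
ORPort 8443
ExitPolicy reject *:*
AccountingStart month 3 00:00
ControlPort 127.0.0.1:9051
CookieAuthentication 1
"""
```

Run lint() on the contents of your torrc; an empty list is the goal. The checks are deliberately conservative about what they know: the typo table only lists the spellings from this article, and an unfamiliar option is left alone rather than guessed at. tor --verify-config -f <file> remains the authoritative syntax check; Tor does warn about a public SocksPort or an unauthenticated ControlPort, but it still starts with them, which is why a pre-flight check that fails loudly is worth having.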

2.3. Hidden service

There are two mandatory options: HiddenServiceDir and HiddenServicePort.

Of course, there are many other options, e.g. client authentication. But in the simple case all you need are those two.

Every hidden service starts with a HiddenServiceDir <path> line. Tor creates the directory (it must be owned by the user Tor runs as, with mode 0700) and stores in it the service's public and secret keys (hs_ed25519_public_key and hs_ed25519_secret_key), a hostname file with the .onion address, and a directory called authorized_clients that holds the keys of clients allowed to access the service. The secret key is the service's identity: whoever holds it can impersonate the service, and losing it means losing the address, so back it up and protect it like a private TLS key.

Then at least one HiddenServicePort <virtual port> <host:port> line follows. The first parameter is the port clients connect to on the .onion address; the second is the local or network service that Tor forwards those connections to. E.g. HiddenServicePort 80 localhost:8201 for a web server. If the target is omitted, Tor forwards to 127.0.0.1 on the same port.

Several HiddenServicePort lines under one HiddenServiceDir expose several services under one .onion hostname. Two things to keep in mind: Tor's encryption ends at the Tor daemon, so a target on another machine (192.168.1.160:25 below) is reached in the clear across your LAN; and the backend services should listen on loopback or a firewalled interface only, otherwise they are also reachable directly and their real address is trivially linked to the .onion name.

Example:

HiddenServiceDir /var/lib/tor/hidden-services/website
# Port 80 on the .onion address -> local web server on 8201.
HiddenServicePort 80 localhost:8201
# Port 25 -> a mail server on another host; this last hop is not encrypted by Tor.
HiddenServicePort 25 192.168.1.160:25
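To show what the files in HiddenServiceDir contain and how the hostname relates to them, here is the v3 onion address derivation from Tor's rend-spec-v3 as an added example (my code, not Tor's): the hostname is base32 of the 32-byte ed25519 public key, a 2-byte SHA3-256 checksum and a version byte. It also parses and validates an address the way a client does before using it, and reads the key out of the hs_ed25519_public_key file format (a 32-byte header tag followed by the key). The sample key is a constructed byte string, not a real key.

```python
import base64
import hashlib

ONION_VERSION = b"\x03"
# Tor writes hs_ed25519_public_key as a 32-byte header tag followed by the 32-byte key.
PUBKEY_FILE_TAG = b"== ed25519v1-public: type0 ==".ljust(32, b"\x00")


def onion_checksum(pubkey):
    """CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2], per rend-spec-v3."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + ONION_VERSION).digest()[:2]


def onion_address(pubkey):
    """The .onion hostname Tor writes to HiddenServiceDir/hostname for a 32-byte ed25519 key:
    base32(PUBKEY || CHECKSUM || VERSION); 35 bytes give 56 characters with no padding."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_address(hostname):
    """Inverse of onion_address: check length, version and checksum, return the public key.
    Raises ValueError for anything that is not a well-formed v3 address."""
    label = hostname.strip().lower()
    if not label.endswith(".onion"):
        raise ValueError("not a .onion hostname")
    label = label[:-len(".onion")]
    if len(label) != 56:
        raise ValueError("v3 onion names have 56 base32 characters (16-character v2 names are retired)")
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch: mistyped or tampered address")
    return pubkey


def pubkey_from_key_file(data):
    """Public key from the raw bytes of HiddenServiceDir/hs_ed25519_public_key (64 bytes)."""
    if len(data) != 64 or data[:32] != PUBKEY_FILE_TAG:
        raise ValueError("not a Tor hs_ed25519_public_key file")
    return data[32:]


# Constructed stand-in for a key: NOT a real ed25519 key, just 32 recognisable bytes.
SAMPLE_PUBKEY = bytes(range(32))
SAMPLE_KEY_FILE = PUBKEY_FILE_TAG + SAMPLE_PUBKEY
```

Feed pubkey_from_key_file() the bytes of your service's hs_ed25519_public_key and compare onion_address() of the result with the hostname file; the two must agree, which is a quick way to confirm that a restored backup is the one you think it is. The checksum is what makes a mistyped address fail cleanly instead of silently resolving to some other service.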

3. Miscellaneous

3.1. Nyx — status monitor for Tor nodes

Set ControlPort to the desired port; with a bare port number Tor listens on localhost only, and if you need access from another machine set it to IP:9051. Whoever can talk to the control port can read Tor's state and reconfigure it, and if neither CookieAuthentication 1 nor HashedControlPassword is set, Tor accepts every connection to it as fully authorized, so a control port on a LAN address without authentication hands your node to everyone on that network. Use CookieAuthentication 1 for a nyx on the same host (it must be able to read control_auth_cookie in DataDirectory, so run it as the tor user or set CookieAuthFileGroupReadable 1) and a HashedControlPassword, generated with tor --hash-password, for a remote one. You also need to set DisableDebuggerAttachment to 0, otherwise you'll not be able to use nyx; at least in my case nyx could not connect with this option set to 1. Its default of 1 stops other processes from attaching a debugger to the Tor process, so only lower it on a host where you trust every local user.

Example:

ControlPort 192.168.1.200:9051
# Generate the value with `tor --hash-password <secret>`; nyx asks for the same secret.
HashedControlPassword 16:<output of tor --hash-password>
DisableDebuggerAttachment 0

You may install nyx using your package manager, but the latest version comes from PyPI (pip install nyx).
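The HashedControlPassword value above is normally produced with tor --hash-password <secret>. As an added example (my code, not Tor's), the following reimplements that derivation, which is the OpenPGP iterated-and-salted S2K of RFC 2440/4880 with SHA-1 and a fixed coded count of 0x60 (64 KiB hashed), so you can see what the string encodes (salt, count, digest) and how Tor checks it on AUTHENTICATE. The sample salt is a constructed constant to keep the output reproducible; the real function takes a random one.

```python
import hashlib
import hmac
import os

S2K_CODED_COUNT = 0x60   # the coded count Tor hard-codes: hashes 64 KiB of salted password
EXPBIAS = 6


def s2k_count(coded):
    """Bytes to hash for an OpenPGP (RFC 4880) iterated+salted S2K coded count."""
    return (16 + (coded & 15)) << ((coded >> 4) + EXPBIAS)


def s2k_rfc2440(secret, salt, coded=S2K_CODED_COUNT):
    """Tor's secret_to_key_rfc2440: SHA-1 over (salt || secret) repeated to exactly count bytes."""
    count = s2k_count(coded)
    block = salt + secret
    stream = (block * (count // len(block) + 1))[:count]
    return hashlib.sha1(stream).digest()


def hash_control_password(password, salt=None):
    """A HashedControlPassword value in the form 'tor --hash-password' prints:
    '16:' + hex(8-byte salt || coded count byte || 20-byte SHA-1 digest)."""
    salt = os.urandom(8) if salt is None else salt
    if len(salt) != 8:
        raise ValueError("salt must be 8 bytes")
    digest = s2k_rfc2440(password.encode("utf-8"), salt)
    return "16:" + (salt + bytes([S2K_CODED_COUNT]) + digest).hex().upper()


def check_control_password(password, stored):
    """What Tor does on AUTHENTICATE: rederive with the stored salt and coded count, then compare
    in constant time. Returns False for malformed values instead of raising."""
    if not stored.startswith("16:"):
        return False
    try:
        raw = bytes.fromhex(stored[3:])
    except ValueError:
        return False
    if len(raw) != 29:
        return False
    salt, coded, digest = raw[:8], raw[8], raw[9:]
    return hmac.compare_digest(s2k_rfc2440(password.encode("utf-8"), salt, coded), digest)


# Constructed fixed salt so the output is reproducible; real use leaves salt=None (random).
SAMPLE_SALT = bytes.fromhex("0011223344556677")
SAMPLE_HASH = hash_control_password("correct horse battery staple", SAMPLE_SALT)
```

The construction is not a strong password hash by modern standards (64 KiB of SHA-1 is cheap to brute-force), so treat the control password as a shared secret with real entropy, not as something a leaked torrc could safely reveal. nyx prompts for this password when it connects to a password-protected control port.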

3.2. Notes

Guard (entry) status is only given to relays the directory authorities have seen running with the same address and identity key for a long time, so I hope you have a static IP address, or at least one that changes no more than once a month; otherwise you'll never become a guard node.

The AvoidDiskWrites option is useful in case you're running from an SSD or SD card: Tor then writes its state to disk less often.

Make a backup of the keys folder under your DataDirectory (/var/lib/tor/keys in the layout this article assumes); it holds the node's long-term identity keys, which are what the network uses to recognise your relay. Losing them means starting over as a new relay, and leaking them lets someone else impersonate it, so keep the backup encrypted and off the host. You can see stats on your node at metrics.torproject.org. To find your node, search for what you put in the Nickname parameter or for the fingerprint that nyx shows.