Privacy Tools Guide

Running a Tor relay contributes bandwidth to the Tor network and helps more people access the internet privately. This guide covers setting up a middle relay — the most appropriate choice for most people. Middle relays carry encrypted traffic between other Tor nodes; they never see plaintext traffic and have a much lower legal risk profile than exit relays.

Exit relays (where traffic exits onto the public internet) carry more legal complexity and are outside the scope of this guide. If you want to run an exit relay, read the Tor Project’s legal guidance first.

Prerequisites

Step 1: Install Tor

Use the Tor Project’s official repository, not the version in your distro’s default repos (which may be outdated):

# Install dependencies
sudo apt update && sudo apt install -y curl gpg

# Add Tor Project repository
echo "deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] \
  https://deb.torproject.org/torproject.org $(lsb_release -cs) main" \
  | sudo tee /etc/apt/sources.list.d/tor.list

# Import signing key
curl -s https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc \
  | gpg --dearmor \
  | sudo tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null

# Install
sudo apt update && sudo apt install -y tor deb.torproject.org-keyring

Step 2: Configure the Relay

Edit the Tor configuration file:

sudo nano /etc/tor/torrc

Replace the contents with this relay configuration (adjust values marked with ##):

## Relay nickname (no spaces, alphanumeric only, max 19 chars)
Nickname MyPrivacyRelay

## Contact info shown in relay directory (optional but good practice)
ContactInfo your@email.example

## OR port - the port Tor uses to receive relay connections
ORPort 9001

## Directory port - serves relay consensus data to clients
DirPort 9030

## Operating as a relay (not exit, not bridge)
ExitPolicy reject *:*

## Bandwidth settings - adjust to match your available capacity
## 10 MBytes per second sustained
RelayBandwidthRate 10 MBytes
## Allow up to 20 MBytes/s burst
RelayBandwidthBurst 20 MBytes
## Optional: limit total monthly traffic (example: 500 GB/month)
# AccountingMax 500 GBytes
# AccountingStart month 1 00:00

## IPv6 support (if your server has IPv6)
# ORPort [2001:db8::1]:9001

## Log settings
Log notice file /var/log/tor/notices.log

Save and close the file.
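
A pre-start check for the settings above, added here as an example and not part of the original guide or of any Tor Project tooling. The hypothetical audit_torrc function flags a nickname outside the 1-19 alphanumeric limit, a missing ORPort, any ExitPolicy that is not a blanket reject, and a burst below the sustained rate. It assumes byte-based units (KBytes/MBytes/GBytes) and one option per line; both sample configs are constructed.

```sh
#!/bin/sh
# audit_torrc [FILE]: check a torrc (file or stdin) against the middle-relay
# settings used in this guide. Prints findings; exit status 0 = pass, 1 = fail.
audit_torrc() {
  awk '
    # Convert "10 MBytes"-style values to bytes (assumption: byte units only).
    function to_bytes(n, unit,    u) {
      u = tolower(unit)
      if (u ~ /^k/) return n * 1024
      if (u ~ /^m/) return n * 1024 * 1024
      if (u ~ /^g/) return n * 1024 * 1024 * 1024
      return n
    }
    function fail(msg) { print "FAIL: " msg; bad = 1 }
    /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
    { key = tolower($1) }            # option names are case-insensitive
    key == "nickname" { nick = $2 }
    key == "orport"   { orport = 1 }
    key == "exitpolicy" {
      policies++
      if (tolower($2) ~ /^accept/) fail("ExitPolicy allows exit traffic: " $0)
      else if (policies == 1 && $3 != "*:*") fail("first ExitPolicy is not reject *:*")
    }
    key == "relaybandwidthrate"  { rate  = to_bytes($2, $3) }
    key == "relaybandwidthburst" { burst = to_bytes($2, $3) }
    END {
      if (nick == "" || length(nick) > 19 || nick ~ /[^A-Za-z0-9]/) fail("Nickname must be 1-19 alphanumeric characters")
      if (!orport)   fail("no ORPort line")
      if (!policies) fail("no explicit ExitPolicy line")
      if (rate && burst && burst < rate) fail("RelayBandwidthBurst is below RelayBandwidthRate")
      if (!bad) print "OK: non-exit relay settings are consistent"
      exit bad + 0
    }
  ' "${1:--}"
}

# Constructed sample inputs (not taken from a real relay).
sample_relay_torrc() {
  printf '%s\n' 'Nickname MyPrivacyRelay' 'ORPort 9001' 'ExitPolicy reject *:*' \
    'RelayBandwidthRate 10 MBytes' 'RelayBandwidthBurst 20 MBytes'
}
sample_misconfigured_torrc() {
  printf '%s\n' 'Nickname My_Privacy_Relay_Number_One' 'ORPort 9001' \
    'ExitPolicy accept *:443' 'RelayBandwidthRate 100 MBytes' 'RelayBandwidthBurst 20 MBytes'
}

sample_relay_torrc | audit_torrc || true
sample_misconfigured_torrc | audit_torrc || true
```

Run it as `audit_torrc /etc/tor/torrc` before starting the service; Tor's own `tor --verify-config` covers syntax, while this check covers the relay-role settings.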

Step 3: Configure the Firewall

Allow traffic on the ORPort and DirPort:

# UFW
sudo ufw allow 9001/tcp
sudo ufw allow 9030/tcp

# Or with iptables directly
sudo iptables -A INPUT -p tcp --dport 9001 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 9030 -j ACCEPT
sudo iptables-save | sudo tee /etc/iptables/rules.v4

Step 4: Start Tor and Enable at Boot

sudo systemctl enable tor
sudo systemctl start tor
sudo systemctl status tor

Check the log to confirm the relay is running:

sudo tail -f /var/log/tor/notices.log

Within a few minutes you should see:

[notice] Self-testing indicates your ORPort is reachable from the outside. Excellent.
[notice] Tor has successfully opened a circuit. Looks like client functionality is working.
[notice] Your Tor server's identity key fingerprint is 'MyPrivacyRelay ABCD1234...'

The identity fingerprint is your relay’s unique identifier in the Tor directory.
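
To confirm those log lines from a script rather than by watching tail, the following added example (not part of the original guide or of Tor itself) summarises a notices log and ignores results left over from an earlier run. The relay_log_summary name, the sample log lines and the 40-hex fingerprint are constructed, and the restart marker it keys on ("opening log file") is an assumption about Tor's log wording.

```sh
#!/bin/sh
# relay_log_summary [FILE]: summarise a Tor notices log (file or stdin) as
#   reachable=<yes|no> fingerprint=<40 hex|unknown> warn=<n> err=<n>
# Exit status is 0 only if the latest run passed the ORPort self-test with no [err].
relay_log_summary() {
  awk -v q="'" '
    # Assumption: each Tor start logs "... opening [new] log file."; reset state
    # there so a success line from an earlier run does not hide a current failure.
    /opening (new )?log file/ { reachable = 0; fp = ""; warn = 0; err = 0 }
    /\[warn\]/ { warn++ }
    /\[err\]/  { err++ }
    # Loose match: text between "ORPort" and "is reachable" may vary (assumption).
    /Self-testing indicates your ORPort.*is reachable/ { reachable = 1 }
    /identity key fingerprint is / {
      s = $0
      sub(".*fingerprint is " q, "", s); sub(q ".*", "", s)   # keep the quoted part
      n = split(s, part, " ")                                 # "<Nickname> <hex>"
      if (n == 2 && length(part[2]) == 40 && part[2] !~ /[^0-9A-Fa-f]/) fp = part[2]
    }
    END {
      printf "reachable=%s fingerprint=%s warn=%d err=%d\n",
        (reachable ? "yes" : "no"), (fp == "" ? "unknown" : fp), warn, err
      exit (reachable && !err) ? 0 : 1
    }
  ' "${1:--}"
}

# Constructed sample logs: timestamps, version, fingerprint and warn text are made up.
sample_healthy_log() {
  cat <<'EOF'
Jan 01 12:00:00.000 [notice] Tor x.y.z opening log file.
Jan 01 12:00:05.000 [notice] Your Tor server's identity key fingerprint is 'MyPrivacyRelay 0123456789ABCDEF0123456789ABCDEF01234567'
Jan 01 12:02:00.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent.
EOF
}
# Same log followed by a restart that never confirms reachability.
sample_stale_log() {
  sample_healthy_log
  printf '%s\n' 'Jan 02 08:00:00.000 [notice] Tor x.y.z opening log file.' \
    'Jan 02 08:20:00.000 [warn] (constructed) ORPort self-test has not succeeded yet.'
}

sample_healthy_log | relay_log_summary || true
sample_stale_log | relay_log_summary || true
```

On a relay, run it as `sudo sh -c '. ./relay_log.sh; relay_log_summary /var/log/tor/notices.log'`, where relay_log.sh is whatever file you saved the function in.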

Step 5: Monitor Your Relay

Check relay status on Metrics Portal

After 3-4 hours, your relay should appear in the Tor relay directory. Check its status:

https://metrics.torproject.org/rs.html#search/MyPrivacyRelay

Or search by fingerprint from the log file.

Local monitoring with nyx

Nyx is a terminal status monitor for Tor:

sudo apt install nyx
sudo nyx

Nyx shows real-time bandwidth, circuit count, log messages, and relay configuration in a ncurses interface.

Check bandwidth usage

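# Per-interface byte counters visible to the Tor process
# (covers the whole network namespace, not only Tor's traffic)
sudo cat /proc/$(pidof tor)/net/dev
# Or use vnstat for per-interface monthly totals (replace eth0 with your interface)
sudo apt install vnstat
vnstat -i eth0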

Step 6: Relay Flags and Growth Period

New relays go through a ramp-up period of approximately 2-3 months before receiving full traffic allocation from the Tor directory authorities. This is intentional — the network builds trust in new relays incrementally.

Relay flags assigned by directory authorities:

You don’t need to do anything to earn these flags — they’re assigned automatically based on observed behavior.

Security Considerations

Separate user account

Tor on Debian/Ubuntu already runs as the debian-tor user. Do not run it as root. Verify:

ps aux | grep tor
# Should show: debian-tor  ...

Keep Tor updated

sudo apt update && sudo apt upgrade tor

Or automate security updates:

sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades

Family key (if running multiple relays)

If you run more than one relay, declare them as a family. This prevents Tor from routing a single circuit through two of your relays:

# In torrc on each relay:
MyFamily fingerprint1,fingerprint2,fingerprint3

Get the fingerprint from: sudo cat /var/lib/tor/fingerprint

Middle Relay vs Bridge vs Exit: Quick Reference

Type         | Function                                | Risk level | Who should run it
-------------|-----------------------------------------|------------|------------------------------
Middle relay | Carries encrypted traffic between nodes | Low        | Most people
Bridge       | Unlisted entry point for censored users | Low-medium | People in uncensored countries
Guard/Entry  | First hop from Tor clients              | Medium     | Experienced operators
Exit         | Final hop to public internet            | Higher     | Operators with legal support

Running a middle relay is the most accessible way to contribute to Tor. You handle only encrypted, unreadable traffic and have no visibility into what passes through your node.

Built by theluckystrike — More at zovo.one