### Contents

1. [Introduction](#art-1)
2. [Installation](#art-2)
3. [Configuration](#art-3)
    1. [Tor SOCKS/HTTP proxy](#art-3-1)
    2. [Tor relay](#art-3-2)
    3. [Hidden service](#art-3-3)
4. [Miscellaneous](#art-4)
    1. [Nyx — status monitor for Tor nodes](#art-4-1)
    2. [Notes](#art-4-2)

### 1. Introduction {#art-1}

In this article I'll show you how to set up your own Tor proxy (SOCKS5 and HTTP CONNECT), relay, and hidden service.

### 2. Installation {#art-2}

Install the `tor` package using your package manager. You definitely want to keep control over your node and monitor it; for that purpose there is the `nyx` tool, covered in section 4.1. Any program can be passed through Tor using `torify` from the `torsocks` package.

### 3. Configuration {#art-3}

Tor ships with a well-commented `torrc-dist` file. You may just copy `torrc-dist` to `torrc` and change what you need. After editing, run `tor --verify-config` (add `-f /path/to/torrc` for a file in a non-default location): it parses the configuration without starting Tor, and a misspelled option name is fatal, not ignored.

#### 3.1. Tor SOCKS/HTTP proxy {#art-3-1}

Here is an example of SOCKS/HTTP proxy settings:

```
SocksPort 192.168.0.100:9050
SocksPort [ipv6 address]:9050
HTTPTunnelPort 192.168.0.100:8118
HTTPTunnelPort [ipv6 address]:8118
SocksPolicy accept 192.168.0.0/24
SocksPolicy accept6 [012:3fe1:337::]/48
SocksPolicy reject *
BandwidthRate 70MBits
BandwidthBurst 100MBits
ExcludeNodes {ru}, {ua}, {by}, {kz}, {??}
ExcludeExitNodes {ru}, {ua}, {by}, {kz}, {??}
```

`SocksPort` sets the address and port the SOCKS5 proxy listens on; `HTTPTunnelPort` does the same for the HTTP proxy, which only speaks the HTTP `CONNECT` method (clients that send plain `GET` requests to it, as browsers do for non-TLS URLs, will not work; use SOCKS for those). Each option takes one address:port per line; repeat the option to listen on more than one address. If you give only a port number, Tor binds it to localhost; to listen on all interfaces use `0.0.0.0:9050` (and `[::]:9050`), which Tor warns about because it makes an open proxy unless `SocksPolicy` restricts who may connect.

`SocksPolicy` entries have the form `accept|accept6|reject|reject6 address[/mask]`. They say which networks are allowed or denied to use the SOCKS proxy, may be given on separate lines or comma-separated on one line, and are checked in order with the first match winning. For example, `SocksPolicy accept 192.168.0.0/24` allows everyone from that network. Any address matched by no entry is accepted, so finish the list with `reject *` to forbid all other networks. `SocksPolicy` only filters by source address; it is not authentication. You may prefer to keep the entries on separate lines for the sake of readability.
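To check that a client really goes through the node, and that the target hostname is resolved by Tor rather than by the client, here is an added example (not code from this article or from Tor) of the two handshakes these ports expect. It assumes the addresses of the torrc above (192.168.0.100, ports 9050 and 8118); change the constants to match your node.

```python
"""Hand-rolled SOCKS5 and HTTP CONNECT clients for Tor's SocksPort/HTTPTunnelPort.

Added example for this article; not code from the article or from Tor. It assumes
the proxy addresses of the torrc above (192.168.0.100, ports 9050 and 8118); change
the constants to match your node. Hostnames go to Tor unresolved (SOCKS5 ATYP 0x03,
CONNECT host:port), so no DNS query for the target ever leaves this machine.
"""
import socket
import struct

PROXY_HOST = "192.168.0.100"  # assumption: the SocksPort/HTTPTunnelPort address used above
SOCKS_PORT = 9050
HTTP_PORT = 8118
# RFC 1928 reply codes. Tor drops clients denied by SocksPolicy at the TCP level,
# so a policy rejection shows up as a closed connection, not as one of these.
SOCKS5_ERRORS = {0x01: "general failure", 0x02: "not allowed by ruleset",
                 0x03: "network unreachable", 0x04: "host unreachable",
                 0x05: "connection refused", 0x06: "TTL expired",
                 0x07: "command not supported", 0x08: "address type not supported"}

def socks5_connect_request(host, port):
    """SOCKS5 CONNECT request carrying the hostname (ATYP 0x03), never a locally resolved IP."""
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname must be 1..255 bytes for SOCKS5")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)

def parse_socks5_reply(data):
    """Decode a SOCKS5 reply into (bound_addr, bound_port); raise ConnectionError if REP != 0."""
    if len(data) < 4 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if rep != 0x00:
        raise ConnectionError("SOCKS5 CONNECT failed: " + SOCKS5_ERRORS.get(rep, f"code {rep:#x}"))
    if atyp == 0x01:
        addr, tail = socket.inet_ntop(socket.AF_INET, data[4:8]), data[8:10]
    elif atyp == 0x04:
        addr, tail = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:22]
    elif atyp == 0x03:
        addr, tail = data[5:5 + data[4]].decode("ascii"), data[5 + data[4]:7 + data[4]]
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    return addr, struct.unpack("!H", tail)[0]

def http_connect_request(host, port):
    """The request HTTPTunnelPort understands; it speaks CONNECT only, not plain GET proxying."""
    target = f"{host}:{port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")

def parse_http_connect_status(data):
    """Status code of the proxy's response to CONNECT; 200 means the tunnel is up."""
    status_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed CONNECT response: {status_line!r}")
    return int(parts[1])

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection (denied by SocksPolicy?)")
        buf += chunk
    return buf

def socks5_open(host, port, timeout=60):
    """TCP socket to host:port tunnelled through the SocksPort."""
    sock = socket.create_connection((PROXY_HOST, SOCKS_PORT), timeout=timeout)
    sock.sendall(b"\x05\x01\x00")  # version 5, one method offered: no authentication
    if _recv_exact(sock, 2) != b"\x05\x00":
        sock.close()
        raise ConnectionError("proxy refused the 'no authentication' method")
    sock.sendall(socks5_connect_request(host, port))
    head = _recv_exact(sock, 4)
    if head[3] == 0x03:  # BND.ADDR as a domain name: length byte, name, port
        body = _recv_exact(sock, 1)
        body += _recv_exact(sock, body[0] + 2)
    else:
        body = _recv_exact(sock, {0x01: 6, 0x04: 18}.get(head[3], 0))
    parse_socks5_reply(head + body)  # raises on any REP != 0
    return sock

if __name__ == "__main__":
    import ssl
    host = "check.torproject.org"  # its /api/ip reports whether the address it sees is a Tor exit
    tls = ssl.create_default_context().wrap_socket(socks5_open(host, 443), server_hostname=host)
    tls.sendall(f"GET /api/ip HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii"))
    resp = b""
    while chunk := tls.recv(4096):
        resp += chunk
    print(resp.split(b"\r\n\r\n", 1)[-1].decode("utf-8", "replace").strip())
```

The HTTP tunnel works the same way: open a TCP connection to the `HTTPTunnelPort`, send `http_connect_request(host, port)`, read the response up to the blank line and require `parse_http_connect_status` to return 200; after that the socket is a raw tunnel to the target. If you are denied by `SocksPolicy` you will not get a SOCKS error code but a dropped connection, which `_recv_exact` reports.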
`BandwidthRate` and `BandwidthBurst` set the sustained and the peak rate at which this Tor instance sends and receives data. `BandwidthBurst` must be greater than or equal to `BandwidthRate`. Values are a number followed by a unit, e.g. `70MBits`, `10MBytes`, `5MB`; mind the difference between bits and bytes.

`ExcludeNodes` and `ExcludeExitNodes` are comma-separated lists of relays never to use in circuits, or never to use as exits. Entries can be country codes in braces, address patterns and identity fingerprints, e.g. `{ru}, {??}, 123.45.*`. `{??}` matches relays whose country the GeoIP database cannot determine; I recommend keeping at least that entry, especially for exit nodes, to avoid misconfigured relays and relays of unknown origin. Note that Tor treats these lists as a preference it may override to keep working; set `StrictNodes 1` if you want them enforced even when that breaks functionality.

#### 3.2. Tor relay {#art-3-2}

Here is an example of relay settings:

```
ORPort 8443
ORPort [::]:8443
Nickname Anon
Address example.org
ContactInfo Anon
RelayBandwidthRate 8MBits
RelayBandwidthBurst 10MBits
AccountingMax 6 GB
# Start a new accounting period every midnight ...
AccountingStart day 00:00
# ... or on the 3rd day of every month (only one AccountingStart line counts).
# AccountingStart month 3 00:00
# In case you don't want to be an exit node.
ExitPolicy reject *:*
```

To run a relay you need to set `ORPort`; as with the client ports, give one address:port per line and repeat the option for IPv6 (for `ORPort`, a bare port number listens on all interfaces). You should also provide some information about the node. `Nickname` is the relay's name. `ContactInfo` is optional but recommended: put your e-mail address there so the Tor Project can reach you about problems with your relay, and register the relay with Tor Weather to be notified when it goes down. Set `Address` to your domain name or your public IP address; if you omit it or comment it out, Tor guesses it. `RelayBandwidthRate` and `RelayBandwidthBurst` are the same as `BandwidthRate` and `BandwidthBurst` but apply only to relayed traffic. Add `ExitPolicy reject *:*` to make the relay a non-exit. I found out that setting `ExitRelay` to 0 doesn't disable an exit node, so you must add the rejecting policy. `AccountingMax` and `AccountingStart` limit the traffic per accounting period: once the cap is reached the relay hibernates until the next period starts, and if `AccountingStart` appears more than once Tor keeps only the last line.

#### 3.3. Hidden service {#art-3-3}

There are two mandatory options: `HiddenServiceDir` and `HiddenServicePort`. Of course there are many others, e.g. client authorization, but in the simple case those two are all you need.

Every hidden service starts with a `HiddenServiceDir` directory. Tor creates it on first start and fills it with the service's public and secret keys (`hs_ed25519_public_key`, `hs_ed25519_secret_key`), a `hostname` file holding its `.onion` address, and an `authorized_clients` directory with the credentials of clients allowed to reach the service. The directory must belong to the user Tor runs as and be readable by nobody else (mode 0700), otherwise Tor refuses to use it. The secret key is the service's identity: back it up and keep the backup private, since anyone holding it can impersonate your service.

Each `HiddenServicePort` line takes the port to expose on the Tor side as its first parameter and the local service to forward it to as the second, e.g. `HiddenServicePort 80 localhost:8201` for a web server. Several lines let you offer many services under one onion hostname. Make sure the backend listens only on localhost or a private address, otherwise it is also reachable directly, which ties the service to your server's IP address.

Example:

```
HiddenServiceDir /var/lib/tor/hidden-services/website
HiddenServicePort 80 localhost:8201
HiddenServicePort 25 192.168.1.160:25
```

### 4. Miscellaneous {#art-4}

#### 4.1. Nyx — status monitor for Tor nodes {#art-4-1}

Nyx talks to Tor over the control port, so set `ControlPort` to the desired port. With only a port number it listens on localhost; if you need access from another host, set it to IP:9051. Whoever can connect to the control port can reconfigure Tor, inspect its circuits and streams, and shut it down, so require authentication: `CookieAuthentication 1` works for nyx run on the same machine (the client must be able to read the cookie file), and `HashedControlPassword`, generated with `tor --hash-password`, is the option for remote access. Tor logs a warning when a control port is left without authentication. Also, you need to set the `DisableDebuggerAttachment` option to 0, otherwise you'll not be able to use nyx. At least in my case nyx cannot connect with this option set to 1.

Example:

```
ControlPort 192.168.1.200:9051
CookieAuthentication 1
# or, for access from another host: HashedControlPassword <output of tor --hash-password>
DisableDebuggerAttachment 0
```

You may install nyx from your package manager, but the latest version is on PyPI (`pip install nyx`).

#### 4.2. Notes {#art-4-2}

I hope you have a static IP address, or one that changes no more than about once a month, otherwise your relay will never become a guard (entry) node: the Guard flag is only given to relays that have been stable for a while. The `AvoidDiskWrites` option is useful if you're running from an SSD or an SD card. Make a backup of the `keys` folder inside your `DataDirectory` (`/var/lib/tor/keys` here): it holds the node's cryptographic identity keys (`secret_id_key` and `ed25519_master_id_secret_key`), which are what identifies your relay to the network. Without them a reinstalled relay starts over with a new identity, and anyone who obtains them can impersonate your relay, so store the backup somewhere private. You can see stats on your node at metrics.torproject.org (Relay Search); to find it, search for what you put in `Nickname` or for the fingerprint shown in nyx.
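The mistakes discussed in sections 3.1 to 4.1 (a misspelled option name, a `SocksPolicy` without a final `reject *`, a burst smaller than the rate, several addresses on one port line, a duplicated `AccountingStart`, a relay with no explicit `ExitPolicy`, an unauthenticated `ControlPort`, a hidden-service directory with loose permissions) are easy to catch mechanically before Tor sees the file. The linter below is an added example, not part of the article and not Tor's own tooling; its option list is a hand-picked subset, so `tor --verify-config` remains the authoritative check, and the bundled sample torrc is constructed, with deliberate errors.

```python
"""Lint a torrc for the pitfalls this article discusses.

Added example; not part of the article and not Tor's code. KNOWN is a hand-picked
subset of Tor's options, so `tor --verify-config` stays the authoritative check
(Tor refuses to start on a misspelled option). SAMPLE_TORRC is constructed.
"""
import difflib
import os
import re
import stat

KNOWN = {o.lower(): o for o in (
    "SocksPort HTTPTunnelPort SocksPolicy BandwidthRate BandwidthBurst ExcludeNodes "
    "ExcludeExitNodes StrictNodes ORPort Nickname Address ContactInfo RelayBandwidthRate "
    "RelayBandwidthBurst AccountingMax AccountingStart ExitPolicy ExitRelay HiddenServiceDir "
    "HiddenServicePort HiddenServiceDirGroupReadable ControlPort CookieAuthentication "
    "HashedControlPassword DisableDebuggerAttachment AvoidDiskWrites DataDirectory Log User").split()}
UNITS = {"": 1, "b": 1, "byte": 1, "bytes": 1}
for i, p in enumerate("kmgt", 1):  # KB / KBytes / KBits and up, as Tor spells them
    UNITS.update({p + "b": 1024 ** i, p + "bytes": 1024 ** i, p + "bits": 1024 ** i // 8})
LOCAL = {"127.0.0.1", "localhost", "[::1]"}
SAMPLE_TORRC = """\
# constructed sample: the article's settings with deliberate mistakes
SocksPort 192.168.0.100:9050, [2001:db8::1]:9050
SocksPolicy accept 192.168.0.0/24
BandwidthRate 70MBits
BandwidthBurst 60MBits
ExcludeExitNodes {ru}, {ua}
ORPort 8443
RelayBandwithRate 8MBits
AccountingStart day 00:00
AccountingStart month 3 00:00
ControlPort 192.168.1.200:9051
"""

def parse_torrc(text):
    """(option, value) pairs in file order; '#' starts a comment, names are case-insensitive."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, *rest = line.split(None, 1)
            pairs.append((key, rest[0].strip() if rest else ""))
    return pairs

def parse_size(value):
    """'70MBits', '6 GB', '5MB' -> bytes; None if Tor would not accept the unit."""
    m = re.fullmatch(r"(\d+)\s*([A-Za-z]*)", value.strip())
    if not m or m.group(2).lower() not in UNITS:
        return None
    return int(m.group(1)) * UNITS[m.group(2).lower()]

def lint_torrc(text, check_fs=True):
    """Findings as 'ERROR|WARN|INFO: ...' strings; an empty list means nothing was flagged."""
    pairs = parse_torrc(text)
    by = {}
    for k, v in pairs:
        by.setdefault(k.lower(), []).append(v)
    out = []
    for k, v in pairs:
        if k.lower() not in KNOWN:
            hint = difflib.get_close_matches(k, list(KNOWN.values()), n=1, cutoff=0.8)
            out.append(f"ERROR: unknown option '{k}', did you mean '{hint[0]}'?" if hint else
                       f"INFO: option '{k}' is not in this linter's list; confirm with tor --verify-config")
        elif k.lower() in ("socksport", "httptunnelport", "orport", "controlport") and "," in v:
            out.append(f"ERROR: {KNOWN[k.lower()]} takes one address:port per line; repeat the option instead")
    for rate, burst in (("bandwidthrate", "bandwidthburst"), ("relaybandwidthrate", "relaybandwidthburst")):
        if rate in by and burst in by:
            r, b = parse_size(by[rate][-1]), parse_size(by[burst][-1])
            if r is None or b is None:
                out.append(f"ERROR: {KNOWN[rate]} or {KNOWN[burst]} is not a size Tor understands")
            elif b < r:
                out.append(f"ERROR: {KNOWN[burst]} ({by[burst][-1]}) is smaller than {KNOWN[rate]} ({by[rate][-1]})")
    if "sockspolicy" in by and " ".join(by["sockspolicy"][-1].split(",")[-1].split()).lower() != "reject *":
        out.append("WARN: SocksPolicy does not end with 'reject *'; addresses matched by no entry are accepted")
    for opt in ("excludenodes", "excludeexitnodes"):
        if opt in by and "{??}" not in "".join(by[opt]):
            out.append(f"INFO: {KNOWN[opt]} does not list {{??}} (relays whose country is unknown)")
    authed = by.get("cookieauthentication", ["0"])[-1] == "1" or "hashedcontrolpassword" in by
    if "controlport" in by and not authed:
        target = by["controlport"][-1].split()[0]
        host = target.rsplit(":", 1)[0] if ":" in target and not target.startswith("unix:") else "127.0.0.1"
        remote = host not in LOCAL  # a bare port number or a unix: socket is local only
        out.append(f"{'ERROR' if remote else 'WARN'}: ControlPort {target} has no authentication (set "
                   f"CookieAuthentication 1 or HashedControlPassword); "
                   f"{'anyone who can reach it' if remote else 'any local process'} gets full control of Tor")
    if "orport" in by and "exitpolicy" not in by and by.get("exitrelay", ["auto"])[-1] != "0":
        out.append("WARN: relay has no ExitPolicy; add 'ExitPolicy reject *:*' unless you intend to run an exit")
    if len(by.get("accountingstart", [])) > 1:
        out.append(f"WARN: AccountingStart given {len(by['accountingstart'])} times; Tor keeps only the last value")
    if check_fs:
        for d in by.get("hiddenservicedir", []):
            if os.path.isdir(d) and stat.S_IMODE(os.stat(d).st_mode) & 0o077:
                out.append(f"ERROR: {d} is group/world accessible; Tor wants mode 0700 "
                           "(HiddenServiceDirGroupReadable 1 allows group access)")
    return out

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TORRC
    for finding in lint_torrc(text) or ["OK: nothing flagged"]:
        print(finding)
```

Run it as `python torrc_lint.py /etc/tor/torrc` (the file name is my choice); with no argument it lints the constructed sample and reports every mistake planted in it. The `ControlPort` rule is the one worth keeping even if you drop the rest: a control port reachable from the network without `CookieAuthentication` or `HashedControlPassword` hands over the whole Tor instance to anyone who can connect.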