Tor Network
More Raspberry Pi Projects
Project 6 — Tor Relay
Ethics, Legality, and Who Should Run This
🔵 Read this section before proceeding
The Tor network exists to protect the privacy and freedom of expression of people living under oppressive regimes, journalists communicating with sources, whistleblowers, and anyone who needs to communicate without surveillance. Running a relay is a meaningful contribution to digital rights.
Is it legal? In the UK, EU, USA, and most democratic countries: yes, running a middle relay is legal. The Tor Project has a detailed legal FAQ at community.torproject.org. The Electronic Frontier Foundation (EFF) has also repeatedly defended relay operators.
Check your ISP's terms of service — some residential ISPs prohibit running servers. The safest approach is to contact your ISP and explain you wish to run a Tor relay. Most don't object; a few do.
- A middle relay only passes encrypted Tor traffic between other Tor nodes. It never sees the content or destination of any traffic. This is what you will set up here.
- A guard (entry) relay is the first hop in a Tor circuit. It knows a client's IP, but not the destination. Slightly higher scrutiny than middle relays.
- An exit relay is the last hop — it makes the final connection to websites on behalf of Tor users. Exit operators receive complaints and legal scrutiny. Do not run an exit relay on a home connection.
How Tor Works
When someone uses the Tor Browser, their traffic is wrapped in three layers of encryption and routed through three volunteer-operated relays before reaching its destination. Each relay decrypts one layer — like peeling an onion — and forwards the traffic to the next hop. No single relay knows both the origin and destination of any connection.
Your Pi (middle relay) only ever sees: encrypted data from a Tor IP → encrypted data to another Tor IP. It knows neither the user nor the destination.
Relay Types — Why We're Running a Middle Relay
What You Will Need
Step 1 — Install Tor
The Tor Project maintains its own Debian/Raspberry Pi OS repository, which provides newer versions than the standard apt archive:
# Add the Tor Project's official repository pi@raspberrypi:~$ sudo apt install -y apt-transport-https gnupg pi@raspberrypi:~$ curl -fsSL https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | \ sudo gpg --dearmor -o /usr/share/keyrings/tor-archive-keyring.gpg pi@raspberrypi:~$ echo "deb [arch=arm64 signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main" | \ sudo tee /etc/apt/sources.list.d/tor.list pi@raspberrypi:~$ sudo apt update pi@raspberrypi:~$ sudo apt install -y tor deb.torproject.org-keyring
arch=arm64 to arch=armhf in the repository line. Check your architecture with dpkg --print-architecture.
pi@raspberrypi:~$ sudo systemctl status tor ● tor.service - Anonymizing overlay network for TCP Active: active (running)
Step 2 — Configure Your Relay
All relay configuration lives in /etc/tor/torrc. Back up the original first, then replace it with a clean relay config:
pi@raspberrypi:~$ sudo cp /etc/tor/torrc /etc/tor/torrc.bak pi@raspberrypi:~$ sudo nano /etc/tor/torrc
Replace (or add) the following settings — read each comment before setting your values:
# ── Relay identity ───────────────────────────────────────────────── Nickname MyPiRelay # public name for your relay (letters/digits only, max 19 chars) ContactInfo your_email_AT_example.com # obfuscate to reduce spam # ── Ports ────────────────────────────────────────────────────────── ORPort 9001 # the port other relays connect to — must be forwarded in your router DirPort 0 # set to 9030 to serve directory info (optional, helps the network) # ── Exit policy — IMPORTANT ──────────────────────────────────────── ExitPolicy reject *:* # refuse ALL exit traffic — makes this a middle relay only # ── Bandwidth limits ─────────────────────────────────────────────── RelayBandwidthRate 1 MB # sustained rate (1 MB/s = ~2.6 TB/month) RelayBandwidthBurst 2 MB # peak burst rate # ── Optional: limit total monthly bandwidth ──────────────────────── # AccountingMax 500 GB # stop accepting circuits after 500 GB # AccountingStart month 1 00:00 # reset counter on the 1st of each month # ── Logging ──────────────────────────────────────────────────────── Log notice file /var/log/tor/notices.log # ── Data directory ───────────────────────────────────────────────── DataDirectory /var/lib/tor
Choose your bandwidth limits sensibly
| RelayBandwidthRate | Approximate monthly data | Suitable for |
|---|---|---|
100 KB | ~26 GB/month | Very capped connections, low-end Pi |
500 KB | ~130 GB/month | Moderate cap, good contribution |
1 MB | ~260 GB/month | Good broadband, solid relay |
5 MB | ~1.3 TB/month | Fibre connection, high-bandwidth relay |
RelayBandwidthRate to comfortably less than your total broadband speed — you still need bandwidth for your own browsing and other services running on the Pi. Setting it to your full line speed will make your internet unusable while the relay is active.
Step 3 — Open the Firewall and Forward the Port
# Allow Tor's ORPort through ufw (if you're using ufw) pi@raspberrypi:~$ sudo ufw allow 9001/tcp pi@raspberrypi:~$ sudo ufw reload
In your router's admin panel, add a port forwarding rule:
- External port:
9001(TCP) - Internal IP: your Pi's local IP address
- Internal port:
9001
Verify the port is reachable from outside your network using canyouseeme.org or a similar tool.
Step 4 — Start and Verify Your Relay
pi@raspberrypi:~$ sudo systemctl restart tor pi@raspberrypi:~$ sudo tail -f /var/log/tor/notices.log Nov 01 10:14:22.000 [notice] Tor has successfully opened a circuit. Nov 01 10:14:23.000 [notice] Bootstrapped 100% (done): Done Nov 01 10:14:45.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent.
The critical line is "Self-testing indicates your ORPort is reachable". If you see this, your relay is correctly set up and is now connecting to the Tor network.
Step 5 — Monitor Your Relay with Nyx
Nyx is a terminal-based dashboard for Tor relays — it shows real-time bandwidth, circuit counts, connection details, and log output in a polished interface.
pi@raspberrypi:~$ sudo apt install -y nyx
Allow your user to connect to Tor's control port:
pi@raspberrypi:~$ sudo nano /etc/tor/torrc
Add at the end:
# ── Control port for nyx ─────────────────────────────────────────── ControlPort 9051 CookieAuthentication 1 CookieAuthFileGroupReadable 1 DataDirectoryGroupReadable 1
pi@raspberrypi:~$ sudo usermod -aG debian-tor $USER pi@raspberrypi:~$ sudo systemctl restart tor pi@raspberrypi:~$ nyx
Press m for the menu, ←/→ to navigate pages (bandwidth graph, connection list, configuration), q to quit.
Step 6 — Find Your Relay on Metrics.Torproject.org
Once your relay has been running for about 24 hours and has been included in the consensus, it will appear on the Tor Project's public relay search:
- Go to metrics.torproject.org/rs.html
- Search for your relay's Nickname or fingerprint
- You'll see bandwidth history, uptime, flags (Stable, Fast, Guard), and your position in the Tor network
- Share the link — running a relay is worth being proud of
Your relay earns flags from the directory authorities as it proves itself:
| Flag | Meaning | How to earn it |
|---|---|---|
Running | Currently online | Immediate — just be reachable |
Valid | Listed in consensus | Within a few hours of first connecting |
Stable | Long uptime, reliable | After ~7 days of stable operation |
Fast | Bandwidth above median | Typically within 2–3 days |
Guard | Eligible as entry node | After ~8 days with Stable + Fast |
HSDir | Hidden service directory | After ~96 hours, with Stable flag |
Step 7 — Set Up Monthly Bandwidth Accounting (Optional)
If your broadband plan has a monthly data cap, use Tor's accounting feature to automatically pause the relay once it reaches a limit:
pi@raspberrypi:~$ sudo nano /etc/tor/torrc
# Pause relay after 300 GB in each calendar month AccountingMax 300 GB AccountingStart month 1 00:00 # reset on 1st of each month
pi@raspberrypi:~$ sudo systemctl restart tor # Check accounting status at any time: pi@raspberrypi:~$ sudo -u debian-tor tor --quiet --hush -f /etc/tor/torrc --Accounting # or via nyx → press 'c' for the configuration page
You can also split the accounting symmetrically so both upload and download are counted equally:
AccountingMax 300 GB AccountingRule sum # count upload + download combined (default) # AccountingRule max # count whichever direction is higher
Troubleshooting
sudo ufw status — confirm port 9001 is allowed; (3) confirm Tor is actually listening: sudo ss -tlnp | grep 9001; (4) test from outside your network at canyouseeme.org. If you're behind carrier-grade NAT (CG-NAT), your ISP may not give you a public IP — contact them to request one, or switch to a bridge relay configuration that doesn't require a forwarded port./var/lib/tor/fingerprint matches what Tor is reporting.sudo usermod -aG debian-tor $USER, then log out and back in (the group change only takes effect in new sessions). Also confirm the four control port lines are in torrc and Tor has been restarted since adding them. Check the cookie file exists: ls -la /var/lib/tor/control_auth_cookie.RelayBandwidthBurst allows brief spikes above RelayBandwidthRate. For a true monthly cap, use AccountingMax. If you're still seeing overuse, check there isn't a second Tor process running: ps aux | grep tor. Also confirm the limits in torrc match what nyx reports — if torrc was edited after Tor started, restart Tor to apply the changes.Quick Reference
| Task | Command / Location |
|---|---|
| Start / stop / restart Tor | sudo systemctl start|stop|restart tor |
| Watch Tor log live | sudo tail -f /var/log/tor/notices.log |
| Launch nyx monitor | nyx |
| View relay fingerprint | sudo cat /var/lib/tor/fingerprint |
| Check Tor is listening | sudo ss -tlnp | grep 9001 |
| Tor main config | /etc/tor/torrc |
| Tor data directory | /var/lib/tor/ |
| Tor log file | /var/log/tor/notices.log |
| Reload config (no restart) | sudo systemctl reload tor |
| Check architecture for repo | dpkg --print-architecture |
| Search for your relay | metrics.torproject.org/rs.html |
| Check port is reachable | canyouseeme.org |
| Relay operator guidelines | community.torproject.org/relay |
| Legal FAQ (EFF) | Tor Legal FAQ |
| Tor relay mailing list | tor-relays list |