Tor Network

More Raspberry Pi Projects

Project 6 — Tor Relay

What you will build A Tor middle relay — your Pi becomes part of the network that enables private, censorship-resistant internet access for people worldwide
Difficulty Beginner-friendly — installation is simple; understanding Tor takes longer
Time to complete 1 – 2 hours to set up; a few days to reach full speed as the relay builds reputation
What you will need Raspberry Pi (any model with Ethernet), uncapped or high-cap broadband, ISP permission if needed

Ethics, Legality, and Who Should Run This

🔵 Read this section before proceeding

The Tor network exists to protect the privacy and freedom of expression of people living under oppressive regimes, journalists communicating with sources, whistleblowers, and anyone who needs to communicate without surveillance. Running a relay is a meaningful contribution to digital rights.

Is it legal? In the UK, EU, USA, and most democratic countries: yes, running a middle relay is legal. The Tor Project has a detailed legal FAQ at community.torproject.org. The Electronic Frontier Foundation (EFF) has also repeatedly defended relay operators.

Check your ISP's terms of service — some residential ISPs prohibit running servers. The safest approach is to contact your ISP and explain you wish to run a Tor relay. Most don't object; a few do.

  • A middle relay only passes encrypted Tor traffic between other Tor nodes. It never sees the content or destination of any traffic. This is what you will set up here.
  • A guard (entry) relay is the first hop in a Tor circuit. It knows a client's IP, but not the destination. Slightly higher scrutiny than middle relays.
  • An exit relay is the last hop — it makes the final connection to websites on behalf of Tor users. Exit operators receive complaints and legal scrutiny. Do not run an exit relay on a home connection.

How Tor Works

When someone uses the Tor Browser, their traffic is wrapped in three layers of encryption and routed through three volunteer-operated relays before reaching its destination. Each relay decrypts one layer — like peeling an onion — and forwards the traffic to the next hop. No single relay knows both the origin and destination of any connection.

A Tor circuit — your Pi is one of the middle hops
Tor Userencrypted ×3
──►
Guard Relayknows user IP
──►
Middle Relay← your Pi
──►
Exit Relayknows destination
──►
Websitesees exit IP only

Your Pi (middle relay) only ever sees: encrypted data from a Tor IP → encrypted data to another Tor IP. It knows neither the user nor the destination.

Relay Types — Why We're Running a Middle Relay

Guard / Entry Relay The first hop in a Tor circuit. Knows the user's real IP address. Needs to be stable and fast. Listed in the Tor consensus directory. Risk level: low-moderate
✓ Middle Relay — recommended for home use Passes encrypted traffic between guard and exit relays. Never knows the user or destination. No abuse complaints. Perfectly safe to run at home. Risk level: minimal ← you are here
Exit Relay The final hop — makes connections to the open web on behalf of Tor users. Receives abuse complaints, DMCA notices, and law enforcement enquiries. Not suitable for home use. Risk level: high — do not run at home

What You Will Need

🍓 Any Raspberry Pi Even a Pi 3B+ is capable. A Pi 4 is ideal — its Gigabit Ethernet and faster CPU handle higher bandwidth relays comfortably.
🔌 Wired Ethernet Connect your Pi via Ethernet, not Wi-Fi. The Tor network expects stable, consistent connectivity — Wi-Fi drops affect your relay's reputation and bandwidth allocation.
📶 Uncapped broadband A busy relay can use 100 GB+ per month. Check your plan's data cap and set bandwidth limits in Tor's config to stay comfortably under it.
🔀 Port forwarding Forward your chosen ORPort (9001) from your router to the Pi's local IP. This allows inbound Tor circuit connections.
🌐 Hostname or static IP Your relay needs a consistent public address. A DDNS hostname works well (e.g. duckdns.org) — Tor will use it in the relay descriptor.
📧 Contact email The Tor directory includes an operator contact in relay descriptors. This is used by the Tor team for security notifications — use an obfuscated address or a dedicated address.

Step 1 — Install Tor

The Tor Project maintains its own Debian/Raspberry Pi OS repository, which provides newer versions than the standard apt archive:

# Add the Tor Project's official repository
pi@raspberrypi:~$ sudo apt install -y apt-transport-https gnupg

pi@raspberrypi:~$ curl -fsSL https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | \
  sudo gpg --dearmor -o /usr/share/keyrings/tor-archive-keyring.gpg

pi@raspberrypi:~$ echo "deb [arch=arm64 signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main" | \
  sudo tee /etc/apt/sources.list.d/tor.list

pi@raspberrypi:~$ sudo apt update
pi@raspberrypi:~$ sudo apt install -y tor deb.torproject.org-keyring
If you're running 32-bit Raspberry Pi OS, change arch=arm64 to arch=armhf in the repository line. Check your architecture with dpkg --print-architecture.
pi@raspberrypi:~$ sudo systemctl status tor
● tor.service - Anonymizing overlay network for TCP
     Active: active (running)

Step 2 — Configure Your Relay

All relay configuration lives in /etc/tor/torrc. Back up the original first, then replace it with a clean relay config:

pi@raspberrypi:~$ sudo cp /etc/tor/torrc /etc/tor/torrc.bak
pi@raspberrypi:~$ sudo nano /etc/tor/torrc

Replace (or add) the following settings — read each comment before setting your values:

# ── Relay identity ─────────────────────────────────────────────────
Nickname          MyPiRelay         # public name for your relay (letters/digits only, max 19 chars)
ContactInfo       your_email_AT_example.com  # obfuscate to reduce spam

# ── Ports ──────────────────────────────────────────────────────────
ORPort            9001             # the port other relays connect to — must be forwarded in your router
DirPort           0                # set to 9030 to serve directory info (optional, helps the network)

# ── Exit policy — IMPORTANT ────────────────────────────────────────
ExitPolicy        reject *:*        # refuse ALL exit traffic — makes this a middle relay only

# ── Bandwidth limits ───────────────────────────────────────────────
RelayBandwidthRate  1 MB            # sustained rate (1 MB/s = ~2.6 TB/month)
RelayBandwidthBurst 2 MB            # peak burst rate

# ── Optional: limit total monthly bandwidth ────────────────────────
# AccountingMax    500 GB           # stop accepting circuits after 500 GB
# AccountingStart  month 1 00:00    # reset counter on the 1st of each month

# ── Logging ────────────────────────────────────────────────────────
Log               notice file /var/log/tor/notices.log

# ── Data directory ─────────────────────────────────────────────────
DataDirectory     /var/lib/tor

Choose your bandwidth limits sensibly

RelayBandwidthRateApproximate monthly dataSuitable for
100 KB~26 GB/monthVery capped connections, low-end Pi
500 KB~130 GB/monthModerate cap, good contribution
1 MB~260 GB/monthGood broadband, solid relay
5 MB~1.3 TB/monthFibre connection, high-bandwidth relay
Set RelayBandwidthRate to comfortably less than your total broadband speed — you still need bandwidth for your own browsing and other services running on the Pi. Setting it to your full line speed will make your internet unusable while the relay is active.

Step 3 — Open the Firewall and Forward the Port

# Allow Tor's ORPort through ufw (if you're using ufw)
pi@raspberrypi:~$ sudo ufw allow 9001/tcp
pi@raspberrypi:~$ sudo ufw reload

In your router's admin panel, add a port forwarding rule:

  • External port: 9001 (TCP)
  • Internal IP: your Pi's local IP address
  • Internal port: 9001

Verify the port is reachable from outside your network using canyouseeme.org or a similar tool.

Step 4 — Start and Verify Your Relay

pi@raspberrypi:~$ sudo systemctl restart tor
pi@raspberrypi:~$ sudo tail -f /var/log/tor/notices.log
Nov 01 10:14:22.000 [notice] Tor has successfully opened a circuit.
Nov 01 10:14:23.000 [notice] Bootstrapped 100% (done): Done
Nov 01 10:14:45.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent.

The critical line is "Self-testing indicates your ORPort is reachable". If you see this, your relay is correctly set up and is now connecting to the Tor network.

It takes 2–4 days before your relay is included in the Tor consensus and starts receiving significant traffic. New relays are gradually ramped up by the bandwidth authorities as they prove stability. Don't be discouraged if you see little traffic initially — this is normal.

Step 5 — Monitor Your Relay with Nyx

Nyx is a terminal-based dashboard for Tor relays — it shows real-time bandwidth, circuit counts, connection details, and log output in a polished interface.

pi@raspberrypi:~$ sudo apt install -y nyx

Allow your user to connect to Tor's control port:

pi@raspberrypi:~$ sudo nano /etc/tor/torrc

Add at the end:

# ── Control port for nyx ───────────────────────────────────────────
ControlPort       9051
CookieAuthentication 1
CookieAuthFileGroupReadable 1
DataDirectoryGroupReadable 1
pi@raspberrypi:~$ sudo usermod -aG debian-tor $USER
pi@raspberrypi:~$ sudo systemctl restart tor
pi@raspberrypi:~$ nyx
arm - Tor Relay Monitor (192.168.1.42:9051)
NicknameMyPiRelay (middle)
FingerprintA3B4C5D6E7F8...
Bandwidth↓ 342 KB/s ↑ 318 KB/s
Limit1.0 MB/s burst 2.0 MB/s
Traffic↓ 12.4 GB ↑ 11.9 GB
Circuits47 active
Uptime3 days 14:22:07
Upload████████████░░░░░░░░ 61%

Press m for the menu, / to navigate pages (bandwidth graph, connection list, configuration), q to quit.

Step 6 — Find Your Relay on Metrics.Torproject.org

Once your relay has been running for about 24 hours and has been included in the consensus, it will appear on the Tor Project's public relay search:

  • Go to metrics.torproject.org/rs.html
  • Search for your relay's Nickname or fingerprint
  • You'll see bandwidth history, uptime, flags (Stable, Fast, Guard), and your position in the Tor network
  • Share the link — running a relay is worth being proud of

Your relay earns flags from the directory authorities as it proves itself:

FlagMeaningHow to earn it
RunningCurrently onlineImmediate — just be reachable
ValidListed in consensusWithin a few hours of first connecting
StableLong uptime, reliableAfter ~7 days of stable operation
FastBandwidth above medianTypically within 2–3 days
GuardEligible as entry nodeAfter ~8 days with Stable + Fast
HSDirHidden service directoryAfter ~96 hours, with Stable flag

Step 7 — Set Up Monthly Bandwidth Accounting (Optional)

If your broadband plan has a monthly data cap, use Tor's accounting feature to automatically pause the relay once it reaches a limit:

pi@raspberrypi:~$ sudo nano /etc/tor/torrc
# Pause relay after 300 GB in each calendar month
AccountingMax    300 GB
AccountingStart  month 1 00:00   # reset on 1st of each month
pi@raspberrypi:~$ sudo systemctl restart tor

# Check accounting status at any time:
pi@raspberrypi:~$ sudo -u debian-tor tor --quiet --hush -f /etc/tor/torrc --Accounting
# or via nyx → press 'c' for the configuration page

You can also split the accounting symmetrically so both upload and download are counted equally:

AccountingMax    300 GB
AccountingRule   sum    # count upload + download combined (default)
# AccountingRule max    # count whichever direction is higher

Troubleshooting

⚠ Log shows "Your ORPort is not reachable" — relay is not connecting
Port 9001 is not reachable from outside your network. Check in this order: (1) port forwarding is set up in your router with the correct internal IP; (2) sudo ufw status — confirm port 9001 is allowed; (3) confirm Tor is actually listening: sudo ss -tlnp | grep 9001; (4) test from outside your network at canyouseeme.org. If you're behind carrier-grade NAT (CG-NAT), your ISP may not give you a public IP — contact them to request one, or switch to a bridge relay configuration that doesn't require a forwarded port.
⚠ Relay is running but receives almost no traffic
This is normal for the first 2–4 days. New relays are ramped up slowly as the bandwidth authorities measure and verify them. Check metrics.torproject.org after 24 hours — if your relay appears but shows very low consensus weight, just wait. If it still hasn't appeared after 48 hours, check that your relay's Nickname is unique (search on metrics.torproject.org) and that the fingerprint in /var/lib/tor/fingerprint matches what Tor is reporting.
⚠ Nyx shows "Unable to connect to tor" — control port error
Your user doesn't have permission to read Tor's cookie file. Run sudo usermod -aG debian-tor $USER, then log out and back in (the group change only takes effect in new sessions). Also confirm the four control port lines are in torrc and Tor has been restarted since adding them. Check the cookie file exists: ls -la /var/lib/tor/control_auth_cookie.
⚠ ISP contact says running a relay is not allowed
If your ISP won't allow it, you have a few options: (1) switch to a more permissive ISP (business-tier broadband almost always allows servers); (2) run a Tor bridge instead — a bridge is an unlisted relay that helps users in censored regions, and typically generates far less traffic and scrutiny than a public relay; (3) donate bandwidth time on a VPS instead — many VPS providers explicitly welcome Tor relays.
⚠ Tor is using more bandwidth than the limit set in torrc
The limits in torrc are per-second averages, not absolute caps. RelayBandwidthBurst allows brief spikes above RelayBandwidthRate. For a true monthly cap, use AccountingMax. If you're still seeing overuse, check there isn't a second Tor process running: ps aux | grep tor. Also confirm the limits in torrc match what nyx reports — if torrc was edited after Tor started, restart Tor to apply the changes.
⚠ Receiving unexpected contacts or emails about relay operation
The Tor Project occasionally sends security advisories to relay operators via the ContactInfo email — these are legitimate and helpful. If you receive complaints about abuse, respond politely with an explanation that you are running a Tor middle relay (not an exit), which neither originates traffic nor can see its content or destination. The EFF's legal FAQ provides sample response templates. Consider joining the tor-relays mailing list where operators share experiences and advice.

Quick Reference

TaskCommand / Location
Start / stop / restart Torsudo systemctl start|stop|restart tor
Watch Tor log livesudo tail -f /var/log/tor/notices.log
Launch nyx monitornyx
View relay fingerprintsudo cat /var/lib/tor/fingerprint
Check Tor is listeningsudo ss -tlnp | grep 9001
Tor main config/etc/tor/torrc
Tor data directory/var/lib/tor/
Tor log file/var/log/tor/notices.log
Reload config (no restart)sudo systemctl reload tor
Check architecture for repodpkg --print-architecture
Search for your relaymetrics.torproject.org/rs.html
Check port is reachablecanyouseeme.org
Relay operator guidelinescommunity.torproject.org/relay
Legal FAQ (EFF)Tor Legal FAQ
Tor relay mailing listtor-relays list