Skip to main content.

Running a Tor relay, bridge, exit or hidden service


Live demo in BSD Now Episode 008 | Originally written by TJ for | Last updated: 2015/01/17

NOTE: the author/maintainer of the tutorial(s) is no longer with the show, so the information below may be outdated or incorrect.

The Tor network, in few words, is a way to anonymize internet traffic. It relies on volunteers to donate bandwidth. The more people who run relays, the faster the Tor network will be. All of the BSDs make excellent choices for Tor. You can even get a free t-shirt! - more on that later. This tutorial will show you how to setup your BSD system as either a relay, a bridge, an exit node or a hidden service. I'll also describe what each of those terms mean. Running an exit node comes with its own set of legalities; you should carefully read all the links in this tutorial before deciding to run one. Relays, bridges and hidden services pose no legal threat to you since they just pass around encrypted traffic to other nodes.


A relay is a system running the Tor software that relays packets between nodes. They're the "middleman" of the network, handing packets from the users to the exits. Usually, your packets go between multiple relays before eventually exiting to the clearnet. That way, no single node knows the full chain of addresses. Let's get started by installing Tor and throwing together a configuration file. If you're using FreeBSD, the following steps should be done after installing the port:

# sysctl net.inet.ip.random_id=1
# echo 'net.inet.ip.random_id=1' >> /etc/sysctl.conf
# touch /var/log/tor
# chown _tor:_tor /var/log/tor

Let's get a configuration in place now. Tor's config file is in /etc on OpenBSD, and /usr/local/etc on FreeBSD.

# vi /usr/local/etc/tor/torrc

Add the following, changing them to your needs.

ORPort 9001
Nickname BSDNow
RelayBandwidthRate 1024 KB
RelayBandwidthBurst 1024 KB
ContactInfo your name <your@email>
ExitPolicy reject *:*

This will set up a relay to listen on port 9001 and limit the traffic to one megabyte per second. A sample torrc file is included by default; check it for more options. If you have more bandwidth and CPU power to spare, feel free to turn up the speeds. You'll need to open port 9001 in your firewall to allow incoming connections from other nodes. Take a moment to read the Tor security guidelines before opening your relay to the public. Now we add an entry so that Tor autostarts when we reboot. Then, we start the service. You should have your clock synced via NTP before running a node. For FreeBSD:

# echo 'tor_enable="YES"' >> /etc/rc.conf
# service tor start

Or OpenBSD:

# echo 'pkg_scripts="tor"' >> /etc/rc.conf.local
# /etc/rc.d/tor start

Hopefully you'll see a message like "Self-testing indicates your ORPort is reachable from the outside. Excellent." Once the relay has been running for a few hours, you can check on its status via this site or by checking the /var/log/tor file. Relays can use a lot of bandwidth, depending on what limits you put in place. You probably don't want to run one on your home connection without cutting the speeds back. A cheap VPS is ideal. If you run a relay with at least two months' of uptime and an average of 500kb/s of traffic, you can get a free shirt.


A bridge is an unlisted relay that lets people get to normal relays. There is no published list of all bridges, so we have no idea how many there may be. Their purpose is to help people in countries like China that actively filter and block Tor. Running a bridge will use much less bandwidth than a normal relay, so it's usually fine to run on a home connection. The configuration is very simple. Open the torrc file and add the following, changing them to your needs.

SocksPort 0
ORPort 9001
BridgeRelay 1
ExitPolicy reject *:*

Open the port, add the daemon to startup and start the service like before.


Exit nodes are where the traffic leaves the Tor network to go out to the regular internet (or the "clear" net). Without exit nodes, no one could access anything through Tor except hidden services. They're very important and there can never be enough of them. The problem is that people often use Tor for illegal things, and running an exit node will make all malicious traffic appear to be from your location, so you may be subject to erroneous police investigations. There are many helpful tips for running one safely and legally though. Nine times out of ten, you just need to explain what Tor is and what an exit node does. The FBI has lightened up their aggressive behavior against exit nodes in recent times after realizing that seizing one doesn't actually stop anyone from doing anything bad. The Tor wiki has many helpful hints on running an exit, so be sure to read the links at the end of this tutorial. Edit your torrc with the following:

ORPort 9001
Nickname BSDNow
RelayBandwidthRate 1024 KB
RelayBandwidthBurst 1024 KB
ContactInfo your name <your@email>
ExitPolicy accept *:20-23     # FTP, SSH, telnet
ExitPolicy accept *:43        # WHOIS
ExitPolicy accept *:53        # DNS
ExitPolicy accept *:79-81     # finger, HTTP
ExitPolicy accept *:88        # kerberos
ExitPolicy accept *:110       # POP3
ExitPolicy accept *:143       # IMAP
ExitPolicy accept *:194       # IRC
ExitPolicy accept *:220       # IMAP3
ExitPolicy accept *:389       # LDAP
ExitPolicy accept *:443       # HTTPS
ExitPolicy accept *:464       # kpasswd
ExitPolicy accept *:531       # IRC/AIM
ExitPolicy accept *:543-544   # Kerberos
ExitPolicy accept *:554       # RTSP
ExitPolicy accept *:563       # NNTP over SSL
ExitPolicy accept *:636       # LDAP over SSL
ExitPolicy accept *:706       # SILC
ExitPolicy accept *:749       # kerberos 
ExitPolicy accept *:873       # rsync
ExitPolicy accept *:902-904   # VMware
ExitPolicy accept *:981       # Remote HTTPS management for firewall
ExitPolicy accept *:989-995   # FTP over SSL, telnets, IMAP over SSL, etc
ExitPolicy accept *:1194      # OpenVPN
ExitPolicy accept *:1220      # QT Server Admin
ExitPolicy accept *:1293      # PKT-KRB-IPSec
ExitPolicy accept *:1500      # VLSI License Manager
ExitPolicy accept *:1533      # Sametime
ExitPolicy accept *:1677      # GroupWise
ExitPolicy accept *:1723      # PPTP
ExitPolicy accept *:1755      # RTSP
ExitPolicy accept *:1863      # MSNP
ExitPolicy accept *:2082      # Infowave Mobility Server
ExitPolicy accept *:2083      # Secure Radius Service (radsec)
ExitPolicy accept *:2086-2087 # GNUnet, ELI
ExitPolicy accept *:2095-2096 # NBX
ExitPolicy accept *:2102-2104 # Zephyr
ExitPolicy accept *:3128      # SQUID
ExitPolicy accept *:3389      # MS WBT
ExitPolicy accept *:3690      # SVN
ExitPolicy accept *:4321      # RWHOIS
ExitPolicy accept *:4643      # Virtuozzo
ExitPolicy accept *:5050      # MMCC
ExitPolicy accept *:5190      # ICQ
ExitPolicy accept *:5222-5223 # XMPP, XMPP over SSL
ExitPolicy accept *:5228      # Android Market
ExitPolicy accept *:5900      # VNC
ExitPolicy accept *:6660-6669 # IRC
ExitPolicy accept *:6679      # IRC SSL  
ExitPolicy accept *:6697      # IRC SSL  
ExitPolicy accept *:8000      # iRDMI
ExitPolicy accept *:8008      # HTTP alternate
ExitPolicy accept *:8074      # Gadu-Gadu
ExitPolicy accept *:8080      # HTTP Proxies
ExitPolicy accept *:8087-8088 # Simplify Media SPP Protocol, Radan HTTP
ExitPolicy accept *:8332-8333 # BitCoin
ExitPolicy accept *:8443      # PCsync HTTPS
ExitPolicy accept *:8888      # HTTP Proxies, NewsEDGE
ExitPolicy accept *:9418      # git
ExitPolicy accept *:9999      # distinct
ExitPolicy accept *:10000     # Network Data Management Protocol
ExitPolicy accept *:11371     # OpenPGP hkp (http keyserver protocol)
ExitPolicy accept *:12350     # Skype
ExitPolicy accept *:19294     # Google Voice TCP
ExitPolicy accept *:19638     # Ensim control panel
ExitPolicy accept *:23456     # Skype
ExitPolicy accept *:33033     # Skype
ExitPolicy reject *:*

This is what's called a "reduced exit policy" and will help against people using BitTorrent and other things that might result in excessive DMCA notices being sent your way. You can, of course, allow traffic to any port. It's up to you and what you're comfortable with. Open the port as usual You're advised to subscribe to some Tor mailing lists for announcements and discussion: here and here. Some links that you should definitely read before running an exit node:

Exit nodes should NOT be run on home connections. They should only be used in a datacenter where bandwidth is not an issue. You'd much rather the police raid a server rack in another country than your house, right?

Hidden Service

A hidden service is basically a server with a hidden IP address. Hidden services cannot be accessed over the internet; they must go through the Tor network. You can run pretty much any service you want this way - websites, IRC networks, FTP archives, really anything you can think of. Whatever actual service you decide to run, you'll need to be careful in configuring it. You don't want the real address of the server to be leaked at any point, and this can happen in very many ways. I can't go into depth about each type of service, so you'll have to do your research. It's also important that your service only listens on the localhost address, not your public address. In my example, I'm going to run a website in this example. I'll make a directory for the "_tor" user to keep the private key and hostname files in, then edit the config:

# mkdir /home/torguy
# chown _tor:_tor /home/torguy

Edit the torrc and add the following, adjusting to your setup:

HiddenServiceDir /home/torguy
HiddenServicePort 80

You don't need to open any ports to run a hidden service; it can be run from behind a firewall (at your house, for example) with no issues. Tor will create two files in /home/torguy: private_key and hostname. The private key is a file you want to guard closely. If someone else gets a hold of it, they will be able to impersonate your hidden service. The hostname file contains the .onion address that your hidden service can be reached by. That's the address you give to other people if you want them to be able to access your service. From this point, configure your web server to listen on and people will be able to access it anonymously!

The Tor network needs all the help it can get to fight against censorship and defend privacy. Running any kind of node is a big help. There's also a BSD-specific Tor mailing list that you might consider joining here.

Latest News

New announcement


We understand that Michael Dexter, Brad Davis, and George Rosamond think there should be more real news....

Two Year Anniversary


We're quickly approaching our two-year anniversary, which will be on episode 105. To celebrate, we've created a unique t-shirt design, available for purchase until the end of August. Shirts will be shipped out around September 1st. Most of the proceeds will support the show, and specifically allow us to buy...

New discussion segment


We're thinking about adding a new segment to the show where we discuss a topic that the listeners suggest. It's meant to be informative like a tutorial, but more of a "free discussion" format. If you have any subjects you want us to explore, or even just a good name...

How did you get into BSD?


We've got a fun idea for the holidays this year: just like we ask during the interviews, we want to hear how all the viewers and listeners first got into BSD. Email us your story, either written or a video version, and we'll read and play some of them for...

Episode 281: EPYC Server battle


Direct Download:MP3 AudioVideo Headlines scp client multiple vulnerabilities Overview SCP clients from multiple vendors are susceptible to a malicious scp server performing unauthorized changes to target directory and/or client output manipulation. Description Many scp clients fail to verify if the objects returned by the scp server match those it asked for. This issue dates back to 1983 and...

Episode 280: FOSS clothing


Direct Download:MP3 AudioVideo Headlines A EULA in FOSS clothing? There was a tremendous amount of reaction to and discussion about my blog entry on the midlife crisis in open source. As part of this discussion on HN, Jay Kreps of Confluent took the time to write a detailed response — which...

Episode 279: Future of ZFS


Direct Download:MP3 AudioVideo Headlines The future of ZFS in FreeBSD The sources for FreeBSD's ZFS support are currently taken directly from Illumos with local ifdefs to support the peculiarities of FreeBSD where the Solaris Portability Layer (SPL) shims fall short. FreeBSD has regularly pulled changes from Illumos and tried to push...

Episode 278: The real McCoy


Direct Download:MP3 AudioVideo Interview - Kirk McKusick - 25 years of FreeBSD How Kirk got started in BSD, at the very beginning Predicting the Future How the code and community grew The leadership of the project, and how it changed over time UFS over the years (reading disks from 1982 in 2018) Conferences The rise and fall of...