⚠️ This page is outdated, we are working on a new version ⚠️

Table of contents

Basic Setup

  • We currently use Debian; Ubuntu LTS is another good valid option.
  • Git: we keep some scripts, configuration files and templates in a git repository. We clone the git repository to the local system and use symlinks when possible. For easier re-use in parts, the example documentation below uses direct links to the configuration files at Github.

SSH key authentication only

  • We use g10code GnuPG Smartcards for ssh auth; see some notes at moba installnotes or more verbose writeup by flamsmark
  • ssh config with password auth and PAM disabled, no root login, x11forwarding disabled - change port to some port of your chosing above 1024 (when using multiple IPs: bind to one IP only)
ssh-copy-id -p $SSH_PORT user@server

IPtables firewall

This example config uses the iptables-persistent package, and by default allows world access to a random SSH port 23942 and ports 80,443 which we use for Tor. Think about limiting SSH to an IP (range) you can connect from, or use portknocking. Also, this config is optimized for high bandwidth relays: in order to avoid the conntrack module, it allows all UDP in.

sudo apt install iptables-persistent
cd /etc/iptables
wget -O iptables.v4 https://raw.githubusercontent.com/torservers/server-config-templates/master/iptables.test.rules
# you need to at least customize SSH port in it now or you will lock yourself out...
# for ipv6, add rules in /etc/iptables/iptables.v6
service iptables-persistent start

Some useful defaults

# configure hostname
hostname yourservername.xyz
vi /etc/hostname # also use yourservername.xyz
vi /etc/hosts # update to yourservername.xyz yourservername

# disable debian default that pulls in recommended packages:
cd /etc/apt/apt.conf.d
wget https://raw.githubusercontent.com/torservers/server-config-templates/master/06norecommends

apt update && apt full-upgrade
apt install sudo git less htop nload screen \
ntp apticron vnstat logcheck logcheck-database lsb-release
apt remove --purge portmap

sed -i -e 's/^# DIFF_ONLY/DIFF_ONLY/' /etc/apticron/apticron.conf # make apticron send diffs only
vnstat -u -i eth0 # setup vnstat for correct interface
cd /etc
mv aliases aliases.dist
wget https://raw.githubusercontent.com/torservers/server-config-templates/master/aliases
sed -i 's/your@email.address/actual@email.address/' /etc/aliases

unattended upgrades

We upgrade from all available package sources, let it reboot if necessary, and send mail on errors. A reasonable configuration could be to limit upgrades to the security sources. (see comments in 50unattended-upgrades)

apt install unattended-upgrades update-notifier-common
wget -p -O /etc/apt/apt.conf.d/50unattended-upgrades https://raw.githubusercontent.com/torservers/server-config-templates/master/50unattended-upgrades
cp /usr/share/unattended-upgrades/20auto-upgrades /etc/apt/apt.conf.d/20auto-upgrades # enable


Preparation & basic setup

See Installation of correct packages for Debian/Ubuntu

for multi-process installations, use tor-instance-create

Which Ports Should I Use?



We not using a standalone webserver on our relay servers.

Generate Bandwidth Stats with vnstat(i)

You can generate local graphs and render them as images with vnstati. You could serve these images with a webserver. We don’t use this any longer.

apt install vnstati
# create empty files in root-owned /var/www and change owner to www-data
cd /var/www
touch vnstat.png vnstat_d.png vnstat_m.png vnstat.xml
chown www-data:www-data vnstat*.*
# set up cron job
crontab -u www-data -e
*/10 * * * * /usr/bin/vnstati -vs -o /var/www/vnstat.png -i eth0 >/dev/null 2>&1 ;fi
*/10 * * * * /usr/bin/vnstati -d -o /var/www/vnstat_d.png -i eth0 >/dev/null 2>&1 ;fi
1 3 * * * /usr/bin/vnstati -m -o /var/www/vnstat_m.png -i eth0 >/dev/null 2>&1 ;fi
1 3 * * * /usr/bin/vnstat --xml > /var/www/vnstat.xml 2>/dev/null ;fi

Local DNS server

apt install unbound
vi /etc/resolv.conf # insert top: nameserver


Munin Resource Monitoring

Install munin-node and allow remote access from our webserver that runs munin to gather statistics at ( https://www.torservers.net/munin/ ). munin-node is the “client side component”. You might also be interested in the munin "server side component" configuration.
apt install -y munin-node
ln -s /usr/share/munin/plugins/netstat /etc/munin/plugins/netstat
rm /etc/munin/plugins/http_loadtime
rm /etc/munin/plugins/ntp_*
rm /etc/munin/plugins/postfix_*
rm /etc/munin/plugins/exim_*
sed "s/allow \\^127\\\.0\\\.0\\\.1\\$/allow ^81\\\.7\\\.13\\\.16$/" -i /etc/munin/munin-node.conf
/etc/init.d/munin-node restart

High Bandwidth Tweaks (>100 mbps?)

You might also be interested in this tor-relay thread regarding high speed relay tweaks: How to Run High Capacity Tor Relays

In general, as with all optimizations: you should only apply those that are necessary for you.

Multiple Tor Processes

Currently, Tor does not scale on multicore CPUs. If the CPU supports AES-NI crypto extensions (most modern CPUs do), one Tor process is able to handle around 400 Mbps of throughput – without AES-NI, around 100 Mbps. If your connection supports more, you will need to run multiple Tor processes. For this, on current Debian/Ubuntu releases, Tor comes with a helper to manage multiple instances.

Note that running more than two tor processes per IP address will result in those other nodes not being used on the network. You’ll see the following message in your logs:

[notice] Heartbeat: It seems like we are not in the cached consensus.



tor-instance-create <name>
# torrc for new instance is in /etc/tor/instances/<name>/torrc
systemctl enable tor@<name> # create symlinks for auto-launch of the new instance
systemctl start tor@<name>
systemctl mask tor@default # disable the default tor service

Done! On systems without systemd, you need to manually configure DataDirectory and PidFile in the torrc.

sysctl.conf kernel optimizations

Please only tweak kernel settings when necessary! Don’t change all at once, pick the ones that make sense and try them one by one over several weeks. Monitor changes carefully.

cd /etc
mv sysctl.conf sysctl.conf.dist
wget https://raw.githubusercontent.com/torservers/server-config-templates/master/sysctl.conf
# go through the settings once again! some only useful with large memory and CPU
# better tweaking probably possible; magic involved
sysctl -p

vnstat MaxBandwidth

Set MaxBandwidth to line maximum, eg. for GBit:

sed "s/MaxBandwidth 100/MaxBandwidth 1000/g" -i /etc/vnstat.conf
/etc/init.d/vnstat restart # don't reload; will stop vnstat from updating its db...


Might be useful in some cases. Only optimize when you need to!

# remove "exit" from rc.local, then
echo 'ifconfig eth0 txqueuelen 20000' >> /etc/rc.local
# Play with it. For GBit I've found values between 8000 and 16000 to be very useful, but it is hardware dependent

AES-NI Crypto Acceleration

Recent Intel and AMDs support a native AES crypto acceleration extension called AES-NI. It is well worth enabling and will save a lot of CPU cycles.

Some motherboards ship with AES-NI disabled. You can check if it is enabled:

# cat /proc/cpuinfo | grep aes
flags           : fpu [..] popcnt **aes** xsave [..] vpid