github/tor-guard-relay
1
1
Fork 0
mirror of https://github.com/r3bo0tbx1/tor-guard-relay.git synced 2026-04-06 00:32:04 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
tor-guard-relay/docs/MULTI-MODE.md
rE-Bo0t.bx1 be4f2bc125 feat(v1.1.7): Happy Family support (Tor 0.4.9+ FamilyId) 
🔧 New tool: gen-family - generate/view Happy Family keys
  - Supports --force flag to overwrite existing keys without backup prompt

🐳 Dockerfiles: gen-family in both Dockerfile and Dockerfile.edge

🔧 Entrypoint:
- Phase 2: detect *.secret_family_key, log found keys (informational only)
- Guard/exit config gen: append FamilyId + MyFamily from ENV vars
- Bridge intentionally excluded

📊 Status tool: show family key count + Happy Family config state

📚 Docs:
- README: Happy Family section (generate / import), persistence table, flowchart
- ARCHITECTURE: all mermaid diagrams updated (Phase 2, config gen, tools, dirs)
- TOOLS: full gen-family reference with examples and exit codes
- DEPLOYMENT, MIGRATION, MIGRATION-V1.1.X, TROUBLESHOOTING: 5 -> 6 tools
- FAQ, example configs: version bump + FamilyId/MyFamily placeholders
- Directory authority voting: how 9 dirauths vote on relay flags (5/9 consensus)
- CIISS v2 ContactInfo: field reference, generator link, proof:uri-rsa verification
- All TOR_CONTACT_INFO examples updated to CIISS v2 format across templates and docs

📋 Templates:
- Guard/exit/multi-relay compose: TOR_FAMILY_ID + TOR_MY_FAMILY env vars
- All cosmos-compose + docker-compose versions -> 1.1.7

👷 CI: validate.yml gen-family in 8 spots (threshold 6), security tests, quick-test

🛡️ SECURITY.md: 1.1.7 active, 1.1.6 maintenance, gen-family in tools list

🔖 Version bump 1.1.6 -> 1.1.7 across 30+ files, tool count 5 -> 6, CHANGELOG entry

No breaking changes. TOR_FAMILY_ID and TOR_MY_FAMILY are optional.
2026-03-02 16:23:10 +08:00

536 lines
14 KiB
Markdown
Raw Permalink Blame History

# 🔄 Multi-Mode Relay Guide - Tor Guard Relay
Complete guide to running Guard/Middle relays, Exit relays, and obfs4 Bridges.
---
## Table of Contents
- [Overview](#overview)
- [Mode Comparison](#mode-comparison)
- [Guard/Middle Relay Mode](#guardmiddle-relay-mode)
- [Exit Relay Mode](#exit-relay-mode)
- [obfs4 Bridge Mode](#obfs4-bridge-mode)
- [Configuration Methods](#configuration-methods)
- [Environment Variables Reference](#environment-variables-reference)
- [Switching Modes](#switching-modes)
- [Troubleshooting](#troubleshooting)
---
## Overview
The Tor Guard Relay container now supports **three relay modes**:
| Mode | Purpose | Public Visibility | Legal Risk | Bandwidth Needs |
|------|---------|------------------|------------|-----------------|
| **Guard/Middle** | Entry/routing relay | High | Low | Medium-High |
| **Exit** | Exit traffic to internet | High | **HIGH** | High |
| **Bridge** | Help censored users | Hidden | Low | Low-Medium |
### Key Features
-**Dynamic Configuration** - Generate config from environment variables
-**obfs4 Support** - Pluggable transport for bridges
-**Backwards Compatible** - Still supports mounting config files
-**Secure Defaults** - Guard/middle as default mode
---
## Mode Comparison
### Guard/Middle Relay (Default)
**What it does:**
- Acts as entry point (guard) or routing node (middle) in Tor circuits
- Does NOT handle exit traffic to the internet
- Published in the main Tor directory
**Best for:**
- Operators who want to contribute without legal complexity
- Stable, high-bandwidth connections
- Long-term operation (8+ days to earn Guard flag - requires at least 5 of 9 directory authorities to vote in consensus)
**Requirements:**
- Public IP with ports 9001, 9030 accessible
- Stable uptime (99%+ recommended)
- 10+ Mbps bandwidth recommended
### Exit Relay
**What it does:**
- Allows Tor traffic to exit to the internet
- Your IP is associated with all exit traffic
- Published in the main Tor directory
**Best for:**
- Experienced operators who understand legal implications
- Datacenters with abuse handling
- Dedicated servers/IPs
**⚠️ CRITICAL REQUIREMENTS:**
- **Understand legal risks** - read [EFF Tor Legal FAQ](https://community.torproject.org/relay/community-resources/eff-tor-legal-faq/)
- Prepare for abuse complaints
- Inform your ISP
- Set up abuse@ email address
- Have legal resources available
- Use dedicated IP/server
### obfs4 Bridge
**What it does:**
- Helps users in censored countries connect to Tor
- NOT published in main directory (distributed via BridgeDB)
- Uses obfs4 to make traffic look random
**Best for:**
- Operators in non-censored countries
- Lower bandwidth contributions
- Helping circumvent censorship
**Requirements:**
- Stable IP with ports 9001, 9002 accessible
- Less bandwidth than relays (10+ Mbps sufficient)
- Not blocked by censors in target countries
---
## Guard/Middle Relay Mode
### Quick Start with Environment Variables
```bash
docker run -d \
--name tor-guard-relay \
--network host \
--restart unless-stopped \
-e TOR_RELAY_MODE=guard \
-e TOR_NICKNAME=MyGuardRelay \
-e TOR_CONTACT_INFO="your-email@example.com" \
-e TOR_BANDWIDTH_RATE="50 MBytes" \
-e TOR_BANDWIDTH_BURST="100 MBytes" \
-v tor-guard-data:/var/lib/tor \
-v tor-guard-logs:/var/log/tor \
r3bo0tbx1/onion-relay:latest
```
### Docker Compose
```yaml
version: '3.8'
services:
tor-guard-relay:
image: r3bo0tbx1/onion-relay:latest
container_name: tor-guard-relay
restart: unless-stopped
network_mode: host
environment:
TOR_RELAY_MODE: guard
TOR_NICKNAME: MyGuardRelay
TOR_CONTACT_INFO: "your-email@example.com"
TOR_BANDWIDTH_RATE: "50 MBytes"
TOR_BANDWIDTH_BURST: "100 MBytes"
volumes:
- tor-guard-data:/var/lib/tor
- tor-guard-logs:/var/log/tor
volumes:
tor-guard-data:
tor-guard-logs:
```
Save as `docker-compose.yml` and run:
```bash
docker-compose up -d
```
### Verification
```bash
# Check status
docker exec tor-guard-relay status
# View logs
docker logs -f tor-guard-relay
# Get fingerprint
docker exec tor-guard-relay fingerprint
```
---
## Exit Relay Mode
### ⚠️ Before You Start
**READ THIS FIRST:**
1. [EFF Tor Legal FAQ](https://community.torproject.org/relay/community-resources/eff-tor-legal-faq/)
2. [Tor Abuse Response Templates](https://community.torproject.org/relay/community-resources/tor-abuse-templates/)
3. [Good/Bad ISPs for Exit Relays](https://community.torproject.org/relay/community-resources/good-bad-isps/)
**Exit Relay Checklist:**
- [ ] Read and understand legal implications
- [ ] Prepared to handle abuse complaints
- [ ] Informed ISP (recommended)
- [ ] Set up abuse@ email address
- [ ] Using dedicated IP/server
- [ ] Have abuse response template ready
- [ ] Have legal resources available if needed
### Quick Start
```bash
docker run -d \
--name tor-exit-relay \
--network host \
--restart unless-stopped \
-e TOR_RELAY_MODE=exit \
-e TOR_NICKNAME=MyExitRelay \
-e TOR_CONTACT_INFO="your-email@example.com <0xPGP_KEY>" \
-e TOR_BANDWIDTH_RATE="50 MBytes" \
-e TOR_BANDWIDTH_BURST="100 MBytes" \
-v tor-exit-data:/var/lib/tor \
-v tor-exit-logs:/var/log/tor \
r3bo0tbx1/onion-relay:latest
```
### Exit Policy
By default, uses the **Reduced Exit Policy** (Tor Project recommended):
- Allows common services (HTTP, HTTPS, SSH, email, etc.)
- Blocks high-risk ports
- Good starting point for exit operators
**Custom Exit Policy:**
```bash
-e TOR_EXIT_POLICY="accept *:80,accept *:443,reject *:*"
```
**More restrictive (HTTPS only):**
```bash
-e TOR_EXIT_POLICY="accept *:443,reject *:*"
```
### Docker Compose
See [templates/docker-compose-exit.yml](../templates/docker-compose-exit.yml) for complete example.
### Handling Abuse Complaints
**Standard Response Template:**
```
This is a Tor exit relay (https://www.torproject.org/).
The IP address you reported is not the source of the activity.
Tor is an anonymity network that helps people protect their
privacy and security online.
For more information about Tor and exit relays:
- What is Tor: https://www.torproject.org/about/overview.html
- Tor and abuse: https://blog.torproject.org/blog/tips-running-exit-node
If you have concerns about specific traffic, please contact
the destination website directly. The exit relay operator
does not control the traffic passing through the relay.
Contact: your-email@example.com
```
---
## obfs4 Bridge Mode
### Quick Start
```bash
docker run -d \
--name tor-bridge \
--network host \
--restart unless-stopped \
-e TOR_RELAY_MODE=bridge \
-e TOR_NICKNAME=MyTorBridge \
-e TOR_CONTACT_INFO="your-email@example.com" \
-e TOR_ORPORT=9001 \
-e TOR_OBFS4_PORT=9002 \
-e TOR_BANDWIDTH_RATE="10 MBytes" \
-e TOR_BANDWIDTH_BURST="20 MBytes" \
-v tor-bridge-data:/var/lib/tor \
-v tor-bridge-logs:/var/log/tor \
r3bo0tbx1/onion-relay:latest
```
### Docker Compose
See [templates/docker-compose-bridge.yml](../templates/docker-compose-bridge.yml) for complete example.
### Getting Your Bridge Line
**After 24-48 hours**, your bridge will be registered and you can get the bridge line:
```bash
# Method 1: Check pt_state directory
docker exec tor-bridge cat /var/lib/tor/pt_state/obfs4_bridgeline.txt
# Method 2: Search logs
docker exec tor-bridge grep "bridge line" /var/log/tor/notices.log
# Method 3: Check pt_state directory contents
docker exec tor-bridge ls -la /var/lib/tor/pt_state/
```
Output will look like:
```
Bridge obfs4 <IP>:<PORT> <FINGERPRINT> cert=<CERT> iat-mode=0
```
### Sharing Your Bridge
**IMPORTANT:**
- Only share with people you trust
- Do NOT publish publicly (defeats the purpose)
- Users can also request bridges from [BridgeDB](https://bridges.torproject.org/)
### Verification
```bash
# Check if obfs4proxy is running
docker exec tor-bridge pgrep -a obfs4proxy
# Check bridge status
docker exec tor-bridge status
```
---
## Configuration Methods
The container supports **two configuration methods**:
### Method 1: Environment Variables (Recommended for Simple Setups)
**Pros:**
✓ No config file to maintain
✓ Easy to change settings
✓ Good for simple setups
✓ Works well with orchestration tools
**Cons:**
✗ Less flexible for advanced options
✗ Cannot set all possible Tor directives
**Example:**
```bash
docker run -d \
-e TOR_RELAY_MODE=guard \
-e TOR_NICKNAME=MyRelay \
-e TOR_CONTACT_INFO="email@example.com" \
...
```
### Method 2: Config File Mount (Advanced)
**Pros:**
✓ Full control over Tor configuration
✓ Can use any Tor directive
✓ Better for complex setups
**Cons:**
✗ Need to maintain config file
✗ Less portable
**Example:**
```bash
docker run -d \
-v $(pwd)/relay.conf:/etc/tor/torrc:ro \
...
```
### Can I Use Both?
Yes! If you mount a config file, it takes precedence over environment variables.
The container will detect the mounted file and skip dynamic config generation.
---
## Environment Variables Reference
### Core Configuration
| Variable | Default | Description |
|----------|---------|-------------|
| `TOR_RELAY_MODE` | `guard` | Relay mode: `guard`, `exit`, or `bridge` |
| `TOR_NICKNAME` | _(required)_ | Relay nickname (1-19 alphanumeric chars) |
| `TOR_CONTACT_INFO` | _(required)_ | Contact email (+ optional PGP key) |
### Network Ports
| Variable | Default | Description |
|----------|---------|-------------|
| `TOR_ORPORT` | `9001` | Tor connection port |
| `TOR_DIRPORT` | `9030` | Directory service port (not used for bridges) |
| `TOR_OBFS4_PORT` | `9002` | obfs4 pluggable transport port (bridges only) |
### Bandwidth
| Variable | Default | Description |
|----------|---------|-------------|
| `TOR_BANDWIDTH_RATE` | _(none)_ | Sustained bandwidth (e.g., `50 MBytes`) |
| `TOR_BANDWIDTH_BURST` | _(none)_ | Burst bandwidth (e.g., `100 MBytes`) |
### Exit Policy (Exit Mode Only)
| Variable | Default | Description |
|----------|---------|-------------|
| `TOR_EXIT_POLICY` | Reduced Exit Policy | Custom exit policy (comma-separated) |
Example: `TOR_EXIT_POLICY="accept *:80,accept *:443,reject *:*"`
### Advanced
| Variable | Default | Description |
|----------|---------|-------------|
| `TOR_DATA_DIR` | `/var/lib/tor` | Tor data directory |
| `TOR_LOG_DIR` | `/var/log/tor` | Tor log directory |
| `TOR_CONFIG` | `/etc/tor/torrc` | Tor configuration file path |
| `DEBUG` | `false` | Enable debug output |
---
## Switching Modes
You can switch between modes by changing `TOR_RELAY_MODE` and restarting:
### From Guard to Exit
```bash
docker stop tor-relay
docker rm tor-relay
docker run -d \
--name tor-relay \
-e TOR_RELAY_MODE=exit \
-e TOR_NICKNAME=MyExitRelay \
... # Same volumes
```
**⚠️ WARNING:** Switching to exit mode has legal implications. Read the Exit Relay section first.
### From Guard to Bridge
```bash
docker stop tor-relay
docker rm tor-relay
docker run -d \
--name tor-relay \
-e TOR_RELAY_MODE=bridge \
-e TOR_NICKNAME=MyBridge \
-e TOR_OBFS4_PORT=9002 \
... # Same volumes
```
**Note:** Your relay will get a new identity when switching modes.
---
## Troubleshooting
### Configuration Not Generating
**Symptom:** Container starts but uses placeholder config
**Solution:**
1. Make sure no config file is mounted at `/etc/tor/torrc`
2. Set required environment variables:
- `TOR_NICKNAME`
- `TOR_CONTACT_INFO`
3. Check logs: `docker logs <container>`
### Bridge Line Not Appearing
**Symptom:** Bridge line file doesn't exist after 24+ hours
**Solution:**
1. Check both ports are accessible: `9001` and `9002`
2. Verify obfs4proxy is running: `docker exec <container> pgrep obfs4proxy`
3. Check logs for obfs4proxy errors: `docker logs <container> | grep obfs4`
4. Wait 48 hours - bridge distribution takes time
### Exit Relay - Too Many Abuse Complaints
**Symptom:** Receiving excessive abuse complaints
**Solutions:**
1. Switch to more restrictive exit policy (HTTPS only)
2. Consider running as guard relay instead
3. Check if your ISP supports exit relays: [Good/Bad ISPs](https://community.torproject.org/relay/community-resources/good-bad-isps/)
4. Use abuse complaint template to respond efficiently
### Ports Not Accessible
**Symptom:** `ORPort not reachable` in status
**Solution:**
```bash
# Check firewall
sudo ufw status
# Open required ports
sudo ufw allow 9001/tcp
sudo ufw allow 9030/tcp # Guards/exits only
sudo ufw allow 9002/tcp # Bridges only
# Test from outside
nc -zv <your-ip> 9001
```
### Low/No Traffic
**Symptom:** Relay shows very little bandwidth usage
**Normal for:**
- New relays (2-8 weeks to build reputation)
- Bridges (intentionally low visibility)
- Guards without Guard flag (need 8+ days uptime - at least 5 of 9 directory authorities must agree in consensus)
**Check:**
1. Verify relay is reachable: `docker exec <container> status`
2. Check Tor Metrics: https://metrics.torproject.org/rs.html
3. Ensure adequate bandwidth: `TOR_BANDWIDTH_RATE`
---
## Resources
### Official Tor Project
- [Relay Setup Guide](https://community.torproject.org/relay/setup/)
- [Bridge Setup Guide](https://community.torproject.org/relay/setup/bridge/)
- [Relay Requirements](https://community.torproject.org/relay/relays-requirements/)
- [Tor Metrics](https://metrics.torproject.org/)
- [BridgeDB](https://bridges.torproject.org/)
### Legal & Compliance
- [EFF Tor Legal FAQ](https://community.torproject.org/relay/community-resources/eff-tor-legal-faq/)
- [Abuse Response Templates](https://community.torproject.org/relay/community-resources/tor-abuse-templates/)
- [Good/Bad ISPs](https://community.torproject.org/relay/community-resources/good-bad-isps/)
### Technical Documentation
- [obfs4 Specification](https://gitlab.com/yawning/obfs4)
- [Tor Manual](https://2019.www.torproject.org/docs/tor-manual.html.en)
### This Project
- [Main README](../README.md)
- [Deployment Guide](DEPLOYMENT.md)
- [Tools Documentation](TOOLS.md)
- [Monitoring Guide](MONITORING.md)
---
**Made with 💜 for a freer, uncensored internet**
*Protecting privacy, one relay at a time* 🧅✨
Reference in New Issue View Git Blame Copy Permalink