Guide

How to run a Tor relay on a VPS

Run a Tor relay on a VPS the right way: understand middle vs bridge vs exit, heed an honest abuse warning, deploy a safe middle-relay config, and use a reduced exit policy if you go further.

Deploy VPS Lihat harga

Running a Tor relay is one of the most direct ways to support the network: you donate bandwidth, and the network gets faster and more resilient for everyone. A VPS is the natural place to do it, because a relay should run on a dedicated machine with a stable IP and generous bandwidth rather than your home connection.

But not all relays carry the same risk. The type you choose decides whether you spend your evenings watching traffic flow or answering abuse mail. This guide walks through the three relay roles, an honest warning about exit traffic, our policy on Tor, and a tested configuration you can copy. We assume a fresh no-KYC VPS running Debian or Ubuntu; if you do not have one yet, deploy takes about 60 seconds after your on-chain payment confirms.

Key facts

Three relay roles: middle (safe default, almost no complaints), bridge (helps censored users, very low risk), and exit (routes to the open internet under your IP and attracts abuse).
Middle and bridge relays are welcome on every tier; exit relays are permitted in select locations with a published ContactInfo, a reduced exit policy, and abuse responsiveness.
The hard floor is absolute and applies to Tor traffic: no CSAM, weapons trafficking, or terrorism content, no exceptions. DMCA-ignored is operational policy, not legal immunity.
Unlimited traffic on every tier means no overage for the bandwidth you donate; Cub or Scout suits a personal relay, Scout and up for higher capacity.
The included config sets ExitRelay 0 and SocksPort 0 for a pure middle relay; advanced operators switch to ExitRelay 1 with the Tor Project's reduced exit policy.
Keep the relay on a dedicated machine, never mix personal traffic, and for exits choose a free-speech jurisdiction and publish an exit notice.

Relay, bridge, exit: know the difference before you start

Every Tor relay forwards encrypted traffic, but the role you pick determines your exposure. There are three to understand:

Middle relay — passes traffic only between other Tor nodes. It never connects to the open internet on a user's behalf, so it almost never generates complaints. This is the safe default and the right choice for a first relay. A well-established middle relay may also be picked by the network to serve as a guard, the first hop in a circuit, but that is a role the directory authorities assign over time, not a separate thing you configure.
Bridge — an unlisted entry point that helps people in censored networks reach Tor. Bridges are not published in the public consensus, draw essentially no abuse, and are genuinely useful where Tor is blocked.
Exit relay — the final hop that sends traffic to ordinary websites under your server's IP. Because the destination sees your address, exits attract abuse notices, blocklisting, and occasional law-enforcement inquiries.

If you want maximum benefit with minimum hassle, run a middle relay or a bridge. Only consider an exit once you understand the operational and legal weight that comes with it.

An honest warning: exit relays attract complaints and legal inquiries

We will not sugar-coat this. An exit relay routes other people's traffic to the wider internet under your IP, which means automated abuse systems, copyright agents, and occasionally investigators will see your address as the apparent source. Expect to receive abuse reports. Many hosting providers forbid exits outright for exactly this reason, and exit IPs frequently end up on blocklists that affect mail and signups.

None of this makes running an exit wrong — exits are vital to Tor and are run lawfully every day by experienced operators and organizations. But it is real work: you need a published abuse contact, a reduced exit policy, and a willingness to respond to notices. If that sounds like more than you signed up for, a middle relay gives the network most of the value with almost none of the friction.

Our policy on Tor relays

Middle and bridge relays are welcome on every tier; they pass only intra-network traffic and are a clean use of bandwidth we are glad to support. Exit relays are permitted in select locations, but they come with conditions: you must publish a working ContactInfo, run a reduced exit policy, and respond to abuse correspondence that reaches you through the control panel.

The hard floor is absolute and applies to Tor traffic like everything else: no CSAM, no weapons trafficking, no terrorism content, no exceptions. We treat routine copyright notices as an operational matter rather than automatic takedowns, and we act on valid court orders in the server's jurisdiction. We are private, not a promise of immunity; review our acceptable-use policy and how we handle abuse reports before you run an exit. If you are unsure whether your plan fits, ask through the panel first.

Which tier suits a relay

A relay is light on disk and RAM but rewards CPU and bandwidth. Tor is largely single-threaded for crypto work, so a couple of dedicated vCPUs let you push real throughput. Because every tier here includes unlimited traffic, you never pay an overage for the bandwidth you donate, which is exactly what a relay needs.

For a personal middle relay, the Cub (1 vCPU / 2 GB) or Scout (2 vCPU / 4 GB) tier is plenty. If you want a relay that pushes meaningful capacity into the network, Scout and up are the sweet spot, and the all-NVMe offshore VPS base means the small descriptor and consensus files stay snappy. Pick a location with good peering; our Amsterdam node sits on AMS-IX and is an excellent home for a relay.

Setting nickname, ContactInfo, ORPort and bandwidth limits

A few configuration values matter for every relay regardless of role. The Nickname is a public label of up to 19 alphanumeric characters. ContactInfo should be a way the network and the Tor Project can reach you about your relay — publish a non-personal abuse handle or an abuse URL rather than anything that ties back to you; never expose a personal address you care about.

The ORPort is the TCP port other relays connect to (443 and 9001 are common choices). Bandwidth is governed by RelayBandwidthRate and RelayBandwidthBurst: the rate is your sustained ceiling and the burst absorbs short spikes. Setting an explicit cap keeps a relay predictable even though traffic is unlimited. The numbered steps below put all of this together into a working file.

Operational hygiene for a Tor relay

Treat a relay as a single-purpose machine. Do not mix your personal browsing, your website, or any service that ties back to you onto the same VPS — a relay's IP is public and, for an exit, is the apparent source of strangers' traffic. Keeping it dedicated protects both you and the relay's reputation.

Run nothing else of consequence on the box; keep the OS minimal and patched.
Set a real ContactInfo and, for exits, host a short Tor exit notice page so anyone investigating your IP understands what it is.
Monitor health with nyx and watch the systemd journal for warnings.
For an exit, route abuse correspondence through a handle you actually monitor, and respond promptly. Fast, polite replies prevent most escalations.

If you are layering this with personal Tor use, our VPS-for-Tor guide covers running a private bridge or onion service alongside good network hygiene.

Choosing a jurisdiction for a relay

For a middle relay or bridge, jurisdiction barely matters — pick a location with strong peering and low latency to the relays you will talk to. The Netherlands flagship is hard to beat on connectivity.

For an exit, jurisdiction matters a great deal, because the server's local law governs how copyright notices and orders are handled and how comfortable the surrounding environment is for exit traffic. Free-speech and free-press jurisdictions such as Sweden and Iceland are popular homes for exits, and a privacy-forward base of NL, RO, or BG keeps things straightforward. Whatever you choose, your relay remains bound by the hard floor and by valid court orders where the server sits — running it on a no-KYC VPS changes how you sign up and pay, not which laws apply to the traffic.

Deploy and update a dedicated VPS
Spin up a fresh Debian or Ubuntu LTS instance you will use only for the relay, then update it and confirm it has a clean, dedicated IPv4. As root:
apt update && apt full-upgrade -y
Pick a tier with at least 2 GB RAM (Cub or Scout) and a location with good peering. Keep this server single-purpose.
Install Tor from the official repository
Use the Tor Project's own package repository rather than the distro's older build, so you get current security fixes. Install the keyring and repo, then Tor itself:
apt install -y apt-transport-https gpg
Add the official Tor repo for your release, import its signing key, then run apt update && apt install -y tor deb.torproject.org-keyring. Verify with tor --version.
Install Nyx for monitoring
Nyx is the terminal status monitor for a running relay — it shows bandwidth, connections, and log events at a glance:
apt install -y nyx
You will launch it after the relay is up with nyx (or sudo -u debian-tor nyx depending on your setup).
Configure a middle relay (the safe default)
Edit /etc/tor/torrc and define a non-exit relay. A minimal, correct middle-relay block looks like this:
```
Nickname myRelayName
ContactInfo abuse-relay-contact (https://example.org/abuse)
ORPort 9001
ExitRelay 0
SocksPort 0
RelayBandwidthRate 10 MBytes
RelayBandwidthBurst 20 MBytes
```
Use a non-personal abuse handle or an abuse-page URL for ContactInfo, never a personal address. ExitRelay 0 and SocksPort 0 are the lines that keep this a pure middle relay — no traffic exits to the open internet, so you should not receive abuse mail.
Open the relay port in the firewall
Allow inbound TCP on your ORPort (and keep SSH open). With ufw:
ufw allow 9001/tcp
ufw allow OpenSSH then ufw enable. If you also set a DirPort, open that port too.
Start the relay and enable it on boot
Restart Tor to load the config, then enable it so it survives reboots:
systemctl restart tor@default
systemctl enable tor@default. Check status with systemctl status tor@default and confirm there are no config errors.
Verify the relay is reachable
Run nyx to watch traffic, and tail the log for the reachability confirmation:
journalctl -u tor@default -f
Look for Self-testing indicates your ORPort is reachable from the outside. Within a few hours your relay appears on the public relay list; full participation in the consensus takes a few days as it earns trust.
(Advanced) Switch to a reduced exit policy if you run an exit
Only do this if you have read our acceptable-use policy and accept the responsibility. Set ExitRelay 1 and apply the Tor Project's reduced exit policy rather than allowing all ports — it blocks the noisiest abuse vectors (peer-to-peer, mail, common attack ports) while still being useful. In /etc/tor/torrc:
```
ExitRelay 1
IPv6Exit 1
# paste the Tor Project reduced ExitPolicy ruleset here
ExitPolicy reject *:*
```
Then host a short exit-notice page on port 80, publish a real ContactInfo abuse handle or abuse-page URL, restart with systemctl restart tor@default, and be ready to handle abuse mail through the panel. The hard floor remains absolute regardless of exit policy: no CSAM, no weapons trafficking, no terrorism content, no exceptions.

FAQ

Frequently asked questions

Can I run a Tor relay on VPSCrypto?

Yes. Middle and bridge relays are welcome on every tier. Exit relays are permitted in select locations with conditions — a published ContactInfo, a reduced exit policy, and responsiveness to abuse mail. Review our acceptable-use policy first. The hard floor is absolute and applies to all Tor traffic with no exceptions: no CSAM, no weapons trafficking, no terrorism content.

What is the difference between a middle relay and an exit relay?

A middle relay only passes traffic between Tor nodes and never touches the open internet, so it rarely draws complaints. An exit relay sends traffic out to ordinary websites under your server's IP, which makes your address the apparent source and attracts abuse notices and blocklisting. Beginners should start with a middle relay.

Will I get DMCA or abuse notices for running an exit?

Almost certainly, yes. We handle routine copyright notices as an operational policy rather than automatic takedowns, but exit operators should still expect a steady stream of automated complaints. Running a reduced exit policy and publishing a clear exit notice and abuse contact will cut the volume substantially. Note this is operational policy, not legal immunity — valid court orders in the server's jurisdiction still apply. And the hard floor is absolute, with no exceptions: no CSAM, no weapons trafficking, no terrorism content, ever.

Which relay should a beginner run?

A middle relay. It is safe, stable, contributes real value to the network, and generates essentially no abuse mail. A bridge is an equally low-risk option if you specifically want to help users in censored regions. Save exit relays for when you are comfortable handling complaints.

How much bandwidth and what tier does a relay need?

Relays are light on disk and RAM but reward CPU and bandwidth. Because every tier includes unlimited traffic, you never pay overage on the bandwidth you donate. A Cub or Scout handles a solid personal relay; step up to Scout or higher if you want to push meaningful capacity. See our offshore VPS tiers for specs.

Should I run anything else on my relay server?

No. Keep the relay on a dedicated, single-purpose machine and never mix personal browsing, websites, or identifying services onto it — a relay's IP is public, and an exit's IP is the apparent source of strangers' traffic. Deploying on a no-KYC VPS keeps signup clean, but the machine itself should stay dedicated to Tor.

Terkait

Terus jelajahi.

Deploy an offshore VPS in about a minute

No-KYC, crypto-paid, all-NVMe. Pick a tier, pay in Monero or any major coin, and get root in roughly 60 seconds.

Deploy VPS Deploy API