For those in Iran. Here is a guide in Farsi for installing Tor so you can surf the web without censorship: http://greenoolo.pieceoftheworld.org/

IMPORTANT UPDATE (23/06/09): New email addresses have been added, and others updated. If you have Tor set up in bridge mode, resend your connection information to us.

IMPORTANT UPDATE #2: When posting in the comments section do not post your normal email address, do not use your name/alias (make up a new one) or post other personally identifiable information. This is very important.

UPDATE: slseveral sends this interesting read: http://blog.torproject.org/blog/measuring-tor-and-iran That might ease those wondering if we’re actually helping :)


What is Tor? (from https://www.torproject.org/)

“Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location. Tor works with many of your existing applications, including web browsers, instant messaging clients, remote login, and other applications based on the TCP protocol.”

This is something of great value to our friends in Iran.

Get Tor

(all found at https://www.torproject.org/easy-download.html.en)

OS X: https://www.torproject.org/dist/vidalia-bundles/vidalia-bundle-0.2.0.34-0.1.10-universal.dmg

Windows: https://www.torproject.org/dist/vidalia-bundles/vidalia-bundle-0.2.0.34-0.1.10.exe

Linux/Unix/src: https://www.torproject.org/download-unix.html.en

Then install it (detailed instructions are available for Windows and OS X; short version: double-click the install file).


Relay or Bridge?

A relay will be a proxy in the Tor network and help speed up the network for the people using it. A bridge, on the other hand, will enable people to reach the Tor network if the relays are blacklisted. If you set up a bridge, you will need to get its address to the people who are going to use it (more on that later; in short: do not post it publicly).

IMPORTANT: We’re going to need both sorts (mostly relays though), so please answer the poll (at the end) on which type you’ve set up. And if the type doesn’t matter to you, please check the poll to see how others have chosen and balance it up.


Relay:

(from https://www.torproject.org/docs/tor-doc-relay.html.en#setup)

  • Right click on the Vidalia icon in your task bar. Choose Control Panel.
  • Click Setup Relaying.
  • Choose Relay Traffic for the Tor network.
  • Enter a nickname for your relay. (Optional, enter contact information.)
  • Change the ports from the defaults (they need to be >1024 on OS X and Linux/Unix).
  • If you have UPnP: Choose Attempt to automatically configure port forwarding. Push the Test button to see if it works. If it does work, great. If not, see “Firewall/router” below.
  • Choose the Bandwidth Limits tab. Select how much bandwidth you want to provide for Tor users like yourself.
  • Choose the Exit Policies tab. If you want to allow others to use your relay for these services, don’t change anything. Un-check the services you don’t want to allow through your relay. If you want to be a non-exit relay, un-check all services.
  • Click the Ok button. See “Check if it works” below for confirmation that the relay is working correctly.

Firewall/Router:

If you are using a firewall, open a hole in your firewall/router so incoming connections can reach the ports you configured (Relay Port (plus Directory Port if you enabled it)). Make sure you allow all outgoing connections, so your relay can reach the other Tor relays.

Check if it works:

Restart your relay. If it logs any warnings, address them. Look at the updates at the end of the post for help resolving issues that arise.

As soon as your relay manages to connect to the network, it will try to determine whether the ports you configured are reachable from the outside. This may take up to 20 minutes. Look for a log entry like “Self-testing indicates your ORPort is reachable from the outside. Excellent.” If you don’t see this message, it means that your relay is not reachable from the outside — you should re-check your firewalls, check that it’s testing the IP and port you think it should be testing, etc.

Problems?

And now what?

Well, congratulations, this is it. People can now surf the internet without fear of filtering/blocking or surveillance. Collect your karma points and continue following https://twitter.com/#search?q=%23IranElection or http://www.huffingtonpost.com/2009/06/13/iran-demonstrations-viole_n_215189.html


Bridge:

  • Right click on the Vidalia icon in your task bar. Choose Control Panel.
  • Click Setup Relaying.
  • Click Help censored users reach the Tor network
  • Enter a nickname for your relay. (Optional, enter contact information.)
  • Change the ports from the defaults (they need to be >1024 on OS X and Linux/Unix).
  • If you have UPnP: Choose Attempt to automatically configure port forwarding. Push the Test button to see if it works. If it does work, great. If not, see “Firewall/router” below.
  • Choose the Bandwidth Limits tab. Select how much bandwidth you want to provide for Tor users like yourself.
  • Click the Ok button. See “Check if it works” below for confirmation that the bridge is working correctly.
  • Now scroll down to “Get the address to those that need it” and follow the instructions. Do NOT publish your connection information in the comments.

Firewall/Router:

If you are using a firewall, open a hole in your firewall/router so incoming connections can reach the ports you configured (Relay Port (plus Directory Port if you enabled it)). Make sure you allow all outgoing connections, so your relay can reach the other Tor relays.

Check if it works:

Restart your bridge. If it logs any warnings, address them. Look at the updates at the end of the post for help resolving issues that arise.

As soon as your bridge manages to connect to the network, it will try to determine whether the ports you configured are reachable from the outside. This may take up to 20 minutes. Look for a log entry like “Self-testing indicates your ORPort is reachable from the outside. Excellent.” If you don’t see this message, it means that your relay is not reachable from the outside — you should re-check your firewalls, check that it’s testing the IP and port you think it should be testing, etc.
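A small log check for the “Check if it works” steps in both the relay and the bridge sections, added here as an example (it is not part of the original post and not Tor Project code). It assumes the Tor message log has been saved as text and that DirPort messages use the same wording as the ORPort ones quoted on this page; the function names and the sample log are constructed for illustration.

```python
import ipaddress
import re

# Wording follows the ORPort notice and warning quoted on this page; the DirPort
# variants are assumed to read the same apart from the port name.
LINE = re.compile(r"^(\w{3} +\d+ [\d:.]+) \[(\w+)\] (.*)$")
REACHABLE = re.compile(r"Self-testing indicates your (ORPort|DirPort) is reachable")
UNCONFIRMED = re.compile(
    r"Your server \(([^):]+):(\d+)\) has not managed to confirm "
    r"that its (ORPort|DirPort) is reachable")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan_address(host):
    """True if host is an RFC 1918 address, which outside users cannot reach."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostname or scrubbed value: cannot tell
    return any(ip in net for net in RFC1918)


def reachability(log_text):
    """Return {port: {"state", "hint"}} from the latest self-test line per port."""
    result = {p: {"state": "no result yet", "hint": None}
              for p in ("ORPort", "DirPort")}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a timestamped log line
        stamp, _level, msg = m.groups()
        ok = REACHABLE.search(msg)
        bad = UNCONFIRMED.search(msg)
        if ok:
            result[ok.group(1)] = {"state": "reachable", "hint": None}
        elif bad:
            host, port, which = bad.groups()
            if is_lan_address(host):
                hint = (f"{stamp}: tested LAN address {host}:{port}; Tor is "
                        "advertising an address from behind the router")
            else:
                hint = (f"{stamp}: tested {host}:{port}; forward that port to "
                        "this machine and allow it through the firewall")
            result[which] = {"state": "not confirmed", "hint": hint}
    return result


# Constructed sample log; addresses are LAN/documentation examples.
SAMPLE_LOG = """\
Jun 24 22:30:02.101 [Notice] (constructed filler line)
Jun 24 22:50:02.300 [Warning] Your server (192.168.0.12:9001) has not managed to confirm that its ORPort is reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Jun 24 22:50:02.301 [Warning] Your server (203.0.113.7:9030) has not managed to confirm that its DirPort is reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Jun 24 22:56:11.544 [Notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
"""

if __name__ == "__main__":
    for port, info in reachability(SAMPLE_LOG).items():
        print(f"{port}: {info['state']}")
        if info["hint"]:
            print("  hint:", info["hint"])
```

Only the most recent self-test line per port counts, so a warning logged before the port became reachable does not leave a stale hint behind.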

Problems?

Get that address to those that need it (IMPORTANT)

After successfully setting up the bridge, click “Setup Relay” and you will see your IP, port and a string of characters; this is your bridge address.

Your bridge address is not posted publicly, so you need to get it to those that need it.

Email this bridge address to anonygreen@gmail.com, gr88proxies@googlegroups.com, tor@austinheap.com, irancurtain@iansbrain.com and protesterhelp@gmail.com or Direct Message (private message) in Twitter to @iran09, @austinheap, @protesterhelp, @persiankiwi or @stopahmadi. If you email be sure to include “Tor bridge” in the subject line.


And now what?

Well, congratulations, this is it. People can now surf the internet without fear of filtering/blocking or surveillance. Collect your karma points and continue following https://twitter.com/#search?q=%23IranElection or http://www.huffingtonpost.com/2009/06/13/iran-demonstrations-viole_n_215189.html


Poll:


Update 1:
GeoIP error:

Ian Says:

19th June, 2009 at 02:38 |

download this http://git.torproject.org/checkout/tor/master/src/config/geoip and put it in C:\Documents and Settings\{username}\Application Data\Tor\

Open ports in the router:

Carl Says:

21st June, 2009 at 13:01 |

Then you need to forward that port from your router to your computer.

See: http://portforward.com/ for info and howto:s

Update 2:
DNS hijacking:

From David and slseveral:

http://dnsresolvers.com/ got me past the hijacking errors (Verizon FIOS DNS servers.)

Update 3:
DIR Port not reachable, but OR port is.

Boogs says:
“THE SOLUTION, at least for me, was to download the latest unstable version at http://www.torproject.org/download.html.en and presto, now everything works just like it should. There must be a bug in the latest stable version.”


How can you help, 2nd edition.

Talk to friends and spread the word of the Iranian struggle for freedom. Refer them to this guide if you think it was good.

If you know Farsi, please help translate

https://www.torproject.org/docs/tor-doc-windows.html.en

https://www.torproject.org/docs/tor-doc-osx.html.en

185 Responses to “How to setup a Tor relay or Tor bridge”

  1. Marc Byrd said

    If I can confirm that my initial bridge is working correctly, I’m happy to:
    1) Widely distribute IP’s
    2) Confirm that machines are being used
    3) Would like to know when they start to be blocked, automate if possible
    4) Fire up new machines as some become blocked, update list of available servers
    5) Shut down blocked machines
    6) Repeat as needed

    I’m willing to run as many servers as required in US and EU. With some help I’m confident this can be automated.

  2. [...] Another writeup and where to send TOR bridges How to setup a Tor relay or Tor bridge How to help #iranelection [...]

  3. Bren said

    The TOR authority also distributes bridge addresses when requested, which means it might also be shared. By design you cannot help one group of people more than the others, which is equivalent to some sort of censorship. Once people get into the TOR network via bridges, all the relays are equally shared. Any user helps because the traffic is mashed up to be untraceable (provided the network is not overloaded).

    Also, the geoip mentioned above doesn’t work for the stable version, but requires the newer development version.

    Some details here:
    http://bit.ly/zAajH
    http://iran.whyweprotest.net/keeping-your-anonymity-iran/802-show-your-solidarity-how-setup-tor-relay-via-gui.html#post5188

  4. [...] For anyone interested, here's more information about setting up a Tor relay or bridge to help Iranian activists and/or, more generally, the cause [...]

  5. slseveral said

    Would like some confirmation or negation as to whether I’m on the right path to solving bridge/exit-relay setup trouble. I’ll list the current setup and what I’m thinking about changing it to.

    Current setup problem:

    internet –> FIOS router (dhcp currently gives out 192.168.1.xxx, can be changed) –> Vonage Router (dhcp gives out 192.168.15.xxx, can’t be changed) Netgear WPN824v2 (dhcp currently gives out 192.168.0.xxx, can be changed) –> PC running Tor and Vidalia where i’ll be running bridge/exit relay

    The two ports I’ve configged for the bridge are forwarded to the next thing in the chain (so on the fios router the two ports are forwarded to the vonage router’s internal IP where the same two ports are forwarded to the netgear’s IP which forwards those two ports to the PC running tor/vidalia.)

    After 20 minutes logs show ports not reachable. I’ve triple-checked all port forwardings to no avail.

    Here’s what I’m thinking:

    Since I can’t change the middle router (vonage) to dole out a different IP block than 192.168.15.xxx, change the other two to that block, so i’ll have:

    interwebs –> FIOS router giving out 192.168.15.xxx –> Vonage router still giving out 192.168.15.xxx –> Netgear giving out 192.168.15.xxx –> PC with the Tor bridge on it.

    Questions are:
    1) Will this work or with the router conflict, all wanting to be boss?
    2) If it works, can I then just set up port forwarding on the FIOS router directly to the PC’s internal IP?

    Going to take some time due to number of devices connected to the netgear at present with assigned IPs, so wanting a sanity check before I dig in.

    TIA

    • slseveral said

      Correction to question 1) at the end there:
      1) Will this work or will the routers conflict, all wanting to be boss?

    • Carl said

      My guess is the router keeps outside separated from inside. So it shouldn’t matter. There might of course be some interesting side effects, I don’t know for certain. Most of all i think it is confusing and i can’t see how it would help.

      The question that strikes me is why you have this setup. Why not have a router at the border and then have the others just function as switches?

      I have a setup with multiple dhcp:s as well. But that is to separate my open wifi from my home network. Do you really need the segmentation you have right now?

      • slseveral said

        Thanks for the reply Carl.

        Sadly, yes, needed. FIOS router lacks features I need, vonage router has no wifi but must be in the loop for the voip to work. netgear has needed features and wifi.

        Since posting the above I discovered that the netgear was randomly nuking my port forwards. a little googling indicated that it is a known bug. disabling SPI Firewall stops the bug. restarted, waiting/watching logs now to see if ports are accessible.

        • slseveral said

          Workaround of disabling SPI firewall didn’t fix. still nuking port forward rules. found new firmware version. will upgrade and try again tmw night.

          • Carl said

            Good luck! And please post back success/fail

          • slseveral said

            And I quote:
            “Jun 24 22:56:11.544 [Notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.”

            Sending info to contacts listed above shortly.

            :-)

  6. [...] up “relays” and “bridges” that can be accessed by people in Iran—and this is something you yourself can do that can be of considerable benefit to Iranians trying to reach out to the rest of [...]

  7. Steve Mahfouz said

    here is my information for my Tor relay bridge:

    *.*.*.*:* *************************************** (mod: do NOT publish connection information here, send it to the email addresses listed in the howto above)

    Peace and freedom for Iran !

    Steve Mahfouz

    • guest said

      Please do not publish your bridge IP address in public like this, send it only in private email to those listed in the article.

      Try to get yourself a new IP address by using the “ip release” and “ip renew” command; then, when you see you have gotten a new IP address, generate the new bridge relay address and send it in private email to the email addresses listed in this article

  8. jolle said

    I’m trying to set up a bridge, but I’m not sure if it works. I have not received confirmation through self-testing, but I do both receive and send data: the bandwidth graph tells me it received 105 KB and sent 186 KB.

    Some questions : I have a WAN and a LAN address. The WAN address is shown in the bridge address. Is this wrong? It is the same though as shown when I check my ip-adress on http://www.ip-adress.com

    Can this be a router issue or an ISP issue?

    • jolle said

      I checked the info and it says that the address resolves to private IP address 192.168.*.*

      I tried to access my router, but I failed. My housemate changed the password and can’t fix it.

      I’ll try something else tomorrow.

    • Carl said

      This is all good. The WAN address is your external address, the one people need to reach you. Your LAN address is the address your computer has internally and uses when communicating with the router.

      Confirmation can take some time. Have you configured your router correctly? (Port forwarding?)

  9. Sandra said

    Set up a bridge but how do I know if it’s working ok? Message log hasn’t done anything for a while and bandwidth usage barely changes.

    • Carl said

      Thank you for your help!

      Before you can see traffic on your bridge someone we have forwarded your bridge to must explicitly connect to it. It can take time, and it may even never happen.

      I don’t know how quickly they identify and block bridges, but some time ahead yours may be needed.

      If you feel you need more immediate feedback i suggest running a relay instead.

    • jolle said

      If the message log doesn’t do anything, check if you have your port forwarded to the router. That’s what stopped it for me.

  10. slseveral said

    Bah. ORPort Reachable, DirPort is not. Port Forwardings are set up the same except for the port numbers of course.

    Thoughts? (reading thread, haven’t seen it yet, but not done reading…)

    • slseveral said

      Carl, safe to assume that your comments about not needing the DirPort refer to relays rather than bridges? Bridges need the DirPort, yes?

      • Carl said

        From what I’ve been able to gather; no, they don’t.

        Your bridge connects to the tor network and those accessing your bridge need only that. I’ll try to find more info on what the DIR port does when i can find the time.

  11. Ian said

    I saw 2 green connection lines to Iran late last night. :D

  12. Chaya said

    Carl, I can’t find your comment to me anywhere here; but you’re right – I don’t feel comfortable with these instructions! Thank you, anyway. BTW, what do I do with this Tor thing I downloaded????

    • Carl said

      The comments wound up in the “About” section of this blog, so i removed them. But you got my answers in an email.

      If you already installed it you can remove it by clicking the “Uninstall” icon in the “Vidalia bundle” folder in your start menu.

      If you did not install it, there is nothing you need to do.

      Thank you

  13. Sandra said

    Just got back from work and checked my bridge’s log, found a lot of messages saying almost same thing:

    Notice: We tried for 15 seconds to connection to ‘[scrubbed]‘ using exit ‘…….’. Retrying on a new cuircuit.

    Notice: Tried for 120 seconds to get a connection to [scrubbed]:80. Giving up.

    I’m assuming something isn’t working right?

  14. slseveral said

    Closing in on 24 hours since I emailed my bridge info to the email addresses above. I didn’t receive any email replies, but something seems to be happening…

    Bandwidth usage shows…
    Recv: 7.93 MB
    Sent: 3.13 MB

    This seems to bode well, though I expected heavier usage based on the graph here:

    http://blog.torproject.org/blog/measuring-tor-and-iran

    • Carl said

      Well, one could expect quite a bit of lag between the time bridge is up until its IP has found its way to user. At least that is my experience.

      Thanks for the link, really interesting read! And good to see that we are doing something useful

    • Carl said

      Link goes in a top update, with credit given to you. Cheers!

  15. Kate said

    I’m also having issues with my Dirport being unreachable. This would be easier for me to resolve on my Windows machine, but I’m running this off my Macbook and don’t know how to tweak settings as well. Any ideas?

  16. Goose said

    I have been having the DirPort Warning message upon using my bridge. From what I can gather online (see website link) this is a bug. The workaround is to disable the Dirport as apparently bridges do not need it.

    Hope that helps anyone.

  17. Boogs said

    FOR THOSE HAVING TROUBLE WITH THEIR DIRPORT NOT BEING REACHABLE, I was having the same problem. It was frustrating because I wasn’t behind a router and my ORport was working just fine, so I couldn’t figure out what the problem was.

    THE SOLUTION, at least for me, was to download the latest unstable version at http://www.torproject.org/download.html.en and presto, now everything works just like it should. There must be a bug in the latest stable version. (This is on XP SP3, by the way.)

    Let’s get those bridges going!

  19. ErikCincinnati said

    I run a relay, but not an open one. (e.g. the sites that can be exited from my relay are limited – this is to prevent file-sharing complaints from the RIAA).

    What sites (specific news, communication, etc) are most important to the people of IRAN, and blocked?

    Thanks, Erik

    • Carl said

      Can’t really say. But my guess would be:

      Social: Twitter Facebook Myspace?

      Communication: Gmail/GTalk Yahoo/YahooMail MSN/hotmail others

      News: bbc, bbc persia others

      Please amend the list if you’ve got more.

    • ateologu said

      Methinks popular e-mail hosts should have priority. Twitter is less known and used than some people might have you think.

  21. Zach said

    I’m still getting this message when trying to run a relay:

    Jun 30 07:33:22.322 [Warning] Your server (74.138.222.208:9050) has not managed to confirm that its ORPort is reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.

    I tried opening up the port on AirPort as mentioned elsewhere on this thread, but that didn’t help.

    Any last suggestions before I give up?

    • Carl said

      Sorry mate. If you’ve opened the port in your router (airport) correctly, and made exceptions for Tor in the os x firewall (if it is enabled, which it usually is not). Then i cannot see why it’s not working.

      Maybe you are behind a NAT? Have you successfully opened ports to your computer in the past?

      • Zach said

        I’ve never tried to open ports before. I don’t think I’m behind an NAT, but how would I know? I’m trying to run the relay on a computer at my home and my ISP is Insight.

        Thanks!

        • Carl said

          There is a site that can help you with portforwarding (portforward.com). Check that everything is correctly configured and the port you redirect in your router is the same that you have specified in Tor.
