This Docker image will run the latest version of Tor server available on Arch Linux. It will run Tor as an unprivileged regular user, as recommended by torproject.org.
| Registry | Image Name |
|---|---|
| Docker Hub | else/tor-node |
| Container Registry | ghcr.io/elsbrock/tor-node |
The image is distroless, meaning that it is missing a userland (using FROM scratch). This minimizes the attack surface and keeps the image extremely small. It also helps to keep the software updated. Whenever a new release of tor is published in Arch Linux, it will be automatically picked up.
Tor and its dependencies are kept up to date with the help of Renovate. PRs to update dependencies that pass the build are merged automatically and a new Docker image version is published subsequently.
Releases are currently not automated, ie. the
:latesttag is not updated automatically – if you want to followmaster, use:master. Note that:masterwill be updated at least once per week, whereas:latestwill only be updated every once in a while until automation is in place.
The Docker image can be automatically updated on the Docker host using Watchtower.
The Tor network relies on volunteers to donate bandwidth. The more people who run relays, the faster the Tor network will be. If you have at least 2 megabits/s for both upload and download, please help out Tor by configuring your server to be a Tor relay too.
Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security.
- Tor prevents people from learning your location or browsing habits.
- Tor is for web browsers, instant messaging clients, and more.
- Tor is free and open source for Windows, Mac, Linux/Unix, and Android
- Prerequisites: A Linux server with Docker installed (see Install Docker and Docker Compose below)
- Public access to the configured ports
To start the Tor node with the default configuration, run the following command:
docker run -d --init --name=tor-node --net=host --restart=always \
-v tor-data:/var/lib/tor \
else/tor-nodeThis command will run a Tor relay server with a safe default configuration (not as an exit node). Note though that this container is using the host network, ie. all ports are published by default on the host running the container.
The server will autostart after restarting the host system. All Tor data will be preserved in a Docker volume, even if you upgrade or remove the container. See below on how to backup the server identity.
Check with docker logs -f tor-node If you see the message: [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor. at the bottom after a while, your server started successfully. Then wait a bit longer and search for your server on the Relay Search.
It is recommended to provide an email address at which the node operator can be reached. You may also want to configure additional options to control your monthly data usage, or to run Tor as a hidden obfuscated bridge. Look at the Tor manual with all Configuration File Options. This requires the configuration to be customized.
For customization you can create *.conf files in the tor-config volume containing valid Tor configuration directives. These directives are included from the main config located in /etc/tor/torrc which is is baked into the image.
Example
Nickname ieditedtheconfig
ContactInfo Random Person <random-person AT example dot com>
# Run Tor only as a server (no local applications)
SocksPort 0
ControlSocket 0
To modify your Tor configuration, create another folder containing your configs and create a *.conf file, e.g.
mkdir -vp tor-config
nano tor-config/mynode.confThen mount your customized Tor config from the current directory of the host into the container with this command:
docker run -d --init --name=tor-node --net=host --restart=always \
-v $PWD/tor-config:/etc/torrc.d:ro \
-v tor-data:/var/lib/tor \
else/tor-node
When upgrading your Tor relay, or moving it on a different computer, it is important part to keep the same identity keys. Keeping backups of the identity keys so you can restore a relay in the future is the recommended way to ensure the reputation of the relay won't be wasted.
mkdir -vp tor-data/keys/ && \
docker cp tor-node:/var/lib/tor/keys/secret_id_key ./tor-data/keys/ && \
docker cp tor-node:/var/lib/tor/keys/ed25519_master_id_secret_key ./tor-data/keys/
You can also reuse these identity keys from a previous Tor relay server installation, to continue with the same Fingerprint and ID, by inserting the following lines, in the previous command:
-v $PWD/tor-data/keys/secret_id_key:/var/lib/tor/keys/secret_id_key \
-v $PWD/tor-data/keys/ed25519_master_id_secret_key:/var/lib/tor/ed25519_master_id_secret_key \
Adapt the example docker-compose.yml with your settings or clone it from Github. By default it will start the tor node as well as a Watchtower instance to keep the container updated.
- Configure the
docker-compose.ymland optionally the custom config file with your individual settings. Possibly installgitfirst.
cd /opt && git clone https://github.com/elsbrock/tor-node.git && cd tor-node
nano docker-compose.yml
- Start a new instance of the Tor relay server and display the logs.
docker-compose up -d
docker-compose logs -f
No commands can be executed inside the container since it is missing a userland. You can expose the ControlPort via a custom config to connect from other containers to it.
If your host supports IPv6, please enable it! The host system needs to have IPv6 activated. From your host server try to ping any IPv6 host: ping6 google.com Then find out your external IPv6 address with this command (from dnsutils):
dig +short -6 myip.opendns.com aaaa @resolver1.ipv6-sandbox.opendns.com
If that works fine, activate IPv6 for Docker by adding the following to the file daemon.json on the docker host and restarting Docker.
- use the IPv6 subnet/64 address from your provider for
fixed-cidr-v6
nano /etc/docker/daemon.json
{
"ipv6": true,
"fixed-cidr-v6": "21ch:ange:this:addr::/64"
}
systemctl restart docker && systemctl status docker
The sample Tor relay server configurations use network_mode: host which makes it easier to use IPv6.
- Next make your Tor relay reachable via IPv6 by adding the applicable IPv6 address at the ORPort line in your custom Tor configuration:
nano tor-config/mynode.conf
# should contain
# ORPort [IPv6-address]:9001
- Restart the container and test, that the Tor relay can reach the outside world:
docker-compose restart
docker-compose logs
You should see something like this in the log: [notice] Opening OR listener on [2200:2400:4400:4a61:5400:4ff:f444:e448]:9001
- IPv6 info for Tor and Docker:
- A Tor relay operators IPv6 HOWTO
- Walkthrough: Enabling IPv6 Functionality for Docker & Docker Compose
- Basic Configuration of Docker Engine with IPv6
- Docker, IPv6 and –net=”host”
- Docker Networking 101 – Host mode
- When using the host network driver for a container, that container’s network stack is not isolated from the Docker host. If you run a container which binds to port 9001 and you use host networking, the container’s application will be available on port 9001 on the host’s IP address.
Links how to install
After the installation process is finished, you may need to enable the service and make sure it is started (e.g. CentOS).
systemctl enable docker
systemctl start docker
Please use the latest Docker engine available (do not use the possibly outdated engine that ships with your distro's repository).
- MIT
Credits go out to
- chriswayg/tor-server used as the basis for this image
- Arch Linux Tor package