The Tor Network relies completely on volunteers to route traffic from origin to destination.
If you plan to run an exit node, I recommend using a VPS from a privacy-friendly provider such as 1984Hosting [Link] (Iceland) or Njalla [Link] (Sweden). Refer to the reference list [Link].
TYPES OF TOR NODE
There are 3 main types of nodes:
- Guard
- The entry point of the Tor network.
- Relay
- Middle node.
- Exit
- Exit node to the public internet.
Other types, such as Bridges and Snowflakes, are non-advertised hosts that help prevent nations or organizations from blocking publicly listed nodes.
SETTING UP UNATTENDED UPGRADES
Prepare the server to automatically patch vulnerable applications and keep itself up to date.
sudo timedatectl set-timezone America/New_York sudo apt update && sudo apt upgrade -y sudo apt install unattended-upgrades apt-listchanges -y sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
Uncomment the following lines:
"${distro_id}:${distro_codename}-updates";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "17:00";
Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
Configure the auto-upgrade parameters:
sudo nano /etc/apt/apt.conf.d/20auto-upgrades
Replace the file content with:
APT::Periodic::Update-Package-Lists "1"; APT::Periodic::Unattended-Upgrade "1"; APT::Periodic::AutocleanInterval "5"; APT::Periodic::Verbose "1";
Test for errors:
sudo unattended-upgrades --dry-run sudo cat /var/log/unattended-upgrades/unattended-upgrades.log
Then activate Unattended-Upgrades:
sudo dpkg-reconfigure -plow unattended-upgrades
Answer YES to allow automatic download and installation of stable updates.
For Enterprise Linux derivatives (e.g., CentOS, Alma, Rocky), use yum-cron to handle package updates. Note that it does not automatically reboot the system when needed (e.g., after a kernel upgrade).
INSTALLING AND CONFIGURING THE TOR NODE
sudo apt update && apt upgrade -y sudo apt install apt-transport-https -y wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | sudo gpg --dearmor | sudo tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null echo 'deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] http://deb.torproject.org/torproject.org noble main' | sudo tee /etc/apt/sources.list.d/tor-priject.list sudo apt update && sudo apt install tor -y sudo nano /etc/tor/torrc
Append or replace the entire file content with:
Nickname NodeNick ORPort 443 ExitRelay 0 SocksPort 0 ControlSocket 0 ContactInfo [email protected]
Note: Setting ExitRelay to 1 will turn this node into an exit relay.
sudo systemctl restart tor@default sudo ufw enable sudo ufw allow 443 sudo ufw status
EXIT RELAY (only enable if you know what you are doing)
Set up a reverse DNS with a name containing “tor-exit”.
Add the following lines to the torrc configuration file:
ExitRelay 1 DirPort 80 DirPortFrontPage /var/www/index.html
Download the sample Exit Notice HTML page:
wget https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html -0 DirPortFrontPage /var/www/index.html
Allow traffic on port 80 through the firewall and restart the tor service:
sudo ufw allow 80 sudo systemctl restart tor@default
Install a fast, reliable, uncensored DNS resolver on localhost:
sudo apt install unbound -y sudo cp /etc/resolv.conf /etc/resolv.conf.backup echo nameserver 127.0.0.1 | sudo tee /etc/resolv.conf sudo chattr +i /etc/resolv.conf
Enable Unbound to start on boot:
sudo systemctl enable --now unbound
ADDITIONAL INFORMATION
The server should appear in the directory [Link] within 3 hours.
Each node goes through 4 phases in its lifecycle:
- 1st – 0 to 3 days
- Unmeasured
- 2nd – 3 to 8 days
- Remote Measurement
- 3rd – 8 to 68 days
- Ramping Up as a Guard Relay
- 4th – 68+ days
- Steady-state Guard Relay
Read more about the node lifecycle at [Link].
It is recommended to back up your Tor Identity Keys:
scp -r [email protected]:/var/lib/tor/keys .
Note: Port 22 may need to be allowed in the firewall before copying. Remember to block it afterward, or restrict access to a trusted source only.
Alternatives to running a Tor Node include Tor Bridge [Link] and Tor Snowflake [Link]. All types of volunteers are needed to keep the internet free and accessible.
TRAFFIC MONITORING AND LIMITING
Consider setting traffic limits to avoid overage fees from your ISP.
Append the following lines to /etc/tor/torrc:
AccountingStart day 0:00 AccountingMax 50 GBytes RelayBandwidthRate 25 MBytes RelayBandwidthBurst 100 MBytes
Note: Speed values are in Megabytes, not Megabits.
The graph below shows CPU and bandwidth usage for a new node under different configurations:

- A – Unmeasured (not relaying traffic yet).
- B – Remote Measurement followed by ramping up as a Guard Relay (traffic relayed progressively).
- C – A 35GB per-direction limit was applied to control total data usage.
- D – Both a daily limit and a speed cap of 1.5 MByte/s were applied, which resulted in higher CPU usage.
Do not be surprised if your node consumes 6TB of traffic (inbound + outbound) in under 3 days:

Monitor traffic in real-time with Tor Nyx [Link]:
sudo apt-get install nyx -y sudo nano /etc/tor/torrc
Append the following lines:
ControlPort 9051 CookieAuthentication 1
Restart Tor and launch Nyx:
sudo systemctl restart tor@default nyx
To run Nyx as another user, update the permissions of the token file:
sudo chmod 777 /run/tor/control.authcookie
Customize your Nyx console by editing:
nano .nyx/config
Examples can be found at [Link].
BONUS
As an alternative to unattended-upgrades, try uCareSystem [Link]:
wget https://github.com/Utappia/uCareSystem/releases/download/v25.07.22/ucaresystem-core_25.07.22_all.deb sudo apt install ./ucaresystem-core_*.deb sudo ucaresystem-core