Questions about running an exit relay
Hi dear list,

I hope I am in the correct place for my questions regarding my tor setup.

I am currently running a guard/middle relay on a vServer. The relay runs inside a docker container, exposing OrPort and DirPort externally and ControlPort and MetricsPort internally. On the same machine, but in different docker networks (except for prometheus for metrics), multiple other containers providing my personal infrastructure are running. All of them run behind caddy, which only forwards requests coming to specific subdomains on a specific domain.

First of all: Is this already a bad idea? Do you separate tor relays and personal infrastructure physically or in VMs instead of containers?

Now, as netcup is my provider and they seem to tolerate exit nodes, I am thinking about allowing exits. I assume this would increase visibility of my server and maybe attract more attention. Knowing the IP address of the tor node, it could be possible to find other domains pointing to it (the PTR record however points to an irrelevant entry) and maybe find the subdomains leading to (still login-protected) infra. Do you think this is a reason not to open the relay for exits?

I only have a single IPv4 address to use, additional addresses would imply additional costs. However, I do have a /64 block of IPv6 addresses. For IPv6, I could separate the tor address from the address used personally and therefore make it impossible to reach anything except tor over the designated address and covert any other domains, as they won't be associated with the tor address. Do you think this would be needed/enough? In this case, I would restrict the relay to IPv6-only exits.

I am sorry if I could have found more information in the docs, but everything that I did find did not answer my questions enough.

Kind regards.
Hello. tor@rehcamp.de wrote:
> First of all: Is this already a bad idea? Do you separate tor relays and personal infrastructure physically or in VMs instead of containers?
It really depends on your setup and what its primary purpose is. If you are planning to run multiple high-capacity relays and that is the whole purpose of your setup, then I wouldn't use containers due to incurred overhead. But there's nothing fundamentally wrong with running one that way. You don't even need to run it in a container: On Debian at least, the daemon will run unprivileged and with an AppArmor sandbox.
> Now, as netcup is my provider and they seem to tolerate exit nodes, I am thinking about allowing exits. I assume this would increase visibility of my server and maybe attract more attention.
More than a decade ago, this might have been an issue back before Tor was mainstream. Nowadays, most people who are likely to encounter your IP, including IP reputation databases, know what Tor is. Thousands of people around the world run exits, so it's not going to draw personal attention, just automated attention (e.g. DMCA notices, but as you say, Netcup is tolerant of that).
> Do you think this is a reason not to open the relay for exits?
No, it should be fine unless there are other circumstances in play where you would want to hide the fact that the server is running an exit. If all your other domains are personal use (i.e. there are no business policies that are being violated if you run corporate infrastructure), then there's no significant problem. That is, unless you run a self-hosted mail server. In that case, outgoing emails will always get marked as spam since they'll share the IP of an exit! I'm not familiar with Netcup's policies (I don't use them because they already make up a significant fraction of Tor's bandwidth), but you will want to make sure that your data is backed up, just on the off chance that the service is terminated for abuse.
> Do you think this would be needed/enough? In this case, I would restrict the relay to IPv6-only exits.
Relays can't be IPv6-only yet. Even if you can use IPv4 for your ORPort and IPv6 for the actual exiting traffic, the ORPort is public. I think there's really no need to do that. It might actually make things worse if some site sees the IPv6 address and naïvely searches a database of ORPorts, fails to find that IPv6 there (because you are only exposing an IPv4 ORPort), and concludes that it's not an exit but is genuinely a malicious host. If anything, you *want* the extra "attention" because it screams "I am not in control of this traffic, I am just an exit relay".

All the usual exit relay caveats apply, of course, but so long as you are running on a provider that is exit-friendly and you don't care about the reputation of that IP address (which is only really relevant if you are self-hosting a mail server there), it should be completely fine to run an exit relay.

But please remember to either use Netcup's own DNS server (if it has one) or a DoT/DoH server, not unencrypted 8.8.8.8. I personally run my own local recursive DNS resolver (Unbound), but that requires a second IPv4 address and you only have one. I'd be happy to open it up over DoT so you can use it. It uses DNSSEC so it doesn't have to be trusted.

And thank you for considering running an exit!

Regards,
forest
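An added example, not part of forest's reply and not Tor's own code: a small Python evaluator for torrc ExitPolicy lines that shows how the "IPv6-only exiting" setup discussed above behaves: exit traffic is restricted to IPv6 destinations with `reject *4:*` while the IPv4 ORPort stays public and reachable. It assumes Tor's documented first-match semantics and the `*`, `*4` and `*6` wildcards; the bracketed IPv6 literal form, the sample policies and the destination addresses are constructed for illustration. Unmatched destinations are treated as rejected here, whereas real Tor appends its own default exit policy after your lines, which is why a policy should end in an explicit `accept *:*` or `reject *:*`.

```python
import ipaddress
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
# One parsed ExitPolicy rule: action, address-family restriction (None, 4 or 6),
# network (None means "any address"), and an inclusive port range.
Rule = Tuple[str, Optional[int], Optional[Network], int, int]


def parse_rule(line: str) -> Rule:
    """Parse one torrc ExitPolicy entry such as 'reject *:25' or 'accept *6:443'."""
    action, _, target = line.strip().partition(" ")
    action = action.lower()
    if action not in ("accept", "reject", "accept6", "reject6"):
        raise ValueError(f"unknown action in rule: {line!r}")
    # accept6/reject6 apply to IPv6 destinations only.
    family: Optional[int] = 6 if action.endswith("6") else None
    action = action.rstrip("6")

    # Split address from port. IPv6 literals are assumed to be written in
    # brackets, e.g. [2001:db8::]/32:80 (assumption about torrc syntax).
    if target.startswith("["):
        addr_part, _, rest = target[1:].partition("]")
        mask, _, port_part = rest.partition(":")
        addr = addr_part + mask
    else:
        addr, sep, port_part = target.rpartition(":")
        if not sep:
            addr, port_part = target, "*"
    if port_part == "":
        port_part = "*"

    # Address wildcards: '*' any, '*4' any IPv4, '*6' any IPv6, else a CIDR network.
    network: Optional[Network] = None
    if addr == "*":
        pass
    elif addr in ("*4", "*6"):
        family = int(addr[1])
    else:
        network = ipaddress.ip_network(addr, strict=False)
        family = network.version

    # Port wildcard, single port, or inclusive range.
    if port_part == "*":
        lo, hi = 1, 65535
    elif "-" in port_part:
        lo_s, hi_s = port_part.split("-", 1)
        lo, hi = int(lo_s), int(hi_s)
    else:
        lo = hi = int(port_part)
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range in rule: {line!r}")
    return action, family, network, lo, hi


def exit_allowed(policy: List[str], dest_ip: str, dest_port: int) -> bool:
    """First matching rule wins. Destinations matched by no rule are rejected
    here; real Tor appends its own default policy after the operator's lines."""
    dest = ipaddress.ip_address(dest_ip)
    for line in policy:
        action, family, network, lo, hi = parse_rule(line)
        if family is not None and family != dest.version:
            continue
        if network is not None and dest not in network:
            continue
        if not (lo <= dest_port <= hi):
            continue
        return action == "accept"
    return False


# Constructed sample policies (not taken from the thread).
REDUCED_POLICY = [
    "reject *:25",   # no outbound SMTP from the exit
    "accept *:80",
    "accept *:443",
    "reject *:*",
]

# "IPv6-only exiting": only traffic leaving the relay is limited to IPv6
# destinations; the relay still needs a public IPv4 ORPort, and the torrc
# additionally needs 'IPv6Exit 1' for IPv6 exiting at all.
IPV6_ONLY_POLICY = [
    "reject *4:*",
    "reject6 [2001:db8::]/32:*",   # constructed: an IPv6 range never exited to
    "accept *6:80",
    "accept *6:443",
    "reject *:*",
]

if __name__ == "__main__":
    for policy_name, policy in (("reduced", REDUCED_POLICY), ("ipv6-only", IPV6_ONLY_POLICY)):
        for ip, port in (("203.0.113.5", 443), ("fd00::1", 443), ("2001:db8::1", 443)):
            print(policy_name, ip, port, "->", "accept" if exit_allowed(policy, ip, port) else "reject")
```

Run it and the IPv4 destination is rejected under the IPv6-only policy while the ULA address is accepted on 443, which is exactly the asymmetry forest points out: sites reached over IPv6 see an address that is not listed as an ORPort anywhere.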
On 29.12.2025 at 14:19:19, tor--- via tor-relays wrote:
> I only have a single IPv4 address to use, additional addresses would imply additional costs. However, I do have a /64 block of IPv6 addresses. For IPv6, I could separate the tor address from the address used personally and therefore make it impossible to reach anything except tor over the designated address and covert any other domains, as they won't be associated with the tor address.
TOR exits are often on blacklists because abusers use TOR to hide their identity. If you use your machine as an outbound proxy for web traffic or as an outgoing mail server, you might encounter issues. I've also heard about DNS servers blacklisting TOR exits.

--
Regards
Marco
Send unsolicited bulk mail to 1767014359muell@cartoonies.org
Marco Moock via tor-relays wrote on 1/1/26 10:16:
> TOR exits are often on blacklists because abusers use TOR to hide their identity.

Unfortunately, plenty of times non-exit nodes are blacklisted too. Apparently the blacklisting services don't bother differentiating the two. Italian public and state services are often unreachable from the IP of a non-exit node.
--
Marco
https://metrics.torproject.org/rs.html#details/A4E74410D83705EEFF24BC265DE2B...
On Wednesday, December 31st, 2025 at 6:33 PM, tor--- via tor-relays <tor-relays@lists.torproject.org> wrote:
> First of all: Is this already a bad idea? Do you separate tor relays and personal infrastructure physically or in VMs instead of containers?
Many years ago I ran my Tor exit on a University-owned desktop (I work in academic IT). This was very much allowed and known. We received a court order to preserve the data on the system and were forbidden from informing the system owner, which was awkward since they had informed the system owner...

Since then I've always run my exit on a separate system on its own IP so if there were a legal demand to turn over "the system" it would really only be that system. I'm not a lawyer but I don't think docker provides enough isolation for that.

This is a pretty rare situation, and I think more rare now than it was before law enforcement came to understand Tor and the lack of useful information it has, but it's not impossible and definitely worth considering as a risk.

-Jon
On 02.01.2026 18:46 Jon via tor-relays <tor-relays@lists.torproject.org> wrote:
> We received a court order to preserve the data on the system and were forbidden from informing the system owner, which was awkward since they had informed the system owner...
Which data did they request?
> Since then I've always run my exit on a separate system on its own IP so if there were a legal demand to turn over "the system" it would really only be that system. I'm not a lawyer but I don't think docker provides enough isolation for that.
Can they forbid you from turning the relay off? If so, you could then operate a new "system" on another IP.

--
kind regards
Marco
Send spam to abfall1767375998@stinkedores.dorfdsl.de
participants (5)
- forest-relay-contact@cryptolab.net
- Jon
- Marco Moock
- Marco Predicatori
- tor@rehcamp.de