[tor-relays] Exit Relay throughput

William Kane ttallink at googlemail.com
Sat Jun 20 13:26:04 UTC 2020


Also - 4000 connections sounds like your OS limiting the number of
open file descriptors. When I still used to run exit relays, it was at
least 6500 connections just for all the other Tor relays, which should
now be 7000.

You should at the very least allow 8192 open file descriptors.

If you launch Tor using systemd, use 'systemctl edit <service_name>'
to create an override such as:

[Service]
LimitNOFILE=8192

You might also want to raise the limits in limits.conf. The location
of this file might be different across different distributions, but
generally (at least on Debian and Arch Linux) you can find it at
/etc/security/limits.conf.

Don't forget to reboot.

2020-06-20 13:10 GMT, William Kane <ttallink at googlemail.com>:
> Tor already has code that avoids having multiple nodes from a single
> /16 range or from the same AS (correct me on that one if I'm wrong,
> not totally sure about it) in the same circuit, so as long as your
> MyFamily setting is set correctly, I see no problem here.
>
> Throughput is important as you will be able to serve more clients at
> once, so AES hardware acceleration and a CPU with very good single
> thread performance are important.
>
> However, running a high-capacity node under an AS like OVH or Hetzner
> has certain anonymity implications, since many Tor nodes are already
> being run there, a single wire-tap on their peers / up-streams
> is enough to capture the traffic of around 15-25% of all Tor nodes
> (got the numbers from the top of my head, for exact numbers check out
> Tor Metrics @ https://metrics.torproject.org/networksize.html).
>
> Ideally go for a hoster in an uncommon, underdeveloped (Tor-wise)
> country that only hosts a handful, if any, of Tor Nodes and colocate
> if you have the hardware, time and money - this helps spread out Tor
> nodes across as many countries as possible, which makes it harder for
> adversaries to control all of Tor's traffic at once.
>
> You should also allocate a small IP range for yourself, and ask them
> to modify the whois so it shows an e-mail address you control as the
> abuse address.
>
> Hope this was helpful.
>
> William
>
> 2020-06-20 12:30 GMT, torix at protonmail.com <torix at protonmail.com>:
>> Dear List,
>>
>> How important is the throughput on an exit relay? I realize that more is
>> always better, making it harder to associate exit packets with input ones
>> at the other end. My numbers: For the same price I can buy 2 exit relays
>> that run about 3500 to 4000 connections or one that runs about 4300 to
>> 4700 connections. The actual daily throughput varies a good deal, but the
>> cheaper ones show about 15-20% less throughput, at around 330 GiB/day when
>> I look at vnstat.
>>
>> Can I assume 2 is almost always better than one? Or is there a threshold
>> below which packets are too easily tracked? I have no common sense about
>> this.
>>
>> TIA,
>>
>> --Torix
>>
>> Sent with [ProtonMail](https://protonmail.com) Secure Email.
>
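
A check that goes with the file descriptor advice at the top of this message, added here as an example and not part of the thread: it reads the "Max open files" row of /proc/<pid>/limits to confirm the limit a running process actually received and how close its open descriptors are to it. The function names, the 90% warning threshold and the sample table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): verify the open-file limit a running
# process actually has, using the "Max open files" row of /proc/<pid>/limits.

TARGET=8192   # minimum number of descriptors suggested in the message

# Constructed sample of /proc/<pid>/limits for a service left at a 4096 limit.
sample_limits() {
cat <<'EOF'
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max open files            4096                 4096                 files
Max locked memory         65536                65536                bytes
EOF
}

# Read a limits table on stdin and print the soft open-file limit.
nofile_soft() {
    awk '$1 == "Max" && $2 == "open" && $3 == "files" { print $4 }'
}

# verdict SOFT USED -> LOW (below TARGET), NEAR (>= 90% in use) or OK
verdict() {
    soft=$1
    used=$2
    if [ "$soft" = "unlimited" ]; then echo OK
    elif [ "$soft" -lt "$TARGET" ]; then echo LOW
    elif [ $((used * 10)) -ge $((soft * 9)) ]; then echo NEAR
    else echo OK
    fi
}

# Live check for one PID; needs read access to /proc/PID/fd (owner or root).
check_pid() {
    soft=$(nofile_soft < "/proc/$1/limits")
    used=$(ls -A "/proc/$1/fd" | wc -l)
    echo "pid=$1 soft=$soft used=$used verdict=$(verdict "$soft" "$used")"
}

if [ -n "${1:-}" ]; then
    check_pid "$1"                      # e.g. sh check.sh "$(pidof tor)"
else
    soft=$(sample_limits | nofile_soft) # offline demo on the constructed sample
    echo "sample: soft=$soft verdict=$(verdict "$soft" 4000)"
fi
```

Run it with the relay's PID after restarting the service to confirm the override took effect; with no argument it evaluates the constructed sample.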

