Tor Exit Relay Setup: Complete Operator Guide for 2026

A middle relay (non-exit) carries encrypted Tor traffic between guard and exit relays. It never connects to public internet destinations. Middle relays receive essentially no abuse complaints and are suitable for operators who want to contribute without operational risk. An exit relay connects to public internet destinations on behalf of Tor users. The exit relay's IP appears in destination server logs. Exit relays receive: DMCA notices (users accessing copyrighted content), abuse reports from server operators, spam-related complaints (if Tor users send spam via the exit), and occasionally law enforcement inquiries. The Tor Project actively needs more exit relays: exit bandwidth is the scarcest resource. Running an exit relay provides the most direct benefit to Tor users.

The exit policy defines which destination IPs and ports your relay will allow. Permissive exit policy (reject private; accept *): allows connection to any public internet destination on any port. The most impactful configuration, but generates the most abuse complaints. Reduced exit policy: a curated policy that allows common, low-abuse ports while blocking high-abuse ports. The Electronic Frontier Foundation's recommended exit policy: accept common web, email, and messaging ports (80, 443, 993, 995, 143, 22, 21, 25, 465, 587, etc.) and reject known high-abuse ports (BitTorrent ports, direct SMTP to port 25 to prevent spam relaying). A specific reduced policy is published at the EFF's Tor relay operator guide. Minimal exit: accept only port 80 and 443 (web traffic). Minimal abuse exposure, lower impact than full exit, but still classified as an exit relay and significantly more valuable than a middle relay.

Many hosting providers prohibit Tor relay operation in their terms of service. Exit relay operators face additional restrictions because abuse complaints arrive at the provider's abuse desk. Suitable hosting for exit relays: dedicated servers (not shared hosting), providers with explicit Tor relay policies (some providers support or tolerate relay operation), and providers with abuse handling procedures that understand Tor. Dedicated IP addresses: run the exit relay on an IP separate from any other services - this isolates abuse complaints to the relay's IP and prevents cross-contamination. Reverse DNS: set the rDNS for the relay's IP to something that indicates it is a Tor exit relay (e.g., tor-exit.yourdomain.com). This informs server operators who receive connections from your IP that it is a Tor relay, reducing false abuse reports.

Abuse complaints are routine for exit relay operators. Standard response: maintain a standard response letter that explains Tor exit relay operation, cites the Tor Project's documentation, and provides contact information for the Tor Project. Forward the response to the abuse reporter. Many reporters accept this explanation and no further action is required. Template response text is available in the Tor Project's exit relay documentation. DMCA notices: for DMCA notices, the same explanation applies - Tor exit relays cannot identify the Tor user who made the copyright-infringing request. The Digital Millennium Copyright Act's safe harbor provisions may protect exit relay operators. Consult legal counsel familiar with your jurisdiction. Law enforcement inquiries: if you receive a request from law enforcement for user data, contact the Electronic Frontier Foundation or a qualified local attorney. Exit relays cannot provide user data (Tor's design prevents this), but legal guidance is essential for formal legal process.

Before running an exit relay: document that your relay is a Tor exit relay (not a proxy for your own traffic), keep records of your relay's fingerprint and operation dates, have legal counsel familiar with your jurisdiction available if needed, and inform your internet provider proactively (some providers will terminate without warning if surprised by abuse complaints). The EFF maintains a legal FAQ for exit relay operators (US-focused). European operators should consult local digital rights organizations. Riseup.net maintains resources for relay operators in various jurisdictions. Hosting in privacy-friendly jurisdictions (Iceland, Netherlands) where providers have experience with Tor relay operation provides more stable hosting.