Over last few weeks I have been playing around with creating docker container to host a Tor node on one of my VPS servers.
As a result of those efforts I created a Github repository: https://github.com/wlk/docker-tor-relay with the Docker image, it’s also hosted on DockerHub here: https://hub.docker.com/r/wlkx/docker-tor-relay/ (and configured as
Both DockerHub and Github README provide enough information on how to use it, so I won’t go into details here, but I’ll focus on 2 Docker features that I used in this toy project.
There are many Tor images out there, but in my case I have made 2 changes.
Mounting volumes to persist state between container restarts
This is a well known Docker feature, you can share local volumes (directories or files) with the container and configure read or write access. This way when you restart the container or start new image with the same container, as long as you setup the same mount options your files will not be lost.
In this project I’m using volumes to persist Tor configuration and state across restarts, you can read more about this feature here: https://docs.docker.com/engine/tutorials/dockervolumes/#/mount-a-host-directory-as-a-data-volume
Running Docker container in a separate network
To achieve better security and isolation of the containers running on my host (remember that Tor container can be a one of many containers running on the same host) I have setup separate network to host Tor containers.
This feature is documented here: https://docs.docker.com/engine/userguide/networking/ if you’d like to know more, but I’m going to show how I configured it in my project:
Create separate network:
docker network create --driver bridge tor_network
This creates a separate network named
tor_network, you can see that it was created correctly:
$ docker network ls NETWORK ID NAME DRIVER SCOPE 9a142fb1d58a bridge bridge local 3d0b9d3ee2f6 host host local 1e28dc8c71af none null local f90795b99524 tor_network bridge local
bridge is the default one, so all containers started without network parameter specified will run in the same, default network
Run container in isolated network:
docker run -d \ --network=tor_network \ --restart always \ -p 9001:9001 \ wlkx/docker-tor-relay
--network=tor_network specifies that the container will be run in
- Verifying that it works
To check if this is working as expected I have inspected 2 containers on separate networks and I saw their IPs as:
Docker container: 172.19.0.2 Other container: 172.17.0.2
As you can see, these containers are running in separate networks without any connection between them, executing ping from one to the other fails with timeout, same for any network connectivity.
Using more advanced Docker features I was able to achieve better isolation between containers and in result better security.
docker-tor-relay is a very straightforward and save way if you’d like to help Tor network by running your own relay node.