- tor-relays - lists.torproject.org

recommended way to run 0.4.7 on armhf?
by ilf 25 Nov '23

25 Nov '23

What's the recommended way to run 0.4.7 on armhf? > The package repository [deb.torproject.org] does not offer 32-bit ARM > architecture (armhf) images (yet). https://support.torproject.org/apt/tor-deb-repo/ Debian has 0.4.7 in bullseye-backports. But Raspbian doesn't have bullseye-backports: http://raspbian.raspberrypi.org/raspbian/dists/ -- ilf If you upload your address book to "the cloud", I don't want to be in it.

3 6

obfs4 bridge current setup is not entirely clear
by s7r 13 Nov '23

13 Nov '23

Hi, I ran into some new IP space and I decided to change a cluster of obfs4 bridges that are more than 4 year old. When I set them up I don't remember spending so much time. So, Debian latest and Tor latest from deb.torproject.org nightly. GoLang from the official website (as it's the latest version) and obfs4proxy cloned from its default git repository. 1. The page at https://community.torproject.org/relay/setup/bridge/debian-ubuntu/ needs a small revision. This page must be changed, for Debian it doesn't work simply $ edit tor@.service tor(a)default.service , change to NoNewPrivileges=no, save and quit. For me it only worked by editing /lib/systemd/system/tor@.service and /lib/systemd/system/tor(a)default.service with NoNewPrivileges=no and then: $ sudo systemctl daemon-reload. Setcap command is ok but it also need to mention to install the package in Debian libcap2-bin as well as an additional step: Under Debian, if obfs4proxy is installed in a different place, for example like in its git documentation /usr/local/bin/obfs4proxy then you also need to edit this file: /etc/apparmor.d/abstractions/tor and add one line (or change the default obfs4proxy line to): /usr/local/bin/obfs4proxy Pix, Substitute path if different and then: $ sudo systemctl restart apparmor. ------------------------------------------------ 2. It was recommended on the mail list that obfs4 bridges should not open their ORPorts publicly to prevent scanning the entire 1-65536 port range and determine it's a Tor bridge. OK. But if you try: ORPort 127.0.0.1:auto ORPort [::1]:auto AssumeReachable 1 # needed to skip ORPort reachability test Tor will start but it will constantly complain in the log with: [warn] The IPv4 ORPort address 127.0.0.1 does not match the descriptor address REAL_IPv4_ADDRESS. If you have a static public IPv4 address, use 'Address <IPv4>' and 'OutboundBindAddress <IPv4>'. If you are behind a NAT, use two ORPort lines: 'ORPort <PublicPort> NoListen' and 'ORPort <InternalPort> NoAdvertise'. [warn] The IPv6 ORPort address ::1 does not match the descriptor address REAL_IPv6_ADDRESS. If you have a static public IPv4 address, use 'Address <IPv6>' and 'OutboundBindAddress <IPv6>'. If you are behind a NAT, use two ORPort lines: 'ORPort <PublicPort> NoListen' and 'ORPort <InternalPort> NoAdvertise'. I guess it's OK to continue to run it even with this as I do understand the log messages and it's the desired effect, but isn't it confusing for less experienced users? They might think something is wrong when it is not. The recommended way is to add a simple logic to skip that check, because we can't remove it, it's vital necessary for relays (not bridges) behind NAT or dynDNS or whatever. So if BridgeRelay 1 is set and $some_transport enabled, ignore the ORPort and descriptor check / log. and instead check the pluggable transport if port open and listening. Or even better, code a pluggable transport port reachability test before building and uploading the descriptor, by cloning the code that does this for ORPorts to the pluggable transport ports. This would need a proposal that covers all use cases. 3. ServerTransportListenAddr can be used just once and it's difficult for dual-stack which is now the vast majority. It's known for many years that each pluggable transport supports just one ServerTransportListenAddr line, the second one is simply ignored. Tickets for this exist. So what is the best way to for an user to open both IPv4 and IPv6 pluggable transport ports? In Debian I have achieved it by using as wildcard ServerTransportListenAddr [::]:80 since the wildcard [::] under Debian binds to all IPv4 and IPv6 addresses on all interfaces, but this might not be the same for all operating systems. Also, how does BridgeDB determine in case wildcard [::] is used if the pluggable transport is IPv4, IPv6 or both? Which one is used when BridgeDB sends this bridge to clients?

3 4

Relay no longer acting as a gaurd node?
by Jonathan Proulx 12 Nov '23

12 Nov '23

Hi All, A little while ago one of my relays switched from usually acting as a guard node to never acting as a guard node: https://metrics.torproject.org/rs.html#details/9715C81BA8C5B0C698882035F75C… Doesn't matter to me if it's a guard or not jsut want to understand what's changed and if it's a problem. Do I have a misconfiguration? -Jon

6 5

"Failed to find node for hop #1 of our path"
by William Denton 12 Nov '23

12 Nov '23

Lately my relay hasn't been seeing much traffic, which I didn't notice for a while, but now I'm turning my attention to it. I just updated to 0.4.8.9 and see these notices (with some lines cut out): [all the startup stuff looks normal, ending with success] Nov 09 13:07:31.000 [notice] External address seen and suggested by a directory authority: 24.212.137.85 Nov 09 13:08:29.000 [notice] Self-testing indicates your ORPort 24.212.137.85:9001 is reachable from the outside. Excellent. Publishing server descriptor. Nov 09 13:10:39.000 [notice] Performing bandwidth self-test...done. [but then] Nov 09 13:36:42.000 [notice] Tor has not observed any network activity for the past 521 seconds. Disabling circuit build timeout recording. Nov 09 13:38:03.000 [notice] Failed to find node for hop #1 of our path. Discarding this circuit. Nov 09 13:38:03.000 [notice] Our circuit 0 (id: 151) died due to an invalid selected path, purpose Hidden service: Pre-built vanguard circuit. This may be a torrc configuration issue, or a bug. Nov 09 13:39:24.000 [notice] Failed to find node for hop #1 of our path. Discarding this circuit. Nov 09 13:40:10.000 [notice] Failed to find node for hop #1 of our path. Discarding this circuit. [later] Nov 09 14:01:27.000 [notice] Failed to find node for hop #1 of our path. Discarding this circuit. Nov 09 14:01:34.000 [notice] Tor now sees network activity. Restoring circuit build timeout recording. Network was down for 2013 seconds during 43 circuit attempts. Nov 09 14:02:35.000 [notice] No circuits are opened. Relaxed timeout for circuit 2627 (a Measuring circuit timeout 3-hop circuit in state doing handshakes with channel state open) to 60000ms. However, it appears the circuit has timed out anyway. Nov 09 14:02:44.000 [notice] Tor has not observed any network activity for the past 66 seconds. Disabling circuit build timeout recording. Nov 09 14:04:03.000 [notice] Failed to find node for hop #1 of our path. Discarding this circuit. Nov 09 14:06:24.000 [notice] Failed to find node for hop #1 of our path. Discarding this circuit. There are hundreds of those notices about failing to find a node for hop #1. (I don't know why it complains about the network being down to 2013 seconds (over half an hour), because I didn't notice anything, but there were scores of the same warnings before that.) What would cause this, or what could I do to identify the problem? Bill Denton -- William Denton https://www.miskatonic.org/ Librarian, artist and licensed private investigator. Toronto, Canada CO₂: 419.18 ppm (Mauna Loa Observatory, 2023-11-07)

2 1

Re: [tor-relays] Relay no longer acting as a gaurd node?
by denny.obreham＠a-n-o-n-y-m-e.net 12 Nov '23

12 Nov '23

On 11/9/23 16:03, Jonathan Proulx wrote: > A little while ago one of my relays switched from usually acting as a > guard node to never acting as a guard node: > > https://metrics.torproject.org/rs.html#details/9715C81BA8C5B0C698882035F75C… > > > Doesn't matter to me if it's a guard or not jsut want to understand > what's changed and if it's a problem. Do I have a misconfiguration? I had a similar event about a month ago and everything came back to normal on its own. I found that the following answer to my question on this mailing list was very helpful: https://lists.torproject.org/pipermail/tor-relays/2023-September/021334.html

1 0

Money for relay operators and email addresses
by code9n＠pm.me 04 Nov '23

04 Nov '23

tl;dr: Paying relay operators - yes, once it's decided how to share out the money. Requiring valid email addresses - yes. imo s. It goes against the purely altruistic bit of me to say this but I definitely see the advantage of paying relay operators. I run one pretty powerful relay on a commercial vps, costs me around $200 a year. I'd run more but the money starts to pile up . . . so if I got significant enough recompense I would run more - good for Tor. Also, has it been decided exactly how the money will be shared out? If it's on the number or relays you operate that will incentivize many slow, weak relays at the expense of a few fast, good ones - bad for Tor. If it's on advertised bandwidth, is that hack-able? It changes over time, do you take the average? The figure on accounting day? Do you go on the bytes per second? Terabytes per month? The consensus weight? Do you pay more for exit nodes as they're more 'useful', more, valuable to the network as a whole? How about guards as opposed to middle, or bridges, snowflakes, etc.? Do you reward / penalize operators for / not keeping their relays up to date, etc.? Also paying for nodes could make it more viable for three letter agencies, etc. to run more relays, but I doubt it's about money for them as much as it is for us. Or for relay abusers like those that were stealing crypto wallet creds. On the whole it's probably better for tor to pay than not to, imo, (from the relay operators donations pot). Or someone could run a DoS attack by earning a significant proportion of all the money in the pot then shutting down their relays all at once. Especially if the network grows to rely on the donations money. All of this 'sharing out donations money' thing is moot if the amount of money we'd each receive is trivial compared to the cost of running relays . . . xxxxxxxxxxxxxxxxxxxx On the subject of requiring valid email addresses, I can't see any good reason not to do so. It would be quite difficult to run a relay completely anonymously, especially if you have to pay for anything. If you can achieve that, an email address that's not link-able to you shouldn't be beyond your ability. And there are potentially occasions when Tor might want to contact you discreetly. If you're doing something foolish or wrong do you really want it pointed out in a general announcement? My only reservation would be regarding receiving spam but as, I think it was @Boldsuck, said, that's not much of an issue in practice.

1 0

Please upgrade to new Tor release 0.4.7.16 or 0.4.8.8 ASAP!
by gus 03 Nov '23

03 Nov '23

Dear relay operators, Today (2023-11-03) the Network Team has released new Tor versions 0.4.7.16 and 0.4.8.8[1]. These updates contains a fix to a remote crash bug (TROVE 2023 004). It is highly recommended that all relay operators upgrade to the new versions as soon as possible to maintain the network stability and security. For those running their Tor relay using the Tor Debian repository, expect the new deb package to be available soon. The patches prevents the issue from causing a crash in Tor. However, it will make Tor more noisy when the bug is triggered, including logging information about the remote peer that is the source or destination of the circuit in the path. Such information is important for our developers to diagnose the specific invariant within Tor's TLS logic that does not hold. Eventually, a new version of Tor will need to be released in the future that will remove the verbose logging of this issue. Please note that this bug is specific to Tor relays and does not impact Tor clients or Tor powered apps (Tor Browser, Orbot, OnionShare). Thank you, Gus [1] https://forum.torproject.org/t/security-release-0-4-7-16-and-0-4-8-8/10064 -- The Tor Project Community Team Lead

1 0

Proposal: Restrict ContactInfo to Mandatory Email Address
by Georg Koppen 01 Nov '23

01 Nov '23

Hello everyone! As indicated in our bug tracker a while ago[1] we have some strong incentives to redo our ContactInfo field. I've collected all the different use cases and combined them in a single proposal, discussing some potential concerns and future work we could get built upon it. The work is tracked on Gitlab as well[2] feel free to provide feedback there or here on the list as a follow-up to this announcement. For your convenience the proposal text is included below (if you like reading the .md file on Gitlab, see my personal repository for the latest draft[3]). """ ``` Filename: 100-contactinfo-mandatory-email-address.md Title: Restricting ContactInfo to Mandatory Email Address Author: Georg Koppen Created: 2023-10-21 Status: Open ``` ## Overview This document proposes to change the ContactInfo field from a free text field to one that is only allowing an email address. Additionally, providing such an email address will be required after this proposal is implemented. This is a normative document. ## Motivation Being able to reach out to and contact relay operators (bridge operators are included in that group) is important for our day-to-day work at Tor. While this has been brought up in the past as helpful in our fight against malicious relays, it goes well beyond that use case and is affecting general network health work, community-building efforts and quickly deploying anti-censorship related security fixes among other things. Tor is providing a `torrc` configuration option, `ContactInfo`, which is supposed to contain an email address (potentially obfuscated) under which the relay operator may be reached. However, in practise this does not work very well for two reasons: 1. `ContactInfo` is a free-form field which allows the operator to include not just email addresses but essentially any kind of text they want. This results in a lot of overhead when trying to contact all operators and failures to do so because not everything added to `ContactInfo` is a way to actually contact operators or undoing `ContactInfo` obfuscation turns out to be too hard. 2. `ContactInfo` can be empty as it is not required for all operators and in cases where it is supposed to be required (e.g. for operators running more than one relay) the requirement is not enforced. Over the years different teams at Tor developed different workarounds to the issues mentioned above without addressing them directly. The goal of this proposal is to make those workarounds obsolete. ## Fixing ContactInfo As briefly mentioned in the [Overview section](#overview) the idea of this proposal is deceptively simple: `ContactInfo` will be turned into a field allowing just an email address, under which the operator can be reached. Moreover, providing such an address will be a requirement for all operators regardless whether they run one relay or many of them, or bridges. Why will we require an email address and not, say, a domain set up somewhere or an account on our forum instead? Firstly, a lot of those other potential options require a valid email address themselves in the first place and would therefore just raise the costs for relay operators. Secondly, email still scales way better than other alternatives allowing us to reach more people in less time. And, thirdly, email addresses are required anyway in other network related infrastructure parts, e.g. the RIPE database for IP address space allocation comes to mind or abuse contacts for dealing with potentially malicious Tor traffic/Tor users. Even though this proposal will not lay out the envisioned changes at a technical level (for that to happen we'll need a corresponding [tor-spec] proposal later on) there are a number of details to consider mainly stemming from the status quo existing for years and the accumulated usage patterns of the `ContactInfo` field "in the wild". The remainder of this proposal will be devoted to explain those details and address potential concerns related to them. ## Implementation The C-Tor codebase is in maintenance mode and not accepting any new features anymore (with a very narrow set of exceptions). We therefore plan to have this change included solely in the upcoming Arti relay work. Note: while we'll be using `ContactInfo` throughout this proposal it does no mean that the respective configuration option for Arti relay will be the same. It could just be [`contact`] or something else. The important point is that this proposal applies to whatever is providing the argument for the "contact" keyword in the server descriptor then. Requiring a syntactically correct email address in an Arti relay configuration option is necessary but not sufficient for our purposes. Otherwise `ContactInfo` values like `nobody(a)example.com`, which is used by some relays and bridges in the Tor network at the time of writing this proposal, would be acceptable. However, in that case there would be no way to get into contact with respective relay operators. We intend to solve that problem by deploying an email verification service: relays without a verified `ContactInfo` value won't be allowed on the network. ## Concerns There are some concerns related to this proposal which we should discuss and address where needed. The following sections will outline them and explain why (and how) we think they are non-issues or can be mitigated. ### Backward compatibility and breakage of external tooling What do we do with `ContactInfo` strings that are not email addresses already? The main goal should be to make the transitioning process to the new `ContactInfo` string as smooth and easy for relay operators as possible. The good news is that we plan to have a transitioning tool for the overall change of C-Tor relays to Arti relays anyway and having the `ContactInfo` change be part of that should help. Running an awareness campaign and providing up-to-date documentation to reach operators that need to fix (or even set up) their `ContactInfo` manually should further minimize the risk of losing relays in the network and volunteers running them to begin with. However, even if it were possible to extract an email address from the C-Tor relay configuration of any C-Tor relay or bridge without manual intervention by the operator there is another problem to consider: there is often additional information available in current `ContactInfo` strings, which sometimes external tools got built upon. One well-known example for that is [`OrNetStats`] which aims at displaying statistics related to relays and bridges in the Tor network. One important piece of it is grouping the displayed information around so-called Authenticated Relay Operator IDs (AROIs) were possible, which got developed in the [ContactInfo Information Sharing Specification] \(CIISS) and is making use of overloading the `ContactInfo` field with additional information besides an email address. While we can't avoid breaking tools when evolving the `ContactInfo` semantics we can provide ways for those tools to get adapted to the new reality. For that we propose to create an additional configuration option that includes the non-email address information in the `ContactInfo` field and is made public in extra-info descriptors. Even though we believe validated email addresses as proposed in this proposal together with the planned [happy families proposal] and [proposal 347] provide similar benefits as the AROI mechanism, and hence make it superfluous, if someone would still like to center their relays statistics around AROIs they could do so by extracting the necessary information from extra-info descriptors after this proposal got implemented. ### Spam Exposing an email address without obfuscation in the `ContactInfo` field is a potential spam risk which is why some operators have resorted to obfuscating it, often in very creative ways. However, we do think that those efforts are not effective if we want to retain a way of being able to reach operators by email. Moreover, our own and others' experience of running relays and providing an unobfuscated email address as `ContactInfo` shows that spam right now is actually not an issue. That might change in the future, though, which is why we strongly recommend to use a dedicated and long-term email address in the `ContactInfo` field. The long-term part is particularly important, as this proposal turns that email address into a validated relay operator ID, which is valuable for building trust over the longer run. ## Impact on relay operators and the growth of trust in the Tor network As can be seen in the previous sections, the proposed changes in this document can come with a cost for relay operators. However, we do not expect them to have a lasting impact on our relay operator community and the health of the network as those changes are mainly accompanied by a one-time transition cost that puts a burden on our current relay operators. And that one-time cost we try to keep as low as possible. Additionally, we might lose or alienate some of our current and potential new operators, as they might not want to provide any (verifiable) email address at all as a requirement for running relays, but rather prefer participation anonymously. However, in order to fight malicious relays we need to strengthen our community and get to build connections and contacts with each other, which is hard if there is no way to get into contact to begin with. As outlined at the begin of this document, a lack of contact information makes other day-to-day work at Tor hard or impossible as well. Thus, overall we believe providing a working email address when running relays is a small cost compared to the improvements of the health of our network and the safety of our users. There is another benefit which comes with this proposal: the validated email address can essentially work as a relay operator ID (similar to the above mentioned AROI). While we do deal with single relays or families of them when we are trying to determine whether they pose a danger to our users, what we are ultimately aiming at is the operator behind them. Having something like a relay operator ID does help with that part. But there is more: it allows us to think better about trust on the Tor network and how we might be able to implement ideas like "operator X is only allowed to run Y% of the Tor network" or "unknown operators are only allowed to run Z% of Tor's network capacity", to name just two. There are a number of proposals both [trust][torspec 103] [related][relay-search 40001] and [not trust-related][team 220] that would benefit from having relay operator IDs available. ## Acknowledgements Big thanks go to @gus and @ahf for discussions and feedback around this proposal idea, which improved this document considerably. [tor-spec]: https://gitlab.torproject.org/tpo/core/torspec [`contact`]: https://gitlab.torproject.org/tpo/core/arti/-/issues/870#note_2906252 [`OrNetStats`]: https://nusenu.github.io/OrNetStats/ [ContactInfo Information Sharing Specification]: https://nusenu.github.io/ContactInfo-Information-Sharing-Specification/ [happy families proposal]: https://gitlab.torproject.org/tpo/core/torspec/-/blob/82ba302230911cafd8683… [proposal 347]: https://gitlab.torproject.org/tpo/core/torspec/-/blob/523404500320ba9700fe5… [torspec 103]: https://gitlab.torproject.org/tpo/core/torspec/-/issues/103 [relay-search 40001]: https://gitlab.torproject.org/tpo/network-health/metrics/relay-search/-/iss… [team 220]: https://gitlab.torproject.org/tpo/network-health/team/-/issues/220 """ Thanks, Georg [1] https://gitlab.torproject.org/tpo/core/arti/-/issues/870 [2] https://gitlab.torproject.org/tpo/community/relays/-/issues/71 [3] https://gitlab.torproject.org/gk/policies/-/blob/prop100/100-contactinfo-ma…

3 3

Discuss. Why not split donations to Tor relay owners?
by torrrelays＠riseup.net 01 Nov '23

01 Nov '23

I provided some high speed Tor nodes (non-exits and guards) but I quit in this year to make some space for my other projects. I would continue collaborating by keep Tor nodes online if I receive some donation. Is it just me, because I received $0 for running those Tor relays. So my proposal is this: 1. make a donate-torrelay-owner.tpo website 2. let Tor relay owners link their PayPal/Striple/BitCoin/OpenCollective/AmazonPay/GooglePay/Whatever account 3. the Tor project and other good folks put money into the large bottle (donate-torrelay-owner website) 4. the donation then split by the participants & send to each accounts monthly By doing this, you are creating sustainable mechanism to keep Tor nodes running and other people who have access to their servers may join. More Tor nodes will be added to the network & owners get paid at least. Win-win. Please do this!

8 11

Re: [tor-relays] Proposal: Restrict ContactInfo to Mandatory Email Address
by denny.obreham＠a-n-o-n-y-m-e.net 31 Oct '23

31 Oct '23

On 10/31/2023 03:09 PM tor(a)nullvoid.me wrote .. > My only concern with your solution is anyone can pretend to be the owner of a relay. - What do you have to say to a relay owner that cannot be said publicly? - What do you have to say that needs a reply? In the rare cases where you would have a valid answer for the above questions, the actual email address in the ContactInfo is good enough, and - assuming there are none - you could ask to include a temporary code in the ContactInfo for authentification when someone contacts you on your request. The point is if you have to contact all relay operators, you don't need to look for their email addresses in ContactInfo. All you need is to post the message publicly, easily accessible by each relay owner (a personalized RSS feed comes to mind).

1 0