Hi!
I'm having issues when implementing the NoAdvertise & NoListen options of the ORPort directive and am hoping someone here might be able to point me in the right direction.
I can get Tor to successfully work as a relay without using the NoAdvertise & NoListen options of the ORPort directive, but for certain reasons I need to configure Tor on a Private Address.
### ORPort WITHOUT NoAdvertise & NoListen (SUCCEEDS) ###
Note: Successful Self-testing logs WITHOUT NoAdvertise & NoListen
Aug 13 00:26:42.000 [notice] Self-testing indicates your ORPort 198.91.60.78:443 is reachable from the outside. Excellent. Publishing server descriptor.
Aug 13 00:27:49.000 [notice] Performing bandwidth self-test...done.
Note: Successful Self-testing torrc WITHOUT NoAdvertise & NoListen
# cat /tmp/torrc
Nickname ASUSWRTMerlinRelay
ORPort 198.91.60.78:443
SocksPort 9050
SocksPort 192.168.0.1:9050
ControlPort 9051
ExitRelay 0
DirCache 0
MaxMemInQueues 192 MB
GeoIPFile /opt/share/tor/geoip
Log notice file /tmp/torlog
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 192.168.0.1:9040
DNSPort 192.168.0.1:9053
RunAsDaemon 1
DataDirectory /tmp/tor/torrc.d/.tordb
AvoidDiskWrites 1
User tor
ContactInfo tor-operator@your-emailaddress-domain
Note: Nyx shows Tor building the initial 5 measurement circuits and then successfully continuing to build new circuits
# nyx
nyx - gnutech-wap01 (Linux 2.6.36.4b...)   Tor 0.4.5.7 (recommended)
ASUSWRTMerlinRelay - 198.91.60.78:443, Control Port (open): 9051
cpu: 30.4% tor, 62.1% nyx   mem: 53 MB (21.4%)   pid: 14372   uptime: 05:18
fingerprint: 02DD61E41B3739C629C5CF8CEBA6000290BC3E7B
flags: Fast, Running, Valid
page 2 / 5 - m: menu, p: pause, h: page help, q: quit
Connections (807 outbound, 9 circuit, 1 control):
Note: Openssl s_client is successfully CONNECTED to the Public Address
# openssl s_client -connect 198.91.60.78:443
CONNECTED(00000003)
depth=0 CN = www.uy24fd6wkrzss.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = www.uy24fd6wkrzss.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=www.uy24fd6wkrzss.net
   i:/CN=www.bu5cm42gttwqzick.com
---
Server certificate
subject=/CN=www.uy24fd6wkrzss.net
issuer=/CN=www.bu5cm42gttwqzick.com
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1058 bytes and written 428 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
    Session-ID-ctx:
    Master-Key: BC7B6CA79A1466768EAE37C7D591FB57F2D351E75B4C43AB16C8B8CBCBEB8E4BA4EDE2FEED8D4036D045F42F3F029585
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1628842910
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
However, Tor fails to work as a relay when using the NoAdvertise & NoListen options of the ORPort directive, even though Openssl s_client is successfully CONNECTED to the Public Address.
### ORPort WITH NoAdvertise & NoListen (FAILS) ###
Note: Failed Self-testing logs WITH NoAdvertise & NoListen
Aug 13 01:01:46.000 [notice] Now checking whether IPv4 ORPort 198.91.60.78:443 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
Aug 13 01:21:45.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at 198.91.60.78:443. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Note: Failed Self-testing torrc WITH NoAdvertise & NoListen
# cat /tmp/torrc
Nickname ASUSWRTMerlinRelay
ORPort 198.91.60.78:443 NoListen
ORPort 192.168.0.1:9001 NoAdvertise
SocksPort 9050
SocksPort 192.168.0.1:9050
ControlPort 9051
ExitRelay 0
DirCache 0
MaxMemInQueues 192 MB
GeoIPFile /opt/share/tor/geoip
Log notice file /tmp/torlog
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 192.168.0.1:9040
DNSPort 192.168.0.1:9053
RunAsDaemon 1
DataDirectory /tmp/tor/torrc.d/.tordb
AvoidDiskWrites 1
User tor
ContactInfo tor-operator@your-emailaddress-domain
Note: Confirmed that the necessary PortForward between the Public & Private Addresses is in place
# iptables -t nat -S | grep :9001
-A VSERVER -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.1:9001
Note: Nyx shows Tor building the initial 5 measurement circuits, but after some time it fails and only shows the outbound & control connections.
# nyx
nyx - 192.168.0.1 (Linux 2.6.36.4b...)   Tor 0.4.5.7 (recommended)
ASUSWRTMerlinRelay - 192.168.0.1:9001, Control Port (open): 9051
cpu: 10.6% tor, 3.2% nyx   mem: 55 MB (22.2%)   pid: 5374   uptime: 56:32
fingerprint: 02DD61E41B3739C629C5CF8CEBA6000290BC3E7B
flags: Fast, Running, Valid
page 2 / 5 - m: menu, p: pause, h: page help, q: quit
Connections (2289 outbound, 1 control):
Note: Openssl s_client is successfully CONNECTED to the Public Address
# openssl s_client -connect 198.91.60.78:443
CONNECTED(00000003)
depth=0 CN = www.uy24fd6wkrzss.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = www.uy24fd6wkrzss.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=www.uy24fd6wkrzss.net
   i:/CN=www.bu5cm42gttwqzick.com
---
Server certificate
subject=/CN=www.uy24fd6wkrzss.net
issuer=/CN=www.bu5cm42gttwqzick.com
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1058 bytes and written 428 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
    Session-ID-ctx:
    Master-Key: BC7B6CA79A1466768EAE37C7D591FB57F2D351E75B4C43AB16C8B8CBCBEB8E4BA4EDE2FEED8D4036D045F42F3F029585
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1628842910
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
What am I missing? Am I implementing the NoAdvertise & NoListen options of the ORPort directive incorrectly?
Thank you for your assistance.
Respectfully,
Gary
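The post pairs an advertised-only ORPort (NoListen) with a listening-only ORPort (NoAdvertise) and a DNAT rule between them. The following static check, an added example that is not part of the post or of Tor itself, parses a torrc and the `iptables -t nat -S` output and confirms that every advertised ORPort either is a listening socket or is DNATed to one. The sample torrc and NAT rule are constructed from the addresses in the post; the check only validates the configuration on paper and does not replace Tor's own reachability self-test.

```python
import re

# Constructed sample input, reduced to the lines that matter for the check.
TORRC = """\
Nickname ASUSWRTMerlinRelay
ORPort 198.91.60.78:443 NoListen
ORPort 192.168.0.1:9001 NoAdvertise
SocksPort 9050
"""
IPTABLES_NAT = "-A VSERVER -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.1:9001"


def parse_orports(torrc):
    """Return (address, port, flags) for each ORPort line; flags is the set of option words."""
    ports = []
    for line in torrc.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and surrounding whitespace
        if not line.lower().startswith("orport"):
            continue
        parts = line.split()
        addr, _, port = parts[1].rpartition(":")      # "host:port" or a bare port
        ports.append((addr or "0.0.0.0", int(port), {f.lower() for f in parts[2:]}))
    return ports


def parse_dnat(rules):
    """Map --dport N to the (host, port) target of each DNAT rule in `iptables -t nat -S` output."""
    targets = {}
    for m in re.finditer(r"--dport (\d+) .*?-j DNAT --to-destination (\S+):(\d+)", rules):
        targets[int(m.group(1))] = (m.group(2), int(m.group(3)))
    return targets


def check_orport_nat(torrc, nat_rules):
    """Return a list of problems; an empty list means every advertised ORPort lands on a listening one."""
    ports = parse_orports(torrc)
    dnat = parse_dnat(nat_rules)
    listening = {(a, p) for a, p, f in ports if "nolisten" not in f}
    advertised = [(a, p) for a, p, f in ports if "noadvertise" not in f]
    problems = []
    if not listening:
        problems.append("no ORPort is listening (every ORPort has NoListen)")
    if not advertised:
        problems.append("no ORPort is advertised (every ORPort has NoAdvertise)")
    for addr, port in advertised:
        if (addr, port) in listening:
            continue                                   # Tor listens on the advertised socket itself
        target = dnat.get(port)
        if target is None:
            problems.append(f"advertised {addr}:{port} has no DNAT rule for dport {port}")
        elif target not in listening:
            problems.append(f"DNAT for {addr}:{port} goes to {target[0]}:{target[1]}, which is not a listening ORPort")
    return problems
```

For the configuration in the post the check returns no problems, so the torrc and the DNAT rule agree with each other; a port-forward to the wrong port or a missing rule is reported by name.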