s7r wrote:
Hi there,
Thanks for running a relay.
IPv6 is not intended to be used that way. IPv6 was designed to ensure end to end connectivity, given it's not a scarce resource each device should have its own public IPv6 address and you can implement whatever filters or restrictions the haproxy provides at an upstream firewall or router or something.
Back to the subject, your setup will not work because your Tor daemon is not listening on any IPv6 address.
You have this line in your torrc:
ORPort [2001:41d0:1:84bc::1]:9001 NoListen
and this means to advertise this address and port in the descriptor but NOT BIND TO IT.
So, you must add a secondary NoAdvertise address, where the Tor daemon can actually bind and listen to. That is why the cleanest way was to have the public IPv6 address assigned directly to the box. The same as you did for IPv4 actually.
You can do some forwarding between haproxy and the Tor server to still advertise the haproxy public IPv6 address and somehow forward using link local addresses (fe80::/16) or 6-to-4 (::ffff:192:168:1:2 or whatever NAT IPv4 class you use) between haproxy and Tor, but this seams overkill. You need to make sure nothing blocks or drops ICMPv6 (IPv6 needs it) and also you are not filtering fe80::/16 and fc00:/16 classes as well as UDP port 546. Remember that link local IPv6 addresses change if you change the interface (ethernet port) or even its name, so you must always update the rules and torrc config. This is why I am telling you it's overkill, and I am only explaining how to theoretically do it in order for your to understand how things work, not to actually do it because it's pointless and overkill.
Then you would have (if the Tor server would actually have this link local address - this is just a dumb example): ORPort [fe80:cafe:cafe::2]:9001 NoAdvertise
So it would bind to it.
Hope this clarifies. Please assign the IPv6 directly, there are exactly 0 reasons not to do it.
-s7r
Charly Ghislain wrote:
ok, maybe i haven't waited that long. I will put it back and come back to you in a couple of days. I must say I would be surprised it would take so long to check connectivity.
On Sat, Feb 23, 2019 at 4:02 PM Blicky <tor@blicky.net mailto:tor@blicky.net> wrote:
Hi, For how long have you advertised the v6 address? My relays also received the UnreachableIpv6 flag shortly after I setup IPv6, but after 24 hours that automatically turned into ReachableIPv6. I'm guessing it takes some time for the measurements to take place and propagate. I can reach your IPv6 address on that port, so the network configuration is fine, at least. Regards, Blicky. On 2019-02-23, Charly Ghislain wrote: > Hi all, > > My tor relay has got the UnreachableIpv6 flag set once i mentionned an > OrPort with my ipv6 address. > > From what i can tell, my server is reachable over ipv6, and can contact the > directory authorities through ipv6 (following the instructions found there: > https://trac.torproject.org/projects/tor/wiki/TorRelayGuide#Makesurerelayportscanbereached > ). > > The node is behind an haproxy that relays ipv6 traffic to natted ipv4 (with > no logging for those concerned). It seems to work fine for web content over > ipv6, and traffic on both ips (v4 and v6) goes through this channel. > > I can successfully telnet my node ORPort using my v6 address. The ports > have been defined this way in torrc: > ORPort 0.0.0.0:9001 NoAdvertise > ORPort 91.121.79.188:9001 NoListen > ORPort [2001:41d0:1:84bc::1]:9001 NoListen > > Is there a way to make a tor client connect to a specific relay to debug > this kind of connectivity issues? Or any other mean? > > In the meantime ive removed the advertized ip6. > > Regards, > > Charly
And thanks for actually discovering a potential bug with this weird setup -- I have just logged #29570 :
https://trac.torproject.org/projects/tor/ticket/29570
So we may avoid this happening even in rare use cases.