Direct Exit to a different IP.
I naively thought that the proxy lines in torrc could do that via an https proxy. Alas that's not what that line is for!
I got an impression from earlier chats a while ago that exiting to a non-advertised IP was regarded as simply not cricket, in that the internet should know the IP of Tor exits exiting. The trouble now is too many sites apply blanket bans on Tor exits.
I failed to get a Tor on my VPS to use a VPN as the final exit, as my knowledge of routing is too limited. I kept cutting myself off from the branch I was sitting on fiddling with this remotely.
As some exits do manage this, I wonder if anyone can post me a script or point me in the right direction as to how they do it.
Scenario: Set up a VPN connection. Have a script that in effect offers split tunnelling for TOR to allow exit via the VPN. The OR port needs to remain local fixed IP. The default route of the VPN server remains local.
Doing everything in and out via most VPNs would not be useful as these services have very dynamic IPs.
Gerry
Detecting exit nodes is error prone, as you point out. Some exit nodes have their traffic exit a different address than their listening port. Hey does Exonerator handle these?
Right. It's not trivial for tor to figure out what exit relays are multi-homed -- at least not without actually establishing circuits and fetching content over each exit relay.
I just finished an exitmap scan and found 17 exit relays that exit from an IP address that is different from what's listed in the consensus:
This mode of operation, regardless of how it happens, is not in itself a problem, nor cause for alarm. In fact, the nature of these "exit IP different than ORPort" relays can and often does assist users in circumventing censorship... a fundamental use case of Tor. For instance, the arbitrary automated and blind blocking via dumb blocklists that prevent even such most basic user activity and human right to knowledge as simply reading websites via Tor. Such blocking examples can often be found here: https://trac.torproject.org/projects/tor/wiki/org/doc/ListOfServicesBlockingTor
It's also entirely up to the exit operator to determine if the third party non contractual / SLA exonerator service is of any particular use or benefit to them or not... perhaps they have other notary means, or are immune or not subject to any such legal or jurisdictional issues, for which it becomes moot.
Similarly, realtime TorDNSEL and the like could be considered to be censorship enabling tools.
-----Original Message-----
From: tor-relays [mailto:tor-relays-bounces@lists.torproject.org] On Behalf Of teor
Sent: 25 November 2017 07:31
To: tor-relays@lists.torproject.org
Subject: Re: [tor-relays] Tor Metrics issue
On 25 Nov 2017, at 17:36, Arisbe arisbe@cni.net wrote:
In the immediate past I monitored both my relays and my bridges through atlas. So, now with Tor Metrics, I don't see my bridges. Am I doing something wrong or are they not in the data base?
How do you search for your relays and bridges?
T
Dr Gerard Bulger:
Direct Exit to a different IP.
I naively thought that the proxy lines in torrc could do that via an https proxy. Alas that's not what that line is for!
I got an impression from earlier chats a while ago that exiting to a non-advertised IP was regarded as simply not cricket, in that the internet should know the IP of Tor exits exiting. The trouble now is too many sites apply blanket bans on Tor exits.
Starting with tor 0.3.0.x if your exit relay has multiple public IP addresses you can use one of them for exiting only without the need of an additional VPN (which degrades performance), but keep in mind that this not-announced exiting IP address will also be listed in the list of exit addresses. https://collector.torproject.org/recent/exit-lists/
I'm not sure how much difference it makes depending on your exit relay bandwidth (smaller exits will likely benefit more from it).
https://www.torproject.org/docs/tor-manual.html.en#OutboundBindAddressExit
ansible-relayor even supports automating this.
The trouble now is too many sites apply blanket bans on Tor exits.
Starting with tor 0.3.0.x if your exit relay has multiple public IP addresses you can use one of them for exiting only without the need of an additional VPN (which degrades performance)
Depending on setup, shuffling exit traffic between two private points (via whatever means, your own, or a commercial service) may not be terrible performance compared to another tor hop, to internet issues, or to otherwise poor performance in the tor circuit and its boxes. Such shuffling of already exited traffic no longer uses the tor process with its associated crypto and other CPU / RAM overhead, has no need to be encrypted, and adds one more bind / localhost / lan / wan hop which can be quite fast in comparison.
this not-announced exiting IP address will also be listed in the list of exit addresses. https://collector.torproject.org/recent/exit-lists/
Thankfully this is not the only list that the "internet" subscribes to. Many other lists do not list such addresses. Holes in censorship are a good thing.
Including around hosters that do let you run relays but don't let you run exit traffic, thus making you shuffle it elsewhere, made easier if some market dynamic has bandwidth nearly free to the operator.
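The comparison the thread keeps returning to, exit addresses in the published exit list versus the OR address in the consensus, can be done offline from the two documents. The following is an added example, not code from any poster or from the Tor Project: it assumes the TorDNSEL exit-list fields (ExitNode, ExitAddress) and the consensus "r" line layout, the function names are hypothetical, and the fingerprints and addresses are constructed sample data.

```python
import base64
import binascii

def parse_exit_list(text):
    """Map relay fingerprint -> set of addresses it was seen exiting from."""
    exits, current = {}, None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "ExitNode":
            current = parts[1].upper()
            exits.setdefault(current, set())
        elif len(parts) >= 2 and parts[0] == "ExitAddress" and current:
            exits[current].add(parts[1])
    return exits

def parse_consensus_or_addresses(text):
    """Map relay fingerprint -> advertised OR address from consensus 'r' lines."""
    relays = {}
    for line in text.splitlines():
        parts = line.split()  # r nick identity digest date time IP ORPort DirPort
        if len(parts) < 9 or parts[0] != "r":
            continue
        ident = parts[2] + "=" * (-len(parts[2]) % 4)  # restore stripped padding
        try:
            fp = base64.b64decode(ident).hex().upper()
        except (binascii.Error, ValueError):
            continue  # skip malformed identities rather than abort the scan
        relays[fp] = parts[6]
    return relays

def exits_off_or_address(exit_list_text, consensus_text):
    """Return {fingerprint: (or_address, [other exit addresses])}."""
    advertised = parse_consensus_or_addresses(consensus_text)
    result = {}
    for fp, seen in parse_exit_list(exit_list_text).items():
        or_addr = advertised.get(fp)
        extra = sorted(a for a in seen if a != or_addr)
        if or_addr and extra:
            result[fp] = (or_addr, extra)
    return result

# Constructed sample data: made-up fingerprints, documentation address ranges.
FP_A, FP_B = "A" * 40, "B" * 40
def _r_line(nick, fp, ip):
    ident = base64.b64encode(bytes.fromhex(fp)).decode().rstrip("=")
    return f"r {nick} {ident} AAAAAAAAAAAAAAAAAAAAAAAAAAA 2017-11-25 06:00:00 {ip} 9001 0"
def _exit_entry(fp, ip):
    return (f"ExitNode {fp}\nPublished 2017-11-25 05:10:00\n"
            f"LastStatus 2017-11-25 06:00:00\nExitAddress {ip} 2017-11-25 06:05:00\n")
SAMPLE_CONSENSUS = _r_line("relayA", FP_A, "192.0.2.10") + "\n" + _r_line("relayB", FP_B, "198.51.100.7")
SAMPLE_EXIT_LIST = _exit_entry(FP_A, "192.0.2.20") + _exit_entry(FP_B, "198.51.100.7")
```

A relay only appears in the result if the exit list has an entry for it, so exits that the list's scanner has not measured are not covered by this check.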