Plan: Configure relay on local cable connection (Century Link). The idea is to have the relay proofed operational the way I want it and then move it (torrc) to a droplet after it has been in operation for three days. Doing this saves cost in downloading to the droplet.
Modem Zyxel C3000 _was_ set to port forward on 9001, 9030, and 9050
IP 192.XXX.X.X
Turn off UPnP (plug and play) <relay fails with it on>
GUFW is set to allow the above ports – reload to allow changes
after much struggling/research to open ports 9001/9030
nc -zv 127.0.0.1 9001/9030
Connection to 127.0.0.1 9001 port [tcp/*] succeeded! <9030 also>
Alrighty then!
tor --verify-config <many probs here, but cleared> No complaints
NOTE: I know Tor/Nyx should not be run as root, I get that. Tor/Nyx are running as root. I don’t know how to use debian-tor as usr. Nyx shows in its configuration as usr debian-tor. su debian-tor produces a rollover back to root usr prompt.
service tor start
Nyx – No complaints, running as default. After just two minutes of operation the relay was running at 2 MB/s with bursts up to 3 MB/s. After the obligatory/frustrating twenty minute wait for or/dirport hand shaking I get: orport/dirport unreachable…. Ad nauseam! Changed IP address to one given by tor, still unreachable. Lastly, I removed the 9001/9030 ports from the modem and installed 6969 as the orport. Changed GUFW, verified the changes took place, changed ip to real world IP 63.xxx.xxx.xxx in torrc. Hand shaking to the orport was almost immediate. Right now, the relay after twenty hours of operation is tortoising along at 20 B/s. Which to me is pure BS.
Can someone give me some ideas as to what I am doing wrong?
Kathi
Hi Kathi
On 19.03.2020 at 02:28, Kathi wrote:
> Modem Zyxel C3000 _was_ set to port forward on 9001, 9030, and 9050
Port forwarding for Or/Dirport is necessary. A forward of 9050 (in its default usage) is not good. It's a SocksPort. If somebody finds it ey can use it as open Proxy.
> IP 192.XXX.X.X
Fine, it's your non public LAN address.
> after much struggling/research to open ports 9001/9030
Good.
> NOTE: I know Tor/Nyx should not be run as root, I get that. Tor/Nyx are running as root. I don’t know how to use debian-tor as usr. Nyx shows in its configuration as usr debian-tor. su debian-tor produces a rollover back to root usr prompt.
By default Tor installs as a no-login user 'debian-tor'. So su does not work. Better don't run Tor as root, try to run the Tor daemon under 'debian-tor'.
> Nyx – No complaints, running as default. After just two minutes of operation the relay was running at 2 MB/s with bursts up to 3 MB/s. After the obligatory/frustrating twenty minute wait for or/dirport hand shaking I get: orport/dirport unreachable…. Ad nauseam!
Is this after you moved the relay (torrc + keys)? I read it like you moved only the torrc. The Tor keys identify the relay. They wanna be moved too. And the Tor process needs to have access to it, adopt user/group ownership. https://support.torproject.org/operators/upgrade-or-move/
> Changed IP address to one given by tor, still unreachable.
How do you mean by: Tor gave you address?
> Lastly, I removed the 9001/9030 ports from the modem and installed 6969 as the orport.
I am not sure why it didn't work with 9001/9030.
> Changed GUFW, verified the changes took place, changed ip to real world IP 63.xxx.xxx.xxx in torrc. Hand shaking to the orport was almost immediate. Right now, the relay after twenty hours of operation is tortoising along at 20 B/s.
My understanding is you wanted to move a figured out and running relay from your domain area to an external provider. Which is possible. If you move the relay please move the keys and adopt the torrc right and to your needs. If the keys are not moved correctly Tor generates new keys and puts you back to start position. That can cause low bandwidth consensus/usage at the new begin.
> Which to me is pure BS.
We try to fix that.
It is helpful if you post the fingerprint and torrc file here. Thanks for working hard to get the relay run. Good luck!
-- Cheers, Felix
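A check for the SocksPort exposure Felix describes, as an added example that is not part of the thread: it lists SocksPort and ControlPort lines in a torrc that bind to a non-loopback address, which is what turns a forwarded 9050 into an open proxy. The function names and the sample torrc are constructed for illustration.

```shell
#!/bin/sh
# Added example: list SocksPort/ControlPort lines in a torrc that bind to a
# non-loopback address. Reads the file named in $1, or stdin if none is given.
audit_torrc_listeners() {
    awk '
        { sub(/#.*/, "") }                      # drop comments
        tolower($1) == "socksport" || tolower($1) == "controlport" {
            spec = $2
            # unix sockets, "0" (disabled), "auto" and bare ports stay on localhost
            if (spec ~ /^unix:/ || spec !~ /:/) next
            host = spec
            sub(/:[0-9]+$/, "", host)           # strip the trailing :port
            if (host ~ /^127\./ || host == "localhost" || host == "[::1]") next
            print $1, spec
        }
    ' "$@"
}

# Constructed sample torrc (not Kathi's); 192.0.2.10 is a documentation address.
sample_torrc() {
    cat <<'EOF'
ORPort 9001
DirPort 9030
SocksPort 9050                 # bare port: tor binds 127.0.0.1 only
SocksPort 0.0.0.0:9050         # every interface: an open proxy if 9050 is forwarded
#SocksPort 192.0.2.10:9050     (commented out, ignored)
ControlPort 192.0.2.10:9051
EOF
}

sample_torrc | audit_torrc_listeners
```

On a Debian relay the same function can be pointed at the real file with `audit_torrc_listeners /etc/tor/torrc`; no output means neither port is bound beyond localhost.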
On 19.03.2020 02:28, Kathi wrote:
> NOTE: I know Tor/Nyx should not be run as root, I get that. Tor/Nyx are running as root. I don’t know how to use debian-tor as usr.
~$ sudo -u debian-tor nyx -i 9051
.bashrc aliases for lazy admin ;-)
# My aliases for nyx (tor & tor-instances)
alias nyx='sudo -u debian-tor nyx -i 9051'
#alias nyx00='sudo -u _tor-00 nyx -i 9051'
#alias nyx01='sudo -u _tor-01 nyx -i 9052'
#alias nyx02='sudo -u _tor-02 nyx -i 9053'
If you have not yet installed or set up sudo:
~$ su -
~# apt install sudo
~# usermod -aG sudo user
Or you could just add your user to the debian-tor group, so it will be able to access the nyx control Unix socket.
On 19 Mar 2020, at 19:55, lists@for-privacy.net wrote:
> On 19.03.2020 02:28, Kathi wrote:
>> NOTE: I know Tor/Nyx should not be run as root, I get that. Tor/Nyx are running as root. I don’t know how to use debian-tor as usr.
> ~$ sudo -u debian-tor nyx -i 9051
> .bashrc aliases for lazy admin ;-)
> # My aliases for nyx (tor & tor-instances)
> alias nyx='sudo -u debian-tor nyx -i 9051'
> #alias nyx00='sudo -u _tor-00 nyx -i 9051'
> #alias nyx01='sudo -u _tor-01 nyx -i 9052'
> #alias nyx02='sudo -u _tor-02 nyx -i 9053'
> If you have not yet installed or set up sudo:
> ~$ su -
> ~# apt install sudo
> ~# usermod -aG sudo user
> -- ╰_╯ Ciao Marco!
> Debian GNU/Linux
> It's free software and it gives you freedom!
On Thu, Mar 19, 2020 at 07:57:53PM +0100, Mario Costa wrote:
> Or you could just add your user to the debian-tor group, so it will be able to access the nyx control Unix socket.
This is definitely imo the better approach rather than sudo'ing your nyx to the debian-tor user.
If you sudo to debian-tor, then your nyx gets access to all of your Tor keys, and if nyx has a security flaw then it can do more damage.
Whereas if you add your own user to the debian-tor group, and then run nyx as yourself, you are better isolated from pieces of Tor that nyx has no business being able to access.
The Debian/Ubuntu instructions for doing this properly are listed at e.g. https://bugs.torproject.org/25890#comment:1
Or I'll say the updated version here:
"""
You might like to use the nyx relay monitor to watch your relay's activities from the command line. First, "sudo apt install nyx". Second, as the user that will be running nyx, run "sudo adduser $USER debian-tor" to add your user to the debian-tor group so it can reach Tor's controlsocket. Then log out and log back in (so your user is actually in the group), and run "nyx".
"""
We keep rearranging our docs and losing the instructions, and also Damian (the nyx developer) has been unenthusiastic about complicating nyx's docs with distro-specific instructions, so here we are.
--Roger
> The Debian/Ubuntu instructions for doing this properly are listed at e.g. https://bugs.torproject.org/25890#comment:1
> Or I'll say the updated version here:
> """
> You might like to use the nyx relay monitor to watch your relay's activities from the command line. First, "sudo apt install nyx". Second, as the user that will be running nyx, run "sudo adduser $USER debian-tor" to add your user to the debian-tor group so it can reach Tor's controlsocket. Then log out and log back in (so your user is actually in the group), and run "nyx".
> """
Thanks Roger. Dumbish question but if we replace 'Then log out and log back in' with 'run "reset" in your console' will that do the trick?
> We keep rearranging our docs and losing the instructions, and also Damian (the nyx developer) has been unenthusiastic about complicating nyx's docs with distro-specific instructions, so here we are.
Nope, I'm not against providing them. Just awaiting noob friendly instructions for me to post.
Nyx itself can autodetect when tor's auth cookie is owned by debian-tor and provide Debian specific instructions. If we provide the following will it be accurate?
"""
To connect to tor we require one more step. Please run the following and try nyx again...

% sudo adduser $USER debian-tor
% reset
"""
On Fri, Mar 20, 2020 at 02:55:24PM -0700, Damian Johnson wrote:
>> activities from the command line. First, "sudo apt install nyx". Second, as the user that will be running nyx, run "sudo adduser $USER debian-tor" to add your user to the debian-tor group so it can reach Tor's controlsocket. Then log out and log back in (so your user is actually in the group), and run "nyx". """
> Thanks Roger. Dumbish question but if we replace 'Then log out and log back in' with 'run "reset" in your console' will that do the trick?
No, reset(1) just affects terminal (tty) settings, it does not affect the active group list for the current login session. There isn't a better solution than logging out and logging back in.
Worse solutions that nobody should recommend as a replacement:
- newgrp doesn't run the shell setup reliably in all cases.
- sudo to yourself to run nyx only works with certain sudoers configs
- sudo to root to run nyx results in running nyx as root, which you shouldn't.
- ssh $USER@localhost leaves the terminal session in a confusing state that most non-expert users won't be prepared to understand properly
-andy
On Fri, Mar 20, 2020 at 07:55:39PM -0700, Andy Isaacson wrote:
> On Fri, Mar 20, 2020 at 02:55:24PM -0700, Damian Johnson wrote:
>>> activities from the command line. First, "sudo apt install nyx". Second, as the user that will be running nyx, run "sudo adduser $USER debian-tor" to add your user to the debian-tor group so it can reach Tor's controlsocket. Then log out and log back in (so your user is actually in the group), and run "nyx". """
>> Thanks Roger. Dumbish question but if we replace 'Then log out and log back in' with 'run "reset" in your console' will that do the trick?
> No, reset(1) just affects terminal (tty) settings, it does not affect the active group list for the current login session. There isn't a better solution than logging out and logging back in.
Agreed.
Do the adduser line, and then log out and log in again, and then your nyx should work out of the box.
--Roger
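Why nyx can still fail right after the adduser step, as an added example that is not part of the thread: `id -Gn` with no argument reports the groups of the running session, while `id -Gn NAME` reads the group database, so the two differ until the next login. The function names are chosen here for illustration, and group names are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: tell apart "in the group database" from "active in this session".

# has_group NAME "space separated group list"
has_group() {
    for g in $2; do
        if [ "$g" = "$1" ]; then return 0; fi
    done
    return 1
}

# membership_state GROUP "groups of this process" "groups in the database"
membership_state() {
    if has_group "$1" "$2"; then
        echo active            # this session already carries the group
    elif has_group "$1" "$3"; then
        echo relogin-needed    # adduser was run, but this login predates it
    else
        echo not-member        # run: sudo adduser $USER debian-tor
    fi
}

# Live check: `id -Gn` reports the running shell's groups, while
# `id -Gn NAME` looks NAME up in the group database.
check_session() {
    group=${1:-debian-tor}
    user=$(id -un 2>/dev/null) || user=${USER:-unknown}
    membership_state "$group" "$(id -Gn 2>/dev/null)" "$(id -Gn "$user" 2>/dev/null)"
}

check_session debian-tor
```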
On 20.03.2020 09:19, Roger Dingledine wrote:
> On Thu, Mar 19, 2020 at 07:57:53PM +0100, Mario Costa wrote:
>> Or you could just add your user to the debian-tor group, so it will be able to access the nyx control Unix socket.
> This is definitely imo the better approach rather than sudo'ing your nyx to the debian-tor user.
> If you sudo to debian-tor, then your nyx gets access to all of your Tor keys, and if nyx has a security flaw then it can do more damage.
> Whereas if you add your own user to the debian-tor group, and then run nyx as yourself, you are better isolated from pieces of Tor that nyx has no business being able to access.
.... >8
Thanks for the explanation @Roger & Mario.
Is there anything wrong with usermod in terms of security?
sudo adduser $USER debian-tor
sudo usermod -aG debian-tor $USER
@Kathi
Then ignore my instructions from our private conversation later on your relay.
On Sat, Mar 21, 2020 at 05:35:28PM +0100, lists@for-privacy.net wrote:
>> Whereas if you add your own user to the debian-tor group, and then run nyx as yourself, you are better isolated from pieces of Tor that nyx has no business being able to access.
> Is there anything wrong with usermod in terms of security?
> sudo adduser $USER debian-tor
> sudo usermod -aG debian-tor $USER
I don't know of anything specifically wrong with usermod -aG, but I just asked a Debian sysadmin, who said that adduser is the much better choice: adduser handles errors better and more safely, whereas usermod is a much lower level function where it's easier to hurt yourself.
Sounds like a "feel free to do whichever one you like more, but for our documentation, we should be pointing people to adduser" situation.
--Roger
On 23.03.2020 09:35, Roger Dingledine wrote:
> Sounds like a "feel free to do whichever one you like more, but for our documentation, we should be pointing people to adduser" situation.
Thanks.
OK, adduser for debian and derivatives documentation. (Is my everyday distri anyway) AFAIK adduser isn't available on all distros (eg. suse-based), and on some others it's just a symlink to useradd (redhat-based).