Hello everybody!
I used to run a Tor bridge on Windows at home, where I have a 300/150 Mbps ISP. This Windows has a memory leak and crashes after some hours, and I believe that was making my bridge never get traffic.
A few weeks ago I moved it to a Ubuntu server, also at home. I use uptimerobot.com to monitor if its port is reachable from outside and healthchecks.io to monitor if traffic entering from its local SOCKS port is reaching check.torproject.org. It's always up and reachable.
But nyx reports it's rarely getting any traffic, and its bandwidth never surpasses 1KB/s. Its log heartbeat reports very little download and upload and always claims to have seen 0 unique clients. But how come, if my healthchecks.io monitor's curl call uses it every few minutes?
metrics.torproject.org reports correct dates and uptime. Advertised Bandwidth is 58KB/s, way above what nyx reports. Flags are Fast, Running, V2Dir, Valid.
What might be wrong? Or is it normal for a Tor bridge relay to be this idle? This is my torrc with identifiable data removed.
## Configuration file for a typical Tor user
## Last updated 9 October 2013 for Tor 0.2.5.2-alpha.
## (may or may not work for much older or much newer versions of Tor.)

## A handle for your relay, so people don't have to refer to it by key.
Nickname MyNick
ContactInfo mycontact

## Entry policies to allow/deny SOCKS requests based on IP address.
SocksPort 9031
#SocksPort ::9031
#SocksPort 0.0.0.0:80
#SOCKSPolicy accept 192.168.*

## Send all messages of level 'notice' or higher to /var/log/tor/notices.log
Log notice file /var/log/tor/notices.log
## Send every possible message to /var/log/tor/debug.log
#Log debug file /var/log/tor/debug.log
## Use the system log instead of Tor's logfiles
#Log notice syslog
## Uncomment this to start the process in the background... or use
RunAsDaemon 1

## The directory for keeping all the keys/etc. By default, we store
## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
DataDirectory /var/lib/tor

## The port on which Tor will listen for local connections from Tor
## controller applications, as documented in control-spec.txt.
ControlPort 9051
## If you enable the controlport, be sure to enable one of these
## authentication methods, to prevent attackers from accessing it.
CookieAuthentication 1

################ This section is just for relays #####################
#
## See https://www.torproject.org/docs/tor-doc-relay for details.

## The IP address or full DNS name for incoming connections to your
## relay. Leave commented out and Tor will guess.
Address hikari.mydomain.com

## Required: what port to advertise for incoming Tor connections.
ORPort 80

## Uncomment this to mirror directory information for others. Please do
## if you have enough bandwidth.
DirPort 9030 # what port to advertise for directory connections

ServerTransportPlugin obfs3,obfs4 exec /usr/bin/obfs4proxy
#ExtORPort 0.0.0.0:8000
ExtORPort 9041

## Uncomment to return an arbitrary blob of html on your DirPort. Now you
## can explain what Tor is if anybody wonders why your IP address is
## contacting them. See contrib/tor-exit-notice.html in Tor's source
## distribution for a sample.
#DirPortFrontPage /etc/tor/tor-exit-notice.html

ExitPolicy reject *:* # don't run as an exit node
BridgeRelay 1 # bridge
PublishServerDescriptor 1 # published on bridge directory DB
BridgeRecordUsageByCountry 1 # it's nice to see the country codes of users you are assisting
#BandwidthRate 512000
#RelayBandwidthBurst 512000
#RelayBandwidthRate 512000
CellStatistics 1
PaddingStatistics 1
DirReqStatistics 1
EntryStatistics 1
ExitPortStatistics 1
ConnDirectionStatistics 1
HiddenServiceStatistics 1
ExtraInfoStatistics 1
#If non-zero, try to write to disk less frequently than we would otherwise. This is useful when running on flash memory or other media that support only a limited number of writes. (Default: 0)
AvoidDiskWrites 0
On Mon, Aug 26, 2019 at 07:03:22PM -0300, Hikari wrote:
What might be wrong? Or is it normal for a Tor bridge relay to be this idle? This is my torrc with identifiable data removed.
There may be nothing wrong at all. See the following page for more context: https://community.torproject.org/relay/setup/bridge/post-install/
Feel free to email me your bridge's fingerprint and I will look up what bucket your bridge is in. For what it's worth, bridge operators are hopefully soon able to do this themselves once we are done with this ticket: https://bugs.torproject.org/29480
Cheers, Philipp
Thanks a lot.
So is it normal to have little traffic when in bridge mode? But why is reported speed so slow?
And why is it reporting 0 unique clients even though my monitor connects to it? I forgot to add the monitor code, here it is:
#!/bin/bash
# Fetch check.torproject.org through the local Tor SOCKS port; if the page
# carries the "Congratulations" banner, ping the healthchecks.io URL.
if [[ $(curl --socks5 localhost:90 --socks5-hostname localhost:90 -s https://check.torproject.org/ | cat | grep -m 1 Congratulations | xargs) ]]; then
    curl -s https://hc-ping.com/abcdefgh &> /dev/null
fi
It connects to Tor's SOCKS port and goes to check.torproject.org; if it receives text back and this text has the congratulations message, it calls hc-ping.com. So, wasn't my monitor meant to be counted?
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
You don't connect to your bridge, you connect to the tor network if you use the socks5. So yes, the check passes, because it's being sent over the tor network, not using your bridge but using tor's socks5 proxy.
Also in your config you have set the socks port to 9031, but in this line of code you connect to port 90. Probably a typo but just FYI.
On Tue, Aug 27, 2019 at 11:22:33PM +0200, Tor Patatje wrote:
You don't connect to your bridge, you connect to the tor network if you use the socks5. So yes, the check passes, because it's being sent over the tor network, not using your bridge but using tor's socks5 proxy.
[...] And why is it reporting 0 unique clients even though my monitor connects to it?
It connects to Tor's SOCKS port and goes to check.torproject.org; if it receives text back and this text has the congratulations message, it calls hc-ping.com. So, wasn't my monitor meant to be counted?
Right -- your test is trying to use your bridge as a local client on the socks port, like you are the local user.
Whereas the client count that your bridge tracks is how many people, using their own external Tor, make a TLS connection to your bridge (and then build circuits through your bridge to other Tor relays).
So the user count is working correctly -- it is ignoring the local socks connections, because they don't represent external users. It will only count people who connect to your ORPort and, if you're offering obfs4, to your obfs4 port.
Hope that helps, --Roger
ahhhh got it! so that's why my monitor isn't counted lol
I'll get a Tor Browser running to test it later then, and also its speed.
So, it's just that few people receive my bridge from BridgeDB. So it's a guard relay, right? What am I lacking to receive a guard flag?
And what about being a middle relay? Shouldn't it be used more frequently in this mode?
I have obfs3 and obfs4 enabled, but I've never tested them. And never got any error message either.
Another question. I currently have Address setting on torrc pointing to a domain handled by no-ip. I have 2 ISPs in load balancing, and before this setting I was having very frequent log messages saying my IP had changed, because each time Tor made its test it was using a different route. Isn't it possible to use Tor in load balancing?
I'm buying a Ubiquiti EdgeRouter X to put OpenWRT on. If everything works, in the near future I'll have IPv6 and load balancing working, but no-ip seems to not support IPv6. How should I set up my relay to use both ISPs and IPv4 + IPv6 with dynamic addresses?
Thanks a lot for the help and patience!
Hi,
On 28 Aug 2019, at 14:21, Hikari tux@hikari.me wrote:
So, it's just that few people receive my bridge from BridgeDB. So it's a guard relay, right? What am I lacking to receive a guard flag?
Guards and Bridges are different.
Bridges are secret entry nodes for a few Tor clients.
Guards are public entry nodes for any Tor client. But they are easier to block, because they are public.
And what about being a middle relay? Shouldn't it be used more frequently in this mode?
Middle relays are public middle nodes for any Tor client.
Bridges can't be used as middles, because bridge addresses are secret.
I have obfs3 and obfs4 enabled, but I've never tested them. And never got any error message either.
You can test them with Tor Browser, but it takes a bit of cut and paste work. Look up the obfs4 instructions for the location of the bridge line file.
If you'd like to get more bridge traffic, start another few bridges on different ports on the same IP, or different IPs.
Another question. I currently have Address setting on torrc pointing to a domain handled by no-ip. I have 2 ISPs in load balancing, and before this setting I was having very frequent log messages saying my IP had changed, because each time Tor made its test it was using a different route. Isn't it possible to use Tor in load balancing?
There are different kinds of load balancing.
Tor relays and bridges can only advertise a single IPv4 address. Tor relays can also advertise an IPv6 address. We're working on dual-stack advertised addresses for bridges.
So Tor works well when your AS announces your relay's IP address on multiple upstream routers.
If you have different IP addresses for each upstream, you can:
- Run a separate Tor instance for each address, or
- Set (inbound) Address to one upstream, and OutboundBindAddress to another.
I'm buying a Ubiquiti EdgeRouter X to put OpenWRT on. If everything works, in the near future I'll have IPv6 and load balancing working, but no-ip seems to not support IPv6. How should I set up my relay to use both ISPs and IPv4 + IPv6 with dynamic addresses?
Address supports DNS for IPv4 addresses.
IPv6 is only supported for ORPort (relays) and ServerTransportListenAddr (bridges). Tor doesn't have support for dynamic IPv6 yet.
Can your provider allocate static IPv6? It should have a pool of millions of IPv6 addresses, so static should be easy.
We're trying to make IPv6 support better, but I don't know when we will get funding to fix these particular issues.
T
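As an added example (not code from anyone in this thread), here is a shell script that does what Roger and teor describe: it tests the bridge from the outside, by starting a throwaway tor client that is allowed to reach the Tor network only through this bridge (UseBridges 1 plus the bridge's own obfs4 line) and then fetching check.torproject.org through that client. That connection lands on the bridge's ORPort/obfs4 port and is the kind the heartbeat counts; the curl through the bridge's own SocksPort never is. Assumptions: tor, curl and /usr/bin/obfs4proxy exist on the test host, the bridge's DataDirectory is /var/lib/tor, and every address, port, fingerprint and cert value shown is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread.  A curl through the bridge's own
# SocksPort rides the Tor network as a local client and is never counted; a
# client that reaches Tor *through* the bridge (UseBridges 1) hits the
# ORPort/obfs4 port and is what the heartbeat reports as a unique client.
# Assumptions: tor, curl and /usr/bin/obfs4proxy exist on the test host; the
# bridge's DataDirectory is /var/lib/tor; all addresses are placeholders.

# obfs4proxy writes /var/lib/tor/pt_state/obfs4_bridgeline.txt on the bridge
# with the placeholders <IP ADDRESS>:<PORT> and <FINGERPRINT> left unfilled.
#   stdin = contents of that file
#   $1    = public address:port of the obfs4 listener (from the tor log line
#           "Registered server transport 'obfs4' at ..." or your
#           ServerTransportListenAddr)
#   $2    = bridge fingerprint (second field of /var/lib/tor/fingerprint)
# Prints the usable "Bridge obfs4 ..." line.
fill_bridge_line() {
    grep '^Bridge ' | sed -e "s|<IP ADDRESS>:<PORT>|$1|" -e "s|<FINGERPRINT>|$2|"
}

# Write a torrc for a throwaway client that may only use this bridge.
#   $1 = full "Bridge <transport> ..." line, $2 = DataDirectory for the client,
#   $3 = local SocksPort for the client (pick an unused one, e.g. 9150)
make_client_torrc() {
    mct_transport=$(printf '%s\n' "$1" | awk '{print $2}')
    printf 'DataDirectory %s\nSocksPort 127.0.0.1:%s\nUseBridges 1\n' "$2" "$3"
    # obfs4proxy also speaks obfs3 on the client side.
    case $mct_transport in
        obfs4|obfs3) printf 'ClientTransportPlugin %s exec /usr/bin/obfs4proxy\n' "$mct_transport" ;;
    esac
    printf '%s\n' "$1"
}

# stdin = HTML from check.torproject.org; succeeds only on the success banner.
tor_check_passed() {
    grep -q 'Congratulations'
}

# End-to-end test.  $1 = filled bridge line, $2 = throwaway SocksPort.
# Returns 0 when a circuit built through the bridge reached check.torproject.org.
bridge_test() {
    bt_dir=$(mktemp -d) || return 1          # mktemp gives the 0700 dir tor wants
    make_client_torrc "$1" "$bt_dir" "$2" > "$bt_dir/torrc"
    tor -f "$bt_dir/torrc" > "$bt_dir/tor.log" 2>&1 &   # notice log goes to stdout
    bt_pid=$!
    bt_status=1
    bt_tries=0
    # Give the client up to two minutes to bootstrap; with UseBridges 1 the
    # only way it can reach 100% is through your bridge.
    while [ "$bt_tries" -lt 60 ]; do
        if grep -q 'Bootstrapped 100%' "$bt_dir/tor.log"; then
            if curl -s --socks5-hostname "127.0.0.1:$2" https://check.torproject.org/ \
                | tor_check_passed; then
                bt_status=0
            fi
            break
        fi
        sleep 2
        bt_tries=$((bt_tries + 1))
    done
    kill "$bt_pid" 2>/dev/null
    rm -rf "$bt_dir"
    return "$bt_status"
}

# Usage: sh bridge_test.sh 'Bridge obfs4 203.0.113.10:443 <FPR> cert=<CERT> iat-mode=0' 9150
if [ "$#" -eq 2 ]; then
    bridge_test "$1" "$2" && echo "bridge OK" || echo "bridge FAILED"
fi
```

Run it from a machine outside your LAN (or from the bridge host if your router handles hairpin NAT); after a successful run the next heartbeat on the bridge should report a non-zero unique client count.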
Thanks a lot for taking the time to explain it to me!
Quoting teor teor@riseup.net:
Hi,
On 28 Aug 2019, at 14:21, Hikari tux@hikari.me wrote:
So, it's just that few people receive my bridge from BridgeDB. So it's a guard relay, right? What am I lacking to receive a guard flag?
Guards and Bridges are different.
Bridges are secret entry nodes for a few Tor clients.
Guards are public entry nodes for any Tor client. But they are easier to block, because they are public.
And what about being a middle relay? Shouldn't it be used more frequently in this mode?
Middle relays are public middle nodes for any Tor client.
Bridges can't be used as middles, because bridge addresses are secret.
Now I get it.
Is it worth running a public middle relay at home? Or is it possible sites will block my IP and I should stick with a bridge as it is now?
I suppose a guard relay isn't advised, right?
I have obfs3 and obfs4 enabled, but I've never tested them. And never got any error message either.
You can test them with Tor Browser, but it takes a bit of cut and paste work. Look up the obfs4 instructions for the location of the bridge line file.
Does Tor Browser for Windows come with obfs4? How do I enable it?
I could also try running Tails on a VM if it has obfs4.
If you'd like to get more bridge traffic, start another few bridges on different ports on the same IP, or different IPs.
Do you know any tutorial teaching how to run multiple Tor instances? I did it with Transmission and had some trouble but did it.
I suppose I'll need to duplicate /etc/tor and /var/log/tor and have 2 systemctl files pointing to the correct torrc.
And also point nyx to the correct instance. I just run it without parameters.
Another question. I currently have Address setting on torrc pointing to a domain handled by no-ip. I have 2 ISPs in load balancing, and before this setting I was having very frequent log messages saying my IP had changed, because each time Tor made its test it was using a different route. Isn't it possible to use Tor in load balancing?
There are different kinds of load balancing.
Tor relays and bridges can only advertise a single IPv4 address. Tor relays can also advertise an IPv6 address. We're working on dual-stack advertised addresses for bridges.
So Tor works well when your AS announces your relay's IP address on multiple upstream routers.
What's an AS?
I'm still working on getting IPv6 working. My Cisco RV340's WebUI doesn't have settings for enabling ULA nor for delegating a global prefix. I just bought a new router and will try to put OpenWRT on it, and hope to be able to set up everything then.
In early monitoring I'm noticing that one of my ISPs, the one where I'm able to use a global prefix, hasn't changed mine for over a week. But my server's IP is changing a few times every day inside the same prefix.
When (and if) I get everything working, I hope to have 1 no-ip domain for each ISP IPv4 address, and get 1 fixed IPv6 ULA and an equivalent global IP for each ISP global prefix and keep it fixed as long as ISPs don't change their prefix.
It's gonna take a few months to set it all.
Regarding Tor, maybe I'll need to run 1 instance for each ISP's IPv4+IPv6 combination. IPv4 will be easy; IDK how to make it know which IPv6 to use, if I'm unable to get no-ip working for IPv6.
If you have different IP addresses for each upstream, you can:
- Run a separate Tor instance for each address, or
- Set (inbound) Address to one upstream, and OutboundBindAddress to another.
Sorry I didn't understand the second option.
I'm buying a Ubiquiti EdgeRouter X to put OpenWRT on. If everything works, in the near future I'll have IPv6 and load balancing working, but no-ip seems to not support IPv6. How should I set up my relay to use both ISPs and IPv4 + IPv6 with dynamic addresses?
Address supports DNS for IPv4 addresses.
IPv6 is only supported for ORPort (relays) and ServerTransportListenAddr (bridges). Tor doesn't have support for dynamic IPv6 yet.
Well that's troubling lol so I think I won't be able to use IPv6, unless ISPs leave static global prefixes and I'm able to set a relatively fixed ULA.
Is it possible to set Tor to use a specific network device?
Can your provider allocate static IPv6? It should have a pool of millions of IPv6 addresses, so static should be easy.
As I said, I'm monitoring IPv6 and the working ISP's global prefix hasn't changed in a week, but IPv6 addr is changing.
They won't wanna provide a fixed global prefix, because they wanna charge for a fixed IP. They are also serving only a /64 prefix. And blocking some of the most common ports.
My guess is that they haven't got dynamic global prefix allocation working yet, so they are just leaving it be for now. I also haven't tried turning the modem off to see if that forces the prefix to change.
We're trying to make IPv6 support better, but I don't know when we will get funding to fix these particular issues.
Yeah I understand it. Most ppl and even telco companies aren't worried about IPv6. Some routers like mine don't have a proper UI for IPv6 settings either.
Hi,
On 28 Aug 2019, at 23:44, tux@hikari.me wrote:
Quoting teor teor@riseup.net:
On 28 Aug 2019, at 14:21, Hikari tux@hikari.me wrote:
So, it's just that few people receive my bridge from BridgeDB. So it's a guard relay, right? What am I lacking to receive a guard flag?
Guards and Bridges are different.
Bridges are secret entry nodes for a few Tor clients.
Guards are public entry nodes for any Tor client. But they are easier to block, because they are public.
And what about being a middle relay? Shouldn't it be used more frequently in this mode?
Middle relays are public middle nodes for any Tor client.
Bridges can't be used as middles, because bridge addresses are secret.
Now I get it.
Is it worth running a public middle relay at home? Or is it possible sites will block my IP and I should stick with a bridge as it is now?
You should stick with a bridge.
I suppose a guard relay isn't advised, right?
There is no setting that lets operators make their relays middles or guards. Instead, all non-exits have some chance of being a middle or a guard. For new or slow relays, the chance of being a guard might be zero.
I have obfs3 and obfs4 enabled, but I've never tested them. And never got any error message either.
You can test them with Tor Browser, but it takes a bit of cut and paste work. Look up the obfs4 instructions for the location of the bridge line file.
Does Tor Browser for Windows come with obfs4? How do I enable it?
Yes. Enter an obfs4 bridge line in the bridge settings.
See the bridges part of the Tor Browser manual: https://tb-manual.torproject.org/bridges/
I could also try running Tails on a VM if it has obfs4.
Tails has Tor Browser with obfs4.
If you'd like to get more bridge traffic, start another few bridges on different ports on the same IP, or different IPs.
Do you know any tutorial teaching how to run multiple Tor instances? I did it with Transmission and had some trouble but did it.
I don't know what Transmission is.
I suppose I'll need to duplicate /etc/tor and /var/log/tor and have 2 systemctl files pointing to the correct torrc.
And also point nyx to the correct instance. I just run it without parameters.
ansible-relayor is good, but I don't know if it supports bridges.
See the Tor Relay Guide: https://trac.torproject.org/projects/tor/wiki/TorRelayGuide#ConfigurationMan...
Another question. I currently have Address setting on torrc pointing to a domain handled by no-ip. I have 2 ISPs in load balancing, and before this setting I was having very frequent log messages saying my IP had changed, because each time Tor made its test it was using a different route. Isn't it possible to use Tor in load balancing?
There are different kinds of load balancing.
Tor relays and bridges can only advertise a single IPv4 address. Tor relays can also advertise an IPv6 address. We're working on dual-stack advertised addresses for bridges.
So Tor works well when your AS announces your relay's IP address on multiple upstream routers.
What's an AS?
A network on the internet.
I'm still working on getting IPv6 working. My Cisco RV340's WebUI doesn't have settings for enabling ULA nor for delegating a global prefix. I just bought a new router and will try to put OpenWRT on it, and hope to be able to set up everything then.
In early monitoring I'm noticing that one of my ISPs, the one where I'm able to use a global prefix, hasn't changed mine for over a week. But my server's IP is changing a few times every day inside the same prefix.
When (and if) I get everything working, I hope to have 1 no-ip domain for each ISP IPv4 address, and get 1 fixed IPv6 ULA and an equivalent global IP for each ISP global prefix and keep it fixed as long as ISPs don't change their prefix.
It's gonna take a few months to set it all.
Regarding Tor, maybe I'll need to run 1 instance for each ISP's IPv4+IPv6 combination. IPv4 will be easy; IDK how to make it know which IPv6 to use, if I'm unable to get no-ip working for IPv6.
Set the IPv6 address as an ORPort in the relay config.
But bridges can only advertise one obfs4 address right now. So I wouldn't worry too much about IPv6 yet.
If you have different IP addresses for each upstream, you can:
- Run a separate Tor instance for each address, or
- Set (inbound) Address to one upstream, and OutboundBindAddress to another.
Sorry I didn't understand the second option.
I don't think it will work very well for bridges anyway.
I'm buying a Ubiquiti EdgeRouter X to put OpenWRT on. If everything works, in the near future I'll have IPv6 and load balancing working, but no-ip seems to not support IPv6. How should I set up my relay to use both ISPs and IPv4 + IPv6 with dynamic addresses?
Address supports DNS for IPv4 addresses.
IPv6 is only supported for ORPort (relays) and ServerTransportListenAddr (bridges). Tor doesn't have support for dynamic IPv6 yet.
Well that's troubling lol so I think I won't be able to use IPv6, unless ISPs leave static global prefixes and I'm able to set a relatively fixed ULA.
Your router might be changing the address?
Is it possible to set Tor to use a specific network device?
No, that happens at the OS level.
Can your provider allocate static IPv6? It should have a pool of millions of IPv6 addresses, so static should be easy.
As I said, I'm monitoring IPv6 and the working ISP's global prefix hasn't changed in a week, but IPv6 addr is changing.
They won't wanna provide a fixed global prefix, because they wanna charge for a fixed IP. They are also serving only a /64 prefix. And blocking some of the most common ports.
Wow that's unhelpful.
My guess is that they haven't got dynamic global prefix allocation working yet, so they are just leaving it be for now. I also haven't tried turning the modem off to see if that forces the prefix to change.
T