Hello,
I have set up a VM at my home server (via fiber DSL) to work as a Tor relay. I have set up port forwarding for ORport and DirPort (defaults, 9001 and 9030). The logs don't give me any useful information — or, possibly, I fail to grok anything useful ;-)
The following happens every couple of hours:
Jun 07 09:36:19.000 [notice] Heartbeat: It seems like we are not in the cached consensus.
Jun 07 09:36:19.000 [notice] Heartbeat: Tor's uptime is 17:59 hours, with 0 circuits open. I've sent 2.71 MB and received 32.26 MB.
Jun 07 09:36:19.000 [notice] Average packaged cell fullness: 13.454%. TLS write overhead: 12%
Jun 07 09:36:19.000 [notice] Circuit handshake stats since last time: 0/0 TAP, 14/14 NTor.
Jun 07 09:36:19.000 [notice] Since startup, we have initiated 0 v1 connections, 0 v2 connections, 0 v3 connections, and 21 v4 connections; and received 0 v1 connections, 0 v2 connections, 0 v3 connections, and 216 v4 connections.
Jun 07 09:36:19.000 [notice] DoS mitigation since startup: 0 circuits rejected, 0 marked addresses. 0 connections closed. 0 single hop clients refused.
Jun 07 15:36:19.000 [notice] Heartbeat: It seems like we are not in the cached consensus.
Jun 07 15:36:19.000 [notice] Heartbeat: Tor's uptime is 23:59 hours, with 0 circuits open. I've sent 3.18 MB and received 42.36 MB.
Jun 07 15:36:19.000 [notice] Average packaged cell fullness: 13.454%. TLS write overhead: 14%
Jun 07 15:36:19.000 [notice] Circuit handshake stats since last time: 0/0 TAP, 0/0 NTor.
Jun 07 15:36:19.000 [notice] Since startup, we have initiated 0 v1 connections, 0 v2 connections, 0 v3 connections, and 21 v4 connections; and received 0 v1 connections, 0 v2 connections, 0 v3 connections, and 284 v4 connections.
Jun 07 15:36:19.000 [notice] DoS mitigation since startup: 0 circuits rejected, 0 marked addresses. 0 connections closed. 0 single hop clients refused.
Jun 07 21:36:19.000 [notice] Heartbeat: It seems like we are not in the cached consensus.
Jun 07 21:36:19.000 [notice] Heartbeat: Tor's uptime is 1 day 5:59 hours, with 0 circuits open. I've sent 3.66 MB and received 53.04 MB.
Jun 07 21:36:19.000 [notice] Average packaged cell fullness: 13.454%. TLS write overhead: 16%
Jun 07 21:36:19.000 [notice] Circuit handshake stats since last time: 0/0 TAP, 0/0 NTor.
Jun 07 21:36:19.000 [notice] Since startup, we have initiated 0 v1 connections, 0 v2 connections, 0 v3 connections, and 21 v4 connections; and received 0 v1 connections, 0 v2 connections, 0 v3 connections, and 351 v4 connections.
Jun 07 21:36:19.000 [notice] DoS mitigation since startup: 0 circuits rejected, 0 marked addresses. 0 connections closed. 0 single hop clients refused.
What should I look into?
Thanks,
On Thu, Jun 07, 2018 at 11:37:26PM -0500, Gunnar Wolf wrote:
The following happens every couple of hours:
All of these log entries are fine and normal except this one:
Jun 07 09:36:19.000 [notice] Heartbeat: It seems like we are not in the cached consensus.
Jun 07 15:36:19.000 [notice] Heartbeat: It seems like we are not in the cached consensus.
Jun 07 21:36:19.000 [notice] Heartbeat: It seems like we are not in the cached consensus.
First, did your relay find itself reachable (both ORPort and DirPort) at startup? Look for lines like
Jun 05 12:47:50.013 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent.
and
Jun 05 12:48:43.824 [notice] Self-testing indicates your DirPort is reachable from the outside. Excellent. Publishing server descriptor.
Second, assuming yes for the first question, I wonder if the directory authorities are (still) finding it reachable. You can check the recent votes at https://collector.torproject.org/recent/relay-descriptors/votes/ or try the (easier to use if it works for you) interface at the bottom of https://consensus-health.torproject.org/#relayinfo
Maybe your port forwarding is expiring after a little while?
--Roger
Roger Dingledine wrote [Fri, Jun 08, 2018 at 01:20:19AM -0400]:
First, did your relay find itself reachable (both ORPort and DirPort) at startup? Look for lines like
Jun 05 12:47:50.013 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent.
and
Jun 05 12:48:43.824 [notice] Self-testing indicates your DirPort is reachable from the outside. Excellent. Publishing server descriptor.
Jun 06 15:36:26.000 [notice] Self-testing indicates your DirPort is reachable from the outside. Excellent.
Jun 06 15:36:27.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
So, yes :)
Second, assuming yes for the first question, I wonder if the directory authorities are (still) finding it reachable. You can check the recent votes at https://collector.torproject.org/recent/relay-descriptors/votes/ or try the (easier to use if it works for you) interface at the bottom of https://consensus-health.torproject.org/#relayinfo
Maybe your port forwarding is expiring after a little while?
My fingerprint is C0417071C3754885296F4A5935AC1BC1CABDBC31. I see all authorities give me "V2Dir" and "Valid", but only three (longc, bastet, moria1) give "Running".
I use my ISP-provided fiber modem. Maybe it is expiring the connections when idle. Is there a way to request a heartbeat to be sent?
See if you can route to all the authorities. Tor requires that all relays are able to contact all directory authorities.
In my case tcptraceroute would not get to all the authorities. For some authorities my ISP was not routing to them.
One thought. Try making sure you are running the newest version of the tor software. I say this because I know directory authorities recently started rejecting relays running older versions of tor. Another thing I might check if possible is if your router has a limit for how many simultaneous connections it can handle as if your router has a limit in this, this can cause issues with running a tor server as tor can require hundreds of connections at once.
Graeme Neilson wrote [Sat, Jun 09, 2018 at 11:53:20AM +1200]:
See if you can route to all the authorities. Tor requires that all relays are able to contact all directory authorities.
In my case tcptraceroute would not get to all the authorities. For some authorities my ISP was not routing to them.
This seems to be the issue - I'm attaching a screenshot of «mtr» trying to reach all of the directory authorities from said server.
So, it seems my ISP does not want us to run relays ☹ Can you think of any way my connection (oversized for my regular uses) can be put to use for Tor? I guess it would not work as a bridge either, would it?
Hi
Traceroute requires support by all hops on the way, and that's not a given. Try pinging the DA's instead or connecting to their tor ports.
Only Dizum doesn't respond to ping requests, but it has a "welcome" page on 80.
dannenberg dannenberg.torauth.de 193.23.244.244 80 443
tor26 86.59.21.38 86.59.21.38 80 443
longclaw 199.58.81.140 199.58.81.140 80 443
bastet 204.13.164.118 204.13.164.118 80 443
maatuska 171.25.193.9 171.25.193.9 443 80
moria1 128.31.0.34 128.31.0.34 9131 9101
dizum 194.109.206.212 194.109.206.212 80 443
gabelmoo 131.188.40.189 131.188.40.189 80 443
Faravahar 154.35.175.225 154.35.175.225 80 443
Regards Seb
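The check suggested in the message above (connecting to each directory authority's ports instead of relying on traceroute), as an added example that is not part of the original thread. The table is the one posted in the message; the function names are this example's own, and the probe separates a refused connection from a silent timeout.

```python
import socket

# Table copied from the message above: name, address, IP, then two TCP ports.
AUTHORITIES = """\
dannenberg dannenberg.torauth.de 193.23.244.244 80 443
tor26 86.59.21.38 86.59.21.38 80 443
longclaw 199.58.81.140 199.58.81.140 80 443
bastet 204.13.164.118 204.13.164.118 80 443
maatuska 171.25.193.9 171.25.193.9 443 80
moria1 128.31.0.34 128.31.0.34 9131 9101
dizum 194.109.206.212 194.109.206.212 80 443
gabelmoo 131.188.40.189 131.188.40.189 80 443
Faravahar 154.35.175.225 154.35.175.225 80 443
"""


def parse_authorities(text):
    """Return [(name, ip, [port, port]), ...]; malformed rows are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[3].isdigit() and fields[4].isdigit():
            rows.append((fields[0], fields[2], [int(fields[3]), int(fields[4])]))
    return rows


def tcp_probe(ip, port, timeout=5.0):
    """Attempt a full TCP handshake and classify the outcome."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open"          # three-way handshake completed
    except ConnectionRefusedError:
        return "refused"           # a RST came back: something on the path answered
    except socket.timeout:
        return "timeout"           # no answer at all: dropped or not routed
    except OSError:
        return "unreachable"       # e.g. ICMP unreachable or no local route


def survey(authorities, probe=tcp_probe):
    """Probe every listed port; returns {name: {port: outcome}}."""
    return {name: {port: probe(ip, port) for port in ports}
            for name, ip, ports in authorities}


def no_tcp_path(results):
    """Names of authorities where none of the listed ports completed a handshake."""
    return sorted(name for name, ports in results.items()
                  if all(outcome != "open" for outcome in ports.values()))


if __name__ == "__main__":
    results = survey(parse_authorities(AUTHORITIES))
    for name, ports in results.items():
        print(f"{name:12s} {ports}")
    print("no TCP path to:", ", ".join(no_tcp_path(results)) or "none")
```

Running it once from the relay's connection and once from a second network shows whether the failures follow the ISP or the authorities themselves.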
r1610091651 wrote [Mon, Jun 11, 2018 at 09:34:55PM +0200]:
Traceroute requires support by all hops on the way, and that's not a given. Try pinging the DA's instead or connecting to their tor ports.
Only Dizum doesn't respond to ping requests, but it has a "welcome" page on 80.
dannenberg dannenberg.torauth.de 193.23.244.244 80 443
tor26 86.59.21.38 86.59.21.38 80 443
longclaw 199.58.81.140 199.58.81.140 80 443
bastet 204.13.164.118 204.13.164.118 80 443
maatuska 171.25.193.9 171.25.193.9 443 80
moria1 128.31.0.34 128.31.0.34 9131 9101
dizum 194.109.206.212 194.109.206.212 80 443
gabelmoo 131.188.40.189 131.188.40.189 80 443
Faravahar 154.35.175.225 154.35.175.225 80 443
OK, thanks for this extra insight. Still, the answer is consistent: I got ping replies only from longclaw, bastet and moria1. I was also unable to connect to dizum via HTTP (which I could from my work connection).
Do you have an alternative choice of ISP? In many countries, you often do (e.g. Europe, East Asia). In others, you usually don't (e.g. USA, small island nations). If you don't, another option is a VPN with a public IP address (that is, if you are willing to pay for one).
Once Verizon FiOS (US FTTH ISP) blocked the consensus node tor26 (86.59.21.38) and just tor26 and I thought that was absurd, but this is on a whole another level. At least Verizon still let me run a Tor relay (they technically ban it, but nobody enforces it), and I did get tor26 unblocked after posting on the NANOG mailing list. At least I still had the cable company here as well, but in the US cable usually sucks (some have cable as their only option if you don't want 1.5-6mbps DSL).
Maybe your ISP hates Tor and doesn't want you to run a relay. Most broadband ISPs in countries which don't block Tor usually let you run a relay even if their TOS says it's not allowed, but if you don't have net neutrality in your country, an ISP can freely block consensus nodes to prevent you from being a relay. Unfortunate, but probably is true in your case. If you are willing to get political, you should push for net neutrality in your country.
-Neel Chauhan
Neel Chauhan wrote [Mon, Jun 11, 2018 at 05:38:31PM -0400]:
Do you have an alternative choice of ISP? In many countries, you often do (e.g. Europe, East Asia). In others, you usually don't (e.g. USA, small island nations). If you don't, another option is a VPN with a public IP address (that is, if you are willing to pay for one).
I do have a choice, but to be honest, it's a hassle; I want to run my relay from my home connection; our current ISP is by far the country's leading provider, and it is among the few to offer service over fiber.
I guess my next step will be to talk to their end-user service. It's... Well, it's very very very much not fun to sit by the phone for ~30 minutes to have them repeat to me to use only a reasonably new Windows version and make sure I don't have a virus :-P But I will try.
Maybe your ISP hates Tor and doesn't want you to run a relay. Most broadband ISPs in countries which don't block Tor usually let you run a relay even if their TOS says it's not allowed, but if you don't have net neutrality in your country, an ISP can freely block consensus nodes to prevent you from being a relay. Unfortunate, but probably is true in your case. If you are willing to get political, you should push for net neutrality in your country.
Right. I will find it out. In fact, looking at the terms of service, I see this point broadly prohibits being a Tor relay:
(for a non-commercial, home kind of line, clients will not) (...) Give telecommunications services and/or carry activities such as transport or reorigination of public switched traffic, originated in a different city or country, or give call back or bypass services.
This is in the _telephony_ part of the contract, and it relates to a very different issue, but it still resounds very much of Tor. (The same paragraph is repeated, word by word, in the Internet part of the document - Even though the language comes from the telephony world).
I'm thinking, although this bridges into a different project, whether this should be covered by the OONI tests (for which I also run a probe).
Hi,
Gunnar Wolf:
I guess my next step will be to talk to their end-user service. It's... Well, it's very very very much not fun to sit by the phone for ~30 minutes to have them repeat to me to use only a reasonably new Windows version and make sure I don't have a virus :-P But I will try.
Did anything come out from the support service?
I'm thinking, although this bridges into a different project, whether this should be covered by the OONI tests (for which I also run a probe).
Looking at the TCP connect test results may shed some more light.
BTW, thank you for running relay(s) and probe(s).
Cheers, ~Vasilis
On 12 Jun 2018, at 04:29, Gunnar Wolf gwolf@iiec.unam.mx wrote:
So, it seems my ISP does not want us to run relays ☹ Can you think of any way my connection (oversized for my regular uses) can be put to use for Tor? I guess it would not work as a bridge either, would it?
Your relay will work as a bridge if the bridge authority is reachable from your IP address.
Otherwise, you could run a private bridge, or a snowflake reflector.
T
Yes, I would agree that running an obfuscated bridge would be a good idea, as the network could use some more of those.
I could only find the instructions for running a vanilla (non obfuscated) bridge on the tor website, but did some research, and found a guide to running an obfuscated bridge here
https://www.youtube.com/watch?v=vVZ_NEC6Bp4
The OS he is performing this from is Linux, which is what most relays are running off of. I would suggest you try seeing how this works out and then contacting back,
Let us know what you think.
Keifer Bly:
I could only find the instructions for running a vanilla (non obfuscated) bridge on the tor website
this might be useful: https://trac.torproject.org/projects/tor/wiki/doc/PluggableTransports/obfs4p...