[tor-relays] Debugging ipv6 connectivity
s7r at sky-ip.org
Sat Feb 23 16:24:28 UTC 2019
Thanks for running a relay.
IPv6 is not intended to be used that way. IPv6 was designed to ensure
end to end connectivity, given it's not a scarce resource each device
should have its own public IPv6 address and you can implement whatever
filters or restrictions the haproxy provides at an upstream firewall or
router or something.
Back to the subject, your setup will not work because your Tor daemon is
not listening on any IPv6 address.
You have this line in your torrc:
ORPort [2001:41d0:1:84bc::1]:9001 NoListen
and this means to advertise this address and port in the descriptor but
NOT BIND TO IT.
So, you must add a secondary NoAdvertise address, where the Tor daemon
can actually bind and listen to. That is why the cleanest way was to
have the public IPv6 address assigned directly to the box. The same as
you did for IPv4 actually.
You can do some forwarding between haproxy and the Tor server to still
advertise the haproxy public IPv6 address and somehow forward using link
local addresses (fe80::/16) or 6-to-4 (::ffff:192:168:1:2 or whatever
NAT IPv4 class you use) between haproxy and Tor, but this seems
overkill. You need to make sure nothing blocks or drops ICMPv6 (IPv6
needs it) and also you are not filtering fe80::/16 and fc00::/16 classes
as well as UDP port 546. Remember that link local IPv6 addresses change
if you change the interface (ethernet port) or even its name, so you
must always update the rules and torrc config. This is why I am telling
you it's overkill, and I am only explaining how to theoretically do it
in order for you to understand how things work, not to actually do it
because it's pointless and overkill.
Then you would have (if the Tor server would actually have this link
local address - this is just a dumb example):
ORPort [fe80:cafe:cafe::2]:9001 NoAdvertise
So it would bind to it.
Hope this clarifies. Please assign the IPv6 directly, there are exactly
0 reasons not to do it.
Charly Ghislain wrote:
> ok, maybe i haven't waited that long. I will put it back and come back
> to you in a couple of days.
> I must say I would be surprised it would take so long to check connectivity.
> On Sat, Feb 23, 2019 at 4:02 PM Blicky <tor at blicky.net> wrote:
> For how long have you advertised the v6 address? My relays also received
> the UnreachableIpv6 flag shortly after I setup IPv6, but after 24 hours
> that automatically turned into ReachableIPv6. I'm guessing it takes some
> time for the measurements to take place and propagate.
> I can reach your IPv6 address on that port, so the network configuration
> is fine, at least.
> On 2019-02-23, Charly Ghislain wrote:
> > Hi all,
> > My tor relay has got the UnreachableIpv6 flag set once i mentioned an
> > OrPort with my ipv6 address.
> > From what i can tell, my server is reachable over ipv6, and can contact the
> > directory authorities through ipv6 (following the instructions found there:
> > ).
> > The node is behind an haproxy that relays ipv6 traffic to natted ipv4 (with
> > no logging for those concerned). It seems to work fine for web content over
> > ipv6, and traffic on both ips (v4 and v6) goes through this channel.
> > I can successfully telnet my node ORPort using my v6 address. The
> > have been defined this way in torrc:
> > ORPort 0.0.0.0:9001 NoAdvertise
> > ORPort 22.214.171.124:9001 NoListen
> > ORPort [2001:41d0:1:84bc::1]:9001 NoListen
> > Is there a way to make a tor client connect to a specific relay to
> > this kind of connectivity issues? Or any other mean?
> > In the meantime I've removed the advertized ip6.
> > Regards,
> > Charly
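Added example, not part of the original thread and not Tor project code: a small torrc check for the condition described in the reply above, where an address family is advertised with NoListen but no ORPort line of that family is ever bound. The function names are hypothetical. It only handles ORPort lines with an explicit address, and it checks the bind side only, not whether traffic to the advertised address is actually forwarded to the listener.

```python
import ipaddress
import re

# Matches "ORPort ADDRESS:PORT [flags]"; ADDRESS is IPv4 or bracketed IPv6.
ORPORT_RE = re.compile(
    r"^\s*ORPort\s+(?:\[(?P<v6>[^\]]+)\]|(?P<v4>[\d.]+)):(?P<port>\d+)(?P<flags>.*)$",
    re.IGNORECASE,
)

# The three ORPort lines quoted in the thread.
PAGE_TORRC = """\
ORPort 0.0.0.0:9001 NoAdvertise
ORPort 22.214.171.124:9001 NoListen
ORPort [2001:41d0:1:84bc::1]:9001 NoListen
"""

# Same config plus the illustrative NoAdvertise listener from the reply.
FIXED_TORRC = PAGE_TORRC + "ORPort [fe80:cafe:cafe::2]:9001 NoAdvertise\n"


def parse_orports(torrc_text):
    """Return (family, address, port, advertised, listening) per ORPort line."""
    entries = []
    for line in torrc_text.splitlines():
        line = line.split("#", 1)[0]  # drop torrc comments
        m = ORPORT_RE.match(line)
        if not m:
            continue  # bare "ORPort PORT" lines are out of scope here
        addr = ipaddress.ip_address(m.group("v6") or m.group("v4"))
        flags = {f.lower() for f in m.group("flags").split()}
        entries.append((
            addr.version, str(addr), int(m.group("port")),
            "noadvertise" not in flags,  # NoAdvertise: bind, keep out of descriptor
            "nolisten" not in flags,     # NoListen: put in descriptor, do not bind
        ))
    return entries


def families_without_listener(torrc_text):
    """IP versions that are advertised but that Tor never binds to."""
    entries = parse_orports(torrc_text)
    advertised = {fam for fam, _, _, adv, _ in entries if adv}
    listening = {fam for fam, _, _, _, lis in entries if lis}
    return sorted(advertised - listening)


if __name__ == "__main__":
    print("original:", families_without_listener(PAGE_TORRC))   # IPv6 has no listener
    print("fixed:   ", families_without_listener(FIXED_TORRC))
```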