[tor-relays] ORPort NoAdvertise & NoListen Not Working
s7r
s7r at sky-ip.org
Tue Aug 17 15:36:24 UTC 2021
Gary C. New wrote:
> All:
>
> After reviewing several packet-traces of Tor bound directly to the
> Public Address:Port vs Tor bound to the Private Address:Port and
> Advertising the Public Address:Port, I believe I may have found the the
> issue.
>
> It appears that when Tor is bound directly to the Public Address:Port,
> the initial measurement connections are initiated from External Tor
> Nodes via High-Ports to the Public Address:Port over TLSv1.2 or TLSv1.3
> successfully passing self-test. However, when Tor is bound to the
> Private Address:Port and Advertising the Public Address:Port, the
> initial measurement connections are initiated from External Tor Nodes
> via High-Ports to the Public Address:Port over TLSv1.0. Tor does not
> like the TLSv1.0 connections and Resets them; thus, failing the
> self-test.
>
> The question is... Why are the initial measurement connections initiated
> from External Tor Nodes via High-Ports with the Private Address:Port
> binding and Public Advertised Address:Port combination over TLSv1.0?
>
> Has anyone successfully implemented the Private Address:Port binding and
> Public Advertised Address:Port combination that successfully passes
> self-test who would be kind enough to share their configuration?
>
> Is there a way to force the External Tor Nodes that initiate the
> measurement connections to use TLSv1.2 or TLSv1.3 with the Private
> Address:Port binding and Public Advertised Address:Port combination?
>
> Thanks, again, for your assistance.
>
> Respectfully,
>
>
> Gary
>
>
Thanks for running a relay, Gary.

Your problem does not make much sense to me, I need more information
about your setup. I am using the Public IP NoListen and Private IP
NoAdvertise configuration fine, the self test passes.

Where is the Public IP in your setup assigned to? A router in your
home/enterprise? Or something upstream at your ISP? What kind of
connection do you have from your ISP?

I saw in previous posts to this thread that you are using this setup
because your ISP blocks port 9001 (Tor relay) -- are you sure they just
blindly block the PROTOCOL:PORT configurations (such as TCP:9001) or are
they doing some deep packet inspections on all ports in order to block
Tor more efficiently?

Tor (when run as a relay) is not designed to protect or hide the fact
that it's running Tor from your ISP / upstream provider or network
administrator. Which is why they could inspect, detect and terminate
Tor traffic regardless of whether you put it on port 443. They can see
you are listening on port 443 but it's not an HTTPS daemon there. They
can see this if they look for it in the first place, that is why I am
asking if you are 100% sure they only block the PROTOCOL:PORT
combination or are they doing any advanced filtering for Tor?
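
The thread turns on which TLS version a packet trace shows for inbound connections. This added example (not from the post or from the Tor project) parses a ClientHello and reports the record-layer version separately from the versions the client actually offers; RFC 8446 allows the record layer of an initial ClientHello to carry 0x0301 (TLS 1.0) for compatibility even when TLS 1.3 is offered. The sample bytes are constructed, and all function names are illustrative assumptions.

```python
import struct

NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def build_client_hello(record_ver, legacy_ver, offered):
    """Constructed sample input (not a capture): a minimal ClientHello record."""
    sv = b"".join(struct.pack("!H", v) for v in offered)
    ext = struct.pack("!HHB", 0x002B, len(sv) + 1, len(sv)) + sv if offered else b""
    body = (struct.pack("!H", legacy_ver) + bytes(32)   # legacy_version, random
            + b"\x00"                                   # empty session_id
            + struct.pack("!HH", 2, 0x1301)             # one cipher suite
            + b"\x01\x00"                               # null compression only
            + struct.pack("!H", len(ext)) + ext)        # extensions block
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1
    return b"\x16" + struct.pack("!HH", record_ver, len(hs)) + hs

def parse_client_hello(rec):
    """Split out the three places a ClientHello states a TLS version."""
    if len(rec) < 9 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    record_ver, rlen = struct.unpack_from("!HH", rec, 1)
    if len(rec) < 5 + rlen:
        raise ValueError("truncated record")
    p = 9                                           # record (5) + handshake (4) headers
    legacy_ver = struct.unpack_from("!H", rec, p)[0]
    p += 2 + 32                                     # legacy_version + random
    p += 1 + rec[p]                                 # session_id
    p += 2 + struct.unpack_from("!H", rec, p)[0]    # cipher_suites
    p += 1 + rec[p]                                 # compression_methods
    offered = []
    if p + 2 <= len(rec):                           # extensions are optional
        end = p + 2 + struct.unpack_from("!H", rec, p)[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", rec, p)
            if etype == 0x002B:                     # supported_versions
                raw = rec[p + 5:p + 5 + rec[p + 4]]
                offered = [v for (v,) in struct.iter_unpack("!H", raw)]
            p += 4 + elen
    return {"record": record_ver, "legacy": legacy_ver, "offered": offered}

def highest_offered(info):
    """supported_versions overrides legacy_version; unknown (GREASE) values are ignored."""
    known = [v for v in info["offered"] if v in NAMES]
    return NAMES[max(known or [info["legacy"]])]

if __name__ == "__main__":
    info = parse_client_hello(build_client_hello(0x0301, 0x0303, [0x0304, 0x0303]))
    print("record layer:", NAMES[info["record"]], "| negotiable up to:", highest_offered(info))
```

To use it on a real trace, pass the raw TCP payload of the first client packet to `parse_client_hello` and compare its result with the version in the ServerHello, which is what the connection actually negotiated.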