UseEntryGuards: 0?

Roger Dingledine arma at torproject.org
Sun Aug 15 18:44:00 UTC 2021

On Sun, Aug 15, 2021 at 04:22:53PM +0200, Fran wrote:
> I run some onion v3 services, some are also available in the "clear net", some
> only as onion services. I monitor[1] reachability of the onion services which results
> in quite some false positives, although I configured alertmanager to alert after > 1 hour (!)
> of failed connection attempts.  I'd like to reduce these false positives and thought
> of using "UseEntryGuards: 0" to have circuits rebuilt more often.
> I'd only do this for the onion services which are also reachable in the non-Tor internet
> and therefore their IP addresses are known anyway.

First question: what do you mean by false positives? That is, is the
monitor script telling you that it's down but actually every time
you try manually it works? If that's what's happening, it sounds like
there's a bug or mis-design in the monitoring approach, and that's worth
tracking down.

Whereas if the problem is that actually the onion service is unreliable
and not always reachable, then it sounds like a *true* positive from
the monitor.

If they are true positives, I think it sounds like a great idea to do an
experiment where you switch to UseEntryGuards 0 for the services where
you don't mind having their location known. Let us know if it improves
things. :)

We also spoke in the past of having an 'onion service health monitor',
which would help to pinpoint *which phase* of the connection is failing,
and I continue to think that would be really valuable but we never quite
got there. See e.g.


