[tor-talk] UseEntryGuards: 0?

Fran fatal at mailbox.org
Sun Aug 15 19:48:55 UTC 2021

Thanks for the quick reply Roger!

> First question: what do you mean by false positives? That is, is the
> monitor script telling you that it's down but actually every time
> you try manually it works? If that's what's happening, it sounds like
> there's a bug or mis-design in the monitoring approach, and that's worth
> tracking down.

 > 20 onion services are monitored by the host, sometimes 1 - 4 services
are reported down, the rest seems to be fine. Therefore I assume tor on the host
to be generally fine as well. I can open the reported onion services from my laptop
without problems, so tor on the machines running the services also seems to work.

Before using the prometheus exporter I did the checks using old school
nagios check-tcp[1] plugin in combination with torify and these issues already
occured there.

> Whereas if the problem is that actually the onion service is unreliable
> and not always reachable, then it sounds like a *true* positive from
> the monitor.

So probably it's "half true". The services are reachable, but not via every route
in the tor network, in this case not via the route the monitoring host is taking.
What surprises me is the fact that this occurs even with a hold timer of 1h in

> If they are true positives, I think it sounds like a great idea to do an
> experiment where you switch to UseEntryGuards 0 for the services where
> you don't mind having their location known. Let us know if it improves
> things. :)

Rolled it out and will report back.

> We also spoke in the past of having an 'onion service health monitor',
> which would help to pinpoint *which phase* of the connection is failing,
> and I continue to think that would be really valuable but we never quite
> got there. See e.g.
> https://gitlab.torproject.org/tpo/network-health/metrics/analysis/-/issues/13209
> https://gitlab.torproject.org/tpo/core/tor/-/issues/28841

something like that would be really great!


[1] https://www.monitoring-plugins.org/doc/man/check_tcp.html

More information about the tor-talk mailing list