s7r wrote:
> Hi there,
>
> Thanks for running a relay.
>
> IPv6 is not intended to be used that way. IPv6 was designed to ensure
> end to end connectivity, given it's not a scarce resource each device
> should have its own public IPv6 address and you can implement whatever
> filters or restrictions the haproxy provides at an upstream firewall or
> router or something.
>
> Back to the subject, your setup will not work because your Tor daemon is
> not listening on any IPv6 address.
>
> You have this line in your torrc:
>
> ORPort [2001:41d0:1:84bc::1]:9001 NoListen
>
> and this means to advertise this address and port in the descriptor but
> NOT BIND TO IT.
>
> So, you must add a secondary NoAdvertise address, where the Tor daemon
> can actually bind and listen to. That is why the cleanest way was to
> have the public IPv6 address assigned directly to the box. The same as
> you did for IPv4 actually.
>
> You can do some forwarding between haproxy and the Tor server to still
> advertise the haproxy public IPv6 address and somehow forward using link
> local addresses (fe80::/16) or 6-to-4 (::ffff:192:168:1:2 or whatever
> NAT IPv4 class you use) between haproxy and Tor, but this seems
> overkill. You need to make sure nothing blocks or drops ICMPv6 (IPv6
> needs it) and also you are not filtering fe80::/16 and fc00:/16 classes
> as well as UDP port 546. Remember that link local IPv6 addresses change
> if you change the interface (ethernet port) or even its name, so you
> must always update the rules and torrc config. This is why I am telling
> you it's overkill, and I am only explaining how to theoretically do it
> in order for you to understand how things work, not to actually do it
> because it's pointless and overkill.
>
> Then you would have (if the Tor server would actually have this link
> local address - this is just a dumb example):
> ORPort [fe80:cafe:cafe::2]:9001 NoAdvertise
>
> So it would bind to it.
>
> Hope this clarifies.
> Please assign the IPv6 directly, there are exactly
> 0 reasons not to do it.
>
> -s7r
>
> Charly Ghislain wrote:
>> ok, maybe I haven't waited that long. I will put it back and come back
>> to you in a couple of days.
>> I must say I would be surprised it would take so long to check connectivity.
>>
>>
>> On Sat, Feb 23, 2019 at 4:02 PM Blicky <tor@xxxxxxxxxx> wrote:
>>
>> Hi,
>>
>> For how long have you advertised the v6 address? My relays also received
>> the UnreachableIpv6 flag shortly after I setup IPv6, but after 24 hours
>> that automatically turned into ReachableIPv6. I'm guessing it takes some
>> time for the measurements to take place and propagate.
>>
>> I can reach your IPv6 address on that port, so the network configuration
>> is fine, at least.
>>
>> Regards,
>>
>> Blicky.
>>
>> On 2019-02-23, Charly Ghislain wrote:
>> > Hi all,
>> >
>> > My tor relay has got the UnreachableIpv6 flag set once I mentioned an
>> > OrPort with my ipv6 address.
>> >
>> > From what I can tell, my server is reachable over ipv6, and can
>> > contact the directory authorities through ipv6 (following the
>> > instructions found there:
>> > https://trac.torproject.org/projects/tor/wiki/TorRelayGuide#Makesurerelayportscanbereached
>> > ).
>> >
>> > The node is behind a haproxy that relays ipv6 traffic to natted
>> > ipv4 (with no logging for those concerned). It seems to work fine for
>> > web content over ipv6, and traffic on both ips (v4 and v6) goes
>> > through this channel.
>> >
>> > I can successfully telnet my node ORPort using my v6 address. The
>> > ports have been defined this way in torrc:
>> > ORPort 0.0.0.0:9001 NoAdvertise
>> > ORPort 91.121.79.188:9001 NoListen
>> > ORPort [2001:41d0:1:84bc::1]:9001 NoListen
>> >
>> > Is there a way to make a tor client connect to a specific relay to
>> > debug this kind of connectivity issue? Or any other means?
>> >
>> > In the meantime I've removed the advertised ip6.
>> >
>> > Regards,
>> >
>> > Charly
>>

And thanks for actually discovering a potential bug with this weird setup -- I have just logged #29570: https://trac.torproject.org/projects/tor/ticket/29570
So we may avoid this happening even in rare use cases.
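The mismatch s7r spotted by eye (an IPv6 address advertised with NoListen while only IPv4 is bound) is easy to catch mechanically before a relay ever earns the UnreachableIPv6 flag. The script below is an added example, not code from the thread, from Tor, or from any of the posters: it parses the ORPort lines of a torrc and reports any address family that is advertised (a plain entry or one flagged NoListen) without an ORPort that actually binds that family (a plain entry or one flagged NoAdvertise). The first sample torrc is the three lines Charly quoted; the "fixed" variant and all function names are this example's own assumptions.

```python
"""Added example: check a torrc's ORPort lines for the NoListen/NoAdvertise
mismatch from the thread. An address advertised to the directory (a plain
ORPort or one flagged NoListen) must be backed by a listener of the same IP
family (a plain ORPort or one flagged NoAdvertise), or the relay advertises
an address nothing is bound to. Function names and the "fixed" torrc are
this example's own; the first torrc is the one quoted in the thread."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# "ORPort <addr-or-port> [flags...]"; Tor treats option names case-insensitively.
ORPORT_RE = re.compile(r"^ORPort\s+(\S+)(.*)$", re.IGNORECASE)
V6_RE = re.compile(r"^\[([0-9A-Fa-f:.]+)\]:(\d+)$")       # [2001:db8::1]:9001
V4_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")  # 192.0.2.1:9001
PORT_RE = re.compile(r"^(\d+)$")                          # bare port: 9001


@dataclass
class ORPortEntry:
    raw: str
    address: Optional[str]                        # None for a bare port number
    port: int
    flags: Set[str] = field(default_factory=set)  # lower-cased flag names

    @property
    def family(self) -> str:
        if self.address is None:  # a bare port binds IPv4 unless IPv6Only is given
            return "IPv6" if "ipv6only" in self.flags else "IPv4"
        return "IPv6" if ipaddress.ip_address(self.address).version == 6 else "IPv4"

    @property
    def listens(self) -> bool:     # NoListen = advertise only, do not bind
        return "nolisten" not in self.flags

    @property
    def advertises(self) -> bool:  # NoAdvertise = bind only, keep out of the descriptor
        return "noadvertise" not in self.flags


def parse_orports(torrc_text: str) -> List[ORPortEntry]:
    """Return every ORPort line of a torrc as an ORPortEntry; comments are ignored."""
    entries = []
    for line in torrc_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = ORPORT_RE.match(line)
        if not m:
            continue
        target, flags = m.group(1), {f.lower() for f in m.group(2).split()}
        if (m6 := V6_RE.match(target)):
            addr, port = m6.group(1), int(m6.group(2))
        elif (m4 := V4_RE.match(target)):
            addr, port = m4.group(1), int(m4.group(2))
        elif (mp := PORT_RE.match(target)):
            addr, port = None, int(mp.group(1))
        else:
            raise ValueError(f"unrecognised ORPort target: {target!r}")
        if addr is not None:
            ipaddress.ip_address(addr)  # rejects malformed literals early
        entries.append(ORPortEntry(line, addr, port, flags))
    return entries


def check_orports(torrc_text: str) -> List[str]:
    """Return one finding per ORPort line that advertises a family nothing binds,
    plus one for any line that is both NoListen and NoAdvertise (a no-op)."""
    entries = parse_orports(torrc_text)
    bound_families = {e.family for e in entries if e.listens}
    findings = []
    for e in entries:
        if not e.listens and not e.advertises:
            findings.append(f"{e.raw}: NoListen together with NoAdvertise does nothing")
        elif e.advertises and e.family not in bound_families:
            findings.append(
                f"{e.raw}: advertises an {e.family} address but no ORPort binds "
                f"{e.family}; add an {e.family} ORPort without NoListen "
                f"(flag it NoAdvertise if that address must stay out of the descriptor)"
            )
    return findings


# The torrc quoted in the thread: IPv6 is advertised, but only IPv4 is bound.
THREAD_TORRC = """\
ORPort 0.0.0.0:9001 NoAdvertise
ORPort 91.121.79.188:9001 NoListen
ORPort [2001:41d0:1:84bc::1]:9001 NoListen
"""

# Constructed "fixed" variant following s7r's advice: the public IPv6 address is
# assigned to the box itself, so a plain ORPort both binds and advertises it.
FIXED_TORRC = """\
ORPort 0.0.0.0:9001 NoAdvertise
ORPort 91.121.79.188:9001 NoListen
ORPort [2001:41d0:1:84bc::1]:9001
"""

if __name__ == "__main__":
    for name, text in (("thread torrc", THREAD_TORRC), ("fixed torrc", FIXED_TORRC)):
        print(f"{name}: {check_orports(text) or ['OK']}")
```

Run it against the thread's torrc and it flags only the IPv6 line; against the fixed variant it reports nothing. It is a static check on the configuration only: it does not tell you whether the address is actually routed to the box or whether the directory authorities can reach it, which is what Blicky's manual connection test and the ReachableIPv6 flag eventually confirm.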
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays