[tor-relays] ORPort NoAdvertise & NoListen Not Working
Hi!
I'm having issues when implementing the NoAdvertise & NoListen options of the ORPort directive and am hoping someone here might be able to point me in the right direction.
I can get Tor to successfully work as a relay without using the NoAdvertise & NoListen options of the ORPort directive, but for certain reasons I need to configure Tor on a Private Address.
### ORPort WITHOUT NoAdvertise & NoListen (SUCCEEDS) ###
Note: Successful Self-testing logs WITHOUT NoAdvertise & NoListen
Aug 13 00:26:42.000 [notice] Self-testing indicates your ORPort 198.91.60.78:443 is reachable from the outside. Excellent. Publishing server descriptor.
Aug 13 00:27:49.000 [notice] Performing bandwidth self-test...done.
Note: Successful Self-testing torrc WITHOUT NoAdvertise & NoListen
# cat /tmp/torrc
Nickname ASUSWRTMerlinRelay
ORPort 198.91.60.78:443
SocksPort 9050
SocksPort 192.168.0.1:9050
ControlPort 9051
ExitRelay 0
DirCache 0
MaxMemInQueues 192 MB
GeoIPFile /opt/share/tor/geoip
Log notice file /tmp/torlog
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 192.168.0.1:9040
DNSPort 192.168.0.1:9053
RunAsDaemon 1
DataDirectory /tmp/tor/torrc.d/.tordb
AvoidDiskWrites 1
User tor
ContactInfo tor-operator@your-emailaddress-domain
Note: Nyx shows Tor building the initial 5 measurement circuits and then successfully continuing to build new circuits
# nyx
nyx - gnutech-wap01 (Linux 2.6.36.4b...) Tor 0.4.5.7 (recommended)
ASUSWRTMerlinRelay - 198.91.60.78:443, Control Port (open): 9051
cpu: 30.4% tor, 62.1% nyx mem: 53 MB (21.4%) pid: 14372 uptime: 05:18
fingerprint: 02DD61E41B3739C629C5CF8CEBA6000290BC3E7B
flags: Fast, Running, Valid
page 2 / 5 - m: menu, p: pause, h: page help, q: quit
Connections (807 outbound, 9 circuit, 1 control):
Note: Openssl s_client is successfully CONNECTED to the Public Address
# openssl s_client -connect 198.91.60.78:443
CONNECTED(00000003)
depth=0 CN = www.uy24fd6wkrzss.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = www.uy24fd6wkrzss.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=www.uy24fd6wkrzss.net
i:/CN=www.bu5cm42gttwqzick.com
---
Server certificate
subject=/CN=www.uy24fd6wkrzss.net
issuer=/CN=www.bu5cm42gttwqzick.com
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1058 bytes and written 428 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID:
Session-ID-ctx:
Master-Key: BC7B6CA79A1466768EAE37C7D591FB57F2D351E75B4C43AB16C8B8CBCBEB8E4BA4EDE2FEED8D4036D045F42F3F029585
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1628842910
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
However, Tor fails to work as a relay using the NoAdvertise & NoListen options of the ORPort directive, even though Openssl s_client is successfully CONNECTED to the Public Address.
### ORPort WITH NoAdvertise & NoListen (FAILS) ###
Note: Failed Self-testing logs WITH NoAdvertise & NoListen
Aug 13 01:01:46.000 [notice] Now checking whether IPv4 ORPort 198.91.60.78:443 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
Aug 13 01:21:45.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at 198.91.60.78:443. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Note: Failed Self-testing torrc WITH NoAdvertise & NoListen
# cat /tmp/torrc
Nickname ASUSWRTMerlinRelay
ORPort 198.91.60.78:443 NoListen
ORPort 192.168.0.1:9001 NoAdvertise
SocksPort 9050
SocksPort 192.168.0.1:9050
ControlPort 9051
ExitRelay 0
DirCache 0
MaxMemInQueues 192 MB
GeoIPFile /opt/share/tor/geoip
Log notice file /tmp/torlog
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 192.168.0.1:9040
DNSPort 192.168.0.1:9053
RunAsDaemon 1
DataDirectory /tmp/tor/torrc.d/.tordb
AvoidDiskWrites 1
User tor
ContactInfo tor-operator@your-emailaddress-domain
Note: Confirmed that the necessary PortForward between the Public & Private Addresses is in place
# iptables -t nat -S | grep :9001
-A VSERVER -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.1:9001
Note: Nyx shows Tor building the initial 5 measurement circuits, but after some time it fails and only shows the outbound & control connections.
# nyx
nyx - 192.168.0.1 (Linux 2.6.36.4b...) Tor 0.4.5.7 (recommended)
ASUSWRTMerlinRelay - 192.168.0.1:9001, Control Port (open): 9051
cpu: 10.6% tor, 3.2% nyx mem: 55 MB (22.2%) pid: 5374 uptime: 56:32
fingerprint: 02DD61E41B3739C629C5CF8CEBA6000290BC3E7B
flags: Fast, Running, Valid
page 2 / 5 - m: menu, p: pause, h: page help, q: quit
Connections (2289 outbound, 1 control):
Note: Openssl s_client is successfully CONNECTED to the Public Address
# openssl s_client -connect 198.91.60.78:443
CONNECTED(00000003)
depth=0 CN = www.uy24fd6wkrzss.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = www.uy24fd6wkrzss.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=www.uy24fd6wkrzss.net
i:/CN=www.bu5cm42gttwqzick.com
---
Server certificate
subject=/CN=www.uy24fd6wkrzss.net
issuer=/CN=www.bu5cm42gttwqzick.com
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1058 bytes and written 428 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID:
Session-ID-ctx:
Master-Key: BC7B6CA79A1466768EAE37C7D591FB57F2D351E75B4C43AB16C8B8CBCBEB8E4BA4EDE2FEED8D4036D045F42F3F029585
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1628842910
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
What am I missing? Am I implementing the NoAdvertise & NoListen options of the ORPort directive incorrectly?
Thank you for your assistance.
Respectfully,
Gary
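Added example (not part of Gary's post, and not Tor's own code): a small checker that reads the ORPort lines from a torrc and the DNAT rules from `iptables -t nat -S`, and verifies that every advertised-but-not-listening ORPort (NoListen) is forwarded to an address:port that tor actually listens on (NoAdvertise). The sample torrc and nat rule are constructed from the lines quoted above; for that configuration the check passes, which narrows the fault to something the static config cannot show (filtering of the DNATed packets, or the reachability probe itself).

```python
import re
from dataclasses import dataclass

# Constructed sample input, copied from the failing torrc and nat rule in the post.
TORRC = """\
Nickname ASUSWRTMerlinRelay
ORPort 198.91.60.78:443 NoListen
ORPort 192.168.0.1:9001 NoAdvertise
SocksPort 9050
"""
NAT_RULES = "-A VSERVER -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.1:9001\n"

@dataclass(frozen=True)
class ORPort:
    addr: str
    port: int
    flags: frozenset  # e.g. {"NoListen"}, {"NoAdvertise"}, or empty

def parse_orports(torrc):
    """Collect ORPort lines; a bare 'ORPort 9001' means listen on all addresses."""
    ports = []
    for line in torrc.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "ORPort":
            continue
        addr, _, port = parts[1].rpartition(":")
        ports.append(ORPort(addr or "0.0.0.0", int(port), frozenset(parts[2:])))
    return ports

def parse_dnat(rules):
    """Map public dport -> (inner addr, inner port) from 'iptables -t nat -S' output."""
    mapping = {}
    for line in rules.splitlines():
        m = re.search(r"--dport (\d+) -j DNAT --to-destination ([\d.]+):(\d+)", line)
        if m:
            mapping[int(m.group(1))] = (m.group(2), int(m.group(3)))
    return mapping

def check(torrc, rules):
    """Return a list of inconsistencies between advertised ports, listeners and DNAT."""
    ports = parse_orports(torrc)
    advertised = [p for p in ports if "NoAdvertise" not in p.flags]
    listening = [p for p in ports if "NoListen" not in p.flags]
    dnat = parse_dnat(rules)
    problems = []
    for a in advertised:
        if a in listening:
            continue  # plain ORPort: tor listens on the advertised address itself
        target = dnat.get(a.port)
        if target is None:
            problems.append(f"advertised {a.addr}:{a.port} has no DNAT rule")
        elif not any((l.addr, l.port) == target for l in listening):
            problems.append(f"DNAT for port {a.port} goes to {target[0]}:{target[1]}, not a tor listener")
    if not advertised:
        problems.append("no advertised ORPort")
    if not listening:
        problems.append("no listening ORPort")
    return problems
```

Run `check(TORRC, NAT_RULES)` against your own torrc and nat dump; an empty list means the NoListen/NoAdvertise pair and the port forward agree, and the next thing to inspect is the filter table (INPUT/FORWARD) for the DNATed destination.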