
Re: [tor-relays] ORPort NoAdvertise & NoListen Not Working



Gary C. New wrote:
All:

After reviewing several packet-traces of Tor bound directly to the Public Address:Port vs Tor bound to the Private Address:Port and Advertising the Public Address:Port, I believe I may have found the issue.

It appears that when Tor is bound directly to the Public Address:Port, the initial measurement connections are initiated from External Tor Nodes via High-Ports to the Public Address:Port over TLSv1.2 or TLSv1.3, successfully passing self-test. However, when Tor is bound to the Private Address:Port and Advertising the Public Address:Port, the initial measurement connections are initiated from External Tor Nodes via High-Ports to the Public Address:Port over TLSv1.0. Tor does not like the TLSv1.0 connections and Resets them; thus, failing the self-test.

The question is... Why are the initial measurement connections initiated from External Tor Nodes via High-Ports with the Private Address:Port binding and Public Advertised Address:Port combination over TLSv1.0?

Has anyone successfully implemented the Private Address:Port binding and Public Advertised Address:Port combination that successfully passes self-test who would be kind enough to share their configuration?

Is there a way to force the External Tor Nodes that initiate the measurement connections to use TLSv1.2 or TLSv1.3 with the Private Address:Port binding and Public Advertised Address:Port combination?

Thanks, again, for your assistance.

Respectfully,


Gary



Thanks for running a relay Gary.

Your problem does not make much sense for me, I need more information about your setup. I am using the Public IP NoListen and Private IP NoAdvertise configuration fine, the self test passes.

Where is the Public IP in your setup assigned to? A router in your home/enterprise? Or something upstream at your ISP? What kind of connection do you have from your ISP?

I saw in previous posts to this thread that you are using this setup because your ISP blocks port 9001 (Tor relay) -- are you sure they just blindly block the PROTOCOL:PORT configurations (such as TCP:9001) or are they doing some deep packet inspections on all ports in order to block Tor more efficiently?

Tor (when run as a relay) is not designed to protect or hide the fact that it's running Tor from your ISP / upstream provider or network administrator. Which is why they could inspect, detect and terminate Tor traffic regardless of whether you put it on port 443. They can see you are listening on port 443 but it's not an HTTPS daemon there. They can see this if they look for it in the first place, that is why I am asking if you are 100% sure they only block the PROTOCOL:PORT combination or are they doing any advanced filtering for Tor?



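A check a relay operator can run on the ClientHello bytes pulled from such a trace, added here as an example that is not part of this thread: a TLS ClientHello carries three separate version fields (the record-layer version, the legacy_version in the hello body, and the supported_versions extension), and a viewer that labels only the record layer can report "TLSv1.0" for a hello that actually offers TLSv1.2 and TLSv1.3. The sample ClientHello bytes below are constructed for the example, not taken from a capture.

```python
import struct

SUPPORTED_VERSIONS_EXT = 0x002B
VERSION_NAMES = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def build_client_hello(record_version=0x0301, legacy_version=0x0303, versions=(0x0304, 0x0303)):
    """Constructed sample ClientHello record (not a real capture). versions=None omits the extension."""
    ext = b""
    if versions is not None:
        ext_body = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
        ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(ext_body)) + ext_body
    body = (struct.pack("!H", legacy_version) + b"\x00" * 32   # legacy_version + 32-byte random
            + b"\x00"                                            # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"                  # one cipher suite
            + b"\x01\x00"                                         # compression: null only
            + struct.pack("!H", len(ext)) + ext)                  # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello(1)
    return struct.pack("!BHH", 0x16, record_version, len(handshake)) + handshake

def parse_client_hello(data):
    """Return the three version fields of a ClientHello and the highest version it offers."""
    content_type, record_version, record_len = struct.unpack("!BHH", data[:5])
    if content_type != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = data[5:5 + record_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    legacy_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                   # skip legacy_version and random
    pos += 1 + body[pos]                           # skip session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    pos += 1 + body[pos]                           # skip compression_methods
    supported = []
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:                      # walk extensions looking for supported_versions
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == SUPPORTED_VERSIONS_EXT:
                supported = [struct.unpack("!H", edata[1 + i:3 + i])[0] for i in range(0, edata[0], 2)]
    highest = max(supported) if supported else legacy_version   # pre-1.3 clients have no extension
    return {"record_version": record_version, "legacy_version": legacy_version,
            "supported_versions": supported, "highest_offered": VERSION_NAMES.get(highest, hex(highest))}
```

Feed it the raw bytes of the first record on the connection; a hello whose highest_offered is TLSv1.2 or TLSv1.3 is not a TLSv1.0 client, whatever the record layer says.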

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays