Re: [tor-relays] Why is my Tor bridge relay not getting any traffic?

2019-08-27 Thread teor 
Hi,

> On 28 Aug 2019, at 14:21, Hikari  wrote:
> 
> So, it's just that few people receive my bridge from BridgeDB. So it's a 
> guard relay, right? What am I lacking to receive a guard flag?

Guards and Bridges are different.

Bridges are secret entry nodes for a few Tor clients.

Guards are public entry nodes for any Tor client.
But they are easier to block, because they are public.

> And what about being a middle relay?  Shouldn't it be used more frequently in 
> this mode?

Middle relays are public middle nodes for any Tor client.

Bridges can't be used as middles, because bridge addresses are secret.

> I have obfs3 and obfs4 enabled, but I've never tested them. And never got any 
> error message either.

You can test them with Tor Browser, but it takes a bit of cut and paste work.
Look up the obfs4 instructions for the location of the bridge line file.

If you'd like to get more bridge traffic, start another few bridges on different
ports on the same IP, or different IPs.

> Another question. I currently have Address setting on torrc pointing to a 
> domain handled by no-ip. I have 2 ISPs in load balancing, and before this 
> setting I was having very frequent log messages saying my IP had changed, 
> because each time Tor made its test it was using a different route. Isn't it 
> possible to use Tor in load balancing?

There are different kinds of load balancing.

Tor relays and bridges can only advertise a single IPv4 address.
Tor relays can also advertise an IPv6 address.
We're working on dual-stack advertised addresses for bridges.

So Tor works well when your AS announces your relay's IP address on multiple
upstream routers.

If you have different IP addresses for each upstream, you can:
* Run a separate Tor instance for each address, or
* Set (inbound) Address to one upstream, and OutboundBindAddress to another.

> I'm buying a Ubiquiti EdgeRouter X to put OpenWRT. If everything works, in 
> the near future I'll have IPv6 and load balancing working, but no-ip seems to 
> not support IPv6. How should I setup my relay to use both ISPs and IPv4 + 
> IPv6 with dynamic addresses?

Address supports DNS for IPv4 addresses.

IPv6 is only supported for ORPort (relays) and ServerTransportListenAddr 
(bridges).
Tor doesn't have support for dynamic IPv6 yet.

Can your provider allocate static IPv6?
It should have a pool of millions of IPv6 addresses, so static should be easy.

We're trying to make IPv6 support better, but I don't know when we will
get funding to fix these particular issues.

T


signature.asc
Description: Message signed with OpenPGP
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] attack on my Finland exit/backup directory [9B31F1F1C1554F9FFB3455911F82E818EF7C7883]

2019-08-27 Thread teor 
Hi,

> On 28 Aug 2019, at 14:34, potlatch  wrote:
> 
> I still haven't been able to rid myself of the Iranian servers revealed on 
> the NYX connections page.I don't know their purpose but they slow the 
> relay by about 85%.  I have dropped them in the iptable input chain, 
> restarted the VPS, but they show up after a day or two in spite.

Maybe you could:
* rate-limit new connections from that address block, or
* limit the total number of connections from that address block.

I have used similar firewall settings to deal with client DDoS on guard relays.
Search the list archives for detailed instructions.

> Today there were 121 of them with a large range of IPs.  There have been as 
> many as 1400 in a single day.  None have identifiable hashed fingerprints.
> I've enclosed a couple attachments of my input table (partial) and the NYX 
> connection page (also partial).

Please don't publicly post user IP addresses.

Publishing user IP addresses can put users in danger, particularly in repressive
countries, and for users who are targeted by their state authorities.

Future posts from your email address will require moderator approval.

> Can anyone enlighten me regarding this situation?  I will probably dump the 
> exit relay if I can't fix this intrusion.  Thanks people!!

Thanks for running a relay. I realise that this extra traffic is annoying.
But your relay is helping other Tor users, and other relays, by soaking up
this extra traffic.

We are working on a solution to this issue, but it might take some time.

T



signature.asc
Description: Message signed with OpenPGP
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Why is my Tor bridge relay not getting any traffic?

2019-08-27 Thread Hikari 
So, it's just that few people receive my bridge from BridgeDB. So it's a 
guard relay, right? What am I lacking to receive a guard flag?


And what about being a middle relay?  Shouldn't it be used more 
frequently in this mode?


I have obfs3 and obfs4 enabled, but I've never tested them. And never 
got any error message either.




Another question. I currently have Address setting on torrc pointing to 
a domain handled by no-ip. I have 2 ISPs in load balancing, and before 
this setting I was having very frequent log messages saying my IP had 
changed, because each time Tor made its test it was using a different 
route. Isn't it possible to use Tor in load balancing?


I'm buying a Ubiquiti EdgeRouter X to put OpenWRT. If everything works, 
in the near future I'll have IPv6 and load balancing working, but no-ip 
seems to not support IPv6. How should I setup my relay to use both ISPs 
and IPv4 + IPv6 with dynamic addresses?


Thanks a lot for the help and patience!
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Why is my Tor bridge relay not getting any traffic?

2019-08-27 Thread Hikari 

a got it! so that's why my monitor isn't counted lol

I'll get a Tor Browser running to test it later then, and also its speed.


On 28/08/2019 12:22 AM, Roger Dingledine wrote:

On Tue, Aug 27, 2019 at 11:22:33PM +0200, Tor Patatje wrote:

You don't connect to your bridge, you connect to the tor network if you use
the socks5. So yes, the check passes, because it's being sent over the tor
network, not using your bridge but using tor's socks5 proxy.

[...]
And why is it reporting 0 unique clients even though my monitor connects
to it?

It connects to Tor's SOCKS and goes to check.torproject.org, if it
receives a text back and this text has congratulations message it calls
hc-ping.com. So, wasn't my monitor meant to be counted?

Right -- your test is trying to use your bridge as a local client on
the socks port, like you are the local user.

Whereas the client count that your bridge tracks is how many people,
using their own external Tor, make a TLS connection to your bridge
(and then build circuits through your bridge to other Tor relays).

So the user count is working correctly -- it is ignoring the local socks
connections, because they don't represent external users. It will only
count people who connect to your ORPort and, if you're offering obfs4,
to your obfs4 port.

Hope that helps,
--Roger

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

[tor-relays] attack on my Finland exit/backup directory [9B31F1F1C1554F9FFB3455911F82E818EF7C7883]

2019-08-27 Thread potlatch 
I still haven't been able to rid myself of the Iranian servers revealed on the 
NYX connections page.I don't know their purpose but they slow the relay by 
about 85%.  I have dropped them in the iptable input chain, restarted the VPS, 
but they show up after a day or two in spite.  Today there were 121 of them 
with a large range of IPs.  There have been as many as 1400 in a single day.  
None have identifiable hashed fingerprints.
I've enclosed a couple attachments of my input table (partial) and the NYX 
connection page (also partial).
Can anyone enlighten me regarding this situation?  I will probably dump the 
exit relay if I can't fix this intrusion.  Thanks people!!
-potlatch

Sent with [ProtonMail](https://protonmail.com) Secure Email. Copy/paste from NYX connection page:


  5.58.172.86:36094 (ua)  -->  185.100.86.128:9001
F99AC266F27B4DE798AD35E0507E92CC2B2D37CC  snap269   
  
 │ 5.62.197.249:30167 (ir) -->  185.100.86.128:9001UNKNOWN
   UNKNOWN  

 │ 5.74.53.239:53198 (ir)  -->  185.100.86.128:9001UNKNOWN
   UNKNOWN  
   
 │ 5.74.134.131:35586 (ir) -->  185.100.86.128:9001UNKNOWN
   UNKNOWN  

 │ 5.74.201.30:49994 (ir)  -->  185.100.86.128:9001UNKNOWN
   UNKNOWN  

 │ 5.78.85.136:16886 (ir)  -->  185.100.86.128:9001UNKNOWN
   UNKNOWN  

 │ 5.79.68.161:42070 (nl)  -->  185.100.86.128:9001UNKNOWN
   UNKNOWN  
   
 │ 5.79.68.161:42249 (nl)  -->  185.100.86.128:9001UNKNOWN
   UNKNOWN  
   
 │ 5.79.79.133:58878 (nl)  -->  185.100.86.128:9001
D079D6818926684C5979C18171FB18862A4A5792  beerbox   
  
 │ 5.106.15.187:34071 (ir) -->  185.100.86.128:9001UNKNOWN
   UNKNOWN  
   
 │ 5.106.19.20:59146 (ir)  -->  185.100.86.128:9001UNKNOWN
   UNKNOWN  
   
 │ 5.106.42.80:35670 (ir)  -->  185.100.86.128:9001UNKNOWN
   UNKNOWN  

 │ 5.106.60.101:44159 (ir) -->  185.100.86.128:9001UNKNOWN
   UNKNOWN  
   
 │ 5.106.102.99:41222 (ir) -->  185.100.86.128:9001UNKNOWN
   UNKNOWN  

 │ 5.106.104.39:51174 (ir) -->  185.100.86.128:9001UNKNOWN
   UNKNOWN  
   
 │ 5.106.121.163:50244 (ir)-->  185.100.86.128:9001UNKNOWN
   UNKNOWN  

 │ 5.106.137.101:48599 (ir)-->  185.100.86.128:9001UNKNOWN
   UNKNOWN  

 │ 5.106.223.36:33400 (ir) -->  185.100.86.128:9001UNKNOWN
   UNKNOWN  
   
 │ 5.115.47.135:42094 (ir) -->  185.100.86.128:9001UNKNOWN
   UNKNOWN  

 │ 5.115.58.244:25599 (ir) -->  185.100.86.128:9001UNKNOWN
   UNKNOWN  
   
 │ 5.115.60.187:38099 (ir) -->  185.100.86.128:9001UNKNOWN
   UNKNOWN  
   
 │ 5.115.70.18:44016 (ir)  -->  185.100.86.128:9001UNKNOWN
   UNKNOWN  
   
 │ 5.115.133.149:30367 (ir)-->  185.100.86.128:9001UNKNOWN
   UNKNOWN  

 │ 5.115.151.171:3110 (ir) -->  185.100.86.128:9001UNKNOWN

Re: [tor-relays] Why is my Tor bridge relay not getting any traffic?

2019-08-27 Thread Roger Dingledine 
On Tue, Aug 27, 2019 at 11:22:33PM +0200, Tor Patatje wrote:
> You don't connect to your bridge, you connect to the tor network if you use
> the socks5. So yes, the check passes, because it's being sent over the tor
> network, not using your bridge but using tor's socks5 proxy.

> > [...]
> > And why is it reporting 0 unique clients even though my monitor connects
> > to it?
> > 
> > It connects to Tor's SOCKS and goes to check.torproject.org, if it
> > receives a text back and this text has congratulations message it calls
> > hc-ping.com. So, wasn't my monitor meant to be counted?

Right -- your test is trying to use your bridge as a local client on
the socks port, like you are the local user.

Whereas the client count that your bridge tracks is how many people,
using their own external Tor, make a TLS connection to your bridge
(and then build circuits through your bridge to other Tor relays).

So the user count is working correctly -- it is ignoring the local socks
connections, because they don't represent external users. It will only
count people who connect to your ORPort and, if you're offering obfs4,
to your obfs4 port.

Hope that helps,
--Roger

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Why is my Tor bridge relay not getting any traffic?

2019-08-27 Thread Tor Patatje 
You don't connect to your bridge, you connect to the tor network if you 
use the socks5. So yes, the check passes, because it's being sent over 
the tor network, not using your bridge but using tor's socks5 proxy.


Also in your config you have set the socks port to 9031, but in this 
line of code you connect to port 90. Probably a typo but just FYI.



On 27/08/2019 20:02, Hikari wrote:

Thanks a lot.

So is it normal to have little traffic when in bridge mode? But why is 
reported speed so slow?


And why is it reporting 0 unique clients even though my monitor 
connects to it? I forgot to add the monitor code, here it is:


#!/bin/bash

if [[ $(curl --socks5 localhost:90 --socks5-hostname localhost:90 -s 
https://check.torproject.org/ | cat | grep -m 1 Congratulations | 
xargs) ]]; then

    curl -s https://hc-ping.com/abcdefgh &> /dev/null
 fi

It connects to Tor's SOCKS and goes to check.torproject.org, if it 
receives a text back and this text has congratulations message it 
calls hc-ping.com. So, wasn't my monitor meant to be counted?




On 27/08/2019 12:24 PM, Philipp Winter wrote:

On Mon, Aug 26, 2019 at 07:03:22PM -0300, Hikari wrote:
What might be wrong? Or is it normal for a Tor bridge relay be this 
idle?

This is my torrc removing identifiable data.

There may be nothing wrong at all.  See the following page for more
context: 



Feel free to email me your bridge's fingerprint and I will look up what
bucket your bridge is in.  For what it's worth, bridge operators are
hopefully soon able to do this themselves once we are done with this
ticket: 

Cheers,
Philipp
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Why is my Tor bridge relay not getting any traffic?

2019-08-27 Thread Hikari 

Thanks a lot.

So is it normal to have little traffic when in bridge mode? But why is 
reported speed so slow?


And why is it reporting 0 unique clients even though my monitor connects 
to it? I forgot to add the monitor code, here it is:


#!/bin/bash

if [[ $(curl --socks5 localhost:90 --socks5-hostname localhost:90 -s 
https://check.torproject.org/ | cat | grep -m 1 Congratulations | xargs) 
]]; then

curl -s https://hc-ping.com/abcdefgh &> /dev/null
 fi

It connects to Tor's SOCKS and goes to check.torproject.org, if it 
receives a text back and this text has congratulations message it calls 
hc-ping.com. So, wasn't my monitor meant to be counted?




On 27/08/2019 12:24 PM, Philipp Winter wrote:

On Mon, Aug 26, 2019 at 07:03:22PM -0300, Hikari wrote:

What might be wrong? Or is it normal for a Tor bridge relay be this idle?
This is my torrc removing identifiable data.

There may be nothing wrong at all.  See the following page for more
context: 

Feel free to email me your bridge's fingerprint and I will look up what
bucket your bridge is in.  For what it's worth, bridge operators are
hopefully soon able to do this themselves once we are done with this
ticket: 

Cheers,
Philipp
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Why is my Tor bridge relay not getting any traffic?

2019-08-27 Thread Philipp Winter 
On Mon, Aug 26, 2019 at 07:03:22PM -0300, Hikari wrote:
> What might be wrong? Or is it normal for a Tor bridge relay be this idle?
> This is my torrc removing identifiable data.

There may be nothing wrong at all.  See the following page for more
context: 

Feel free to email me your bridge's fingerprint and I will look up what
bucket your bridge is in.  For what it's worth, bridge operators are
hopefully soon able to do this themselves once we are done with this
ticket: 

Cheers,
Philipp
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Improving throughput on weak CPU?

2019-08-27 Thread teor 
Hi all,

Jochen sent this reply to the list, with a 4 MB attachment, which
is a bit big.

I don't think it contains anything sensitive, but I'll check before
forwarding it to anyone else.

I've discarded the message and attachment from the moderation queue.

Here's the message:

> Hi,
> 
> I have attached a profile of the main thread, over 30 seconds, to this
> e-mail.
> 
> Let me know if you need anything else.
> 
> Regards,
> 
> Jochen

T

--
teor
--



signature.asc
Description: Message signed with OpenPGP
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays