Re: [tor-relays] Relay in Japan being marked as a US relay?

2024-01-19 Thread Neel Chauhan

The reality is that there are multiple IP databases, and each operates 
differently.


198.0.0.0/8 is an ARIN IP allocation, and even though the server's in 
Japan, the IP addresses are allocated to a US company, in this case 
Choopa/Vultr.


This is why some databases show the IP in the USA: they might look at 
the first allocation after the RIR, which says "USA".


When I ran Tor exit relays on leased IP space, some abuse reports went 
directly to me, but some went to the IP lessors, not realizing IP 
leasing and reallocations are now commonplace.


-Neel

On Thu, Jan 18 2024 at 12:50:22 PM -0600, NodNet wrote:

I think tor and Tor Project use IPFire's DB for GeoIP lookups, and 
198.13.48.219 shows the following:


NETWORK: 198.13.48.0/20
AUTONOMOUS SYSTEM: AS20473 - AS-CHOOPA
COUNTRY: United States of America

https://www.ipfire.org/projects/location/lookup/198.13.48.219

On 1/18/2024 11:22 AM, Jag Talon wrote:

Hello,

I have a relay in Japan with the IP of 198.13.48.219, but it's being 
marked as being in the US. I've tried using different websites like 
www.iplocation.net, iplocation.io, and www.wolframalpha.com and 
they're all telling me that the IP is in Japan.


I'm wondering if perhaps there's an issue with the GeoIP lookup? Or 
perhaps an outdated database?


Thanks!


___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays



Re: [tor-relays] Short heads up

2023-01-09 Thread Neel Chauhan

On 2022-12-25 00:27, Frank Steinborn via tor-relays wrote:

Hi friends,

I made some smaller tweaks over the last few hours which should 
especially help relays on nearly OOM or thrashing situations (making 
use of Zswap + MGLRU if available).


The rules themselves are just the same, so no changes there.


I had an exit relay which was constantly DDoSed. Instance CPU usage was 
40%.


Had the IP change (for another reason tho) and it didn't go away, the 
DDoS targeted that particular fingerprint. That server had two relays, 
one fortunately unaffected.


I ended up just changing the fingerprint for the affected one. Now I 
have to wait for the ramp-up phase, yay!



Merry Christmas,
Frank


Best,

Neel






--- Original Message ---
On Sunday, December 4th, 2022 at 11:25 PM, Frank Steinborn wrote:

Hi,

I want to show you my anti DDoS solution for my relays (as well ;-). It 
works without ipset, but with a mix of the recent and hashlimit 
iptables modules.


What it does:
* If one IP address tries to make 7 SYN connection attempts per 
second, they are locked out for 300 seconds. If they try another 
connection in that timeframe, the timer is reset and they are locked 
out for another 300 seconds.
* There are no more SYNs allowed if 4 connections are already in use 
to the ORPort.


It works very well for me. Other solutions are far more aggressive but 
I feel my solution works perfectly against the attacks, even if they 
are not that aggressive.


On top of that, I feel it's easier to implement into one's existing 
firewall solution.


You can find the repo here: https://github.com/steinex/tor-ddos

Feel free to give it a shot and feedback would be much appreciated!

Greetings,
steinex
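
The two rules described in the post above, modelled as a small Python state machine and replayed over constructed traffic. This is an added example, not code from the steinex/tor-ddos repository; it assumes a sliding one-second window for the rate check, a per-source connection cap, and that every accepted SYN becomes a connection in use. All class, function and variable names are hypothetical.

```python
from collections import defaultdict, deque

SYN_LIMIT = 7       # SYNs from one source within a second that trigger a lockout (from the post)
LOCKOUT_SECS = 300  # lockout length; restarted by any SYN sent while locked out (from the post)
MAX_CONNS = 4       # connections in use to the ORPort before further SYNs are refused (from the post)


class OrPortFilter:
    """Hypothetical model of the policy; names are not taken from the tor-ddos repo."""

    def __init__(self):
        self.window = defaultdict(deque)    # src -> SYN timestamps within the last second
        self.locked_until = {}              # src -> time at which the lockout expires
        self.open_conns = defaultdict(int)  # src -> connections currently in use

    def syn(self, src, now):
        """Return the verdict for a SYN from `src` arriving at time `now` (seconds)."""
        # Rule order matters: a locked-out source is dropped before anything else,
        # and the attempt itself restarts the 300 s timer.
        until = self.locked_until.get(src)
        if until is not None:
            if now < until:
                self.locked_until[src] = now + LOCKOUT_SECS
                return "DROP:locked"
            del self.locked_until[src]

        # Rate check (assumption: sliding one-second window per source).
        win = self.window[src]
        while win and now - win[0] >= 1.0:
            win.popleft()
        win.append(now)
        if len(win) >= SYN_LIMIT:
            self.locked_until[src] = now + LOCKOUT_SECS
            win.clear()
            return "DROP:rate"

        # Connection cap (assumption: counted per source address).
        if self.open_conns[src] >= MAX_CONNS:
            return "DROP:conns"
        self.open_conns[src] += 1  # simplification: an accepted SYN becomes a connection
        return "ACCEPT"

    def close(self, src):
        """Record that one of `src`'s connections has ended."""
        if self.open_conns[src] > 0:
            self.open_conns[src] -= 1


def replay(events):
    """Feed (time, src, kind) events through a fresh filter; return SYN verdicts per source."""
    flt, verdicts = OrPortFilter(), defaultdict(list)
    for now, src, kind in events:
        if kind == "syn":
            verdicts[src].append(flt.syn(src, now))
        else:
            flt.close(src)
    return dict(verdicts)


# Constructed sample traffic (documentation addresses, not real relay data).
FLOODER, CLIENT = "203.0.113.5", "198.51.100.7"
EVENTS = (
    [(i / 10, FLOODER, "syn") for i in range(7)]      # 7 SYNs inside one second
    + [(1.0, CLIENT, "syn"), (2.0, CLIENT, "syn")]    # ordinary client
    + [(100.0, FLOODER, "close")] * 4                 # flooder's connections end
    + [(200.0, FLOODER, "syn"),                       # inside lockout: timer restarts
       (450.0, FLOODER, "syn"),                       # past the first 300 s, still locked
       (751.0, FLOODER, "syn")]                       # 300 s after the last attempt
)

if __name__ == "__main__":
    for src, result in replay(EVENTS).items():
        print(src, result)
```

The SYN at t=450 is the case to watch: the original lockout would have expired at t=300.6, but the retry at t=200 restarted the timer, so the source stays blocked until 300 seconds after its last attempt.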



Re: [tor-relays] Tor Exit: Complaints of IP being used for "spam" despite exit policy

2022-05-04 Thread Neel Chauhan

Hi,

On 2022-05-04 12:31, li...@for-privacy.net wrote:
Yes, unfortunately you get this SPAM abuse, although it is clear that 
the mail was submitted via a webmailer :-(


Probably true.

Sometimes I think "is my FreeBSD exploited and being used to send spam",
but then I also see Linux relays on other ISPs also on the blocklists.


It's actually very unlikely that a longer running exit can send mails. ;-)
I can't even send myself log mails from my exit IP's because all IP's are
blacklisted. On abusix.com and similar.


If you need to send emails, you could:

a. use Sendgrid or Mailgun or whatever to send emails if they don't 
block exit IPs from connecting to their SMTP relays


b. Run your own SMTP relay on a $3.5 VPS to forward emails


If possible, try to get an ARIN SWIP record:
https://blog.torproject.org/tips-running-exit-node/
5. Get ARIN registration


I could look into that. I do have an LLC that I could use for the SWIP 
record if needed.


99% of the abuse is f*cking auto-generated stuff from tools like 
fail2ban. If
you reply, you will not get an answer or 'message is undeliverable' 
back.


Probably true.

Psychz is still more automated but not so much, but I do know some hosts 
where abuse is very automated to the extent that they ignore automated 
complaints. Think AWS, Azure, OVH, or DigitalOcean, or a Big Telecom 
provider like Comcast, AT&T, Deutsche Telekom, Telefonica, etc.


On the opposite end of the spectrum, some hosts such as GTHost and 
Primcast both asked me to turn off my exit relay due to "too much abuse" 
because their abuse departments are very manual.



BuyVM is similarly priced (although my Psychz is a special offer) and
solid but has too many exits. OVH and TerraHost only allow exits on much
more expensive dedicated servers. Prgmr and HostMaze allow exits but have
so-so peering.

https://rdp.sh/ is not overcrowded yet.


Thanks for the suggestion.

I prefer to run my exits on FreeBSD (well, I am a FreeBSD committer), 
but I will keep rdp.sh in mind in case I need a new host.



We all hope with you.
As I've mentioned here before, IPv6 only relays are important. An AS with
IPv6/48 is affordable. Then it's much easier to set up your own bulletproof
ISP.


That sounds good :-). I'd love to have my own ASN, but don't have the 
mental or financial bandwidth to do this right now.


Fortunately Psychz got off my case, for now at least :-).

-Neel


[tor-relays] Tor Exit: Complaints of IP being used for "spam" despite exit policy

2022-05-04 Thread Neel Chauhan

Hi,

A day or two ago, my Tor exit host, Psychz Networks, has sent me 
complaints about my IPs being used to send "spam" despite me having 
blocked Port 25 (and 465/587) in the exit policy.


Psychz threatened to block Port 25 even when my exit policy explicitly 
blocks 25/465/587.


The URLs I got were from Cisco Talos:

 * https://talosintelligence.com/reputation_center/lookup?search=104.149.136.246#email-history
 * https://talosintelligence.com/reputation_center/lookup?search=104.149.133.54#email-history


Sometimes I think "is my FreeBSD exploited and being used to send spam", 
but then I also see Linux relays on other ISPs also on the blocklists.


Yes, I am aware Tor exit relays will land on blacklists. But getting 
complaints from spam is new, especially when my relays are blocking 
SMTP.


I am worried I would have to find a new host if they continue 
complaining. Darn, Psychz has been one of the more reliable exit hosts 
(on-and-off) for many years, although they are more vigilant on abuse 
than say BuyVM.


BuyVM is similarly priced (although my Psychz is a special offer) and 
solid but has too many exits. OVH and TerraHost only allow exits on much 
more expensive dedicated servers. Prgmr and HostMaze allow exits but have 
so-so peering.


I just hope Psychz doesn't continue to complain.

-Neel


[tor-relays] OVHcloud does not allow Tor exit relays on VPS/cloud services

2022-01-31 Thread Neel Chauhan

Hi,

I was running a pair of Tor exit relays on OVH, and when I sent a 
response, I got this as a reply:


===
As provided in our Service Specific Terms, Anonymization services, such 
as TOR, are not permitted on OVHcloud's VPS or Public Cloud services. We 
request that you immediately cease utilizing your current subscriptions 
as a TOR exit node. Failure to comply with this request may result in 
the suspension and/or termination of your servers and/or account in 
accordance with our Terms of Service.


https://us.ovhcloud.com/legal/service-specific-terms
===

It seems OVH does not allow Tor exit relays on "cloud" or "VPS" 
subscriptions anymore. In the past when I used OVH for exits I had no 
issues, so they must have changed their TOS.


I am assuming OVH dedicated servers are fine.

I guess I'm moving the two exit relays to Terrahost. Terrahost is more 
expensive but I already have exits there and they are excellent.


I never had a great experience with OVH.

-Neel


Re: [tor-relays] [Censorship in Russia] Make HTTPS/Moat captcha more complex?

2021-12-25 Thread Neel Chauhan

On 2021-12-22 22:42, Gary C. New via tor-relays wrote:

I know it might be a fundamental change to the Tor network, but would
it be possible to obfuscate the Tor bridge/relay addresses with their
respective fingerprints; similar, to the I2P network? I've often
thought that this aspect of the I2P network is one that is implemented
well. Perhaps Directory Authorities could perform fingerprint to
address resolution? I think it would be extremely beneficial if
neither bridge nor relay addresses were published in the wild. It would
make great strides in further buffering the Tor network from various
black-listing/censorship techniques.


The thing is, while Tor itself is decentralized, the directory 
authorities and fallback directories are not.


For a Tor client to bootstrap, you need a list of relays to be able to 
connect to. And in turn you have to contact the dirauths or the 
fallbacks.


While you could use an I2P-style or more recently blockchain-style 
setup, I believe there was a reason for Tor to use centralized dirauths.


I can't seem to find the article/FAQ right now, even though I had it a 
few years ago. I'm guessing it's to prevent malicious dirauths, unlike 
how Bitcoin could get manipulated by bad actors with a decentralized 
authority system.



Respectfully,

Gary


-Neel


[tor-relays] Is Tor Actually "Blocked" In Russia, or Are Some Users Unblocked for now?

2021-12-06 Thread Neel Chauhan

Hi tor-relays@,

While I don't live in Russia, nor are my parents from Russia (they're 
from India), today, I noticed these articles that some people noticed 
Tor is blocked in Russia (sorry for being late):


https://ntc.party/t/ooni-reports-of-tor-blocking-in-certain-isps-since-2021-12-01/1477
https://forum.torproject.net/t/tor-blocked-in-russia-how-to-circumvent-censorship/982

Yet, when I look at Tor Relay Status, I noticed many relays hosted on 
Russian residential ISPs are still online, and only a few aren't:


Moscow City Telephone:
 * https://metrics.torproject.org/rs.html#search/as:AS25513

Rostelecom:
 * https://metrics.torproject.org/rs.html#search/as:AS12389
 * https://metrics.torproject.org/rs.html#search/as:AS42610
 * https://metrics.torproject.org/rs.html#search/as:AS34168

Vimpelcom:
 * https://metrics.torproject.org/rs.html#search/as:AS8371
 * https://metrics.torproject.org/rs.html#search/as:AS8402

MTS:
 * https://metrics.torproject.org/rs.html#search/as:AS60496

I didn't notice a big reduction in "relay" users on Metrics: 
https://metrics.torproject.org/userstats-relay-country.html?start=2021-09-06=2021-12-05=ru=off


But did see an increase in "bridge" users: 
https://metrics.torproject.org/userstats-bridge-country.html?start=2021-09-06=2021-12-05=ru


And most Ooni results still show Tor can connect fine: 
https://explorer.ooni.org/search?until=2021-12-06=2021-11-29_cc=RU_name=tor


I feel it could be possible it's one of the two:

 * Most likely, the censorship rollout is in stages. Some users are 
blocked but others aren't, where it wasn't rolled out is still 
unblocked.


 * Less likely, but Russia found people could use pluggable transports, 
like HTTPS obfs4 bridges and maybe they found blocking Tor itself is 
ineffective, or trying to block "meek" users ended up blocking Microsoft 
and ASP.NET/Azure-based webapps.


Disclaimer: I work at Microsoft, but not on Azure as of now. I did 
however interview for a position in the Azure umbrella (not on the CDN 
however).


-Neel Chauhan


[tor-relays] IPv6 reachability tests fail on CenturyLink IPv6 6rd - reachability broken?

2021-08-27 Thread Neel Chauhan

Hi,

I recently moved into a home with CenturyLink Fiber and moved my FreeBSD 
relays to the said home.


Fingerprints:

https://metrics.torproject.org/rs.html#details/B0F9BA27944FA59E3B1A182208FF7C0CFF5497B2
https://metrics.torproject.org/rs.html#details/DB710B14D7329B7289CFCC547F48EF53F812C40D

In my relay logs, while IPv4 works fine, I get these IPv6 errors:

Aug 26 18:47:01.000 [notice] Auto-discovered IPv6 address [REDACTED]:143 
has not been found reachable. However, IPv4 address is reachable. 
Publishing server descriptor without IPv6 address.
Aug 26 19:47:01.000 [notice] Auto-discovered IPv6 address [REDACTED]:143 
has not been found reachable. However, IPv4 address is reachable. 
Publishing server descriptor without IPv6 address. [2 similar message(s) 
suppressed in last 2400 seconds]


CenturyLink does use 6rd for IPv6 in case that matters, however I can 
telnet the relay ORPort via IPv6 from a VPS. My firewall is an OPNsense 
box which terminates PPPoE/6rd.


I am running tor-0.4.6.4-rc. Yes I know it's not the "latest", but I 
usually run the "beta" versions on my relays from FreeBSD pkg.


Rebooting both my OPNsense box and my server doesn't work.

The same relay fingerprints/torrcs/keys worked fine on Google 
Fiber/Webpass native IPv6 in another address.


I'm guessing IPv6 reachability tests aren't working right now since it 
worked with CL 6rd earlier today, or maybe CL misconfigured their 
network.


It's not a biggie for me, but while I could go Comcast with better IPv6, 
I'd rather have a high bandwidth relay than an IPv6 one with Comcast's 
slow uploads/caps. Other Seattle ISPs like Webpass, Wave, and Atlas 
aren't in my new home.


-Neel Chauhan

===

https://www.neelc.org/


Re: [tor-relays] Relay on CentOS8

2021-08-25 Thread Neel Chauhan

On 2021-08-20 05:08, Totor be wrote:

Hi all

As you might be aware, CentOS is switching from CentOS Linux to CentOS
Stream
https://www.centos.org/cl-vs-cs/

They provide a straightforward way to migrate from Linux to Stream:
#dnf swap centos-linux-repos centos-stream-repos
#dnf distro-sync

I have migrated a relay running in a small VM and everything seems to
run fine

Before migrating my production relay, I would appreciate any feedback
from other CentOS users on this migration: disk space required,
eventual issues encountered and more generally do's & don'ts


I'm a FreeBSD user, but if you don't want CentOS Stream, there are 
AlmaLinux and Rocky Linux, both which focus on being a spiritual 
successor to pre-Stream CentOS.


For you, I'd recommend looking at Alma/Rocky as opposed to CentOS 
Stream, but IMHO you should compare all three. However I have never run 
RHEL-based distros as a "server" (I've always run FreeBSD there) so I 
can't tell you my experiences.



Thanks a lot!


-Neel

===

https://www.neelc.org/


[tor-relays] Tor non-exit relays and Hulu in 2021

2021-08-18 Thread Neel Chauhan

Hi tor-relays@,

Long time no see. Lately I'm more involved with the FreeBSD community, 
but I still run Tor relays though!


I'm moving into a new house in Seattle, WA which has CenturyLink Fiber. 
However, I'm moving in with people who watch Hulu.


I remember Hulu blocked Tor middle relay IPs back in 2016-7, but haven't 
seen recent information on this. Does Hulu still block Tor middle relay 
IPs in 2021?


I'm also considering adding a static IP block but not sure if 
CenturyLink is willing to give static IPs to me. I signed up for a 
"business" account but since it's a "residential" address CL's systems 
may not 'allow' this [1], so that's why I'm asking.


Comcast is not an option for me despite technically being "available" 
for obvious well-documented reasons. After all, CenturyLink is giving me 
1 Gbps Fiber, not 1.5 Mbps DSL.


-Neel Chauhan

=== FOOTNOTES ===

[1] - 
https://www.reddit.com/r/centurylink/comments/p6cs1t/cbrasstatic_ip_block_wanpppoe_ip_dynamic_or_static/h9d0q6n?utm_source=share_medium=web2x=3



Re: [tor-relays] Tor bandwidth scanner "longclaw" slow to the US West Coast

2020-08-23 Thread Neel Chauhan

Hi juga,

Sorry for the delayed response.

On 2020-08-18 10:05, juga wrote:


thanks for reporting this issue. Replying inline:


No problem.


Tor bandwidth scanners and directory authorities not necessarily run in
the same machine/IP and it's the case of longclaw's bandwidth scanner,
which is located in the US East Coast.


Good to know.

If the reason for lower bandwidth measurements is the location -it could
be other reasons- then it's weird that it would affect the US West Coast
and not Europe, given it's located in the US East Coast.


Thanks for telling me. It seems weird, West Coast congestion maybe?


To understand why this is happening, it's very helpful that you give us
this information.
I personally suspect it might not be related to the scanner location.
We'll investigate this as part of the issue you opened at
https://gitlab.torproject.org/tpo/network-health/sbws/-/issues/40014.

It might take some weeks, since a lot of the work done on this topic is
volunteer work. Apologies in advance about it.


Understood.

I don't mind helping if you need help. I am a Core Tor contributor, but 
am also open to working with sbws.



Is anyone else hosting West Coast relays having this issue?


Good question.

Is "longclaw" actually measuring bandwidth from Europe? If so, WHY?


No, it's not measuring bandwidth from Europe.


Good to hear.



I got in contact with "longclaw"'s admin and he wasn't too helpful.


It looks to me that the longclaw's admin has been helpful if they have
suggested you to write to this mailing list, so that more people can
check this issue and/or they have suggested you to report an issue in
gitlab so that the bandwidth scanner developers won't forget about it :)


Also, not all directory authorities run bandwidth scanners and not all
of them know about the complexity on how bandwidth is determined.

Hope it helps.


I guess it's really easy to complain and blame longclaw's admin.

It could also be peering, but I am not sure. Wave does have congestion 
issues from time to time, but this affects more than Tor.


Sometimes, faravahar also may have this issue, but not to the same 
extent, and I can't confirm if this is true.


Thank you for responding.


Best,
juga


-Neel


Re: [tor-relays] Tor bandwidth scanner "longclaw" slow to the US West Coast

2020-08-20 Thread Neel Chauhan

Surprisingly, longclaw stopped measuring and the consensus weights shot 
up.


My home ISP, "Wave G" has shitty peering so it didn't shoot up as much. 
But my Psychz dedicated server fortunately did see a solid increase.


-Neel

On 2020-08-19 16:02, i...@backplanedns.org wrote:

Same here

https://metrics.torproject.org/rs.html#details/29BBD80A1702C7FDEF6557C492F44E9EBAB2854A

_Sent from my T-Mobile 4G LTE device_

-- Original message--
From: Eddie
Date: Wed, Aug 19, 2020 6:40 PM
To: tor-relays@lists.torproject.org;
Cc:
Subject:Re: [tor-relays] Tor bandwidth scanner "longclaw" slow to the
US West Coast

Not sure if my relay is similar, but I've been seeing a slow fall in
consensus weight and advertised bandwidth over the past few months even
though absolutely nothing has changed at my end.  Well, apart from me
*increasing* the RelayBandwidth settings.

Also before I shut my relay down for a couple of weeks late last year,
it had, and maintained guard status for about 6 months.  Now it yo-yos
in and out of guard on a regular basis.

https://metrics.torproject.org/rs.html#details/D195E5CE8AE77BAC91673E6CFB7BD0AF57281646

Cheers.

On 8/15/2020 5:41 PM, Neel Chauhan wrote:

Hi,

Is anyone else hosting West Coast relays having this issue? Is
"longclaw" actually measuring bandwidth from Europe? If so, WHY?





[tor-relays] Tor bandwidth scanner "longclaw" slow to the US West Coast

2020-08-15 Thread Neel Chauhan

Hi,

I believe the Tor bandwidth scanner nicknamed "longclaw" is measuring 
relays in the US West Coast worse than other bandwidth scanners in North 
America. This happens on multiple ISPs, both ones I have and ones I 
don't.


This includes two Tor exit instances on a dedicated server hosted in Los 
Angeles on Psychz Networks (AS40676):


https://metrics.torproject.org/rs.html#details/156AAC3FAD1ACC8906316519DCB444B8C77E4EBF
https://metrics.torproject.org/rs.html#details/A69CEB30328B1E85C6B167FECAF2F509CBD9517F

And two Tor non-exit instances on a home server in Seattle on Wave 
Broadband (AS11404), using a symmetrical Gigabit link:


https://metrics.torproject.org/rs.html#details/B0F9BA27944FA59E3B1A182208FF7C0CFF5497B2
https://metrics.torproject.org/rs.html#details/DB710B14D7329B7289CFCC547F48EF53F812C40D

The consensus weight values from longclaw are much lower than other 
North American bandwidth scanners, according to 
https://consensus-health.torproject.org/.


This also affects other relays/ISPs on the West Coast US/Canada, such as 
Emerald Onion, AT&T U-verse, Sonic.net, and QuadraNet. The same 
ISPs/hosts in the East Coast aren't affected.


This discrepancy in the measurement disproportionately favors European 
and East Coast US/Canada relays at the expense of West Coast relays, 
centralizing the Tor network even further than it already was. This 
wasn't an issue in the past, even as early as a few months ago. It only 
started appearing around June.


Is anyone else hosting West Coast relays having this issue? Is 
"longclaw" actually measuring bandwidth from Europe? If so, WHY?


I got in contact with "longclaw"'s admin and he wasn't too helpful.

Best,

Neel Chauhan

===

https://www.neelc.org/


[tor-relays] West Coast US Tor Relays Slow - Low Consensus Weight versus East Coast

2020-08-06 Thread Neel Chauhan

Hi network-health@/tor-relays@ mailing lists,

I noticed one thing: Tor relays on the West Coast US (and Canada) are 
generally slower than those on say the East Coast and in Europe.


I moved to the West Coast this January, but this was not an issue in the 
past when looking at dedicated servers I had from the West Coast prior 
to this year.


These are two middle relay instances on a Gigabit FTTH connection (Wave 
G in Redmond, WA):


https://metrics.torproject.org/rs.html#details/B0F9BA27944FA59E3B1A182208FF7C0CFF5497B2
https://metrics.torproject.org/rs.html#details/DB710B14D7329B7289CFCC547F48EF53F812C40D

The Consensus Weight often is slower than the Advertised Bandwidth, and 
isn't ramping up despite having lots of bandwidth. I set 
RelayBandwidthRate to about 500 Mbps on each instance.


This isn't just a Wave G problem, this affects almost every relay in the 
West Coast including other Gigabit ISPs such as AT&T (AS7018) and Sonic 
(AS46375), as well as hosting companies and colocation facilities.


For instance, my Los Angeles-based Exit relays at Psychz Networks 
(AS40676) show this issue (however they are new):


https://metrics.torproject.org/rs.html#details/156AAC3FAD1ACC8906316519DCB444B8C77E4EBF
https://metrics.torproject.org/rs.html#details/A69CEB30328B1E85C6B167FECAF2F509CBD9517F

Even Emerald Onion has this issue:

https://metrics.torproject.org/rs.html#details/09DCA3360179C6C8A5A20DDDE1C54662965EF1BA

What is causing this issue and is there a solution? Is it backbone 
congestion due to COVID-19? The high load on dirauths? sbws regressions?


Can I help fix this issue? I am a Core Tor contributor and am open to 
also working on sbws.


Is there a way to optimize my relays (they run FreeBSD)?

-Neel

===

https://www.neelc.org/


[tor-relays] Directory Authority servers still using excessive bandwidth

2020-07-20 Thread Neel Chauhan

Hi tor-relays@,

I have noticed that despite fixing bugs in the past, the directory 
authority relays are still using excessively high amounts of bandwidth, 
when looking at Relay Search:


Examples:

 * https://metrics.torproject.org/rs.html#details/7EA6EAD6FD83083C538F44038BBFA077587DD755
 * https://metrics.torproject.org/rs.html#details/9695DFC35FFEB861329B9F1AB04C46397020CE31
 * https://metrics.torproject.org/rs.html#details/BD6A829255CB08E66FBE7D3748363586E46B3810


And many more.

I'm asking since I'm having an issue with low consensus weights on a 
symmetrical "Gigabit" pipe, and I am suspecting the overloaded authority 
servers are a factor. Are they?


It could also be my current ISP's (Wave Broadband) crap peering, but 
would I really want to use Comcast?


-Neel

===

https://www.neelc.org/


[tor-relays] Consensus weight/Advertised bandwidth low on "Gigabit" ISP, despite ISP equipment upgrades

2020-06-12 Thread Neel Chauhan

Hi tor-relays@,

I run a FreeBSD-based Tor relay across two instances on "Wave G", a 
Gigabit ISP in the Seattle metro. You may also know them as 
CondoInternet or CascadeLink, but I joined only this year on a 
Wave-branded service.


These relays have had low consensus weights since I got the service in 
January.


The instances are below:

 * https://metrics.torproject.org/rs.html#details/8FABF4D266DF95216F6C646C6D6D4611D3DCF484
 * https://metrics.torproject.org/rs.html#details/CE06BA1EA45FD32A79EAF7FE6A3B1919E7FE585B


My server and router are fine, I am in the single digits in terms of CPU 
use on both. The same exact server and router on Verizon FiOS in New 
York never gave me this issue.


There was an underlying ISP performance issue impacting me which led 
consensus weight values to be low, but my ISP has since upgraded their 
equipment in my building. In general, my Internet performance has 
improved by magnitudes.


However, my consensus weight has stayed more or less flat since the 
equipment upgrade, instead of jumping higher. What gives?


How long would it usually take for the bandwidth scanners to measure the 
higher bandwidths?


Should I re-key my relays and start from scratch?

About switching ISPs, I'm not switching to Comcast for obvious 
well-documented reasons, and neither CenturyLink nor Frontier/Ziply 
Fiber serve me, not even copper.


Best,

Neel Chauhan

===

https://www.neelc.org/


[tor-relays] Consensus Weight low when compared to Advertised Bandwidth

2019-12-16 Thread Neel Chauhan

Hi,

After having my Primcast.com dedicated server suspended, I signed up for 
a dedicated server from Psychz Networks in their Dallas location to run 
a FreeBSD-powered Tor exit relay.


https://metrics.torproject.org/rs.html#details/9B6672E247BC4656915DF03A470D4B5BC2E7601F

While Psychz is a bit more expensive than Primcast/ServerRoom (and that 
is with a special offer), I get a slightly faster server and far better 
customer support.


One problem is that the consensus weight value is rather low in 
proportion to the advertised bandwidth value, when they should be 
approximately similar.


In fact, my server's CPU usage never goes beyond 1%.

Is this normal now that sbws is being deployed? Or is it bad peering on 
my relay?


-Neel

===

https://www.neelc.org/


Re: [tor-relays] Windows Relay Setup

2019-10-19 Thread Neel Chauhan

Tor 0.2.4.23 is EOLed and is blacklisted from the network. Vidalia is 
also EOL and unmaintained.


Also see: https://blog.torproject.org/removing-end-life-relays-network

If you want a Windows relay, you'll have to configure manually whether 
you like it or not. It's hard (Tor is Unix-native), and performance 
sucks when compared to Linux/BSD/macOS, but on the positive Windows is 
still better for relay diversity than Linux.


If there is Linux malware hurting the Tor network, we shouldn't just 
hope for BSD variants to keep us alive. Closed source or not, we should 
also consider Windows as an alternative relay OS (if you have a license 
or are willing to buy one). And I'm saying this as someone who runs 
FreeBSD relays and a FreeBSD desktop myself.


You can also use a VM, and it may be easier, but if I were you, just use 
the expert bundle and try to configure Tor as a NT service. You won't 
have to worry about a hypervisor and will help relay diversity along the 
way.


-Neel

===

https://www.neelc.org/

On 2019-10-17 15:20, William Pate wrote:

I finally got around to playing with this some more.

Thank you for your message, Bruce. I searched for Vidalia and found an
old bundle that appears to work perfectly on my Windows 10 machine.

Steps I took:

1. Download Vidalia Bundle 0.2.4.23 from http://vidalia-bundle.en.lo4d.com/

2. Extract
3. Install
4. Start
5. The Vidalia Control Panel will pop-up
6. In settings, I changed the Tor executable from the one included
with the Vidalia Bundle to the current version of Tor elsewhere on my
system.

Like I said, it *appears* to be working. Can't find it in relay search
yet, but I only set it up moments ago.

Nickname is inadequate
Contact is willp...@disroot.org


William Pate
willp...@pm.me
512-947-3311
inadequate.net

‐‐‐ Original Message ‐‐‐
On Sunday, July 14, 2019 1:44 AM, Barton Bruce wrote:

William,

On 7/11/2019 6:58 PM, William Pate wrote:

> I'm interested in hosting a Windows-based relay, if anyone can point me to a good tutorial. I've tried the most common ones.

There used to be a VIDALIA (sp?) kit that could simply be downloaded and
run on a windows machine. I then worked for an ISP/CLEC and had lots of
bandwidth so ran Vidalia on a 64 bit Windows 7 Ultimate machine on my
desk at work.

I never did hear why something had changed at the tor project so that
stopped working, but do remember a rude snippy condescending reply from
someone on the mailing list so I lost interest.

I did get the head Tor guy from the Central Square Cambridge office of
TOR to come speak at a local networking group's monthly meeting we held
at a MicroSlush facility in Burlington, MA and it was well received by a
packed audience. I think he now has left TOR and works for some ISP.





Re: [tor-relays] Cherryservers (formerly balticservers) account terminated for exit relay

2019-07-30 Thread Neel Chauhan
If you want an alternative exit relay host (other than the common ones 
like OVH, Scaleway, or Hetzner), one option is Server Room/Primcast 
(same company). I use Primcast for a 300 Mbps FreeBSD exit and have been 
happy with them.


Server Room/Primcast is not the "best" provider, but they are good 
enough for the purpose of an exit and being less popular (as of now) 
helps with relay diversity.


However, you will need a reduced exit policy with SR/Primcast. I have a 
**very** restrictive exit policy only allowing Ports 53, 80, 443, and 
8080 (so I get less complaints). If you want a custom OS, you will need 
iLO (HP/HPE's remote management, Primcast uses HP/HPE servers). An older 
server (pre-2011) may mean you'll need Windows and Internet Explorer 
(NOT MS Edge) to use the console, while a newer server will work with 
HTML5 on Windows/Mac/Linux/BSD/etc.


-Neel

===

https://www.neelc.org/

On 2019-07-30 02:15, Chris Kerr wrote:

I just heard from the hosting provider cherryservers.com that they are
terminating my account (after 2.5 years) where I run the exit relay
"ostwaldripening" (46.166.162.53), because they no longer wish to host tor
exit nodes.

I tried to create an account on trac.torproject.org to edit the "GoodBadISPs"
wiki page, but the spam blocking stopped me from doing so.


Re: [tor-relays] Running gigabit relay

2019-07-27 Thread Neel Chauhan
By "NUC" I was meaning the low-end Celeron boxes. A NUC with a i7-8650U 
should work for Tor and a dedicated AP. It won't be as good as a desktop 
or server CPU, but for your use case it's fine as a relay and AP/router.


However, the built-in Wi-Fi is usually only a single band at once.

-Neel

On 2019-07-27 01:38, Mitar wrote:

Hi!

On Fri, Jul 26, 2019 at 12:08 PM Neel Chauhan  wrote:

About the server, I have a powerful HPE ProLiant as mentioned earlier,
but like others said at minimum you need a i5/i7 CPU, or an equivalent
Xeon or AMD CPU. So this means no NUCs or HPE MicroServers.


Hm, why not NUCs? There are NUCs with 8th Generation Intel CPUs:

https://ark.intel.com/content/www/us/en/ark/products/series/129705/intel-nuc-kit-with-8th-generation-intel-core-processors.html

For example, this one uses i7-8650U Processor:

https://ark.intel.com/content/www/us/en/ark/products/130392/intel-nuc-kit-nuc7i7dnke.html

Based on what I read in all the replies (thank you all!) this should
be more than enough?

I was thinking of not really using a dedicated router, but hopefully
configure NUC's WiFi into an AP. This is all I really need. I just
hope I can configure it as a dual-band AP. I am not yet clear about
that part.


Mitar



Re: [tor-relays] Running gigabit relay

2019-07-26 Thread Neel Chauhan
About having a relay on gigabit symmetrical FTTH, you don't just need a 
good server, you also need a good NAT router unless you want to use your 
server as a NAT router as well.


I don't have Sonic or Gigabit Fiber (from any ISP), but I have 300mbps 
symmetrical Verizon FiOS in Brooklyn, NY running a Tor middle relay. A 
Linksys running OpenWrt and many low-power Mini PC "firewall" boxes were 
a bottleneck even on 300 Mbps for Tor, despite having a powerful Xeon 
4108 HPE ProLiant ML110 Gen10 and having no Verizon router in my setup. 
I dabbled with using my ML110 as a PF firewall (I run FreeBSD), but 
yesterday, I installed a HP ProDesk 400 G4 as an OPNsense firewall 
(because I didn't want a single point of failure, and so I can remotely 
access iLO).


So your firewall needs to be more powerful than an average one because 
at least for me Tor has ~1 connections at once, and that is with Tor 
only measuring half my 300Mbps. Your Gigabit will mean far more than 
that running Tor. So a low power HP T620 Plus or Qotom box won't work as 
a firewall in this case.


My "bottleneck" could also be Verizon's peering that Sonic may not have. 
After all, Sonic supports Net Neutrality and Verizon opposes NN.


About the server, I have a powerful HPE ProLiant as mentioned earlier, 
but like others said at minimum you need a i5/i7 CPU, or an equivalent 
Xeon or AMD CPU. So this means no NUCs or HPE MicroServers.


-Neel

===

https://www.neelc.org/

On 2019-07-26 01:31, Mitar wrote:

Hi!

I have Sonic Fiber which offers gigabit symmetric connection. I am
thinking of using it for gigabit Tor relay, but I wonder what would be
good hardware to use for something like that. Information I have found
[1] is from 2010 so I wonder if there are any updates? Is there any
simple small box I could use? Like Intel NUC? Information here [2]
says that one can get 400 Mbps with AES-NI. And so with two processes
limit per my public IP this would be around 800 Mbps then. Is this
still a reasonable expectation? Do I have to care about the network
card to serve gigabit (besides its being nominally gigabit)? What
would be memory requirements for such a device?

[1] https://www.mail-archive.com/or-talk@freehaven.net/msg14159.html
[2] https://www.torservers.net/wiki/setup/server


Mitar



[tor-relays] Verizon.com blocked on Tor Middle Relay on FiOS

2019-05-30 Thread Neel Chauhan

Hi,

I have a Tor middle relay on Verizon FiOS.

If I try to access Verizon.com on the FiOS connection running a Tor 
middle relay, I get this error:



Access denied, in accordance with Verizon Information Security Policy


Please contact us if there is a legitimate business need to access this 
content.


They gave an email address to the EdgeCast NOC that I contacted, but the 
EdgeCast support said I should contact FiOS and not EdgeCast, even 
though I think the blocking is on EdgeCast's side (if it was on FiOS 
then I would get a "Hmm. We’re having trouble finding that site" error 
from Firefox).


Other Verizon sites such as Verizon Wireless and Verizon Media/Oath 
properties like AOL/Yahoo/Tumblr/HuffPost/etc. are not blocked on FiOS 
running Tor (heck, I can even sign up for Tumblr on exit relays), even 
though these other Verizon sites also use EdgeCast.


For those who have middle relays on their home broadband connection (not 
bridge or exit), both on Verizon FiOS and other ISPs regardless of 
country or technology, please test for if Verizon.com is blocked.


Thank You,

Neel Chauhan


Re: [tor-relays] Email Blocked by ISP

2019-05-17 Thread Neel Chauhan
Looking at your email address, you have an ISP assigned email. Unless 
you work for Spectrum, you shouldn't use an ISP email account. I'd 
advise you either:


 * Sign up for a third-party email service like Gmail, Outlook, 
ProtonMail, or Tutanota


 * If you can maintain one, run your own email server (I do this myself 
but many don't recommend it as email servers are complex)


Assuming you have a middle relay, I don't think the relay caused the 
email problems. I believe someone hacked your email, whether through a 
hacker attacking the Spectrum email server or a virus/malware gaining 
access to your email via a browser exploit. Check for this first.


-Neel

On 2019-05-16 13:31, K. Besig wrote:

I've run a home relay on and off for several years and recently, for
the first time, had my email blocked by the ISP rendering it
impossible to login into my 3rd party mail server.

When I contacted support I was informed my email password had been
reset due to activity that resembled e-bombing/mass mailing. Only
after submitting to a system scan while the rep waited on the
phone, was I able to reset my password.

I moved several months ago and went from a TWC legacy account to a
Spectrum account.

Wondering if anything other than lowering my tor bandwidth would keep
them off my back...



Re: [tor-relays] Trouble Running Middle Relay On Google Cloud Debian VBS

2019-05-17 Thread Neel Chauhan

Keifer,

I think your Cron script is problematic.

The script:

0 0 1 * * apt-get update apt update && apt install -y --only-upgrade tor 
killall tor tor


Would kill Tor and since you don't have "&& tor" after the "killall 
tor", it is not restarting it.


But I'd advise just giving up on cron. For automatic updates, you should 
look into unattended-upgrades instead of using cron.


Also, forcefully killing Tor using cron isn't a good idea because it 
would terminate circuits using your relay instead of gracefully stopping 
them.


Disclaimer: I don't run Debian on my relays. I run FreeBSD relays. I 
have used Debian on my desktop briefly in 2012 before switching to 
FreeBSD as a desktop. I have never **really** run Debian as a server so 
I can't help you further with unattended-upgrades.


-Neel

===

https://www.neelc.org/

On 2019-05-16 01:26, Keifer Bly wrote:

Hi all,

So I am starting a new middle relay using a VPS hosted on Google Cloud
running Debian. though the relay is running, it is not appearing in
the consensus after 10 hours. Here is the tor log, any thoughts on
what is going on would be greatly appreciated thank you.

May 15 18:23:47.096 [notice] Opening OR listener on 0.0.0.0:65534 [1]
May 15 18:23:47.000 [notice] Parsing GEOIP IPv4 file
/usr/share/tor/geoip.
May 15 18:23:47.000 [notice] Parsing GEOIP IPv6 file
/usr/share/tor/geoip6.
May 15 18:23:47.000 [notice] Configured to measure statistics. Look
for the *-stats files that will first be written to the data directory
in 24 hours from now.
May 15 18:23:47.000 [warn] You are running Tor as root. You don't need
to, and you probably shouldn't.
May 15 18:23:47.000 [notice] Your Tor server's identity key
fingerprint is 'torworld 3A4E582092E7C6B822EC01F4D76F680F6C65B0A2'
May 15 18:23:47.000 [notice] Bootstrapped 0%: Starting
May 15 18:23:50.000 [notice] Bootstrapped 80%: Connecting to the Tor
network
May 15 18:23:51.000 [notice] Guessed our IP address as 35.238.140.120
(source: 193.23.244.244).
May 15 18:23:52.000 [notice] Bootstrapped 85%: Finishing handshake
with first hop
May 15 18:23:52.000 [notice] Bootstrapped 90%: Establishing a Tor
circuit
May 15 18:23:53.000 [notice] Tor has successfully opened a circuit.
Looks like client functionality is working.
May 15 18:23:53.000 [notice] Bootstrapped 100%: Done
May 15 18:23:53.000 [notice] Now checking whether ORPort
35.238.140.120:65534 [2] is reachable... (this may take up to 20
minutes -- look for log messages indicating success)
May 15 18:23:54.000 [notice] Self-testing indicates your ORPort is
reachable from the outside. Excellent.
May 15 18:23:56.000 [notice] Performing bandwidth self-test...done.
May 16 00:23:50.000 [notice] Heartbeat: It seems like we are not in
the cached consensus.
May 16 00:23:50.000 [notice] Heartbeat: Tor's uptime is 5:59 hours,
with 0 circuits open. I've sent 789 kB and received 7.41 MB.
May 16 00:23:50.000 [notice] Average packaged cell fullness: 100.000%.
TLS write overhead: 27%
May 16 00:23:50.000 [notice] Circuit handshake stats since last time:
0/0 TAP, 6/6 NTor.
May 16 00:23:50.000 [notice] Since startup, we have initiated 0 v1
connections, 0 v2 connections, 0 v3 connections, and 8 v4 connections;
and received 1 v1 connections, 0 v2 connections, 0 v3 connections, and
6 v4 connections.
May 16 00:23:50.000 [notice] DoS mitigation since startup: 0 circuits
rejected, 0 marked addresses. 0 connections closed. 0 single hop
clients refused.
May 16 00:58:51.000 [warn] Received http status code 404 ("Not found")
from server '45.62.242.212:9030 [3]' while fetching consensus
directory.

I also had another thing I wanted to ask. I am working on a crontab
script to automatically update and restart the tor relay once a month
automatically, as I am already running a bridge on another network
that needs to be updated manually.

Does this script look like it would get the job done? I don't have
much experience with crontab.

# m h  dom mon dow   command

0 0 1 * * apt-get update apt update && apt install -y --only-upgrade
tor killall tor tor
root@instance-1:/home/keifer_bly#

Thank you very much.

--Keifer

Links:
--
[1] http://0.0.0.0:65534
[2] http://35.238.140.120:65534
[3] http://45.62.242.212:9030
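
Added example (not from the thread and not Tor's own tooling): a small triage pass over a notice-level log like the one quoted above, pulling out the signals that matter for "running but not in the consensus". The sample is the quoted log re-joined where it was wrapped and trimmed to the relevant lines; the class and function names are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# The notice log from the message above, re-joined where the mail client
# wrapped it and trimmed to the lines that matter here (sample input).
SAMPLE_LOG = """\
May 15 18:23:47.000 [warn] You are running Tor as root. You don't need to, and you probably shouldn't.
May 15 18:23:47.000 [notice] Bootstrapped 0%: Starting
May 15 18:23:50.000 [notice] Bootstrapped 80%: Connecting to the Tor network
May 15 18:23:53.000 [notice] Bootstrapped 100%: Done
May 15 18:23:53.000 [notice] Now checking whether ORPort 35.238.140.120:65534 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
May 15 18:23:54.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent.
May 16 00:23:50.000 [notice] Heartbeat: It seems like we are not in the cached consensus.
May 16 00:23:50.000 [notice] Heartbeat: Tor's uptime is 5:59 hours, with 0 circuits open. I've sent 789 kB and received 7.41 MB.
May 16 00:58:51.000 [warn] Received http status code 404 ("Not found") from server '45.62.242.212:9030' while fetching consensus directory.
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ [\d:.]+) \[(\w+)\] (.*)$")
BOOT_RE = re.compile(r"Bootstrapped (\d+)%")
BEAT_RE = re.compile(r"Heartbeat: Tor's uptime is (.+?), with (\d+) circuits open")


@dataclass
class RelaySummary:
    bootstrap_pct: int = 0
    orport_reachable: bool = False
    not_in_consensus: int = 0            # heartbeats saying "not in the cached consensus"
    uptime: Optional[str] = None         # from the most recent heartbeat
    circuits_open: Optional[int] = None
    ran_as_root: bool = False
    warnings: List[str] = field(default_factory=list)


def summarize(log_text: str) -> RelaySummary:
    """Collect relay-health signals from tor notice/warn log lines."""
    s = RelaySummary()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # wrapped continuation or foreign line
        _, severity, msg = m.groups()
        if severity == "warn":
            s.warnings.append(msg)
            if "running Tor as root" in msg:
                s.ran_as_root = True
        boot = BOOT_RE.search(msg)
        if boot:
            s.bootstrap_pct = max(s.bootstrap_pct, int(boot.group(1)))
        if "ORPort is reachable from the outside" in msg:
            s.orport_reachable = True
        if "not in the cached consensus" in msg:
            s.not_in_consensus += 1
        beat = BEAT_RE.search(msg)
        if beat:
            s.uptime, s.circuits_open = beat.group(1), int(beat.group(2))
    return s


def findings(s: RelaySummary) -> List[str]:
    """Turn the summary into short operator-facing findings."""
    out = []
    if s.bootstrap_pct < 100:
        out.append(f"bootstrap stalled at {s.bootstrap_pct}%")
    if not s.orport_reachable:
        out.append("no ORPort reachability confirmation in this log")
    if s.not_in_consensus:
        out.append(f"not in cached consensus at uptime {s.uptime} "
                   f"({s.circuits_open} circuits open)")
    if s.ran_as_root:
        out.append("tor is running as root")
    return out


if __name__ == "__main__":
    for finding in findings(summarize(SAMPLE_LOG)):
        print("-", finding)
```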


Re: [tor-relays] firewall ports needed to run a middle relay

2019-04-25 Thread Neel Chauhan
If you have fiber to the home or another symmetrical speed broadband 
connection (like some wireless ISPs like Webpass), you may have a lot of 
upstream speed. In this case it's perfect for Tor relays. If you do, 
invest in a good router with a big enough NAT table if you don't have 
one, flash custom firmware if your router supports it and is powerful 
enough, or reuse your old desktop as a pfSense box. I have Verizon FiOS 
FTTH and use a Linksys WRT1900AC running OpenWRT instead of a Verizon 
gateway.


Some ISPs may force you to use their router, like AT&T in some parts of 
the US who forces 802.X authentication to use VDSL/FTTH that is only 
spoken on their router.


But your uplink probably is crappy if you have cable, DSL, or fixed 
wireless.


-Neel

===

https://www.neelc.org/

On 2019-04-25 17:48, nusenu wrote:

to...@protonmail.com:

I need to move to a new router, which, unlike the old Verizon home
router, doesn't have a quick DMZ host to which I attach the tor
relay's local ip address.  So I think I need to do port forwarding,
and for that what rules do I need? My torrc config has: ControlPort
9052 ORPort 8443 DirPort 8080

So I forwarded 8443 and just in case, 8080. But the number of my
connexions kept dropping, so I put it back in the DMZ and it started
getting new ones again.  Trying to figure out if I screwed up the
config gui, or if I need to add other ports.  Did I miss a port?


Forwarding the ORPort and DirPort (if you set one) is all you need
but home broadband uplinks frequently are not made for the amount of
concurrent sessions a tor relay usually has to handle.
So failures might still happen even if you setup the port-forwarding
part correctly.


[tor-relays] Advertised Bandwidth/Consensus Weight Dropping: Is Verizon FiOS throttling Tor Relays?

2019-04-09 Thread Neel Chauhan

Hi tor-relays@ mailing list,

I run the following Tor middle relay on a 300 Mbps symmetrical Verizon 
FiOS connection:


https://metrics.torproject.org/rs.html#details/2A65713649C1FD68764DBF43C46363168BE8C942

My setup is as follows:

 * HPE MicroServer Gen10 (AMD X3421) running FreeBSD 12.0

 * Tor relay in FreeBSD 12.0 jail, with "RelayBandwidthRate 0"

 * Linksys WRT1900AC running OpenWrt

The Linksys is connected directly to Verizon's ONT (which converts 
fiber/GPON to Ethernet) and no Verizon-branded router is used in my 
setup.


The problem is that after setting up my relay, I had my Tor Advertised 
Bandwidth and Consensus Weight values trend downwards for the past week. 
Sometimes, I have occasional spikes in consensus weight.


This relay has a new fingerprint, but used this server with another 
fingerprint as well. On the previous fingerprint, I reached a peak of 
19.5 MB/s (~160 Mbps) for the Advertised Bandwidth but has dropped to 
~10 MB/s (~80 Mbps). The previous fingerprint also had the same server 
and router.


I am thinking the issue is one of the two:

 1. Tor bandwidth authority nodes are overloaded or have bad 
connectivity to Verizon


 2. Verizon is intentionally throttling Tor on FiOS

 3. The relay ramp-up phase is still in action for my relay and I need 
to wait


I am suspecting reason 2, as I had seen my bandwidth values drop, and 
unable to reach higher values.


For some reason, other relays on AS701 (Verizon's AS Number) have higher 
Advertised Bandwidth/Consensus Weight values than me (around ~18.7MB/s 
on the fastest relay): 
https://metrics.torproject.org/rs.html#search/as:AS701


Sometimes, the other FiOS relays can go up to ~23 MB/s (~184 Mbps).

Is Verizon throttling Tor or are Tor bandwidth authority nodes just 
overloaded (or have bad peering with Verizon)? Or is it just the relay 
ramp-up phase in action?


Thank You,

Neel Chauhan


Re: [tor-relays] Relay C19B33758B3A5144894233EC4C95D7985B9FD101

2019-04-05 Thread Neel Chauhan

On 2019-04-05 11:31, li...@for-privacy.net wrote:

On 05.04.2019 10:58, ylms wrote:


can someone point me at some information about this warning?

"[WARN] Error binding network socket: Address already in use  [991
duplicates hidden]"


Log message is clear:
You have assigned a port number twice.
Either two Tor-instances run on the same (TCP) port numbers or you
have given Tor a port number, which already has another system
process.

'netstat -lptu' or successor 'ss -lptu' gives you an overview.


One thing that could happen (but may not apply to you) is your 
SOCKSPort. Set it to 0 to not listen, or to a random number if you have 
to listen for SOCKS connections.


-Neel

===

https://www.neelc.org/
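
Added example (not code from either thread): a torrc listener audit that covers both this "Address already in use" exchange and the earlier port-forwarding message (ORPort 8443, DirPort 8080, ControlPort 9052). It lists which ports need inbound forwarding and which listeners from two instances would collide. Assumptions: tor's default SocksPort of 9050 on 127.0.0.1 when torrc has no SocksPort line, IPv4 wildcard handling only, and a constructed second torrc.

```python
from collections import namedtuple

Listener = namedtuple("Listener", "instance directive addr port public")

# Listener directives -> must the port be reachable from the Internet
# (and therefore be forwarded through a NAT router)?
LISTENERS = {"orport": True, "dirport": True,
             "socksport": False, "controlport": False}
DEFAULT_ADDR = {"orport": "0.0.0.0", "dirport": "0.0.0.0",
                "socksport": "127.0.0.1", "controlport": "127.0.0.1"}
SOCKS_DEFAULT_PORT = 9050   # opened when torrc has no SocksPort line

# torrc lines quoted in the port-forwarding message on this page.
RELAY_A = "ControlPort 9052\nORPort 8443\nDirPort 8080\n"
# Constructed second instance on the same host (not from the page).
RELAY_B = "ORPort 9001\nControlPort 9053\n"


def parse_listeners(torrc_text, instance):
    """Return the sockets this torrc makes tor bind, defaults included."""
    found, saw_socks = [], False
    for raw in torrc_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0].lower() not in LISTENERS:
            continue
        key = parts[0].lower()
        if key == "socksport":
            saw_socks = True
        if "nolisten" in (flag.lower() for flag in parts[2:]):
            continue
        addr, _, port = parts[1].rpartition(":")
        if not port.isdigit() or int(port) == 0:
            continue            # 0 disables; "auto" or unix: has no fixed port
        found.append(Listener(instance, parts[0], addr or DEFAULT_ADDR[key],
                              int(port), LISTENERS[key]))
    if not saw_socks:
        found.append(Listener(instance, "SocksPort (default)", "127.0.0.1",
                              SOCKS_DEFAULT_PORT, False))
    return found


def ports_to_forward(listeners):
    """Ports that need an inbound port-forwarding rule on the router."""
    return sorted({l.port for l in listeners if l.public})


def collisions(listeners):
    """Pairs that cannot both bind: same port and overlapping address.
    IPv6 addresses (bracketed) are compared by string equality only."""
    out = []
    for i, a in enumerate(listeners):
        for b in listeners[i + 1:]:
            ipv6 = a.addr.startswith("[") or b.addr.startswith("[")
            overlap = a.addr == b.addr or (
                not ipv6 and "0.0.0.0" in (a.addr, b.addr))
            if a.port == b.port and overlap:
                out.append((a, b))
    return out


if __name__ == "__main__":
    a = parse_listeners(RELAY_A, "relay-a")
    b = parse_listeners(RELAY_B, "relay-b")
    print("forward on router:", ports_to_forward(a))
    for x, y in collisions(a + b):
        print(f"collision on {x.addr}:{x.port}: "
              f"{x.instance} {x.directive} vs {y.instance} {y.directive}")
```

Adding `SocksPort 0` to the second torrc removes the reported collision, which matches the advice in the reply above.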


[tor-relays] Tor Exit Relay CPU Usage Running at 100% for 1 MB/s on FreeBSD

2019-03-11 Thread Neel Chauhan

Hi tor-relays@ mailing list,

I have set up two exit relays on a FreeBSD 12.0 dedicated server:

https://metrics.torproject.org/rs.html#details/1CD029594B08E07F29B9420410C2E34DB71FBB28
https://metrics.torproject.org/rs.html#details/A0EB2BD840838FAD51BDAD86B0BA3908FADFAE05

Looking at my top stats, I get CPU usage of 100% most of the time 
(meaning 95% of the time) on both instances pushing around ~1 MB/s with 
both instances.


The server is a HP Blade server and has a single Intel Xeon L5520 CPU 
with 16GB of RAM.


Tor is configured to have 150 Mbps per instance, with a total of two 
instances.


Why am I getting this abnormal CPU usage? What's the solution? I don't 
want to use Linux but can use another *BSD or Solaris/Illumos if I must.


-Neel

===

https://www.neelc.org


Re: [tor-relays] Tor relay on Verizon FiOS/FTTH: Advertised Bandwidth capped at ~19.5MiB/s

2019-02-19 Thread Neel Chauhan

Hi Roger,



The very short answer is that this could all be normal.

You might find some of the ideas in this wiki page useful:
https://trac.torproject.org/projects/tor/wiki/doc/MyRelayIsSlow

Among the most important points:

* It's actually bad for the network for relays to be hitting their
capacity -- since it means user traffic is intentionally delayed at
that relay.


Good to know.

I know my relay can't hit 100% of its capacity 24/7. I want the 
"consensus weight" and the "advertised bandwidth" to see my bandwidth.


* Exit relays tend to attract as much traffic as they can provide, since
exit capacity is scarce in the network right now. But for non-exit relays,
you shouldn't be surprised if they don't fill their available bandwidth.

The traffic your relay receives has to do with how the load balancing
works, and actual total traffic from clients varies over time.


Understood.

* The "torflow" bandwidth authority measurement system is pretty clearly
broken, in that it measures relays badly. This is known, and we've been
working to fix it, but "how come I have this weird bandwidth weight"
is a common question over the past few years. :(


Makes sense. I hope torflow gets replaced soon.


So in summary, it might be that something on your side is unnecessarily
limiting your relay performance, but it could also just be that the "luck
of the draw" from the load balancing system is what gave you this load.


I thought of many reasons: my router, Verizon's backbone, Verizon's FiOS 
edge network, or just Tor's crappy load balancing system (which I hope 
gets fixed soon).



If you want to use more of your bandwidth, consider running two relays
as somebody suggested in this thread. Or just sit back and be happy at
your nice relay contribution. :)


I set up another relay to increase my bandwidth. If that doesn't help, I 
will look into replacing my WRT1900AC with a pfSense or Ubiquiti box.



(Another option is that you could open up your exit policy, but that's
probably a poor idea for a relay running at home.)


I probably won't. Aside from the obvious reasons, I won't run an exit 
from home because:


 * I would get blacklisted from too many websites
 * Most ISPs don't want to give you more than one IPv4 address to 
separate Tor traffic from everything else unless you go business class
 * Verizon would probably notice my "exit" relay from abuse complaints 
and then would say "you can't do this on FiOS" unless I go business 
class


I run an exit from a dedicated server (not a 
OVH/Online.net/Scaleway/Hetzner, but one from a host called GTHost).



Thanks!
--Roger


You're welcome.

-Neel

===

https://www.neelc.org/


Re: [tor-relays] Tor relay on Verizon FiOS/FTTH: Advertised Bandwidth capped at ~19.5MiB/s

2019-02-18 Thread Neel Chauhan

Roman,

But then again the upload will be barely utilized by typical residential
Internet users.


True.

Still my recommendation is to test your bandwidth in multiple ways first,
be it speedtest.net, or (better yet) https://github.com/sivel/speedtest-cli,
or iperf3 servers, if you can find any near your location.


I am getting 300 Mbps in both directions.

If tests show that you do get near 300 Mbit both directions, the next step
would be to just set up two instances of Tor, as I suggested before in your
thread[1]. Actually fun to see my prediction from back then coming true
precisely (with regard to getting only 200 Mbit).

[1] https://www.mail-archive.com/tor-relays@lists.torproject.org/msg15819.html


Being capped at 200 Mbps was because `powerd` wasn't enabled on my 
FreeBSD, and "turbo" frequencies weren't being used. Enabling `powerd` 
means I feel my relay can handle 300 Mbps (and CPU usage dropped because 
the clock speed increased). Previously 10 MB/s (80 Mbps) took 30% of 
CPU, now the same amount of bandwidth takes 20%.


Running two instances is the universal solution which should improve Tor's
bandwidth utilization on almost any connection.


I'll look at this.

I feel it's my Linksys WRT1900AC because consumer routers aren't 
designed for the traffic high-bandwidth Tor relays handle, even after 
flashing things like OpenWrt.


Also see: 
https://arstechnica.com/gadgets/2016/09/the-router-rumble-ars-diy-build-faces-better-tests-tougher-competition/


Would running two instances help with a consumer router's limited NAT 
Table?


-Neel

===

https://www.neelc.org/


Re: [tor-relays] Bandwidth limiting at relay or network?

2019-01-17 Thread Neel Chauhan
I usually do it in torrc, but am experimenting with letting my ISP/host 
(Verizon FiOS and GTHost.com) traffic shaping do this on unmetered connections.

The reason for this is because I learned about bandwidth accounting as 
mentioned on an earlier post here:

https://lists.torproject.org/pipermail/tor-relays/2018-December/016780.html

Tor spends resources doing bandwidth accounting if you set RelayBandwidthRate 
and RelayBandwidthBurst.

So the runoff is: torrc is convenient, but doing it externally can offload the 
shaping and free the Tor process to do other things (after all, Tor is still 
singlethreaded) but adds complexity to your OS/network setup.

-Neel

===

https://www.neelc.org/

January 14, 2019 10:09 PM, "Isaac Grover, Aileron I.T." wrote:

Good evening fellow relay operators, 

I haven’t ever taken the time to configure bandwidth limits in torrc, 
always preferring to manage it at the firewall as we have other bandwidth 
limits set there as well. However, I’m curious - what do other relay operators 
prefer? 

Make your day great,
Isaac Grover, Senior I.T. Consultant
Aileron I.T. – “ Because #ProactiveIsBetter ” 

O: 715-377-0440, F: 715-690-1029, W: www.aileronit.com

LinkedIn: https://www.linkedin.com/in/IsaacGrover/

YouTube: https://www.youtube.com/channel/UCqrwZNFKdR-guKtuQzFPObQ


Re: [tor-relays] 300mbps FreeBSD Tor relay on HPE MicroServer Gen10 (AMD X3421)

2018-12-28 Thread Neel Chauhan
Hi George,

> At some point, I want to get a few network-heavy FreeBSD involved in
> optimizing Tor on FreeBSD. It should not take a lot to do, since the
> networking stack is optimized out of the box, but my FreeBSD nodes never
> hit much more than 10mbps.

I hope you get to optimize high-bandwidth Tor on FreeBSD as well. I would love
to have this as well. I can also help as well.

About the slow relays, looking at your company website
(http://queair.net/hardware.html), you appear to be a fan of low-power hardware
like Alix or ARM boards (RPI, BeagleBone) and believe you run relays on these.
I could be wrong, as it could also be your ISP. If the cause is low-power
hardware, I'm not against low power development boards, I just feel that for
Tor they're more for low-bandwidth relays (e.g. bridges or relays on slower
connections).

> One of those devs lives close to both you and I :)

Sounds great.

> Keep us in the loop on the relay and any customizations you're doing.

OK, I will. When I get to setting up the server, I will post an article to my
website (https://www.neelc.org) and a copy of the article here (@tor-relays).

Thanks,

Neel Chauhan

===

https://www.neelc.org/


[tor-relays] 300mbps FreeBSD Tor relay on HPE MicroServer Gen10 (AMD X3421)

2018-12-28 Thread Neel Chauhan
Hi tor-relays@,

I have a Tor middle relay NeelTorRelay2 hosted on a 50 megabit symmetrical 
Verizon FiOS (FTTH/GPON) connection. The server used is a HPE MicroServer Gen10 
(AMD X3421 quad-core version, 8GB DDR4 RAM). This relay can be seen here:

https://metrics.torproject.org/rs.html#details/D5B8C38539C509380767D4DE20DE84CF84EE8299

My relay runs FreeBSD 11.2 and Tor runs in a "jail". I am using AESNI and Tor 
is configured to use OpenSSL cryptodev.

Here's the situation: I will be moving apartments in a few days, and Verizon is 
upgrading my broadband speed to 300 megabits symmetrical. I plan to use this 
extra bandwidth for Tor. Right now, I set my RelayBandwidthRate to my line 
speed (yes really!), and plan to increase this setting according to my new 
speed.

I know that Tor is not optimized for multicore CPUs, and that's the reason why 
I am posting here.

My question is that can Tor work on the HPE MicroServer Gen10 with the AMD 
X3421 (or one with a similar computer of any brand with a similar performance 
CPU, whether desktop or server, Intel or AMD) with all 300 megabits to a single 
instance or would I need two instances (each at 150 megabits each)? Looking at 
my top usage, I average at about 20-30% CPU usage on my 50 megabit relay.

Also keep in mind that:

 * I am using my own router instead of Verizon's and I plan to keep doing so
 * I want to keep using FreeBSD on my server and do not want to run Linux
 * I would prefer to have a single instance, but can use multiple if I have to
 * When I move, I will upgrade my server to FreeBSD 12.0
 * My server supports hardware accelerated AES and SHA. I am using this on 
FreeBSD with the aesni kernel module and Tor with "HardwareAccel 1" and 
"AccelName cryptodev"

Thank You,

Neel Chauhan

===

https://www.neelc.org/


Re: [tor-relays] FamilyGenerator: Tor MyFamily Generator

2018-07-22 Thread Neel Chauhan


nonetheless I find it positive that Neel now finally has a (proper?) MyFamily
config probably because of this non-perfect way of collecting FPs.


Well, my relays don't use FamilyGenerator.

I still hope no one is using onionoo query results to alter their config
*automatically*


I guess then I realized that generating MyFamily from Onionoo output is 
not such a good idea after all. I updated my GitHub page for 
"FamilyGenerator" to reflect these issues and put a link to this thread 
(so random people don't just use my software).


-Neel Chauhan

On 2018-07-22 12:01, nusenu wrote:
- you run your own AS and all servers in that AS are under your control
(parameter: as)

https://metrics.torproject.org/onionoo.html#parameters_as


This effectively puts MaxMind in charge of MyFamily.


good point and I guess there is only a handful of operators with their
own AS anyway

- all your relays are under your own DNS domain and only you can generate
DNS A records for that domain

and [1] is implemented
(note: these onionoo fields appear currently somewhat broken)


There is no attempt currently to perform any DNSSEC or other validation.


I was about to make a ticket for that when I wrote the last mail,
since using a DNSSEC validating resolver should not be a whole lot of effort.


https://trac.torproject.org/projects/tor/ticket/26901


Onionoo is useful for many things, but I don't think this is one of
them. Instead, you can use Ansible/Salt/Puppet/whatever to configure
MyFamily and there are plenty of ways out there to do this.


+1

nonetheless I find it positive that Neel now finally has a (proper?)
MyFamily config probably because of this non-perfect way of collecting FPs.

I still hope no one is using onionoo query results to alter their
config *automatically*



[tor-relays] [Software Announcement] FamilyGenerator: Tor MyFamily Generator

2018-07-21 Thread Neel Chauhan

Hi tor-relays mailing list,

I have created a tool called FamilyGenerator. FamilyGenerator is a tool 
to automatically construct a Tor MyFamily line based on Onionoo 
parameters.


Why? If you run multiple relays, it can become hard to keep your 
MyFamily line updated if you add or remove relays. FamilyGenerator makes 
it easier (and automated if you use cron, or maybe without it in a 
future version if it ever comes).


Does it integrate with Tor directly? As of now, no. If you want to 
automatically load FamilyGenerator outputs to Tor, you can:


 1. Make sure all your relays have something in common in the Nickname or
    ContactInfo lines
 2. Use a shell script to generate the MyFamily line with FamilyGenerator
 3. Use a cron job to reload Tor after FamilyGenerator runs
 4. Include the output in an Include line in your torrc

Hopefully, a future version can avoid cron (that is, if it comes).

FamilyGenerator is available on GitHub at:

https://github.com/neelchauhan/FamilyGenerator

You can install it from PyPI with:

pip install FamilyGenerator

A FreeBSD port is underway. For Debian users, sorry, but there's no 
Debian package in the pipeline as I don't use Debian.


That's it.

Thank You,

Neel Chauhan
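
Added example (not FamilyGenerator's code and not part of the original post): one way to produce the MyFamily include file from the steps above using a fingerprint list the operator maintains by hand, instead of Onionoo query results, which the follow-up thread advises against. The sample fingerprints, file names and helper names are constructed for illustration.

```python
import os
import re
import tempfile

# A relay fingerprint is 40 hex digits.
FINGERPRINT_RE = re.compile(r"[0-9A-F]{40}")

# Constructed sample list (not real relays); in practice this file is kept
# under the operator's own control, e.g. in a config-management repository.
SAMPLE_LIST = """\
# relays I operate
$0123456789ABCDEF0123456789ABCDEF01234567   # relay-a
89ab cdef 0123 4567 89ab cdef 0123 4567 89ab cdef   # relay-b, spaced form
0123456789abcdef0123456789abcdef01234567    # duplicate of relay-a
"""


def parse_fingerprints(text):
    """Validate and de-duplicate an operator-maintained fingerprint list.

    One fingerprint per line; '#' starts a comment; a leading '$' and the
    space-grouped form are accepted. Anything else is rejected so that a
    typo never ends up in torrc.
    """
    seen, ordered = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        fp = entry.lstrip("$").replace(" ", "").upper()
        if not FINGERPRINT_RE.fullmatch(fp):
            raise ValueError(f"line {lineno}: not a relay fingerprint: {raw!r}")
        if fp not in seen:
            seen.add(fp)
            ordered.append(fp)
    return ordered


def myfamily_line(fingerprints):
    """Build one MyFamily line; sorted so every relay gets identical text."""
    if not fingerprints:
        raise ValueError("refusing to write an empty MyFamily line")
    return "MyFamily " + ",".join("$" + fp for fp in sorted(fingerprints)) + "\n"


def write_if_changed(path, content):
    """Atomically replace `path`; return True only if the content changed.

    The return value tells the caller (cron job or deployment tool) whether
    a Tor reload is needed at all.
    """
    try:
        with open(path, encoding="ascii") as existing:
            if existing.read() == content:
                return False
    except FileNotFoundError:
        pass
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".myfamily.")
    try:
        with os.fdopen(fd, "w", encoding="ascii") as out:
            out.write(content)
        os.chmod(tmp, 0o644)
        os.replace(tmp, path)  # atomic on the same filesystem
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)
    return True


if __name__ == "__main__":
    line = myfamily_line(parse_fingerprints(SAMPLE_LIST))
    # "myfamily.conf" is a placeholder path; torrc would pull it in with a
    # "%include" line.
    changed = write_if_changed("myfamily.conf", line)
    print(line, end="")
    print("reload needed" if changed else "unchanged, no reload")
```

Because the list is a local file rather than a network query, nothing outside the operator's control can add or remove a family member.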


Re: [tor-relays] Turning down my relay from DigitalOcean

2018-07-02 Thread Neel Chauhan
If you want an alternative to DigitalOcean for a Tor relay, two good 
alternatives include BuyVM and ITL. I use them both for two exit relays 
each. Both providers are unmetered in terms of bandwidth, have good 
support, allow exits, and support both Linux and *BSD. If you need to 
choose one of the two, I would choose BuyVM (both their servers and 
network seem to be faster).


If you want an alternative to ITL and BuyVM, search online for an 
"unmetered VPS" and if you find a provider check their TOS to see whether 
they allow the type of relay you want to run (many allow middle relays, 
but only a few allow exits).


Hope this helps.

Best,

Neel Chauhan

===

https://www.neelc.org/

On 2018-07-02 09:27, Guillermo Narvaez wrote:

Hello everyone,

Sadly I'm stopping the tor daemon in my relay due to the high cost of
bandwidth ($100), in the meantime I start to search an optional
hosting.

My apologies!
-Guillermo


Re: [tor-relays] how to set-up multiple debian relays at once

2018-06-16 Thread Neel Chauhan
Are you talking about multiple instances on one VPS, or multiple VPS 
instances?


If you have multiple VPS instances, and your VPS provider supports 
imaging, you can just copy the images to as many relays as you want. If 
you go this route, just make sure that you haven't let Tor generate a 
relay private key yet (so don't run Tor with ORPort before creating your 
image)


You can also use scripts for setting up Tor relays with tools like 
Ansible, Docker, etc. For instance, an Ansible role:


https://github.com/nusenu/ansible-relayor

If you want multiple instances on a single VPS, Debian has something 
handy called tor-instance-create:


http://manpages.ubuntu.com/manpages/bionic/man8/tor-instance-create.8.html

I don't know enough about Debian (I run FreeBSD). If you don't like 
tor-instance-create and are willing to use FreeBSD, they also make it 
easy to have multiple instances on a single computer:


https://svnweb.freebsd.org/ports/head/security/tor/files/pkg-message.in?revision=425102=markup=472266

-Neel Chauhan

===

https://www.neelc.org/

On 2018-06-16 07:18, I wrote:

Is there a way to collectively install and manage multiple VPS relays?


Re: [tor-relays] Spam Emails Received From This Mailing List

2018-06-11 Thread Neel Chauhan
It seems that I am getting spam from a new email address: 
camrynbentley870...@ao.ovsum.com


The pattern is that the emails are from *@*.ovsum.com addresses. Just 
block this pattern as well, and report your emails to SpamCop.


-Neel Chauhan

===

https://www.neelc.org/

On 2018-06-08 20:24, Keifer Bly wrote:

Hello fellow relay operators,

My apologies as this is not related to tor relays, however, there
seems to be several spammers subscribed to the relay list. Every time
I am involved in a discussion on this list, I receive 3-5 emails
supposedly from girls wanting to meet up (for sex). The emails in
question claim they are sent from email address
tor-relays@lists.torproject.org (and always have the same email
subject of the discussion I was involved in).

I am somewhat in a trap as blocking them with spam filters would block
all emails sent from the relay lists address. I am wondering what
could be done about this (the email provider in question is Gmail).

Thank you.


Re: [tor-relays] Trying to set up a relay at home, but get no connections

2018-06-11 Thread Neel Chauhan
Do you have an alternative choice of ISP? In many countries, you often 
do (e.g. Europe, East Asia). In others, you usually don't (e.g. USA, 
small island nations). If you don't, another option is a VPN with a 
public IP address (that is, if you are willing to pay for one).


Once Verizon FiOS (US FTTH ISP) blocked the consensus node tor26 
(86.59.21.38) and just tor26 and I thought that was absurd, but this is 
on a whole other level. At least Verizon still let me run a Tor relay 
(they technically ban it, but nobody enforces it), and I did get tor26 
unblocked after posting on the NANOG mailing list. At least I still had 
the cable company here as well, but in the US cable usually sucks (some 
have cable as their only option if you don't want 1.5-6mbps DSL).


Maybe your ISP hates Tor and doesn't want you to run a relay. Most 
broadband ISPs in countries which don't block Tor usually let you run a 
relay even if their TOS says it's not allowed, but if you don't have net 
neutrality in your country, an ISP can freely block consensus nodes to 
prevent you from being a relay. Unfortunate, but probably is true in 
your case. If you are willing to get political, you should push for net 
neutrality in your country.


-Neel Chauhan

===

https://www.neelc.org/

On 2018-06-11 14:29, Gunnar Wolf wrote:

Graeme Neilson said [Sat, Jun 09, 2018 at 11:53:20AM +1200]:

See if you can route to all the authorities.
Tor requires that all relays are able to contact all directory authorities.

In my case tcptraceroute would not get to all the authorities. For some
authorities my ISP was not routing to them.


This seems to be the issue - I'm attaching a screenshot of «mtr»
trying to reach all of the directory authorities from said server.

So, it seems my ISP does not want us to run relays ☹ Can you think of
any way my connection (oversized for my regular uses) can be put to
use for Tor? I guess it would not work as a bridge either, would it?



Re: [tor-relays] Spam Emails Received From This Mailing List

2018-06-09 Thread Neel Chauhan
I've gotten these emails as well. Since I have my own email server, I 
configured Postfix to block the spam address. For me, the address was 
consistently the same. I thought that it was just a problem with my spam 
filter, but looking here even Gmail users got these messages.


I also uploaded a few of these messages to SpamCop (and if you still 
have your emails, you should also).


IMHO we should just block emails from *.mexyst.com domains (it seems 
everyone got a different sending address), no matter what email we use. 
Gmail, Outlook, ProtonMail, Riseup, or even your own server if you're 
like me.


-Neel Chauhan

===

https://www.neelc.org/

On 2018-06-09 00:08, Mirimir wrote:

On 06/08/2018 04:06 PM, Keifer Bly wrote:
I receive them whenever I send a note to this address, starting with 
the first time I participated in a conversation with this thread. 
Thank you.


Wow, that's bizarre! I thought that you meant occasionally, not after
every post. But still, someone could be watching for your posts, and
then sending spam to you with tor-relays@lists.torproject.org as a
spoofed from header.

I get that this is off-topic, and that most of you are rolling your
eyes. But if anyone else has seen this, I'd like to know.

And as I've said, I'm happy to review some source, and see if some
header could be used to block.


From: Mirimir
Sent: Friday, June 8, 2018 8:05 PM
To: tor-relays@lists.torproject.org
Subject: Re: [tor-relays] Spam Emails Received From This Mailing List

On 06/08/2018 03:48 PM, Keifer Bly wrote:
Yes, but the emails are saying that they are from the 
tor-rel...@lists.tororoject.org email address. They must be spoofing 
the email address it’s coming from somehow. I just thought that I’d 
say something as given that they are making their emails come from 
that email address could mean that these spammers could have somehow 
gotten who is subscribed to the relay mailing list as this is my 
personal email and not a school or company owned google account, no 
one else has access to this email account but me so not sure how they 
would have known I am subscribed. I would supply a copy of the email 
but that may be tough as they contain nudity and graphically 
intensive language.


How long have you been receiving them? I see that your first post to the
list was on 2018-04-10. Anyone, whether subscribed or not, can get that
from http://lists.torproject.org/pipermail/tor-relays/.

Please feel comfortable sending message source for one of them to me.
Not just forwarding. Get the source text (in Thunderbird, it's just
"View Source") and email as an attachment.


Sent from my iPhone


On Jun 8, 2018, at 6:18 PM, Mirimir  wrote:


On 06/08/2018 01:24 PM, Keifer Bly wrote:
Hello fellow relay operators,

My apologies as this is not related to tor relays, however, there 
seems to be several spammers subscribed to the relay list. Every 
time I am involved in a discussion on this list, I receive 3-5 
emails supposedly from girls wanting to meet up (for sex). The 
emails in question claim they are sent from email address 
tor-relays@lists.torproject.org (and always have the same email 
subject of the discussion I was involved in).


I don't recall seeing such messages. So they must be spoofing the from
address.

I am somewhat in a trap as blocking them with spam filters would 
block all emails sent from the relay lists address. I am wondering 
what could be done about this (the email provider in question is 
Gmail).


Maybe there's something in the headers that could be filtered on.

Also, I recall reading that Gmail doesn't actually parse headers
properly. If from address is spoofed to your address, it goes in your
outbox :) So maybe you need to use an old-school email client.


Thank you.





Re: [tor-relays] Tor Guard Relay

2018-06-07 Thread Neel Chauhan

On 2018-06-07 14:08, Keifer Bly wrote:
Thanks. How much bandwidth and uptime do I need to become a guard 
relay?


Sent from my iPhone


Bandwidth requirements:

A guard is the first relay in the chain of 3 relays building a Tor circuit.
A middle relay is neither a guard nor an exit, but acts as the second hop
between the two. To become a guard, a relay has to be stable and fast (at
least 2MByte/s) otherwise it will remain a middle relay.


Source: https://trac.torproject.org/projects/tor/wiki/TorRelayGuide

For the "Stable" flag:

  "Stable" -- A router is 'Stable' if it is active, and either its Weighted
  MTBF is at least the median for known active routers or its Weighted MTBF
  corresponds to at least 7 days. Routers are never called Stable if they are
  running a version of Tor known to drop circuits stupidly.  (0.1.1.10-alpha
  through 0.1.1.16-rc are stupid this way.)


Source: https://gitweb.torproject.org/torspec.git/tree/dir-spec.txt

Looking that you have Charter as your ISP, and Charter is a cable ISP, 
upstream speeds are usually limited. This means that unless your cable 
company gives at least 16 megabits of upload speed, you cannot become a 
guard. Also, many parts of the US have cable broadband, but not fiber, 
so they're stuck with slow upload speeds for now, and if they want to be 
a Tor relay, may not have the Guard flag unless they have a higher speed 
package hopefully with enough upload bandwidth (and it may only be 
between 16-35 mbps upload).


CableLabs (who maintains DOCSIS, the standard for cable modems) is 
working on a new technology called Full Duplex DOCSIS 3.1 which 
supposedly makes cable broadband have similar upload speeds to fiber 
connections.


Source: https://www.cablelabs.com/full-duplex-docsis/

Sadly, it's not a reality yet, so for a few more years you'll probably 
have to live with slow upload speeds until it comes (provided that cable 
companies deploy full duplex tech).


If you really want the Guard flag right now, another option is to get an 
unmetered VPS. Some networks like OVH, Online.net/Scaleway, Hetzner, and 
Digital Ocean are very popular for relays and many in the Tor community 
consider that new relays should avoid "popular" networks.


Two good VPS providers to consider include ITL and BuyVM (I have two 
VPSes each with both for exits). You could also look at other unmetered 
providers like Contabo and Trabia as well.


You could also check if your phone company or another provider (like 
Google) has fiber in your area, but considering that you're in the US, 
many Americans have cable as their only high speed option (because most 
telcos refuse to deploy fiber).


Hope this helps.

-Neel Chauhan

===

https://www.neelc.org/


On Jun 7, 2018, at 5:39 AM, Neel Chauhan  wrote:

The guard flag gets automatically assigned to you if you have enough 
bandwidth and uptime. You usually don't get to choose. You can still 
influence it by inducing downtime or limiting bandwidth (but both will 
be counterproductive). There are no risks in being a guard node, 
unlike being an exit. That's why web hosts are okay with guard nodes 
but not exits, and also why you can be a guard node on a broadband 
connection without getting complaints from your ISP. Abuse complaints 
don't go to a guard node, it goes to exits as exits connect directly 
to requested non-onion websites and guards don't.


-Neel Chauhan

===

https://www.neelc.org/


On 2018-06-06 14:42, Keifer Bly wrote:
Hello, I have one question.
I have been running my relay “torland” at
http://torstatus.blutmagie.de/router_detail.php?FP=db1af6477bb276b6ea5e72132684096eee779d30
For roughly 3 months now (I am unsure exactly how many days). While my
relay is marked “fast” and “stable” currently, it has never
been marked as a “guard” relay. I believe being a “guard”
relay requires at least 10mb/s for relay speed, but am wondering, do I
need to configure my torrc file to allow it to be used as a guard
relay and are there any risks for doing this (like there are in
running in exit relay)? Thank you.


Re: [tor-relays] Tor Guard Relay

2018-06-07 Thread Neel Chauhan
The guard flag gets automatically assigned to you if you have enough 
bandwidth and uptime. You usually don't get to choose. You can still 
influence it by inducing downtime or limiting bandwidth (but both will 
be counterproductive). There are no risks in being a guard node, unlike 
being an exit. That's why web hosts are okay with guard nodes but not 
exits, and also why you can be a guard node on a broadband connection 
without getting complaints from your ISP. Abuse complaints don't go to a 
guard node, it goes to exits as exits connect directly to requested 
non-onion websites and guards don't.


-Neel Chauhan

===

https://www.neelc.org/

On 2018-06-06 14:42, Keifer Bly wrote:

Hello, I have one question.

I have been running my relay “torland” at

http://torstatus.blutmagie.de/router_detail.php?FP=db1af6477bb276b6ea5e72132684096eee779d30

For roughly 3 months now (I am unsure exactly how many days). While my
relay is marked “fast” and “stable” currently, it has never
been marked as a “guard” relay. I believe being a “guard”
relay requires at least 10mb/s for relay speed, but am wondering, do I
need to configure my torrc file to allow it to be used as a guard
relay and are there any risks for doing this (like there are in
running in exit relay)? Thank you.


Re: [tor-relays] Running A Bridge Alongside My Relay

2018-05-26 Thread Neel Chauhan
You normally can't run a server through a regular "proxy" as you would 
need to be able to advertise an open port for the bridge and regular 
proxy servers won't let you do that. You can do it if you use a VPN with 
a public IP address for the bridge however, or a second IP address, but 
you would need to pay $$$ for this.


-Neel Chauhan

===

https://www.neelc.org/

On 2018-05-26 16:19, Keifer Bly wrote:

Yes but I would run it through the proxy so it would have the proxy IP
address. I just noticed tor could use more bridges as there are four
times as many public relays as there are bridges.

Sent from my iPhone

On May 26, 2018, at 12:44 PM, Logforme <m7...@abc.se> wrote:


So I am considering running a bridge alongside my relay gotland

Would the bridge use the same public IP address as the relay?
Since you already run a relay, that IP address is public. The point of 
bridges is that they are not public so they are harder to block.
A government that censors the internet would surely block access to 
all Tor relay IP addresses.




Re: [tor-relays] Verizon AS701 blocking Tor consensus server tor26 (86.59.21.38)

2018-05-24 Thread Neel Chauhan

Hi tor-relays mailing list,

Good news! Verizon unblocked tor26 (86.59.21.38).

I posted something similar on NANOG (with modifications for network 
people) here: 
https://mailman.nanog.org/pipermail/nanog/2018-May/095386.html


Someone nice at Verizon must have read NANOG (VZ NOC people probably do 
read NANOG) and unblocked tor26. Here is a (successful) traceroute:


neel@flex:~ % traceroute  86.59.21.38
traceroute to 86.59.21.38 (86.59.21.38), 64 hops max, 40 byte packets
 1  unknown (192.168.1.1)  0.886 ms  0.567 ms  0.460 ms
 2  lo0-100.NYCMNY-VFTTP-401.verizon-gni.net (173.68.77.1)  2.437 ms  2.129 ms  1.127 ms
 3  B3401.NYCMNY-LCR-21.verizon-gni.net (100.41.137.94)  3.957 ms  5.827 ms
    B3401.NYCMNY-LCR-22.verizon-gni.net (100.41.137.96)  5.022 ms
 4  * * *
 5  0.et-11-1-5.BR3.NYC4.ALTER.NET (140.222.2.131)  3.527 ms
    0.et-5-0-2.BR3.NYC4.ALTER.NET (140.222.239.37)  4.578 ms
    0.et-11-1-5.BR3.NYC4.ALTER.NET (140.222.2.131)  18.629 ms
 6  204.255.168.118 (204.255.168.118)  4.764 ms  8.144 ms  7.132 ms
 7  sl-crs3-lon-0-6-3-0.sprintlink.net (144.232.9.165)  70.718 ms
    sl-crs1-lon-0-6-2-0.sprintlink.net (144.232.13.44)  79.200 ms
    144.232.13.112 (144.232.13.112)  78.583 ms
 8  144.232.13.108 (144.232.13.108)  83.652 ms
    213.206.129.100 (213.206.129.100)  86.477 ms  83.988 ms
 9  217.149.32.65 (217.149.32.65)  100.367 ms  95.808 ms
    sl-crs4-ams-0-7-0-3.sprintlink.net (213.206.129.139)  85.614 ms
10  217.149.47.46 (217.149.47.46)  84.036 ms  84.193 ms  83.651 ms
11  ams5-core-1.bundle-ether1.tele2.net (130.244.82.54)  79.584 ms  79.037 ms  78.659 ms
12  ams-core-2.bundle-ether9.tele2.net (130.244.82.57)  91.635 ms  94.684 ms  93.261 ms
13  wen3-core-2.bundle-ether15.tele2.net (130.244.71.47)  105.583 ms  105.421 ms  105.308 ms
14  tele2at-bundle2-vie3.net.uta.at (212.152.189.65)  112.490 ms  105.685 ms  111.003 ms
15  86.59.118.145 (86.59.118.145)  130.001 ms  138.869 ms  106.799 ms
16  tor.noreply.org (86.59.21.38)  106.681 ms  105.468 ms  105.891 ms
neel@flex:~ %

(it's on a different laptop, my 'xb2' refuses to charge now, still same 
connection however).


Now no consensus relays are blocked on FiOS!

Although **most** Verizon NOC people probably don't read tor-relays 
(unlike NANOG's mailing lists), but to the person who read my NANOG post 
and unblocked tor26 (86.59.21.38), thank you so much!


Thank You,

Neel Chauhan

===

https://www.neelc.org/

On 2018-05-15 20:12, Neel Chauhan wrote:

Hi tor-relays mailing list,

I have noticed that the Tor consensus server tor26
(https://metrics.torproject.org/rs.html#details/847B1F850344D7876491A54892F904934E4EB85D)
is blocked on Verizon's UUNET (AS701) backbone, and therefore,
Verizon's retail services like FiOS and Wireless. I can confirm this
on FiOS, but I don't use Verizon Wireless (my smartphone uses Sprint)
so I can't test it there.

A traceroute to tor26's IP address 86.59.21.38 from a Brooklyn
apartment shows this is filtered on Verizon's backbone:

neel@xb2:~ % traceroute 86.59.21.38
traceroute to 86.59.21.38 (86.59.21.38), 64 hops max, 40 byte packets
 1  unknown (192.168.1.1)  1.128 ms  0.780 ms  0.613 ms
 2  lo0-100.NYCMNY-VFTTP-401.verizon-gni.net (173.68.77.1)  1.001 ms  3.632 ms  0.900 ms
 3  B3401.NYCMNY-LCR-22.verizon-gni.net (100.41.137.96)  2.291 ms
    B3401.NYCMNY-LCR-21.verizon-gni.net (100.41.137.94)  3.172 ms  4.046 ms
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
^C
neel@xb2:~ %

In a normal traceroute, you will see ALTER.NET at hop 5. Also, the
subnet 86.59.21.0/24 is not filtered on UUNET. A traceroute to
86.59.21.1 works:

neel@xb2:~ % traceroute 86.59.21.1
traceroute to 86.59.21.1 (86.59.21.1), 64 hops max, 40 byte packets
 1  unknown (192.168.1.1)  0.863 ms  0.757 ms  0.579 ms
 2  lo0-100.NYCMNY-VFTTP-401.verizon-gni.net (173.68.77.1)  1.010 ms  1.545 ms  1.034 ms
 3  B3401.NYCMNY-LCR-22.verizon-gni.net (100.41.137.96)  3.616 ms
    B3401.NYCMNY-LCR-21.verizon-gni.net (100.41.137.94)  5.696 ms  10.062 ms
 4  * * *
 5  0.et-5-1-5.BR3.NYC4.ALTER.NET (140.222.2.127)  3.492 ms  3.506 ms  2.996 ms
 6  204.255.168.118 (204.255.168.118)  8.462 ms  7.479 ms  7.252 ms
 7  144.232.4.84 (144.232.4.84)  5.041 ms  4.688 ms
    sl-crs3-lon-0-6-3-0.sprintlink.net (144.232.9.165)  71.865 ms
 8  sl-crs2-lon-0-0-3-0.sprintlink.net (213.206.128.181)  72.214 ms  73.579 ms  72.339 ms
 9  213.206.129.142 (213.206.129.142)  81.390 ms
    sl-crs4-ams-0-7-0-3.sprintlink.net (213.206.129.139)  85.854 ms  93.238 ms
10  217.149.47.46 (217.149.47.46)  79.004 ms  85.669 ms  79.392 ms
11  ams5-core-1.bundle-ether1.tele2.net (130.244.82.54)  86.507 ms  78.374 ms  77.740 ms
12  ams-core-2.bundle-ether9.tele2.net (130.244.82.57)  79.642 ms  77.926 ms  81.515 ms
13  wen3-core-2.bundle-ether15.tele2.net (130.244.71.47)  105.400 ms  105.089 ms  109.751 ms
14  tele2at-bundle2-vie3.net.uta.at (212.152.189.65)  122.716 ms  110.820 ms  114.354 ms
15  86.59.21.1 (86.59.21.1)  106.389 ms *  105.379 ms
neel@xb2:~ %

I got

[tor-relays] Verizon AS701 blocking Tor consensus server tor26 (86.59.21.38)

2018-05-15 Thread Neel Chauhan
 using anything Verizon at all 
costs (I certainly wouldn't want to go to the local cable company), I 
just want to point out a blocked consensus server.


Thank You,

Neel Chauhan

===

https://www.neelc.org/
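
Added example (not part of the original posts): a small parser that compares the two traceroutes quoted in the thread above, the one to tor26 that dies after hop 3 and the one to the neighbouring 86.59.21.1 that completes, and reports the first hop that answers in the baseline but not in the blocked path. The traces are excerpted from the thread (baseline hops 7 to 14 omitted); function and variable names are assumptions of this example.

```python
import re

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S.*)$")          # "<hop>  <replies...>"
IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")  # "(a.b.c.d)"

# Excerpted from the thread: trace to tor26, interrupted with ^C at hop 9.
BLOCKED = """\
traceroute to 86.59.21.38 (86.59.21.38), 64 hops max, 40 byte packets
 1  unknown (192.168.1.1)  1.128 ms  0.780 ms  0.613 ms
 2  lo0-100.NYCMNY-VFTTP-401.verizon-gni.net (173.68.77.1)  1.001 ms
3.632 ms  0.900 ms
 3  B3401.NYCMNY-LCR-22.verizon-gni.net (100.41.137.96)  2.291 ms
B3401.NYCMNY-LCR-21.verizon-gni.net (100.41.137.94)  3.172 ms  4.046 ms
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
"""

# Excerpted from the thread: trace to a neighbour in the same /24.
# Hops 7-14 are omitted here to keep the sample short.
BASELINE = """\
traceroute to 86.59.21.1 (86.59.21.1), 64 hops max, 40 byte packets
 1  unknown (192.168.1.1)  0.863 ms  0.757 ms  0.579 ms
 2  lo0-100.NYCMNY-VFTTP-401.verizon-gni.net (173.68.77.1)  1.010 ms
1.545 ms  1.034 ms
 3  B3401.NYCMNY-LCR-22.verizon-gni.net (100.41.137.96)  3.616 ms
B3401.NYCMNY-LCR-21.verizon-gni.net (100.41.137.94)  5.696 ms  10.062 ms
 4  * * *
 5  0.et-5-1-5.BR3.NYC4.ALTER.NET (140.222.2.127)  3.492 ms  3.506 ms  2.996 ms
 6  204.255.168.118 (204.255.168.118)  8.462 ms  7.479 ms  7.252 ms
15  86.59.21.1 (86.59.21.1)  106.389 ms *  105.379 ms
"""


def parse_traceroute(text):
    """Return (target_ip, {hop: [responding IPs]}).

    Lines without a leading hop number (extra routers for the same hop, or
    mail-wrapped timings) are attached to the preceding hop.
    """
    target, hops, current = None, {}, None
    for line in text.splitlines():
        if line.lstrip().startswith("traceroute to"):
            found = IP_RE.search(line)
            target = found.group(1) if found else None
            continue
        match = HOP_RE.match(line)
        if match:
            current = int(match.group(1))
            hops.setdefault(current, [])
            rest = match.group(2)
        else:
            rest = line
        if current is not None:
            for ip in IP_RE.findall(rest):
                if ip not in hops[current]:
                    hops[current].append(ip)
    return target, hops


def diagnose(text):
    """Summarise one trace: was the target reached, and where did replies stop?"""
    target, hops = parse_traceroute(text)
    answered = [n for n in sorted(hops) if hops[n]]
    last = answered[-1] if answered else 0
    return {
        "target": target,
        "reached": any(target in ips for ips in hops.values()),
        "last_responding_hop": last,
        "silent_tail": sum(1 for n in hops if n > last),
    }


def first_divergence(blocked_text, baseline_text):
    """First hop that answers in the baseline but lies past the blocked trace's
    last reply: the earliest point at which the two paths visibly differ."""
    last = diagnose(blocked_text)["last_responding_hop"]
    _, baseline = parse_traceroute(baseline_text)
    for hop in sorted(baseline):
        if hop > last and baseline[hop]:
            return hop, baseline[hop]
    return None


if __name__ == "__main__":
    print(diagnose(BLOCKED))
    print(diagnose(BASELINE))
    print("first divergence:", first_divergence(BLOCKED, BASELINE))
```

A single `* * *` hop that both traces share (hop 4 here) is ignored; only a silent tail in one trace where the other trace gets replies is treated as a difference.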


Re: [tor-relays] Smallest, cheapest, lightest computer for tor relay

2016-10-17 Thread Neel Chauhan
>Yes it does make a real big difference. Get the Pi 3, the 1st Pi is 
an order of magnitude slower.


If you don't want to spend your money on a RPI 3, you can also look at 
a used RPI 2.


If you are willing to have a computer that is a bit larger, you can 
also use a smaller desktop PC, like a Mac Mini, or a SFF Dell or HP.


I have a Raspberry Pi 2, but use a homebuilt Pentium 4 desktop on a 
60/25 cable connection (Optimum Online), and a Dell Optiplex 755 (Core 
2 Duo) on a 50/50 FTTH connection (Verizon FiOS). I don't use the RPI 
because I want my Tor nodes to use FreeBSD instead of Linux, and am not 
sure if RPI has the best FreeBSD support (I'm even a FreeBSD 
contributor, but my laptop which I typed this from unfortunately runs 
Arch).


The disadvantage of the PC approach is space and higher power 
consumption, but the advantage is that you can use *BSD and Windows, 
and can possibly take advantage of faster speeds. But if you are fine 
with Linux, the RPI 2/3 is a good choice. There are also other SBC 
computers like the BeagleBone. SBC computers are great if they have 
ADSL/Cable, but if they have fiber to the home (Verizon FiOS, Google 
Fiber, etc.), a used desktop (or a higher end SBC) may be better (in my 
opinion) as they usually have a faster upstream and a desktop may take 
better advantage of the speed.


My atlas entries are below (for the two nodes from my two homes, not my 
exits):


https://atlas.torproject.org/#details/AED76373324653A0522DF30550BA31902B2CFA44
https://atlas.torproject.org/#details/D5B8C38539C509380767D4DE20DE84CF84EE8299



Thanks,
Neel Chauhan
===
https://www.neelc.org/





Re: [tor-relays] VPS for Exits

2016-05-24 Thread Neel Chauhan

> An exit node could be expensive ...

Well, I'm still sticking with CoolHousing/Virtual Server Lite because I 
hardly ever get abuse complaints. For ITL, I may leave after my term 
expires.


But a few other companies I found were:

https://hostmaze.com/
https://www.lcsnet.eu/index.php
https://serverastra.com/
https://blazingfast.io/

Thanks,
Neel Chauhan
https://www.neelc.org/



Re: [tor-relays] VPS for Exits

2016-05-21 Thread Neel Chauhan



I contacted ITL (https://itldc.com/) as well two weeks ago. To me they
refused opening an exit: "We decide to do not allow new public tor exit
nodes in our network. Existing public tor exit nodes we be kept."


Well that's unfortunate. I guess I'll have to hold on to my VPS for a 
long time. No wonder why someone on this mailing list had trouble with 
ITL earlier this month. They no longer want exit nodes.


-Neel Chauhan
https://www.neelc.org/



Re: [tor-relays] VPS for Exits

2016-05-21 Thread Neel Chauhan

>Do you know of a VPS for an exit?
I have two exits on VPS servers. One is on ITL (https://itldc.com/), 
and the other one is on CoolHousing using their Virtual Server Lite 
brand (http://virtualniserverlite.cz/en/). My experience with both 
hosts has been very good. For the latter, you WILL need a Reduced Exit 
Policy, and have to remove IRC ports.


I also previously had a VPS with Verelox (https://verelox.com/) when 
they had unlimited bandwidth, and they allow Tor exit nodes as well.


I don't know about other providers, but a good place to ask for a Tor 
friendly VPS is vpsBoard (https://vpsboard.com/).


-Neel Chauhan
https://www.neelc.org/



Re: [tor-relays] https://itldc.com/

2016-05-02 Thread Neel Chauhan
>Perhaps you could answer that with clear steps to put a restricted 
port list which blocks the known offenders and web page explaining that 
it is only a proxy and complaints should be directed at you?

>One VPS business accepted those from me and offered to help as well.
>Others did as you found and cut ten VPS off just after I paid while 
the policy on their site allowed exits.


Second this.

I host a Tor exit node on ITL and still have my Tor exit node after a 
year with them, just because I am willing to block IP addresses I get 
complaints from. I also have another VPS with CoolHousing (through 
their Virtual Server Lite brand) and I do the same (block IP addresses 
I get complaints from).


-Neel Chauhan
https://www.neelc.org/



[tor-relays] Tor Consensus Weight Stuck at 20 (Even on Relay with Stable Flag)

2015-05-09 Thread Neel Chauhan
Hi,
I have a Tor relay
(https://atlas.torproject.org/#details/342587A287603040A49BB364D72EAC0B6BC3D71A)
running from a FreeBSD server at my house with a 5 megabit upstream
connection.

I have seen that lately, Tor's Consensus Weight value on this relay has
not been going anywhere above (or below) 20. My relay has gotten the
Stable flag, but yet didn't see its consensus weight value rise.

I decided to look at https://consensus-health.torproject.org/, and saw
that two of the four bandwidth consensus servers, namely tor26
(86.59.21.38) and longclaw (199.254.238.52) don't seem to be calculating
any consensus value for Tor relays in the last few days.

Has anyone else been having this problem? And if the Tor consensus
operators are reading this, (approximately) when would this problem get
resolved?

Thanks,
Neel Chauhan
