Re: [tor-relays] ORPort NoAdvertise & NoListen Not Working

2021-08-24 Thread Gary C. New
All:
Never mind... After roughly 48 hours, the written/read bytes per second graph, 
on the metrics.torproject.org site, began showing normal activity, again.
Please consider this thread resolved.
Respectfully,

Gary

On Monday, August 23, 2021, 2:15:07 AM MDT, Gary C. New wrote:

All:

It turns out that this issue was related to PortForwarding to the Private
Gateway Address (192.168.0.1:9001).

The solution was to include an iptables ACCEPT Rule in the INPUT Chain to the
PortForward destination (the Private Gateway Address - 192.168.0.1:9001).

# iptables -I INPUT -p tcp --dport 9001 -j ACCEPT

# iptables -t nat -A VSERVER -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.1:9001

Now, the Tor Self-Test is returning successfully. However, now, there is an
issue with the written/read bytes per second graph, on the
metrics.torproject.org site, dropping to zero.

Any idea why PortForwarding would cause the written/read bytes per second graph
to drop to zero?

Respectfully,

Gary


On Tuesday, August 17, 2021, 7:43:22 AM MDT, Gary C. New wrote:

All:

After reviewing several packet-traces of Tor bound directly to the Public
Address:Port vs Tor bound to the Private Address:Port and Advertising the
Public Address:Port, I believe I may have found the issue.

It appears that when Tor is bound directly to the Public Address:Port, the
initial measurement connections are initiated from External Tor Nodes via
High-Ports to the Public Address:Port over TLSv1.2 or TLSv1.3 successfully
passing self-test. However, when Tor is bound to the Private Address:Port and
Advertising the Public Address:Port, the initial measurement connections are
initiated from External Tor Nodes via High-Ports to the Public Address:Port
over TLSv1.0. Tor does not like the TLSv1.0 connections and Resets them;
thus, failing the self-test.

The question is... Why are the initial measurement connections initiated from
External Tor Nodes via High-Ports with the Private Address:Port binding and
Public Advertised Address:Port combination over TLSv1.0?

Has anyone successfully implemented the Private Address:Port binding and Public
Advertised Address:Port combination that successfully passes self-test who
would be kind enough to share their configuration?

Is there a way to force the External Tor Nodes that initiate the measurement
connections to use TLSv1.2 or TLSv1.3 with the Private Address:Port binding and
Public Advertised Address:Port combination?

Thanks, again, for your assistance.

Respectfully,

Gary

On Saturday, August 14, 2021, 2:47:01 AM PDT, Gary C. New wrote:

David,
The ISP has port 9001 blocked to the Public Address.
Do the ports have to be the same, when using NoAdvertise & NoListen with the
ORPort directive?
Thanks!

Gary

On Saturday, August 14, 2021, 12:20:36 AM MDT, David Figuera wrote:

> ORPort 198.91.60.78:443 NoListen
> ORPort 192.168.0.1:9001 NoAdvertise

Why two different ports?
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
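
As an added example (not part of the original posts and not Tor project code): a small Python check of the fix reported in this thread, run over the thread's two ORPort lines and two iptables rules embedded as constructed sample text. It assumes Tor runs on the gateway itself (192.168.0.1), so forwarded packets are delivered locally and reach the filter INPUT chain after DNAT; the function names are hypothetical.

```python
import shlex

# Constructed sample input: the thread's ORPort lines and iptables rules.
TORRC = """\
ORPort 198.91.60.78:443 NoListen
ORPort 192.168.0.1:9001 NoAdvertise
"""
RULES = """\
-I INPUT -p tcp --dport 9001 -j ACCEPT
-A VSERVER -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.1:9001
"""

def orports(torrc):
    """Return (advertised, listening) 'addr:port' strings from ORPort lines."""
    adv = listen = None
    for line in torrc.splitlines():
        parts = line.split("#")[0].split()
        if len(parts) >= 2 and parts[0].lower() == "orport":
            flags = {p.lower() for p in parts[2:]}
            if "nolisten" in flags:
                adv = parts[1]
            elif "noadvertise" in flags:
                listen = parts[1]
    return adv, listen

def opt(tokens, name):
    """Value that follows an iptables option, or None if it is absent."""
    return tokens[tokens.index(name) + 1] if name in tokens else None

def check_forward(torrc, rules):
    """List the problems that would stop the advertised ORPort reaching Tor."""
    adv, listen = orports(torrc)
    if not adv or not listen:
        return ["need one ORPort with NoListen and one with NoAdvertise"]
    adv_port, listen_port = adv.rsplit(":", 1)[-1], listen.rsplit(":", 1)[-1]
    parsed = [shlex.split(r) for r in rules.splitlines() if r.strip()]
    problems = []
    if not any(opt(t, "-j") == "DNAT" and opt(t, "--dport") == adv_port
               and opt(t, "--to-destination") == listen for t in parsed):
        problems.append(f"no DNAT rule forwarding tcp/{adv_port} to {listen}")
    # DNAT rewrites the destination before the filter INPUT chain runs, so
    # INPUT has to accept the listening port, not the advertised one.
    if not any((opt(t, "-I") or opt(t, "-A")) == "INPUT"
               and opt(t, "-j") == "ACCEPT"
               and opt(t, "--dport") == listen_port for t in parsed):
        problems.append(f"INPUT does not accept tcp/{listen_port} after DNAT")
    return problems

if __name__ == "__main__":
    print(check_forward(TORRC, RULES) or "forwarding path is consistent")
```

On a live system the rule text would come from `iptables-save` output rather than the embedded sample.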


Re: [tor-relays] ORPort NoAdvertise & NoListen Not Working

2021-08-23 Thread Gary C. New
All:

It turns out that this issue was related to PortForwarding to the Private
Gateway Address (192.168.0.1:9001).

The solution was to include an iptables ACCEPT Rule in the INPUT Chain to the
PortForward destination (the Private Gateway Address - 192.168.0.1:9001).

# iptables -I INPUT -p tcp --dport 9001 -j ACCEPT

# iptables -t nat -A VSERVER -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.1:9001

Now, the Tor Self-Test is returning successfully. However, now, there is an
issue with the written/read bytes per second graph, on the
metrics.torproject.org site, dropping to zero.

Any idea why PortForwarding would cause the written/read bytes per second graph
to drop to zero?

Respectfully,

Gary


On Tuesday, August 17, 2021, 7:43:22 AM MDT, Gary C. New wrote:

All:

After reviewing several packet-traces of Tor bound directly to the Public
Address:Port vs Tor bound to the Private Address:Port and Advertising the
Public Address:Port, I believe I may have found the issue.

It appears that when Tor is bound directly to the Public Address:Port, the
initial measurement connections are initiated from External Tor Nodes via
High-Ports to the Public Address:Port over TLSv1.2 or TLSv1.3 successfully
passing self-test. However, when Tor is bound to the Private Address:Port and
Advertising the Public Address:Port, the initial measurement connections are
initiated from External Tor Nodes via High-Ports to the Public Address:Port
over TLSv1.0. Tor does not like the TLSv1.0 connections and Resets them;
thus, failing the self-test.

The question is... Why are the initial measurement connections initiated from
External Tor Nodes via High-Ports with the Private Address:Port binding and
Public Advertised Address:Port combination over TLSv1.0?

Has anyone successfully implemented the Private Address:Port binding and Public
Advertised Address:Port combination that successfully passes self-test who
would be kind enough to share their configuration?

Is there a way to force the External Tor Nodes that initiate the measurement
connections to use TLSv1.2 or TLSv1.3 with the Private Address:Port binding and
Public Advertised Address:Port combination?

Thanks, again, for your assistance.

Respectfully,

Gary

On Saturday, August 14, 2021, 2:47:01 AM PDT, Gary C. New wrote:

David,
The ISP has port 9001 blocked to the Public Address.
Do the ports have to be the same, when using NoAdvertise & NoListen with the
ORPort directive?
Thanks!

Gary

On Saturday, August 14, 2021, 12:20:36 AM MDT, David Figuera wrote:

> ORPort 198.91.60.78:443 NoListen
> ORPort 192.168.0.1:9001 NoAdvertise

Why two different ports?


Re: [tor-relays] ORPort NoAdvertise & NoListen Not Working

2021-08-17 Thread Gary C. New
All:

After reviewing several packet-traces of Tor bound directly to the Public
Address:Port vs Tor bound to the Private Address:Port and Advertising the
Public Address:Port, I believe I may have found the issue.

It appears that when Tor is bound directly to the Public Address:Port, the
initial measurement connections are initiated from External Tor Nodes via
High-Ports to the Public Address:Port over TLSv1.2 or TLSv1.3 successfully
passing self-test. However, when Tor is bound to the Private Address:Port and
Advertising the Public Address:Port, the initial measurement connections are
initiated from External Tor Nodes via High-Ports to the Public Address:Port
over TLSv1.0. Tor does not like the TLSv1.0 connections and Resets them;
thus, failing the self-test.

The question is... Why are the initial measurement connections initiated from
External Tor Nodes via High-Ports with the Private Address:Port binding and
Public Advertised Address:Port combination over TLSv1.0?

Has anyone successfully implemented the Private Address:Port binding and Public
Advertised Address:Port combination that successfully passes self-test who
would be kind enough to share their configuration?

Is there a way to force the External Tor Nodes that initiate the measurement
connections to use TLSv1.2 or TLSv1.3 with the Private Address:Port binding and
Public Advertised Address:Port combination?

Thanks, again, for your assistance.

Respectfully,

Gary

On Saturday, August 14, 2021, 2:47:01 AM PDT, Gary C. New wrote:

David,
The ISP has port 9001 blocked to the Public Address.
Do the ports have to be the same, when using NoAdvertise & NoListen with the
ORPort directive?
Thanks!

Gary

On Saturday, August 14, 2021, 12:20:36 AM MDT, David Figuera wrote:

> ORPort 198.91.60.78:443 NoListen
> ORPort 192.168.0.1:9001 NoAdvertise

Why two different ports?


Re: [tor-relays] ORPort NoAdvertise & NoListen Not Working

2021-08-17 Thread s7r

Gary C. New wrote:

> All:
>
> After reviewing several packet-traces of Tor bound directly to the
> Public Address:Port vs Tor bound to the Private Address:Port and
> Advertising the Public Address:Port, I believe I may have found the
> issue.
>
> It appears that when Tor is bound directly to the Public Address:Port,
> the initial measurement connections are initiated from External Tor
> Nodes via High-Ports to the Public Address:Port over TLSv1.2 or TLSv1.3
> successfully passing self-test. However, when Tor is bound to the
> Private Address:Port and Advertising the Public Address:Port, the
> initial measurement connections are initiated from External Tor Nodes
> via High-Ports to the Public Address:Port over TLSv1.0. Tor does not
> like the TLSv1.0 connections and Resets them; thus, failing the
> self-test.
>
> The question is... Why are the initial measurement connections initiated
> from External Tor Nodes via High-Ports with the Private Address:Port
> binding and Public Advertised Address:Port combination over TLSv1.0?
>
> Has anyone successfully implemented the Private Address:Port binding and
> Public Advertised Address:Port combination that successfully passes
> self-test who would be kind enough to share their configuration?
>
> Is there a way to force the External Tor Nodes that initiate the
> measurement connections to use TLSv1.2 or TLSv1.3 with the Private
> Address:Port binding and Public Advertised Address:Port combination?
>
> Thanks, again, for your assistance.
>
> Respectfully,
>
> Gary

Thanks for running a relay, Gary.

Your problem does not make much sense to me; I need more information
about your setup. I am using the Public IP NoListen and Private IP
NoAdvertise configuration fine, the self test passes.

Where is the Public IP in your setup assigned to? A router in your
home/enterprise? Or something upstream at your ISP? What kind of
connection do you have from your ISP?

I saw in previous posts to this thread that you are using this setup
because your ISP blocks port 9001 (Tor relay) -- are you sure they just
blindly block the PROTOCOL:PORT configurations (such as TCP:9001) or are
they doing some deep packet inspections on all ports in order to block
Tor more efficiently?

Tor (when run as a relay) is not designed to protect or hide the fact
that it's running Tor from your ISP / upstream provider or network
administrator. Which is why they could inspect, detect and terminate
Tor traffic regardless of whether you put it on port 443. They can see you are
listening on port 443 but it's not an HTTPS daemon there. They can see
this if they look for it in the first place, that is why I am asking if
you are 100% sure they only block the PROTOCOL:PORT combination or are
they doing any advanced filtering for Tor?








Re: [tor-relays] ORPort NoAdvertise & NoListen Not Working

2021-08-14 Thread Gary C. New
David,
The ISP has port 9001 blocked to the Public Address.
Do the ports have to be the same, when using NoAdvertise & NoListen with the
ORPort directive?
Thanks!

Gary

On Saturday, August 14, 2021, 12:20:36 AM MDT, David Figuera wrote:

> ORPort 198.91.60.78:443 NoListen
> ORPort 192.168.0.1:9001 NoAdvertise

Why two different ports?


Re: [tor-relays] ORPort NoAdvertise & NoListen Not Working

2021-08-14 Thread David Figuera
> ORPort 198.91.60.78:443 NoListen
> ORPort 192.168.0.1:9001 NoAdvertise

Why two different ports?