#1 2013-09-04 17:57:51

Berend
Member
Registered: 2013-09-04
Posts: 3

Tor resolves ip address using port 80 [SOLVED]

Hey everyone,

I'm trying to provide a service to fellow internet users that don't like their internet traffic to be snooped on. To explain my situation I'll tell something about my setup.

I use a router to access the internet. I let a router set up a vpn connection to my vpn provider. Then I tell it, using iptables, to redirect all http and https traffic through the VPN tunnel and let all other traffic go over the standard WAN. Not entirely true, I also redirect all udp and icmp traffic through the vpn tunnel.

I have a server that I want to act as the TOR relay. I want it to use the WAN access and not go over the VPN. This makes sure I don't burden my vpn provider with a bunch of traffic that can just use my WAN access.

When setting up the TOR relay I use port 4436 as the relay port and port 9030 as the Directory port. My router directs all this traffic over the WAN. I also port forward these ports in the router towards the server.

The TOR relay seems to work but not entirely. I have the following message log (I have replaced the IP addresses that belong to my WAN and VPN tunnel with "<wan-ip>" and "<vpn-ip>" to make it clearer):

sep 04 17:29:48.164 [Notice] Self-testing indicates your DirPort is reachable from the outside. Excellent.
sep 04 17:35:08.532 [Notice] Our IP Address has changed from <wan-ip> to <vpn-ip>; rebuilding descriptor (source: 154.35.32.5).
sep 04 17:35:09.883 [Notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
sep 04 17:55:08.476 [Warning] Your server (<vpn-ip>:9030) has not managed to confirm that its DirPort is reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
sep 04 18:15:08.476 [Warning] Your server (<vpn-ip>:9030) has not managed to confirm that its DirPort is reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
sep 04 18:26:44.664 [Notice] Our IP Address has changed from <vpn-ip> to <wan-ip>; rebuilding descriptor (source: 128.31.0.34).
sep 04 18:26:45.117 [Notice] Our IP Address has changed from <wan-ip> to <vpn-ip>; rebuilding descriptor (source: 194.109.206.212).
sep 04 18:26:49.342 [Notice] Our IP Address has changed from <vpn-ip> to <wan-ip>; rebuilding descriptor (source: 76.73.17.194).
sep 04 18:26:58.255 [Notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
sep 04 18:33:01.221 [Notice] Self-testing indicates your DirPort is reachable from the outside. Excellent.
sep 04 18:36:52.096 [Notice] Our IP Address has changed from <wan-ip> to <vpn-ip>; rebuilding descriptor (source: 212.112.245.170).
sep 04 18:37:10.626 [Notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
sep 04 18:56:51.965 [Warning] Your server (<vpn-ip>:9030) has not managed to confirm that its DirPort is reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
sep 04 19:16:51.967 [Warning] Your server (<vpn-ip>:9030) has not managed to confirm that its DirPort is reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
sep 04 19:27:44.011 [Notice] Our IP Address has changed from <vpn-ip> to <wan-ip>; rebuilding descriptor (source: 128.31.0.34).
sep 04 19:27:44.092 [Notice] Our IP Address has changed from <wan-ip> to <vpn-ip>; rebuilding descriptor (source: 171.25.193.9).
sep 04 19:27:44.095 [Notice] Our IP Address has changed from <vpn-ip> to <wan-ip>; rebuilding descriptor (source: 128.31.0.34).
sep 04 19:27:44.098 [Notice] Our IP Address has changed from <wan-ip> to <vpn-ip>; rebuilding descriptor (source: 194.109.206.212).
sep 04 19:27:50.211 [Notice] Our IP Address has changed from <vpn-ip> to <wan-ip>; rebuilding descriptor (source: 76.73.17.194).
sep 04 19:27:55.398 [Notice] Self-testing indicates your DirPort is reachable from the outside. Excellent.
sep 04 19:28:08.914 [Notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
sep 04 19:29:45.764 [Warning] We just marked ourself as down. Are your external addresses reachable?
sep 04 19:37:51.966 [Notice] Our IP Address has changed from <wan-ip> to <vpn-ip>; rebuilding descriptor (source: 212.112.245.170).
sep 04 19:37:55.358 [Notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.

What I think will fix the problem is that TOR should not resolve my IP address using http or https, since that will provide the wrong IP address. Trying to access that IP address at another port (in this case 9030) will obviously not work. However, there is no setting to do that. Is there any way to achieve this?

Please ask if anything is unclear.

Regards,

Berend

--edit--

I was able to set the Address field in the torrc file. This means I can hardcode the IP address I want it to use (WAN). However, that address can change every 6 months or so. If someone has a better solution that would be very welcome.

Last edited by Berend (2013-09-05 00:47:25)
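
The pattern in the log above, as an added example that is not part of the original post: a shell/awk summary that counts how often the relay's detected address flips and which address was in effect when the DirPort self-test passed or failed. The sample lines are constructed in the log's format, with 192.0.2.10 standing in for <wan-ip>, 198.51.100.20 for <vpn-ip> and 203.0.113.x for the reporting sources; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in the format of the log above: 192.0.2.10 stands in for
# <wan-ip>, 198.51.100.20 for <vpn-ip>, 203.0.113.x for the reporting sources.
sample_log() {
cat <<'EOF'
sep 04 17:35:08.532 [Notice] Our IP Address has changed from 192.0.2.10 to 198.51.100.20; rebuilding descriptor (source: 203.0.113.5).
sep 04 17:55:08.476 [Warning] Your server (198.51.100.20:9030) has not managed to confirm that its DirPort is reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
sep 04 18:15:08.476 [Warning] Your server (198.51.100.20:9030) has not managed to confirm that its DirPort is reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
sep 04 18:26:44.664 [Notice] Our IP Address has changed from 198.51.100.20 to 192.0.2.10; rebuilding descriptor (source: 203.0.113.34).
sep 04 18:33:01.221 [Notice] Self-testing indicates your DirPort is reachable from the outside. Excellent.
sep 04 18:36:52.096 [Notice] Our IP Address has changed from 192.0.2.10 to 198.51.100.20; rebuilding descriptor (source: 203.0.113.5).
EOF
}

# Summarise a Tor notice log read from stdin: address flips, and which address
# was current when the DirPort self-test succeeded or failed.
tor_addr_flaps() {
    awk '
    /Our IP Address has changed from/ {
        # "... changed from OLD to NEW; rebuilding descriptor (source: SRC)."
        for (i = 1; i < NF; i++)
            if ($i == "to") { cur = $(i + 1); sub(/;$/, "", cur) }
        changes++; switched[cur]++
    }
    /Self-testing indicates your DirPort is reachable/ {
        # Attribute the success to the address detected most recently.
        ok[cur == "" ? "unknown" : cur]++
    }
    /has not managed to confirm that its DirPort is reachable/ {
        # "Your server (ADDR:PORT) has not managed ..."
        if (match($0, /\([^)]*\)/)) {
            addr = substr($0, RSTART + 1, RLENGTH - 2)
            sub(/:[0-9]+$/, "", addr)
            bad[addr]++
        }
    }
    END {
        printf "changes=%d\n", changes
        for (a in switched) printf "switched_to %s %d\n", a, switched[a]
        for (a in ok)       printf "dirport_ok %s %d\n", a, ok[a]
        for (a in bad)      printf "dirport_unreachable %s %d\n", a, bad[a]
    }' | LC_ALL=C sort
}

sample_log | tor_addr_flaps
```

If every `dirport_unreachable` line names the VPN address and every `dirport_ok` line names the WAN address, the relay's own outbound traffic is leaving by two different paths.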

#2 2013-09-04 19:16:22

Xyne
Administrator/PM
Registered: 2008-08-03
Posts: 6,965

Re: Tor resolves ip address using port 80 [SOLVED]

Can you determine the address used by Tor for address resolution and add an exception to the forwarding table?

Of course, this assumes that the resolution address is static, which would actually surprise me.



#3 2013-09-04 22:10:01

Berend
Member
Registered: 2013-09-04
Posts: 3

Re: Tor resolves ip address using port 80 [SOLVED]

I actually made a mistake. I guess tor uses port 80 for a large part of its traffic by default. So I have decided to route all traffic coming from my server's IP address to my WAN. Now all port 80 and port 433 traffic, except when coming from my server, is redirected into the vpn tunnel. I can now leave the Address field blank and let Tor resolve my IP address.

#4 2013-09-04 22:20:41

Xyne
Administrator/PM
Registered: 2008-08-03
Posts: 6,965

Re: Tor resolves ip address using port 80 [SOLVED]

I considered that, but I suspected that the server was also your main system from which you wanted to forward to the VPN.

Anyway, if you have found a solution, please edit the first post to mark the subject as [SOLVED].



#5 2013-09-04 22:34:11

progandy
Member
Registered: 2012-05-17
Posts: 5,280

Re: Tor resolves ip address using port 80 [SOLVED]

You could also run TOR with a specific username and then route traffic for that user differently than the rest.


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

#6 2013-09-05 00:46:56

Berend
Member
Registered: 2013-09-04
Posts: 3

Re: Tor resolves ip address using port 80 [SOLVED]

@Xyne
I wanted to redirect the traffic for all my connected devices. My server is the only one that does not really need it. I was so focused on a difficult solution that I couldn't see the obvious one.

@progandy
I don't have any experience with that.
I guess I can tag them with a TOS so my router knows what to do with it. But how would I give that tag?

#7 2013-09-05 07:20:09

progandy
Member
Registered: 2012-05-17
Posts: 5,280

Re: Tor resolves ip address using port 80 [SOLVED]

Berend wrote:

@progandy
I don't have any experience with that.
I guess I can tag them with a TOS so my router knows what to do with it. But how would I give that tag?

Select the packets with owner and then, depending on what your router supports, you can set either DSCP or TOS. DSCP is the current standard, TOS is deprecated.


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
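
One way to apply the owner-plus-DSCP approach from the post above, as an added example that is not part of the thread: the server tags packets generated by the Tor account, and the router turns that tag into a firewall mark routed through a WAN-only table. The account name `tor`, class CS1, mark 0x1, table 100, server address 192.168.1.50 and WAN gateway 192.0.2.1 on eth0 are all assumed placeholder values, and the function names are hypothetical.

```shell
#!/bin/sh
# DRY_RUN=1 (the default) prints each command instead of running it, so the
# rules can be reviewed first; set DRY_RUN=0 and run as root to apply them.
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# On the server. The owner match only sees locally generated packets, so the
# tagging has to happen here (mangle/OUTPUT) and not on the router.
tag_tor_traffic() {            # $1 = account Tor runs as, $2 = DSCP class
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$1" \
        -j DSCP --set-dscp-class "$2"
}

# On the router. Any LAN host can set DSCP bits on its own packets, so the tag
# is honoured only when it comes from the server's address. Tagged packets get
# a firewall mark, and marked packets use a table whose default route is WAN.
route_tagged_via_wan() {       # $1 = server IP, $2 = DSCP class,
                               # $3 = WAN gateway, $4 = WAN interface
    run iptables -t mangle -A PREROUTING -s "$1" -m dscp --dscp-class "$2" \
        -j MARK --set-mark 0x1
    run ip route add default via "$3" dev "$4" table 100
    run ip rule add fwmark 0x1 lookup 100
}

# Assumed example values (not taken from the thread).
tag_tor_traffic tor CS1
route_tagged_via_wan 192.168.1.50 CS1 192.0.2.1 eth0
```

The router's existing rule that sends port 80 and 443 traffic into the VPN has to leave packets carrying this mark alone, otherwise the exception has no effect.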
