#1 2016-04-13 22:02:33

Acetate
Member
From: Strasbourg, France
Registered: 2010-04-11
Posts: 6

[SOLVED] [Tor relay setup] OR and Dir port not reachable

I'm running out of ideas regarding a "port not reachable" issue while setting up a new Tor relay. Output of:

journalctl | grep 'Tor'

...shows:

Tor[220]: Bootstrapped 85%: Finishing handshake with first hop
Tor[220]: Bootstrapped 90%: Establishing a Tor circuit
Tor[220]: Tor has successfully opened a circuit. Looks like client functionality is working.
Tor[220]: Bootstrapped 100%: Done
Tor[220]: Now checking whether ORPort x.y.z.w:443 and DirPort x.y.z.w:80 are reachable... (this may take up to 20 minutes -- look for log messages indicating success)

(20 minutes later...)

Tor[220]: Your server (x.y.z.w:443) has not managed to confirm that its ORPort is reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Tor[220]: Your server (x.y.z.w:80) has not managed to confirm that its DirPort is reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.

Basic details about the relay follow.
Hardware: Raspberry Pi 2
OS: Arch Linux ARM
Tor version: 0.2.7.6 (official package)

This is the Tor configuration as output by arm:

BandwidthRate             1 GB
BandwidthBurst            1 GB
RelayBandwidthRate        256 KB
RelayBandwidthBurst       512 KB
ControlPort               9051
HashedControlPassword     <none>
CookieAuthentication      True
DataDirectory             /var/lib/tor
Log                       notice syslog
RunAsDaemon               False
User                      <none>
Bridge                    <none>
ExcludeNodes              <none>
MaxCircuitDirtiness       10 minutes
SocksPort                 0
UseBridges                False
BridgeRelay               False
ContactInfo               xxx yyy@zzz.www
ExitPolicy                reject *:*
MyFamily                  <none>
Nickname                  nickname
ORPort                    443 NoListen, 127.0.0.1:3443 NoAdvertise
PortForwarding            False
AccountingMax             0 B
AccountingStart           <none>
DirPortFrontPage          <none>
DirPort                   80 NoListen, 127.0.0.1:3480 NoAdvertise
HiddenServiceDir          <none>
HiddenServicePort         <none>

Tor listens on ports 3480 (Dir) and 3443 (OR) but advertises ports 80 and 443 respectively (I had to push back Tor's port numbers to higher values because of privilege issues). The relay is behind a router that forwards its 80 and 443 ports to the relay's 3480 and 3443 ports for both TCP and UDP. There are no iptables rules active on the relay.

nmap shows both ports as "closed" from the outside, but I guess it is expected from Tor to stop listening after the circuits have been set up, isn't it?


Hints about why the exposed ports aren't reachable would be much appreciated. Thanks in advance.

Last edited by Acetate (2016-04-14 16:04:20)

#2 2016-04-14 16:04:01

Acetate
Member
From: Strasbourg, France
Registered: 2010-04-11
Posts: 6

Re: [SOLVED] [Tor relay setup] OR and Dir port not reachable

Nailed it! It was a misconfiguration issue. Solution follows if it may help anybody else.

Something weird finally caught my eye in the log (not included in the excerpt I posted above):

Tor[291]: Opening Control listener on 127.0.0.1:9051
Tor[291]: Opening OR listener on 127.0.0.1:3443
Tor[291]: Opening Directory listener on 127.0.0.1:3480

How come the OR and Dir ports are open to connections from localhost only? The address part should be 0.0.0.0!

This came from the following lines in /etc/tor/torrc which I had pretty much stupidly copy-pasted from the example configuration:

ORPort 127.0.0.1:3443 NoAdvertise
DirPort 127.0.0.1:3480 NoAdvertise

I removed the IP part and everything is back in order!

Tor[291]: Now checking whether ORPort x.y.z.w:443 and DirPort x.y.z.w:80 are reachable... (this may take up to 20 minutes -- look for log messages indicating success)
Tor[291]: Self-testing indicates your DirPort is reachable from the outside. Excellent.
Tor[291]: Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Tor[291]: Performing bandwidth self-test...done.
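
A check for the misconfiguration found in this thread, as an added example that is not part of the original posts or of Tor itself: it scans torrc text for ORPort/DirPort listener lines bound to a loopback address, which a router port forward cannot reach. The sample torrc strings are constructed from the lines quoted above, and the function names are hypothetical.

```python
import ipaddress

RELAY_PORT_OPTIONS = {"orport", "dirport"}

# Constructed samples: the listener lines quoted in the thread, plus the
# advertise-only lines shown in the arm output, before and after the fix.
BROKEN_TORRC = """\
ORPort 443 NoListen
ORPort 127.0.0.1:3443 NoAdvertise
DirPort 80 NoListen
DirPort 127.0.0.1:3480 NoAdvertise
"""
FIXED_TORRC = """\
ORPort 443 NoListen
ORPort 3443 NoAdvertise
DirPort 80 NoListen
DirPort 3480 NoAdvertise
"""

def parse_port_lines(torrc_text):
    """Yield (option, bind_address_or_None, port, flags) for ORPort/DirPort lines."""
    for raw in torrc_text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(parts) < 2 or parts[0].lower() not in RELAY_PORT_OPTIONS:
            continue
        addr, sep, port = parts[1].rpartition(":")
        flags = {f.lower() for f in parts[2:]}
        yield parts[0], (addr.strip("[]") if sep else None), port, flags

def loopback_listeners(torrc_text):
    """Return one finding per listener line that binds only to loopback."""
    findings = []
    for option, addr, port, flags in parse_port_lines(torrc_text):
        if "nolisten" in flags or addr is None:
            continue  # advertise-only line, or no explicit bind address
        try:
            is_loopback = ipaddress.ip_address(addr).is_loopback
        except ValueError:
            is_loopback = addr.lower() == "localhost"
        if is_loopback:
            findings.append(f"{option} {addr}:{port} accepts connections from localhost only")
    return findings

if __name__ == "__main__":
    for finding in loopback_listeners(BROKEN_TORRC):
        print(finding)
```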
