I have run a bridge for many months using Debian on a Raspberry Pi 4 and until recently everything was fine. Suddenly it stopped working. I tried everything I could think of to fix the problem, but to no avail. Finally I loaded a fresh bare image and then installed only tor, obfs4proxy, and nyx. Using a fresh fingerprint, I then started Tor. At first there were connections and circuits shown using nyx, but there was still minimal traffic. After a few hours all the circuits were gone and a single connection was left.
Using grep to look for “err” in the debug log I found
tor_tls_read(): read returned r=-1, err=-2
but a search with both Duckduckgo and Google revealed nothing useful.
I did find a post here by drvr in May of 22 that pretty much describes my experience with the exception of the error message I had, but there was no resolution or even a suggestion of what his problem might have been. I did try installing some of the tls packages apt listed as available thinking something might be missing, but it did not help.
I suspect there are more problems in my case than only this, but at least it is a place to start. Anyone have an idea of what the cure might be for this error?
Where is the pi located? As in what kind of network / country?
It is in the good old US of A and I suspect you are asking who my ISP is as I have had the same thoughts as well. It is TDS Telecom. However, I am also running another Raspberry Pi 4 in support of ADSB Exchange and it generates more traffic than the bridge, although when it was working well, the bridge had a lot more connections, ~150. Who knows. I guess if I never get it working again, TDS might well be the case as it went downhill very quickly for no apparent reason…
Hm ok, given USA - unlikely ISP nor gov is doing anything. Do you have access to another network? It sounds to me like a network issue possibly, likely local in your case.
It could also be your software, did it start after updating?
My LAN is the only network I can access. I use an EdgeRouter X between the ONT and my LAN and I was using NAT and firewall rules successfully on ports 80 and 443 for my bridge. When it stopped working, I switched to simple port forwarding to rule out router issues even though those types of issues seemed unlikely to me. When ports 80 and 443 still did not work, I tried ports above 1024 that speedguide(dot)com indicated were not heavily used. When those also did not work, I next tried ports that portforward(dot)com indicated were used by various games thinking I might blend in. In all cases, off-site port scans (e.g., ipvoid(dot)com) indicated the ports I used were open. The only real traffic I have seen with nyx after changing ports were the single bursts of about 400K when tor did a “bandwidth self test”.
Looking at the history graphs provided by torproject.org, I see bytes read and written as being nearly equal and constant until they dropped to zero over a three day period. The graph for number of connections was constant until two days prior to the drop in traffic when they doubled going from 600 to 1200. They then plummeted over the next three days, in step with the drop in traffic. They went from 1200 to 750, then to 50, and finally to 0 where it has been ever since.
As for software updating, that is a possibility, and a good thought. All my Pis have a script that runs daily and emails me the number of updates that are now available if they exist. I then login and do the updates manually after I see the email. The good news is that I keep backup images of the micro SD cards in case there are failures to avoid reinventing the wheel. I will load an image from past when things were definitely working and see what happens. I will let you know after it runs for a day or so.
I had to use (dot) instead of “.” because community rules prevent me from having more than one link.
I have been on the old image for 22 hours and it did not make a difference in performance. I still do not know the reason why both the traffic and connections are down to almost nothing, but apparently it is not software related.
Did you check the “setcap” command and the “NoNewPrivileges” issue?
Re setcap: I did use setcap and it was working fine for ports below 1024, but to be on the safe side, most of my tests since the problem started have been done using ports above 1024 to make sure that was not the issue.
Re NoNewPrivileges=no: Everything was working fine without making that modification to the two listed files, but again to be on the safe side, I did make those modifications and there was no change. The problem persisted.
I do however have some new information that might allow someone more knowledgeable than myself to figure out the problem and solution. I have seen the following two notices at different times in the notices.log.
“[NOTICE] Your network connection speed appears to have changed. Resetting timeout to 60000ms after 18 timeouts and 1000 buildtimes.”
“[NOTICE] No circuits are opened. Relaxed timeout for circuit 445 (a Measuring circuit timeout 3-hop circuit in state doing handshakes with channel state open) to 60000ms. However, it appears the circuit has timed out anyway.”
After a Google search, I see others have seen similar messages but none of the follow-up posts on such messages have indicated if such messages were a problem, let alone had a solution if they were.
I also see the following line in red at the bottom of the nyx page that lists the connections and circuits.
“127.0.0.1:47686 (??) → my.ip.addr.ess:9051 resolving…”
It might be perfectly normal to see that message, but I do not know why something cannot be shown as either resolved or not resolved instead of constantly being shown as “resolving”.
It appears it is time to throw in the towel. Since my bridge suddenly stopped working, I have tried running it on two different Raspberry Pis, using both new installs and old images, and most recently, using a new install including the OS, on a regular PC. In all cases it seems to work when it first starts, but within a few minutes the traffic dies and the connections begin to dwindle to nothing rather than continuing to grow. At this point I have to assume that whatever the problem is, it is not local and beyond my control. It was fun while it lasted. Thanks for your suggestions.
Sorry to hear that, hopefully you’ll find a solution and motivation to keep contributing to the network. Remember there are VPS providers with free tier (absolutely free) and cheap (<7$/month) plans, you won’t get many resources, but may be enough to run a relay or bridge without having to deal with NAT issues.
I do not think it is a NAT issue. I think it is an ISP issue. My normal traffic is about 800 GB/month and last month it spiked at 1.5 TB/month. I do not stream movies, download (except for OS images), or play games, but I do feed adsbexchange and run a honeypot. I am not sure why it spiked as nothing had changed in several months, but it did. I have a feeling that they saw all the connections on my Tor ports and decided that was the reason and took steps to shut it down. The ISP says no data limits in their ads, but I think that is likely only lip service. As for trying to get around it, I do not think that is the answer as it will only draw attention to my activities and get me flagged as a bad actor. I do not need that sort of attention if I don’t want my other activities curtailed. I do not do anything that would be considered bad by any standard, but I am not your typical Internet user either. As I said, it was fun while it lasted.