Hey, I’m trying to set up a Tor exit relay on my little server network to help journalists and others in need. I have plenty of bandwidth with 100MBit+ speeds, so thought I would give this a try.
My infrastructure is a little chaotic, so I’ll try to explain it simplified:
- Imagine there is server0 for incoming traffic.
- There is also server1, completely isolated from the internet, for hosting critical services - I’m trying to host the exit relay on this one.
- Lastly, there is server2 - this one’s for outgoing traffic.
The servers have interconnected filesystems, allowing them to communicate with unix sockets.
On server1, all services listen on unix sockets. If a service does not support sockets (Tor included), there is an nginx instance that listens on those sockets and forwards to the service’s listen ports.
On server0, there is a massive nginx instance which handles all the incoming traffic. I have set it up so that it forwards incoming traffic to its port 9001 to server1's Tor socket (which is then forwarded to the Tor's port 9001 via nginx).
Now, everything sent from the outside to server0:9001 will reach server1's Tor instance's ORPort. Now, how can the Tor relay interact with the internet if it's so isolated? Well, there is a SOCKS5 proxy service running on server2. Again using socket and nginx magic on server1, server1's Tor relay can speak to the outside world as server2 (Socks5Proxy setting in torrc).
Extremely simplified: Traffic going to server0:9001 will land on server1’s Tor:9001. server1’s Tor outgoing traffic will be sent out as server2.
Now here's the unexpected problem. I'm not really familiar with Tor or even Linux in general, but please bear with me, there may be a new exit relay if I succeed.
The server2's SOCKS5 proxy works perfectly - if I do curl 'https://www.icanhazip.com' -x 'socks5://127.0.0.1:9050', I get a random IP as a result, meaning the network works and my Tor instance can communicate with other instances on behalf of server2.
However, I cannot get Tor to verify its ORPort. I've checked my proxy setup like a hundred times, and truly, server0:9001's traffic reaches Tor's ORPort. The log starts with this:
Now checking whether IPv4 ORPort <ip_of_server0>:9001 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
After 20 minutes, it spits out this:
Your server has not managed to confirm reachability for its ORPort(s) at <ip_of_server0>:9001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
I kind of don’t get the problem. <ip_of_server0>:9001 is open and working. I’ve tried almost everything, yet no success - that’s why I’m now here. If you have any ideas, feel free to share <3
My torrc looks like this:
# General
Log notice stdout
DataDirectory /service/tor/data
# Network
Socks5Proxy 127.0.0.1:3000 # this forwards to server2's SOCKS5 proxy
SOCKSPort 127.0.0.1:9050 # this is Tor's SOCKS5 proxy - works flawlessly
# Relay
OrPort 9001 IPv4Only # server0's 9001 is forwarded to this
# Advertise
Address <ip_of_server0>
Nickname whatisthis
ContactInfo whatisthis <<email>>
# Bandwidth
AccountingMax 15 TBytes
AccountingRule out
AccountingStart month 1 00:00
# Exit
ExitRelay 1
IPv6Exit 0 # my servers still don't support this
ExitPolicy reject *:25,reject *:137,reject *:138,reject *:139,reject *:445,accept *:*
(Note: server1 does not have any public IP. There’s only 127.0.0.1 on loopback.)
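A way to check the same thing Tor's reachability self-test checks, as an added example that is not part of the original post: parse the torrc for the advertised Address/ORPort endpoints, then attempt a TLS handshake against each one from a host outside the network. The parser, the probe function and the placeholder `<ip_of_server0>` are assumptions, not Tor's own code.

```python
"""Derive the endpoints a torrc advertises and probe them for a TLS handshake.
Added example for the post above; the parser and probe are assumptions."""
import socket
import ssl

# Constructed input: the relevant lines of the poster's torrc, with the
# placeholder <ip_of_server0> left in place (substitute the real address).
TORRC = """
Address <ip_of_server0>
OrPort 9001 IPv4Only # server0's 9001 is forwarded to this
Socks5Proxy 127.0.0.1:3000 # this forwards to server2's SOCKS5 proxy
"""

def parse_torrc(text):
    """Return {option_lower: [values]}; '#' starts a comment, inline too."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        opts.setdefault(key.lower(), []).append(value.strip())
    return opts

def advertised_orports(opts):
    """Endpoints a relay must be reachable on: the Address plus each ORPort.
    An ORPort value is 'port [flags]' or 'addr:port [flags]'; flags are dropped."""
    address = opts.get("address", [None])[0]
    endpoints = []
    for spec in opts.get("orport", []):
        target = spec.split()[0]            # strip flags such as IPv4Only
        host, _, port = target.rpartition(":")
        endpoints.append((host or address, int(port)))
    return endpoints

def probe_orport(host, port, timeout=5.0):
    """TCP connect and complete a TLS handshake, as a remote relay would.
    Returns (reachable, detail). Tor link certificates are self-signed and
    this only tests reachability, so certificate verification is disabled."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock) as tls:
                return True, tls.version()
    except OSError as exc:                   # includes timeouts and SSL errors
        return False, str(exc)

if __name__ == "__main__":
    for host, port in advertised_orports(parse_torrc(TORRC)):
        print(host, port, probe_orport(host, port))
```

Run it from a machine outside your own network: a completed handshake shows that the path server0:9001 to the relay accepts TLS from the outside, while a refused or timed-out connection points at the forwarding chain rather than at Tor.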