Obfs4: Your server has not managed to confirm reachability for its ORPort(s)

I’m setting up a bridge relay on my home network, which is obviously behind a NAT. I have port-forwarded the tor & obfs4 ports. Must add that I’m using a modified version of your docker image, but with podman.

I’ve also disabled ipv6 at kernel level, as in my country there’s no IPV6. However, the problem persists with or without the ipv6 module.

Kernel info:

ersoul@myhost ~ $ uname -srvmpio
Linux 5.15.33-sunxi64 #trunk SMP PREEMPT Mon Apr 11 13:39:00 PDT 2022 aarch64 unknown unknown GNU/Linux

The ports are reachable from outside, as netcat suggest (tested from a cloud VPS):

ersoul@rie ~ $ nc -z my.public.ip.addr 62523
Connection to my.public.ip.addr 62523 port [tcp/*] succeeded!
ersoul@rie ~ $ nc -z my.public.ip.addr 62524
Connection to my.public.ip.addr 62524 port [tcp/*] succeeded!

I’ve also tried with adding the PortForwarding 1 option, binding ORPort and ServerTransportListenAddr with my public IP address. But none of them worked.

My current torrc config is:

RunAsDaemon 0
# We don't need an open SOCKS port.
SocksPort 0
BridgeRelay 1
ExitRelay 0
Nickname nodenickname
Log notice stdout
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ExtORPort auto
DataDirectory /var/lib/tor

# The variable "OR_PORT" is replaced with the OR port.
ORPort 62523 IPv4Only

# The variable "PT_PORT" is replaced with the obfs4 port.
ServerTransportListenAddr obfs4 0.0.0.0:62524

# The variable "EMAIL" is replaced with the operator's email address.
ContactInfo xyz@xyz.org

# For nyx
ControlPort 9051
CookieAuthentication 1

# Additional properties from processed 'OBFS4V_' environment variables
Address my.public.ip.addr

Netcat output from the container:

(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:36321         0.0.0.0:*               LISTEN      1/tor
tcp        0      0 0.0.0.0:62523           0.0.0.0:*               LISTEN      1/tor
tcp        0      0 0.0.0.0:62524           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:9051          0.0.0.0:*               LISTEN      1/tor

Netcat output from the host:

ersoul@myhost ~/obfs4-tor $ netstat -ptln | egrep "62524|62523"
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 0.0.0.0:62524           0.0.0.0:*               LISTEN      7076/containers-roo
tcp        0      0 0.0.0.0:62523           0.0.0.0:*               LISTEN      7076/containers-roo

And the tor’s process output log:

Using NICKNAME=nodenickname, OR_PORT=62523, PT_PORT=62524, and EMAIL=xyz@xyz.org.
Additional properties from 'OBFS4V_' environment variables processing enabled
Overriding 'Address' with value 'my.public.ip.addr'
Starting tor.
Apr 06 14:09:00.130 [notice] Tor 0.4.8.10 running on Linux with Libevent 2.1.12-stable, OpenSSL 3.0.11, Zlib 1.2.13, Liblzma 5.4.1, Libzstd 1.5.4 and Glibc 2.36 as libc.
Apr 06 14:09:00.130 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
Apr 06 14:09:00.131 [notice] Read configuration file "/etc/tor/torrc".
Apr 06 14:09:00.135 [notice] Based on detected system memory, MaxMemInQueues is set to 1488 MB. You can override this by setting MaxMemInQueues by hand.
Apr 06 14:09:00.135 [warn] BridgeRelay is 1, but ExitRelay is 1 or an ExitPolicy is configured. Tor will start, but it will not function as an exit relay.
Apr 06 14:09:00.138 [notice] Opening Control listener on 127.0.0.1:9051
Apr 06 14:09:00.138 [notice] Opened Control listener connection (ready) on 127.0.0.1:9051
Apr 06 14:09:00.138 [notice] Opening OR listener on 0.0.0.0:62523
Apr 06 14:09:00.138 [notice] Opened OR listener connection (ready) on 0.0.0.0:62523
Apr 06 14:09:00.138 [notice] Opening Extended OR listener on 127.0.0.1:0
Apr 06 14:09:00.138 [notice] Extended OR listener listening on port 36321.
Apr 06 14:09:00.138 [notice] Opened Extended OR listener connection (ready) on 127.0.0.1:36321
Apr 06 14:09:00.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Apr 06 14:09:00.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Apr 06 14:09:00.000 [notice] Configured to measure statistics. Look for the *-stats files that will first be written to the data directory in 24 hours from now.
Apr 06 14:09:01.000 [notice] You are running a new relay. Thanks for helping the Tor network! If you wish to know what will happen in the upcoming weeks regarding its usage, have a look at https://blog.torproject.org/lifecycle-of-a-new-relay
Apr 06 14:09:01.000 [notice] It looks like I need to generate and sign a new medium-term signing key, because I don't have one. To do that, I need to load (or create) the permanent master identity key. If the master identity key was not moved or encrypted with a passphrase, this will be done automatically and no further action is required. Otherwise, provide the necessary data using 'tor --keygen' to do it manually.
Apr 06 14:09:03.000 [notice] Your Tor server's identity key fingerprint is 'nodenickname C95F4B105DEE8893B8E4AC78A3AB5F4095F1B7C6'
Apr 06 14:09:03.000 [notice] Your Tor bridge's hashed identity key fingerprint is 'nodenickname E4D45756D001F797A48C04E5C76EAA84ACF2FE2C'
Apr 06 14:09:03.000 [notice] Your Tor server's identity key ed25519 fingerprint is 'nodenickname bF//QTxSz2TeMs1CmC4ifyOKKjSzeoi6Zf5S1oyrFIg'
Apr 06 14:09:03.000 [notice] You can check the status of your bridge relay at https://bridges.torproject.org/status?id=E4D45756D001F797A48C04E5C76EAA84ACF2FE2C
Apr 06 14:09:03.000 [notice] Bootstrapped 0% (starting): Starting
Apr 06 14:09:03.000 [notice] Starting with guard context "default"
Apr 06 14:09:03.000 [notice] Registered server transport 'obfs4' at '0.0.0.0:62524'
Apr 06 14:09:04.000 [notice] Bootstrapped 5% (conn): Connecting to a relay
Apr 06 14:09:04.000 [notice] Bootstrapped 10% (conn_done): Connected to a relay
Apr 06 14:09:05.000 [notice] Bootstrapped 14% (handshake): Handshaking with a relay
Apr 06 14:09:05.000 [notice] Bootstrapped 15% (handshake_done): Handshake with a relay done
Apr 06 14:09:05.000 [notice] Bootstrapped 20% (onehop_create): Establishing an encrypted directory connection
Apr 06 14:09:06.000 [notice] Bootstrapped 25% (requesting_status): Asking for networkstatus consensus
Apr 06 14:09:06.000 [notice] Bootstrapped 30% (loading_status): Loading networkstatus consensus
Apr 06 14:09:09.000 [notice] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
Apr 06 14:09:11.000 [notice] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
Apr 06 14:09:12.000 [notice] Bootstrapped 50% (loading_descriptors): Loading relay descriptors
Apr 06 14:09:18.000 [notice] The current consensus has no exit nodes. Tor can only build internal paths, such as paths to onion services.
Apr 06 14:09:19.000 [notice] I learned some more directory information, but not enough to build a circuit: We need more microdescriptors: we have 0/7717, and can only build 0% of likely paths. (We have 0% of guards bw, 0% of midpoint bw, and 0% of end bw (no exits in consensus, using mid) = 0% of path bw.)
Apr 06 14:09:27.000 [notice] The current consensus contains exit nodes. Tor can build exit and internal paths.
Apr 06 14:09:40.000 [notice] Bootstrapped 56% (loading_descriptors): Loading relay descriptors
Apr 06 14:09:40.000 [notice] Bootstrapped 62% (loading_descriptors): Loading relay descriptors
Apr 06 14:09:41.000 [notice] Bootstrapped 70% (loading_descriptors): Loading relay descriptors
Apr 06 14:09:41.000 [notice] Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits
Apr 06 14:09:42.000 [notice] Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits
Apr 06 14:09:42.000 [notice] Bootstrapped 95% (circuit_create): Establishing a Tor circuit
Apr 06 14:09:43.000 [notice] Bootstrapped 100% (done): Done
Apr 06 14:09:43.000 [notice] Now checking whether IPv4 ORPort my.public.ip.addr:62523 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
Apr 06 14:17:58.000 [notice] New control connection opened from 127.0.0.1.
Apr 06 14:22:26.000 [notice] New control connection opened from 127.0.0.1.
Apr 06 14:29:04.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at my.public.ip.addr:62523. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Apr 06 14:49:04.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at my.public.ip.addr:62523. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
1 Like

Setting the option AssumeReachable as 1 solved the problem.

You can find the original answer in reddit:

https://www.reddit.com/r/TOR/comments/1c2sjli/comment/kzc784p/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button

1 Like