Relay Stuck at "ORPort Not Reachable" - Need Help Debugging

Hello Tor community,

I’m a new relay operator and my relay doesn’t seem to be reachable. The logs show it’s binding to ports correctly, but it’s stuck at:

[WARN] Your server has not managed to confirm reachability for its ORPort(s) at "my public ip":9001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.

and doesn’t progress. Here’s what I’ve done so far:

Technical setup: VPS provider’s server (recommended provider for operating Tor relay or exit nodes) → My Proxmox VE installation → Debian LXC Linux container → Tor

Port settings: Proxmox has one public IPv4 address, then my LXC containers are behind NAT. I’ve set up port forwarding on Proxmox from the public IP to my LXC local IP on TCP 9001 and TCP 9031. The ports are reachable from the internet, I’ve tested with multiple tools. They are open, and Tor responds.

telnet "my public ip" 9001 immediately comes up with a blank window and port scanners show the ports are open and reachable.

Please help me debug the problem. What’s wrong with my setup?

torrc

# Proxy should be available on local network for linux containers
SocksPort 0.0.0.0:9050
DnsPort 0.0.0.0:9053
TransPort 0.0.0.0:9000
ControlPort 127.0.0.1:9051

# Logging rules
SafeLogging 1
Log notice file /var/log/tor/notices.log
Log info file /var/log/tor/info.log

# Relay settings
IPv6Exit 0
ClientUseIPv6 0
Address "my public ip"
AddressDisableIPv6 1
ORPort 9001 IPv4Only
DirPort 9031
Nickname secret
ContactInfo secret
BridgeRelay 0
ExitRelay 0
ExitPolicy reject *:*
RelayBandwidthRate 20 MB
RelayBandwidthBurst 25 MB

notices.log

Apr 29 10:30:47.000 [notice] Tor 0.4.8.16 opening log file.
Apr 29 10:30:47.174 [notice] We compiled with OpenSSL 300000f0: OpenSSL 3.0.15 3 Sep 2024 and we are running with OpenSSL 300000f0: 3.0.15. These two versions should be binary compatible.
Apr 29 10:30:47.176 [notice] Tor 0.4.8.16 running on Linux with Libevent 2.1.12-stable, OpenSSL 3.0.15, Zlib 1.2.13, Liblzma 5.4.1, Libzstd 1.5.4 and Glibc 2.36 as libc.
Apr 29 10:30:47.176 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
Apr 29 10:30:47.176 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Apr 29 10:30:47.176 [notice] Read configuration file "/etc/tor/torrc".
Apr 29 10:30:47.176 [warn] You specified a public address '0.0.0.0:9053' for DNSPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Apr 29 10:30:47.176 [warn] You specified a public address '0.0.0.0:9000' for TransPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Apr 29 10:30:47.177 [notice] Based on detected system memory, MaxMemInQueues is set to 384 MB. You can override this by setting MaxMemInQueues by hand.
Apr 29 10:30:47.179 [warn] You specified a public address '0.0.0.0:9050' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Apr 29 10:30:47.179 [warn] You specified a public address '0.0.0.0:9053' for DNSPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Apr 29 10:30:47.179 [warn] You specified a public address '0.0.0.0:9000' for TransPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Apr 29 10:30:47.179 [notice] Opening Socks listener on 0.0.0.0:9050
Apr 29 10:30:47.179 [notice] Opened Socks listener connection (ready) on 0.0.0.0:9050
Apr 29 10:30:47.179 [notice] Opening DNS listener on 0.0.0.0:9053
Apr 29 10:30:47.179 [notice] Opened DNS listener connection (ready) on 0.0.0.0:9053
Apr 29 10:30:47.179 [notice] Opening Transparent pf/netfilter listener on 0.0.0.0:9000
Apr 29 10:30:47.179 [notice] Opened Transparent pf/netfilter listener connection (ready) on 0.0.0.0:9000
Apr 29 10:30:47.179 [notice] Opening Control listener on 127.0.0.1:9051
Apr 29 10:30:47.179 [notice] Opened Control listener connection (ready) on 127.0.0.1:9051
Apr 29 10:30:47.179 [notice] Opening OR listener on 0.0.0.0:9001
Apr 29 10:30:47.179 [notice] Opened OR listener connection (ready) on 0.0.0.0:9001
Apr 29 10:30:47.179 [notice] Opening Directory listener on 0.0.0.0:9031
Apr 29 10:30:47.179 [notice] Opened Directory listener connection (ready) on 0.0.0.0:9031
Apr 29 10:30:47.000 [warn] Your log may contain sensitive information - you're logging more than "notice". Don't log unless it serves an important reason. Overwrite the log afterwards.
Apr 29 10:30:47.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Apr 29 10:30:47.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Apr 29 10:30:47.000 [notice] Configured to measure statistics. Look for the *-stats files that will first be written to the data directory in 24 hours from now.
Apr 29 10:30:47.000 [notice] Your Tor server's identity key fingerprint is 'secret secret'
Apr 29 10:30:47.000 [notice] Your Tor server's identity key ed25519 fingerprint is 'secret secret'
Apr 29 10:30:47.000 [notice] Bootstrapped 0% (starting): Starting
Apr 29 10:30:48.000 [notice] Starting with guard context "default"
Apr 29 10:30:52.000 [notice] Signaled readiness to systemd
Apr 29 10:30:53.000 [notice] Bootstrapped 5% (conn): Connecting to a relay
Apr 29 10:30:53.000 [notice] Opening Control listener on /run/tor/control
Apr 29 10:30:53.000 [notice] Opened Control listener connection (ready) on /run/tor/control
Apr 29 10:30:53.000 [notice] Bootstrapped 10% (conn_done): Connected to a relay
Apr 29 10:30:53.000 [notice] Bootstrapped 14% (handshake): Handshaking with a relay
Apr 29 10:30:53.000 [notice] Bootstrapped 15% (handshake_done): Handshake with a relay done
Apr 29 10:30:53.000 [notice] Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits
Apr 29 10:30:53.000 [notice] Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits
Apr 29 10:30:53.000 [notice] Bootstrapped 95% (circuit_create): Establishing a Tor circuit
Apr 29 10:30:53.000 [notice] Bootstrapped 100% (done): Done
Apr 29 10:30:53.000 [notice] Now checking whether IPv4 ORPort "my public ip":9001 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
Apr 29 10:33:25.000 [notice] New control connection opened.
Apr 29 10:50:53.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at "my public ip":9001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Apr 29 11:00:34.000 [notice] New control connection opened.
Apr 29 11:10:53.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at "my public ip":9001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Apr 29 11:30:53.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at "my public ip":9001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Apr 29 11:50:53.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at "my public ip":9001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Apr 29 11:59:28.000 [notice] New control connection opened.
Apr 29 12:08:05.000 [notice] New control connection opened.
Apr 29 12:10:53.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at "my public ip":9001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.

Try setting this in your torrc:

ORPort 9001 IPv4Only NoAdvertise
ORPort yourpublicIP:9001 NoListen

Tor recognizes these flags on each ORPort:

NoAdvertise: By default, we bind to a port and tell our users about it. If NoAdvertise is specified, we don’t advertise, but listen anyway. This can be useful if the port everybody will be connecting to (for example, one that’s opened on our firewall) is somewhere else.

NoListen: By default, we bind to a port and tell our users about it. If NoListen is specified, we don’t bind, but advertise anyway. This can be useful if something else (for example, a firewall’s port forwarding configuration) is causing connections to reach us.


Now I get the following errors:

 14:26:41 [NOTICE] Failed to find node for hop #1 of our path. Discarding this circuit. [3 duplicates hidden]
 14:24:08 [NOTICE] Our circuit 0 (id: 62) died due to an invalid selected path, purpose General-purpose client. This may be a torrc configuration issue, or a bug.

For clarification: the Debian LXC container has a private IPv4 address behind NAT: 10.0.0.10, which has port forwarding set up like I described. TCP 9001 and TCP 9031 are forwarded from the public IPv4 to the private IPv4 address.

Just edited my previous post, because I mixed something up. :wink:
Please try the updated suggestion.


I think some miracle happened, I just saw this:
flags: Running, V2Dir, Valid instead of the previous flags: none.

I just set OutboundBindAddress 10.0.0.10 like you recommended, but not with “my public ip”. I set the LXC container private IP behind NAT, and now it came alive.

Thank you for the help! Currently I’m testing, if I have any update I’ll comment there. I’ll mark your answer as solution if it keeps working.


Is this node healthy and running as expected?

Now I have the following status:

flags: Running, StaleDesc, V2Dir, Valid
uptime: 19:25:24
Download (1.5 KB/sec    - avg: 51.9 KB/sec, total: 3.5 GB):
Upload (536.0 B/sec   - avg: 9.7 KB/sec, total: 659.4 MB):

Some logs:

10:21:17 [WARN] Your server has not managed to confirm reachability for its ORPort(s) at "my public ip":9001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc. [31 duplicates hidden]
 09:01:18 [NOTICE] Heartbeat: DoS mitigation since startup: 0 circuits killed with too many cells, 57147 circuits rejected, 1 marked addresses, 0 marked addresses for max queue, 4695 same address concurrent connections rejected, 0 connections rejected, 0 single hop clients refused, 0 INTRODUCE2 rejected.
 09:01:18 [NOTICE] Since startup we initiated 0 and received 0 v1 connections; initiated 0 and received 0 v2 connections; initiated 0 and received 0 v3 connections; initiated 0 and received 0 v4 connections; initiated 17535 and received 10496 v5 connections.
 09:01:18 [NOTICE] Circuit handshake stats since last time: 0/0 TAP, 2535/2535 NTor. [1 duplicate hidden]
 09:01:18 [NOTICE] While not bootstrapping, fetched this many bytes: 19649154 (server descriptor fetch); 926762 (consensus network-status fetch); 752523 (microdescriptor fetch)
 09:01:18 [NOTICE] Heartbeat: Tor's uptime is 18:00 hours, with 6 circuits open. I've sent 651.19 MB and received 3.45 GB. I've received 10757 connections on IPv4 and 0 on IPv6. I've made 17866 connections with IPv4 and 0 with IPv6. [1 duplicate hidden]
 07:30:20 [WARN] Received http status code 404 ("Consensus is too old") from server secret:9001 while fetching consensus directory.
 06:27:20 [WARN] Possible compression bomb; abandoning stream. [3 duplicates hidden]
 06:27:20 [WARN] Detected possible compression bomb with input size = 19348 and output size = 536467
 06:27:20 [WARN] Detected possible compression bomb with input size = 19798 and output size = 523227
 06:26:20 [WARN] Detected possible compression bomb with input size = 27298 and output size = 786229
 06:26:20 [WARN] Unable to decompress HTTP body (tried Zstandard compressed, on Directory connection (client reading) with secret:443).
 06:26:20 [WARN] Detected possible compression bomb with input size = 14810 and output size = 387600
 03:01:18 [NOTICE] Heartbeat: DoS mitigation since startup: 0 circuits killed with too many cells, 0 circuits rejected, 0 marked addresses, 0 marked addresses for max queue, 2217 same address concurrent connections rejected, 0 connections rejected, 0 single hop clients refused, 0 INTRODUCE2 rejected.
 03:01:18 [NOTICE] Since startup we initiated 0 and received 0 v1 connections; initiated 0 and received 0 v2 connections; initiated 0 and received 0 v3 connections; initiated 0 and received 0 v4 connections; initiated 13005 and received 5074 v5 connections.
 03:01:18 [NOTICE] While not bootstrapping, fetched this many bytes: 14026513 (server descriptor fetch); 655563 (consensus network-status fetch); 171697 (microdescriptor fetch)
 01:11:20 [NOTICE] No circuits are opened. Relaxed timeout for circuit 411 (a General-purpose client 1-hop circuit in state doing handshakes with channel state open) to 60000ms. However, it appears the circuit   has timed out anyway. [1 similar message(s) suppressed in last 21960 seconds]

Current status:

Connections (51 inbound, 143 outbound, 46 directory)

Current torrc:

SocksPort 0.0.0.0:9050
DnsPort 0.0.0.0:9053
TransPort 0.0.0.0:9000
ControlPort 127.0.0.1:9051

SafeLogging 1
Log notice file /var/log/tor/notices.log
Log info file /var/log/tor/info.log

IPv6Exit 0
ClientUseIPv6 0
Address "my public ip"
OutboundBindAddress 10.0.0.100
AddressDisableIPv6 1
ORPort 9001 IPv4Only
DirPort 9031
Nickname secret
ContactInfo secret
BridgeRelay 0
ExitRelay 0
ExitPolicy reject *:*
ExitPolicy reject [::]:*
RelayBandwidthRate 20 MB
RelayBandwidthBurst 25 MB

Finally the connection was lost, as I thought it would happen. It’s strange, because I didn’t change anything. Previously there were some hundred incoming and some thousand outgoing connections, now the numbers are below 100.

Again, flags: none.

I don’t have a clue what can cause these strange issues.

Please try adding this:

ORPort 9001 IPv4Only NoAdvertise
ORPort yourpublicIP:9001 NoListen

And remove that:

Address "my public ip"
OutboundBindAddress 10.0.0.100
ORPort 9001 IPv4Only
DirPort 9031

Restart and check…
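
An added example, not part of the thread and not Tor's own code: a small Python audit that resolves, for a given torrc, which ORPort sockets Tor binds, which address:port it advertises under the NoAdvertise/NoListen rules quoted above, and which client listeners are bound beyond loopback (the binds behind the "open proxy" warnings in the first log). The sample configs are constructed, 203.0.113.7 is a placeholder for "my public ip", and treating a bare ORPort as advertising the Address value is a simplification made by this example.

```python
import ipaddress
# Client-side listeners; a bare port is treated as loopback-only (assumption).
CLIENT_PORTS = {"socksport", "dnsport", "transport", "controlport"}

def parse_torrc(text):
    """Yield (option, args); torrc option names are case-insensitive."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            opt, *args = line.split()
            yield opt.lower(), args

def is_loopback(host):
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:  # hostname, or the "unix" prefix of a socket path
        return host in ("localhost", "unix")

def audit(text):
    """Return (listening, advertised, exposed) for one torrc. Simplification:
    an ORPort given without an address advertises the Address value."""
    directives = [d for d in parse_torrc(text) if d[1]]
    address = next((a[0] for o, a in directives if o == "address"), "auto")
    listening, advertised, exposed = [], [], []
    for opt, args in directives:
        host, _, port = args[0].rpartition(":")  # bare port -> host == ""
        flags = {a.lower() for a in args[1:]}
        if opt == "orport":
            if "nolisten" not in flags:       # tor binds this socket
                listening.append(f"{host or '0.0.0.0'}:{port}")
            if "noadvertise" not in flags:    # published in the descriptor
                advertised.append(f"{host or address}:{port}")
        elif opt in CLIENT_PORTS and host and not is_loopback(host):
            exposed.append(f"{opt} {host}:{port}")
    return listening, advertised, exposed

# Constructed inputs: 203.0.113.7 stands in for "my public ip".
AS_POSTED = """SocksPort 0.0.0.0:9050
DnsPort 0.0.0.0:9053
TransPort 0.0.0.0:9000
ControlPort 127.0.0.1:9051
Address 203.0.113.7
ORPort 9001 IPv4Only
"""
SUGGESTED = "ORPort 9001 IPv4Only NoAdvertise\nORPort 203.0.113.7:9001 NoListen\n"

if __name__ == "__main__":
    print(audit(AS_POSTED), audit(SUGGESTED), sep="\n")
```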