Running a Tor relay inside a censored country

Following IPv6-only stack for guard relay.

I’m now trying to operate a Tor relay in China.

Like the last thread said, most of the IPv6 guards are not blocked yet. And for IPv4, I scanned out accessible ones and specified them in EntryNodes.

And for the directory authorities, all of them are accessible via IPv6, but not on the other. Traceroute indicates the packets are stuck at the last 1 hop for most of IPv4, and for 3 of them the packets cannot even go through ISP backbone.

Both IPv4 and IPv6 ORPort are open, confirmed on https://portchecker.co/ and my virtual machine in United States.

However, I’m not sure how Tor authorities check my port. The following log is incomplete; in the end, there will always be something like:

2024-12-31_08:20:07.40657 Dec 31 16:20:07.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at ...:9001 and [...]:9002. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.

How should I manage to get the authorities to know my relay? Or is it impossible?

torrc below:

## Configuration file for a typical Tor user
## Last updated 28 February 2019 for Tor 0.3.5.1-alpha.
## (may or may not work for much older or much newer versions of Tor.)

...

SafeLogging 0

RelayBandwidthRate 100 KBytes  # Throttle traffic to 100KB/s (800Kbps)
RelayBandwidthBurst 200 KBytes # But allow bursts up to 200KB (1600Kb)

AccountingMax 40GBytes
AccountingStart month 1 00:00

...

SOCKSPort [::]:9150
SOCKSPort 0.0.0.0:9150
SOCKSPolicy accept 192.168.0.0/16
SOCKSPolicy accept 10.0.0.0/16
SOCKSPolicy accept6 fd00:8964::/48
SOCKSPolicy reject *

ClientPreferIPv6ORPort 1

#UseBridges 1

Bridge snowflake 192.0.2.3:80 2B280B23E1107BB62ABFC40DDCC8824814F80A72 fingerprint=2B280B23E1107BB62ABFC40DDCC8824814F80A72 url=https://1098762253.rsc.cdn77.org fronts=www.phpmyadmin.net,cdn.zk.mk ice=stun:stun.antisip.com:3478,stun:stun.epygi.com:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.mixvoip.com:3478,stun:stun.nextcloud.com:3478,stun:stun.bethesda.net:3478,stun:stun.nextcloud.com:443 utls-imitate=hellorandomizedalpn
Bridge snowflake 192.0.2.4:80 8838024498816A039FCBBAB14E6F40A0843051FA fingerprint=8838024498816A039FCBBAB14E6F40A0843051FA url=https://1098762253.rsc.cdn77.org fronts=www.phpmyadmin.net,cdn.zk.mk ice=stun:stun.antisip.com:3478,stun:stun.epygi.com:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.mixvoip.com:3478,stun:stun.nextcloud.com:3478,stun:stun.bethesda.net:3478,stun:stun.nextcloud.com:443 utls-imitate=hellorandomizedalpn
Bridge snowflake 192.0.2.5:80 2B280B23E1107BB62ABFC40DDCC8824814F80A72 fingerprint=2B280B23E1107BB62ABFC40DDCC8824814F80A72 sqsqueue=https://sqs.us-east-1.amazonaws.com/893902434899/snowflake-broker sqscreds=eyJhd3MtYWNjZXNzLWtleS1pZCI6IkFLSUE1QUlGNFdKSlhTN1lIRUczIiwiYXdzLXNlY3JldC1rZXkiOiI3U0RNc0pBNHM1RitXZWJ1L3pMOHZrMFFXV0lsa1c2Y1dOZlVsQ0tRIn0= ice=stun:stun.mixvoip.com:3478,stun:stun.nextcloud.com:3478,stun:stun.bethesda.net:3478,stun:stun.nextcloud.com:443 utls-imitate=hellorandomizedalpn
Bridge snowflake 192.0.2.6:80 8838024498816A039FCBBAB14E6F40A0843051FA fingerprint=8838024498816A039FCBBAB14E6F40A0843051FA sqsqueue=https://sqs.us-east-1.amazonaws.com/893902434899/snowflake-broker sqscreds=eyJhd3MtYWNjZXNzLWtleS1pZCI6IkFLSUE1QUlGNFdKSlhTN1lIRUczIiwiYXdzLXNlY3JldC1rZXkiOiI3U0RNc0pBNHM1RitXZWJ1L3pMOHZrMFFXV0lsa1c2Y1dOZlVsQ0tRIn0= ice=stun:stun.antisip.com:3478,stun:stun.epygi.com:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478 utls-imitate=hellorandomizedalpn

ClientTransportPlugin snowflake exec /data/data/com.termux/files/usr/bin/snowflake-client

contactinfo [redacted]
Nickname AS4837Honeypot1

#BridgeRelay 1
ORPort [redacted]:9001 IPv4Only NoListen
ORPort 9002 IPv6Only
#AssumeReachable 1
PublishServerDescriptor 1

#ServerTransportPlugin obfs4 exec /data/data/com.termux/files/usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:9001
ServerTransportOptions obfs4 iat-mode=2

ExtORPort auto

EntryNodes 52A0C729BBA4A31A5C435FBD1078D1DAFBC9CB8D # 138.201.55.70:443
EntryNodes 5D95800B6875192F7CA94383A47450B34B291E08 # 146.190.47.157:65535
EntryNodes F85B80C40360CFB0D4D894CBBB12BB75FF548FAB # 165.227.129.4:65535
EntryNodes 83BADBCC825EAC0661592831ED4D30214C5B997F # 165.227.35.102:65535
EntryNodes D254F8936FB716DAB03572F1F07D6D7F86C6F9F6 # 194.59.206.96:9001

EntryNodes BAA79A6037FA9383A8423BB7EE9B9D585D16954D # 51.38.112.15:9000
EntryNodes 89F95502BDA81E44B67BADBFFF00DA80CDD4AFB5 # 51.38.112.15:9100
EntryNodes 765D92D69E37768118063F20D6AB1895A8154424 # 51.38.112.15:9200
EntryNodes 6F1487E500FBC009CC7F7A607371E548D516B051 # 51.38.112.15:9300

EntryNodes F17571CCF5867D3E5F16ABF5833771F4DC70B3C5 # 85.239.244.9:443

DisableDebuggerAttachment 0

Logs of one unsuccessful publishing:

Dec 31 23:32:59.306 [notice] Tor 0.4.8.13 running on Linux with Libevent 2.1.12-stable, OpenSSL 3.3.2, Zlib 1.3.1, Liblzma 5.6.3, Libzstd N/A and Unknown N/A as libc.
Dec 31 23:32:59.306 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
Dec 31 23:32:59.306 [notice] Read configuration file "/data/data/com.termux/files/usr/etc/tor/torrc".
Dec 31 23:32:59.308 [warn] You have a ControlPort set to accept connections from a non-local address.  This means that programs not running on your computer can reconfigure your Tor.  That's pretty bad, since the controller protocol isn't encrypted!  Maybe you should just listen on 127.0.0.1 and use a tool like stunnel or ssh to encrypt remote connections to your control port.
Dec 31 23:32:59.314 [notice] Based on detected system memory, MaxMemInQueues is set to 5596 MB. You can override this by setting MaxMemInQueues by hand.
Dec 31 23:32:59.314 [notice] By default, Tor does not run as an exit relay. If you want to be an exit relay, set ExitRelay to 1. To suppress this message in the future, set ExitRelay to 0.
Dec 31 23:32:59.314 [notice] You need at least a single managed-proxy to specify a transport listen address. The ServerTransportListenAddr line will be ignored.
Dec 31 23:32:59.315 [warn] You specified a public address '[::]:9150' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Dec 31 23:32:59.315 [warn] You specified a public address '0.0.0.0:9150' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Dec 31 23:32:59.315 [warn] You have a ControlPort set to accept connections from a non-local address.  This means that programs not running on your computer can reconfigure your Tor.  That's pretty bad, since the controller protocol isn't encrypted!  Maybe you should just listen on 127.0.0.1 and use a tool like stunnel or ssh to encrypt remote connections to your control port.
Dec 31 23:32:59.321 [notice] Opening Socks listener on [::]:9150
Dec 31 23:32:59.321 [notice] Opened Socks listener connection (ready) on [::]:9150
Dec 31 23:32:59.321 [notice] Opening Socks listener on 0.0.0.0:9150
Dec 31 23:32:59.321 [notice] Opened Socks listener connection (ready) on 0.0.0.0:9150
Dec 31 23:32:59.321 [notice] Opening Control listener on 0.0.0.0:9051
Dec 31 23:32:59.321 [notice] Opened Control listener connection (ready) on 0.0.0.0:9051
Dec 31 23:32:59.321 [notice] Opening OR listener on [::]:9002
Dec 31 23:32:59.321 [notice] Opened OR listener connection (ready) on [::]:9002
Dec 31 23:32:59.321 [notice] Opening Extended OR listener on 127.0.0.1:0
Dec 31 23:32:59.321 [notice] Extended OR listener listening on port 37543.
Dec 31 23:32:59.321 [notice] Opened Extended OR listener connection (ready) on 127.0.0.1:37543
Dec 31 23:32:59.000 [warn] Your log may contain sensitive information - you disabled SafeLogging. Don't log unless it serves an important reason. Overwrite the log afterwards.
Dec 31 23:32:59.000 [notice] Not disabling debugger attaching for unprivileged users.
Dec 31 23:32:59.000 [notice] Your Tor server's identity key fingerprint is 'AS4837Honeypot1 [redacted]'
Dec 31 23:32:59.000 [notice] Your Tor server's identity key ed25519 fingerprint is 'AS4837Honeypot1 [redacted]'
Dec 31 23:32:59.000 [notice] Configured hibernation. This interval begins at 2024-12-01 00:00:00 and ends at 2025-01-01 00:00:00. We have no prior estimate for bandwidth, so we will start out awake and hibernate when we exhaust our quota.
Dec 31 23:32:59.000 [notice] Parsing GEOIP IPv4 file /data/data/com.termux/files/usr/share/tor/geoip.
Dec 31 23:32:59.000 [notice] Parsing GEOIP IPv6 file /data/data/com.termux/files/usr/share/tor/geoip6.
Dec 31 23:33:00.000 [notice] Configured to measure statistics. Look for the *-stats files that will first be written to the data directory in 24 hours from now.
Dec 31 23:33:00.000 [notice] Bootstrapped 0% (starting): Starting
Dec 31 23:33:01.000 [warn] Your configuration excludes 99% of all possible guards. That's likely to make you stand out from the rest of the world.
Dec 31 23:33:01.000 [notice] Starting with guard context "restricted"
Dec 31 23:33:02.000 [notice] Bootstrapped 5% (conn): Connecting to a relay
Dec 31 23:33:03.000 [notice] Not advertising Directory Service support (Reason: AccountingMax enabled)
Dec 31 23:33:03.000 [notice] We'd like to launch a circuit to handle a connection, but we already have 32 general-purpose client circuits pending. Waiting until some finish.
Dec 31 23:33:03.000 [notice] Bootstrapped 10% (conn_done): Connected to a relay
Dec 31 23:33:03.000 [notice] Bootstrapped 14% (handshake): Handshaking with a relay
Dec 31 23:33:04.000 [notice] Bootstrapped 15% (handshake_done): Handshake with a relay done
Dec 31 23:33:04.000 [notice] Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits
Dec 31 23:33:04.000 [notice] Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits
Dec 31 23:33:04.000 [notice] Bootstrapped 95% (circuit_create): Establishing a Tor circuit
Dec 31 23:33:05.000 [notice] Bootstrapped 100% (done): Done
Dec 31 23:33:05.000 [notice] Now checking whether IPv4 ORPort xx.xxx.223.124:9001 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
Dec 31 23:33:05.000 [notice] Now checking whether IPv6 ORPort [2408:...]:9002 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)

Just to make sure: you are trying to set up a relay (server) for others to use, and not to use Tor as a client?
I’m pretty sure this is not gonna work.
Middle and guard relays need to be able to connect to all the middle and exit relays AFAIK, because the client is the one who chooses circuits.

And AFAIK the way you configure Tor is wrong. If you look at man tor, you’ll see that the options are split into several sections, most notably “Client options” and “Server options”. For a Tor relay, client options do not apply:

The following options are useful only for clients

And EntryNodes is a client option, so it won’t work for a relay.

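The startup warnings in the log above (SocksPort and ControlPort bound to non-local addresses, the ignored ServerTransportListenAddr) and the reply's point about EntryNodes can all be caught by reading the torrc before Tor starts. The following is an added example, not code from the thread or from the Tor Project: a small torrc linter in which the finding names, the function names and the `CLIENT_ONLY` set (a partial list taken from the CLIENT OPTIONS section of the man page) are assumptions, and the sample input is constructed from the config and log posted above.

```python
import ipaddress

# Partial list from the CLIENT OPTIONS section of `man tor`, limited to
# options that appear in the torrc posted in this thread (assumption).
CLIENT_ONLY = {"entrynodes", "usebridges", "bridge",
               "clienttransportplugin", "clientpreferipv6orport"}

def parse(text):
    # Yield (line_no, lowercased option, value) for every active line.
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if line:
            opt, *rest = line.split(None, 1)
            yield no, opt.lower(), rest[0] if rest else ""

def binds_off_loopback(value):
    """True for listener values such as '0.0.0.0:9150' or '[::]:9150'."""
    host, sep, _ = value.split()[0].rpartition(":")
    if not sep:
        return False   # bare port number: Tor binds it to localhost
    try:
        return not ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False   # unix socket or hostname: not judged here

def lint(text):
    # Return (line_no, finding, option) tuples; option names are case-insensitive.
    entries = list(parse(text))
    opts = {opt for _, opt, _ in entries}
    out = []
    for no, opt, value in entries:
        if "orport" in opts and opt in CLIENT_ONLY:
            out.append((no, "client-option-in-relay", opt))
        if opt in ("socksport", "controlport") and value and binds_off_loopback(value):
            out.append((no, "public-listener", opt))
        if opt == "servertransportlistenaddr" and "servertransportplugin" not in opts:
            out.append((no, "listenaddr-without-plugin", opt))
    return out

# Constructed sample, reduced from the torrc and log in this thread.
SAMPLE = """\
SOCKSPort [::]:9150
ControlPort 0.0.0.0:9051
#UseBridges 1
ORPort 9002 IPv6Only
#ServerTransportPlugin obfs4 exec /data/data/com.termux/files/usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:9001
EntryNodes 52A0C729BBA4A31A5C435FBD1078D1DAFBC9CB8D # 138.201.55.70:443
"""
for no, finding, opt in lint(SAMPLE):
    print(f"line {no}: {finding} ({opt})")
```

SOCKSPolicy lines are not evaluated here, so a `public-listener` finding means only that the socket is bound off-loopback, not that every source address is accepted.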

Even if you get the authorities to know your relay, it will not get the Running flag, because your relay has to be reachable by the authorities on all published ORPorts. Being reachable via IPv6 is sadly not enough.
https://spec.torproject.org/dir-spec/assigning-flags-vote.html

OK, I don’t think it’s currently possible.