Running a Tor relay inside a kubernetes cluster - ORPort not reachable

Support Relay Operator
1

Hi all!

I’ve got a kubernetes cluster which I am using to host my projects, I’ve got a whole lot of resources and bandwith that I am not using. Therefore I am trying to see if I can run a tor relay inside my cluster. However, for some reason it keeps erroring out that my ORPort is not reachable.

I’ve first tried to open port 9001 as a NodePort and let my tor relay listen on that port. This didn’t work because kubernetes only allows services to use ports above 30000. Then I’ve tried to run the tor relay on port 9001 inside the container and use a service to redirect 30001 to 9001. This didn’t work either.

Now I am doing it different and I run my relay on port 30001 and are not redirecting any traffic. Here is my torrc:

DataDirectory /var/lib/tor

ORPort 30001
DirPort 30030

# Everything below this where previous trials
#ORPort 30001 NoListen
#ORPort 0.0.0.0:9001 NoAdvertise
#ORPort 9001 NoAdvertise IPv4Only
#ORPort 30001 NoListen IPv4Only
#DirPort 9030 NoAdvertise IPv4Only
#DirPort 30030 NoListen IPv4Only

ExitPolicy reject *:*
ExitPolicy reject6 *:*

SocksPort 0
ControlSocket 0

Nickname <MYNICKNAME>
ContactInfo <MYCONTACTINFO>

Address <MYEXTERNALIP>
#OutboundBindAddressOR <MYEXTERNALIP>
# Log debug stderr

The container is merely starting up tor with the config file above. I can confirm that changes here (for example with regards to the IP) does reflect inside the output log.

This is my kubernetes deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: tor-relay
  namespace: tor-prod
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tor-relay
  template:
    metadata:
      labels:
        app: tor-relay
    spec:
      containers:
      - name: tor
        image: <my alpine container starting up tor with the torrc config>:latest
        ports:
            - containerPort: 30001
            - containerPort: 30030
        volumeMounts:
        - name: tor-data
          mountPath: /var/lib/tor
        - name: tor-config
          mountPath: /config/torrc
          subPath: torrc
      volumes:
      - name: tor-data
        persistentVolumeClaim:
          claimName: tor-data-pvc
      - name: tor-config
        configMap:
          name: tor-config

Here is my service which shows the use of NodePort

apiVersion: v1
kind: Service
metadata:
  name: tor-relay-service
  namespace: tor-prod
spec:
  type: NodePort
  selector:
    app: tor-relay
  ports:
    - name: orport
      protocol: TCP
      port: 30001
      targetPort: 30001
      nodePort: 30001
    - name: dirport
      protocol: TCP
      port: 30030
      targetPort: 30030
      nodePort: 30030

No redirect anywhere should happen and the ORPort should be reacheable on :30001. I’ve pinned this container on 1 node so I am 100% the IP address os properly configured.

Here is the log output:

Mar 30 07:52:18.244 [notice] Tor 0.4.8.10 running on Linux with Libevent 2.1.12-stable, OpenSSL 3.1.4, Zlib 1.3.1, Liblzma 5.4.5, Libzstd 1.5.5 and Unknown N/A as libc.
Mar 30 07:52:18.244 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
Mar 30 07:52:18.244 [notice] Read configuration file "/config/torrc".
Mar 30 07:52:18.246 [notice] Based on detected system memory, MaxMemInQueues is set to 1443 MB. You can override this by setting MaxMemInQueues by hand.
Mar 30 07:52:18.248 [notice] Opening OR listener on 0.0.0.0:30001
Mar 30 07:52:18.248 [notice] Opened OR listener connection (ready) on 0.0.0.0:30001
Mar 30 07:52:18.248 [notice] Opening OR listener on [::]:30001
Mar 30 07:52:18.248 [notice] Opened OR listener connection (ready) on [::]:30001
Mar 30 07:52:18.248 [notice] Opening Directory listener on 0.0.0.0:30030
Mar 30 07:52:18.248 [notice] Opened Directory listener connection (ready) on 0.0.0.0:30030
Mar 30 07:52:23.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Mar 30 07:52:23.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Mar 30 07:52:23.000 [notice] Configured to measure statistics. Look for the *-stats files that will first be written to the data directory in 24 hours from now.
Mar 30 07:52:23.000 [warn] You are running Tor as root. You don't need to, and you probably shouldn't.
Mar 30 07:52:23.000 [notice] Your Tor server's identity key fingerprint is [REDACTED]
Mar 30 07:52:23.000 [notice] Your Tor server's identity key ed25519 fingerprint is [REDACTED]
Mar 30 07:52:23.000 [notice] Bootstrapped 0% (starting): Starting
Mar 30 07:52:24.000 [notice] Starting with guard context "default"
Mar 30 07:52:30.000 [notice] Bootstrapped 5% (conn): Connecting to a relay
Mar 30 07:52:30.000 [notice] Unable to find IPv6 address for ORPort 30001. You might want to specify IPv4Only to it or set an explicit address or set Address.
Mar 30 07:52:30.000 [notice] Bootstrapped 10% (conn_done): Connected to a relay
Mar 30 07:52:30.000 [notice] Bootstrapped 14% (handshake): Handshaking with a relay
Mar 30 07:52:30.000 [notice] Bootstrapped 15% (handshake_done): Handshake with a relay done
Mar 30 07:52:30.000 [notice] Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits
Mar 30 07:52:31.000 [notice] Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits
Mar 30 07:52:31.000 [notice] Bootstrapped 95% (circuit_create): Establishing a Tor circuit
Mar 30 07:52:31.000 [notice] Bootstrapped 100% (done): Done
Mar 30 07:52:31.000 [notice] Now checking whether IPv4 ORPort <external ip>:30001 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)

I’ve just restarted the container so I cannot show the error, but it is this exact one:

Aug 02 10:35:41 tor-relay Tor[1253]: Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.

One annoying thing is that I have to wait 20 minutes to see if it fails or not, and that there is nothing helpful in there. I can confirm that I am able to connect via Telnet on the ORPort:

╰─$ telnet <external ip> 30001
Trying <external ip>...
Connected to <external ip>.
Escape character is '^]'.

I am hoping that someone is able to point out my issue here and help me figure this out! :pray:t2:

2

Is the one from August the right message?

Ps: The Dirport is currently deprecated

1 Like
3

When writing the post I didn’t have the full log yet, that was the same line I could find via Google. Here the full log after a day:

Mar 30 07:52:18.244 [notice] Tor 0.4.8.10 running on Linux with Libevent 2.1.12-stable, OpenSSL 3.1.4, Zlib 1.3.1, Liblzma 5.4.5, Libzstd 1.5.5 and Unknown N/A as libc.
Mar 30 07:52:18.244 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
Mar 30 07:52:18.244 [notice] Read configuration file "/config/torrc".
Mar 30 07:52:18.246 [notice] Based on detected system memory, MaxMemInQueues is set to 1443 MB. You can override this by setting MaxMemInQueues by hand.
Mar 30 07:52:18.248 [notice] Opening OR listener on 0.0.0.0:30001
Mar 30 07:52:18.248 [notice] Opened OR listener connection (ready) on 0.0.0.0:30001
Mar 30 07:52:18.248 [notice] Opening OR listener on [::]:30001
Mar 30 07:52:18.248 [notice] Opened OR listener connection (ready) on [::]:30001
Mar 30 07:52:18.248 [notice] Opening Directory listener on 0.0.0.0:30030
Mar 30 07:52:18.248 [notice] Opened Directory listener connection (ready) on 0.0.0.0:30030
Mar 30 07:52:18.000 [warn] It looks like another Tor process is running with the same data directory.  Waiting 5 seconds to see if it goes away.
Mar 30 07:52:23.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Mar 30 07:52:23.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Mar 30 07:52:23.000 [notice] Configured to measure statistics. Look for the *-stats files that will first be written to the data directory in 24 hours from now.
Mar 30 07:52:23.000 [warn] You are running Tor as root. You don't need to, and you probably shouldn't.
Mar 30 07:52:23.000 [notice] Your Tor server's identity key fingerprint is [REDACTED]
Mar 30 07:52:23.000 [notice] Your Tor server's identity key ed25519 fingerprint is [REDACTED]
Mar 30 07:52:23.000 [notice] Bootstrapped 0% (starting): Starting
Mar 30 07:52:24.000 [notice] Starting with guard context "default"
Mar 30 07:52:30.000 [notice] Bootstrapped 5% (conn): Connecting to a relay
Mar 30 07:52:30.000 [notice] Unable to find IPv6 address for ORPort 30001. You might want to specify IPv4Only to it or set an explicit address or set Address.
Mar 30 07:52:30.000 [notice] Bootstrapped 10% (conn_done): Connected to a relay
Mar 30 07:52:30.000 [notice] Bootstrapped 14% (handshake): Handshaking with a relay
Mar 30 07:52:30.000 [notice] Bootstrapped 15% (handshake_done): Handshake with a relay done
Mar 30 07:52:30.000 [notice] Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits
Mar 30 07:52:31.000 [notice] Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits
Mar 30 07:52:31.000 [notice] Bootstrapped 95% (circuit_create): Establishing a Tor circuit
Mar 30 07:52:31.000 [notice] Bootstrapped 100% (done): Done
Mar 30 07:52:31.000 [notice] Now checking whether IPv4 ORPort <external ip>:30001 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
Mar 30 08:12:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 08:32:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 08:52:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 08:52:30.000 [notice] Unable to find IPv6 address for ORPort 30001. You might want to specify IPv4Only to it or set an explicit address or set Address. [59 similar message(s) suppressed in last 3540 seconds]
Mar 30 09:12:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 09:32:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 09:52:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 09:52:30.000 [notice] Unable to find IPv6 address for ORPort 30001. You might want to specify IPv4Only to it or set an explicit address or set Address. [60 similar message(s) suppressed in last 3540 seconds]
Mar 30 10:05:19.000 [notice] No circuits are opened. Relaxed timeout for circuit 1288 (a Measuring circuit timeout 3-hop circuit in state doing handshakes with channel state open) to 60000ms. However, it appears the circuit has timed out anyway.
Mar 30 10:12:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 10:32:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 10:52:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 10:52:31.000 [notice] Unable to find IPv6 address for ORPort 30001. You might want to specify IPv4Only to it or set an explicit address or set Address. [60 similar message(s) suppressed in last 3600 seconds]
Mar 30 11:12:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 11:32:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 11:52:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 11:52:31.000 [notice] Unable to find IPv6 address for ORPort 30001. You might want to specify IPv4Only to it or set an explicit address or set Address. [59 similar message(s) suppressed in last 3540 seconds]
Mar 30 12:12:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 12:32:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 12:37:13.000 [notice] No circuits are opened. Relaxed timeout for circuit 3816 (a Measuring circuit timeout 3-hop circuit in state doing handshakes with channel state open) to 60000ms. However, it appears the circuit has timed out anyway. [6 similar message(s) suppressed in last 8220 seconds]
Mar 30 12:52:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 12:52:31.000 [notice] Unable to find IPv6 address for ORPort 30001. You might want to specify IPv4Only to it or set an explicit address or set Address. [60 similar message(s) suppressed in last 3540 seconds]
Mar 30 13:12:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 13:32:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 13:52:30.000 [notice] Heartbeat: It seems like we are not in the cached consensus.
Mar 30 13:52:30.000 [notice] Heartbeat: Tor's uptime is 6:00 hours, with 10 circuits open. I've sent 14.49 MB and received 23.97 MB. I've received 72 connections on IPv4 and 0 on IPv6. I've made 155 connections with IPv4 and 0 with IPv6.
Mar 30 13:52:30.000 [notice] While bootstrapping, fetched this many bytes: 5567 (microdescriptor fetch)
Mar 30 13:52:30.000 [notice] While not bootstrapping, fetched this many bytes: 5295922 (server descriptor fetch); 279173 (consensus network-status fetch); 29649 (microdescriptor fetch)
Mar 30 13:52:30.000 [notice] Circuit handshake stats since last time: 0/0 TAP, 69/69 NTor.
Mar 30 13:52:30.000 [notice] Since startup we initiated 0 and received 0 v1 connections; initiated 0 and received 0 v2 connections; initiated 0 and received 0 v3 connections; initiated 0 and received 0 v4 connections; initiated 150 and received 69 v5 connections.
Mar 30 13:52:30.000 [notice] Heartbeat: DoS mitigation since startup: 0 circuits killed with too many cells, 0 circuits rejected, 0 marked addresses, 0 marked addresses for max queue, 0 same address concurrent connections rejected, 0 connections rejected, 0 single hop clients refused, 0 INTRODUCE2 rejected.
Mar 30 13:52:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 13:52:31.000 [notice] Unable to find IPv6 address for ORPort 30001. You might want to specify IPv4Only to it or set an explicit address or set Address. [60 similar message(s) suppressed in last 3540 seconds]
Mar 30 14:12:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 14:32:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 14:52:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 14:52:32.000 [notice] Unable to find IPv6 address for ORPort 30001. You might want to specify IPv4Only to it or set an explicit address or set Address. [59 similar message(s) suppressed in last 3600 seconds]
Mar 30 15:12:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 15:32:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 15:52:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 15:52:32.000 [notice] Unable to find IPv6 address for ORPort 30001. You might want to specify IPv4Only to it or set an explicit address or set Address. [60 similar message(s) suppressed in last 3540 seconds]
Mar 30 16:12:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 16:32:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 16:52:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 16:52:32.000 [notice] Unable to find IPv6 address for ORPort 30001. You might want to specify IPv4Only to it or set an explicit address or set Address. [60 similar message(s) suppressed in last 3540 seconds]
Mar 30 17:12:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 17:32:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 17:52:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 17:52:32.000 [notice] Unable to find IPv6 address for ORPort 30001. You might want to specify IPv4Only to it or set an explicit address or set Address. [59 similar message(s) suppressed in last 3540 seconds]
Mar 30 18:12:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 18:32:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 18:52:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 18:52:32.000 [notice] Unable to find IPv6 address for ORPort 30001. You might want to specify IPv4Only to it or set an explicit address or set Address. [60 similar message(s) suppressed in last 3540 seconds]
Mar 30 19:12:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 19:32:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 19:52:30.000 [notice] Heartbeat: It seems like we are not in the cached consensus.
Mar 30 19:52:30.000 [notice] Heartbeat: Tor's uptime is 12:00 hours, with 6 circuits open. I've sent 31.09 MB and received 52.23 MB. I've received 145 connections on IPv4 and 0 on IPv6. I've made 342 connections with IPv4 and 0 with IPv6.
Mar 30 19:52:30.000 [notice] While bootstrapping, fetched this many bytes: 5567 (microdescriptor fetch)
Mar 30 19:52:30.000 [notice] While not bootstrapping, fetched this many bytes: 11010201 (server descriptor fetch); 560641 (consensus network-status fetch); 70208 (microdescriptor fetch)
Mar 30 19:52:30.000 [notice] Circuit handshake stats since last time: 0/0 TAP, 55/55 NTor.
Mar 30 19:52:30.000 [notice] Since startup we initiated 0 and received 0 v1 connections; initiated 0 and received 0 v2 connections; initiated 0 and received 0 v3 connections; initiated 0 and received 0 v4 connections; initiated 334 and received 123 v5 connections.
Mar 30 19:52:30.000 [notice] Heartbeat: DoS mitigation since startup: 0 circuits killed with too many cells, 0 circuits rejected, 0 marked addresses, 0 marked addresses for max queue, 0 same address concurrent connections rejected, 0 connections rejected, 0 single hop clients refused, 0 INTRODUCE2 rejected.
Mar 30 19:52:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 19:52:32.000 [notice] Unable to find IPv6 address for ORPort 30001. You might want to specify IPv4Only to it or set an explicit address or set Address. [60 similar message(s) suppressed in last 3540 seconds]
Mar 30 20:12:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 20:32:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 20:52:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 20:52:33.000 [notice] Unable to find IPv6 address for ORPort 30001. You might want to specify IPv4Only to it or set an explicit address or set Address. [59 similar message(s) suppressed in last 3600 seconds]
Mar 30 21:12:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 21:32:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 21:52:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 21:52:33.000 [notice] Unable to find IPv6 address for ORPort 30001. You might want to specify IPv4Only to it or set an explicit address or set Address. [60 similar message(s) suppressed in last 3540 seconds]
Mar 30 22:12:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 22:32:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 22:46:28.000 [notice] Your network connection speed appears to have changed. Resetting timeout to 60000ms after 18 timeouts and 1000 buildtimes.
Mar 30 22:52:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 22:52:33.000 [notice] Unable to find IPv6 address for ORPort 30001. You might want to specify IPv4Only to it or set an explicit address or set Address. [60 similar message(s) suppressed in last 3540 seconds]
Mar 30 23:12:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 23:32:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 23:52:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 30 23:52:33.000 [notice] Unable to find IPv6 address for ORPort 30001. You might want to specify IPv4Only to it or set an explicit address or set Address. [59 similar message(s) suppressed in last 3540 seconds]
Mar 31 00:12:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 31 00:32:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 31 00:52:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 31 00:52:34.000 [notice] Unable to find IPv6 address for ORPort 30001. You might want to specify IPv4Only to it or set an explicit address or set Address. [60 similar message(s) suppressed in last 3600 seconds]
Mar 31 01:12:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 31 01:32:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 31 01:52:30.000 [notice] Heartbeat: It seems like we are not in the cached consensus.
Mar 31 01:52:30.000 [notice] Heartbeat: Tor's uptime is 18:00 hours, with 6 circuits open. I've sent 47.07 MB and received 77.40 MB. I've received 208 connections on IPv4 and 0 on IPv6. I've made 477 connections with IPv4 and 0 with IPv6.
Mar 31 01:52:30.000 [notice] While bootstrapping, fetched this many bytes: 5567 (microdescriptor fetch)
Mar 31 01:52:30.000 [notice] While not bootstrapping, fetched this many bytes: 16711285 (server descriptor fetch); 830949 (consensus network-status fetch); 128928 (microdescriptor fetch)
Mar 31 01:52:30.000 [notice] Circuit handshake stats since last time: 0/0 TAP, 53/53 NTor.
Mar 31 01:52:30.000 [notice] Since startup we initiated 0 and received 0 v1 connections; initiated 0 and received 0 v2 connections; initiated 0 and received 0 v3 connections; initiated 0 and received 0 v4 connections; initiated 468 and received 175 v5 connections.
Mar 31 01:52:30.000 [notice] Heartbeat: DoS mitigation since startup: 0 circuits killed with too many cells, 0 circuits rejected, 0 marked addresses, 0 marked addresses for max queue, 0 same address concurrent connections rejected, 0 connections rejected, 0 single hop clients refused, 0 INTRODUCE2 rejected.
Mar 31 01:52:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 31 01:52:34.000 [notice] Unable to find IPv6 address for ORPort 30001. You might want to specify IPv4Only to it or set an explicit address or set Address. [60 similar message(s) suppressed in last 3600 seconds]
Mar 31 02:12:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 31 02:32:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 31 02:52:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 31 02:52:34.000 [notice] Unable to find IPv6 address for ORPort 30001. You might want to specify IPv4Only to it or set an explicit address or set Address. [59 similar message(s) suppressed in last 3540 seconds]
Mar 31 03:12:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 31 03:32:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 31 03:52:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 31 03:52:34.000 [notice] Unable to find IPv6 address for ORPort 30001. You might want to specify IPv4Only to it or set an explicit address or set Address. [60 similar message(s) suppressed in last 3540 seconds]
Mar 31 04:12:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 31 04:32:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 31 04:52:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 31 04:52:34.000 [notice] Unable to find IPv6 address for ORPort 30001. You might want to specify IPv4Only to it or set an explicit address or set Address. [60 similar message(s) suppressed in last 3540 seconds]
Mar 31 05:12:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 31 05:32:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 31 05:52:30.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <external ip>:30001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Mar 31 05:52:35.000 [notice] Unable to find IPv6 address for ORPort 30001. You might want to specify IPv4Only to it or set an explicit address or set Address. [59 similar message(s) suppressed in last 3600 seconds]

And, good to know the dirport is deprecated. Is there a replacement for it or can I ignore it alltogether?

4

Did you follow up that warning? It could be that a Tor service is running plus a manually started Tor instance under root.

5

When you tried to check reachability, did you do it from the same network, or from some other place over the internet? If only the former, maybe try the later too, in case you have some firewall blocking that port between your network and the rest of us.

No, directories requests are now mostly tunneled through the ORPort instead of using the DirPort (except for directory authorities).

6

@Felix @trinity-1686a I found it! It was unrelated to your questions, but it did cause me to debug it a bit more.

I used lsof to see if port 30001 was bound on the host and found out it was never bound. So, there is the issue. Then I went and digged further into the issue and stupidly of me, NodePort does not expose the port to the outside. I have to admit that I’ve never used NodePort before and the reason I didn’t catch this is because:

  1. I took the code from a helm chart that wasn’t updated anymore, I guess they used a LoadBalancer to still expose the port.
  2. ChatGPT has hallucinated a lot with this one because it never caught the error. (Other then this, ChatGPT is awesome to write Kubernetes manifests :-))

I used a sample server (manifest below) to check if I could reach it. This one worked with a hostport:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-world-deployment
  namespace: tor-prod
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello-world
  template:
    metadata:
      labels:
        app: hello-world
    spec:
      containers:
        - name: hello-world-container
          image: hashicorp/http-echo # Using hashicorp/http-echo for simplicity
          args:
            - "-text=Hello World"
          ports:
            - containerPort: 5678 # The port the container listens on
              hostPort: 30002 # Exposing the container port on the host's port 30002
              protocol: TCP
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: node.kubernetes.io/role
                    operator: In
                    values:
                      - arm-worker
      tolerations:
        - key: "node.kubernetes.io/role"
          operator: "Equal"
          value: "arm-worker"
          effect: "NoSchedule"

Here is my final deployment manifest for future reference if other people want it:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: tor-relay
  namespace: tor-prod
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tor-relay
  template:
    metadata:
      labels:
        app: tor-relay
    spec:
      containers:
      - name: tor
        image: <myimage>
        ports:
          - name: orport
            containerPort: 30001
            hostPort: 30001
            protocol: TCP
          - name: dirport
            containerPort: 30030
            hostPort: 30030
            protocol: TCP
        volumeMounts:
        - name: tor-data
          mountPath: /var/lib/tor
        - name: tor-config
          mountPath: /config/torrc
          subPath: torrc
      volumes:
      - name: tor-data
        persistentVolumeClaim:
          claimName: tor-data-pvc
      - name: tor-config
        configMap:
          name: tor-config
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: node.kubernetes.io/role
                operator: In
                values:
                - arm-worker
      tolerations:
      - key: "node.kubernetes.io/role"
        operator: "Equal"
        value: "arm-worker"
        effect: "NoSchedule"

Note: is just a simple Docker container which starts up the tor daemon with the -c /config/torrc flag, which in turn is a config inside the cluster and is mounted when starting the pod.

Once again thank you! This topic can be closed :slight_smile:

1 Like
7

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.