Hello Community!
I’m currently facing an issue with my Tor relay. I have three containers running, all of which are fully externally reachable. However, the Tor daemon does not report reachability for its ORPort. The containers are attached to the default lxdbr0 and I have attached proxies to them that forward incoming traffic on the specified ports.
I have tested the setup on a separate system with regular privileged LXC containers. Running the relay inside a privileged container does solve the problem. However, I’m seeking assistance to solve this issue with unprivileged containers due to the reduced attack surface of unprivileged containers.
Like I said, my other containers can be reached without any issues. I have tested the ORPorts 9001 and 443 without any success. I have also installed apache2 inside the container and confirmed that it was externally reachable. So far, I have not been able to reproduce the issue with any other software. Only Tor appears to have this issue for me.
Software Versions
Host OS: Ubuntu Server 24.04.3 LTS
Guest OS: Debian 13
LXC: 5.21.4 LTS
LXD: 5.21.4 (installed via Snap)
Relevant Firewall Configuration on Host
(I have removed all entries that are not directly related to lxdbr0 or the affected container)
Status: active
To                         Action      From
--                         ------      ----
Anywhere on lxdbr0         ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere                   # ORPort Test
Anywhere (v6) on lxdbr0    ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)              # ORPort Test
Anywhere                   ALLOW OUT   Anywhere on lxdbr0
Anywhere                   ALLOW FWD   Anywhere on lxdbr0
Anywhere on lxdbr0         ALLOW FWD   Anywhere
Anywhere (v6)              ALLOW FWD   Anywhere (v6) on lxdbr0
Anywhere (v6) on lxdbr0    ALLOW FWD   Anywhere (v6)
Container Configuration
devices:
  proxy-orport:
    connect: tcp:10.157.144.136:443
    listen: tcp:0.0.0.0:443
    type: proxy
Tor Status
● tor@default.service - Anonymizing overlay network for TCP
     Loaded: loaded (/usr/lib/systemd/system/tor@default.service; enabled-runtime; preset: enabled)
    Drop-In: /run/systemd/system/service.d
             └─zzz-lxc-service.conf
     Active: active (running) since Mon 2025-10-06 06:20:33 UTC; 1 week 0 days ago
 Invocation: 73f08a03dc5249038addae60b8f8a829
    Process: 164 ExecStartPre=/usr/bin/install -Z -m 02755 -o debian-tor -g debian-tor -d /run/tor (code=exited, status=0/SUCCESS)
    Process: 175 ExecStartPre=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 --verify-config (code=exited, status=0/SUCCESS)
   Main PID: 179 (tor)
      Tasks: 5 (limit: 18971)
     Memory: 662.4M (peak: 758.2M)
        CPU: 59min 49.368s
     CGroup: /system.slice/system-tor.slice/tor@default.service
             └─179 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0
Oct 13 08:20:36 tor Tor[179]: Your server has not managed to confirm reachability for its ORPort(s) at 84.63.49.96:443. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Oct 13 08:20:48 tor Tor[179]: Unable to find IPv6 address for ORPort 443. You might want to specify IPv4Only to it or set an explicit address or set Address. [60 similar message(s) suppressed in last 3540 seconds]
Oct 13 08:40:36 tor Tor[179]: Your server has not managed to confirm reachability for its ORPort(s) at 84.63.49.96:443. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Oct 13 09:00:36 tor Tor[179]: Your server has not managed to confirm reachability for its ORPort(s) at 84.63.49.96:443. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Oct 13 09:20:36 tor Tor[179]: Your server has not managed to confirm reachability for its ORPort(s) at 84.63.49.96:443. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Oct 13 09:20:48 tor Tor[179]: Unable to find IPv6 address for ORPort 443. You might want to specify IPv4Only to it or set an explicit address or set Address. [59 similar message(s) suppressed in last 3540 seconds]
Oct 13 09:40:36 tor Tor[179]: Your server has not managed to confirm reachability for its ORPort(s) at 84.63.49.96:443. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Oct 13 10:00:36 tor Tor[179]: Your server has not managed to confirm reachability for its ORPort(s) at 84.63.49.96:443. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Oct 13 10:20:36 tor Tor[179]: Your server has not managed to confirm reachability for its ORPort(s) at 84.63.49.96:443. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Oct 13 10:20:48 tor Tor[179]: Unable to find IPv6 address for ORPort 443. You might want to specify IPv4Only to it or set an explicit address or set Address. [60 similar message(s) suppressed in last 3540 seconds]
torrc (Test Relay)
ORPort 443
Nickname test