Tor node doesn't start anymore

Hi again

After my little mishap here, I now have the problem that my Tor node no longer works. I have not made any changes to it, and even disabling the DirPort no longer helps. The Tor proxy works.

Tor[3800]: We compiled with OpenSSL 101010ff: OpenSSL 1.1.1o 3 May 2022 and we are running with OpenSSL 101010ff: 1.1.1o. These two versions should be binary compatible.
Tor[3800]: Tor 0.4.7.7 running on Linux with Libevent 2.1.12-stable, OpenSSL 1.1.1o, Zlib 1.2.12, Liblzma 5.2.5, Libzstd 1.5.2 and Glibc 2.35 as libc.
Tor[3800]: Tor can’t help you if you use it wrong! Learn how to be safe at Am I totally anonymous if I use Tor? | Tor Project | Support
Tor[3800]: Read configuration file “/usr/share/tor/defaults-torrc”.
Tor[3800]: Read configuration file “/etc/tor/torrc”.
Tor[3800]: Based on detected system memory, MaxMemInQueues is set to 6267 MB. You can override this by setting MaxMemInQueues by hand.
Tor[3800]: ControlPort is open, but no authentication method has been configured. This means that any program on your computer can reconfigure your Tor. That’s bad! You should upgrade your Tor controller as soon as possible.
Tor[3800]: You specified a public address ‘0.0.0.0:9060’ for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don’t allow this unless you have a good reason.
Tor[3800]: Opening Socks listener on 0.0.0.0:9060
Tor[3800]: Opened Socks listener connection (ready) on 0.0.0.0:9060
Tor[3800]: Opening Control listener on 127.0.0.1:9051
Tor[3800]: Opened Control listener connection (ready) on 127.0.0.1:9051
Tor[3800]: Opening OR listener on 0.0.0.0:9001
Tor[3800]: Opened OR listener connection (ready) on 0.0.0.0:9001
Tor[3800]: Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Tor[3800]: Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Tor[3800]: Configured to measure statistics. Look for the *-stats files that will first be written to the data directory in 24 hours from now.
Tor[3800]: Your Tor server’s identity key fingerprint is ‘nameofrelay XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX’
Tor[3800]: Your Tor server’s identity key ed25519 fingerprint is ‘nameofrelay XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX’
Tor[3800]: Bootstrapped 0% (starting): Starting
Tor[3800]: Starting with guard context “default”
Tor[3800]: Bootstrapped 5% (conn): Connecting to a relay
Tor[3800]: Bootstrapped 10% (conn_done): Connected to a relay
Tor[3800]: Bootstrapped 14% (handshake): Handshaking with a relay
Tor[3800]: Bootstrapped 15% (handshake_done): Handshake with a relay done
Tor[3800]: Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits
Tor[3800]: Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits
Tor[3800]: Bootstrapped 95% (circuit_create): Establishing a Tor circuit
Tor[3800]: Bootstrapped 100% (done): Done
Tor[3800]: Now checking whether IPv4 ORPort myexternIP:9001 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
Tor[3800]: Your network connection speed appears to have changed. Resetting timeout to 60000ms after 18 timeouts and 174 buildtimes.
Tor[3800]: New control connection opened from 127.0.0.1.
Tor[3800]: Your server has not managed to confirm reachability for its ORPort(s) at myexternIP:9001. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.

etc]# cat hosts
127.0.0.1 localhost.localdomain localhost
myexternIP gateway

any ideas?

Hi,

apparently, port 9001 is not reachable from the internet. As the log message states, please make sure any devices in front of IPFire have this port forwarded to it, and do not hamper communication in any way.

Also, please ensure you truly get a public IPv4 address allocated from your ISP, and no CGNAT or DSLite is involved.

Sorry for not being able to answer this more detailed, and best regards,
Peter Müller

It does not matter which port I enter; I also tried port 1312, for example, and that did not work either. After the IPFire there is only the modem, and my IP is an IPv4 address; I can easily reach the OpenVPN server. So all this can be ruled out; it must be something else.

Hi,

if you try to access this port from the outside, do you actually see the packets arriving on the RED interface, such as in the output of tcpdump? Are there any corresponding firewall log messages?

Thanks, and best regards,
Peter Müller

Hi, unfortunately I have no idea how to access a specific port from outside, except for sending a ping, for example. But I have installed the program tcpdump and created the following command.

~]# tcpdump -i red0 -n -c 15 port 1312
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on red0, link-type EN10MB (Ethernet), snapshot length 262144 bytes

If the Tor relay is not started, the output remains empty.

As soon as the relay is started, data is received and sent on the port, for example here -->

~]# tcpdump -i red0 -n -c 15 port 1312
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on red0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
14:45:24.987083 IP 147.135.112.139.49798 > MyIP.1312: Flags [P.], seq 1118188025:1118188191, ack 1149495773, win 229, options [nop,nop,TS val 3903937792 ecr 539467047], length 166
14:45:45.531002 IP 147.135.112.139.49798 > MyIP.1312: Flags [P.], seq 0:166, ack 1, win 229, options [nop,nop,TS val 3903958336 ecr 539467047], length 166
14:45:58.982409 IP 192.42.115.103.57406 > MyIP.1312: Flags [P.], seq 2432312214:2432312731, ack 1008866187, win 126, options [nop,nop,TS val 4205038811 ecr 1448039502], length 517
14:46:07.550264 IP 51.81.87.113.34632 > MyIP.1312: Flags [S], seq 613764223, win 64240, options [mss 1460,sackOK,TS val 4202874670 ecr 0,nop,wscale 7], length 0
14:46:07.550465 IP MyIP.1312 > 51.81.87.113.34632: Flags [S.], seq 3569659037, ack 613764224, win 65160, options [mss 1460,sackOK,TS val 2076348679 ecr 4202874670,nop,wscale 9], length 0
14:46:07.654089 IP 51.81.87.113.34632 > MyIP.1312: Flags [.], ack 1, win 502, options [nop,nop,TS val 4202874774 ecr 2076348679], length 0
14:46:07.656430 IP 51.81.87.113.34632 > MyIP.1312: Flags [P.], seq 1:518, ack 1, win 502, options [nop,nop,TS val 4202874776 ecr 2076348679], length 517
14:46:07.971114 IP 51.81.87.113.34632 > MyIP.1312: Flags [P.], seq 1:518, ack 1, win 502, options [nop,nop,TS val 4202875089 ecr 2076348679], length 517
14:46:08.289953 IP 51.81.87.113.34632 > MyIP.1312: Flags [P.], seq 1:518, ack 1, win 502, options [nop,nop,TS val 4202875409 ecr 2076348679], length 517
14:46:08.337675 IP 85.195.214.252.46931 > MyIP.1312: Flags [P.], seq 2421526495:2421527012, ack 3373614941, win 502, options [nop,nop,TS val 2891921324 ecr 1576329679], length 517
14:46:08.929798 IP 51.81.87.113.34632 > MyIP.1312: Flags [P.], seq 1:518, ack 1, win 502, options [nop,nop,TS val 4202876049 ecr 2076348679], length 517
14:46:10.209293 IP 51.81.87.113.34632 > MyIP.1312: Flags [P.], seq 1:518, ack 1, win 502, options [nop,nop,TS val 4202877329 ecr 2076348679], length 517
14:46:12.738276 IP 51.81.87.113.34632 > MyIP.1312: Flags [P.], seq 1:518, ack 1, win 502, options [nop,nop,TS val 4202879857 ecr 2076348679], length 517
14:46:17.856244 IP 51.81.87.113.34632 > MyIP.1312: Flags [P.], seq 1:518, ack 1, win 502, options [nop,nop,TS val 4202884977 ecr 2076348679], length 517
14:46:26.556560 IP 147.135.112.139.49798 > MyIP.1312: Flags [P.], seq 0:166, ack 1, win 229, options [nop,nop,TS val 3903999360 ecr 539467047], length 166

These IP addresses are not to be found in my firewall log, nor in the IPS log.
Under Status → Connections the IP addresses are listed with the connection status ESTABLISHED.
So nothing is blocked; why does the initiation fail?

I also noticed an error message in the Tor log, because the Tor proxy also fails after some time.

Tor[4490]: Received reload signal (hup). Reloading config and resetting internal state.
Tor[4490]: Read configuration file “/usr/share/tor/defaults-torrc”.
Tor[4490]: Read configuration file “/etc/tor/torrc”.
Tor[4490]: ControlPort is open, but no authentication method has been configured. This means that any program on your computer can reconfigure your Tor. That’s bad! You should upgrade your Tor controller as soon as possible.
Tor[4490]: Failed to parse/validate config: Can’t start/stop being a server while Sandbox is active
Tor[4490]: Reading config failed–see warnings above. For usage, try -h.
Tor[4490]: Restart failed (config error?). Exiting.

Edit:
In general the file seems very short to me -->

Sandbox 1
HardwareAccel 1
ControlPort 9051
SocksPort 0.0.0.0:9060
SocksPolicy accept 192.168.1.0/255.255.255.0
SocksPolicy accept 172.16.1.0/255.255.255.0
SocksPolicy reject *
ExitPolicyRejectPrivate 1
ORPort 1312 IPv4Only
Nickname mynick
ContactInfo mycontact
ExitPolicy reject *:*
RelayBandwidthRate 3200 KB
RelayBandwidthBurst 6400 KB

Hi,

sorry for the late reply.

No, that is fine. Tor needs very few configuration directives, and since all comments are omitted, the torrc file is only a couple of lines long. :slight_smile:

Hm. The line below seems to be the only packet that has been sent; I am a bit puzzled by the distribution of received and sent packets being that uneven.

Sorry to disappoint, but I have no idea at the moment. To my understanding, the Tor authority relays have to confirm the reachability of a relay, which would mean that a network issue between these and your relay can cause your relay not to get accepted. However, I am by no means a Tor expert.

That being said, referring you to the Tor support channels probably does not guarantee anything, but I guess you can try it. Perhaps they have more tools or insights than we do here.

Sorry to disappoint, and best regards,
Peter Müller

Can you tell me how to recognize a sent packet? I thought these are all sent and received packets.

No problem, now I at least have a substantiated statement that I'm not completely stupid.
Yes, normally you get the message that you are reachable, and then it continues with the speed measurement and making my IP known in the network; then more and more connections get established, and after weeks it starts to exhaust the line, or rather the bandwidth that I provide.
What I can well imagine is that Tor has put my fingerprint on a block list, because during the time of my change here I had the server online only irregularly and briefly. The network depends on reliable servers, and I certainly caused plenty of interruptions in this time.

I will see what I can achieve with my nice and friendly manner at the tor support. :smiley:
Thanks for the confirmation that, so far, there is nothing to find on my side, at least at first glance. I have changed nothing compared to before, when it ran well; I had just freshly gotten my Guard flag.
If I have news and found a solution, I’ll get back to you.

bye
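To answer the two questions raised in this exchange (which of the captured lines are sent versus received, and why the distribution is so uneven), here is an added example; it is not code from the thread, from IPFire or from Tor. It parses `tcpdump -n` text the way it was pasted above. The sample capture inside the block is constructed from the lines posted earlier, with MyIP standing in for the relay's address. Direction is simply which side of the `>` carries the local address: in the posted capture only one line has MyIP on the left, the SYN-ACK. The script also flags data segments that a peer keeps retransmitting without any local packet following them. In the capture, 51.81.87.113 completes the three-way handshake (so the port itself is reachable through the firewall) and then resends its first 517-byte segment seven times without ever being acknowledged, which is the pattern of a payload being dropped somewhere between the wire and the TCP stack after the handshake.

```python
"""Added example (not code from the thread, IPFire or Tor): classify the packets
in a `tcpdump -n` text capture by direction and spot data segments a peer keeps
retransmitting without any answer from the local side."""
import re
from collections import OrderedDict

# Constructed sample modelled on the capture posted above. "MyIP" stands in for
# the relay's public address; the tcpdump banner lines are included on purpose
# to show that the parser skips them.
SAMPLE = """\
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on red0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
14:45:45.531002 IP 147.135.112.139.49798 > MyIP.1312: Flags [P.], seq 0:166, ack 1, win 229, options [nop,nop,TS val 3903958336 ecr 539467047], length 166
14:46:07.550264 IP 51.81.87.113.34632 > MyIP.1312: Flags [S], seq 613764223, win 64240, options [mss 1460,sackOK,TS val 4202874670 ecr 0,nop,wscale 7], length 0
14:46:07.550465 IP MyIP.1312 > 51.81.87.113.34632: Flags [S.], seq 3569659037, ack 613764224, win 65160, options [mss 1460,sackOK,TS val 2076348679 ecr 4202874670,nop,wscale 9], length 0
14:46:07.654089 IP 51.81.87.113.34632 > MyIP.1312: Flags [.], ack 1, win 502, options [nop,nop,TS val 4202874774 ecr 2076348679], length 0
14:46:07.656430 IP 51.81.87.113.34632 > MyIP.1312: Flags [P.], seq 1:518, ack 1, win 502, options [nop,nop,TS val 4202874776 ecr 2076348679], length 517
14:46:07.971114 IP 51.81.87.113.34632 > MyIP.1312: Flags [P.], seq 1:518, ack 1, win 502, options [nop,nop,TS val 4202875089 ecr 2076348679], length 517
14:46:08.289953 IP 51.81.87.113.34632 > MyIP.1312: Flags [P.], seq 1:518, ack 1, win 502, options [nop,nop,TS val 4202875409 ecr 2076348679], length 517
14:46:08.929798 IP 51.81.87.113.34632 > MyIP.1312: Flags [P.], seq 1:518, ack 1, win 502, options [nop,nop,TS val 4202876049 ecr 2076348679], length 517
"""

# One tcpdump TCP summary line: timestamp, src.port > dst.port, flags, optional
# seq/ack fields, and the payload length at the end of the line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > ?(?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+(?::\d+)?))?"
    r"(?:, ack (?P<ack>\d+))?"
    r".*length (?P<length>\d+)$"
)


def parse_tcpdump(text):
    """Turn tcpdump text into a list of packet dicts; non-packet lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            p = m.groupdict()
            p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
            p["length"] = int(p["length"])
            packets.append(p)
    return packets


def split_by_direction(packets, local_ip):
    """Inbound = addressed to the local IP (right of '>'), outbound = sent from it."""
    inbound = [p for p in packets if p["dst"] == local_ip]
    outbound = [p for p in packets if p["src"] == local_ip]
    return inbound, outbound


def handshake_state(packets, local_ip, peer_ip, peer_port):
    """Which of SYN, SYN-ACK and the final ACK were seen for one peer socket."""
    state = {"syn": False, "synack": False, "ack": False}
    for p in packets:
        from_peer = p["src"] == peer_ip and p["sport"] == peer_port and p["dst"] == local_ip
        to_peer = p["src"] == local_ip and p["dst"] == peer_ip and p["dport"] == peer_port
        if from_peer and p["flags"] == "S":
            state["syn"] = True
        elif to_peer and p["flags"] == "S.":
            state["synack"] = True
        elif from_peer and p["flags"] == "." and p["length"] == 0 and state["synack"]:
            state["ack"] = True
    return state


def find_stalled_segments(packets, local_ip, min_repeats=3):
    """Data segments one peer sent at least min_repeats times while the local side
    sent nothing back after the first copy: the retransmission pattern of a payload
    that is dropped before it reaches the local TCP stack (or whose ACK never leaves)."""
    seen = OrderedDict()
    for i, p in enumerate(packets):
        if p["dst"] == local_ip and p["length"] > 0 and p["seq"]:
            key = (p["src"], p["sport"], p["seq"])
            entry = seen.setdefault(key, {"count": 0, "first": i, "length": p["length"]})
            entry["count"] += 1
    stalled = []
    for (peer_ip, peer_port, seq), e in seen.items():
        if e["count"] < min_repeats:
            continue
        replied = any(p["src"] == local_ip and p["dst"] == peer_ip and p["dport"] == peer_port
                      for p in packets[e["first"] + 1:])
        stalled.append({"peer": f"{peer_ip}:{peer_port}", "seq": seq, "length": e["length"],
                        "repeats": e["count"], "local_replied": replied})
    return stalled


def diagnose(text, local_ip, local_port):
    """Summary a practitioner would read off the capture for one listening port."""
    packets = parse_tcpdump(text)
    inbound, outbound = split_by_direction(packets, local_ip)
    peers = OrderedDict.fromkeys((p["src"], p["sport"]) for p in inbound if p["dport"] == local_port)
    return {
        "inbound": len(inbound),
        "outbound": len(outbound),
        "handshakes": {f"{ip}:{port}": handshake_state(packets, local_ip, ip, port)
                       for ip, port in peers},
        "stalled": find_stalled_segments(packets, local_ip),
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE, "MyIP", 1312)
    print(f"inbound={report['inbound']} outbound={report['outbound']}")
    for peer, hs in report["handshakes"].items():
        print(peer, "handshake:", hs)
    for s in report["stalled"]:
        print(f"{s['peer']} retransmitted seq {s['seq']} ({s['length']} bytes) "
              f"{s['repeats']}x, local side replied: {s['local_replied']}")
```

To use it on a real capture, save `tcpdump -n -i red0 port 1312` output to a file and pass its contents to `diagnose` with the relay's public address and ORPort. A healthy connection shows the local side answering with a `[.]` or `[P.]` line shortly after the peer's first data segment; a completed handshake followed by unanswered retransmissions points at something inline dropping the payload rather than at a closed or unforwarded port.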

OK, now I found the issue, but I don't know why it doesn't work as usual; I get no block logs...
If I disable the IPS, then the relay passes the reachability test.
But why doesn't it work anymore with the IPS enabled? I disabled the Tor rules I found, and no log entry is given for blocking. The problem goes back to IPFire.

Edit: I was able to narrow down the problem to the Snort/VRT GPLv2 community ruleset list; without that list it works.
The list also has no rule set to customize, and nothing appears in the log.
Any ideas what goes wrong?