Re: [tor-relays] Opening metrics-api.torproject.org for testing

2024-08-02 Thread boldsuck
On Friday, 2 August 2024 17:38:59 CEST Hiro wrote:

> We are now opening NSA for testing, and it can be accessed at:

ROFL ;-)


-- 
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!

signature.asc
Description: This is a digitally signed message part.
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] Archive key from deb.torproject.org was renewed!

2024-08-01 Thread boldsuck
On Friday, 2 August 2024 02:10:21 CEST Martin Gebhardt via tor-relays wrote:
> >> Since you are all tinkering with your servers anyway, why don't you try
> >> deb822-style ;-)
> > 
> > Because that doesn't make sense for public Tor nodes, but rather for
> > .onion
> > services.
> > Many ISPs and providers have a Debian and Tor mirror and I use them via
> > clearnet because reliability for security updates is important to me.
> 
> ok, you are probably referring to the fact that i use the repo via .onion.
> But i actually wanted to point out the format of the APT source files, see
> https://manpages.debian.org/unstable/apt/sources.list.5.en.html#DEB822-STYLE_FORMAT :-)

Aah.
Ooh, thanks. Interesting. I didn't know that. Must be new or I missed it in 
the release notes.

> And regardless of that: In my opinion, it makes perfect sense to also obtain
> public services such as OS updates via Tor. The more data flying around the
> Tor network, the better it is for the Tor network.

With 100 Tor instances and 20G for Tor traffic, the daily repo delta gives me 
almost zero ;-)
On the other hand, we are currently building a hidden service exchange. Damn, 
the Tor network is overloaded with DoS attacks, so I try to avoid any traffic.



Re: [tor-relays] Archive key from deb.torproject.org was renewed!

2024-07-25 Thread boldsuck
On Thursday, 25 July 2024 02:55:12 CEST boldsuck wrote:

> > QUESTION:
> > 
> > is there any one / way to tell whether my relays have the proper key
> > from any metrics / torproject admin / version showing up?
> 
> apt update gives an error message that the key has expired.
> 
> apt-key list
> /etc/apt/trusted.gpg.d/deb.torproject.org-keyring.gpg
> -----------------------------------------------------
> pub   rsa2048 2009-09-04 [SC] [expires: 2028-08-29]
>   A3C4 F0F9 79CA A22C DBA8  F512 EE8C BC9E 886D DD89
> uid   [ unknown] deb.torproject.org archive signing key
> sub   rsa2048 2009-09-04 [S] [expires: 2026-09-09]

Sorry,
above is the key that is installed by the package deb.torproject.org-keyring.

gpg --show-keys /usr/share/keyrings/tor-archive-keyring.gpg
shows you the one imported via wget.


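The question raised in this thread, whether a relay's keyring holds the proper key and whether that key has expired, can be answered by a script instead of by reading `apt-key list` by eye. The Python below is an added example, not code from the thread or from the Tor Project: it parses GnuPG's colon-separated output (`gpg --show-keys --with-colons --fixed-list-mode <keyring>`, the format documented in GnuPG's doc/DETAILS), looks for the fingerprint A3C4 F0F9 79CA A22C DBA8 F512 EE8C BC9E 886D DD89 quoted in the thread, and reports the days left until expiry. The embedded sample output is constructed to match the dates quoted in the thread; its subkey id and uid hash are made up, and the two keyring paths are the ones named in the thread.

```python
#!/usr/bin/env python3
"""Check that an APT keyring holds the expected signing key and report its expiry.

Added example (not from the tor-relays thread): parses GnuPG's machine-readable
colon output and classifies the keyring as ok / expires-soon / expired / missing.
"""
import datetime as dt
import os
import shutil
import subprocess

# Fingerprint of the deb.torproject.org archive signing key as quoted in the thread.
TOR_ARCHIVE_FPR = "A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89"

# Keyring files named in the thread.
KEYRINGS = [
    "/usr/share/keyrings/tor-archive-keyring.gpg",
    "/usr/share/keyrings/deb.torproject.org-keyring.gpg",
]

# Constructed sample of `gpg --show-keys --with-colons --fixed-list-mode` output.
# Fields 6/7 of 'pub'/'sub' are creation/expiry in seconds since the epoch; these
# values match the thread (created 2009-09-04, primary expires 2028-08-29, signing
# subkey expires 2026-09-09). Subkey id and uid hash are made up.
SAMPLE_COLON_OUTPUT = """\
pub:-:2048:1:EE8CBC9E886DDD89:1252022400:1851120000::-:::scSC::::::23::0:
fpr:::::::::A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89:
uid:-::::1252022400::0000000000000000000000000000000000000000::deb.torproject.org archive signing key::::::::::0:
sub:-:2048:1:0000000000000000:1252022400:1788912000:::::s::::::23:
fpr:::::::::0000000000000000000000000000000000000000:
"""


def parse_colon_keys(text):
    """Return one {"fpr", "expires"} dict per primary key ('pub' record).

    The 'pub' record carries the expiry in field 7 (empty = never expires); the
    'fpr' record right after it carries the full fingerprint in field 10. The
    'fpr' records that follow 'sub' records belong to subkeys and are skipped.
    """
    keys, want_fpr = [], False
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            exp = f[6]
            expires = dt.datetime.fromtimestamp(int(exp), tz=dt.timezone.utc).date() if exp else None
            keys.append({"fpr": None, "expires": expires})
            want_fpr = True
        elif f[0] == "fpr" and want_fpr:
            keys[-1]["fpr"] = f[9].upper()
            want_fpr = False
        elif f[0] == "sub":
            want_fpr = False
    return keys


def check_key(keys, expected_fpr, today, warn_days=30):
    """Return (status, days_left) for the key with expected_fpr.

    status is 'missing', 'expired', 'expires-soon' or 'ok'; days_left is None when
    the key is missing or never expires. today may be a date or an ISO date string.
    """
    if isinstance(today, str):
        today = dt.date.fromisoformat(today)
    expected = expected_fpr.replace(" ", "").upper()
    match = next((k for k in keys if k["fpr"] == expected), None)
    if match is None:
        return "missing", None
    if match["expires"] is None:
        return "ok", None
    days_left = (match["expires"] - today).days
    if days_left < 0:
        return "expired", days_left
    if days_left <= warn_days:
        return "expires-soon", days_left
    return "ok", days_left


def show_keys(path):
    """Run gpg on a keyring file and return its colon output (needs gpg installed)."""
    out = subprocess.run(
        ["gpg", "--show-keys", "--with-colons", "--fixed-list-mode", path],
        capture_output=True, text=True, check=True,
    )
    return out.stdout


if __name__ == "__main__":
    today = dt.date.today()
    if shutil.which("gpg") is None:
        # No gpg on this machine: demonstrate on the constructed sample instead.
        print("sample keyring:", check_key(parse_colon_keys(SAMPLE_COLON_OUTPUT), TOR_ARCHIVE_FPR, today))
    else:
        for path in KEYRINGS:
            if not os.path.exists(path):
                print(f"{path}: not present")
                continue
            status, days = check_key(parse_colon_keys(show_keys(path)), TOR_ARCHIVE_FPR, today)
            print(f"{path}: {status}", f"({days} days left)" if days is not None else "")
```

Run it as root or as any user that can read the keyring files; the check only reads and never modifies the keyrings, so it is safe to schedule from cron and alert on anything other than `ok`.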

Re: [tor-relays] Archive key from deb.torproject.org was renewed!

2024-07-24 Thread boldsuck
On Thursday, 25 July 2024 01:29:41 CEST you wrote:

> What was the previous key for reminder?
The same ;-)

> This looks like exactly the one I installed BEFORE all your messages
> mentioning the requirement to update... manually.

Of course, it is the same key as before. When creating PGP keys, an expiration 
date is defined by default. The Repo PGP key is always valid for 2 years and 
the expiry date has been extended for the next 2 years.

> I have a problem in that I like to remove ssh before I leave my
> installations, to be conscious.

What do you mean exactly? 'exit', and you are logged out.

> I would have to re-install yet I am pretty sure my key was also 89-ending.
> 
> QUESTION:
> 
> is there any one / way to tell whether my relays have the proper key
> from any metrics / torproject admin / version showing up?

apt update gives an error message that the key has expired.

apt-key list
/etc/apt/trusted.gpg.d/deb.torproject.org-keyring.gpg
-----------------------------------------------------
pub   rsa2048 2009-09-04 [SC] [expires: 2028-08-29]
  A3C4 F0F9 79CA A22C DBA8  F512 EE8C BC9E 886D DD89
uid   [ unknown] deb.torproject.org archive signing key
sub   rsa2048 2009-09-04 [S] [expires: 2026-09-09]



[tor-relays] OT: Tor Control Protokoll ADD_ONION

2024-07-24 Thread boldsuck
Hi,

In the control-spec
https://spec.torproject.org/control-spec/commands.html#add_onion
or
https://github.com/torproject/torspec/blob/main/control-spec.txt#L1777

The ADD_ONION 'Flag' include Hidden Service options: 
MaxStreamsCloseCircuit and MaxStreams, among others.

We also want to use the PoWDefenses and IntroDoSDefense parameters. Is the 
control-spec outdated or is it not possible to set these parameters via Flag?




[tor-relays] OT: Tor-Metrics for Hidden Services

2024-07-24 Thread boldsuck
Does anyone know where I can find information about the MetricsPort output?

In particular, the hs introduction point and rendezvous point circ build time 
buckets.
What do the numbers le="1000.00" - le="6000.00" represent?

suggested-effort value: Do I understand correctly that the value goes from 
0-1000?
https://spec.torproject.org/hspow-spec/common-protocol.html#client-limits

# HELP tor_hs_intro_circ_build_time The introduction circuit build time in milliseconds
# TYPE tor_hs_intro_circ_build_time histogram
tor_hs_intro_circ_build_time_bucket{onion="somerandomonionaddress",le="1000.00"} 128
tor_hs_intro_circ_build_time_bucket{onion="somerandomonionaddress",le="5000.00"} 205
tor_hs_intro_circ_build_time_bucket{onion="somerandomonionaddress",le="1.00"} 205
tor_hs_intro_circ_build_time_bucket{onion="somerandomonionaddress",le="3.00"} 205
tor_hs_intro_circ_build_time_bucket{onion="somerandomonionaddress",le="6.00"} 205
tor_hs_intro_circ_build_time_bucket{onion="somerandomonionaddress",le="+Inf"} 205
tor_hs_intro_circ_build_time_sum{onion="somerandomonionaddress"} 210297
tor_hs_intro_circ_build_time_count{onion="somerandomonionaddress"} 205

# HELP tor_hs_rend_circ_build_time The rendezvous circuit build time in milliseconds
# TYPE tor_hs_rend_circ_build_time histogram
tor_hs_rend_circ_build_time_bucket{onion="somerandomonionaddress",le="1000.00"} 14275
tor_hs_rend_circ_build_time_bucket{onion="somerandomonionaddress",le="5000.00"} 24060
tor_hs_rend_circ_build_time_bucket{onion="somerandomonionaddress",le="1.00"} 24095
tor_hs_rend_circ_build_time_bucket{onion="somerandomonionaddress",le="3.00"} 24096
tor_hs_rend_circ_build_time_bucket{onion="somerandomonionaddress",le="6.00"} 24096
tor_hs_rend_circ_build_time_bucket{onion="somerandomonionaddress",le="+Inf"} 24096
tor_hs_rend_circ_build_time_sum{onion="somerandomonionaddress"} 25308501
tor_hs_rend_circ_build_time_count{onion="somerandomonionaddress"} 24096

# HELP tor_hs_pow_suggested_effort Suggested effort for requests with a proof 
of work client puzzle
# TYPE tor_hs_pow_suggested_effort gauge
tor_hs_pow_suggested_effort{onion="somerandomonionaddress"} 1


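The `le` labels in the histogram above are cumulative upper bounds in the Prometheus text format: each `_bucket` sample counts every circuit whose build time was less than or equal to `le` milliseconds, so the difference between neighbouring buckets is the number of circuits in that range, and `_sum` divided by `_count` is the mean build time. The Python below is an added example, not part of the post or of Tor: it parses Prometheus histograms and performs exactly that conversion. Its sample input is constructed from the counts in the post; the bucket bounds above 5000 ms are assumed, because the archive rendering of the post garbled them.

```python
#!/usr/bin/env python3
"""Decode Prometheus histograms as exported on Tor's MetricsPort.

Added example (not from the tor-relays post): turns cumulative `le` buckets into
per-range counts and computes the mean from _sum/_count.
"""
import re

# Constructed sample in Prometheus text format. Counts are those in the post;
# the bucket bounds above 5000 ms are assumed (the post's rendering garbled them).
SAMPLE_METRICS = """\
# HELP tor_hs_intro_circ_build_time The introduction circuit build time in milliseconds
# TYPE tor_hs_intro_circ_build_time histogram
tor_hs_intro_circ_build_time_bucket{onion="somerandomonionaddress",le="1000.00"} 128
tor_hs_intro_circ_build_time_bucket{onion="somerandomonionaddress",le="5000.00"} 205
tor_hs_intro_circ_build_time_bucket{onion="somerandomonionaddress",le="10000.00"} 205
tor_hs_intro_circ_build_time_bucket{onion="somerandomonionaddress",le="30000.00"} 205
tor_hs_intro_circ_build_time_bucket{onion="somerandomonionaddress",le="60000.00"} 205
tor_hs_intro_circ_build_time_bucket{onion="somerandomonionaddress",le="+Inf"} 205
tor_hs_intro_circ_build_time_sum{onion="somerandomonionaddress"} 210297
tor_hs_intro_circ_build_time_count{onion="somerandomonionaddress"} 205
# HELP tor_hs_rend_circ_build_time The rendezvous circuit build time in milliseconds
# TYPE tor_hs_rend_circ_build_time histogram
tor_hs_rend_circ_build_time_bucket{onion="somerandomonionaddress",le="1000.00"} 14275
tor_hs_rend_circ_build_time_bucket{onion="somerandomonionaddress",le="5000.00"} 24060
tor_hs_rend_circ_build_time_bucket{onion="somerandomonionaddress",le="10000.00"} 24095
tor_hs_rend_circ_build_time_bucket{onion="somerandomonionaddress",le="30000.00"} 24096
tor_hs_rend_circ_build_time_bucket{onion="somerandomonionaddress",le="60000.00"} 24096
tor_hs_rend_circ_build_time_bucket{onion="somerandomonionaddress",le="+Inf"} 24096
tor_hs_rend_circ_build_time_sum{onion="somerandomonionaddress"} 25308501
tor_hs_rend_circ_build_time_count{onion="somerandomonionaddress"} 24096
"""

# One sample line: metric name, optional {labels}, whitespace, value.
_LINE = re.compile(r'^(?P<name>[A-Za-z_:][A-Za-z0-9_:]*)(?:\{(?P<labels>[^}]*)\})?\s+(?P<value>\S+)$')
_LABEL = re.compile(r'(\w+)="([^"]*)"')


def parse_histograms(text):
    """Group *_bucket / *_sum / *_count samples by their base metric name."""
    hists = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue            # HELP/TYPE comments and blank lines
        m = _LINE.match(line)
        if not m:
            continue
        name = m.group("name")
        labels = dict(_LABEL.findall(m.group("labels") or ""))
        value = float(m.group("value"))
        for suffix in ("_bucket", "_sum", "_count"):
            if name.endswith(suffix):
                h = hists.setdefault(name[: -len(suffix)], {"buckets": {}, "sum": 0.0, "count": 0})
                if suffix == "_bucket":
                    h["buckets"][float(labels["le"])] = value   # float("+Inf") -> inf
                elif suffix == "_sum":
                    h["sum"] = value
                else:
                    h["count"] = int(value)
                break
    return hists


def per_range_counts(hist):
    """Convert cumulative le buckets into (lower, upper, count) ranges.

    A bucket counts every observation <= le, so the observations that fall between
    two neighbouring bounds are the difference of the two cumulative counts.
    """
    ranges, lower, previous = [], 0.0, 0
    for upper in sorted(hist["buckets"]):
        cumulative = int(hist["buckets"][upper])
        ranges.append((lower, upper, cumulative - previous))
        lower, previous = upper, cumulative
    return ranges


def mean_ms(hist):
    """Mean observation: _sum / _count (0.0 when nothing was observed)."""
    return hist["sum"] / hist["count"] if hist["count"] else 0.0


def summarize(text):
    """Return {base_name: {"ranges": [...], "mean_ms": m}} for every histogram."""
    return {name: {"ranges": per_range_counts(h), "mean_ms": mean_ms(h)}
            for name, h in parse_histograms(text).items()}


if __name__ == "__main__":
    for name, s in summarize(SAMPLE_METRICS).items():
        print(f"{name}: mean {s['mean_ms']:.1f} ms over {sum(n for _, _, n in s['ranges'])} circuits")
        for lo, hi, n in s["ranges"]:
            print(f"  {lo:>8.0f} < t <= {hi:<8.0f} ms : {n}")
```

Reading the post's numbers through this conversion: 128 of the 205 introduction circuits were built in at most one second and the remaining 77 between one and five seconds, for a mean of roughly 1026 ms; the rendezvous side shows 35 circuits between 5 and 10 seconds and one above 10 seconds, which are the outliers worth watching when the onion service is under load.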

[tor-relays] Reapply exit policy on reload

2024-07-24 Thread boldsuck
Hi to all dear exit operators,

If you are interested in applying the exit policy on reload and not by 
restarting tor please note:

https://gitlab.torproject.org/tpo/core/tor/-/merge_requests/735#note_3051797
Quote David:
"Can you give us a sense of how many exit operators use this? If there is a 
large enough need for this, we can evaluate this for next release but it needs 
to be for more than 1 operator for such feature."

Related Issue:
https://gitlab.torproject.org/tpo/core/tor/-/issues/40676



Re: [tor-relays] Archive key from deb.torproject.org was renewed!

2024-07-21 Thread boldsuck
On Wednesday, 17 July 2024 18:43:46 CEST rhatto wrote:

> 2. Then configure sources.list, install apt-transport-https etc.

This is no longer necessary since several Debian releases:
apt-transport-https is just a dummy,
HTTPS has been moved to the apt package since version 1.5.
https://packages.debian.org/en/bookworm/apt-transport-https

> Afterwards, you won't have to manually update the key once a new version
> is available: it will be upgraded whenever a new
> deb.torproject.org-keyring package version is installed.

"The same procedure as every year, James!" ;-)

The repository key must be renewed manually every 2 years.
The rest is done by deb.torproject.org-keyring package




Re: [tor-relays] Archive key from deb.torproject.org was renewed!

2024-07-21 Thread boldsuck
On Tuesday, 16 July 2024 16:01:09 CEST Martin Gebhardt via tor-relays wrote:

> Since you are all tinkering with your servers anyway, why don't you try
> deb822-style ;-)

Because that doesn't make sense for public Tor nodes, but rather for .onion 
services.
Many ISPs and providers have a Debian and Tor mirror and I use them via 
clearnet because reliability for security updates is important to me.




Re: [tor-relays] bridges

2024-07-20 Thread boldsuck
On Thursday, 18 July 2024 07:40:27 CEST Earl M. Northern wrote:

Why are you posting bridge lines publicly?
The IPs are now burned. New IPs are expensive. :-(

Except for those that are public in the Tor browser, _never_ post bridgelines 
anywhere. Only share them via encrypted communication. (PGP, SimpleX Chat)



Re: [tor-relays] Archive key from deb.torproject.org was renewed!

2024-07-16 Thread boldsuck
On Tuesday, 16 July 2024 14:15:01 CEST Toralf Förster via tor-relays wrote:
> On 7/16/24 14:03, boldsuck wrote:
> > wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null
> Is the name important?
> 
> I'm asking b/c Ansible [1] seems to use "deb.torproject.org-keyring.gpg"
> as the file name.
> 
> 
> [1]
> https://github.com/toralf/tor-relays/blob/main/playbooks/roles/setup_tor/tasks/tor-debian.yaml#L4
> --
> Toralf

There are 2 keys. The key for the Repository must be added manually or per 
ansible playbook role.
tor-archive-keyring.gpg =
https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc

apt update && apt install tor deb.torproject.org-keyring

Package deb.torproject.org-keyring installs Release key in:
/etc/apt/trusted.gpg.d/deb.torproject.org-keyring.gpg
/usr/share/keyrings/deb.torproject.org-keyring.gpg


It could be that Peter has the "release key" and extended it.
And the FTP owner has the "repository key".



[tor-relays] Archive key from deb.torproject.org was renewed!

2024-07-16 Thread boldsuck
Hi @all,

The package deb.torproject.org-keyring did not update the key
tor-archive-keyring.gpg in /usr/share/keyrings/
only deb.torproject.org-keyring.gpg was updated.

I had to replace it by hand. Renewing your key is important,
otherwise you will not receive any Tor updates. One line:

wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null

More Info:
https://support.torproject.org/apt/tor-deb-repo/



Re: [tor-relays] DDOS alerts from my provider

2024-07-12 Thread boldsuck
On Friday, 12 July 2024 10:12:09 CEST Toralf Förster via tor-relays wrote:

> I prefer sysctl:

Me too, but sysctl needs root privileges.
On new systems I always generate an overview of all active settings:
sysctl -a > /home/user/sysctl.txt

And especially with used servers, before I start setting them up, save the 
output of skdump or smartctl.



Re: [tor-relays] Tor Metrics 'Running' flag is back for bridges who don't publish the OrPort

2024-07-11 Thread boldsuck
On Monday, 8 July 2024 16:49:04 CEST Hiro wrote:
> I do not want to declare victory too soon, but I think this issue should
> be resolved. There was a configuration option hidden in collector that
> was making it process bridgestrap tests every 8 hours. I have now
> changed it to every hour.

This has been looking damn good for 4 days :-)
https://metrics.torproject.org/rs.html#search/ForPrivacyNETbr
Flags, Uptime and green dot is OK

By the way:
I saw that everything is being prepared to shut down bridgedb and migrate 
everything to rdsys.



Re: [tor-relays] DDOS alerts from my provider

2024-07-11 Thread boldsuck
On Wednesday, 10 July 2024 18:34:26 CEST Toralf Förster via tor-relays wrote:

> > https://www.petsymposium.org/foci/2024/foci-2024-0014.php
Very interesting, thanks.

> After reading that paper I do wonder if a firewall rule would work which
> drops network packets with destination to the ORport if those packets
> are shorter than a given length?

The idea is not bad. But can you simply discard every ≤ 50-byte packet?

I drop fragments and uncommon TCP MSS values.
ip frag-off & 0x1fff != 0 counter drop
tcp flags syn tcp option maxseg size 1-536 counter drop


By the way, I actually wanted to write it as a Github issue.
You have to adjust your Dir-auth IPs in iptables.
IP of dizum has changed and faravahar is back ;-)



Re: [tor-relays] DDOS alerts from my provider

2024-07-11 Thread boldsuck
On Thursday, 11 July 2024 09:38:34 CEST Scott Bennett via tor-relays wrote:

> My understanding is that LINUX systems do not have pf, but rather have
> a less flexible filter called iptables.  Whether iptables or any other
> packet filter that may be available on LINUX systems has synproxy or a
> similar feature I do not know

Not as nice as in *BSD's pf but a bit easier in nftables than in iptables.
Can be activated in prerouting:
https://wiki.nftables.org/wiki-nftables/index.php/Synproxy

tcp syncookies & timestamps have been enabled by default for years,
you can check it:
cat /proc/sys/net/ipv4/tcp_syncookies
cat /proc/sys/net/ipv4/tcp_timestamps

In general, you should be careful with sysctl kernel parameters. If you do 
change them, only change individual settings and read and understand what they 
mean. If so, it is always good to look specifically for your network driver and 
DoS. With a 1G network connection, there is little to improve. In the 
cloudflare blog you will find a lot of in-depth expert knowledge about DoS.



Re: [tor-relays] DDOS alerts from my provider

2024-07-09 Thread boldsuck
On Tuesday, 9 July 2024 14:04:49 CEST Rafo (r4fo.com) via tor-relays wrote:
> More specifically, I’m running a middle relay on Debian 12   

Here again the GitHubs of toralf & Enkidu from the above-mentioned forum link. 
They have iptables:
https://github.com/toralf/torutils
https://github.com/Enkidu-6/tor-ddos

I just do it with nftables.
https://github.com/boldsuck/tor-relay-bootstrap/blob/nft/etc/nftables.conf_ddos

Be sure to adjust the SSH IP sets otherwise you will log out!
I have all Dyn-IP subnets from the providers from which I connect via SSH.
You can search for example on: https://bgp.tools/ or https://bgpview.io

Apart from SSH, only Tor is running and I don't have a 'table inet filter'.
If you need them, they are also on my Github.



Re: [tor-relays] Seeking Advice on Running Multiple Tor Relays or A Bridge

2024-07-06 Thread boldsuck
On Saturday, 6 July 2024 20:34:37 CEST Alessandro Greco via tor-relays wrote:

> I have some experience running a Tor relay, and I am now interested in
> setting up another one. I plan to do this using my home internet
> connection, which is an FTTH line with bandwidth up to 2 Gbps. I have read
> that it is possible to run multiple relays on the same node, but I am
> unsure how to configure this.

The most important steps from "man tor-instance-create" 

systemctl stop tor <- if already running

tor-instance-create 00
tor-instance-create 01
systemctl enable tor@00
systemctl enable tor@01
systemctl mask tor@default
systemctl daemon-reload

Configure torrc in /etc/tor/instances/* and then start individually
or all together:
systemctl start tor

> Additionally, I am curious about what would
> be most beneficial for the Tor network today: a highly resilient bridge or
> multiple relays managed from the same node?

If you set up a relay with residential IP, it would be very good if you set 
up a bridge specifically for Turkmenistan first.
Use this torrc-example from Gus:
https://forum.torproject.org/t/tor-relays-help-turkmens-to-bypass-internet-censorship-run-an-obfs4-bridge/7002/8#torrc-example-6

Mail your bridge line to: frontd...@torproject.org 
Unfortunately, this bridge is usually discovered after a few weeks and then 
you can reconfigure it. (Relay or bridge) Please note Gary's post!

If your provider already has a Tor tag in the BGP database like mine, then 
most likely the entire AS of Turkmenistan is blocked. :-(
https://bgp.tools/as/8422




Re: [tor-relays] Tor non-exit list

2024-06-20 Thread boldsuck
On Thursday, 20 June 2024 02:00:18 CEST t...@nullvoid.me wrote:

> I do not think that asking to remove the complete non-exit list to be 
> valuable to the security of the global internet.

However, this non-exit list should not be activated automatically or with 
one-click. There is no reason to block non-exit relays.

> While it is correct that sysadmins should maybe not block traffic just 
> because it's a relay. There is many use cases where they should, most 
> corporation end users do not need access to the Tor network daily, and 
> many ransomware or other malware c2 servers leverage .onion services. By 
> blocking Tor across the network it's a simple way to disarm the malware 
> or prevent data loss to nefarious actors.

Ransomware links are usually opened from emails and Tor is not running on 
company computers. Users cannot install anything either. How are they supposed 
to reach the hidden services?

Users can bypass this blocklist with bridges from their private devices. There 
are private things that are none of the sysadmins' business and for this some 
users use Tor or VPN.

> Secondly, running multiple services from your Tor relay is generally 
> considered bad advice if I understand correctly. Especially critical 
> infrastructure such as mirrors of popular packages. Tor relays should be 
> dedicated hosts with minimal attack surface, we know they are attacked, 
> monitored, and generally attract extra attention. Due to this other 
> services you host on the same server are now at risk of extra 
> surveillance or malicious attacks.

You are right that a dedicated IP for a Tor relay would be better.
On the other hand, we want more relays at universities.

Many users cannot reach the mirror Halifax = ftp2.de.debian.org

We should perhaps consider at the relay meeting on Saturday whether several 
relay operators or the Tor Project could write to dan.me.uk. He shouldn't make 
it so easy to activate the non-exit list. For example, UniFi devices are often 
installed by inexperienced admins. They simply click on all the block lists 
without knowing what they are.




Re: [tor-relays] Relay usage dropped 9x when enabling UFW. What UFW rules do other relay operators enact?

2024-06-19 Thread boldsuck
On Tuesday, 18 June 2024 18:53:07 CEST admin--- via tor-relays wrote:

I have never used a frontend for IP/nftables. I have no idea what the scripts 
produce and whether they are correct.
The beauty of UNIX/Linux are the human-readable config text files that you can 
comment on as you wish.

> Here are my tor-related UFW rules;
>  To Action  From
>  -- --  
> [ 3] 9001   ALLOW INAnywhere
> [11] 9001 (v6)  ALLOW INAnywhere (v6)
> 
> I'm really confused how UFW firewalled most, but not all, of my relays
> traffic. What UFW rules do other relay operators enact?
Maybe you could post your entire FW ruleset. (Use pastebin)

First, no output filters: :OUTPUT ACCEPT

Here are default IP/nftables rules for Tor relays:
https://github.com/boldsuck/tor-relay-bootstrap/tree/master/etc/iptables
https://github.com/boldsuck/tor-relay-bootstrap/blob/master/etc/nftables.conf

Here are my current nftables on my Frantech Exits:
https://paste.systemli.org/?052a70208b22aebe#4b8qoJU9MrPgopfhm9HPxARTwXmWVkwBP5XrVFMKqfgD

You don't need to set up dynamic DDoS policies there. Francisco already does 
that on his Junipers.



Re: [tor-relays] Relay migration

2024-06-17 Thread boldsuck
Hi Eldalië

> My public key is attached. Please, use it and provide me yours!

Your GPG expired on 01/01/2024 ;-)



Re: [tor-relays] Relay migration

2024-06-17 Thread boldsuck
On Friday, 14 June 2024 21:08:14 CEST Eldalië via tor-relays wrote:

> But it will run on the same hardware and software.
Do you have your own server in colocation?

> I don't mind about the Guard flag, the relay seldom had it because the
> connection was not very stable (had the flag every now and then for maybe 2
> month in total spanning >2 years). But does using the same keys after a long
> downtime cause significantly worse performance (meaning being underused)
> than going through all the lifecycle of a new relay [1] with new keys?
> 

Without guard or exit flags it doesn't matter at all.
So I have repeatedly moved relays from data center A to B and then to C. The 
DirAuth or Bw Scanner notices that your IP and bandwidth have changed and 
re-measures your relay. If your relay has enough bandwidth at the new location 
and is running stable, you will usually get a guard flag on day 15.

With your keys you also keep the fingerprint, which saves you work if you have 
a relay family. With new keys all relays and possibly the config for
OrNetStats must be adjusted.




Re: [tor-relays] Directory authorities not giving weight to a relay

2024-06-03 Thread boldsuck
On Monday, 3 June 2024 09:20:38 CEST Frank Lý via tor-relays wrote:
> MDCLOUD LTD (AS203394) does not exist on the Good Bad ISPs list.

But it's the only one so far in AS203394 and runs with FreeBSD, both of which 
are great. I think your relay runs in Ukraine.
https://bgp.he.net/AS203394#_prefixes

> In
> addition, the contact information provided in the `torrc` does not match
> the email address you used to participate in the `tor-relays` mailing list.

The email address in the relay list is completely irrelevant. Mine is also 
different on the list, the relays and in the forum.

> > Almost three months ago I have set up my first node. Everything seemed to
> > be going great at first and as documented in the tor lifecycle blog post.
> > A few days after being set up the weight drastically dropped to around
> > twenty. This seemed a bit odd since that same blog post doesn't mention
> > anything about weight dropping so much, but it does about bandwidth, so I
> > just shrugged it off and assumed it was normal.

Consensus weight is based on bandwidth observed by the relay and bandwidth 
measured by the directory & bw authorities.
Your observed bandwidth is currently ~500 KiB/s, which is very little 
especially for a relay in the data center.
If you do not have truly unlimited bandwidth from your provider, your 
bandwidth may be throttled. Or in a KVM|Cloud, the node is oversold.

> > Anyway, fast forward to today, and the weight hasn't really gotten above
> > two hundred, it has been a month and a half I think since the weight
> > drop, and it has been stale at a weight of between one hundred eighty and
> > two hundred.
>
> > I can't put my finger on what is exactly the problem, the relay currently
> > has six flags: Fast, HSDir, Running, Stable, V2Dir and Valid. Shortly
> > after the drop I have even seen the Guard flag for like a day. The server
> > has capacity and is dedicated solely to being a relay, and the ISP is in
> > the good providers list.

I would first look at the provider's ToS. It often says something about fair 
usage policies vs. unlimited bandwidth and unlimited traffic. Sometimes only 
inbound or outbound is unlimited.
Then I would install vnstatd or nload and measure the traffic for one to two 
months. It could be that the bw auths are not measuring properly at the moment 
because they are under DDoS.




Re: [tor-relays] Updating tor issue

2024-05-09 Thread boldsuck
On Thursday, 9 May 2024 04:30:49 CEST Keifer Bly wrote:
> Doing it via this guide here:
> 
> https://phoenixnap.com/kb/upgrade-debian-10-to-11
> 
> What other changes need to be made? Thanks.
> --Keifer

Be careful, you can only ever upgrade to the next version!
From Debian 9 to 11 doesn't work. You have to do 2 upgrades.
From 9 to 10 first and later from 10 to 11.
You also cannot upgrade Windows 7 to Win 11 directly.

This is very time-consuming, hence the recommendation to reinstall.

No matter what you do, I would back up the tor config and the tor keys first.

Important: (apt-key is deprecated) How the tor repo is added has changed.
https://support.torproject.org/apt/

Again as a recommendation: Take the official Debian documentation and not any 
random guides from the Internet. Here are the links again. The documentation is 
translated into many languages. Chapters 2 and 4 are important.
Your architecture is: 64-Bit-PC (AMD64)  

https://www.debian.org/releases/bullseye/releasenotes
https://www.debian.org/releases/bookworm//releasenotes

Your relay is running Tor 0.4.8.11 on Linux
That means you have time to read and ask questions.


I'm out of here for now.
I have enormous personal and legal problems because of the exits that I have 
to take care of.

> On Wed, May 8, 2024 at 10:46 AM Keifer Bly  wrote:
> > Ok. So the vps I have is command line only, is there a way to update to
> > debian 11 via the command line? Thanks.
> > 
> > --Keifer
> > 
> > On Wed, May 8, 2024, 1:22 AM Bauruine  wrote:
> >> Sorry I meant reinstall it with Bookworm of course. You can backup and
> >> restore your keys if you like so you are not losing your relay's history.
> >> There is some documentation at
> >> https://community.torproject.org/relay/setup/post-install/ "Backup Tor
> >> Identity Keys"
> >> On 08.05.24 10:16, Bauruine wrote:
> >> 
> >> What they told you, maybe a bit harsh, is that you are using a very old
> >> Debian version that will soon be end of life and won't get updates
> >> anymore.
> >> apt-get upgrade doesn't upgrade to new releases, you have to do it
> >> "manually". Think like a Windows 7 to Windows 10 upgrade which also
> >> doesn't happen with the normal Windows updates. You can either upgrade
> >> from your current version Buster (10) --> Bullseye (11) --> Bookworm (12)
> >> or just reinstall it with Bullseye and configure it again.
> >> 
> >> Bauruine
> >> On 07.05.24 19:50, Keifer Bly wrote:
> >> 
> >> Right? Why comment if you're just going to be such a jerk and not be
> >> helpful?
> >> 
> >> I am just unable to figure out why this would suddenly happen when the
> >> relay has been updating without issue; I have been keeping Debian up to
> >> date using apt-get update, so I am wondering what else needs to be done?
> >> Thanks.
> >> --Keifer
> >> 
> >> 
> >> On Mon, May 6, 2024 at 4:12 PM Micah Elizabeth Scott wrote:
> >>> On 5/6/24 3:19 PM, li...@for-privacy.net wrote:
> >>> > Did you even only read 2 sentences from the link?
> >>> 
> >>> Can we stop just accepting behavior like this on the tor community's
> >>> mailing lists?
> >>> 
> >>> Seriously, it makes us all look bad.
> >>> 
> >>> I'm sorry folks have to endure so much just to use a computer program
> >>> that's intended to be humane and helpful.
> >>> 
> >>> --beth
> >>> ___
> >>> tor-relays mailing list
> >>> tor-relays@lists.torproject.org
> >>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


-- 
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!

signature.asc
Description: This is a digitally signed message part.
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
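Added example, not a script from this thread or from the Tor Project: a POSIX shell backup of the torrc and the identity keys, which is the step recommended above before a release upgrade. It assumes Debian's default locations /etc/tor/torrc and /var/lib/tor/keys and the key file names tor writes there (secret_id_key and ed25519_master_id_secret_key); all paths are parameters, and a constructed scratch tree is included so the backup can be dry-run without touching a real relay.

```shell
#!/bin/sh
# Added example, not a script from this thread or from the Tor Project:
# snapshot a relay's torrc and identity keys before a Debian release upgrade,
# then verify the archive. Assumes Debian's /etc/tor/torrc and
# /var/lib/tor/keys; both are parameters so it can be dry-run on a scratch tree.
set -eu

# backup_tor_identity TORRC KEYDIR OUTFILE
# Packs the torrc and the whole keys directory into a gzip tarball (paths
# relative to /), restricts its mode, and verifies the expected entries.
backup_tor_identity() {
    torrc="$1"; keydir="$2"; out="$3"
    [ -f "$torrc" ] || { echo "missing torrc: $torrc" >&2; return 1; }
    [ -d "$keydir" ] || { echo "missing key dir: $keydir" >&2; return 1; }
    tar -czf "$out" -C / "${torrc#/}" "${keydir#/}"
    chmod 600 "$out"      # the archive holds the secret identity keys
    verify_backup "$out" "$torrc" "$keydir"
}

# verify_backup OUTFILE TORRC KEYDIR
# Confirms the archive lists the torrc and the two long-term identity keys
# (the file names tor uses: RSA secret_id_key and ed25519_master_id_secret_key).
verify_backup() {
    out="$1"; torrc="$2"; keydir="$3"
    listing=$(tar -tzf "$out")
    for want in "${torrc#/}" \
                "${keydir#/}/secret_id_key" \
                "${keydir#/}/ed25519_master_id_secret_key"; do
        printf '%s\n' "$listing" | grep -qxF -- "$want" \
            || { echo "not in archive: $want" >&2; return 1; }
    done
    return 0
}

# make_scratch_relay DIR
# Constructed stand-in for a relay install (dummy key contents), used to
# exercise the backup without touching a real /etc/tor or /var/lib/tor.
make_scratch_relay() {
    mkdir -p "$1/etc/tor" "$1/var/lib/tor/keys"
    printf 'ORPort 9001\nNickname ScratchRelay\n' > "$1/etc/tor/torrc"
    printf 'dummy\n' > "$1/var/lib/tor/keys/secret_id_key"
    printf 'dummy\n' > "$1/var/lib/tor/keys/ed25519_master_id_secret_key"
}

# Dry run against a scratch tree:
#   d=$(mktemp -d); make_scratch_relay "$d"
#   backup_tor_identity "$d/etc/tor/torrc" "$d/var/lib/tor/keys" "$d/tor-id.tgz"
```

On a real relay run it as root (the keys directory is readable only by the tor user) and move the tarball off the machine before starting the upgrade; the short-lived certificates in the keys directory are regenerated by tor, but the two long-term identity keys are what keep the relay's fingerprint and history.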


Re: [tor-relays] I need a new VPS provider

2024-04-22 Thread boldsuck
On Monday, 22 April 2024 03:02:21 CEST Landon wrote:

> So, I am trying to find a Tor friendly VPS provider that offers 1 Gbps
> unmetered bandwidth. I found my current provider in an article describing
> Tor friendly providers, but I cannot locate that link.

You can find cheap hosters on LowEndTalk or LowEndBox and suitable ASNs here:
https://nusenu.github.io/OrNetStats/#autonomous-systems-by-cw-fraction
Sort by #Relays.
There are over 500 ASNs where there are currently only 1-3 Tor relays.




Re: [tor-relays] I need a new VPS provider

2024-04-22 Thread boldsuck
On Monday, 22 April 2024 14:18:58 CEST torrelay.9puwh--- via tor-relays wrote:

> I can strongly recommend BuyVM.net as a good alternative.

No, that's bullshit. It has been mentioned several times on this list that 
Frantech is one of the providers to avoid:
https://community.torproject.org/relay/community-resources/good-bad-isps/

Especially for a bridge. The admins of the oppressive regimes are not stupid. 
Frantech/BuyVM has been known as a Tor provider for many many years. I'm 
pretty sure that Francisco's entire IP space is blacklisted.

Find a provider where there are few Tor nodes. See SirNeo's list on LET:
https://lowendtalk.com/discussion/185210/tor-relay-bridge
or
https://lowendtalk.com/discussion/186269/cheap-hosters-that-allow-tor-exit-node



Re: [tor-relays] User advisory to check for xz-utils backdoor

2024-04-02 Thread boldsuck via tor-relays
On Friday, 29 March 2024 19:39:05 CET pasture_clubbed242--- via tor-relays wrote:

> 
> The near-universally used 'xz' compression library has been found to contain
> a backdoor in certain code branches. This backdoor has made it into some
> systems such as Debian Sid.
> 
> Details regarding this backdoor are available here.
> https://www.openwall.com/lists/oss-security/2024/03/29/4

Pretty unlikely that anyone uses testing or sid for production servers.




Re: [tor-relays] bridges for Lox

2024-02-27 Thread boldsuck
On Tuesday, 27 February 2024 20:09:17 CET s7r wrote:

> Is there anything needed to do with previous setups that use obfs4proxy 
> from it's default previous repository? Or just the name has been changed 
> and everything is backward compatible?

For us on Debian, this will only change with the next release "trixie".
Then we may have to change configs or a post-install script will adjust default 
installations. This will probably be in the release notes.

# Use lyrebird to provide the obfs4 protocol.
ServerTransportPlugin obfs4 exec /usr/local/bin/lyrebird

It will take a few more years. Gentoo & FreeBSD port devs and users are years 
ahead ;-)



Re: [tor-relays] bridges for Lox

2024-02-27 Thread boldsuck
On Tuesday, 27 February 2024 17:03:22 CET Toralf Förster via tor-relays wrote:

> ServerTransportPlugin obfs4 exec /usr/bin/lyrebird

Ooh, obfs4proxy is renamed to Lyrebird?
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyrebird

> I did not specify the IPv6 port explicitly:
> Would it be needed?

¯\_(ツ)_/¯
https://gitlab.torproject.org/tpo/core/tor/-/issues/40885
It's probably unnecessary at the moment.



Re: [tor-relays] bridges for Lox

2024-02-27 Thread boldsuck
On Tuesday, 27 February 2024 14:52:00 CET Corl3ss via tor-relays wrote:
> On 26/02/2024 21:03, Toralf Förster via tor-relays wrote:
> > On 2/26/24 20:07, meskio wrote:
> >> At the moment we're
> >> looking for 10 new bridges for Lox.
> > 
> > 9 left
> 
> And one more added, so 8 left.
+1 = 7 left

Is a hidden ORPort OK for a Lox-based bridge?

ORPort 127.0.0.1:14255
ORPort [::1]:14255
AssumeReachable 1




Re: [tor-relays] Tor Relay Automatic PMTU Testing

2024-02-22 Thread boldsuck
On Thursday, 22 February 2024 08:03:54 CET pasture_clubbed242--- via tor-relays wrote:

> I believe there is a larger sized guard relay that has been having MTU
> issues for about a week.

You are welcome to post the fingerprint or IP of the relay with MTU issues.
Or write to him directly if he has a contact address in Tor Metrics.

If a relay operator has an error in the config, he would like to correct it.
It is quite possible that someone has a typo in ip-/nftables because of the
DDOS countermeasures.




Re: [tor-relays] VPS w/FDE suggestions?

2024-02-22 Thread boldsuck
On Wednesday, 21 February 2024 18:08:32 CET Bartosz Zieba wrote:
> > Don't know what FDE is, but at Frantech/BuyVM you can install everything
> > because you can upload your own ISO.
> 
> FDE means Full Disk Encryption.
> 
> Remember, running FDE in virtual environment we give access to
> encryption keys to admin of the host machine :)

Any admin can make a full backup of a 24/7/365 running KVM or cloud machine.
Regardless of whether it is encrypted or not. ;-)

Also with dedicated servers or in colocation:
Encrypting a Tor relay hd, especially exits, is NOT recommended!
In the event of a seizure, it could take months or years to get your server 
back.

We don't host files, we don't have logs. A Tor relay is a dumb router that 
forwards encrypted traffic. Other than the master identity keys, there is 
nothing interesting on a Tor relay. Therefore, use offline relay identity keys:
https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorRelaySecurity/OfflineKeys



Re: [tor-relays] VPS w/FDE suggestions?

2024-02-21 Thread boldsuck
On Wednesday, 21 February 2024 00:18:28 CET MRob via tor-relays wrote:

> Hello- I'm looking for <= $6/mo VPS suggestions for general non-tor
> server and also for tor. Some super-cheap hosts pre-install O/S and give
> root but I want to install O/S myself so can put in FDE. Hard to see
> which hosts can do this.

Don't know what FDE is, but at Frantech/BuyVM you can install everything
because you can upload your own ISO.

SirNeo made a good list:
https://lowendtalk.com/discussion/185210/tor-relay-bridge

Also:
https://lowendtalk.com/discussion/183226/looking-for-virtual-servers-for-10-tor-exit-nodes

Read first:
https://community.torproject.org/relay/technical-considerations/
AS/location diversity

Try to avoid the following hosters:
OVH SAS (AS16276)
Online S.a.s. (AS12876)
Hetzner Online GmbH (AS24940)
DigitalOcean, LLC (AS14061)




Re: [tor-relays] Tor is not upgrading via apt from deb.torproject.org

2024-02-15 Thread boldsuck
On Thursday, 15 February 2024 20:42:03 CET s7r wrote:

> My guess is that something changed with more recent releases of Debian 
> (Bullseye and Bookworm) because in previous Buster this was not 
> happening, even if it was the same version number in nightly, like 
> 4.8.0-alpha-dev; it would update if the same version was found but with a 
> newer timestamp.

Looks to me like it's the archive:

http://deb.torproject.org/torproject.org/dists/tor-nightly-main-bookworm/main/binary-amd64/Packages
Package: tor
Version: 0.4.9.0-alpha-dev-20230909T020422Z-1~d12.bookworm+1
Architecture: amd64

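Added example (my own, not from the thread or from the Tor Project): a shell check that reads an apt Packages index, pulls the build timestamp out of a nightly version string like the one quoted above, and reports whether the newest tor build predates a cutoff date. It assumes only the Packages stanza layout (blank-line separated "Field: value" records) and the timestamp format visible in the version on the page (20230909T020422Z); the sample index it ships with is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: detect a stale tor nightly index.
# Tor's nightly versions embed the build time, e.g.
# 0.4.9.0-alpha-dev-20230909T020422Z-1~d12.bookworm+1, so the age of the
# newest build can be read from the Packages file alone.
set -eu

# tor_versions_from_packages FILE
# Prints the Version: field of every "Package: tor" stanza in a Packages
# index (stanzas separated by blank lines, one "Field: value" per line).
tor_versions_from_packages() {
    awk '
        /^Package: /  { pkg = $2 }
        /^Version: /  { ver = $2 }
        /^$/          { if (pkg == "tor") print ver; pkg = ""; ver = "" }
        END           { if (pkg == "tor") print ver }
    ' "$1"
}

# nightly_build_date VERSION
# Extracts the YYYYMMDD part of the build timestamp; prints nothing and
# fails for versions without the nightly timestamp pattern.
nightly_build_date() {
    d=$(printf '%s\n' "$1" | sed -n 's/.*-\([0-9]\{8\}\)T[0-9]\{6\}Z-.*/\1/p')
    [ -n "$d" ] || return 1
    printf '%s\n' "$d"
}

# newest_tor_nightly_is_stale FILE CUTOFF_YYYYMMDD
# Returns 0 (stale) when the newest tor build in FILE predates CUTOFF,
# 1 when it is recent enough, 2 when FILE has no nightly tor stanza.
# Dates are compared as 8-digit integers, so no date(1) arithmetic is needed.
newest_tor_nightly_is_stale() {
    newest=""
    for v in $(tor_versions_from_packages "$1"); do
        d=$(nightly_build_date "$v") || continue
        if [ -z "$newest" ] || [ "$d" -gt "$newest" ]; then newest="$d"; fi
    done
    [ -n "$newest" ] || return 2
    [ "$newest" -lt "$2" ]
}

# Constructed sample index (two tor stanzas and one unrelated package),
# modelled on the version string quoted in the thread.
sample_packages_index() {
    cat <<'EOF'
Package: tor
Version: 0.4.9.0-alpha-dev-20230909T020422Z-1~d12.bookworm+1
Architecture: amd64

Package: tor-geoipdb
Version: 0.4.9.0-alpha-dev-20230909T020422Z-1~d12.bookworm+1
Architecture: all

Package: tor
Version: 0.4.9.0-alpha-dev-20230901T010000Z-1~d12.bookworm+1
Architecture: amd64
EOF
}

# Usage against the sample (replace the sample with a downloaded Packages file):
#   f=$(mktemp); sample_packages_index > "$f"
#   newest_tor_nightly_is_stale "$f" "$(date -u +%Y%m%d)" && echo "nightly index is stale"
```

Against the live index, fetch the Packages file with curl or apt-get's cached copy under /var/lib/apt/lists and pass today's date as the cutoff; a nightly index whose newest build is months old, as in the February 2024 observation above, is a sign that the archive, not the local apt, is what stopped moving.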


Re: [tor-relays] Way to be notified when relay goes offline?

2024-02-04 Thread boldsuck
On Saturday, 3 February 2024 19:10:39 CET Keifer Bly wrote:

> Is there a way to be notified when a relay goes offline?

You've asked that months before and the service is still the same ;-)

https://weather.torproject.org/login




Re: [tor-relays] Setting up HTML page for exit relay

2024-01-29 Thread boldsuck
On Monday, 29 January 2024 11:53:25 CET mail--- via tor-relays wrote:

> > If I want to serve an HTML page for my exit node do I need Apache2/nginx
> > or can I just modify my torrc?

I use the simple conf in torrc:

DirPort ser.ver.IP.v4:80
DirPortFrontPage /etc/tor/tor-exit-notice.html

Many relay admins use nginx; Apache is overkill for that.

> And a sample HTML page can be found here:
> https://gitlab.torproject.org/tpo/core/tor/-/raw/HEAD/contrib/operator-tool
> s/tor-exit-notice.html.

We also have international (FR, DE, US) ones here:
https://github.com/chgans/tor-exit-notice

PRs for other countries are welcome ;-)




Re: [tor-relays] A new kind of attack?

2024-01-18 Thread boldsuck
On Thursday, 18 January 2024 19:37:22 CET eff_03675...@posteo.se wrote:

> I just received a DDOS attack on a pretty settled exit relay.

Surgeprotector is very helpful for exits:
https://github.com/artikel10/surgeprotector

Tor-nightly 0.4.9.0-alpha-dev fixed
https://gitlab.torproject.org/tpo/core/tor/-/issues/40676

by trinity
https://gitlab.torproject.org/tpo/core/tor/-/merge_requests/735

ReevaluateExitPolicy 1




Re: [tor-relays] Relay in Japan being marked as a US relay?

2024-01-18 Thread boldsuck
On Thursday, 18 January 2024 23:52:00 CET Jag Talon wrote:
> Bug has been filed here for anyone following the thread: 
> https://bugzilla.ipfire.org/show_bug.cgi?id=13541

It's best to ask the provider for their geofeed and mention it in the bug 
report. Then all subnets in this AS will be corrected.

https://bugzilla.ipfire.org/show_bug.cgi?id=12774




Re: [tor-relays] obfs4 bridge current setup is not entirely clear

2023-11-08 Thread boldsuck
On Wednesday, 8 November 2023 20:35:56 CET s7r wrote:
> boldsuck wrote:
> 
> > 
> > Not recommended, but rather a request to try it out.
> > 
> 
> 
> So I tried, and besides the log messages that I have a descriptor 
> mismatch I also get the status of my bridge as not running when ORPort 
> is not exposed. The minute I switched ORPort to `localhost` the BridgeDB 
> reported the bridge as not running, regardless it was actually running 
> with the pluggable transport port open.
> 

That is unfortunately the case. I checked whether they are online at:
https://bridges.torproject.org/status?id=[hashed_identity_key]
On Tor metrics you can also see that the history continues.

> > Some info in the old thread
> > https://lists.torproject.org/pipermail/tor-relays/2023-August/021259.html
> > 
> > Relevant tiket from meskio:
> > https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/129
> > 
> 
> 
> Thank you, yes.
> But unfortunately I think we are going to need a proposal for this, to 
> document various use cases and maybe clone the code that does the ORPort 
> reachability check to do pluggable transport port reachability test, 
> then build descriptor and then publish, but this needs ORPort like 
> behavior like NoListen, etc.
> 
That'd be good.

> > I've gradually reconfigured _all_ bridges over the last 2 months:
> > The number of connections/users has stayed pretty much the same.
> > For bridges with the setting "BridgeDistribution any", the distribution
> > method has not changed.
> > 
> > The ORPort must be forwarded or not firewalled, otherwise the status will
> > be dysfunctional on https://bridges.torproject.org/status
> > 
> 
> I don't care to use BridgeDistribution param, I let BridgeDB decide this 
> randomly

Me too. "BridgeDistribution any" is Tor's default setting.

> but configured without public open ORPort I don't get the 
> running flag, I get that bridge is down, while it's not actually.
> 
> 
> >> So what is the best way to for an user to open both IPv4 and IPv6
> >> pluggable transport ports?
> > 
> > 
> > The ServerTransportListenAddr line is dual stack friendly.
> > ServerTransportListenAddr obfs4 [::]:8443
> > 
> 
> 
> So I saw yes, I was able to use [::]:80 to bind to all interfaces in 
> dual stack mode but I am not sure the clients are served both the IPv6 
> line and the IPv4 line, I think it's just one of them and I was curious 
> which one and what logic is applied to determine it.
> This means that currently one cannot setup a dual stack pluggable 
> transport bridge, it must be either IPv4 either IPv6, right?
> 

If I use my dual-stack bridges with Tor Browser or HS clients, I can use IPv4 
and IPv6.

2023-11-08 21:15:20.815 [NOTICE] Bridge 'ForPrivacyNET' has both an IPv4 and an 
IPv6 address.  Will prefer using its IPv6 address ([2001:db8:1::228]:11228) 
based on the configured Bridge address.
2023-11-08 21:15:21.712 [NOTICE] Bridge 'ForPrivacyNET' has both an IPv4 and an 
IPv6 address.  Will prefer using its IPv4 address (203.0.113.228:11228) based 
on the configured Bridge address.



Re: [tor-relays] obfs4 bridge current setup is not entirely clear

2023-11-08 Thread boldsuck
On Wednesday, 8 November 2023 17:42:46 CET s7r wrote:

> 2. It was recommended on the mail list that obfs4 bridges should not 
> open their ORPorts publicly to prevent scanning the entire 1-65536 port 
> range and determine it's a Tor bridge. OK.

Not recommended, but rather a request to try it out.

Some info in the old thread
https://lists.torproject.org/pipermail/tor-relays/2023-August/021259.html

Relevant ticket from meskio:
https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/129

> But if you try:
> 
> ORPort 127.0.0.1:auto
> ORPort [::1]:auto
> AssumeReachable 1 # needed to skip ORPort reachability test
> 
> Tor will start but it will constantly complain in the log with:
> 
> [warn] The IPv4 ORPort address 127.0.0.1 does not match the descriptor 
> address REAL_IPv4_ADDRESS. If you have a static public IPv4 address, use 
> 'Address ' and 'OutboundBindAddress '. If you are behind a 
> NAT, use two ORPort lines: 'ORPort  NoListen' and 'ORPort 
>  NoAdvertise'.
> 
> [warn] The IPv6 ORPort address ::1 does not match the descriptor address 
> REAL_IPv6_ADDRESS. If you have a static public IPv4 address, use 
> 'Address ' and 'OutboundBindAddress '. If you are behind a 
> NAT, use two ORPort lines: 'ORPort  NoListen' and 'ORPort 
>  NoAdvertise'.

Yes, you can ignore the logs. Not exposing the ORPort for bridges is still an 
experimental feature.

I've gradually reconfigured _all_ bridges over the last 2 months:
The number of connections/users has stayed pretty much the same.
For bridges with the setting "BridgeDistribution any", the distribution method 
has not changed.

The ORPort must be forwarded or not firewalled, otherwise the status will be 
dysfunctional on https://bridges.torproject.org/status

> So what is the best way to for an user to open both IPv4 and IPv6 
> pluggable transport ports?

The ServerTransportListenAddr line is dual stack friendly.
ServerTransportListenAddr obfs4 [::]:8443


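Added example torrc (my own, not a configuration from the thread or from the Tor Project) that puts together the bridge settings discussed in the two obfs4 messages above and in the earlier "bridges for Lox" exchange: loopback-only ORPort with AssumeReachable, the dual-stack ServerTransportListenAddr, and the lyrebird plugin path. The nickname and contact line are placeholders; the port numbers and plugin path are the ones quoted in the thread.

```text
# Added example torrc, not from the thread. Placeholders: Nickname, ContactInfo.
BridgeRelay 1
Nickname ExampleBridge
ContactInfo operator@example.org

# Experimental (see the thread): bind the ORPort to loopback only, so the
# relay port is not reachable from the Internet, and skip tor's own
# reachability self-test. Expect the "does not match the descriptor address"
# warnings, and note that bridges.torproject.org/status may then report the
# bridge as not running even though the transport port is serving clients.
ORPort 127.0.0.1:14255
ORPort [::1]:14255
AssumeReachable 1

# The pluggable transport is the only public listener. Binding [::] covers
# both IPv4 and IPv6 on a dual-stack host; ExtORPort lets the plugin report
# client metadata back to tor.
ServerTransportPlugin obfs4 exec /usr/bin/lyrebird
ServerTransportListenAddr obfs4 [::]:8443
ExtORPort auto

# Tor's default distribution method; listed here only to make it explicit.
BridgeDistribution any
```

The trade-off is the one s7r describes: the hidden ORPort removes the scannable relay port, but tor's descriptor address warnings and the BridgeDB status page both assume a reachable ORPort, so check the bridge through the status page's history and your own connection counts rather than trusting the running flag alone.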


Re: [tor-relays] Discuss. Why not split donations to Tor relay owners?

2023-10-12 Thread boldsuck
On Thursday, 12 October 2023, 15:04:07 CEST gus wrote:

> Nobody audited the code of 'reiya' project and there is currently no
> concrete evidence to confirm that the funds deposited in that Monero
> wallet will indeed be redirected to the relays. Therefore, we strongly
> recommend not using that project.

> On Thu, Oct 12, 2023 at 12:48:58PM +, t...@nullvoid.me wrote:

> >  exists. Something like this?

Unfortunately the site is currently not accessible. If this is the same one 
that was discussed at a tor-relay-meeting a few months ago, then I can only 
agree with Gus' opinion.

A reputable donation site would publish the Monero View key.

https://www.getmonero.org/resources/moneropedia/viewkey.html
Every Monero address has a private viewkey which can be shared. By sharing a 
viewkey, a person is allowing access to view every incoming transaction for 
that address.
