Hi,
I had to reboot my bridge for a (Ubuntu) kernel upgrade but now it cannot confirm that the ORPort is accessible:
May 17 20:20:36.000 [notice] Tor 0.2.4.12-alpha (git-a1bb0df9be95ce7a) opening log file.
May 17 20:20:36.000 [notice] Not disabling debugger attaching for unprivileged users.
May 17 20:20:36.000 [notice] Your Tor server's identity key fingerprint is '...'
May 17 20:20:36.000 [notice] Configured hibernation. This interval began at 2013-05-13 10:00:00; the scheduled wake-up time was 2013-05-13 10:00:00; we expect to exhaust our quota for this interval around 2013-05-20 10:00:00; the next interval begins at 2013-05-20 10:00:00 (all times local)
May 17 20:20:36.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
May 17 20:20:37.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
May 17 20:20:37.000 [notice] Configured to measure statistics. Look for the *-stats files that will first be written to the data directory in 24 hours from now.
May 17 20:20:40.000 [notice] We now have enough directory information to build circuits.
May 17 20:20:40.000 [notice] Bootstrapped 80%: Connecting to the Tor network.
May 17 20:20:41.000 [notice] Bootstrapped 85%: Finishing handshake with first hop.
May 17 20:20:41.000 [notice] Bootstrapped 90%: Establishing a Tor circuit.
May 17 20:20:42.000 [notice] Registered server transport 'obfs3' at '0.0.0.0:30001'
May 17 20:20:42.000 [notice] Registered server transport 'obfs2' at '0.0.0.0:20001'
May 17 20:20:43.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
May 17 20:20:43.000 [notice] Bootstrapped 100%: Done.
May 17 20:20:43.000 [notice] Guessed our IP address as ... (source: ...).
May 17 20:40:43.000 [warn] Your server (...:9001) has not managed to confirm that its ORPort is reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
I have not changed my tor configuration (honest! :-)) and Tor 0.2.4.12-alpha (from deb.torproject.org) was running fine before. This particular bridge is running inside an Amazon EC2 instance and I can reach port 9001 from the outside:
$ nc -w1 -vnz xx.18.xx.xxx 9001
Connection to xx.18.xx.xxx 9001 port [tcp/*] succeeded!
And I can see that request on the bridge when tcpdump'ing :9001, so it's not a network issue. I'm not sure what "/etc/hosts" should have to do with it, but I haven't modified this either. I'm strace'ing the tor process now to see what it's doing but couldn't find anything suspicious so far.
Any thoughts?
Christian.
Hm, an hour later it succeeded:
May 17 20:40:43.000 [warn] Your server (...:9001) has not managed to confirm that its ORPort is reachable.
May 17 21:00:43.000 [warn] Your server (...:9001) has not managed to confirm that its ORPort is reachable.
May 17 21:20:43.000 [warn] Your server (...:9001) has not managed to confirm that its ORPort is reachable.
May 17 21:38:01.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Strange...
C.
On Fri, May 17, 2013 at 11:11:33PM -0700, Christian Kujau wrote:
> Hm, an hour later it succeeded:
>
> May 17 20:40:43.000 [warn] Your server (...:9001) has not managed to confirm that its ORPort is reachable.
> May 17 21:00:43.000 [warn] Your server (...:9001) has not managed to confirm that its ORPort is reachable.
> May 17 21:20:43.000 [warn] Your server (...:9001) has not managed to confirm that its ORPort is reachable.
> May 17 21:38:01.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Your relay launches reachability tests every 20 minutes, and it counts you as reachable if anybody succeeds at connecting (and making a Tor circuit) from the outside. In this case it sure looks like somebody else had your bridge address and connected to it -- perhaps the bridge directory authority doing its own reachability test, or perhaps some user who got your address from bridgedb.
My first thought is to look at the "..." that you left out, and see if it's guessing its address wrong (and thus launching the reachability test to the wrong place).
--Roger
On Sat, 18 May 2013 at 17:24, Roger Dingledine wrote:
> Your relay launches reachability tests every 20 minutes, and it counts you as reachable if anybody succeeds at connecting (and making a Tor circuit) from the outside.
Ah, this could be it. This bridge[0] has notoriously _very_ low traffic[1] although the instance is usually up 24x7, so maybe Tor just thought it wasn't reachable, just because no one used the bridge.
> My first thought is to look at the "..." that you left out, and see if it's guessing its address wrong (and thus launching the reachability test to the wrong place).
No, the address printed there was the correct one.
Thanks, Christian.
[0] http://paste.debian.net/5094/
[1] https://lists.torproject.org/pipermail/tor-talk/2012-February/023363.html
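
The timing discussed in the thread above can be read straight out of the notices log. The following is an added example, not part of the original messages or of Tor itself: it parses the log lines quoted in the thread and reports how many "not reachable" warnings fired, the gap between them, and how long after bootstrap the ORPort was confirmed. The function names and the year argument (Tor's log lines carry no year) are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the thread above; the "..." address is elided there too.
SAMPLE_LOG = """\
May 17 20:20:43.000 [notice] Bootstrapped 100%: Done.
May 17 20:40:43.000 [warn] Your server (...:9001) has not managed to confirm that its ORPort is reachable.
May 17 21:00:43.000 [warn] Your server (...:9001) has not managed to confirm that its ORPort is reachable.
May 17 21:20:43.000 [warn] Your server (...:9001) has not managed to confirm that its ORPort is reachable.
May 17 21:38:01.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
"""

LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d\.\d+) \[(\w+)\] (.*)$")
BOOTSTRAPPED = "Bootstrapped 100%"
UNCONFIRMED = "has not managed to confirm that its ORPort is reachable"
CONFIRMED = "Self-testing indicates your ORPort is reachable"


def parse(log_text, year):
    """Yield (timestamp, level, message); Tor log lines carry no year."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S.%f")
            yield ts, m.group(2), m.group(3)


def reachability_summary(log_text, year=2013):
    """Summarise the ORPort self-test outcome for the most recent start."""
    started = confirmed = None
    warnings = []
    for ts, level, msg in parse(log_text, year):
        if BOOTSTRAPPED in msg:            # new start: forget earlier runs
            started, confirmed, warnings = ts, None, []
        elif level == "warn" and UNCONFIRMED in msg:
            warnings.append(ts)
        elif CONFIRMED in msg and confirmed is None:
            confirmed = ts
    return {
        "warnings": len(warnings),
        "warning_gaps": [b - a for a, b in zip(warnings, warnings[1:])],
        "confirmed_at": confirmed,
        "wait_after_bootstrap": confirmed - started if started and confirmed else None,
    }


if __name__ == "__main__":
    for key, value in reachability_summary(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```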