Hello there! I've been running for over 1.5 years a middle relay on an IP address I also use to browse, without issues. However it's now some weeks since many websites that always refused Tor traffic started to also refuse normal traffic from my IP. I suppose this is related to the relay, because I don't run any other "suspect" service on this IP and when I change it the problem is gone for a few hours. My guess is that some widely used black list started including middle relay IPs, but I have no proof. Has anyone had similar experiences? Any thoughts on this?

Thanks,
Eldalië
-- Eldalië My private key is attached. Please, use it and provide me yours!
On Tue, 1 Aug 2023 23:14:28 +0200 Eldalië via tor-relays tor-relays@lists.torproject.org wrote:
> Hello there! I've been running for over 1.5 years a middle relay on an IP address I also use to browse, without issues. However it's now some weeks since many websites that always refused Tor traffic started to also refuse normal traffic from my IP. I suppose this is related to the relay, because I don't run any other "suspect" service on this IP and when I change it the problem is gone for a few hours. My guess is that some widely used black list started including middle relay IPs, but I have no proof. Has anyone had similar experiences? Any thoughts on this?
For me this has always been the case, since many years ago. It is surprising you did not have issues for 1.5 years.
It is probably this list: https://www.dan.me.uk/tornodes It has explanation text in bold, but nobody reads that. Or just the Tor relay lists that can be fetched from the Tor project directly.
On Thu, 3 Aug 2023, 15:57 Roman Mamedov, rm@romanrm.net wrote:
> On Tue, 1 Aug 2023 23:14:28 +0200 Eldalië via tor-relays tor-relays@lists.torproject.org wrote:
>> Hello there! I've been running for over 1.5 years a middle relay on an IP address I also use to browse, without issues. However it's now some weeks since many websites that always refused Tor traffic started to also refuse normal traffic from my IP. I suppose this is related to the relay, because I don't run any other "suspect" service on this IP and when I change it the problem is gone for a few hours. My guess is that some widely used black list started including middle relay IPs, but I have no proof. Has anyone had similar experiences? Any thoughts on this?
> For me this has always been the case, since many years ago. It is surprising you did not have issues for 1.5 years.
> It is probably this list: https://www.dan.me.uk/tornodes It has explanation text in bold, but nobody reads that. Or just the Tor relay lists that can be fetched from the Tor project directly.
I stopped running a relay at home years ago (due to moving home and going from 1Gbps upload to 10Mbps) but had had the problem with a third party used by an airline starting to use that list.
It may be better nowadays as most things are available over IPv6 so I wouldn't care as much if my IPv4 gets blocked and hopefully they wouldn't block more than a /64 for IPv6.
On 2023-08-01 23:14, Eldalië via tor-relays wrote:
> My guess is that some widely used black list started including middle relay IPs, but I have no proof. Has anyone had similar experiences? Any thoughts on this?
I run a non-exit relay at home and have run into the same issue. Some Swedish government sites use a third party for handling log ins. A few months ago this third party started blocking non-exit relays. I tried to contact the government sites and explain the issue (exit vs non-exit IP lists etc). None of them said it was their policy to block non-exits but naturally pointed at the third party. I tried to contact them but got nowhere, maybe they outsource in their turn.
Since sites these days outsource so much it is hopeless to get through to anyone able or willing to fix an issue. I gave up after many emails.
My "solution" for now is to use my phone's internet sharing when I have to contact these sites. Since it only is a few sites which I contact rarely this works, but as more and more sites outsource their security to third parties I expect this to be a growing problem. Eventually I might no longer be able to run a relay.
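The exit vs. non-exit distinction raised in this thread, as an added example that is not part of any poster's message or of Tor's own tooling: Python code that splits a relay list into exit and non-exit addresses, so that a denylist aimed at traffic leaving Tor does not also catch a middle relay's home IP. The sample data is constructed, its field names are assumed from the Onionoo details format, and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample shaped like an Onionoo "details" response. The field
# names (or_addresses, exit_addresses, flags) are assumed from that format;
# every address comes from a documentation range.
SAMPLE_DETAILS = json.loads("""
{"relays": [
  {"nickname": "HomeMiddle",
   "or_addresses": ["192.0.2.10:9001", "[2001:db8::10]:9001"],
   "flags": ["Fast", "Running", "Stable", "Valid"]},
  {"nickname": "DatacenterExit",
   "or_addresses": ["198.51.100.7:443"],
   "exit_addresses": ["198.51.100.8"],
   "flags": ["Exit", "Fast", "Running", "Valid"]},
  {"nickname": "GuardOnly",
   "or_addresses": ["203.0.113.5:9001"],
   "flags": ["Guard", "Running", "Valid"]},
  {"nickname": "SharedHostMiddle",
   "or_addresses": ["198.51.100.7:9001"],
   "flags": ["Running", "Valid"]}
]}
""")


def _host(or_address):
    """Turn '192.0.2.10:9001' or '[2001:db8::10]:9001' into an IP object."""
    host, _, _port = or_address.rpartition(":")
    return ipaddress.ip_address(host.strip("[]"))


def split_relay_addresses(details):
    """Return (exit_addresses, non_exit_addresses) as two disjoint sets."""
    exits, non_exits = set(), set()
    for relay in details.get("relays", []):
        listen = {_host(a) for a in relay.get("or_addresses", [])}
        seen_exiting = {ipaddress.ip_address(a)
                        for a in relay.get("exit_addresses", [])}
        # Simplification (assumption): a relay counts as an exit if it has
        # the Exit flag or any observed exit address.
        if "Exit" in relay.get("flags", []) or seen_exiting:
            exits |= listen | seen_exiting
        else:
            non_exits |= listen
    # An address hosting both an exit and a middle relay can still emit
    # exit traffic, so it stays on the exit side only.
    non_exits -= exits
    return exits, non_exits


def classify(ip, details):
    """Label one client IP: 'exit', 'non-exit' or 'not-a-relay'."""
    addr = ipaddress.ip_address(ip)
    exits, non_exits = split_relay_addresses(details)
    if addr in exits:
        return "exit"
    if addr in non_exits:
        return "non-exit"
    return "not-a-relay"


def exit_only_denylist(details):
    """Addresses that can actually carry traffic out of Tor, as strings."""
    exits, _ = split_relay_addresses(details)
    # IPv4 and IPv6 objects do not compare directly, so sort on a tuple.
    return [str(a) for a in sorted(exits, key=lambda a: (a.version, int(a)))]


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.8", "203.0.113.99"):
        print(ip, classify(ip, SAMPLE_DETAILS))
    print(exit_only_denylist(SAMPLE_DETAILS))
```

A relay operator can run the same classification on their own address to see which side of the split a list consumer would put it on.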
Hi,
On 03.08.23 14:22, Logforme wrote:
> My "solution" for now is to use my phone's internet sharing when I have to contact these sites. Since it only is a few sites which I contact rarely this works, but as more and more sites outsource their security to third parties I expect this to be a growing problem. Eventually I might no longer be able to run a relay.
instead of turning down your relay, you could change it to a cloud hoster.
I e.g. would suggest the German provider Hetzner [*] - you have 20TB/month free traffic for only a few euros. Since the IP address of your relay is publicly known anyway, it also doesn't matter as much as with a bridge if the relay is running at a cloud provider (e.g. regarding the situation in Turkmenistan). The disadvantage is, of course, less diversity in the number of networks in which the relays are distributed.
Kind regards telekobold
As an at-Home, Middle-Relay operator, I experienced similar issues. Initially, I attempted to solve the problem by using dnsmasq + nginx to reverse proxy the blacklisted sites through a dedicated vpn, which worked... with some issues. As the issues increased, I decided to secure a new IP Address and pivot to an at-Home, Bridge operator, which has been trouble free and much more amenable to at-Home operation. Thanks for running a Tor Relay... or Bridge.
On Thursday, August 3, 2023, 1:58:08 PM MDT, telekobold torproject-ml@telekobold.de wrote:
> Hi,
> On 03.08.23 14:22, Logforme wrote:
>> My "solution" for now is to use my phone's internet sharing when I have to contact these sites. Since it only is a few sites which I contact rarely this works, but as more and more sites outsource their security to third parties I expect this to be a growing problem. Eventually I might no longer be able to run a relay.
> instead of turning down your relay, you could change it to a cloud hoster.
> I e.g. would suggest the German provider Hetzner [*] - you have 20TB/month free traffic for only a few euros. Since the IP address of your relay is publicly known anyway, it also doesn't matter as much as with a bridge if the relay is running at a cloud provider (e.g. regarding the situation in Turkmenistan). The disadvantage is, of course, less diversity in the number of networks in which the relays are distributed.
> Kind regards telekobold
> [*] https://www.hetzner.com/
I tried reporting a similar issue a few months ago (post wasn’t approved by moderator). I was running a relay from my home ISP. After a short while certain websites became inaccessible from other computers in my home network that shared the same public IP. After trial and error with other IP addresses (non-Tor) I realized commercial gateway services had blacklisted our IP address.
After several weeks of running a Relay I shut it down and after a few days we could access the websites again from our IP.
The ISP didn’t understand when I reported it and just wanted to upsell me a business plan.
Live and learn. The Tor network was the victim. You are correct that by publishing entry, relay and exit node IP addresses for the Tor network, it’s an easy target for commercial services to indiscriminately blacklist any IP addresses associated with Tor. Sharing your IP with a relay and your personal use might get you blocked.
I hope this post gets approved.
On Aug 3, 2023, at 7:47 AM, Eldalië via tor-relays tor-relays@lists.torproject.org wrote:
> Hello there! I've been running for over 1.5 years a middle relay on an IP address I also use to browse, without issues. However it's now some weeks since many websites that always refused Tor traffic started to also refuse normal traffic from my IP. I suppose this is related to the relay, because I don't run any other "suspect" service on this IP and when I change it the problem is gone for a few hours. My guess is that some widely used black list started including middle relay IPs, but I have no proof. Has anyone had similar experiences? Any thoughts on this? Thanks,
> Eldalië
> -- Eldalië My private key is attached. Please, use it and provide me yours!
securehell@gmail.com wrote on 8/4/23 01:46:
> I tried reporting a similar issue a few months ago (post wasn’t approved by moderator). I was running a relay from my home ISP. After a short while certain websites became inaccessible from other computers in my home network that shared the same public IP. After trial and error with other IP addresses (non-Tor) I realized commercial gateway services had blacklisted our IP address.
Same here, middle node. In order to access some sites, I have to shut down briefly my modem in order to obtain a new IP, and for a while all goes smoothly again.
On Samstag, 5. August 2023 08:40:42 CEST Marco Predicatori wrote:
> securehell@gmail.com wrote on 8/4/23 01:46:
>> I tried reporting a similar issue a few months ago (post wasn’t approved by moderator). I was running a relay from my home ISP. After a short while certain websites became inaccessible from other computers in my home network that shared the same public IP. After trial and error with other IP addresses (non-Tor) I realized commercial gateway services had blacklisted our IP address.
> Same here, middle node. In order to access some sites, I have to shut down briefly my modem in order to obtain a new IP, and for a while all goes smoothly again.
Hi @all,
Just my 2 cents. Is this worth the hassle? Calculate your power consumption 24x7x30 @home.
For 1-5$ you can get a VPS. This exit has 1GB RAM and 1CPU and costs $3.50/month https://metrics.torproject.org/rs.html#details/376DC7CAD597D3A4CBB651999CFAD...
Search or ask for offers on LEB & LET: https://lowendbox.com/ https://lowendtalk.com/discussion/185210/tor-relay-bridge
$websearch: cheap vps unlimited bandwidth IONOS 1,-EUR/Month - 1GB RAM - 1vCore unlimited bandwidth - prepaid (=no contract term) https://www.ionos.de/server/vps
Dedicated server for $15 per month: 4 Cores/4 threads - 16GB DDR3 - 5 usable IPv4 :-) https://www.nocix.net/cart/?id=261
lists@for-privacy.net wrote:
> On Samstag, 5. August 2023 08:40:42 CEST Marco Predicatori wrote:
>> securehell@gmail.com wrote on 8/4/23 01:46:
>>> I tried reporting a similar issue a few months ago (post wasn’t approved by moderator). I was running a relay from my home ISP. After a short while certain websites became inaccessible from other computers in my home network that shared the same public IP. After trial and error with other IP addresses (non-Tor) I realized commercial gateway services had blacklisted our IP address.
>> Same here, middle node. In order to access some sites, I have to shut down briefly my modem in order to obtain a new IP, and for a while all goes smoothly again.
> Hi @all,
> Just my 2 cents. Is this worth the hassle? Calculate your power consumption 24x7x30 @home.
> For 1-5$ you can get a VPS. This exit has 1GB RAM and 1CPU and costs $3.50/month https://metrics.torproject.org/rs.html#details/376DC7CAD597D3A4CBB651999CFAD...
> Search or ask for offers on LEB & LET: https://lowendbox.com/ https://lowendtalk.com/discussion/185210/tor-relay-bridge
> $websearch: cheap vps unlimited bandwidth IONOS 1,-EUR/Month - 1GB RAM - 1vCore unlimited bandwidth - prepaid (=no contract term) https://www.ionos.de/server/vps
> Dedicated server for $15 per month: 4 Cores/4 threads - 16GB DDR3 - 5 usable IPv4 :-) https://www.nocix.net/cart/?id=261
While all the above is true, a thing to remember is to make sure we don't end up all renting too many VPS'es or dedicated servers in the same places / same AS numbers - we need network diversity, it is a very important factor, more AS numbers, more providers, more physical locations, etc. So, running at home is super good and recommended from this perspective, provides us with the diversity we need, however not being able to login to online banking to pay an electricity bill because of a middle relay is also way too annoying.. however who can afford the hassle should definitely run a middle relay or bridge at home (even Exit relay, I do run an Exit relay at my office place and I had one police visit in like 8 years or so).
The problem here is with the people who treat 1 IP address = 1 person, this assumption which is 3 decades old should disappear once and forever. I cannot imagine what kind of an IT/security expert would use a black list (haha) that contains Tor relays (double haha) and also applies same restrictions to *middle* relays (triple haha). There are so many ways to properly handle an IP address that sends robotic/unrequested traffic which are so obvious I'm not going to spam the list to enumerate them.
On 8/7/2023 1:28 PM, s7r wrote:
> lists@for-privacy.net wrote:
>> On Samstag, 5. August 2023 08:40:42 CEST Marco Predicatori wrote:
>>> securehell@gmail.com wrote on 8/4/23 01:46:
>>>> I tried reporting a similar issue a few months ago (post wasn’t approved by moderator). I was running a relay from my home ISP. After a short while certain websites became inaccessible from other computers in my home network that shared the same public IP. After trial and error with other IP addresses (non-Tor) I realized commercial gateway services had blacklisted our IP address.
>>> Same here, middle node. In order to access some sites, I have to shut down briefly my modem in order to obtain a new IP, and for a while all goes smoothly again.
>> Hi @all,
>> Just my 2 cents. Is this worth the hassle? Calculate your power consumption 24x7x30 @home.
>> For 1-5$ you can get a VPS. This exit has 1GB RAM and 1CPU and costs $3.50/month https://metrics.torproject.org/rs.html#details/376DC7CAD597D3A4CBB651999CFAD...
>> Search or ask for offers on LEB & LET: https://lowendbox.com/ https://lowendtalk.com/discussion/185210/tor-relay-bridge
>> $websearch: cheap vps unlimited bandwidth IONOS 1,-EUR/Month - 1GB RAM - 1vCore unlimited bandwidth - prepaid (=no contract term) https://www.ionos.de/server/vps
>> Dedicated server for $15 per month: 4 Cores/4 threads - 16GB DDR3 - 5 usable IPv4 :-) https://www.nocix.net/cart/?id=261
> While all the above is true, a thing to remember is to make sure we don't end up all renting too many VPS'es or dedicated servers in the same places / same AS numbers - we need network diversity, it is a very important factor, more AS numbers, more providers, more physical locations, etc. So, running at home is super good and recommended from this perspective, provides us with the diversity we need, however not being able to login to online banking to pay an electricity bill because of a middle relay is also way too annoying.. however who can afford the hassle should definitely run a middle relay or bridge at home (even Exit relay, I do run an Exit relay at my office place and I had one police visit in like 8 years or so).
> The problem here is with the people who treat 1 IP address = 1 person, this assumption which is 3 decades old should disappear once and forever. I cannot imagine what kind of an IT/security expert would use a black list (haha) that contains Tor relays (double haha) and also applies same restrictions to *middle* relays (triple haha). There are so many ways to properly handle an IP address that sends robotic/unrequested traffic which are so obvious I'm not going to spam the list to enumerate them.
As much as I would like to laugh along with you, it's clearly the case from my experiences, and some of the folks in this thread, that there are some major outsourced firewall/protection companies who unfortunately do have the IT/security folks you can't imagine. I've spoken to one senior network technician at a major US wide bank because after running a middle relay for 5 years with only minor issues, my wife who works from home for the bank was suddenly blocked from accessing the bank network. He fully understood what a middle relay was and was quite happy for me to run one, but was unable to do anything as they had just outsourced the network "protection" and whoever they had outsourced to was classing the middle relay as a threat, and so blocking her access.
Cheers.
On Monday, August 7, 2023, 2:28:56 PM MDT, s7r s7r@sky-ip.org wrote:
> lists@for-privacy.net wrote:
>> On Samstag, 5. August 2023 08:40:42 CEST Marco Predicatori wrote:
>>> securehell@gmail.com wrote on 8/4/23 01:46:
>>>> I tried reporting a similar issue a few months ago (post wasn’t approved by moderator). I was running a relay from my home ISP. After a short while certain websites became inaccessible from other computers in my home network that shared the same public IP. After trial and error with other IP addresses (non-Tor) I realized commercial gateway services had blacklisted our IP address.
>>> Same here, middle node. In order to access some sites, I have to shut down briefly my modem in order to obtain a new IP, and for a while all goes smoothly again.
>> Hi @all,
>> Just my 2 cents. Is this worth the hassle? Calculate your power consumption 24x7x30 @home.
>> For 1-5$ you can get a VPS. This exit has 1GB RAM and 1CPU and costs $3.50/month https://metrics.torproject.org/rs.html#details/376DC7CAD597D3A4CBB651999CFAD...
>> Search or ask for offers on LEB & LET: https://lowendbox.com/ https://lowendtalk.com/discussion/185210/tor-relay-bridge
>> $websearch: cheap vps unlimited bandwidth IONOS 1,-EUR/Month - 1GB RAM - 1vCore unlimited bandwidth - prepaid (=no contract term) https://www.ionos.de/server/vps
>> Dedicated server for $15 per month: 4 Cores/4 threads - 16GB DDR3 - 5 usable IPv4 :-) https://www.nocix.net/cart/?id=261
> While all the above is true, a thing to remember is to make sure we don't end up all renting too many VPS'es or dedicated servers in the same places / same AS numbers - we need network diversity, it is a very important factor, more AS numbers, more providers, more physical locations, etc. So, running at home is super good and recommended from this perspective, provides us with the diversity we need, however not being able to login to online banking to pay an electricity bill because of a middle relay is also way too annoying.. however who can afford the hassle should definitely run a middle relay or bridge at home (even Exit relay, I do run an Exit relay at my office place and I had one police visit in like 8 years or so).
Marco... Thanks for the great VPS information. In addition to network diversity, there is the fact that most individuals find it necessary to run an at Home internet connection 24 x 7 x 365. So... Other than for the reasons inspired by the subject of this post, why not just run a low-resource consuming Tor server at home, too, which meets the requirements and continual request for Tor Bridges? Moreover... In the Tor documentation describing the various relays, it might be wise to highly recommend that new at Home operators focus their resources toward Tor Bridges (opposed to Relays) to avoid this common pitfall. Just my 2¢.
On Dienstag, 8. August 2023 00:30:38 CEST Gary C. New via tor-relays wrote:
> In addition to network diversity, there is the fact that most individuals find it necessary to run an at Home internet connection 24 x 7 x 365. So... Other than for the reasons inspired by the subject of this post, why not just run a low-resource consuming Tor server at home, too,
Most people definitely have the router on all the time. I saw this recently because I wanted to run a bridge for Turkmenistan at home:
On Ubiquiti EdgeOS Router (Vyatta/Debian based) you can 'apt install tor'
OPNsense (FreeBSD based): https://docs.opnsense.org/manual/how-tos/tor.html
On Tuesday, August 8, 2023, 10:24:44 AM MDT, lists@for-privacy.net wrote:
> On Dienstag, 8. August 2023 00:30:38 CEST Gary C. New via tor-relays wrote:
>> In addition to network diversity, there is the fact that most individuals find it necessary to run an at Home internet connection 24 x 7 x 365. So... Other than for the reasons inspired by the subject of this post, why not just run a low-resource consuming Tor server at home, too,
> Most people definitely have the router on all the time. I saw this recently because I wanted to run a bridge for Turkmenistan at home:
> On Ubiquiti EdgeOS Router (Vyatta/Debian based) you can 'apt install tor'
> OPNsense (FreeBSD based): https://docs.opnsense.org/manual/how-tos/tor.html
Similarly, Tor can be installed on network devices (i.e., Mikrotik, etc) that use OpenWRT or Entware packages with "opkg install tor". Thanks, again, for dropping some knowledge on us, Marco.
On Montag, 7. August 2023 22:28:32 CEST s7r wrote:
> While all the above is true, a thing to remember is to make sure we don't end up all renting too many VPS'es or dedicated servers in the same places / same AS numbers - we need network diversity,
Especially at the exits, which unfortunately occur in a few places and in large heaps. Approx 50%: Berlin Germany, Utrecht Netherlands, Roost Luxembourg.
> it is a very important factor, more AS numbers, more providers, more physical locations, etc. So, running at home is super good and recommended from this perspective, provides us with the diversity we need,
You made a good list of underused ISP's on lowendtalk and on nusenu's OrNetStat there are over 500 AS where only 1 or 2 relays are running. There should be enough data centers in the world to achieve diversity even without running at home. https://nusenu.github.io/OrNetStats/#autonomous-systems-by-cw-fraction
Running snowflake @home is a nice option. Many relays @home only have kbit/s of bandwidth. In my humble opinion, a Tor relay should offer at least 10 MB/s.
> however who can afford the hassle should definitely run a middle relay or bridge at home
Yes, anyone with a good internet connection at home can do this. At least in Germany, every ISP offers its customers a http & ftp proxy. Use them in your browser or OS. This might have less of a problem running Tor relays at home. Because most websites will then see the proxy IP.
> (even Exit relay, I do run an Exit relay at my office place and I had one police visit in like 8 years or so).
@office is different than @home. I wouldn't advise anyone to run an exit at home. It's no fun when the cops ring at 6:00 am and search your whole apartment. And if you're unlucky, they take all computers, cell phones and other 'things'.
On Mon, Aug 07, 2023 at 11:28:32PM +0300, s7r wrote:
> While all the above is true, a thing to remember is to make sure we don't end up all renting too many VPS'es or dedicated servers in the same places / same AS numbers - we need network diversity, it is a very important factor, more AS numbers, more providers, more physical locations, etc. So, running at home is super good and recommended from this perspective, provides us with the diversity we need, however not being able to login to online banking to pay an electricity bill because of a middle relay is also way too annoying.. however who can afford the hassle should definitely run a middle relay or bridge at home
Yes, exactly this. If you are interested in running a non-exit relay at home, and you can tolerate the hassles from occasionally finding that some service doesn't want to hear from you, then you are definitely helping the diversity of the Tor network.
Having the Tor traffic concentrated at a few cheapo providers like Hetzner and OVH is not only scary in the sense that too much traffic goes through too few cables, but it's also scary because it increases the appeal for somebody to attack those few companies, either by breaking into their infrastructure to watch traffic or through more traditional insider threats like getting an employee there to help them monitor traffic.
The internet already has uncomfortably many bottlenecks -- too few undersea cables, too few Content Distribution Networks (CDNs), too few app stores, etc.
> (even Exit relay, I do run an Exit relay at my office place and I had one police visit in like 8 years or so).
Follow this advice only with great caution. :) Many people happily run their exit relay from their home, but it only takes one fresh new cybercrime detective (trying to make a name for himself by kicking down a door at 7am, and with no idea what Tor is) to ruin your day.
--Roger