nusenu / ansible-relayor

An Ansible Role for Tor Relay Operators
GNU General Public License v3.0

tor instances not running on the primary/first IP will be announced on the wrong IP and fail reachability test ('Address' needed) #153

Closed nusenu closed 3 years ago

nusenu commented 6 years ago

Tim reports that on a multi-public-IP exit only the first 2 instances on the first public IP confirm ORPort reachability: https://lists.torproject.org/pipermail/tor-relays/2018-March/014891.html

Mär 22 02:19:47 tor Tor-185.220.100.25*3*_9000[586]: Your server (185.220.100.25*2*:9000) has not managed to confirm that its ORPort is reachable. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.

Note the mismatch between the IP addresses.

We expect this to be covered by our use of OutboundBindAddress.

Tim worked around the issue by adjusting the torrc template to add the Address config parameter which we do not add by default.
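
The symptom in the syslog line above is recognisable without reading torrc at all: ansible-relayor sets SyslogIdentityTag to `<bind-ip>_<orport>`, so the syslog prefix carries the IP the instance was configured to listen on, while the warning text carries the address tor actually tried to confirm. The following triage script is an added example, not code from ansible-relayor or from this thread; it assumes that tag format and the warning wording quoted above, and the sample log lines it runs on are constructed (the first mirrors the line in the report).

```python
"""Triage tor "ORPort is reachable" warnings from syslog.

If the IP in the Tor-<tag> prefix differs from the IP in "Your server (...)",
tor is self-testing the host's primary address rather than the one the
instance is bound to, which is a configuration (Address) problem, not a
firewall problem. If both agree, the usual reachability checks apply.
"""
import re

# Shape modelled on the syslog line quoted in the issue: "Tor-" plus the
# relayor SyslogIdentityTag "<bind-ip>_<orport>", then tor's warning text.
WARN_RE = re.compile(
    r"Tor-(?P<tag>\S+?)\[\d+\]: Your server \((?P<announced>[^)]+)\) "
    r"has not managed to confirm that its ORPort is reachable"
)

# Constructed sample lines, not collected from a live relay. The first mirrors
# the line in the report; the second is the same symptom on another instance;
# the third is a genuine reachability failure where both addresses agree; the
# fourth is unrelated noise.
SAMPLE_LINES = [
    "Mär 22 02:19:47 tor Tor-185.220.100.253_9000[586]: Your server "
    "(185.220.100.252:9000) has not managed to confirm that its ORPort is "
    "reachable. Relays do not publish descriptors until their ORPort and "
    "DirPort are reachable. Please check your firewalls, ports, address, "
    "/etc/hosts file, etc.",
    "Mär 22 02:19:51 tor Tor-185.220.100.254_9000[590]: Your server "
    "(185.220.100.252:9000) has not managed to confirm that its ORPort is "
    "reachable. Relays do not publish descriptors until their ORPort and "
    "DirPort are reachable.",
    "Mär 22 02:20:03 tor Tor-185.220.100.252_9000[578]: Your server "
    "(185.220.100.252:9000) has not managed to confirm that its ORPort is "
    "reachable. Relays do not publish descriptors until their ORPort and "
    "DirPort are reachable.",
    "Mär 22 02:20:10 tor Tor-185.220.100.252_9001[579]: Bootstrapped 100%: Done",
]


def split_hostport(s):
    """'1.2.3.4:9000' -> ('1.2.3.4', '9000'); '[2a0b::1]:9000' -> ('2a0b::1', '9000')."""
    if s.startswith("["):
        host, _, rest = s[1:].partition("]")
        return host, rest.lstrip(":")
    host, _, port = s.rpartition(":")
    return host, port


def parse_reachability_warning(line):
    """Return bind/announced addresses from one warning line, or None if it is not one."""
    m = WARN_RE.search(line)
    if m is None:
        return None
    bind_ip, _, bind_port = m.group("tag").rpartition("_")
    announced_ip, announced_port = split_hostport(m.group("announced"))
    return {
        "bind_ip": bind_ip,
        "bind_port": bind_port,
        "announced_ip": announced_ip,
        "announced_port": announced_port,
        "address_mismatch": bind_ip != announced_ip,
    }


def triage(lines):
    """Classify every reachability warning in `lines` and attach a verdict."""
    findings = []
    for line in lines:
        f = parse_reachability_warning(line)
        if f is None:
            continue
        if f["address_mismatch"]:
            f["verdict"] = ("announced address differs from bind address; "
                            "set 'Address %s' for this instance" % f["bind_ip"])
        else:
            f["verdict"] = "addresses agree; check firewall and ORPort/DirPort forwarding"
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print("%s:%s announced as %s -> %s"
              % (f["bind_ip"], f["bind_port"], f["announced_ip"], f["verdict"]))
```

Feeding `journalctl -t 'Tor-*' --no-pager` output to `triage()` separates instances that need an `Address` line from instances with a real firewall or forwarding problem; on the host in this report the mismatching instances are exactly the ones not on the primary IP.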

RedDog99 commented 6 years ago

Here the requested data:

ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 52:54:00:21:08:b6 brd ff:ff:ff:ff:ff:ff
3: ens9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:df:68:24 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5054:ff:fedf:6824/64 scope link 
       valid_lft forever preferred_lft forever
4: ens10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:53:e1:e3 brd ff:ff:ff:ff:ff:ff
    inet 185.220.100.252/32 scope global ens10
       valid_lft forever preferred_lft forever
    inet 185.220.100.253/32 scope global ens10
       valid_lft forever preferred_lft forever
    inet 185.220.100.254/32 scope global ens10
       valid_lft forever preferred_lft forever
    inet 185.220.100.255/32 scope global ens10
       valid_lft forever preferred_lft forever
    inet6 2a0b:f4c0:16c:4::1/48 scope global 
       valid_lft forever preferred_lft forever
    inet6 2a0b:f4c0:16c:3::1/48 scope global 
       valid_lft forever preferred_lft forever
    inet6 2a0b:f4c0:16c:2::1/48 scope global 
       valid_lft forever preferred_lft forever
    inet6 2a0b:f4c0:16c:1::1/48 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe53:e1e3/64 scope link 
       valid_lft forever preferred_lft forever

ip ro

default via 185.220.100.128 dev ens10 
185.220.100.128 dev ens10 scope link 

ip -6 ro

2a0b:f4c0:16c::/48 dev ens10 proto kernel metric 256  pref medium
fe80::/64 dev ens9 proto kernel metric 256  pref medium
fe80::/64 dev ens10 proto kernel metric 256  pref medium
default via 2a0b:f4c0:16c::1 dev ens10 metric 1024  pref medium

$ cat tor.yml

---
- hosts: relays
  vars:
    tor_ContactInfo: abuse@f3netze.de
    tor_signingkeylifetime_days: 90
    tor_nickname: "F3 Netze"
    tor_ExitRelay: True
    tor_ExitPolicy: accept *:80,accept *:443,reject *:*
    tor_ExitNoticePage: True
    tor_AbuseEmailAddress: abuse@f3netze.de
    tor_maxPublicIPs: 4
    tor_IPv6: False
    tor_IPv6Exit: False
  roles:
   - nusenu.relayor

nusenu commented 6 years ago

Thanks for the fast reply, could you also add

thanks!

RedDog99 commented 6 years ago

# ansible-relayor generated torrc configuration file
# Note: manual changes will be OVERWRITTEN on the next ansible-playbook run

OfflineMasterKey 1
RunAsDaemon 0
Log notice syslog
OutboundBindAddress 185.220.100.253
SocksPort 0
User _tor-185.220.100.253_9000
DataDirectory /var/lib/tor-instances/185.220.100.253_9000
ORPort 185.220.100.253:9000

DirPort 185.220.100.253:9001

SyslogIdentityTag 185.220.100.253_9000

ControlSocket 0
CookieAuthentication 0

Nickname F3Netze

Sandbox 1
# we are an exit relay!
ExitRelay 1
ExitPolicy accept *:80,accept *:443,reject *:*
DirPortFrontPage /etc/tor/instances/tor-exit-notice.html

ContactInfo abuse@f3netze.de

MyFamily 0436eb493d58a21f22621c916b4e2285a10b513e,2017b0df257a9d6501f084b6d7aeaaf6852e9dc1,2bd4aaef7b149ee7c290dedd1cfa3259aa1db66b,6bcb964ab74e23f8986bda905697d3a6be08af28,719fd0fa327f3ccbcda0d4ea74c15ea110338942,939126ea4d25cb212a79746c133194f8a24c435b,9973e1e9730a58fdba9e112d2b3342d2c0d921b5,9bfc62520f4db61f5df99063ef95b142037d7aa4
# end of torrc

nusenu commented 6 years ago

thanks for providing that info!

tor version for the record: 0.3.2.10

An easy fix would be to simply add the following to the template:

Address {{ item.0.ipv4}}

if we run on public IPv4 addresses (no NAT) and if the user did not set tor_Address (#141), but before doing so I'd like to get to the bottom of this.

I sent an email to tor-dev: https://lists.torproject.org/pipermail/tor-dev/2018-March/013031.html

nusenu commented 6 years ago

An easy fix would be to simply add the following to the template:

It is less obvious than I thought, because currently it would work even if we are behind NAT on public IPs; if we start doing what I suggested above, things would no longer work in such (rare) cases.

nusenu commented 6 years ago

This is apparently an old upstream bug in tor reported in 2014 here: https://trac.torproject.org/projects/tor/ticket/13953 In this bug they decided to add a warning only to avoid breaking existing configs. The actual fix is supposed to be in (not fixed yet): https://trac.torproject.org/projects/tor/ticket/19919

Until upstream fixes this we will work around this issue by setting Address under certain conditions.

We set the Address parameter to {{ item.0.ipv4}} if

Note: We do not set Address if the user has the default value of tor_maxPublicIPs (1) or has only one public IP

The fix will not require the operator to make any change to their configs (it should work out of the box).

@RedDog99 Could you test b90109aaf11dc12890eb28e08a19d09479f2d320 and confirm that it works for you? (you could use the -C and -D switches to simulate the change)
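
Before running the role with -C/-D, an operator can check the generated per-instance torrc files directly for the condition the workaround targets. The lint below is an added example, not part of ansible-relayor; it infers "more than one public IP in use" from the ORPort bind addresses of all instances on a host rather than from tor_maxPublicIPs, requires `Address <ORPort IP>` only in that case, skips instances bound to private (NAT) addresses since their correct Address is the external IP which the torrc cannot reveal, and flags an Address or OutboundBindAddress that disagrees with the ORPort IP. The sample hosts are constructed with the IPs from this thread.

```python
"""Lint the torrc files of all tor instances on one host for the multi-IP
Address problem: when instances bind ORPort to different public IPv4 addresses,
each must carry 'Address <its ORPort IP>' or tor may announce and self-test the
host's primary IP. Thresholds and rule are this example's own, not the role's.
"""
import ipaddress


def parse_torrc(text):
    """torrc -> {option: [values]}; options may repeat, '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return conf


def orport_ipv4(values):
    """First explicit IPv4 an ORPort line binds to; None for bare port or IPv6 only."""
    for v in values:
        fields = v.split()
        spec = fields[0] if fields else ""
        if spec.startswith("["):          # "[v6]:port" form
            continue
        host, sep, _port = spec.rpartition(":")
        if not sep:                       # "9000": listens on all interfaces
            continue
        try:
            return ipaddress.IPv4Address(host)
        except ValueError:
            continue
    return None


def first(conf, key):
    """First token of the first value of `key`, or None."""
    vals = conf.get(key)
    return vals[0].split()[0] if vals and vals[0].split() else None


def lint_host(instances):
    """instances: {instance_name: torrc_text} for one host -> list of findings."""
    parsed = {name: parse_torrc(t) for name, t in instances.items()}
    binds = {n: orport_ipv4(c.get("ORPort", [])) for n, c in parsed.items()}
    public_ips = {ip for ip in binds.values() if ip is not None and ip.is_global}
    multi_ip = len(public_ips) > 1

    findings = []
    for name, conf in parsed.items():
        ip = binds[name]
        if ip is None or not ip.is_global:
            continue  # bare-port, IPv6-only or NAT instance: rule does not apply
        address = first(conf, "Address")
        outbound = first(conf, "OutboundBindAddress")
        if multi_ip and address is None:
            findings.append((name, "missing-address", "add 'Address %s'" % ip))
        if address is not None and address != str(ip):
            findings.append((name, "address-mismatch",
                             "Address %s vs ORPort %s" % (address, ip)))
        if outbound is not None and outbound != str(ip):
            findings.append((name, "outbound-mismatch",
                             "OutboundBindAddress %s vs ORPort %s" % (outbound, ip)))
    return findings


def torrc(ip, port, address=None):
    """Minimal constructed instance torrc in the shape the role generates."""
    lines = ["# constructed sample, not a real relay",
             "OutboundBindAddress %s" % ip,
             "ORPort %s:%d" % (ip, port),
             "DirPort %s:%d" % (ip, port + 1)]
    if address:
        lines.append("Address %s" % address)
    return "\n".join(lines) + "\n"


# Constructed hosts using the addresses from this thread; nothing collected live.
FOUR_IPS = ("185.220.100.252", "185.220.100.253", "185.220.100.254", "185.220.100.255")
BROKEN_HOST = {"%s_9000" % ip: torrc(ip, 9000) for ip in FOUR_IPS}
FIXED_HOST = {"%s_9000" % ip: torrc(ip, 9000, address=ip) for ip in FOUR_IPS}
SINGLE_IP_HOST = {"185.220.100.252_9000": torrc("185.220.100.252", 9000),
                  "185.220.100.252_9100": torrc("185.220.100.252", 9100)}
NAT_HOST = {"10.0.0.5_9000": torrc("10.0.0.5", 9000),
            "10.0.0.6_9000": torrc("10.0.0.6", 9000)}

if __name__ == "__main__":
    for label, host in (("broken", BROKEN_HOST), ("fixed", FIXED_HOST),
                        ("single-ip", SINGLE_IP_HOST), ("nat", NAT_HOST)):
        print(label, lint_host(host))
```

On a real host, build the `instances` mapping from `/etc/tor/instances/*/torrc`; the single-IP and NAT cases deliberately produce no findings, matching the note that Address is not set when only one public IP is in use and should not be forced when the relay sits behind NAT.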

RedDog99 commented 6 years ago

I think -C prevents the "Check if /etc/resolv.conf contains any Google DNS servers (Exits only)" from running. Without it, the "Abort if Google DNS server is in use (Exits only)" fails. I removed the include for the Google check temporarily. There are some more things why -C -D may not work: "msg": "AnsibleUndefinedVariable: 'dict object' has no attribute 'stdout'" :(

After removing all stdouts (there is even one in the template), I got a new torrc and just the removed stdout changed. So yes, the change solves the problem for me. Thank you for your fast and kind help.

nusenu commented 6 years ago

thanks for testing, I'll be putting out a new release with this fix in the next few hours.

nusenu commented 6 years ago

Workaround is in v0.3.3.

This ticket will remain open until the upstream issue https://trac.torproject.org/projects/tor/ticket/19919 is solved.

nusenu commented 3 years ago

The upstream issue https://gitlab.torproject.org/tpo/core/tor/-/issues/21044 has been closed as wontfix.

We should be fine with our workaround b90109aaf11dc12890eb28e08a19d09479f2d320.