
I would like to run a Tor relay through my VPN (Linux using OpenVPN).

My anonymous VPN service connects through an OpenVPN tun0 interface. I run both "Tor over VPN" and "TBB over VPN" with no problems.

Using the netstat -nr command to check (I blocked out my VPN's public IP address and internal IP addresses):

$ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.---.---.---  0.0.0.0         UG        0 0          0 tun0
10.-.-.-        10.---.---.---  255.255.255.255 UGH       0 0          0 tun0
10.---.---.---  0.0.0.0         255.255.255.255 UH        0 0          0 tun0
111.222.333.444 192.168.1.1     255.255.255.255 UGH       0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0

I have my /etc/tor/torrc configured to run a middle-man relay on port 9001.

Right after, I start Tor using this command:

systemctl start tor.service

And then I use these two netstat commands to check right after starting Tor:

netstat -tuapenv | grep -i established
netstat --all --numeric --programs --inet --inet6

I am able to see about 80 different ESTABLISHED connections to "foreign addresses" that are linked to my VPN's internal IP address in the "Local Address" column.

The 80 different "Foreign Address" entries are only shown for the first few minutes; after a couple of minutes all I have left are my original three EntryGuard IP addresses shown by those netstat commands.


So, if my VPN's public address is 111.222.333.444 and its internal IP address is 10.---.---.---, which connects to my local 127.0.0.1, how would I run a relay that stays connected and shows its IP address on the Tor Network Status page at blutmagie?

Roya
human

3 Answers


A relay requires a public IP address as it needs to accept incoming connections. As far as I can see from your routing table, your tunnel provider does not give you a public IP address. Your Tor log messages should currently contain something like:

Your server has not managed to confirm that its ORPort is reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.

Please note that the idea of running a Tor relay behind a tunnel is not a very good idea. The relayed packets are going to take a round-trip through the tunnel, adding latency and minimizing bandwidth. Please consider running a bridge on the public IP address given by your ISP instead.

mirimir
Lunar

I would add that if you really want to do this you need to forward ports from the outside so that other people's Tor clients can connect to your relay; since you are not being given a public IP, your traffic over the VPN is being NAT'd. Usually VPN services do not want you to do this, and yes, it's generally not a good idea for the reasons above as well.

August Germar

It's very simple: in most of Tor's port-related directives an IP address can be specified. For example, try using ORPort 111.222.333.444:<port> instead of just ORPort <port>. Actually, if you post your torrc config it will be way better and easier to advise you, but the basic concept is in the answer.

Alexey Vesnin
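Taken together, the three answers amount to a checklist an operator can run before expecting a relay behind a tunnel to show up anywhere: does the default route leave through a NATed tunnel, does the torrc advertise an address peers can actually reach, and what does Tor's own ORPort self-test say. The script below is added here as an illustration; it is not code from the question or from any of the answers. It runs those checks over constructed sample data: a routing table in `netstat -nr` layout, Tor notice-log lines (including the warning quoted in the first answer and Tor's success message), and three torrc fragments. The addresses 10.8.0.x, 192.168.1.1 and 203.0.113.10 are placeholders. The NoListen/NoAdvertise pair in the third fragment is the shape the Tor manual documents for NAT'ed relays, and it only helps if the provider really forwards the port.

```python
import ipaddress

# Constructed sample inputs (not from the original post); addresses are placeholders.
NETSTAT_NR = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.8.0.1        0.0.0.0         UG        0 0          0 tun0
10.8.0.5        10.8.0.1        255.255.255.255 UGH       0 0          0 tun0
10.8.0.1        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
203.0.113.10    192.168.1.1     255.255.255.255 UGH       0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
"""
TOR_LOG_NAT = """\
Mar 01 12:00:01.000 [notice] Now checking whether IPv4 ORPort 10.8.0.6:9001 is reachable...
Mar 01 12:20:02.000 [warn] Your server has not managed to confirm that its ORPort is reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
"""
TOR_LOG_OK = """\
Mar 01 12:03:15.000 [notice] Self-testing indicates your ORPort 203.0.113.10:9001 is reachable from the outside. Excellent. Publishing server descriptor.
"""
TORRC_BARE = "ORPort 9001\n"
TORRC_PRIVATE = "ORPort 10.8.0.6:9001\n"
# Shape the Tor manual gives for NAT'ed relays: advertise the public address,
# bind the tunnel address locally, and rely on the provider forwarding the port.
TORRC_FORWARDED = """\
Address 203.0.113.10
ORPort 203.0.113.10:9001 NoListen
ORPort 10.8.0.6:9001 NoAdvertise
"""

# RFC1918, CGNAT and loopback space: an address nobody on the Internet can connect to.
NAT_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "127.0.0.0/8")]


def is_nat_address(addr):
    return any(addr in net for net in NAT_RANGES)


def parse_routes(netstat_text):
    """One dict per route from `netstat -nr` output (Linux column order)."""
    routes = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] in ("Kernel", "Destination"):
            continue
        routes.append({"dst": f[0], "gw": f[1], "mask": f[2], "flags": f[3], "iface": f[7]})
    return routes


def egress_summary(netstat_text):
    """Where outbound traffic leaves; a private gateway means we sit behind NAT."""
    routes = parse_routes(netstat_text)
    default = next((r for r in routes if r["dst"] == "0.0.0.0" and r["mask"] == "0.0.0.0"), None)
    if default is None:
        return None
    gw = ipaddress.ip_address(default["gw"])
    return {"iface": default["iface"], "gateway": str(gw),
            "via_tunnel": default["iface"].startswith(("tun", "tap")),
            "natted": is_nat_address(gw)}


def orport_reachability(log_text):
    """Classify Tor's ORPort self-test from notice-log lines; the latest verdict wins."""
    state = "unknown"
    for line in log_text.splitlines():
        if "has not managed to confirm that its ORPort is reachable" in line:
            state = "unreachable"
        elif "ORPort" in line and "is reachable from the outside" in line:
            state = "reachable"
    return state


def _as_ip(text):
    """ip_address() for a literal, None for hostnames, 'auto' and empty specs."""
    try:
        return ipaddress.ip_address(text.strip("[]")) if text else None
    except ValueError:
        return None


def parse_torrc(torrc_text):
    """Collect Address and every ORPort line: ORPort [address:]PORT|auto [flags...]."""
    address, entries = None, []
    for raw in torrc_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key, rest = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if key == "Address":
            address = rest or None
        elif key == "ORPort" and rest:
            spec, *flags = rest.split()
            addr, _, port = spec.rpartition(":") if ":" in spec else (None, "", spec)
            entries.append({"addr": addr, "port": port, "flags": set(flags)})
    return address, entries


def torrc_findings(torrc_text):
    """What a relay operator behind a tunnel should notice in their torrc."""
    address, entries = parse_torrc(torrc_text)
    findings, explicit_public = [], False
    for e in entries:
        if "NoAdvertise" in e["flags"]:
            continue  # listen-only entry, never published to peers
        addr = _as_ip(e["addr"])
        if addr is None:
            continue  # bare port, 'auto' or hostname: nothing to judge here
        if is_nat_address(addr):
            findings.append(f"advertised ORPort address {addr} is private; peers cannot connect to it")
        else:
            explicit_public = True
    addr_line = _as_ip(address)
    if addr_line is not None and is_nat_address(addr_line):
        findings.append(f"Address {addr_line} is private; the advertised relay address must be public")
    elif not explicit_public and address is None:
        findings.append("no public ORPort address and no Address line; Tor has to guess the relay address")
    return findings


def relay_checklist(netstat_text, log_text, torrc_text):
    """Merge routing, torrc and self-test observations into one list of problems."""
    problems = torrc_findings(torrc_text)
    egress = egress_summary(netstat_text)
    if egress and egress["natted"]:
        where = "a tunnel provider" if egress["via_tunnel"] else "a local router"
        problems.append(f"default route leaves via {egress['iface']} behind {where} (gateway "
                        f"{egress['gateway']}); inbound ORPort connections need that port forwarded")
    if orport_reachability(log_text) == "unreachable":
        problems.append("Tor's self-test says the ORPort is not reachable")
    return problems


if __name__ == "__main__":
    for name, torrc in (("bare", TORRC_BARE), ("private", TORRC_PRIVATE), ("forwarded", TORRC_FORWARDED)):
        print(f"--- torrc: {name}")
        for problem in relay_checklist(NETSTAT_NR, TOR_LOG_NAT, torrc):
            print(" -", problem)
```

On a real host, replace the constructed strings with the output of `netstat -nr`, the Tor notice log, and the actual `/etc/tor/torrc`. Even with the forwarded-port torrc shape, the routing check still reports the private tunnel gateway, which is the point of the first two answers: the config can only advertise a public address, it cannot create one.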