Re: [tor-relays] Auto-discovered IPv6 address [...] has not been found reachable.

Fran wrote:
Hej,

Hello,

TLS handshake succeeds for me from my laptop:

$ curl --insecure https://[2a02:a446:5ef1:1:d072:53ff:fef4:ea59] -v
* Trying 2a02:a446:5ef1:1:d072:53ff:fef4:ea59:443...
* Connected to 2a02:a446:5ef1:1:d072:53ff:fef4:ea59
(2a02:a446:5ef1:1:d072:53ff:fef4:ea59) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=www.s5uu2cs3ui4yok4.net
* start date: Nov 2 00:00:00 2021 GMT
* expire date: Apr 16 00:00:00 2022 GMT
* issuer: CN=www.yi5r3anmk2gd3fbqrw4.com
* SSL certificate verify result: unable to get local issuer certificate (20),
continuing anyway.

GET / HTTP/1.1
Host: [2a02:a446:5ef1:1:d072:53ff:fef4:ea59]
User-Agent: curl/7.82.0
Accept: */*

* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
^C

What if you configure the IPv6 address by hand in torrc?

for months my torrc had

  ORPort 443 IPv4Only
  ORPort [2a02:a446:5ef1:1:d072:53ff:fef4:ea59]:443 IPv6Only

  Address XXX

and read in the logs:

  Unable to find IPv6 address for ORPort 443. You might want to specify
  IPv4Only to it or set an explicit address or set Address.

(XXX had only the A record)

Can you please send your torrc and the output of

--- cut here ---
ContactInfo flev @ kpnmail . nl
Nickname RealityLeighWinner

ExitPolicy reject *:*
ExitPolicy reject6 *:*

AvoidDiskWrites 1

DirPort 80
ORPort 443

Address XXX
--- cut here ---

where XXX is a DNS entry with both A and AAAA records.

ip route show table all

default via 192.168.2.254 dev eth0
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.102
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.2.0 dev eth0 table local proto kernel scope link src 192.168.2.102
local 192.168.2.102 dev eth0 table local proto kernel scope host src 192.168.2.102
broadcast 192.168.2.255 dev eth0 table local proto kernel scope link src 192.168.2.102
::1 dev lo proto kernel metric 256 pref medium
2a02:a446:5ef1:1::/64 dev eth0 proto kernel metric 256 expires 257593sec pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::7e39:53ff:fef6:d2cc dev eth0 proto ra metric 1024 expires 1464sec hoplimit 64 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2a02:a446:5ef1:1:d072:53ff:fef4:ea59 dev eth0 table local proto kernel metric 0 pref medium
local fe80::d072:53ff:fef4:ea59 dev eth0 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium

ip address show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether d2:72:53:f4:ea:59 brd ff:ff:ff:ff:ff:ff permaddr 00:1e:06:42:f9:14
    inet 192.168.2.102/24 brd 192.168.2.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 2a02:a446:5ef1:1:d072:53ff:fef4:ea59/64 scope global dynamic mngtmpaddr
       valid_lft 257524sec preferred_lft 171124sec
    inet6 fe80::d072:53ff:fef4:ea59/64 scope link
       valid_lft forever preferred_lft forever

BTW, it's also silly that the DirPort seems not effective. I can reach it from outside but don't
get it in the descriptor.

This is the output of ss -plt:

LISTEN 0 4096 0.0.0.0:80 0.0.0.0:* users:(("tor",pid=992,fd=9))
LISTEN 0 4096 127.0.0.1:9050 0.0.0.0:* users:(("tor",pid=992,fd=6))
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:* users:(("tor",pid=992,fd=7))
LISTEN 0 4096 [::]:443 [::]:* users:(("tor",pid=992,fd=8))

tnx & ciao,
fran

thanks
Oo.


_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Onion Operator wrote:

What if you configure the IPv6 address by hand in torrc?

for months my torrc had

   ORPort 443 IPv4Only
   ORPort [2a02:a446:5ef1:1:d072:53ff:fef4:ea59]:443 IPv6Only

   Address XXX

and read in the logs:

   Unable to find IPv6 address for ORPort 443. You might want to specify
   IPv4Only to it or set an explicit address or set Address.

(XXX had only the A record)

Add a second Address entry with the IPv6 address.

so:
ORPort 443 IPv4Only
ORPort [2a02:a446:5ef1:1:d072:53ff:fef4:ea59]:443 IPv6Only
Address XXX
Address [2a02:a446:5ef1:1:d072:53ff:fef4:ea59]

Where XXX is the hostname that has only an `A` record.

Or add an `AAAA` record with the IPv6 address to XXX hostname and use a single Address entry with `Address XXX`.

See if this works for you.

When IPv6 autodiscovery that was badly needed was coded maybe this particular use case was not considered.

I guess your IPv4 is Dynamic and IPv6 is static, which is why you use XXX with some kind of DynamicDNS?

Please test and let us know if it worked with the indications above, otherwise let me know so I'll open a Bug ticket.
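
The two remedies suggested in the reply above (a second `Address` line with the IPv6 literal, or an `AAAA` record on the hostname) can be checked before restarting the relay. The following is an added example, not part of the thread and not Tor's own address-discovery logic; `relay.example` is a placeholder for the redacted hostname XXX, and the function names are hypothetical.

```python
import ipaddress
import socket

# Constructed sample mirroring the torrc quoted in the thread; "relay.example"
# is a placeholder for the redacted hostname XXX.
SAMPLE_TORRC = """\
ORPort 443 IPv4Only
ORPort [2a02:a446:5ef1:1:d072:53ff:fef4:ea59]:443 IPv6Only
Address relay.example
"""

def system_resolver(host):
    """Address families (4 and/or 6) the OS resolver returns for a hostname."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return set()
    return {ipaddress.ip_address(i[4][0].split("%")[0]).version for i in infos}

def parse_torrc(text):
    """Collect Address and ORPort values, skipping comments and other options."""
    opts = {"address": [], "orport": []}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() in opts:
            opts[parts[0].lower()].append(parts[1].strip())
    return opts

def address_families(value, resolver):
    """Families an Address value supplies: IP literal, else hostname lookup."""
    try:
        return {ipaddress.ip_address(value.strip("[]")).version}
    except ValueError:
        return set(resolver(value))

def check_ipv6(text, resolver=system_resolver):
    """Return (ok, message) for the IPv6 side of a torrc."""
    opts = parse_torrc(text)
    # Any ORPort line without the IPv4Only flag is treated as wanting IPv6.
    if all("ipv4only" in p.lower().split() for p in opts["orport"]):
        return True, "no IPv6 ORPort requested"
    families = set()
    for value in opts["address"]:
        families |= address_families(value, resolver)
    if 6 in families:
        return True, "an Address entry supplies an IPv6 address"
    return False, "add an IPv6 Address line or an AAAA record for the hostname"

if __name__ == "__main__":
    print(check_ipv6(SAMPLE_TORRC, resolver=lambda host: {4}))  # A-only hostname
```

Called without a `resolver` argument, `check_ipv6` uses the system resolver, so it reflects what the hostname currently publishes.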

Onion Operator wrote:

>> What if you configure the IPv6 address by hand in torrc?
>
> for months my torrc had
>
> ORPort 443 IPv4Only
> ORPort [2a02:a446:5ef1:1:d072:53ff:fef4:ea59]:443 IPv6Only
>
> Address XXX
>
> and read in the logs:
>
> Unable to find IPv6 address for ORPort 443. You might want to specify
> IPv4Only to it or set an explicit address or set Address.
>
> (XXX had only the A record)

Add a second Address entry with the IPv6 address.

so:
ORPort 443 IPv4Only
ORPort [2a02:a446:5ef1:1:d072:53ff:fef4:ea59]:443 IPv6Only
Address XXX
Address [2a02:a446:5ef1:1:d072:53ff:fef4:ea59]

Where XXX is the hostname that has only an `A` record.

Or add an `AAAA` record with the IPv6 address to XXX hostname and use a
single Address entry with `Address XXX`.

See if this works for you.

Yes, it works! Thanks :)

I went for

ORPort 443 IPv4Only
ORPort [2a02:a446:5ef1:1:d072:53ff:fef4:ea59]:443 IPv6Only
Address XXX

Where XXX has both A and AAAA records.

When IPv6 autodiscovery that was badly needed was coded maybe this
particular use case was not considered.

I guess your IPv4 is Dynamic and IPv6 is static, which is why you use XXX
with some kind of DynamicDNS?

The IPv4 address is very stable. I think it's now pinned to me, its
reverse points to 77-162-229-73.fixed.kpn.net


On 14/03/2022 11:07 s7r <s7r@sky-ip.org> wrote:

Please test and let us know if it worked with the indications above,
otherwise let me know so I'll open a Bug ticket.