
Tor: Fix ORPort stability

Sunil Mohan Adapa requested to merge sunilmohan/freedombox:tor-port-fixes into master

When ORPort is set to 'auto', Tor automatically allocates a port for it. During its first run, we are able to extract the port number and open the firewall port. However, unlike for pluggable transports, Tor does not seem to store this port for future reuse in the state file. It hence opens a new port every time it is started. This leads to a new port being assigned on the next Tor startup and to the relay functionality not being reachable from outside.

According to the documentation, the only possible values for ORPort are a fixed number, 0 (disable) or auto (current behavior). Choose 9001 as this is the commonly used port number for ORPort. The recommended port number of 443 is not possible in FreedomBox because it is used for other purposes.

Closes: #1495 (closed). Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>

Note: The documentation for pluggable transports suggests ORPort 9001. So, it should be okay to have a stable ORPort even while bridge relays are enabled.

Performed testing as follows:

- Fresh install with patch applied:
  - Setup succeeded.
  - Download software tor is enabled.
  - ORPort is set to 9001.
  - firewall-cmd --list-all-zones shows tor-orport
  - firewall-cmd --list-all-zones --permanent shows tor-orport
  - /etc/firewalld/services/tor-orport.xml shows port 9001.
  - Tor page shows orport 9001.
  - See message "Opened OR listener on 0.0.0.0:9001" in journalctl -u tor@plinth
  - Restart Tor
    - Tor page shows orport 9001.
    - See message "Opened OR listener on 0.0.0.0:9001" in journalctl -u tor@plinth
- Install Tor without patch applied:
  - Enable relay
  - Enable bridge relay
  - Disable Tor
  - Upgrade to Tor with patch.
  - firewall-cmd --list-all-zones should not show tor ports.
  - /etc/tor/instances/plinth/torrc should show ORPort as 9001
  - /etc/firewalld/services/tor-orport.xml should show port as 9001
  - Tor should not be running
  - Tor should not be enabled.
  - Relay should be enabled
  - Bridge relay should be enabled.
- Install Tor without patch applied:
  - Disable relay
  - Disable bridge relay
  - Disable Tor
  - Upgrade to Tor with patch.
  - firewall-cmd --list-all-zones should not show tor ports.
  - /etc/tor/instances/plinth/torrc should not show ORPort
  - /etc/firewalld/services/tor-orport.xml should show port as 9001
  - Tor should not be running
  - Tor should not be enabled.
  - Relay should be disabled.
  - Bridge relay should be disabled.
- Install Tor without patch applied:
  - Enable relay
  - Enable bridge relay
  - Enable Tor
  - Upgrade to Tor with patch.
  - firewall-cmd --list-all-zones should show tor ports.
  - nft list ruleset should show 9001 port opened.
  - /etc/tor/instances/plinth/torrc should show ORPort as 9001
  - /etc/firewalld/services/tor-orport.xml should show port as 9001
  - Tor should be running
  - Tor should be enabled.
  - Relay should be enabled.
  - Bridge relay should be enabled.
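The failure mode described in this merge request (an ORPort of `auto` that the firewall rule cannot follow across restarts) and the condition the test plan checks by hand (the ORPort in torrc matching the port in the firewalld service file) can both be verified mechanically. The following is an added example, not code from the merge request or from FreedomBox; it is written in Python because FreedomBox (Plinth) is a Python project. The torrc and `tor-orport.xml` contents are constructed samples shaped like the files the test plan names, and the helper names (`orport_listeners`, `firewalld_tcp_ports`, `check_orport`) are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples (not copied from FreedomBox) in the two formats the
# merge request refers to: the torrc of the "plinth" Tor instance and the
# firewalld service definition /etc/firewalld/services/tor-orport.xml.
TORRC_BEFORE = """\
# relay settings as written before the fix (constructed sample)
ORPort auto
ExitPolicy reject *:*
"""

TORRC_AFTER = """\
# relay settings as written after the fix (constructed sample)
ORPort 9001
ExitPolicy reject *:*
"""

TOR_ORPORT_XML = """\
<service>
  <short>tor-orport</short>
  <description>Tor OR port (constructed sample)</description>
  <port protocol="tcp" port="9001"/>
</service>
"""

# Tor's syntax is 'ORPort [address:]PORT|auto [flags]'; option names are
# case-insensitive.
_ORPORT_RE = re.compile(r'^\s*ORPort\s+(\S+)(.*)$', re.IGNORECASE)


def orport_listeners(torrc_text):
    """Return the port spec ('9001', 'auto', '0', ...) of every ORPort line
    that actually creates a listener.

    Lines carrying the NoListen flag only advertise a port and are skipped.
    A leading address such as '0.0.0.0:' or '[::]:' is dropped.
    """
    listeners = []
    for raw in torrc_text.splitlines():
        line = raw.split('#', 1)[0]  # strip trailing comments
        match = _ORPORT_RE.match(line)
        if not match:
            continue
        spec, rest = match.group(1), match.group(2)
        flags = {flag.lower() for flag in rest.split()}
        if 'nolisten' in flags:
            continue
        port = spec.rsplit(':', 1)[-1]
        listeners.append(port.lower())
    return listeners


def firewalld_tcp_ports(service_xml):
    """Return the set of TCP ports (as strings) a firewalld service opens."""
    root = ET.fromstring(service_xml)
    return {elem.get('port') for elem in root.iter('port')
            if elem.get('protocol') == 'tcp'}


def check_orport(torrc_text, service_xml):
    """Return a list of problems; an empty list means every OR listener is
    on a fixed port that the firewalld service also opens."""
    problems = []
    opened = firewalld_tcp_ports(service_xml)
    for port in orport_listeners(torrc_text):
        if port == 'auto':
            problems.append('ORPort auto: Tor picks a new port on each '
                            'start, so a firewall rule cannot track it')
        elif port == '0':
            continue  # relay disabled, nothing to open
        elif port not in opened:
            problems.append(f'ORPort {port} is not opened by the '
                            f'firewalld service')
    return problems


if __name__ == '__main__':
    # On a real system these would be read from
    # /etc/tor/instances/plinth/torrc and
    # /etc/firewalld/services/tor-orport.xml (paths named in the test plan).
    for label, torrc in (('before', TORRC_BEFORE), ('after', TORRC_AFTER)):
        print(label, check_orport(torrc, TOR_ORPORT_XML) or 'OK')
```

The check deliberately treats `NoListen` lines as harmless and `ORPort 0` as "relay disabled", so it reports only the two states that make a relay unreachable: an `auto` port, or a fixed port the firewall does not open.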
