|
|
[[PageOutline(2-3)]]
|
|
|
|
|
|
= A Tor relay operators IPv6 HOWTO =
|
|
|
# A Tor relay operators IPv6 HOWTO
|
|
|
|
|
|
In Oct 2012, support for clients connecting to relays as well as relays publishing IPv6 addresses and accepting clients connecting over IPv6 had been implemented. As of Jan 2013, there is also support for exiting to IPv6 destinations. See [https://trac.torproject.org/projects/tor/wiki/org/roadmaps/Tor/IPv6 Tor on IPv6 road map] for more detailed information about which versions of Tor that support different aspects of Tor on IPv6.
|
|
|
In Oct 2012, support for clients connecting to relays as well as relays publishing IPv6 addresses and accepting clients connecting over IPv6 had been implemented. As of Jan 2013, there is also support for exiting to IPv6 destinations. See [Tor on IPv6 road map](https://trac.torproject.org/projects/tor/wiki/org/roadmaps/Tor/IPv6) for more detailed information about which versions of Tor that support different aspects of Tor on IPv6.
|
|
|
|
|
|
== 1 Relays on IPv6 ==
|
|
|
## 1 Relays on IPv6
|
|
|
Assuming that you already have an ordinary IPv4 relay up and running, this is how to make it an IPv6 relay.
|
|
|
|
|
|
The way you make your relay bind to and publish an IPv6 OR port is to add another ORPort config option to your torrc file. You can keep your IPv4 ORPort option as is.
|
|
|
|
|
|
For the time being you need to configure your numeric IPv6 address explicitly within square brackets^[#fn1 1]^, like so:
|
|
|
|
|
|
{{{
|
|
|
```
|
|
|
ORPort [2001:DB8::1]:9050
|
|
|
}}}
|
|
|
```
|
|
|
|
|
|
Clients use IPv4 and IPv6 ORPorts (because they are more anonymous^[#fn2 2]^). Relays use IPv4 DirPorts and IPv4 ORPorts. So there is no reason to configure an IPv6 DirPort - if you do, it won't be published in your descriptor, and it will never be used by other tors to download directory documents.
|
|
|
|
... | ... | @@ -21,38 +21,38 @@ If your relay becomes a Guard, a small number of clients will use its IPv6 ORPor |
|
|
|
|
|
There is currently no way of running an IPv6 only relay^[#fn4 4]^. Your relay will have to publish both an IPv4 and an IPv6 OR port. This limitation will go away but note that your relay will need to be able to make outgoing IPv4 connections for a foreseeable future.
|
|
|
|
|
|
The !OutboundBindAddress config option can be set to make Tor use a specific source address for outbound connections. This can be useful if your host has more than one IPv6 address. This option can be used twice, once per address family. Enclose an IPv6 address in square brackets.
|
|
|
The OutboundBindAddress config option can be set to make Tor use a specific source address for outbound connections. This can be useful if your host has more than one IPv6 address. This option can be used twice, once per address family. Enclose an IPv6 address in square brackets.
|
|
|
|
|
|
After making changes to the torrc file, a restart of Tor is recommended. Some reconfiguration is done properly when Tor is sent a HUP signal while other is not. Please note that you won't get a warning about your OR port not being reachable if it isn't^[#fn5 5]^. It may take some time (more than 24h) for the directory authorities to confirm your relay is reachable over ipv6 and flag it as ReachableIPv6.
|
|
|
|
|
|
=== 1.1 Ordinary relays ===
|
|
|
### 1.1 Ordinary relays
|
|
|
The IPv6 OR port of an ordinary relay should show in the consensus as an "a" line. For example:
|
|
|
|
|
|
{{{
|
|
|
```
|
|
|
a [2001:DB8::1]:9030
|
|
|
}}}
|
|
|
```
|
|
|
|
|
|
In order to be able to exit to IPv6 addresses, exit relays __must__ set
|
|
|
|
|
|
{{{
|
|
|
```
|
|
|
IPv6Exit 1
|
|
|
}}}
|
|
|
```
|
|
|
|
|
|
If you don't want to exit to IPv6, please set the exit policy for IPv6 to reject all exiting to IPv6 addresses:
|
|
|
|
|
|
{{{
|
|
|
```
|
|
|
ExitPolicy reject6 *:*
|
|
|
}}}
|
|
|
```
|
|
|
|
|
|
=== 1.2 Bridges ===
|
|
|
### 1.2 Bridges
|
|
|
A bridge relay with an IPv6 OR port will be distributed by the Bridge DB. The part of IPv6 bridges ending up in the "http pool" are accessed through https://bridges.torproject.org/?ipv6=True.
|
|
|
|
|
|
== 2 Authoritative directory specifics ==
|
|
|
## 2 Authoritative directory specifics
|
|
|
The AuthDirHasIPv6Connectivity config option is used to make an authoritative directory require successful reachability testing of IPv6 OR ports to consider voting for them (or simply publish them, in the case of a bridge authority).
|
|
|
|
|
|
Note that authorities, directory as well as bridge, do not yet make full use of IPv6^[#fn6 6]^. Specifically, there is no way to make an authority export any of its authority-specific functions over IPv6 -- an authority can not vote over IPv6, and more.
|
|
|
|
|
|
== 3 Client behaviour ==
|
|
|
## 3 Client behaviour
|
|
|
|
|
|
A few notes on how clients behave. Might be useful for testing your relays.
|
|
|
|
... | ... | @@ -68,7 +68,7 @@ For dual-stack clients (ClientUseIPv6 1), setting ClientPreferIPv6ORPort 1 might |
|
|
|
|
|
Note that clients running with bridges do not need to set any IPv6 specific configuration options in order to connect to bridges over IPv6. Putting an IPv6 address in a !Bridge option is enough.
|
|
|
|
|
|
== Footnotes ==
|
|
|
## Footnotes
|
|
|
[=#fn1 1:] #5940: Figure out own IPv6 address
|
|
|
|
|
|
[=#fn2 2:] #18483: Clients should always tunnel connections, and never fall back to a DirPort
|
... | ... | |