UpdateTor

emdee 2022-10-28 19:46:25 +00:00
parent d62f1d6bf2
commit dc5f8688ef
2 changed files with 70 additions and 59 deletions

@ -6,16 +6,16 @@ is vulnerable to being completely taken down by blocking a small
number of nodes. This is already happening in places like Iran. number of nodes. This is already happening in places like Iran.
It would help if all the BS node operators could also run a Tor client It would help if all the BS node operators could also run a Tor client
(not exit node), in addition to running their node. There are no risks (not exit node), in addition to running their node. There should be no
to the BS operator from running a Tor client in any country that Tor risks from running a Tor client as it's not exit node, and the
is still legal as it's not exit node, and the overhead in negligible. overhead in negligible. The onion server is a 127.0.0.1 service, so
The onion server is a 127.0.0.1 service, so cannot be seen by your ISP. cannot be seen by your ISP. The BS service is on the opennet anyway
The BS service is on the opennet anyway so an onion is just another so an onion is just another access method. So we get dozens of Tor
access method. So we get dozens of Tor onion nodes running quickly, onion nodes running quickly, we could test out running Tox *in* Tor
we could test out running Tox *in* Tor using Hidden Services. If the using Hidden Services. If the Tox nodebase was improved to serve BS
Tox nodebase was improved to serve BS nodes, it would be much more nodes, it would be much more resilient. I'm assuming the adversaries
resilient. I'm assuming the adversaries cannot block .onion addresses cannot block .onion addresses within Tor, which I think is a valid
within Tor, which I think is a valid assumption for now. assumption for now.
There are [simple instructions](https://community.torproject.org/onion-services/setup/) There are [simple instructions](https://community.torproject.org/onion-services/setup/)
to get Tor up and running, and it's distributed in all Linux distributions. to get Tor up and running, and it's distributed in all Linux distributions.
@ -52,25 +52,25 @@ and post it along with your node's public key to the
## Using an Onion Bootstrap node ## Using an Onion Bootstrap node
To let your client know that you have an onion node it can user, To let your client know that you have an onion node it can user,
you need to add the onion address to your DHTnode.json file. you need to add the onion address to your DHTnode.json file.
But Tox clients don't understand onion addresses and until they do, But Tox clients don't understand onion addresses and until they do,
we do the following: we do the following:
1. Get the IP address your Tor assigns to the onion address 1. Get the IP address your Tor assigns to the onion address:
``` ```
tor-resolve -4 l2ct3xnuaiwwtoybtn46qp2av4ndxcguwupzyv6xrsmnwi647vvmwtqd.onion tor-resolve -4 l2ct3xnuaiwwtoybtn46qp2av4ndxcguwupzyv6xrsmnwi647vvmwtqd.onion
``` ```
It will reply with an IPv4 address starting with ```172.```. It will reply with an IPv4 address starting with ```172.```.
You'll need the pubkic key of your BS server. Take that address and 2. You'll need the pubkic key of your BS server. Take that address and
add to the DHTnodes.json file in the list of ```nodes```. add to the DHTnodes.json file as a new dictionary in the list of ```nodes```.
If your nodes file is line one line you can pretty it up with the If your nodes file is one long line you can pretty it up with the
jq utility: ```jq . < DHTnodes.json > Prettynodes.json```. jq utility: ```jq . < DHTnodes.json > Prettynodes.json```.
Put the address in the ```ipv4``` slot and the Make a new entry at the beginning of the nodes list: after the ```[```
and followed by a ```,``` - put the address in the ```ipv4``` slot and the
port in the tcp_ports list and put the onion address as the location. port in the tcp_ports list and put the onion address as the location.
``` ```
{"last_scan": 1665034198, {"last_scan": 1665034198,
@ -97,14 +97,15 @@ port in the tcp_ports list and put the onion address as the location.
}, },
``` ```
You can also add this pair to the onions slot in your entry in the You can copy the above and add the onion:port pair to the onions slot
DHTnodes.json file. If there is not an onions slot, create one. and update the rest of the fields.
### Updating ### Updating
This IP address changes each time Tor restarts, so each time Tor This IP address changes each time Tor restarts, so each time Tor
restarts the DHTnodes.json file needs updating. You can assign it restarts ipv4 field of you entry in the DHTnodes.json file needs updating.
a permanent IP address by using the MapAddress line in the torrc: You can assign it a permanent IP address by using the MapAddress line
in the torrc:
``` ```
MapAddress l2ct3xnuaiwwtoybtn46qp2av4ndxcguwupzyv6xrsmnwi647vvmwtqd.onion 10.192.0.1 MapAddress l2ct3xnuaiwwtoybtn46qp2av4ndxcguwupzyv6xrsmnwi647vvmwtqd.onion 10.192.0.1
``` ```
@ -114,10 +115,24 @@ You can use any address in the range defined by
VirtualAddrNetworkV4 10.192.0.0/10 VirtualAddrNetworkV4 10.192.0.0/10
``` ```
These addresses will be permanent and will not change with Tor restarts.
You can similarly add all the Tox onions you know about in this manner. You can similarly add all the Tox onions you know about in this manner.
We can work on a script that automates this. We can work on a script that automates this, and a way of publishing
onions in the mailing list or an NGC group.
### Client Side
A person that is already using Tor as a client, and Tox over Tor,
only needs to add the first section in the ```/etc/tor/torrc```
described above, and the MapAddress lines. We could have our update
utility read the DHTnodes file and look for onions slot, and
print out the MapAddress lines to be added to the ```torrc```.
Then they'll be using Tox *in* Tor with no vulnerabilities to the
BS node being blocked, or vulnerabilities at exit nodes.
Details: Details:
* https://git.plastiras.org/emdee/tox_profile/ToxAndTorInChinaAndIran * https://git.plastiras.org/emdee/tox_profile/ToxAndTorInChinaAndIran
* https://community.torproject.org/onion-services/setup/ * https://community.torproject.org/onion-services/setup/
* https://community.torproject.org/onion-services/ * https://community.torproject.org/onion-services/
* https://www.wired.com/story/tor-browser-russia-blocks/

@ -1,6 +1,6 @@
Up: [[Home]] Up: [[Home]]
From: https://github.com/TokTok/c-toxcore/issues/419 Following up on: https://github.com/TokTok/c-toxcore/issues/419
I don't think indistinguishable message bytes and sizes are going to I don't think indistinguishable message bytes and sizes are going to
make any difference when they are sent over a network of so few bootstrap nodes. make any difference when they are sent over a network of so few bootstrap nodes.
@ -14,20 +14,19 @@ traffic look like another protocol like HTTP or whatever:
<https://snowflake.torproject.org/> <https://snowflake.torproject.org/>
So the best way to handle this may be to improve the documentation in So the best way to handle this may be to improve the documentation in
Tox of how to use Tor, and how to configure Tor to use pluggable Tox clients of how to use Tor. Whether or not you trust Tor
transports (obfs4). Whether or not you trust Tor (you can't trust (you can't trust exit nodes 40% of the time) it is the only thing
Exit nodes 40% of the time) they are the only things that work right that works right now in e.g. Egypt or Iran. And people can test the Tor
now in e.g. Egypt or Iran. And people can test the Tor setup with setup with their brower (or TorBrowser) to make sure they are working
their brower (or TorBrowser) to make sure they are working before before they try Tox over Tor.
they try Tox over Tor.
I also think the only way of getting a lot of resilience "cheaply" is The only way of getting a lot of resilience "cheaply" is to encourage
to encourage bootstrap node operators to also run a Tor client to serve bootstrap node operators to also run a Tor client to serve the node
the BS node over Onionv3. This is the only way I can see dealing with the over Onionv3. This is the only way I can see dealing with the fact
fact that Tox is a network of so few bootstrap nodes. If the Tox nodebase was that Tox is a network of so few bootstrap nodes. If the Tox nodebase was
improved to serve BS nodes, and OnionV3 relays, it would be much more resilient. improved to serve BS nodes, and OnionV3 relays, it would be much more
I'm assuming the adversaries cannot block .onion addresses within Tor, resilient. I'm assuming the adversaries cannot block .onion addresses
which I think is a valid assumption for now. within Tor, which I think is a valid assumption for now.
There is a way of configuring a Tor client to uniquely assign a There is a way of configuring a Tor client to uniquely assign a
life-of-the-tor-instance IPv4 address from a predefined private range life-of-the-tor-instance IPv4 address from a predefined private range
@ -40,22 +39,21 @@ the heavy lifting of the
of pluggable transports etc. to Tor, and not try to chase them ourselves. of pluggable transports etc. to Tor, and not try to chase them ourselves.
If you have such a list of onion addresses, the Tor user, who is running a Tor If you have such a list of onion addresses, the Tor user, who is running a Tor
instance anyway to connect with the Tox client, adds this to the ```/etc/tor/torrc``` instance anyway to connect with the Tox client, adds this to the
```/etc/tor/torrc```
``` ```
VirtualAddrNetworkIPv4 172.16.0.0/12 VirtualAddrNetworkIPv4 172.16.0.0/12
AutomapHostsOnResolve 1 AutomapHostsOnResolve 1
``` ```
Then with the list of onion addresses for BS nodes that are running Tox as OnionV3, Then with the list of onion addresses for BS nodes that are running Tox
you can simply add aliases for the OnionV3 BS nodes directly into the as OnionV3, you can simply add aliases for the OnionV3 BS nodes directly
```/etc/torrc```. into the ```/etc/torrc``` with the ```MapAddress``` command:
Then the client running Tox over Tor can add aliases for each BS node directly
into your ```/etc/torrc``` with the ```MapAddress``` command
``` ```
MapAddress h5g52d26mmi67pzzln2uya5msfzjdewengefaj75diipeskoo252lnqd.onion 172.16.0.1 MapAddress h5g52d26mmi67pzzln2uya5msfzjdewengefaj75diipeskoo252lnqd.onion 172.16.0.1
``` ```
[Orbot on Android](https://github.com/guardianproject/orbot/releases) [Orbot on Android](https://github.com/guardianproject/orbot/releases)
supports the user adding custom lines to the ```torrc``` so you don't supports the user adding custom lines to the ```torrc``` so you don't
need to be routed on Android. need to be rooted on Android.
Or you can use ```tor-resolve``` or ```tor-resolve -4``` to get the Or you can use ```tor-resolve``` or ```tor-resolve -4``` to get the
good-for-you-only IP addresses of OnionV3 BS nodes in IPv4. So the Tox user good-for-you-only IP addresses of OnionV3 BS nodes in IPv4. So the Tox user
@ -64,13 +62,12 @@ and boostraps his Tox client over Tor Onions . This works with
*libtoxcore is it is today*, as long as your client doesn't suffer from *libtoxcore is it is today*, as long as your client doesn't suffer from
the dreaded deranged-hard-coded-bs syndrome. the dreaded deranged-hard-coded-bs syndrome.
If we adopt a convention of us using the location fields of the If we adopt a convention of putting a new onions field in the DHTnodes.json,
DHTnodes.json, this process could be automated by a simple Python script. this process could be automated by a simple Python script. The script could:
The script could:
1. download the nodes file, 1. download the nodes file,
2. check for the location field, 2. check for the location or onions field,
3. test the connection to the onion, 3. test the connection to the onion,
4. use tor-resolve or the Python stem library to get the IPv4 address 4. use tor-resolve to get the IPv4 address
5. add the address to the DHTnodes.json 5. add the address to the DHTnodes.json
6. repeat and rinse daily. 6. repeat and rinse daily.
@ -78,19 +75,11 @@ These steps would be automated by a simple bash or Python script,
perhaps a Python script wrapped into an exe for Windows/Android. If perhaps a Python script wrapped into an exe for Windows/Android. If
you use MapAddress these mapped addresses are stable life of the Tor you use MapAddress these mapped addresses are stable life of the Tor
instance and the script would need rerunning when Tor is restarted. instance and the script would need rerunning when Tor is restarted.
You can do the equivalent of tor-resolve in standard Python.
The best thing we can do is to make these instructions available with The best thing we can do is to make these instructions available with
Tox downloads, and to ensure that all distributions of Tox come with Tox downloads, and to ensure that all distributions of Tox come with
tor-resolve and the script on all platforms. I doubt tor-resolve comes the script on all platforms.
with OrBot and I doubt it comes with
[Tor](https://www.torproject.org/download/) on Windows or
[Torbrowser on Windows](https://www.torproject.org/download/).
We could ask the maintainers of
[TRIfA](https://f-droid.org/en/packages/com.zoffcc.applications.trifa/) and
[aTOX](https://f-droid.org/en/packages/ltd.evilcorp.atox) to include
it in their distributions, and it would be simple for us to compile a version
of ```tor-resolve``` for our packages to make sure it is available to our
users. It's just a standalone static utility that rarely changes.
It's currently impossible to test as there is no equivalent It's currently impossible to test as there is no equivalent
to the ```other/fun/bootstrap_node_info.py``` script for TCP connections. to the ```other/fun/bootstrap_node_info.py``` script for TCP connections.
@ -102,7 +91,6 @@ So we need a simple fix to the TCP_server code to at least look for a
special packet like this and be nice and send a simple nice reply like special packet like this and be nice and send a simple nice reply like
the UDP case. Raised as https://github.com/TokTok/c-toxcore/issues/2331 the UDP case. Raised as https://github.com/TokTok/c-toxcore/issues/2331
We should not kid ourselves that we don't all live in China or Iran - We should not kid ourselves that we don't all live in China or Iran -
the planet is in a loc$down, and I think we might quickly find out just the planet is in a loc$down, and I think we might quickly find out just
how much resiliance we need. s/China/Iran/Syria/Russia/GDR how much resiliance we need. s/China/Iran/Syria/Russia/GDR
@ -112,5 +100,13 @@ how much resiliance we need. s/China/Iran/Syria/Russia/GDR
* https://www.eff.org/deeplinks/2011/05/syrian-man-middle-against-facebook * https://www.eff.org/deeplinks/2011/05/syrian-man-middle-against-facebook
* https://www.lifesitenews.com/news/biden-executive-order-allows-spying-on-americans-to-assess-political-instability-climate-threats/ * https://www.lifesitenews.com/news/biden-executive-order-allows-spying-on-americans-to-assess-political-instability-climate-threats/
PS: I doubt tor-resolve comes with OrBot and I doubt it comes with
[Tor](https://www.torproject.org/download/) on Windows or
[Torbrowser on Windows](https://www.torproject.org/download/).
We could ask the maintainers of
[TRIfA](https://f-droid.org/en/packages/com.zoffcc.applications.trifa/) and
[aTOX](https://f-droid.org/en/packages/ltd.evilcorp.atox) to include
it in their distributions, but if our script is in Python, we don't need it.
Up: [[DDosSmallNumberOfBSNodes]] Up: [[DDosSmallNumberOfBSNodes]]