-
Notifications
You must be signed in to change notification settings - Fork 36.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Connect to Tor hidden services by default #7090
Conversation
Concept ACK, but I'm not sure setting onion proxy to 127.0.0.1:9051 by default is a good idea. Maybe a better approach would be to have torcontrol set -onion proxy automatically, when it manages to negotiate with tor? |
So, the disadvantage with that idea is support for the HS control thing is actually pretty recent, while connecting to 127.0.0.1:9050 works with any Tor version. OTOH, come to think of it there's a valid argument that we want the # of nodes connecting to HS's to grow in line with the number of nodes making them available. |
In principle the tor control port authentication/communication works with older versions. It's just the HS creation itself that is recent. If the control connection is also used for other things it could tolerate that failing. |
@laanwj How about this? I looked into getting the proxy info automatically; doesn't look to be trivial as you have to use the GETCONF command on the control port to read the config file values yourself, and what they actually mean for you is non-trivial. I'm inclined to just use the hardcoded default - pretty rare for that to be setup differently. |
(and yeah, the duplication of code is kinda ugly; open to suggestions) |
Agree that this may be the best thing to do for now. This sets (and you are right, actually getting a proxy port from Tor given just the control port seems to be non-trivial! I thought it was just me) Maybe also disable the NET_TOR proxy in |
Concept ACK. We should do something like this; otherwise we could get a strange result where listening gets commonly setup but we can't connect out to it! |
Concept ACK On November 24, 2015 2:24:50 PM PST, Gregory Maxwell notifications@github.com wrote:
|
(see posts below for better option) |
d122002
to
d4df507
Compare
@laanwj The problem is SocksPort can be in many different formats depending on the local configuration, not to mention multiple lines of SocksPort's. Re: disconnected_cb, I'm inclined to just leave the behavior the same as what -onion would do anyway for simplicity. Removed the first two reverted commits; ready for merging. |
utACK. |
@petertodd OK, yeah, the option itself is reasonable complicated
It even has Set it to "auto" to have Tor pick a port for you. This makes querying this option a no-go. I wonder what the way is to find out what the port is in that case.
|
// Now that we know Tor is running setup the proxy for onion addresses | ||
// if -onion isn't set to something else. | ||
if (GetArg("-onion", "") == "") { | ||
bool proxyRandomize = GetBoolArg("-proxyrandomize", true); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: Probably, proxyRandomize should be always true if we know this is Tor. The option exists because people may want to disable it for non-tor SOCKS5 proxies, there's not really a reason to disable it for Tor.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
Tested ACK.
Starting it without Tor running:
|
Adds 127.0.0.1:9050 for the .onion proxy if we can succesfully connect to the control port. Natural followup to creating hidden services automatically.
d4df507
to
cde857f
Compare
@isislovecruft See above - can you confirm that this GETINFO thing what we're supposed to be doing? |
Concept ACK |
cde857f Connect to Tor hidden services by default (Peter Todd)
Two thoughts:
So, I'd recommend not using tor automatically when it is found. It would be better to probe for tor (on both port 9050 and 9150, in that order) and if it is found prompt the user "We noticed you have Tor running. Do you want to connect using it? [Just Once] [Never] [Always (default)]" When "Always" is selected, a configuration option should be set which causes it to fail closed if tor is not running in the future. |
To be clear: this will not by default route all Bitcoin traffic over Tor.
It will only enable connecting to hidden services (nodes listening on a
port "on" the tor network, so to speak).
|
BTW, how do we know that the app listening on the port is tor? |
Thanks @sipa, i missed that. I suppose there are actually four possible tor configurations:
Hopefully (4) can be the default in a future release after there are enough onion nodes running! For nodes advertising both a hidden service and a regular IP address, are their two advertisements linkable? @paveljanik you can't really. you could do some checking to see if it seems like tor, but what would your threat model be? |
Well, it could be some other application run by other user of the same system. Of course the user is not supposed to be doing anything important on such system, but anyway... |
@petertodd I assume this does not work when the user defines no password nor cookie? |
To avoid the behaviour of this merge one must set something for Currently I have nothing set for |
|
Tor ephemeral hidden services Cherry-picked from the following upstream PRs: - bitcoin/bitcoin#6503 (included to reduce merge conflicts) - bitcoin/bitcoin#6639 - bitcoin/bitcoin#6643 - bitcoin/bitcoin#7090 - bitcoin/bitcoin#7035 - bitcoin/bitcoin#7170 - bitcoin/bitcoin#7218 (non-QT part) - bitcoin/bitcoin#7313 - bitcoin/bitcoin#7438 - bitcoin/bitcoin#7553 - bitcoin/bitcoin#7637 - bitcoin/bitcoin#7683 - bitcoin/bitcoin#7813 - bitcoin/bitcoin#7703 - bitcoin/bitcoin#8203 - bitcoin/bitcoin#9004 - bitcoin/bitcoin#9234 - bitcoin/bitcoin#9911 (partial) Closes #2061.
Sets -onion=127.0.0.1:9050 by default, which means we're able to connect to hidden services automatically if Tor is running locally. Natural followup to @laanwj's #6639, which creates hidden services automatically.
Currently the way addrman works hidden service peers won't be chosen very often, as there just aren't all that many of them on the network right now. It might be worth addressing that in a future pull-req to deliberately set aside connection slots groups for different types of peers, rather than having all outgoing connections be picked in the same way.