diff --git a/.github/renovate.json b/.github/renovate.json
index ddf430f..a8ec207 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -24,6 +24,31 @@
 "versioningTemplate": "loose",
 "datasourceTemplate": "repology",
 "depNameTemplate": "alpine_3_19/{{package}}"
+ },
+ {
+ "fileMatch": ["/Dockerfile$"],
+ "matchStrings": ["ARG OBFS_VERSION=[\"']?(?.+?)[\"']?\\s+"],
+ "versioningTemplate": "loose",
+ "datasourceTemplate": "github-releases",
+ "depNameTemplate": "Yawning/obfs4"
+ },
+ {
+ "fileMatch": ["/Dockerfile$"],
+ "matchStrings": [
+ "ARG SNOWFLAKE_VERSION=[\"']?(?.+?)[\"']?\\s+"
+ ],
+ "versioningTemplate": "loose",
+ "datasourceTemplate": "github-releases",
+ "depNameTemplate": "tpo/anti-censorship/pluggable-transports/snowflake"
+ },
+ {
+ "fileMatch": ["/Dockerfile$"],
+ "matchStrings": [
+ "ARG WEBTUNNEL_VERSION=[\"']?(?.+?)[\"']?\\s+"
+ ],
+ "versioningTemplate": "loose",
+ "datasourceTemplate": "github-releases",
+ "depNameTemplate": "tpo/anti-censorship/pluggable-transports/webtunnel"
 }
 ],
 "packageRules": [
diff --git a/tor/DOCS.md b/tor/DOCS.md
index 2b31b1d..fc69abe 100644
--- a/tor/DOCS.md
+++ b/tor/DOCS.md
@@ -51,6 +51,7 @@ client_names:
 - haremote2
 ports:
 - 8123
+bridges: []
 ```
 
 **Note**: _This is just an example, don't copy and past it! Create your own!_
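Review bot: The `github-releases` datasource cannot resolve the snowflake and webtunnel rules, because their `depNameTemplate` values are GitLab project paths under gitlab.torproject.org (the Dockerfile in this same commit clones them from there), while GitHub only knows two-segment owner/repo names. Those two rules should use the `gitlab-tags` datasource together with `"registryUrlTemplate": "https://gitlab.torproject.org"`; the webtunnel rule additionally matches a bare commit hash in `ARG WEBTUNNEL_VERSION`, which `loose` versioning will not treat as a version, so it needs a digest-style rule (for example the `git-refs` datasource with `currentDigestTemplate`) or the Dockerfile should pin a tag. The capture group `(?.+?)` in each new `matchStrings` entry appears to have lost its name, presumably `(?<currentValue>.+?)`; the pre-existing alpine rule above shows the same form, so this may be a rendering artifact, but it is worth confirming in the raw file since a regex manager without a `currentValue` group yields no dependency.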
@@ -150,6 +151,62 @@ The accepted syntaxs of this configuration is: If you do not define a published port, the local port will be used. If you do not define a hostname or IP adress `homeassistant` will be used. +### Option: `bridges` + +> Ensure the option value is clear to avoid unintended use of transport plugins and bridges. + +Bridges are Tor relays that help you circumvent censorship. +Access to bridges is provided by supported transport plugins: + +#### OBFS + +Because bridge addresses are not public, you will need to request them yourself. You have a few options: + +- Visit [Tor][tor-bridges-obfs4] project and follow the instructions, or +- Email `bridges@torproject.org` from a Gmail, or Riseup email address +- Send a message to @GetBridgesBot on Telegram. Tap on 'Start' or write /start or /bridges in the chat. + +For example: + +```yaml +bridges: + - >- + obfs4 123.45.67.89:443 EFC6A00EE6272355C023862378AC77F935F091E4 + cert=KkdWiWlfetJG9SFrzX8g1teBbgxtsc0zPiN5VLxqNNH+iudVW48CoH/XVXPQntbivXIqZA + iat-mode=0 +``` + +#### Webtunnel + +Visit [Tor][tor-bridges-webtunnel] project and follow the instructions + +For example: + +```yaml +bridges: + - >- + webtunnel 192.0.2.3:1 + DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF + url=https://akbwadp9lc5fyyz0cj4d76z643pxgbfh6oyc-167-71-71-157.sslip.io/5m9yq0j4ghkz0fz7qmuw58cvbjon0ebnrsp0 + ver=0.0.1 +``` + +#### Snowflake + +What is [snowflake][what-is-snowflake], example: + +```yaml +bridges: + - >- + snowflake 192.0.2.3:80 2B280B23E1107BB62ABFC40DDCC8824814F80A72 + fingerprint=2B280B23E1107BB62ABFC40DDCC8824814F80A72 + url=https://snowflake-broker.torproject.net/ + ampcache=https://cdn.ampproject.org/ + front=www.google.com + ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 + utls-imitate=hellorandomizedalpn +``` + ## Tor client access 
setup Using this add-on, you can access your Home Assistant instance over Tor from
@@ -261,3 +318,6 @@ SOFTWARE.
 [releases]: https://github.com/hassio-addons/addon-tor/releases
 [semver]: http://semver.org/spec/v2.0.0.htm
 [tor-hidden-service]: https://www.torproject.org/docs/hidden-services.html.en
+[tor-bridges-obfs4]: https://bridges.torproject.org/bridges/?transport=obfs4
+[tor-bridges-webtunnel]: https://bridges.torproject.org/bridges/?transport=webtunnel
+[what-is-snowflake]: https://support.torproject.org/censorship/what-is-snowflake/
diff --git a/tor/Dockerfile b/tor/Dockerfile
index 8936d51..d4c8be4 100755
--- a/tor/Dockerfile
+++ b/tor/Dockerfile
@@ -9,14 +9,49 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 COPY rootfs /
 
 # Setup base
-RUN \
- apk add --no-cache \
+RUN apk add --no-cache \
 coreutils=9.4-r2 \
 openssl=3.1.5-r0 \
- tor=0.4.8.11-r0
+ tor=0.4.8.11-r0 \
+ go=1.21.10-r0 \
+ git=2.43.4-r0 \
+ ca-certificates=20240226-r0 \
+ libcap=2.69-r1
+
+# Download pluggable-transports sources
+WORKDIR /go
+ARG OBFS_VERSION=obfs4proxy-0.0.14
+ARG SNOWFLAKE_VERSION=v2.9.2
+ARG WEBTUNNEL_VERSION=3b6faa48163782c1e5420bcb4b068cd38c401ea7
+RUN git clone -b ${OBFS_VERSION} --single-branch --depth 1 https://github.com/Yawning/obfs4.git \
+ && git clone -b ${SNOWFLAKE_VERSION} --single-branch --depth 1 https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake.git \
+ && git clone --single-branch --depth 1 https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/webtunnel.git
+
+# Build obfs4proxy
+WORKDIR /go/obfs4
+RUN go build -o /usr/local/bin/obfs4proxy ./obfs4proxy
+
+# Build snowflake
+WORKDIR /go/snowflake/client
+RUN go get \
+ && go build -o /usr/local/bin/snowflake
+
+# Build webtunnel
+WORKDIR /go/webtunnel/main/client
+RUN git reset --hard ${WEBTUNNEL_VERSION} \
+ && go build -ldflags="-s -w" -o /usr/local/bin/webtunnel
+
+# Clean up after build
+WORKDIR /
+RUN rm -rf /go
+
+# Give transports clients the capability to bind privileged port.
+RUN setcap 'cap_net_bind_service=+ep' /usr/local/bin/obfs4proxy \
+ && setcap 'cap_net_bind_service=+ep' /usr/local/bin/snowflake \
+ && setcap 'cap_net_bind_service=+ep' /usr/local/bin/webtunnel
 
 HEALTHCHECK \
- --start-period=5m \
+ --start-period=60m \
 --interval=60s \
 --timeout=30s \
 CMD curl \
diff --git a/tor/config.yaml b/tor/config.yaml
index 4cfc912..2b47b29 100644
--- a/tor/config.yaml
+++ b/tor/config.yaml
@@ -25,6 +25,7 @@ options:
 ports:
 - "8123"
 - "8123:80"
+ bridges: []
 schema:
 log_level: list(trace|debug|info|notice|warning|error|fatal)?
 socks: bool
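Review bot: `git reset --hard ${WEBTUNNEL_VERSION}` runs on a `--depth 1` clone of the default branch, so the pinned commit is only present when it happens to be the branch head — otherwise the reset fails and the build breaks, and when it is the head the pin is effectively a no-op once the branch moves on. Fetch the commit explicitly instead (rewritten clone step below; GitLab serves reachable commits by hash). The obfs4 and snowflake checkouts are pinned to tags, which are movable refs; pinning them to commit hashes the same way gives a reproducible, tamper-evident build. `rm -rf /go` only removes the sources: the Go module and build caches live under the home directory unless GOPATH/GOCACHE are set, and `go`, `git` and `libcap` stay installed in the runtime image, so a separate builder stage with `COPY --from` for the three binaries would keep the final image smaller and its attack surface lower.
```dockerfile
# Download pluggable-transports sources
WORKDIR /go
ARG OBFS_VERSION=obfs4proxy-0.0.14
ARG SNOWFLAKE_VERSION=v2.9.2
ARG WEBTUNNEL_VERSION=3b6faa48163782c1e5420bcb4b068cd38c401ea7
RUN git clone -b ${OBFS_VERSION} --single-branch --depth 1 https://github.com/Yawning/obfs4.git \
    && git clone -b ${SNOWFLAKE_VERSION} --single-branch --depth 1 https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake.git \
    && git init webtunnel \
    && git -C webtunnel fetch --depth 1 https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/webtunnel.git "${WEBTUNNEL_VERSION}" \
    && git -C webtunnel checkout --detach FETCH_HEAD

# … unchanged: obfs4proxy and snowflake build steps …

# Build webtunnel
WORKDIR /go/webtunnel/main/client
RUN go build -ldflags="-s -w" -o /usr/local/bin/webtunnel
```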
@@ -34,3 +35,5 @@ schema:
 - match(^[A-Za-z0-9+-_]{1,16}$)
 ports:
 - match(^(.*:)?(?:[0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])?$)
+ bridges:
+ - str
diff --git a/tor/rootfs/etc/s6-overlay/s6-rc.d/init-tor/run b/tor/rootfs/etc/s6-overlay/s6-rc.d/init-tor/run
index ee19f89..e8c21ab 100755
--- a/tor/rootfs/etc/s6-overlay/s6-rc.d/init-tor/run
+++ b/tor/rootfs/etc/s6-overlay/s6-rc.d/init-tor/run
@@ -125,6 +125,29 @@ if bashio::config.true 'hidden_services'; then
 done
 fi
 
+# Configure bridges
+if bashio::config.exists 'bridges' \
+ && ! bashio::config.is_empty 'bridges';
+then
+ bashio::log.info 'Use bridges:'
+ echo "UseBridges 1" >> "${torrc}"
+
+ # Add client for OBFS transport
+ echo "ClientTransportPlugin obfs2,obfs3,obfs4,scramblesuit exec /usr/local/bin/obfs4proxy managed" >> "${torrc}"
+
+ # Add client for Snowflake transport
+ echo "ClientTransportPlugin snowflake exec /usr/local/bin/snowflake" >> "${torrc}"
+
+ # Add client for WebTunnel transport
+ echo "ClientTransportPlugin webtunnel exec /usr/local/bin/webtunnel" >> "${torrc}"
+
+ # Add bridges
+ while read -r bridge; do
+ bashio::log.info "Bridge ${bridge}"
+ echo "Bridge ${bridge}" >> "${torrc}"
+ done <<< "$(bashio::config 'bridges')"
+fi
+
 # Figure out the address
 if bashio::config.true 'hidden_services'; then
 bashio::log.info 'Starting Tor temporarly...'
diff --git a/tor/translations/en.yaml b/tor/translations/en.yaml
index 61fc685..787fda9 100644
--- a/tor/translations/en.yaml
+++ b/tor/translations/en.yaml
@@ -30,5 +30,10 @@ configuration:
 description: >-
 Configures hosts and ports to publish via a Tor Hidden Service. Check the add-on documentation for the exact format to enter here.
+ bridges:
+ name: Bridges
+ description: >-
+ Configures bridges to establish connection with Tor Network. Check the
+ add-on documentation for the exact format to enter here.
 network:
 9050/tcp: Tor SOCKS proxy port
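Review bot: The `while read -r bridge` loop in the init-tor/run hunk writes every line verbatim, so an empty list entry (the new `config.yaml` schema only requires `str`) produces a bare `Bridge ` directive and Tor rejects its configuration at startup; add `[[ -z "${bridge}" ]] && continue` before the echo. The loop also logs each full bridge line — IP:port, fingerprint and any secrets such as the obfs4 `cert=` — at info level; bridge addresses are deliberately unlisted so that they are not blocked, and add-on logs are routinely pasted into support threads, so `bashio::log.info "Adding ${bridge%% *} bridge"` should record only the transport name. Tightening the `bridges` schema in `config.yaml` from `str` to a `match(...)` pattern that requires a leading transport token from the set the `ClientTransportPlugin` lines register would reject malformed entries before they reach the torrc, the same way `ports` is already validated.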