Support transparent torification #220

Closed
bnvk opened this Issue Nov 12, 2015 · 19 comments

Comments

5 participants
@bnvk

bnvk commented Nov 12, 2015

When running on a machine with a custom Tor setup that routes all traffic through a proxy (like the Qubes OS transparent Tor ProxyVM), onionshare throws the following error:

Connecting to Tor control port to set up hidden service on port 32902.
Can't connect to Tor control port on port [9051, 9151]

A similar issue arises when using Pond through a Qubes TorVM, but can be worked around by setting the following environment variable in my .bash_profile

export POND_TOR_ADDRESS=10.137.1.12:9050

Is there some quick hack to make onionshare work on systems like mine?

@adrelanos

adrelanos commented Nov 12, 2015

Without preventing Tor over Tor... Probably not.

Btw, for Whonix this is tracked here:
https://www.whonix.org/wiki/Next#onionshare

The latest conclusion for now is...

Most likely we need to wait until Tor 0.2.7 gets stable:
#178

@burdges

burdges commented Nov 13, 2015

There are a bunch of bugs around here on related issues already, but couldn't you simply use port forwarding via ssh, nc, etc.? Take note of the HashedControlPassword option in torrc.

@adrelanos

adrelanos commented Nov 13, 2015

No. Running Tor with Hidden Services on one machine and the server service on another is a non-issue.
(This is documented for Whonix: https://www.whonix.org/wiki/Hidden_Services)

@micahflee micahflee changed the title from running on custom Tor setups (e.g. Qubes TorVM) fails to Support transparent torification Nov 16, 2015

@micahflee

Owner

micahflee commented Nov 16, 2015

I just renamed this issue to "Support transparent torification". This will be where I'll track progress on supporting OnionShare in Tails and Whonix.

#178 is done, so this may be possible using the Tor control port now, but I believe I'll need to work directly with both of these projects to make sure onionshare works.

Here's the issue for the Tails project: https://labs.riseup.net/code/issues/7870

@adrelanos

adrelanos commented Nov 16, 2015

Just now testing this with Qubes-Whonix 12.0.0.3.2 RC. Upgraded the gateway to 0.2.7. (Using http://deb.torproject.org/torproject.org/dists/tor-experimental-0.2.7.x-jessie/)

Installed onionshare as per a5aff46 in the workstation.

This is what I get.

onionshare-gui

Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/onionshare_gui/onionshare_gui.py", line 131, in start_server
    self.app.start_hidden_service(gui=True)
  File "/usr/lib/python2.7/dist-packages/onionshare/onionshare.py", line 63, in start_hidden_service
    self.hs = hs.HS(self.transparent_torification)
  File "/usr/lib/python2.7/dist-packages/onionshare/hs.py", line 55, in __init__
    tor_version = self.c.get_version().version_str
  File "/usr/lib/python2.7/dist-packages/stem/control.py", line 992, in get_version
    raise exc
stem.ProtocolError: All lines should end with CRLF

onionshare should be able to talk to Tor by talking to IP 127.0.0.1 port 9051. (Simplified, but sufficient to say: it's redirected to Whonix-Gateway's Tor ControlPort and that is working stably.)

For a quick and dirty implementation, it should also be able to talk to a Tor SocksPort IP 127.0.0.1 port 9051. (Same. Also gets redirected. anon-ws-disable-stacked-tor)

For a stable implementation it would be good if one could configure SocksPort and ControlPort IP / port system wide for better stream isolation. We could also redirect another local port to a Whonix-Gateway Tor SocksPort.

@micahflee

Owner

micahflee commented Feb 27, 2016

Tails has iptables rules on the lo interface that drop everything, except for specific exceptions. In order to whitelist the ports OnionShare uses, we need to switch to using a range of ports rather than picking a random open one. I'm arbitrarily choosing the range 17600-17650, because according to Wikipedia nothing else seems to be using it.

@micahflee

Owner

micahflee commented Feb 28, 2016

torbrowser_launcher should be a Recommends, not a Depends, because Tails and Whonix have their own Tor Browsers.

@micahflee micahflee modified the milestones: 0.9, 1.0 Apr 10, 2016

@adrelanos

adrelanos commented Sep 21, 2016

Progress has been made on the Whonix side.


On the onionshare side... The following line cannot work for Whonix yet.

https://github.com/micahflee/onionshare/blob/master/onionshare/onion.py#L85

res = self.c.create_ephemeral_hidden_service({ 80: port }, await_publication = True)

Results in:

add_onion new:best port=80,17600

This cannot work, because that incoming hidden service connection then is terminated at Whonix-Gateway while it has to be directed to Whonix-Workstation.

Quote Tor control protocol

  The syntax is:
    "ADD_ONION" SP KeyType ":" KeyBlob
            [SP "Flags=" Flag *("," Flag)]
            1*(SP "Port=" VirtPort ["," Target])
...

We also would have to add the Target and fill it out with the Whonix-Workstation IP. I.e. from onionshare's perspective it's its eth0 LAN IP.


Whonix non-ephemeral Tor hidden services instructions include...

https://www.whonix.org/wiki/Hidden_Services

HiddenServiceDir /var/lib/tor/hidden_service/
#HiddenServicePort 80 10.152.152.11:80
HiddenServicePort 80 IP-of-Qubes-Whonix-Workstation-AppVM:80

@adrelanos

adrelanos commented Sep 23, 2016

Scratch my above post. We are now dynamically patching in Whonix-Workstation IP inside control-port-filter-python. Example... From:

add_onion new:best port=80,17600

To:

add_onion new:best port=80,10.137.6.41:17600

@adrelanos

adrelanos commented Dec 23, 2016

We at Whonix yet have to find a solution to this issue:
find way to have Tor ephemeral hidden service using applications in Whonix-Workstation bind on all interfaces
https://phabricator.whonix.org/T561

I.e. onionshare binds its webserver on 127.0.0.1. In Whonix, that cannot work because it needs to bind on the external IP.

@adrelanos

adrelanos commented Jan 10, 2017

Now using bindp as a workaround. (Details, commit here: https://phabricator.whonix.org/T561)

However, the clean solution would be if onionshare would automatically listen on interface eth0 rather than 127.0.0.1 once Whonix is detected. (Check for existence of file /usr/share/anon-ws-base-files/workstation.)

And if auto detection sounds too scary / Whonix specific, then it would be good if the listen interface could be expressed as a drop-in configuration file in /etc/onionshare.d/, we would then drop a snippet /etc/onionshare.d/40_whonix.conf.
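The two OnionShare-side changes discussed in this thread, the fixed 17600-17650 listen-port range from Feb 27, 2016 (so a Tails-style loopback firewall can whitelist it instead of a random free port) and the listen-address choice from the Jan 10, 2017 comment above (drop-in config or Whonix-Workstation marker file), as one added Python 3 example. This is not OnionShare's or Whonix's own code. Taken from the thread: the port range, the marker path /usr/share/anon-ws-base-files/workstation and the directory /etc/onionshare.d/. Assumptions of this example: the drop-in files are key=value lines, the key is `listen_host`, and "listen on the external interface" is expressed as binding 0.0.0.0 rather than by resolving eth0's address.

```python
"""Listen address and port selection for an OnionShare-style local web server.

Added example, not OnionShare or Whonix code. Assumptions (not from the thread):
the drop-in files are key=value lines, the key is "listen_host", and "all
interfaces" is expressed as 0.0.0.0 rather than by resolving eth0's address.
From the thread: the 17600-17650 range and the Whonix marker path.
"""
import glob
import os
import socket

PORT_RANGE = range(17600, 17651)      # 17600-17650 inclusive, as chosen in the thread
WHONIX_MARKER = "/usr/share/anon-ws-base-files/workstation"
CONF_DIR = "/etc/onionshare.d"        # proposed drop-in directory (hypothetical format)


def parse_dropin_lines(lines, settings=None):
    """Parse key=value lines; blank lines and '#' comments are ignored, later keys win."""
    settings = dict(settings or {})
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def read_dropins(conf_dir=CONF_DIR):
    """Merge *.conf files in lexical order, so 40_whonix.conf overrides 10_default.conf."""
    settings = {}
    for path in sorted(glob.glob(os.path.join(conf_dir, "*.conf"))):
        with open(path) as fh:
            settings = parse_dropin_lines(fh, settings)
    return settings


def choose_listen_host(settings=None, marker=WHONIX_MARKER):
    """Explicit configuration wins; otherwise auto-detect Whonix-Workstation.

    Binding on all interfaces is only safe where the VM's sole route out is the
    Tor gateway (which is what the marker file attests), so the default stays
    on loopback everywhere else.
    """
    settings = settings or {}
    if settings.get("listen_host"):
        return settings["listen_host"]
    if os.path.exists(marker):
        return "0.0.0.0"
    return "127.0.0.1"


def bind_in_range(host, ports=PORT_RANGE):
    """Return a listening socket on the first free port in `ports`.

    Returning the bound socket (instead of a probed port number that is then
    bound again later) avoids the window in which another process grabs the
    port between the check and the real bind.
    """
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            sock.bind((host, port))
            sock.listen()
        except OSError:
            sock.close()
            continue
        return sock
    raise OSError("no free port in %d-%d on %s" % (ports.start, ports.stop - 1, host))


if __name__ == "__main__":
    host = choose_listen_host(read_dropins())
    server = bind_in_range(host)
    print("would serve on %s:%d" % server.getsockname())
    server.close()
```

The caveat a practitioner should keep in mind: 0.0.0.0 is only the right default inside a Whonix-Workstation, where the only route out is the gateway; on an ordinary host the same setting exposes the share to the whole LAN, which is why the auto-detection is tied to the marker file and an explicit drop-in value always wins.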

@adrelanos

adrelanos commented Feb 4, 2017

Discussing if there could be a global standard on which listen IP / listen interface to use by default. Please have a look when you find a chance:

AnemoneLabs/unmessage#2 (comment)

micahflee added a commit that referenced this issue Feb 23, 2017

@micahflee micahflee modified the milestones: 1.0, 1.0.1 Feb 23, 2017

@micahflee

Owner

micahflee commented Feb 23, 2017

Now that OnionShare is built-in to Tails, and with #361 it has Whonix support, I'm considering this issue closed.

@micahflee micahflee closed this Feb 23, 2017

@bnvk

bnvk commented Feb 23, 2017

@rootkovska

rootkovska commented May 24, 2017

Hi Micah and everybody!

I've just tried it on a Fedora 24-based VM in Qubes OS with default sys-whonix and... it doesn't seem to properly recognize torification:

[user@varia ~]$ curl -s https://check.torproject.org | grep Congratulations
      Congratulations. This browser is configured to use Tor.
      Congratulations. This browser is configured to use Tor.
[user@varia ~]$ onionshare --transparent mysecret.txt 
Onionshare 0.9.1 | https://onionshare.org/
Can't connect to Tor control port on port [9151, 9153, 9051]. OnionShare requires Tor Browser to be running in the background to work. If you don't have it you can get it from https://www.torproject.org/.
[user@varia ~]$ rpm -q onionshare
onionshare-0.9.1-1.fc24.noarch

@adrelanos

adrelanos commented May 24, 2017

@micahflee

Owner

micahflee commented May 24, 2017

Yup, I can't wait for Whonix 14 to be released. In the meantime, I use it in non-Whonix AppVMs.

@rootkovska

rootkovska commented May 25, 2017

In the meantime, I use it in non-Whonix AppVMs.

Using --transparent and another torifying VM? Or using TBB in that VM?

@micahflee

Owner

micahflee commented May 25, 2017

Using --transparent and another torifying VM? Or using TBB in that VM?

@adrelanos was correct, the --transparent flag was never fully implemented.

I've just been using OnionShare and tor in a VM, without a torifying ProxyVM.

BTW, you can now use OnionShare with a system tor without needing TBB open -- and the next release supports just launching its own tor process, so you won't even need to configure your system tor, it'll "just work" without any configuration.

OnionShare needs to connect to the tor controller and send the commands ADD_ONION and DEL_ONION, but there are some commands you could send to the tor controller that could deanonymize the user. So if you're in a VM that uses a torified ProxyVM, in order for OnionShare to work it needs to connect to the ProxyVM's tor controller, but allowing this is dangerous. Whonix 14 will support a better tor controller filter than what is currently being used, to allow VMs to connect to the control port and use safe commands like ADD_ONION and DEL_ONION, and block all other potentially dangerous ones.
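The two control-port filter behaviours described in this thread, the ADD_ONION target rewrite adrelanos describes on Sep 23, 2016 (`port=80,17600` becoming `port=80,10.137.6.41:17600`) and the allowlist micahflee describes directly above (ADD_ONION and DEL_ONION pass, deanonymizing commands are blocked), sketched as one added Python 3 example. This is not Whonix's control-port-filter-python and not OnionShare code. Taken from the thread: the workstation IP 10.137.6.41 and the ADD_ONION syntax from the control protocol. This example's own policy, and an assumption: a Port= target that names any host other than the workstation (including a unix: socket) is rejected, since the workstation must not be able to expose gateway-side services as an onion; ADD_ONION arguments other than Flags= and Port= are rejected as well.

```python
"""Tor control-port command filter for a split gateway/workstation setup.

Added example (not Whonix's control-port-filter-python, not OnionShare code).
Policy implemented here, as an assumption:
  * only ADD_ONION and DEL_ONION pass; every other command (SETCONF,
    GETINFO address, ...) is answered with 510 and never reaches Tor;
  * a Port= target with no host, or with a loopback host, is rewritten to the
    workstation's IP, because "127.0.0.1" at the gateway is the wrong machine;
  * a target naming any other host, or a unix: socket, is rejected with 512.
Replies are CRLF-terminated, which is what stem's reply parser insists on.
"""
import re

WORKSTATION_IP = "10.137.6.41"          # Whonix-Workstation IP quoted in the thread
ALLOWED_COMMANDS = {"ADD_ONION", "DEL_ONION"}
LOOPBACK_HOSTS = {"", "127.0.0.1", "localhost", "[::1]"}

# control-spec: "Port=" VirtPort ["," Target]
_PORT_ARG = re.compile(r"^Port=(?P<virt>\d+)(?:,(?P<target>\S+))?$", re.IGNORECASE)


def _valid_port(text):
    return text.isdigit() and 0 < int(text) < 65536


def rewrite_port_arg(arg, target_host=WORKSTATION_IP):
    """Rewrite one Port= argument so its target points at the workstation.

    Port=80                  -> Port=80,<host>:80     (Tor's default target is VirtPort on localhost)
    Port=80,17600            -> Port=80,<host>:17600
    Port=80,127.0.0.1:17600  -> Port=80,<host>:17600
    Raises ValueError for anything else.
    """
    m = _PORT_ARG.match(arg)
    if not m or not _valid_port(m.group("virt")):
        raise ValueError("malformed Port argument: %r" % arg)
    virt = m.group("virt")
    target = m.group("target") or virt
    if target.lower().startswith("unix:"):
        raise ValueError("unix socket targets live on the gateway")
    host, sep, port = target.rpartition(":")
    if not sep:                          # bare port, no host part
        host, port = "", target
    if not _valid_port(port):
        raise ValueError("bad target port in %r" % arg)
    if host in LOOPBACK_HOSTS:
        host = target_host
    elif host != target_host:
        raise ValueError("target host %r is not the workstation" % host)
    return "Port=%s,%s:%s" % (virt, host, port)


def filter_command(line, target_host=WORKSTATION_IP):
    """Return (forward, text).

    forward=True  -> text is the (possibly rewritten) command to send to Tor
    forward=False -> text is the error reply to send back to the client
    """
    parts = line.rstrip("\r\n").split()
    keyword = parts[0].upper() if parts else ""
    if keyword not in ALLOWED_COMMANDS:
        return False, "510 Unrecognized command\r\n"
    if keyword == "DEL_ONION":
        if len(parts) != 2:
            return False, "512 Invalid argument\r\n"
        return True, "DEL_ONION %s\r\n" % parts[1]
    # ADD_ONION KeyType:KeyBlob [Flags=...] 1*(Port=...)
    if len(parts) < 3 or ":" not in parts[1]:
        return False, "512 Invalid argument\r\n"
    out = ["ADD_ONION", parts[1]]
    saw_port = False
    try:
        for arg in parts[2:]:
            lowered = arg.lower()
            if lowered.startswith("flags="):
                out.append(arg)
            elif lowered.startswith("port="):
                out.append(rewrite_port_arg(arg, target_host))
                saw_port = True
            else:
                raise ValueError("unknown ADD_ONION argument %r" % arg)
    except ValueError:
        return False, "512 Invalid argument\r\n"
    if not saw_port:
        return False, "512 Invalid argument\r\n"
    return True, " ".join(out) + "\r\n"


if __name__ == "__main__":
    for sample in ("add_onion new:best port=80,17600",
                   "ADD_ONION NEW:BEST Flags=Detach Port=80 Port=443,8443",
                   "GETINFO address",
                   "ADD_ONION NEW:BEST Port=80,10.0.0.5:80"):
        print("%-55s -> %r" % (sample, filter_command(sample)))
```

The design point is that the filter is an allowlist, not a blocklist: a new Tor control command that nobody has reviewed is refused by default, and a bare `Port=80,17600` from the workstation is made to mean the workstation rather than the gateway's loopback, which is exactly the mistake the Sep 21, 2016 comment describes.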
