New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
daemon: add command line arg to set socks proxy #7616
Conversation
i think the option should prevent monerod from making any clearnet connections. For example, DNS queries will still go over clearnet, leaking the original IP. Same for bootstrap daemon connections.
Not yet. The current implementation won't use specified proxy for bootstrap daemon connections. |
c54e9cf
to
ef53c2e
Compare
@xiphon this is updated now |
@vtnerd Any objections here? Otherwise I will add it to the merge queue. |
nice! for anyone wanting to try the changes, an easy way of doing so on linux is to leverage iptable's logging matching on traffic generated by e.g., one can do that by making
without before we forget, should docs/ANNONIMITY_NETWORKS.md be updated to mention the new flags? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you think of anywhere to put a comment about this mode? There's no way to prevent future mistakes with socket connections in the daemon (afaik), but having this written somewhere at the top of node_node.inl
perhaps? I guess the reviewers will just have to remain vigilante really.
I will do the dull work of updating docs/ANONYMITY_NETWORKS.md
unless you want to.
@@ -66,7 +67,8 @@ class t_core final | |||
#else | |||
const cryptonote::GetCheckpointsCallback& get_checkpoints = nullptr; | |||
#endif | |||
if (!m_core.init(m_vm_HACK, nullptr, get_checkpoints)) | |||
const bool allow_dns = command_line::is_arg_defaulted(vm, daemon_args::arg_proxy) || command_line::get_arg(vm, daemon_args::arg_proxy_allow_dns_leaks); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should it be an error if someone sets the proxy_allow_dns_leaks = false
flag without setting the other flag? It works as-is, but the error reporting helps the user without pointless configurations.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added a warning message above (I assume only showing a message is sufficient, since the behavior is unaffected). Let me know if there is a better place to put this, though.
Great PR, I'm sure many people will appreciate it. Assume this could also be used to more easily hide Q1) Q2) E.g.:
Q3) |
Co-authored-by: selsta <selsta@sent.at> Co-authored-by: tobtoht <thotbot@protonmail.com>
Everything is sent over the socks proxy, so yes.
The option in this PR uses exit nodes, whereas the previous option uses hidden services. Your examples are spot-on for the tradeoffs, and I'm not aware of any other major ones. The other interesting part of this mode is using a VPN/VPS proxy. You can conceal your home IP address but still have the blockchain verified on a machine you control. This pushes an eclipse attack to the VPN/VPS network from your local ISP, but whether this is a better or worse will depend heavily on the local ISP.
The opinion hasn't changed, defending against eclipse attacks are difficult. Attackers can get exit nodes banned, forcing connections through a handful of nodes. Or with hidden services, many sybils can be created cheaply, and there is nothing analogous to IPv4 subnet zones to "spread" connections. Unfortunately, how much this matter is hard to quantify. Some people find the tradeoffs worth it. Its unlikely to be the default setup for the GUI, but maybe this will change (i.e. perhaps the sybil case with hidden services is much harder in practice). |
Let's make sure I understand this. Scenario A:
Questions:
Scenario B:
Question: Scenario C:
Question: Thank you! |
Defense 1: Defense 2: |
Scenario (A) will send transactions over hidden services but all other traffic (IPv4+6) over VPN/exit node. The bind-ip arguments could be considered a leak if someone could port-scan that external IP address remotely. Anonymous inbound is helpful for routing transactions from other nodes. Inbound IPv4+6 connections only work if the VPN can listen+forward to the external IP, which isn't going to be possible with Tor. In most situations, this will have to be a small VPS running SSH twice - one for outbound socks connections and one for forwarded inbound connections. Scenario (B) does nothing but allow incoming transactions over those networks. You aren't allowing inbound IPv4+6 connections. Blocks can only be fetched/synced over IPv4+6. Scenario (C) may be better for privacy if there is no firewall/nat between the host and internet. Otherwise port scanning will reveal an open port.
A node is not supposed to be linkable across "zones", so this should not be the case. So syncing top-of-chain over Tor+I2P might mitigate the sybil/eclipse attack. In the worse case an attacker just floods both networks with hidden services though, as aliases are cheaper to create than IPv4 (although IPv6 has some massive subnets). The worse such an attacker can do at the moment is prevent transactions over Tor/I2P from being broadcast. In the block-syncing scenario the attacker controls the perceived "top block".
It's not possible to listen in "parallel" without significant changes. Only one instance of Tor or I2P is allowed internally, and I don't know how "parallel" instances would work with command-line specified nodes. Currently everything with .i2p gets routed to the I2P instance, etc. I'm also not certain on the amount of work to change this (ignoring the command line funkiness). The mode would be helpful in cases where spamming the entire network with aliases is unfeasible, unworkable, etc. |
Thank you for explaining the scenarios. The interaction of these arguments can get very confusing. Maybe worth adding some warning messages if people do seemingly dumb things. In scenario A, is
Yeah I understand, I was just trying to understand Monero better and what risks nodes are exposed to. My takeaway is that running a primarily Tor+I2P node with a small number of IPv4 peers primarily for block downloads (with or without PS: This is out of scope and I think I mentioned it in other tickets already, but I believe several options should be renamed to make clear that they only refer to a certain network (e.g., |
|
EDIT: Realize this is somewhat off-topic, sorry don't mean to derail the discussion :)
Not sure if that's what you're saying, but I found this setting to only affect my clearnet connections. E.g., if I set
When you say per connection, do you mean per peer? I thought it was a global cap across all connections (e.g., peer connections), I was just not sure if it also affected Tor/I2P connections. I didn't digest all of the code, but I thought I had seen that there was a global cap across all connections (or at least IP connections, not sure where Tor/I2P come in). monero/contrib/epee/src/connection_basic.cpp Line 237 in dcba757
|
Attempt to configure using monero-project/monero/pull/7616
Patch originally provided by wfaressuissia[m] in #monero-dev, with minor changes.
Tails does not transparently torify traffic, as such torsocks must be used in absence of application-level configuration. This introduces various issues, such as long timeouts (See: #6708 (comment)) and problems closing monerod because torsocks likes to eat sigints. This patch eliminates the need for torsocks by introducing a command line argument for setting the socks proxy. This will also allow the GUI to spawn monerod without using torsocks to fix simple and bootstrap mode on Tails.