thunderhub: connect to the external APIs through Tor

[openoms]

As described in: Connect to the external APIs through Tor

To test on a running RaspiBlitz installation with Tor on edit the systemd service file:
sudo nano /etc/systemd/system/thunderhub.service

Enter torify after Execstart= so the line becomes:

ExecStart=torify /usr/bin/npm run start -- -p 3010

Restart the Thunderhub service:
sudo systemctl daemon-reload
sudo systemctl restart thunderhub

[openoms]

Unfortunately the process fails using the Tor proxy:

$ sudo journalctl -fu thunderhub
systemd[1]: Started ThunderHub daemon.
torify[29035]: 1606641240 WARNING torsocks[29035]: [syscall] Unsupported syscall number 397. Denying the call (in tsocks_syscall() at syscall.c:605)
torify[29035]: 1606641241 WARNING torsocks[29056]: [syscall] Unsupported syscall number 397. Denying the call (in tsocks_syscall() at syscall.c:605)
torify[29035]: Error: listen EPERM: operation not permitted :::3010
torify[29035]:     at Server.setupListenHandle [as _listen2] (net.js:1318:16)
torify[29035]:     at listenInCluster (net.js:1366:12)
torify[29035]:     at Server.listen (net.js:1452:7)
torify[29035]:     at /home/thunderhub/thunderhub/node_modules/next/dist/server/lib/start-server.js:2:62
torify[29035]:     at new Promise (<anonymous>)
torify[29035]:     at start (/home/thunderhub/thunderhub/node_modules/next/dist/server/lib/start-server.js:1:431)
torify[29035]:     at nextStart (/home/thunderhub/thunderhub/node_modules/next/dist/cli/next-start.js:19:125)
torify[29035]:     at /home/thunderhub/thunderhub/node_modules/next/dist/bin/next:26:341 {
torify[29035]:   code: 'EPERM',
torify[29035]:   errno: -1,
torify[29035]:   syscall: 'listen',
torify[29035]:   address: '::',
torify[29035]:   port: 3010
torify[29035]: }
torify[29035]: npm ERR! code ELIFECYCLE
torify[29035]: npm ERR! errno 1
torify[29035]: npm ERR! thunderhub@0.10.4 start: `next start "-p" "3010"`
torify[29035]: npm ERR! Exit status 1
torify[29035]: npm ERR!
torify[29035]: npm ERR! Failed at the thunderhub@0.10.4 start script.
torify[29035]: npm ERR! This is probably not a problem with npm. There is likely additional logging output above.
torify[29035]: npm ERR! A complete log of this run can be found in:
torify[29035]: npm ERR!     /home/thunderhub/.npm/_logs/2020-11-29T09_14_01_948Z-debug.log
systemd[1]: thunderhub.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: thunderhub.service: Failed with result 'exit-code'.

cat /home/thunderhub/.npm/_logs/2020-11-29T09_14_01_948Z-debug.log | nc termbin.com 9999 : https://termbin.com/adoc

[Kixunil]

I think you could get it working with some modifications of torsocks.conf

Specifically:

• AllowIbound 1 - solves the error above
• AllowOutboundLocalhost 1 - allow connecting to lnd
• I recommend copying the system-wide file and editing the copy, then setting TORSOCKS_CONF_FILE=/path/to/your/modified/copy before calling torify

[openoms]

can test this solution with pasting this:

source /mnt/hdd/raspiblitz.conf

   # torify service if Tor is used
    if [ "${runBehindTor}" = "on" ]; then
      echo "# Connect to the external APIs through Tor"
      proxy="torify"
      echo "# set up torsocks"
      sudo cp /etc/tor/torsocks.conf /etc/tor/torsocks-thunderhub.conf
      sudo sed -i "s/^#AllowInbound 1/AllowInbound 1/g" /etc/tor/torsocks-thunderhub.conf
      sudo sed -i "s/^#AllowOutboundLocalhost 1/AllowOutboundLocalhost 1/g" /etc/tor/torsocks-thunderhub.conf
      env="Environment=TORSOCKS_CONF_FILE=/etc/tor/torsocks-thunderhub.conf"
    else
      echo "# Connect to the external APIs through clearnet"
      proxy=""
      env=""
    fi

    echo "# Install ThunderHub systemd for ${network} on ${chain}"
    echo "
# Systemd unit for thunderhub
# /etc/systemd/system/thunderhub.service

[Unit]
Description=ThunderHub daemon
Wants=lnd.service
After=lnd.service

[Service]
WorkingDirectory=/home/thunderhub/thunderhub
$env
ExecStart=$proxy /usr/bin/npm run start -- -p 3010
User=thunderhub
Restart=always
TimeoutSec=120
RestartSec=30
StandardOutput=null
StandardError=journal

[Install]
WantedBy=multi-user.target
" | sudo tee /etc/systemd/system/thunderhub.service

sudo systemctl daemon-reload
sudo systemctl restart thunderhub

[Kixunil]

That script looks correct.

[openoms]

ok tested this and works on 32 and 64bit (#1833) too.
Ready to merge.

[Kixunil]

Happy to hear it works! I'll keep it in mind for my projects. :)

[openoms]

Thunderhub now has a built in option to proxy over Tor: https://github.com/apotdevin/thunderhub#tor-requests

Will review this with the changed config.

[Kixunil]

Using config definitely looks cleaner but I wonder if it's actually the best thing to do. torify seems to have a nice property of also protecting against accidental leakage. A bug in ThunderHub causing a connection to not respect proxy settings would be harmless in case of torify. Same goes for all other apps.

If you want to take it one step further, systemd supports network namespaces and it should be possible to block all outgoing traffic except for Tor on system level. That way even if the (compromised) app deliberately attempted to bypass torify (which is possible) it wouldn't be able to access clearnet. Although in the specific case of ThunderHub, compromised apps creates much bigger problems than privacy leaks.

I'm not sure how paranoid Raspiblitz is supposed to be.

[openoms]

@Kixunil thanks for your comment, I agree and will keep this as it is.

It is a good option to build this in Thunderhub, but we don't need to rely on it.

As for how paranoid we supposed to be: I am happy to go deep until it does not limit the functionality.
RaspiBlitz is going Tor by default from the next release: #2056 which would open the possibility to apply do this (and use namespaces) for all the systemd services going forward.

The question here is that how important it is to be able switch back to clearnet (or another proxy) easily and how realistic it is to make that an option?

re this PR: @rootzoll it is ready to be merged

[Kixunil]

The question here is that how important it is to be able switch back to clearnet (or another proxy) easily and how realistic it is to make that an option?

Modifying systemd files is kinda unwieldy, so here config in ThunderHub could help. I want to make this configurable in deb repo because clearnet is more reliable which may be more important to some people than their IP being logged somewhere.

[rootzoll]

@openoms can you rebase the PR on the dev branch?

[openoms]

ok, rebased to dev