Tor daemon is unable to use obfuscation

Status: Open
Participants (3): André Batista, nigko, Vincent Legoll
Owner: unassigned
Submitted by: nigko
Severity: normal

To: bug-guix@gnu.org
I have found why it is not working! The Tor process is simply not allowed to
have access to the obfuscator binary because it is running inside all
Linux namespaces except "net", in particular in the "mnt" namespace. We need
to add path/to/obfuscator/binary to the #:mappings field of the
least-authority-wrapper call inside the tor-shepherd-service body in
/gnu/service/networking.scm. I have checked, this makes obfuscation
fully functional.


Regards,
Nigko Yerden


> Hello Guix!
>
> I am trying to configure tor daemon to use traffic obfuscation by the following lines in my system configuration
>
>
> (service tor-service-type
>          (tor-configuration
>           (config-file
>            (plain-file "torrc"
>                        "
> UseBridges 1
> ClientTransportPlugin obfs4 exec /path/to/obfuscator/binary
>
> Bridge obfs4 ......
> Bridge obfs4 ......
> "))))
>
> where /path/to/obfuscator/binary corresponds to an obfs4 obfuscator. There are a few of them in the guix repo, see e.g. go-gitlab-torproject-org-tpo-anti-censorship-pluggable-transports-lyrebird or go-github-com-operatorfoundation-obfs4 packages. The obfuscator is also installed in the system profile. Bridges are gotten from the official site https://bridges.torproject.org/.
>
>
> This torrc configuration works perfectly on guix when tor is run at user level by the command '$ tor -f path/to/torrc', and '# netstat -tupan' shows the obfuscator process is listening on 127.0.0.1:[some random port].
>
>
> However, when tor is run as a system daemon, there is no obfuscator process listening and tor is unusable.
>
>
> Perhaps this issue is related to https://issues.guix.gnu.org/57222.
>
> I have tried to revert commit fb868cd7794f15e21298e5bdea996fbf0dad17ca on a recent guix checkout and then to perform 'guix pull --url=/path/to/my/local/guix/repo --disable-authentication'. It worked fine. But when performing 'sudo guix system reconfigure /path/to/system/configuration' I got an error 'make-forkexec-constructor/container: unbound variable'
>
>
>
> Regards,
> Nigko Yerden
>
>
>
>
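
The mapping fix described in the first message above, sketched as an added example (not code from the Guix repository or from the patch in issue 70341). `sandboxed-tor` and its three parameters are hypothetical; `plugin` is assumed to be a file-like object for the obfuscator binary, and the torrc is assumed to name that same path in its ClientTransportPlugin line.

```scheme
;; Added example, not the Guix source: a Tor wrapper whose mount namespace
;; also exposes the pluggable-transport binary.
(use-modules (guix gexp)
             (guix least-authority)        ;least-authority-wrapper
             (gnu build linux-container)   ;%namespaces
             (gnu system file-systems))    ;file-system-mapping

;; Hypothetical helper.  TOR is the tor package, TORRC a file-like torrc,
;; and PLUGIN a file-like for the obfuscator executable (assumptions).
(define (sandboxed-tor tor torrc plugin)
  (least-authority-wrapper
   (file-append tor "/bin/tor")
   #:name "tor"
   #:mappings
   (list (file-system-mapping              ;Tor state directory
          (source "/var/lib/tor")
          (target source)
          (writable? #t))
         (file-system-mapping              ;configuration, read-only
          (source torrc)
          (target source))
         ;; The fix from the report: without this entry the path named by
         ;; ClientTransportPlugin does not exist inside the "mnt" namespace,
         ;; so Tor cannot exec the obfuscator.  'writable?' is left at its
         ;; default, so the binary is visible but read-only in the sandbox.
         (file-system-mapping
          (source plugin)
          (target source)))
   ;; Every namespace except "net", as described in the report.
   #:namespaces (delq 'net %namespaces)))
```

Mapping only the plugin keeps the rest of the confinement intact; anything else the obfuscator needs at run time must be mapped the same way.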
André Batista wrote on 24 Apr 23:11 +0200
Re: [bug#70341] [PATCH v3] services: tor: Add support for pluggable transports.
To: Nigko Yerden <nigko.yerden@gmail.com>
Attachment: file
Nigko Yerden wrote on 20 Jun 06:49 +0200
Hi Vincent,

Indeed, they are related. My message from 70332 was intended
to go to 70302 and didn't get there by my mistake, thus creating
new issue 70332.

Regards,
Nigko


Vincent Legoll wrote:
> I think the two issues are related, and the second one may have been
> created by typoing the issue number
>
> https://issues.guix.gnu.org/70302
> https://issues.guix.gnu.org/70332
>
> WDYT ?
>
Vincent Legoll wrote on 20 Jun 17:30 +0200
To: Nigko Yerden <nigko.yerden@gmail.com>
Hello,

On Thu, Jun 20, 2024 at 4:49 AM Nigko Yerden <nigko.yerden@gmail.com> wrote:
> Indeed, they are related. My message from 70332 was intended
> to go to 70302 and didn't get there by my mistake, thus creating
> new issue 70332.

Thanks for the explanation

You said in 70332 that you found the issue, so does something still
need fixing ?

Regards

--
Vincent Legoll
Nigko Yerden wrote on 20 Jun 18:11 +0200
To: Vincent Legoll <vincent.legoll@gmail.com>
Yes, the issue still needs fixing.
Here is my suggestion: https://issues.guix.gnu.org/70341

Regards,
Nigko

Vincent Legoll wrote:
> Hello,
>
> On Thu, Jun 20, 2024 at 4:49 AM Nigko Yerden <nigko.yerden@gmail.com> wrote:
>> Indeed, they are related. My message from 70332 was intended
>> to go to 70302 and didn't get there by my mistake, thus creating
>> new issue 70332.
>
> Thanks for the explanation
>
> You said in 70332 that you found the issue, so does something still
> need fixing ?
>
> Regards
>
Vincent Legoll wrote on 20 Jun 18:31 +0200
To: Nigko Yerden <nigko.yerden@gmail.com>
On Thu, Jun 20, 2024 at 4:11 PM Nigko Yerden <nigko.yerden@gmail.com> wrote:
> Yes, the issue still needs fixing.
> Here is my suggestion: https://issues.guix.gnu.org/70341

Thanks, and now all these issues are linked together so we
won't forget to close them at once, if appropriate.

--
Vincent Legoll