Re: [tor-dev] using obfs4 to tunnel to a SOCKS proxy server
- To: tor-dev@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [tor-dev] using obfs4 to tunnel to a SOCKS proxy server
- From: Hans-Christoph Steiner <hans@xxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 25 Jan 2019 00:03:19 +0100
- In-reply-to: <20190123182501.basefja3ypndsrtv@bamsoftware.com>
- Openpgp: preference=signencrypt
- Organization: Guardian Project
- References: <95da9dd8-5bb2-1f29-00b3-be94988020a6@guardianproject.info> <4ec11e18-e8d4-9f4b-4aec-dea52af6cb0e@schwanenlied.me> <20190123182501.basefja3ypndsrtv@bamsoftware.com>
David Fifield:
> On Wed, Jan 23, 2019 at 11:41:42AM +0000, Yawning Angel wrote:
>>> For example, could the obfs4 server side provide a generic SOCKS proxy?
>>
>> There is no functionality for doing such a thing in mainline obfs4proxy.
>>
>> What currently will work is any one of:
>>
>> * Stick a proxy server of your choice behind the obfs4proxy server.
>> From the application end it will essentially be connecting to a (for
>> example) SOCKS5 proxy over another SOCKS5 proxy.
>>
>> * Connect the obfs4proxy server to a load-balancer or reverse-proxy
>> that re-dispatches requests to the correct location based on the SNI
>> block or `Host` header (depending on how you want to treat TLS).
>
> This is the right answer. Fundamentally you need two layers of proxying:
> one at the PT layer (obfs4proxy PT interface) and one at your
> application layer (where you implement problem-specific logic like
> domain whitelists).
>
> On the server, you will point TOR_PT_ORPORT at a SOCKS server or load
> balancer, rather than directly at the target web server. The
> obfs4_server.sh script will work fine for that; you could also try
> https://github.com/twisteroidambassador/ptadapter. The SOCKS server will
> have to support a destination whitelist--or you could just put it on a
> host with an appropriate outgoing firewall. Instead of a SOCKS server,
> you could use a load balancer/reverse proxy like Yawning says. Here are a
> few that have SNI proxying (I've personally only used sslh):
> https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/
> https://github.com/yrutschle/sslh
> https://github.com/dlundquist/sniproxy
>
> But you're going to encounter an undesirable feature of this setup:
> there's a 1:1 relationship between application-layer connections and
> obfuscation-layer tunnels. That is, if the app makes 2 HTTPS connections
> to 2 different Wikimedia domains, there will be 2 obfs4 tunnels
> happening. It will work, but it's more conspicuous and will notionally
> make website fingerprinting easier. What you may want is a multiplexing
> protocol that collapses multiple streams into one on the client side (to
> feed into the obfs4 tunnel) and splits them back apart again on the
> server side. (In the usual Tor setup, it's the Tor protocol that serves
> this multiplexing function--you only have one long-lived connection to
> your guard, not a separate connection for every application-layer
> stream.) Unfortunately I don't know of any out-of-the-box that does
> this. You might try https://github.com/xtaci/smux; also lately I've been
> thinking a lot about applying https://github.com/lucas-clemente/quic-go
> to this problem.
Sounds like these are the right direction. Just to clarify: I was
thinking of obfs4 like an SSH port forward, not as the provider of a
SOCKS proxy. So "server-side" means running a daemon alongside obfs4proxy
to do the other bits. What you two have outlined sounds like exactly that.
Is this the same with other PT 1.1 daemons? Or would Snowflake be
different? Seems like with obfs4, the load balancer using SNI would
probably be the easiest for the Wikipedia use case.
.hc
--
PGP fingerprint: EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556
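The destination whitelist David says the SOCKS server behind obfs4proxy will need, as an added example that is not code from the thread, from obfs4proxy or from ptadapter: the policy core of a SOCKS5 server that admits only CONNECT requests to HTTPS on Wikimedia domains. The allowed-suffix list, the port-443 rule and the refusal of IP literals are constructed assumptions for the Wikimedia use case discussed above.

```go
package main

import (
	"encoding/binary"
	"errors"
	"net"
	"strings"
)

// Constructed egress policy: HTTPS to these domains and their subdomains only.
var allowedSuffixes = []string{"wikipedia.org", "wikimedia.org"}

// ParseConnect decodes a SOCKS5 request (RFC 1928 section 4): VER CMD RSV
// ATYP DST.ADDR DST.PORT. Only CMD=1 (CONNECT) with ATYP=3 (domain name) is
// accepted, so a client cannot bypass the name policy by sending an IP.
func ParseConnect(req []byte) (host string, port int, err error) {
	if len(req) < 7 || req[0] != 5 || req[1] != 1 || req[3] != 3 {
		return "", 0, errors.New("not a SOCKS5 CONNECT to a domain name")
	}
	n := int(req[4])
	if len(req) < 7+n {
		return "", 0, errors.New("truncated request")
	}
	host = strings.ToLower(strings.TrimSuffix(string(req[5:5+n]), "."))
	return host, int(binary.BigEndian.Uint16(req[5+n : 7+n])), nil
}

// Allowed is the whitelist: exact match or subdomain of an allowed suffix,
// port 443 only, and never an IP literal smuggled into the name field.
func Allowed(host string, port int) bool {
	if port != 443 || net.ParseIP(host) != nil {
		return false
	}
	for _, s := range allowedSuffixes {
		if host == s || strings.HasSuffix(host, "."+s) {
			return true
		}
	}
	return false
}

// Decide applies the policy to a raw request and returns the SOCKS5 reply:
// REP 0x00 (succeeded) or 0x02 (connection not allowed by ruleset).
func Decide(req []byte) []byte {
	host, port, err := ParseConnect(req)
	rep := byte(0x02)
	if err == nil && Allowed(host, port) {
		rep = 0x00
	}
	return []byte{5, rep, 0, 1, 0, 0, 0, 0, 0, 0}
}
```

A real server would dial the target only after Decide returns REP 0x00 and then relay bytes; the 0x02 reply is what the client sees for anything outside the ruleset, including IP literals and non-HTTPS ports.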