duplicate readme deleted

This commit is contained in:
amitpanwar789 2024-06-18 13:27:02 +05:30
parent a68c579fde
commit 03207f404a
12 changed files with 409 additions and 1200 deletions

View File

@ -0,0 +1,28 @@
# Conjure
[Conjure](https://jhalderm.com/pub/papers/conjure-ccs19.pdf) is an anti-censorship tool in the refraction networking (a.k.a. decoy routing) lineage of circumvention systems. The key innovation of Conjure is to turn the unused IP address space of deploying ISPs into a large pool of **phantom** proxies that users can connect to. Due to the size of unused IPv6 address space and the potential for collateral damage against real websites hosted by the deploying ISPs, Conjure provides an effective solution to the problem of censors enumerating deployed bridges or proxies.
Conjure is currenty deployed on the University of Colorado network and a small to mid size ISP in Michigan.
# Conjure Pluggable Transport for Tor
This repository is an implementation of both the client and bridge side of a Tor pluggable transport that uses the deployed Conjure network to allow users to connect to the Tor network. The client side calls the [`gotapdance` library](https://github.com/refraction-networking/gotapdance) to communicate with deployed Conjure stations and route client traffic through the phantom proxies assigned by the station. The bridge side receives [haproxy](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) connections from the Conjure station that wrap the proxied client traffic.
# Deployment details
We currently have deployed a low capacity Conjure bridge named [Haunt](https://metrics.torproject.org/rs.html#details/A84C946BF4E14E63A3C92E140532A4594F2C24CD). To connect through this bridge, use the `torrc` file in the `client/` directory as follows:
```
cd client/
tor -f torrc
```
# Warnings
This tool and the deployment is still under active development. We are still working on securing the connection between the deployed Conjure stations and the Conjure bridge. We are also working on improving the censorship resistance of the registration connection between the client and the station. Do not expect this to work out of the box in all areas.
The Conjure station sometimes suffers from a heavy load of users. When this happens, connections will fail. If you are testing this out, try waiting awhile and trying again later.
# Conjure development
Due to the complex nature of the Conjure deployment, it can be difficult to set up a local development environment. Check out [phantombox](https://gitlab.torproject.org/cohosh/phantombox) for an automated libvirt-based setup that works on Linux.
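Review bot: since this hunk creates the consolidated copy of the Conjure README, it is the place to fix the typos being carried over: "currenty" in the deployment sentence, and "This tool and the deployment is still" under Warnings (should be "are"). The "Deployment details" section also points at the `torrc` in `client/`, a path relative to the old location of this file; confirm it still resolves once the file lives at the repository root, given that the symlinks elsewhere in this change reach it via `../../../`.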

View File

@ -0,0 +1,109 @@
# Snowflake
[![Build Status](https://travis-ci.org/keroserene/snowflake.svg?branch=master)](https://travis-ci.org/keroserene/snowflake)
Pluggable Transport using WebRTC, inspired by Flashproxy.
<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
**Table of Contents**
- [Structure of this Repository](#structure-of-this-repository)
- [Usage](#usage)
- [Using Snowflake with Tor](#using-snowflake-with-tor)
- [Running a Snowflake Proxy](#running-a-snowflake-proxy)
- [Using the Snowflake Library with Other Applications](#using-the-snowflake-library-with-other-applications)
- [Test Environment](#test-environment)
- [FAQ](#faq)
- [More info and links](#more-info-and-links)
<!-- END doctoc generated TOC please keep comment here to allow auto update -->
### Structure of this Repository
- `broker/` contains code for the Snowflake broker
- `doc/` contains Snowflake documentation and manpages
- `client/` contains the Tor pluggable transport client and client library code
- `common/` contains generic libraries used by multiple pieces of Snowflake
- `proxy/` contains code for the Go standalone Snowflake proxy
- `probetest/` contains code for a NAT probetesting service
- `server/` contains the Tor pluggable transport server and server library code
### Usage
Snowflake is currently deployed as a pluggable transport for Tor.
#### Using Snowflake with Tor
To use the Snowflake client with Tor, you will need to add the appropriate `Bridge` and `ClientTransportPlugin` lines to your [torrc](https://2019.www.torproject.org/docs/tor-manual.html.en) file. See the [client README](client) for more information on building and running the Snowflake client.
#### Running a Snowflake Proxy
You can contribute to Snowflake by running a Snowflake proxy. We have the option to run a proxy in your browser or as a standalone Go program. See our [community documentation](https://community.torproject.org/relay/setup/snowflake/) for more details.
#### Using the Snowflake Library with Other Applications
Snowflake can be used as a Go API, and adheres to the [v2.1 pluggable transports specification](). For more information on using the Snowflake Go library, see the [Snowflake library documentation](doc/using-the-snowflake-library.md).
### Test Environment
There is a Docker-based test environment at https://github.com/cohosh/snowbox.
### FAQ
**Q: How does it work?**
In the Tor use-case:
1. Volunteers visit websites which host the "snowflake" proxy. (just
like flashproxy)
2. Tor clients automatically find available browser proxies via the Broker
(the domain fronted signaling channel).
3. Tor client and browser proxy establish a WebRTC peer connection.
4. Proxy connects to some relay.
5. Tor occurs.
More detailed information about how clients, snowflake proxies, and the Broker
fit together on the way...
**Q: What are the benefits of this PT compared with other PTs?**
Snowflake combines the advantages of flashproxy and meek. Primarily:
- It has the convenience of Meek, but can support magnitudes more
users with negligible CDN costs. (Domain fronting is only used for brief
signalling / NAT-piercing to setup the P2P WebRTC DataChannels which handle
the actual traffic.)
- Arbitrarily high numbers of volunteer proxies are possible like in
flashproxy, but NATs are no longer a usability barrier - no need for
manual port forwarding!
**Q: Why is this called Snowflake?**
It utilizes the "ICE" negotiation via WebRTC, and also involves a great
abundance of ephemeral and short-lived (and special!) volunteer proxies...
### More info and links
We have more documentation in the [Snowflake wiki](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) and at https://snowflake.torproject.org/.
##### -- Android AAR Reproducible Build Setup --
Using `gomobile` it is possible to build snowflake as shared libraries for all
the architectures supported by Android. This is in the _.gitlab-ci.yml_, which
runs in GitLab CI. It is also possible to run this setup in a Virtual Machine
using [vagrant](https://www.vagrantup.com/). Just run `vagrant up` and it will
create and provision the VM. `vagrant ssh` to get into the VM to use it as a
development environment.
##### uTLS Settings
Snowflake communicate with broker that serves as signaling server with TLS based domain fronting connection, which may be identified by its usage of Go language TLS stack.
uTLS is a software library designed to initiate the TLS Client Hello fingerprint of browsers or other popular software's TLS stack to evade censorship based on TLS client hello fingerprint with `-utls-imitate` . You can use `-version` to see a list of supported values.
Depending on client and server configuration, it may not always work as expected as not all extensions are correctly implemented.
You can also remove SNI (Server Name Indication) from client hello to evade censorship with `-utls-nosni`, not all servers supports this.
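Review bot: the link `[v2.1 pluggable transports specification]()` under "Using the Snowflake Library with Other Applications" has an empty target and will render as a dead link, and the build badge at the top points at `travis-ci.org/keroserene/snowflake` while the wiki link further down is on `gitlab.torproject.org`, so the badge is stale for this repository. Since the file is being consolidated anyway, also consider fixing the grammar in the uTLS Settings paragraph ("Snowflake communicate with broker that serves as signaling server", "not all servers supports this").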

View File

@ -0,0 +1,263 @@
# WebTunnel
Pluggable Transport based on HTTP Upgrade(HTTPT)
WebTunnel is pluggable transport that attempt to imitate web browsing activities based on [HTTPT](https://censorbib.nymity.ch/#Frolov2020b).
## Client Usage
Connect to a WebTunnel server with a Tor configuration file like:
```
UseBridges 1
DataDirectory datadir
ClientTransportPlugin webtunnel exec ./client
Bridge webtunnel 192.0.2.3:1 url=https://akbwadp9lc5fyyz0cj4d76z643pxgbfh6oyc-167-71-71-157.sslip.io/5m9yq0j4ghkz0fz7qmuw58cvbjon0ebnrsp0
SocksPort auto
Log info
```
## Server Setup
#### Install Tor
On a Debian system, first install tor normally with
```
apt install apt-transport-https
lsb_release -c
nano /etc/apt/sources.list.d/tor.list
wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null
apt update
apt install tor deb.torproject.org-keyring
```
### Disable default instance
The default Tor configuration is not useful for this setup, so the next step will be disabling them.
```
systemctl stop tor@default.service
systemctl mask tor@default.service
```
### Get Environment Ready
```
#copy server file to server
scp server root@$SERVER_ADDRESS:/var/lib/torwebtunnel/webtunnel
```
then create server torrc at `/var/lib/torwebtunnel/torrc`
```
BridgeRelay 1
ORPort 10000
ServerTransportPlugin webtunnel exec /var/lib/torwebtunnel/webtunnel
ServerTransportListenAddr webtunnel 127.0.0.1:11000
ExtORPort auto
ContactInfo WebTunnel email: tor.relay.email@torproject.net ciissversion:2
Nickname WebTunnelTest
PublishServerDescriptor 1
BridgeDistribution none
DataDirectory /var/lib/torwebtunnel/tor-data
CacheDirectory /tmp/tor-tmp-torwebtunnel
SocksPort 0
```
#### Configure service unit file
Create a service unit file as follow
```
[Unit]
Description=Tor Web Tunnel
[Service]
Type=simple
DynamicUser=yes
PrivateUsers=true
PrivateMounts=true
ProtectSystem=strict
PrivateTmp=true
PrivateDevices=true
ProtectClock=true
NoNewPrivileges=true
ProtectHome=tmpfs
ProtectKernelModules=true
ProtectKernelLogs=true
StateDirectory=torwebtunnel
ExecStart=/usr/bin/tor -f /var/lib/torwebtunnel/torrc --RunAsDaemon 0
[Install]
WantedBy=default.target
```
#### Obtain Certificate
WebTunnel Requires a valid TLS certificate, to obtain that
```
curl https://get.acme.sh | sh -s email=my@example.com
~/.acme.sh/acme.sh --issue --standalone --domain $SERVER_ADDRESS
```
#### Install & Configure Nginx
To coexist with other content at a single port, it is necessary to install a reverse proxy like nginx:
```
apt install nginx
```
And then configure HTTP Upgrade forwarding at /etc/nginx/nginx.conf.
```
--- a/before.conf
+++ b/after.conf
@@ -60,6 +60,13 @@ http {
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
+
+ #WebSocket Support
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
}
```
Finally, add http forwarding setting to a new file at /etc/nginx/site-enabled .
```
server {
listen [::]:443 ssl http2;
listen 443 ssl http2;
server_name $SERVER_ADDRESS;
#ssl on;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /etc/nginx/ssl/fullchain.cer;
ssl_certificate_key /etc/nginx/ssl/key.key;
ssl_session_timeout 15m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:MozSSL:50m;
#ssl_ecdh_curve secp521r1,prime256v1,secp384r1;
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=63072000" always;
location /$PATH {
proxy_pass http://127.0.0.1:11000;
proxy_http_version 1.1;
###Set WebSocket headers ####
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
### Set Proxy headers ####
proxy_set_header Accept-Encoding "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
add_header Front-End-Https on;
proxy_redirect off;
}
}
```
## Docker Setup
Webtunnel is a new pluggable transport available for bridge operators.
### Prerequisites
An existing website using nginx balancer to handle traffic. (other load banlancer is currently untested)
Handle traffic directly, without CDN. (CDN passthrough is currently untested)
A container runtime like Docker.
### Configure nginx Forwarding
If you haven't already, configure websocket forwarding support in nginx by configure HTTP Upgrade forwarding at /etc/nginx/nginx.conf:
```
--- a/before.conf
+++ b/after.conf
@@ -60,6 +60,13 @@ http {
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
+
+ #WebSocket Support
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
}
```
And add a forwarded path under one the served domain, typically defined in files within `/etc/nginx/sites-enabled/`, replace $PATH with a random string(which you could generate with `echo $(cat /dev/urandom | tr -cd "qwertyuiopasdfghjklzxcvbnmMNBVCXZLKJHGFDSAQWERTUIOP0987654321"|head -c 24)`):
```
location /$PATH {
proxy_pass http://127.0.0.1:11000;
proxy_http_version 1.1;
###Set WebSocket headers ####
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
### Set Proxy headers ####
proxy_set_header Accept-Encoding "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
add_header Front-End-Https on;
proxy_redirect off;
}
```
### Install Docker Runtime(if necessary)
```
apt install curl sudo
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh ./get-docker.sh
```
### Run Dockerlized Webtunnel Server
Replace `URL` with your domain and path, and `OPERATOR_EMAIL` with your email address, then run:
```
truncate --size 0 .env
echo "URL=https://yourdomain/and/path" >> .env
echo "OPERATOR_EMAIL=your@email.org" >> .env
echo "BRIDGE_NICKNAME=WTBr$(cat /dev/urandom | tr -cd 'qwertyuiopasdfghjklzxcvbnmMNBVCXZLKJHGFDSAQWERTUIOP0987654321'|head -c 10)" >> .env
echo "GENEDORPORT=4$(cat /dev/urandom | tr -cd '0987654321'|head -c 4)" >> .env
```
This will create an environment file for the configuration of webtunnel bridge.
After creating the configure file, download the webtunnel docker compose file, and instancize it.
````shell
curl https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/webtunnel/-/raw/main/release/container/docker-compose.yml?inline=false > docker-compose.yml
docker compose up -d
````
It includes auto update by default, and will update webtunnel bridge server without any further action. Remove `watchtower` to disable this behavior.
### Get Bridgeline and Check it is Running
You can obtain bridgeline and verify if it is working by running
```shell
docker compose exec webtunnel-bridge get-bridge-line.sh
```
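Review bot: the "Obtain Certificate" step issues with `~/.acme.sh/acme.sh --issue --standalone --domain $SERVER_ADDRESS`, which leaves the certificate under `~/.acme.sh/`, but the nginx server block further down reads `ssl_certificate /etc/nginx/ssl/fullchain.cer;` and `ssl_certificate_key /etc/nginx/ssl/key.key;`; the step that installs the chain and key to those paths (and a reload hook so renewals reach nginx) is missing, and `--standalone` needs port 80 free, which conflicts with nginx once it is installed. Two smaller points in the same hunk: the path `/etc/nginx/site-enabled` in the "Finally, add http forwarding setting" line should be `/etc/nginx/sites-enabled` to match the include two blocks earlier, and the "Install Tor" block opens `/etc/apt/sources.list.d/tor.list` in nano without saying what repository line to put in it, so the following `apt install tor deb.torproject.org-keyring` cannot succeed as written.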

View File

@ -1,28 +0,0 @@
# Conjure
[Conjure](https://jhalderm.com/pub/papers/conjure-ccs19.pdf) is an anti-censorship tool in the refraction networking (a.k.a. decoy routing) lineage of circumvention systems. The key innovation of Conjure is to turn the unused IP address space of deploying ISPs into a large pool of **phantom** proxies that users can connect to. Due to the size of unused IPv6 address space and the potential for collateral damage against real websites hosted by the deploying ISPs, Conjure provides an effective solution to the problem of censors enumerating deployed bridges or proxies.
Conjure is currenty deployed on the University of Colorado network and a small to mid size ISP in Michigan.
# Conjure Pluggable Transport for Tor
This repository is an implementation of both the client and bridge side of a Tor pluggable transport that uses the deployed Conjure network to allow users to connect to the Tor network. The client side calls the [`gotapdance` library](https://github.com/refraction-networking/gotapdance) to communicate with deployed Conjure stations and route client traffic through the phantom proxies assigned by the station. The bridge side receives [haproxy](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) connections from the Conjure station that wrap the proxied client traffic.
# Deployment details
We currently have deployed a low capacity Conjure bridge named [Haunt](https://metrics.torproject.org/rs.html#details/A84C946BF4E14E63A3C92E140532A4594F2C24CD). To connect through this bridge, use the `torrc` file in the `client/` directory as follows:
```
cd client/
tor -f torrc
```
# Warnings
This tool and the deployment is still under active development. We are still working on securing the connection between the deployed Conjure stations and the Conjure bridge. We are also working on improving the censorship resistance of the registration connection between the client and the station. Do not expect this to work out of the box in all areas.
The Conjure station sometimes suffers from a heavy load of users. When this happens, connections will fail. If you are testing this out, try waiting awhile and trying again later.
# Conjure development
Due to the complex nature of the Conjure deployment, it can be difficult to set up a local development environment. Check out [phantombox](https://gitlab.torproject.org/cohosh/phantombox) for an automated libvirt-based setup that works on Linux.

View File

@ -0,0 +1 @@
../../../README.CONJURE.md
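Review bot: the replacement file is a symlink with the relative target `../../../README.CONJURE.md`; the three-level depth has to match this file's directory exactly, and repository symlinks are not followed on Windows checkouts without `core.symlinks` or by some packaging and documentation tooling, so a stub README that links to the top-level file would be the more portable choice. The same applies to the `README.SNOWFLAKE.md` and `README.WEBTUNNEL.md` symlinks later in the change.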

View File

@ -1,109 +0,0 @@
# Snowflake
[![Build Status](https://travis-ci.org/keroserene/snowflake.svg?branch=master)](https://travis-ci.org/keroserene/snowflake)
Pluggable Transport using WebRTC, inspired by Flashproxy.
<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
**Table of Contents**
- [Structure of this Repository](#structure-of-this-repository)
- [Usage](#usage)
- [Using Snowflake with Tor](#using-snowflake-with-tor)
- [Running a Snowflake Proxy](#running-a-snowflake-proxy)
- [Using the Snowflake Library with Other Applications](#using-the-snowflake-library-with-other-applications)
- [Test Environment](#test-environment)
- [FAQ](#faq)
- [More info and links](#more-info-and-links)
<!-- END doctoc generated TOC please keep comment here to allow auto update -->
### Structure of this Repository
- `broker/` contains code for the Snowflake broker
- `doc/` contains Snowflake documentation and manpages
- `client/` contains the Tor pluggable transport client and client library code
- `common/` contains generic libraries used by multiple pieces of Snowflake
- `proxy/` contains code for the Go standalone Snowflake proxy
- `probetest/` contains code for a NAT probetesting service
- `server/` contains the Tor pluggable transport server and server library code
### Usage
Snowflake is currently deployed as a pluggable transport for Tor.
#### Using Snowflake with Tor
To use the Snowflake client with Tor, you will need to add the appropriate `Bridge` and `ClientTransportPlugin` lines to your [torrc](https://2019.www.torproject.org/docs/tor-manual.html.en) file. See the [client README](client) for more information on building and running the Snowflake client.
#### Running a Snowflake Proxy
You can contribute to Snowflake by running a Snowflake proxy. We have the option to run a proxy in your browser or as a standalone Go program. See our [community documentation](https://community.torproject.org/relay/setup/snowflake/) for more details.
#### Using the Snowflake Library with Other Applications
Snowflake can be used as a Go API, and adheres to the [v2.1 pluggable transports specification](). For more information on using the Snowflake Go library, see the [Snowflake library documentation](doc/using-the-snowflake-library.md).
### Test Environment
There is a Docker-based test environment at https://github.com/cohosh/snowbox.
### FAQ
**Q: How does it work?**
In the Tor use-case:
1. Volunteers visit websites which host the "snowflake" proxy. (just
like flashproxy)
2. Tor clients automatically find available browser proxies via the Broker
(the domain fronted signaling channel).
3. Tor client and browser proxy establish a WebRTC peer connection.
4. Proxy connects to some relay.
5. Tor occurs.
More detailed information about how clients, snowflake proxies, and the Broker
fit together on the way...
**Q: What are the benefits of this PT compared with other PTs?**
Snowflake combines the advantages of flashproxy and meek. Primarily:
- It has the convenience of Meek, but can support magnitudes more
users with negligible CDN costs. (Domain fronting is only used for brief
signalling / NAT-piercing to setup the P2P WebRTC DataChannels which handle
the actual traffic.)
- Arbitrarily high numbers of volunteer proxies are possible like in
flashproxy, but NATs are no longer a usability barrier - no need for
manual port forwarding!
**Q: Why is this called Snowflake?**
It utilizes the "ICE" negotiation via WebRTC, and also involves a great
abundance of ephemeral and short-lived (and special!) volunteer proxies...
### More info and links
We have more documentation in the [Snowflake wiki](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) and at https://snowflake.torproject.org/.
##### -- Android AAR Reproducible Build Setup --
Using `gomobile` it is possible to build snowflake as shared libraries for all
the architectures supported by Android. This is in the _.gitlab-ci.yml_, which
runs in GitLab CI. It is also possible to run this setup in a Virtual Machine
using [vagrant](https://www.vagrantup.com/). Just run `vagrant up` and it will
create and provision the VM. `vagrant ssh` to get into the VM to use it as a
development environment.
##### uTLS Settings
Snowflake communicate with broker that serves as signaling server with TLS based domain fronting connection, which may be identified by its usage of Go language TLS stack.
uTLS is a software library designed to initiate the TLS Client Hello fingerprint of browsers or other popular software's TLS stack to evade censorship based on TLS client hello fingerprint with `-utls-imitate` . You can use `-version` to see a list of supported values.
Depending on client and server configuration, it may not always work as expected as not all extensions are correctly implemented.
You can also remove SNI (Server Name Indication) from client hello to evade censorship with `-utls-nosni`, not all servers supports this.

View File

@ -0,0 +1 @@
../../../README.SNOWFLAKE.md

View File

@ -1,263 +0,0 @@
# WebTunnel
Pluggable Transport based on HTTP Upgrade(HTTPT)
WebTunnel is pluggable transport that attempt to imitate web browsing activities based on [HTTPT](https://censorbib.nymity.ch/#Frolov2020b).
## Client Usage
Connect to a WebTunnel server with a Tor configuration file like:
```
UseBridges 1
DataDirectory datadir
ClientTransportPlugin webtunnel exec ./client
Bridge webtunnel 192.0.2.3:1 url=https://akbwadp9lc5fyyz0cj4d76z643pxgbfh6oyc-167-71-71-157.sslip.io/5m9yq0j4ghkz0fz7qmuw58cvbjon0ebnrsp0
SocksPort auto
Log info
```
## Server Setup
#### Install Tor
On a Debian system, first install tor normally with
```
apt install apt-transport-https
lsb_release -c
nano /etc/apt/sources.list.d/tor.list
wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null
apt update
apt install tor deb.torproject.org-keyring
```
### Disable default instance
The default Tor configuration is not useful for this setup, so the next step will be disabling them.
```
systemctl stop tor@default.service
systemctl mask tor@default.service
```
### Get Environment Ready
```
#copy server file to server
scp server root@$SERVER_ADDRESS:/var/lib/torwebtunnel/webtunnel
```
then create server torrc at `/var/lib/torwebtunnel/torrc`
```
BridgeRelay 1
ORPort 10000
ServerTransportPlugin webtunnel exec /var/lib/torwebtunnel/webtunnel
ServerTransportListenAddr webtunnel 127.0.0.1:11000
ExtORPort auto
ContactInfo WebTunnel email: tor.relay.email@torproject.net ciissversion:2
Nickname WebTunnelTest
PublishServerDescriptor 1
BridgeDistribution none
DataDirectory /var/lib/torwebtunnel/tor-data
CacheDirectory /tmp/tor-tmp-torwebtunnel
SocksPort 0
```
#### Configure service unit file
Create a service unit file as follow
```
[Unit]
Description=Tor Web Tunnel
[Service]
Type=simple
DynamicUser=yes
PrivateUsers=true
PrivateMounts=true
ProtectSystem=strict
PrivateTmp=true
PrivateDevices=true
ProtectClock=true
NoNewPrivileges=true
ProtectHome=tmpfs
ProtectKernelModules=true
ProtectKernelLogs=true
StateDirectory=torwebtunnel
ExecStart=/usr/bin/tor -f /var/lib/torwebtunnel/torrc --RunAsDaemon 0
[Install]
WantedBy=default.target
```
#### Obtain Certificate
WebTunnel Requires a valid TLS certificate, to obtain that
```
curl https://get.acme.sh | sh -s email=my@example.com
~/.acme.sh/acme.sh --issue --standalone --domain $SERVER_ADDRESS
```
#### Install & Configure Nginx
To coexist with other content at a single port, it is necessary to install a reverse proxy like nginx:
```
apt install nginx
```
And then configure HTTP Upgrade forwarding at /etc/nginx/nginx.conf.
```
--- a/before.conf
+++ b/after.conf
@@ -60,6 +60,13 @@ http {
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
+
+ #WebSocket Support
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
}
```
Finally, add http forwarding setting to a new file at /etc/nginx/site-enabled .
```
server {
listen [::]:443 ssl http2;
listen 443 ssl http2;
server_name $SERVER_ADDRESS;
#ssl on;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /etc/nginx/ssl/fullchain.cer;
ssl_certificate_key /etc/nginx/ssl/key.key;
ssl_session_timeout 15m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:MozSSL:50m;
#ssl_ecdh_curve secp521r1,prime256v1,secp384r1;
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=63072000" always;
location /$PATH {
proxy_pass http://127.0.0.1:11000;
proxy_http_version 1.1;
###Set WebSocket headers ####
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
### Set Proxy headers ####
proxy_set_header Accept-Encoding "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
add_header Front-End-Https on;
proxy_redirect off;
}
}
```
## Docker Setup
Webtunnel is a new pluggable transport available for bridge operators.
### Prerequisites
An existing website using nginx balancer to handle traffic. (other load banlancer is currently untested)
Handle traffic directly, without CDN. (CDN passthrough is currently untested)
A container runtime like Docker.
### Configure nginx Forwarding
If you haven't already, configure websocket forwarding support in nginx by configure HTTP Upgrade forwarding at /etc/nginx/nginx.conf:
```
--- a/before.conf
+++ b/after.conf
@@ -60,6 +60,13 @@ http {
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
+
+ #WebSocket Support
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
}
```
And add a forwarded path under one the served domain, typically defined in files within `/etc/nginx/sites-enabled/`, replace $PATH with a random string(which you could generate with `echo $(cat /dev/urandom | tr -cd "qwertyuiopasdfghjklzxcvbnmMNBVCXZLKJHGFDSAQWERTUIOP0987654321"|head -c 24)`):
```
location /$PATH {
proxy_pass http://127.0.0.1:11000;
proxy_http_version 1.1;
###Set WebSocket headers ####
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
### Set Proxy headers ####
proxy_set_header Accept-Encoding "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
add_header Front-End-Https on;
proxy_redirect off;
}
```
### Install Docker Runtime(if necessary)
```
apt install curl sudo
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh ./get-docker.sh
```
### Run Dockerlized Webtunnel Server
Replace `URL` with your domain and path, and `OPERATOR_EMAIL` with your email address, then run:
```
truncate --size 0 .env
echo "URL=https://yourdomain/and/path" >> .env
echo "OPERATOR_EMAIL=your@email.org" >> .env
echo "BRIDGE_NICKNAME=WTBr$(cat /dev/urandom | tr -cd 'qwertyuiopasdfghjklzxcvbnmMNBVCXZLKJHGFDSAQWERTUIOP0987654321'|head -c 10)" >> .env
echo "GENEDORPORT=4$(cat /dev/urandom | tr -cd '0987654321'|head -c 4)" >> .env
```
This will create an environment file for the configuration of webtunnel bridge.
After creating the configure file, download the webtunnel docker compose file, and instancize it.
````shell
curl https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/webtunnel/-/raw/main/release/container/docker-compose.yml?inline=false > docker-compose.yml
docker compose up -d
````
It includes auto update by default, and will update webtunnel bridge server without any further action. Remove `watchtower` to disable this behavior.
### Get Bridgeline and Check it is Running
You can obtain bridgeline and verify if it is working by running
```shell
docker compose exec webtunnel-bridge get-bridge-line.sh
```

View File

@ -0,0 +1 @@
../../../README.WEBTUNNEL.md

View File

@ -1,28 +0,0 @@
# Conjure
[Conjure](https://jhalderm.com/pub/papers/conjure-ccs19.pdf) is an anti-censorship tool in the refraction networking (a.k.a. decoy routing) lineage of circumvention systems. The key innovation of Conjure is to turn the unused IP address space of deploying ISPs into a large pool of **phantom** proxies that users can connect to. Due to the size of unused IPv6 address space and the potential for collateral damage against real websites hosted by the deploying ISPs, Conjure provides an effective solution to the problem of censors enumerating deployed bridges or proxies.
Conjure is currenty deployed on the University of Colorado network and a small to mid size ISP in Michigan.
# Conjure Pluggable Transport for Tor
This repository is an implementation of both the client and bridge side of a Tor pluggable transport that uses the deployed Conjure network to allow users to connect to the Tor network. The client side calls the [`gotapdance` library](https://github.com/refraction-networking/gotapdance) to communicate with deployed Conjure stations and route client traffic through the phantom proxies assigned by the station. The bridge side receives [haproxy](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) connections from the Conjure station that wrap the proxied client traffic.
# Deployment details
We currently have deployed a low capacity Conjure bridge named [Haunt](https://metrics.torproject.org/rs.html#details/A84C946BF4E14E63A3C92E140532A4594F2C24CD). To connect through this bridge, use the `torrc` file in the `client/` directory as follows:
```
cd client/
tor -f torrc
```
# Warnings
This tool and the deployment is still under active development. We are still working on securing the connection between the deployed Conjure stations and the Conjure bridge. We are also working on improving the censorship resistance of the registration connection between the client and the station. Do not expect this to work out of the box in all areas.
The Conjure station sometimes suffers from a heavy load of users. When this happens, connections will fail. If you are testing this out, try waiting awhile and trying again later.
# Conjure development
Due to the complex nature of the Conjure deployment, it can be difficult to set up a local development environment. Check out [phantombox](https://gitlab.torproject.org/cohosh/phantombox) for an automated libvirt-based setup that works on Linux.


@ -0,0 +1 @@
../../../README.CONJURE.md


@ -1,109 +0,0 @@
# Snowflake
[![Build Status](https://travis-ci.org/keroserene/snowflake.svg?branch=master)](https://travis-ci.org/keroserene/snowflake)
Pluggable Transport using WebRTC, inspired by Flashproxy.
<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
**Table of Contents**
- [Structure of this Repository](#structure-of-this-repository)
- [Usage](#usage)
- [Using Snowflake with Tor](#using-snowflake-with-tor)
- [Running a Snowflake Proxy](#running-a-snowflake-proxy)
- [Using the Snowflake Library with Other Applications](#using-the-snowflake-library-with-other-applications)
- [Test Environment](#test-environment)
- [FAQ](#faq)
- [More info and links](#more-info-and-links)
<!-- END doctoc generated TOC please keep comment here to allow auto update -->
### Structure of this Repository
- `broker/` contains code for the Snowflake broker
- `doc/` contains Snowflake documentation and manpages
- `client/` contains the Tor pluggable transport client and client library code
- `common/` contains generic libraries used by multiple pieces of Snowflake
- `proxy/` contains code for the Go standalone Snowflake proxy
- `probetest/` contains code for a NAT probetesting service
- `server/` contains the Tor pluggable transport server and server library code
### Usage
Snowflake is currently deployed as a pluggable transport for Tor.
#### Using Snowflake with Tor
To use the Snowflake client with Tor, you will need to add the appropriate `Bridge` and `ClientTransportPlugin` lines to your [torrc](https://2019.www.torproject.org/docs/tor-manual.html.en) file. See the [client README](client) for more information on building and running the Snowflake client.
#### Running a Snowflake Proxy
You can contribute to Snowflake by running a Snowflake proxy. We have the option to run a proxy in your browser or as a standalone Go program. See our [community documentation](https://community.torproject.org/relay/setup/snowflake/) for more details.
#### Using the Snowflake Library with Other Applications
Snowflake can be used as a Go API, and adheres to the [v2.1 pluggable transports specification](). For more information on using the Snowflake Go library, see the [Snowflake library documentation](doc/using-the-snowflake-library.md).
### Test Environment
There is a Docker-based test environment at https://github.com/cohosh/snowbox.
### FAQ
**Q: How does it work?**
In the Tor use-case:
1. Volunteers visit websites which host the "snowflake" proxy. (just
like flashproxy)
2. Tor clients automatically find available browser proxies via the Broker
(the domain fronted signaling channel).
3. Tor client and browser proxy establish a WebRTC peer connection.
4. Proxy connects to some relay.
5. Tor occurs.
More detailed information about how clients, snowflake proxies, and the Broker
fit together on the way...
**Q: What are the benefits of this PT compared with other PTs?**
Snowflake combines the advantages of flashproxy and meek. Primarily:
- It has the convenience of Meek, but can support magnitudes more
users with negligible CDN costs. (Domain fronting is only used for brief
signalling / NAT-piercing to setup the P2P WebRTC DataChannels which handle
the actual traffic.)
- Arbitrarily high numbers of volunteer proxies are possible like in
flashproxy, but NATs are no longer a usability barrier - no need for
manual port forwarding!
**Q: Why is this called Snowflake?**
It utilizes the "ICE" negotiation via WebRTC, and also involves a great
abundance of ephemeral and short-lived (and special!) volunteer proxies...
### More info and links
We have more documentation in the [Snowflake wiki](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) and at https://snowflake.torproject.org/.
##### -- Android AAR Reproducible Build Setup --
Using `gomobile` it is possible to build snowflake as shared libraries for all
the architectures supported by Android. This is in the _.gitlab-ci.yml_, which
runs in GitLab CI. It is also possible to run this setup in a Virtual Machine
using [vagrant](https://www.vagrantup.com/). Just run `vagrant up` and it will
create and provision the VM. `vagrant ssh` to get into the VM to use it as a
development environment.
##### uTLS Settings
Snowflake communicate with broker that serves as signaling server with TLS based domain fronting connection, which may be identified by its usage of Go language TLS stack.
uTLS is a software library designed to initiate the TLS Client Hello fingerprint of browsers or other popular software's TLS stack to evade censorship based on TLS client hello fingerprint with `-utls-imitate` . You can use `-version` to see a list of supported values.
Depending on client and server configuration, it may not always work as expected as not all extensions are correctly implemented.
You can also remove SNI (Server Name Indication) from client hello to evade censorship with `-utls-nosni`, not all servers supports this.
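Review bot: the link `[v2.1 pluggable transports specification]()` under "Using the Snowflake Library with Other Applications" has an empty target, so it renders as dead text; the build badge also points at `travis-ci.org/keroserene/snowflake`, a host the rest of the document's links (gitlab.torproject.org) no longer use. If README.SNOWFLAKE.md, which this file now symlinks to, was copied from this text, fix the link target and drop or update the badge there instead of just relocating the text. Minor: "Snowflake communicate with broker that serves as signaling server" and "not all servers supports this" in the uTLS section need subject-verb agreement ("communicates with the broker", "not all servers support this").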


@ -0,0 +1 @@
../../../README.SNOWFLAKE.md


@ -1,263 +0,0 @@
# WebTunnel
Pluggable Transport based on HTTP Upgrade(HTTPT)
WebTunnel is pluggable transport that attempt to imitate web browsing activities based on [HTTPT](https://censorbib.nymity.ch/#Frolov2020b).
## Client Usage
Connect to a WebTunnel server with a Tor configuration file like:
```
UseBridges 1
DataDirectory datadir
ClientTransportPlugin webtunnel exec ./client
Bridge webtunnel 192.0.2.3:1 url=https://akbwadp9lc5fyyz0cj4d76z643pxgbfh6oyc-167-71-71-157.sslip.io/5m9yq0j4ghkz0fz7qmuw58cvbjon0ebnrsp0
SocksPort auto
Log info
```
## Server Setup
#### Install Tor
On a Debian system, first install tor normally with
```
apt install apt-transport-https
lsb_release -c
nano /etc/apt/sources.list.d/tor.list
wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null
apt update
apt install tor deb.torproject.org-keyring
```
### Disable default instance
The default Tor configuration is not useful for this setup, so the next step will be disabling them.
```
systemctl stop tor@default.service
systemctl mask tor@default.service
```
### Get Environment Ready
```
#copy server file to server
scp server root@$SERVER_ADDRESS:/var/lib/torwebtunnel/webtunnel
```
then create server torrc at `/var/lib/torwebtunnel/torrc`
```
BridgeRelay 1
ORPort 10000
ServerTransportPlugin webtunnel exec /var/lib/torwebtunnel/webtunnel
ServerTransportListenAddr webtunnel 127.0.0.1:11000
ExtORPort auto
ContactInfo WebTunnel email: tor.relay.email@torproject.net ciissversion:2
Nickname WebTunnelTest
PublishServerDescriptor 1
BridgeDistribution none
DataDirectory /var/lib/torwebtunnel/tor-data
CacheDirectory /tmp/tor-tmp-torwebtunnel
SocksPort 0
```
#### Configure service unit file
Create a service unit file as follow
```
[Unit]
Description=Tor Web Tunnel
[Service]
Type=simple
DynamicUser=yes
PrivateUsers=true
PrivateMounts=true
ProtectSystem=strict
PrivateTmp=true
PrivateDevices=true
ProtectClock=true
NoNewPrivileges=true
ProtectHome=tmpfs
ProtectKernelModules=true
ProtectKernelLogs=true
StateDirectory=torwebtunnel
ExecStart=/usr/bin/tor -f /var/lib/torwebtunnel/torrc --RunAsDaemon 0
[Install]
WantedBy=default.target
```
#### Obtain Certificate
WebTunnel Requires a valid TLS certificate, to obtain that
```
curl https://get.acme.sh | sh -s email=my@example.com
~/.acme.sh/acme.sh --issue --standalone --domain $SERVER_ADDRESS
```
#### Install & Configure Nginx
To coexist with other content at a single port, it is necessary to install a reverse proxy like nginx:
```
apt install nginx
```
And then configure HTTP Upgrade forwarding at /etc/nginx/nginx.conf.
```
--- a/before.conf
+++ b/after.conf
@@ -60,6 +60,13 @@ http {
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
+
+ #WebSocket Support
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
}
```
Finally, add http forwarding setting to a new file at /etc/nginx/site-enabled .
```
server {
listen [::]:443 ssl http2;
listen 443 ssl http2;
server_name $SERVER_ADDRESS;
#ssl on;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /etc/nginx/ssl/fullchain.cer;
ssl_certificate_key /etc/nginx/ssl/key.key;
ssl_session_timeout 15m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:MozSSL:50m;
#ssl_ecdh_curve secp521r1,prime256v1,secp384r1;
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=63072000" always;
location /$PATH {
proxy_pass http://127.0.0.1:11000;
proxy_http_version 1.1;
###Set WebSocket headers ####
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
### Set Proxy headers ####
proxy_set_header Accept-Encoding "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
add_header Front-End-Https on;
proxy_redirect off;
}
}
```
## Docker Setup
Webtunnel is a new pluggable transport available for bridge operators.
### Prerequisites
An existing website using nginx balancer to handle traffic. (other load banlancer is currently untested)
Handle traffic directly, without CDN. (CDN passthrough is currently untested)
A container runtime like Docker.
### Configure nginx Forwarding
If you haven't already, configure websocket forwarding support in nginx by configure HTTP Upgrade forwarding at /etc/nginx/nginx.conf:
```
--- a/before.conf
+++ b/after.conf
@@ -60,6 +60,13 @@ http {
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
+
+ #WebSocket Support
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
}
```
And add a forwarded path under one the served domain, typically defined in files within `/etc/nginx/sites-enabled/`, replace $PATH with a random string(which you could generate with `echo $(cat /dev/urandom | tr -cd "qwertyuiopasdfghjklzxcvbnmMNBVCXZLKJHGFDSAQWERTUIOP0987654321"|head -c 24)`):
```
location /$PATH {
proxy_pass http://127.0.0.1:11000;
proxy_http_version 1.1;
###Set WebSocket headers ####
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
### Set Proxy headers ####
proxy_set_header Accept-Encoding "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
add_header Front-End-Https on;
proxy_redirect off;
}
```
### Install Docker Runtime(if necessary)
```
apt install curl sudo
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh ./get-docker.sh
```
### Run Dockerlized Webtunnel Server
Replace `URL` with your domain and path, and `OPERATOR_EMAIL` with your email address, then run:
```
truncate --size 0 .env
echo "URL=https://yourdomain/and/path" >> .env
echo "OPERATOR_EMAIL=your@email.org" >> .env
echo "BRIDGE_NICKNAME=WTBr$(cat /dev/urandom | tr -cd 'qwertyuiopasdfghjklzxcvbnmMNBVCXZLKJHGFDSAQWERTUIOP0987654321'|head -c 10)" >> .env
echo "GENEDORPORT=4$(cat /dev/urandom | tr -cd '0987654321'|head -c 4)" >> .env
```
This will create an environment file for the configuration of webtunnel bridge.
After creating the configure file, download the webtunnel docker compose file, and instancize it.
````shell
curl https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/webtunnel/-/raw/main/release/container/docker-compose.yml?inline=false > docker-compose.yml
docker compose up -d
````
It includes auto update by default, and will update webtunnel bridge server without any further action. Remove `watchtower` to disable this behavior.
### Get Bridgeline and Check it is Running
You can obtain bridgeline and verify if it is working by running
```shell
docker compose exec webtunnel-bridge get-bridge-line.sh
```
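Review bot: the "Obtain Certificate" step issues a certificate with `acme.sh --issue --standalone`, which leaves the files under `~/.acme.sh/`, but the nginx server block reads `/etc/nginx/ssl/fullchain.cer` and `/etc/nginx/ssl/key.key` and no step installs the certificate at those paths; add an `acme.sh --install-cert -d $SERVER_ADDRESS --fullchain-file /etc/nginx/ssl/fullchain.cer --key-file /etc/nginx/ssl/key.key --reloadcmd "systemctl reload nginx"` step between the two, otherwise nginx fails to start. Also, "add http forwarding setting to a new file at /etc/nginx/site-enabled" should be `/etc/nginx/sites-enabled/`, matching the `include /etc/nginx/sites-enabled/*;` line in the nginx.conf diff just above it. Since this content moves to README.WEBTUNNEL.md via the symlink, apply both fixes in the canonical file.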


@ -0,0 +1 @@
../../../README.WEBTUNNEL.md


@ -1,28 +0,0 @@
# Conjure
[Conjure](https://jhalderm.com/pub/papers/conjure-ccs19.pdf) is an anti-censorship tool in the refraction networking (a.k.a. decoy routing) lineage of circumvention systems. The key innovation of Conjure is to turn the unused IP address space of deploying ISPs into a large pool of **phantom** proxies that users can connect to. Due to the size of unused IPv6 address space and the potential for collateral damage against real websites hosted by the deploying ISPs, Conjure provides an effective solution to the problem of censors enumerating deployed bridges or proxies.
Conjure is currenty deployed on the University of Colorado network and a small to mid size ISP in Michigan.
# Conjure Pluggable Transport for Tor
This repository is an implementation of both the client and bridge side of a Tor pluggable transport that uses the deployed Conjure network to allow users to connect to the Tor network. The client side calls the [`gotapdance` library](https://github.com/refraction-networking/gotapdance) to communicate with deployed Conjure stations and route client traffic through the phantom proxies assigned by the station. The bridge side receives [haproxy](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) connections from the Conjure station that wrap the proxied client traffic.
# Deployment details
We currently have deployed a low capacity Conjure bridge named [Haunt](https://metrics.torproject.org/rs.html#details/A84C946BF4E14E63A3C92E140532A4594F2C24CD). To connect through this bridge, use the `torrc` file in the `client/` directory as follows:
```
cd client/
tor -f torrc
```
# Warnings
This tool and the deployment is still under active development. We are still working on securing the connection between the deployed Conjure stations and the Conjure bridge. We are also working on improving the censorship resistance of the registration connection between the client and the station. Do not expect this to work out of the box in all areas.
The Conjure station sometimes suffers from a heavy load of users. When this happens, connections will fail. If you are testing this out, try waiting awhile and trying again later.
# Conjure development
Due to the complex nature of the Conjure deployment, it can be difficult to set up a local development environment. Check out [phantombox](https://gitlab.torproject.org/cohosh/phantombox) for an automated libvirt-based setup that works on Linux.


@ -0,0 +1 @@
../../../README.CONJURE.md


@ -1,109 +0,0 @@
# Snowflake
[![Build Status](https://travis-ci.org/keroserene/snowflake.svg?branch=master)](https://travis-ci.org/keroserene/snowflake)
Pluggable Transport using WebRTC, inspired by Flashproxy.
<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
**Table of Contents**
- [Structure of this Repository](#structure-of-this-repository)
- [Usage](#usage)
- [Using Snowflake with Tor](#using-snowflake-with-tor)
- [Running a Snowflake Proxy](#running-a-snowflake-proxy)
- [Using the Snowflake Library with Other Applications](#using-the-snowflake-library-with-other-applications)
- [Test Environment](#test-environment)
- [FAQ](#faq)
- [More info and links](#more-info-and-links)
<!-- END doctoc generated TOC please keep comment here to allow auto update -->
### Structure of this Repository
- `broker/` contains code for the Snowflake broker
- `doc/` contains Snowflake documentation and manpages
- `client/` contains the Tor pluggable transport client and client library code
- `common/` contains generic libraries used by multiple pieces of Snowflake
- `proxy/` contains code for the Go standalone Snowflake proxy
- `probetest/` contains code for a NAT probetesting service
- `server/` contains the Tor pluggable transport server and server library code
### Usage
Snowflake is currently deployed as a pluggable transport for Tor.
#### Using Snowflake with Tor
To use the Snowflake client with Tor, you will need to add the appropriate `Bridge` and `ClientTransportPlugin` lines to your [torrc](https://2019.www.torproject.org/docs/tor-manual.html.en) file. See the [client README](client) for more information on building and running the Snowflake client.
#### Running a Snowflake Proxy
You can contribute to Snowflake by running a Snowflake proxy. We have the option to run a proxy in your browser or as a standalone Go program. See our [community documentation](https://community.torproject.org/relay/setup/snowflake/) for more details.
#### Using the Snowflake Library with Other Applications
Snowflake can be used as a Go API, and adheres to the [v2.1 pluggable transports specification](). For more information on using the Snowflake Go library, see the [Snowflake library documentation](doc/using-the-snowflake-library.md).
### Test Environment
There is a Docker-based test environment at https://github.com/cohosh/snowbox.
### FAQ
**Q: How does it work?**
In the Tor use-case:
1. Volunteers visit websites which host the "snowflake" proxy. (just
like flashproxy)
2. Tor clients automatically find available browser proxies via the Broker
(the domain fronted signaling channel).
3. Tor client and browser proxy establish a WebRTC peer connection.
4. Proxy connects to some relay.
5. Tor occurs.
More detailed information about how clients, snowflake proxies, and the Broker
fit together on the way...
**Q: What are the benefits of this PT compared with other PTs?**
Snowflake combines the advantages of flashproxy and meek. Primarily:
- It has the convenience of Meek, but can support magnitudes more
users with negligible CDN costs. (Domain fronting is only used for brief
signalling / NAT-piercing to setup the P2P WebRTC DataChannels which handle
the actual traffic.)
- Arbitrarily high numbers of volunteer proxies are possible like in
flashproxy, but NATs are no longer a usability barrier - no need for
manual port forwarding!
**Q: Why is this called Snowflake?**
It utilizes the "ICE" negotiation via WebRTC, and also involves a great
abundance of ephemeral and short-lived (and special!) volunteer proxies...
### More info and links
We have more documentation in the [Snowflake wiki](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) and at https://snowflake.torproject.org/.
##### -- Android AAR Reproducible Build Setup --
Using `gomobile` it is possible to build snowflake as shared libraries for all
the architectures supported by Android. This is in the _.gitlab-ci.yml_, which
runs in GitLab CI. It is also possible to run this setup in a Virtual Machine
using [vagrant](https://www.vagrantup.com/). Just run `vagrant up` and it will
create and provision the VM. `vagrant ssh` to get into the VM to use it as a
development environment.
##### uTLS Settings
Snowflake communicate with broker that serves as signaling server with TLS based domain fronting connection, which may be identified by its usage of Go language TLS stack.
uTLS is a software library designed to initiate the TLS Client Hello fingerprint of browsers or other popular software's TLS stack to evade censorship based on TLS client hello fingerprint with `-utls-imitate` . You can use `-version` to see a list of supported values.
Depending on client and server configuration, it may not always work as expected as not all extensions are correctly implemented.
You can also remove SNI (Server Name Indication) from client hello to evade censorship with `-utls-nosni`, not all servers supports this.


@ -0,0 +1 @@
../../../README.SNOWFLAKE.md


@ -1,263 +0,0 @@
# WebTunnel
Pluggable Transport based on HTTP Upgrade(HTTPT)
WebTunnel is pluggable transport that attempt to imitate web browsing activities based on [HTTPT](https://censorbib.nymity.ch/#Frolov2020b).
## Client Usage
Connect to a WebTunnel server with a Tor configuration file like:
```
UseBridges 1
DataDirectory datadir
ClientTransportPlugin webtunnel exec ./client
Bridge webtunnel 192.0.2.3:1 url=https://akbwadp9lc5fyyz0cj4d76z643pxgbfh6oyc-167-71-71-157.sslip.io/5m9yq0j4ghkz0fz7qmuw58cvbjon0ebnrsp0
SocksPort auto
Log info
```
## Server Setup
#### Install Tor
On a Debian system, first install tor normally with
```
apt install apt-transport-https
lsb_release -c
nano /etc/apt/sources.list.d/tor.list
wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null
apt update
apt install tor deb.torproject.org-keyring
```
### Disable default instance
The default Tor configuration is not useful for this setup, so the next step will be disabling them.
```
systemctl stop tor@default.service
systemctl mask tor@default.service
```
### Get Environment Ready
```
#copy server file to server
scp server root@$SERVER_ADDRESS:/var/lib/torwebtunnel/webtunnel
```
then create server torrc at `/var/lib/torwebtunnel/torrc`
```
BridgeRelay 1
ORPort 10000
ServerTransportPlugin webtunnel exec /var/lib/torwebtunnel/webtunnel
ServerTransportListenAddr webtunnel 127.0.0.1:11000
ExtORPort auto
ContactInfo WebTunnel email: tor.relay.email@torproject.net ciissversion:2
Nickname WebTunnelTest
PublishServerDescriptor 1
BridgeDistribution none
DataDirectory /var/lib/torwebtunnel/tor-data
CacheDirectory /tmp/tor-tmp-torwebtunnel
SocksPort 0
```
#### Configure service unit file
Create a service unit file as follow
```
[Unit]
Description=Tor Web Tunnel
[Service]
Type=simple
DynamicUser=yes
PrivateUsers=true
PrivateMounts=true
ProtectSystem=strict
PrivateTmp=true
PrivateDevices=true
ProtectClock=true
NoNewPrivileges=true
ProtectHome=tmpfs
ProtectKernelModules=true
ProtectKernelLogs=true
StateDirectory=torwebtunnel
ExecStart=/usr/bin/tor -f /var/lib/torwebtunnel/torrc --RunAsDaemon 0
[Install]
WantedBy=default.target
```
#### Obtain Certificate
WebTunnel Requires a valid TLS certificate, to obtain that
```
curl https://get.acme.sh | sh -s email=my@example.com
~/.acme.sh/acme.sh --issue --standalone --domain $SERVER_ADDRESS
```
#### Install & Configure Nginx
To coexist with other content at a single port, it is necessary to install a reverse proxy like nginx:
```
apt install nginx
```
And then configure HTTP Upgrade forwarding at /etc/nginx/nginx.conf.
```
--- a/before.conf
+++ b/after.conf
@@ -60,6 +60,13 @@ http {
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
+
+ #WebSocket Support
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
}
```
Finally, add http forwarding setting to a new file at /etc/nginx/site-enabled .
```
server {
listen [::]:443 ssl http2;
listen 443 ssl http2;
server_name $SERVER_ADDRESS;
#ssl on;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /etc/nginx/ssl/fullchain.cer;
ssl_certificate_key /etc/nginx/ssl/key.key;
ssl_session_timeout 15m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:MozSSL:50m;
#ssl_ecdh_curve secp521r1,prime256v1,secp384r1;
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=63072000" always;
location /$PATH {
proxy_pass http://127.0.0.1:11000;
proxy_http_version 1.1;
###Set WebSocket headers ####
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
### Set Proxy headers ####
proxy_set_header Accept-Encoding "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
add_header Front-End-Https on;
proxy_redirect off;
}
}
```
## Docker Setup
Webtunnel is a new pluggable transport available for bridge operators.
### Prerequisites
An existing website using nginx balancer to handle traffic. (other load banlancer is currently untested)
Handle traffic directly, without CDN. (CDN passthrough is currently untested)
A container runtime like Docker.
### Configure nginx Forwarding
If you haven't already, configure websocket forwarding support in nginx by configure HTTP Upgrade forwarding at /etc/nginx/nginx.conf:
```
--- a/before.conf
+++ b/after.conf
@@ -60,6 +60,13 @@ http {
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
+
+ #WebSocket Support
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
}
```
And add a forwarded path under one the served domain, typically defined in files within `/etc/nginx/sites-enabled/`, replace $PATH with a random string(which you could generate with `echo $(cat /dev/urandom | tr -cd "qwertyuiopasdfghjklzxcvbnmMNBVCXZLKJHGFDSAQWERTUIOP0987654321"|head -c 24)`):
```
location /$PATH {
proxy_pass http://127.0.0.1:11000;
proxy_http_version 1.1;
###Set WebSocket headers ####
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
### Set Proxy headers ####
proxy_set_header Accept-Encoding "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
add_header Front-End-Https on;
proxy_redirect off;
}
```
### Install Docker Runtime(if necessary)
```
apt install curl sudo
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh ./get-docker.sh
```
### Run Dockerlized Webtunnel Server
Replace `URL` with your domain and path, and `OPERATOR_EMAIL` with your email address, then run:
```
truncate --size 0 .env
echo "URL=https://yourdomain/and/path" >> .env
echo "OPERATOR_EMAIL=your@email.org" >> .env
echo "BRIDGE_NICKNAME=WTBr$(cat /dev/urandom | tr -cd 'qwertyuiopasdfghjklzxcvbnmMNBVCXZLKJHGFDSAQWERTUIOP0987654321'|head -c 10)" >> .env
echo "GENEDORPORT=4$(cat /dev/urandom | tr -cd '0987654321'|head -c 4)" >> .env
```
This will create an environment file for the configuration of webtunnel bridge.
After creating the configure file, download the webtunnel docker compose file, and instancize it.
````shell
curl https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/webtunnel/-/raw/main/release/container/docker-compose.yml?inline=false > docker-compose.yml
docker compose up -d
````
It includes auto update by default, and will update webtunnel bridge server without any further action. Remove `watchtower` to disable this behavior.
### Get Bridgeline and Check it is Running
You can obtain bridgeline and verify if it is working by running
```shell
docker compose exec webtunnel-bridge get-bridge-line.sh
```


@ -0,0 +1 @@
../../../README.WEBTUNNEL.md