diff --git a/desktopApp/tor/README.CONJURE.md b/desktopApp/tor/README.CONJURE.md new file mode 100644 index 00000000..0a51c64e --- /dev/null +++ b/desktopApp/tor/README.CONJURE.md @@ -0,0 +1,28 @@ +# Conjure + +[Conjure](https://jhalderm.com/pub/papers/conjure-ccs19.pdf) is an anti-censorship tool in the refraction networking (a.k.a. decoy routing) lineage of circumvention systems. The key innovation of Conjure is to turn the unused IP address space of deploying ISPs into a large pool of **phantom** proxies that users can connect to. Due to the size of unused IPv6 address space and the potential for collateral damage against real websites hosted by the deploying ISPs, Conjure provides an effective solution to the problem of censors enumerating deployed bridges or proxies. + +Conjure is currenty deployed on the University of Colorado network and a small to mid size ISP in Michigan. + +# Conjure Pluggable Transport for Tor + +This repository is an implementation of both the client and bridge side of a Tor pluggable transport that uses the deployed Conjure network to allow users to connect to the Tor network. The client side calls the [`gotapdance` library](https://github.com/refraction-networking/gotapdance) to communicate with deployed Conjure stations and route client traffic through the phantom proxies assigned by the station. The bridge side receives [haproxy](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) connections from the Conjure station that wrap the proxied client traffic. + +# Deployment details + +We currently have deployed a low capacity Conjure bridge named [Haunt](https://metrics.torproject.org/rs.html#details/A84C946BF4E14E63A3C92E140532A4594F2C24CD). To connect through this bridge, use the `torrc` file in the `client/` directory as follows: + +``` +cd client/ +tor -f torrc +``` + +# Warnings + +This tool and the deployment is still under active development. We are still working on securing the connection between the deployed Conjure stations and the Conjure bridge. We are also working on improving the censorship resistance of the registration connection between the client and the station. Do not expect this to work out of the box in all areas. + +The Conjure station sometimes suffers from a heavy load of users. When this happens, connections will fail. If you are testing this out, try waiting awhile and trying again later. + +# Conjure development + +Due to the complex nature of the Conjure deployment, it can be difficult to set up a local development environment. Check out [phantombox](https://gitlab.torproject.org/cohosh/phantombox) for an automated libvirt-based setup that works on Linux. diff --git a/desktopApp/tor/README.SNOWFLAKE.md b/desktopApp/tor/README.SNOWFLAKE.md new file mode 100644 index 00000000..c242e5c7 --- /dev/null +++ b/desktopApp/tor/README.SNOWFLAKE.md @@ -0,0 +1,109 @@ +# Snowflake + +[![Build Status](https://travis-ci.org/keroserene/snowflake.svg?branch=master)](https://travis-ci.org/keroserene/snowflake) + +Pluggable Transport using WebRTC, inspired by Flashproxy. + + + +**Table of Contents** + +- [Structure of this Repository](#structure-of-this-repository) +- [Usage](#usage) + - [Using Snowflake with Tor](#using-snowflake-with-tor) + - [Running a Snowflake Proxy](#running-a-snowflake-proxy) + - [Using the Snowflake Library with Other Applications](#using-the-snowflake-library-with-other-applications) +- [Test Environment](#test-environment) +- [FAQ](#faq) +- [More info and links](#more-info-and-links) + + + +### Structure of this Repository + +- `broker/` contains code for the Snowflake broker +- `doc/` contains Snowflake documentation and manpages +- `client/` contains the Tor pluggable transport client and client library code +- `common/` contains generic libraries used by multiple pieces of Snowflake +- `proxy/` contains code for the Go standalone Snowflake proxy +- `probetest/` contains code for a NAT probetesting service +- `server/` contains the Tor pluggable transport server and server library code + +### Usage + +Snowflake is currently deployed as a pluggable transport for Tor. + +#### Using Snowflake with Tor + +To use the Snowflake client with Tor, you will need to add the appropriate `Bridge` and `ClientTransportPlugin` lines to your [torrc](https://2019.www.torproject.org/docs/tor-manual.html.en) file. See the [client README](client) for more information on building and running the Snowflake client. + +#### Running a Snowflake Proxy + +You can contribute to Snowflake by running a Snowflake proxy. We have the option to run a proxy in your browser or as a standalone Go program. See our [community documentation](https://community.torproject.org/relay/setup/snowflake/) for more details. + +#### Using the Snowflake Library with Other Applications + +Snowflake can be used as a Go API, and adheres to the [v2.1 pluggable transports specification](). For more information on using the Snowflake Go library, see the [Snowflake library documentation](doc/using-the-snowflake-library.md). + +### Test Environment + +There is a Docker-based test environment at https://github.com/cohosh/snowbox. + +### FAQ + +**Q: How does it work?** + +In the Tor use-case: + +1. Volunteers visit websites which host the "snowflake" proxy. (just +like flashproxy) +2. Tor clients automatically find available browser proxies via the Broker +(the domain fronted signaling channel). +3. Tor client and browser proxy establish a WebRTC peer connection. +4. Proxy connects to some relay. +5. Tor occurs. + +More detailed information about how clients, snowflake proxies, and the Broker +fit together on the way... + +**Q: What are the benefits of this PT compared with other PTs?** + +Snowflake combines the advantages of flashproxy and meek. Primarily: + +- It has the convenience of Meek, but can support magnitudes more +users with negligible CDN costs. (Domain fronting is only used for brief +signalling / NAT-piercing to setup the P2P WebRTC DataChannels which handle +the actual traffic.) + +- Arbitrarily high numbers of volunteer proxies are possible like in +flashproxy, but NATs are no longer a usability barrier - no need for +manual port forwarding! + +**Q: Why is this called Snowflake?** + +It utilizes the "ICE" negotiation via WebRTC, and also involves a great +abundance of ephemeral and short-lived (and special!) volunteer proxies... + +### More info and links + +We have more documentation in the [Snowflake wiki](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) and at https://snowflake.torproject.org/. + + +##### -- Android AAR Reproducible Build Setup -- + +Using `gomobile` it is possible to build snowflake as shared libraries for all +the architectures supported by Android. This is in the _.gitlab-ci.yml_, which +runs in GitLab CI. It is also possible to run this setup in a Virtual Machine +using [vagrant](https://www.vagrantup.com/). Just run `vagrant up` and it will +create and provision the VM. `vagrant ssh` to get into the VM to use it as a +development environment. + +##### uTLS Settings + +Snowflake communicate with broker that serves as signaling server with TLS based domain fronting connection, which may be identified by its usage of Go language TLS stack. + +uTLS is a software library designed to initiate the TLS Client Hello fingerprint of browsers or other popular software's TLS stack to evade censorship based on TLS client hello fingerprint with `-utls-imitate` . You can use `-version` to see a list of supported values. + +Depending on client and server configuration, it may not always work as expected as not all extensions are correctly implemented. + +You can also remove SNI (Server Name Indication) from client hello to evade censorship with `-utls-nosni`, not all servers supports this. diff --git a/desktopApp/tor/README.WEBTUNNEL.md b/desktopApp/tor/README.WEBTUNNEL.md new file mode 100644 index 00000000..be279bf8 --- /dev/null +++ b/desktopApp/tor/README.WEBTUNNEL.md @@ -0,0 +1,263 @@ +# WebTunnel + +Pluggable Transport based on HTTP Upgrade(HTTPT) + +WebTunnel is pluggable transport that attempt to imitate web browsing activities based on [HTTPT](https://censorbib.nymity.ch/#Frolov2020b). + +## Client Usage +Connect to a WebTunnel server with a Tor configuration file like: +``` +UseBridges 1 +DataDirectory datadir + +ClientTransportPlugin webtunnel exec ./client + +Bridge webtunnel 192.0.2.3:1 url=https://akbwadp9lc5fyyz0cj4d76z643pxgbfh6oyc-167-71-71-157.sslip.io/5m9yq0j4ghkz0fz7qmuw58cvbjon0ebnrsp0 + +SocksPort auto + +Log info +``` +## Server Setup + +#### Install Tor +On a Debian system, first install tor normally with +``` +apt install apt-transport-https +lsb_release -c +nano /etc/apt/sources.list.d/tor.list +wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null +apt update +apt install tor deb.torproject.org-keyring +``` + +### Disable default instance +The default Tor configuration is not useful for this setup, so the next step will be disabling them. +``` +systemctl stop tor@default.service +systemctl mask tor@default.service +``` + +### Get Environment Ready +``` +#copy server file to server +scp server root@$SERVER_ADDRESS:/var/lib/torwebtunnel/webtunnel +``` + +then create server torrc at `/var/lib/torwebtunnel/torrc` +``` +BridgeRelay 1 + +ORPort 10000 + +ServerTransportPlugin webtunnel exec /var/lib/torwebtunnel/webtunnel + +ServerTransportListenAddr webtunnel 127.0.0.1:11000 + +ExtORPort auto + +ContactInfo WebTunnel email: tor.relay.email@torproject.net ciissversion:2 + +Nickname WebTunnelTest + +PublishServerDescriptor 1 +BridgeDistribution none + +DataDirectory /var/lib/torwebtunnel/tor-data +CacheDirectory /tmp/tor-tmp-torwebtunnel + +SocksPort 0 +``` + +#### Configure service unit file +Create a service unit file as follow +``` +[Unit] +Description=Tor Web Tunnel + +[Service] +Type=simple +DynamicUser=yes +PrivateUsers=true +PrivateMounts=true +ProtectSystem=strict +PrivateTmp=true +PrivateDevices=true +ProtectClock=true +NoNewPrivileges=true +ProtectHome=tmpfs +ProtectKernelModules=true +ProtectKernelLogs=true + +StateDirectory=torwebtunnel + +ExecStart=/usr/bin/tor -f /var/lib/torwebtunnel/torrc --RunAsDaemon 0 + +[Install] +WantedBy=default.target +``` + +#### Obtain Certificate +WebTunnel Requires a valid TLS certificate, to obtain that +``` +curl https://get.acme.sh | sh -s email=my@example.com +~/.acme.sh/acme.sh --issue --standalone --domain $SERVER_ADDRESS +``` + +#### Install & Configure Nginx +To coexist with other content at a single port, it is necessary to install a reverse proxy like nginx: +``` +apt install nginx +``` + +And then configure HTTP Upgrade forwarding at /etc/nginx/nginx.conf. +``` +--- a/before.conf ++++ b/after.conf +@@ -60,6 +60,13 @@ http { + + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; ++ ++ #WebSocket Support ++ map $http_upgrade $connection_upgrade { ++ default upgrade; ++ '' close; ++ } ++ + } + +``` + +Finally, add http forwarding setting to a new file at /etc/nginx/site-enabled . +``` +server { + listen [::]:443 ssl http2; + listen 443 ssl http2; + server_name $SERVER_ADDRESS; + #ssl on; + + # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate + ssl_certificate /etc/nginx/ssl/fullchain.cer; + ssl_certificate_key /etc/nginx/ssl/key.key; + + + ssl_session_timeout 15m; + + ssl_protocols TLSv1.2 TLSv1.3; + + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + + ssl_prefer_server_ciphers off; + + ssl_session_cache shared:MozSSL:50m; + #ssl_ecdh_curve secp521r1,prime256v1,secp384r1; + ssl_session_tickets off; + + add_header Strict-Transport-Security "max-age=63072000" always; + + location /$PATH { + proxy_pass http://127.0.0.1:11000; + proxy_http_version 1.1; + + ###Set WebSocket headers #### + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + ### Set Proxy headers #### + proxy_set_header Accept-Encoding ""; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + add_header Front-End-Https on; + + proxy_redirect off; +} + + +} + +``` + +## Docker Setup + +Webtunnel is a new pluggable transport available for bridge operators. + +### Prerequisites +An existing website using nginx balancer to handle traffic. (other load banlancer is currently untested) + +Handle traffic directly, without CDN. (CDN passthrough is currently untested) + +A container runtime like Docker. + +### Configure nginx Forwarding +If you haven't already, configure websocket forwarding support in nginx by configure HTTP Upgrade forwarding at /etc/nginx/nginx.conf: +``` +--- a/before.conf ++++ b/after.conf +@@ -60,6 +60,13 @@ http { + + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; ++ ++ #WebSocket Support ++ map $http_upgrade $connection_upgrade { ++ default upgrade; ++ '' close; ++ } ++ + } +``` +And add a forwarded path under one the served domain, typically defined in files within `/etc/nginx/sites-enabled/`, replace $PATH with a random string(which you could generate with `echo $(cat /dev/urandom | tr -cd "qwertyuiopasdfghjklzxcvbnmMNBVCXZLKJHGFDSAQWERTUIOP0987654321"|head -c 24)`): +``` +location /$PATH { + proxy_pass http://127.0.0.1:11000; + proxy_http_version 1.1; + + ###Set WebSocket headers #### + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + ### Set Proxy headers #### + proxy_set_header Accept-Encoding ""; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + add_header Front-End-Https on; + + proxy_redirect off; +} +``` + +### Install Docker Runtime(if necessary) +``` +apt install curl sudo +curl -fsSL https://get.docker.com -o get-docker.sh +sudo sh ./get-docker.sh +``` + +### Run Dockerlized Webtunnel Server +Replace `URL` with your domain and path, and `OPERATOR_EMAIL` with your email address, then run: +``` +truncate --size 0 .env +echo "URL=https://yourdomain/and/path" >> .env +echo "OPERATOR_EMAIL=your@email.org" >> .env +echo "BRIDGE_NICKNAME=WTBr$(cat /dev/urandom | tr -cd 'qwertyuiopasdfghjklzxcvbnmMNBVCXZLKJHGFDSAQWERTUIOP0987654321'|head -c 10)" >> .env +echo "GENEDORPORT=4$(cat /dev/urandom | tr -cd '0987654321'|head -c 4)" >> .env +``` +This will create an environment file for the configuration of webtunnel bridge. + +After creating the configure file, download the webtunnel docker compose file, and instancize it. +````shell +curl https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/webtunnel/-/raw/main/release/container/docker-compose.yml?inline=false > docker-compose.yml +docker compose up -d +```` +It includes auto update by default, and will update webtunnel bridge server without any further action. Remove `watchtower` to disable this behavior. + +### Get Bridgeline and Check it is Running +You can obtain bridgeline and verify if it is working by running +```shell +docker compose exec webtunnel-bridge get-bridge-line.sh +``` diff --git a/desktopApp/tor/tor-linux/tor/pluggable_transports/README.CONJURE.md b/desktopApp/tor/tor-linux/tor/pluggable_transports/README.CONJURE.md deleted file mode 100644 index 0a51c64e..00000000 --- a/desktopApp/tor/tor-linux/tor/pluggable_transports/README.CONJURE.md +++ /dev/null @@ -1,28 +0,0 @@ -# Conjure - -[Conjure](https://jhalderm.com/pub/papers/conjure-ccs19.pdf) is an anti-censorship tool in the refraction networking (a.k.a. decoy routing) lineage of circumvention systems. The key innovation of Conjure is to turn the unused IP address space of deploying ISPs into a large pool of **phantom** proxies that users can connect to. Due to the size of unused IPv6 address space and the potential for collateral damage against real websites hosted by the deploying ISPs, Conjure provides an effective solution to the problem of censors enumerating deployed bridges or proxies. - -Conjure is currenty deployed on the University of Colorado network and a small to mid size ISP in Michigan. - -# Conjure Pluggable Transport for Tor - -This repository is an implementation of both the client and bridge side of a Tor pluggable transport that uses the deployed Conjure network to allow users to connect to the Tor network. The client side calls the [`gotapdance` library](https://github.com/refraction-networking/gotapdance) to communicate with deployed Conjure stations and route client traffic through the phantom proxies assigned by the station. The bridge side receives [haproxy](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) connections from the Conjure station that wrap the proxied client traffic. - -# Deployment details - -We currently have deployed a low capacity Conjure bridge named [Haunt](https://metrics.torproject.org/rs.html#details/A84C946BF4E14E63A3C92E140532A4594F2C24CD). To connect through this bridge, use the `torrc` file in the `client/` directory as follows: - -``` -cd client/ -tor -f torrc -``` - -# Warnings - -This tool and the deployment is still under active development. We are still working on securing the connection between the deployed Conjure stations and the Conjure bridge. We are also working on improving the censorship resistance of the registration connection between the client and the station. Do not expect this to work out of the box in all areas. - -The Conjure station sometimes suffers from a heavy load of users. When this happens, connections will fail. If you are testing this out, try waiting awhile and trying again later. - -# Conjure development - -Due to the complex nature of the Conjure deployment, it can be difficult to set up a local development environment. Check out [phantombox](https://gitlab.torproject.org/cohosh/phantombox) for an automated libvirt-based setup that works on Linux. diff --git a/desktopApp/tor/tor-linux/tor/pluggable_transports/README.CONJURE.md b/desktopApp/tor/tor-linux/tor/pluggable_transports/README.CONJURE.md new file mode 120000 index 00000000..6bbb264e --- /dev/null +++ b/desktopApp/tor/tor-linux/tor/pluggable_transports/README.CONJURE.md @@ -0,0 +1 @@ +../../../README.CONJURE.md \ No newline at end of file diff --git a/desktopApp/tor/tor-linux/tor/pluggable_transports/README.SNOWFLAKE.md b/desktopApp/tor/tor-linux/tor/pluggable_transports/README.SNOWFLAKE.md deleted file mode 100644 index c242e5c7..00000000 --- a/desktopApp/tor/tor-linux/tor/pluggable_transports/README.SNOWFLAKE.md +++ /dev/null @@ -1,109 +0,0 @@ -# Snowflake - -[![Build Status](https://travis-ci.org/keroserene/snowflake.svg?branch=master)](https://travis-ci.org/keroserene/snowflake) - -Pluggable Transport using WebRTC, inspired by Flashproxy. - - - -**Table of Contents** - -- [Structure of this Repository](#structure-of-this-repository) -- [Usage](#usage) - - [Using Snowflake with Tor](#using-snowflake-with-tor) - - [Running a Snowflake Proxy](#running-a-snowflake-proxy) - - [Using the Snowflake Library with Other Applications](#using-the-snowflake-library-with-other-applications) -- [Test Environment](#test-environment) -- [FAQ](#faq) -- [More info and links](#more-info-and-links) - - - -### Structure of this Repository - -- `broker/` contains code for the Snowflake broker -- `doc/` contains Snowflake documentation and manpages -- `client/` contains the Tor pluggable transport client and client library code -- `common/` contains generic libraries used by multiple pieces of Snowflake -- `proxy/` contains code for the Go standalone Snowflake proxy -- `probetest/` contains code for a NAT probetesting service -- `server/` contains the Tor pluggable transport server and server library code - -### Usage - -Snowflake is currently deployed as a pluggable transport for Tor. - -#### Using Snowflake with Tor - -To use the Snowflake client with Tor, you will need to add the appropriate `Bridge` and `ClientTransportPlugin` lines to your [torrc](https://2019.www.torproject.org/docs/tor-manual.html.en) file. See the [client README](client) for more information on building and running the Snowflake client. - -#### Running a Snowflake Proxy - -You can contribute to Snowflake by running a Snowflake proxy. We have the option to run a proxy in your browser or as a standalone Go program. See our [community documentation](https://community.torproject.org/relay/setup/snowflake/) for more details. - -#### Using the Snowflake Library with Other Applications - -Snowflake can be used as a Go API, and adheres to the [v2.1 pluggable transports specification](). For more information on using the Snowflake Go library, see the [Snowflake library documentation](doc/using-the-snowflake-library.md). - -### Test Environment - -There is a Docker-based test environment at https://github.com/cohosh/snowbox. - -### FAQ - -**Q: How does it work?** - -In the Tor use-case: - -1. Volunteers visit websites which host the "snowflake" proxy. (just -like flashproxy) -2. Tor clients automatically find available browser proxies via the Broker -(the domain fronted signaling channel). -3. Tor client and browser proxy establish a WebRTC peer connection. -4. Proxy connects to some relay. -5. Tor occurs. - -More detailed information about how clients, snowflake proxies, and the Broker -fit together on the way... - -**Q: What are the benefits of this PT compared with other PTs?** - -Snowflake combines the advantages of flashproxy and meek. Primarily: - -- It has the convenience of Meek, but can support magnitudes more -users with negligible CDN costs. (Domain fronting is only used for brief -signalling / NAT-piercing to setup the P2P WebRTC DataChannels which handle -the actual traffic.) - -- Arbitrarily high numbers of volunteer proxies are possible like in -flashproxy, but NATs are no longer a usability barrier - no need for -manual port forwarding! - -**Q: Why is this called Snowflake?** - -It utilizes the "ICE" negotiation via WebRTC, and also involves a great -abundance of ephemeral and short-lived (and special!) volunteer proxies... - -### More info and links - -We have more documentation in the [Snowflake wiki](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) and at https://snowflake.torproject.org/. - - -##### -- Android AAR Reproducible Build Setup -- - -Using `gomobile` it is possible to build snowflake as shared libraries for all -the architectures supported by Android. This is in the _.gitlab-ci.yml_, which -runs in GitLab CI. It is also possible to run this setup in a Virtual Machine -using [vagrant](https://www.vagrantup.com/). Just run `vagrant up` and it will -create and provision the VM. `vagrant ssh` to get into the VM to use it as a -development environment. - -##### uTLS Settings - -Snowflake communicate with broker that serves as signaling server with TLS based domain fronting connection, which may be identified by its usage of Go language TLS stack. - -uTLS is a software library designed to initiate the TLS Client Hello fingerprint of browsers or other popular software's TLS stack to evade censorship based on TLS client hello fingerprint with `-utls-imitate` . You can use `-version` to see a list of supported values. - -Depending on client and server configuration, it may not always work as expected as not all extensions are correctly implemented. - -You can also remove SNI (Server Name Indication) from client hello to evade censorship with `-utls-nosni`, not all servers supports this. diff --git a/desktopApp/tor/tor-linux/tor/pluggable_transports/README.SNOWFLAKE.md b/desktopApp/tor/tor-linux/tor/pluggable_transports/README.SNOWFLAKE.md new file mode 120000 index 00000000..815ae8e0 --- /dev/null +++ b/desktopApp/tor/tor-linux/tor/pluggable_transports/README.SNOWFLAKE.md @@ -0,0 +1 @@ +../../../README.SNOWFLAKE.md \ No newline at end of file diff --git a/desktopApp/tor/tor-linux/tor/pluggable_transports/README.WEBTUNNEL.md b/desktopApp/tor/tor-linux/tor/pluggable_transports/README.WEBTUNNEL.md deleted file mode 100644 index be279bf8..00000000 --- a/desktopApp/tor/tor-linux/tor/pluggable_transports/README.WEBTUNNEL.md +++ /dev/null @@ -1,263 +0,0 @@ -# WebTunnel - -Pluggable Transport based on HTTP Upgrade(HTTPT) - -WebTunnel is pluggable transport that attempt to imitate web browsing activities based on [HTTPT](https://censorbib.nymity.ch/#Frolov2020b). - -## Client Usage -Connect to a WebTunnel server with a Tor configuration file like: -``` -UseBridges 1 -DataDirectory datadir - -ClientTransportPlugin webtunnel exec ./client - -Bridge webtunnel 192.0.2.3:1 url=https://akbwadp9lc5fyyz0cj4d76z643pxgbfh6oyc-167-71-71-157.sslip.io/5m9yq0j4ghkz0fz7qmuw58cvbjon0ebnrsp0 - -SocksPort auto - -Log info -``` -## Server Setup - -#### Install Tor -On a Debian system, first install tor normally with -``` -apt install apt-transport-https -lsb_release -c -nano /etc/apt/sources.list.d/tor.list -wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null -apt update -apt install tor deb.torproject.org-keyring -``` - -### Disable default instance -The default Tor configuration is not useful for this setup, so the next step will be disabling them. -``` -systemctl stop tor@default.service -systemctl mask tor@default.service -``` - -### Get Environment Ready -``` -#copy server file to server -scp server root@$SERVER_ADDRESS:/var/lib/torwebtunnel/webtunnel -``` - -then create server torrc at `/var/lib/torwebtunnel/torrc` -``` -BridgeRelay 1 - -ORPort 10000 - -ServerTransportPlugin webtunnel exec /var/lib/torwebtunnel/webtunnel - -ServerTransportListenAddr webtunnel 127.0.0.1:11000 - -ExtORPort auto - -ContactInfo WebTunnel email: tor.relay.email@torproject.net ciissversion:2 - -Nickname WebTunnelTest - -PublishServerDescriptor 1 -BridgeDistribution none - -DataDirectory /var/lib/torwebtunnel/tor-data -CacheDirectory /tmp/tor-tmp-torwebtunnel - -SocksPort 0 -``` - -#### Configure service unit file -Create a service unit file as follow -``` -[Unit] -Description=Tor Web Tunnel - -[Service] -Type=simple -DynamicUser=yes -PrivateUsers=true -PrivateMounts=true -ProtectSystem=strict -PrivateTmp=true -PrivateDevices=true -ProtectClock=true -NoNewPrivileges=true -ProtectHome=tmpfs -ProtectKernelModules=true -ProtectKernelLogs=true - -StateDirectory=torwebtunnel - -ExecStart=/usr/bin/tor -f /var/lib/torwebtunnel/torrc --RunAsDaemon 0 - -[Install] -WantedBy=default.target -``` - -#### Obtain Certificate -WebTunnel Requires a valid TLS certificate, to obtain that -``` -curl https://get.acme.sh | sh -s email=my@example.com -~/.acme.sh/acme.sh --issue --standalone --domain $SERVER_ADDRESS -``` - -#### Install & Configure Nginx -To coexist with other content at a single port, it is necessary to install a reverse proxy like nginx: -``` -apt install nginx -``` - -And then configure HTTP Upgrade forwarding at /etc/nginx/nginx.conf. -``` ---- a/before.conf -+++ b/after.conf -@@ -60,6 +60,13 @@ http { - - include /etc/nginx/conf.d/*.conf; - include /etc/nginx/sites-enabled/*; -+ -+ #WebSocket Support -+ map $http_upgrade $connection_upgrade { -+ default upgrade; -+ '' close; -+ } -+ - } - -``` - -Finally, add http forwarding setting to a new file at /etc/nginx/site-enabled . -``` -server { - listen [::]:443 ssl http2; - listen 443 ssl http2; - server_name $SERVER_ADDRESS; - #ssl on; - - # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate - ssl_certificate /etc/nginx/ssl/fullchain.cer; - ssl_certificate_key /etc/nginx/ssl/key.key; - - - ssl_session_timeout 15m; - - ssl_protocols TLSv1.2 TLSv1.3; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_prefer_server_ciphers off; - - ssl_session_cache shared:MozSSL:50m; - #ssl_ecdh_curve secp521r1,prime256v1,secp384r1; - ssl_session_tickets off; - - add_header Strict-Transport-Security "max-age=63072000" always; - - location /$PATH { - proxy_pass http://127.0.0.1:11000; - proxy_http_version 1.1; - - ###Set WebSocket headers #### - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - ### Set Proxy headers #### - proxy_set_header Accept-Encoding ""; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - add_header Front-End-Https on; - - proxy_redirect off; -} - - -} - -``` - -## Docker Setup - -Webtunnel is a new pluggable transport available for bridge operators. - -### Prerequisites -An existing website using nginx balancer to handle traffic. (other load banlancer is currently untested) - -Handle traffic directly, without CDN. (CDN passthrough is currently untested) - -A container runtime like Docker. - -### Configure nginx Forwarding -If you haven't already, configure websocket forwarding support in nginx by configure HTTP Upgrade forwarding at /etc/nginx/nginx.conf: -``` ---- a/before.conf -+++ b/after.conf -@@ -60,6 +60,13 @@ http { - - include /etc/nginx/conf.d/*.conf; - include /etc/nginx/sites-enabled/*; -+ -+ #WebSocket Support -+ map $http_upgrade $connection_upgrade { -+ default upgrade; -+ '' close; -+ } -+ - } -``` -And add a forwarded path under one the served domain, typically defined in files within `/etc/nginx/sites-enabled/`, replace $PATH with a random string(which you could generate with `echo $(cat /dev/urandom | tr -cd "qwertyuiopasdfghjklzxcvbnmMNBVCXZLKJHGFDSAQWERTUIOP0987654321"|head -c 24)`): -``` -location /$PATH { - proxy_pass http://127.0.0.1:11000; - proxy_http_version 1.1; - - ###Set WebSocket headers #### - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - ### Set Proxy headers #### - proxy_set_header Accept-Encoding ""; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - add_header Front-End-Https on; - - proxy_redirect off; -} -``` - -### Install Docker Runtime(if necessary) -``` -apt install curl sudo -curl -fsSL https://get.docker.com -o get-docker.sh -sudo sh ./get-docker.sh -``` - -### Run Dockerlized Webtunnel Server -Replace `URL` with your domain and path, and `OPERATOR_EMAIL` with your email address, then run: -``` -truncate --size 0 .env -echo "URL=https://yourdomain/and/path" >> .env -echo "OPERATOR_EMAIL=your@email.org" >> .env -echo "BRIDGE_NICKNAME=WTBr$(cat /dev/urandom | tr -cd 'qwertyuiopasdfghjklzxcvbnmMNBVCXZLKJHGFDSAQWERTUIOP0987654321'|head -c 10)" >> .env -echo "GENEDORPORT=4$(cat /dev/urandom | tr -cd '0987654321'|head -c 4)" >> .env -``` -This will create an environment file for the configuration of webtunnel bridge. - -After creating the configure file, download the webtunnel docker compose file, and instancize it. -````shell -curl https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/webtunnel/-/raw/main/release/container/docker-compose.yml?inline=false > docker-compose.yml -docker compose up -d -```` -It includes auto update by default, and will update webtunnel bridge server without any further action. Remove `watchtower` to disable this behavior. - -### Get Bridgeline and Check it is Running -You can obtain bridgeline and verify if it is working by running -```shell -docker compose exec webtunnel-bridge get-bridge-line.sh -``` diff --git a/desktopApp/tor/tor-linux/tor/pluggable_transports/README.WEBTUNNEL.md b/desktopApp/tor/tor-linux/tor/pluggable_transports/README.WEBTUNNEL.md new file mode 120000 index 00000000..db72d5bc --- /dev/null +++ b/desktopApp/tor/tor-linux/tor/pluggable_transports/README.WEBTUNNEL.md @@ -0,0 +1 @@ +../../../README.WEBTUNNEL.md \ No newline at end of file diff --git a/desktopApp/tor/tor-mac/tor/pluggable_transports/README.CONJURE.md b/desktopApp/tor/tor-mac/tor/pluggable_transports/README.CONJURE.md deleted file mode 100644 index 0a51c64e..00000000 --- a/desktopApp/tor/tor-mac/tor/pluggable_transports/README.CONJURE.md +++ /dev/null @@ -1,28 +0,0 @@ -# Conjure - -[Conjure](https://jhalderm.com/pub/papers/conjure-ccs19.pdf) is an anti-censorship tool in the refraction networking (a.k.a. decoy routing) lineage of circumvention systems. The key innovation of Conjure is to turn the unused IP address space of deploying ISPs into a large pool of **phantom** proxies that users can connect to. Due to the size of unused IPv6 address space and the potential for collateral damage against real websites hosted by the deploying ISPs, Conjure provides an effective solution to the problem of censors enumerating deployed bridges or proxies. - -Conjure is currenty deployed on the University of Colorado network and a small to mid size ISP in Michigan. - -# Conjure Pluggable Transport for Tor - -This repository is an implementation of both the client and bridge side of a Tor pluggable transport that uses the deployed Conjure network to allow users to connect to the Tor network. The client side calls the [`gotapdance` library](https://github.com/refraction-networking/gotapdance) to communicate with deployed Conjure stations and route client traffic through the phantom proxies assigned by the station. The bridge side receives [haproxy](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) connections from the Conjure station that wrap the proxied client traffic. - -# Deployment details - -We currently have deployed a low capacity Conjure bridge named [Haunt](https://metrics.torproject.org/rs.html#details/A84C946BF4E14E63A3C92E140532A4594F2C24CD). To connect through this bridge, use the `torrc` file in the `client/` directory as follows: - -``` -cd client/ -tor -f torrc -``` - -# Warnings - -This tool and the deployment is still under active development. We are still working on securing the connection between the deployed Conjure stations and the Conjure bridge. We are also working on improving the censorship resistance of the registration connection between the client and the station. Do not expect this to work out of the box in all areas. - -The Conjure station sometimes suffers from a heavy load of users. When this happens, connections will fail. If you are testing this out, try waiting awhile and trying again later. - -# Conjure development - -Due to the complex nature of the Conjure deployment, it can be difficult to set up a local development environment. Check out [phantombox](https://gitlab.torproject.org/cohosh/phantombox) for an automated libvirt-based setup that works on Linux. diff --git a/desktopApp/tor/tor-mac/tor/pluggable_transports/README.CONJURE.md b/desktopApp/tor/tor-mac/tor/pluggable_transports/README.CONJURE.md new file mode 120000 index 00000000..6bbb264e --- /dev/null +++ b/desktopApp/tor/tor-mac/tor/pluggable_transports/README.CONJURE.md @@ -0,0 +1 @@ +../../../README.CONJURE.md \ No newline at end of file diff --git a/desktopApp/tor/tor-mac/tor/pluggable_transports/README.SNOWFLAKE.md b/desktopApp/tor/tor-mac/tor/pluggable_transports/README.SNOWFLAKE.md deleted file mode 100644 index c242e5c7..00000000 --- a/desktopApp/tor/tor-mac/tor/pluggable_transports/README.SNOWFLAKE.md +++ /dev/null @@ -1,109 +0,0 @@ -# Snowflake - -[![Build Status](https://travis-ci.org/keroserene/snowflake.svg?branch=master)](https://travis-ci.org/keroserene/snowflake) - -Pluggable Transport using WebRTC, inspired by Flashproxy. - - - -**Table of Contents** - -- [Structure of this Repository](#structure-of-this-repository) -- [Usage](#usage) - - [Using Snowflake with Tor](#using-snowflake-with-tor) - - [Running a Snowflake Proxy](#running-a-snowflake-proxy) - - [Using the Snowflake Library with Other Applications](#using-the-snowflake-library-with-other-applications) -- [Test Environment](#test-environment) -- [FAQ](#faq) -- [More info and links](#more-info-and-links) - - - -### Structure of this Repository - -- `broker/` contains code for the Snowflake broker -- `doc/` contains Snowflake documentation and manpages -- `client/` contains the Tor pluggable transport client and client library code -- `common/` contains generic libraries used by multiple pieces of Snowflake -- `proxy/` contains code for the Go standalone Snowflake proxy -- `probetest/` contains code for a NAT probetesting service -- `server/` contains the Tor pluggable transport server and server library code - -### Usage - -Snowflake is currently deployed as a pluggable transport for Tor. - -#### Using Snowflake with Tor - -To use the Snowflake client with Tor, you will need to add the appropriate `Bridge` and `ClientTransportPlugin` lines to your [torrc](https://2019.www.torproject.org/docs/tor-manual.html.en) file. See the [client README](client) for more information on building and running the Snowflake client. - -#### Running a Snowflake Proxy - -You can contribute to Snowflake by running a Snowflake proxy. We have the option to run a proxy in your browser or as a standalone Go program. See our [community documentation](https://community.torproject.org/relay/setup/snowflake/) for more details. - -#### Using the Snowflake Library with Other Applications - -Snowflake can be used as a Go API, and adheres to the [v2.1 pluggable transports specification](). For more information on using the Snowflake Go library, see the [Snowflake library documentation](doc/using-the-snowflake-library.md). - -### Test Environment - -There is a Docker-based test environment at https://github.com/cohosh/snowbox. - -### FAQ - -**Q: How does it work?** - -In the Tor use-case: - -1. Volunteers visit websites which host the "snowflake" proxy. (just -like flashproxy) -2. Tor clients automatically find available browser proxies via the Broker -(the domain fronted signaling channel). -3. Tor client and browser proxy establish a WebRTC peer connection. -4. Proxy connects to some relay. -5. Tor occurs. - -More detailed information about how clients, snowflake proxies, and the Broker -fit together on the way... - -**Q: What are the benefits of this PT compared with other PTs?** - -Snowflake combines the advantages of flashproxy and meek. Primarily: - -- It has the convenience of Meek, but can support magnitudes more -users with negligible CDN costs. (Domain fronting is only used for brief -signalling / NAT-piercing to setup the P2P WebRTC DataChannels which handle -the actual traffic.) - -- Arbitrarily high numbers of volunteer proxies are possible like in -flashproxy, but NATs are no longer a usability barrier - no need for -manual port forwarding! - -**Q: Why is this called Snowflake?** - -It utilizes the "ICE" negotiation via WebRTC, and also involves a great -abundance of ephemeral and short-lived (and special!) volunteer proxies... - -### More info and links - -We have more documentation in the [Snowflake wiki](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) and at https://snowflake.torproject.org/. - - -##### -- Android AAR Reproducible Build Setup -- - -Using `gomobile` it is possible to build snowflake as shared libraries for all -the architectures supported by Android. This is in the _.gitlab-ci.yml_, which -runs in GitLab CI. It is also possible to run this setup in a Virtual Machine -using [vagrant](https://www.vagrantup.com/). Just run `vagrant up` and it will -create and provision the VM. `vagrant ssh` to get into the VM to use it as a -development environment. - -##### uTLS Settings - -Snowflake communicate with broker that serves as signaling server with TLS based domain fronting connection, which may be identified by its usage of Go language TLS stack. - -uTLS is a software library designed to initiate the TLS Client Hello fingerprint of browsers or other popular software's TLS stack to evade censorship based on TLS client hello fingerprint with `-utls-imitate` . You can use `-version` to see a list of supported values. - -Depending on client and server configuration, it may not always work as expected as not all extensions are correctly implemented. - -You can also remove SNI (Server Name Indication) from client hello to evade censorship with `-utls-nosni`, not all servers supports this. diff --git a/desktopApp/tor/tor-mac/tor/pluggable_transports/README.SNOWFLAKE.md b/desktopApp/tor/tor-mac/tor/pluggable_transports/README.SNOWFLAKE.md new file mode 120000 index 00000000..815ae8e0 --- /dev/null +++ b/desktopApp/tor/tor-mac/tor/pluggable_transports/README.SNOWFLAKE.md @@ -0,0 +1 @@ +../../../README.SNOWFLAKE.md \ No newline at end of file diff --git a/desktopApp/tor/tor-mac/tor/pluggable_transports/README.WEBTUNNEL.md b/desktopApp/tor/tor-mac/tor/pluggable_transports/README.WEBTUNNEL.md deleted file mode 100644 index be279bf8..00000000 --- a/desktopApp/tor/tor-mac/tor/pluggable_transports/README.WEBTUNNEL.md +++ /dev/null @@ -1,263 +0,0 @@ -# WebTunnel - -Pluggable Transport based on HTTP Upgrade(HTTPT) - -WebTunnel is pluggable transport that attempt to imitate web browsing activities based on [HTTPT](https://censorbib.nymity.ch/#Frolov2020b). - -## Client Usage -Connect to a WebTunnel server with a Tor configuration file like: -``` -UseBridges 1 -DataDirectory datadir - -ClientTransportPlugin webtunnel exec ./client - -Bridge webtunnel 192.0.2.3:1 url=https://akbwadp9lc5fyyz0cj4d76z643pxgbfh6oyc-167-71-71-157.sslip.io/5m9yq0j4ghkz0fz7qmuw58cvbjon0ebnrsp0 - -SocksPort auto - -Log info -``` -## Server Setup - -#### Install Tor -On a Debian system, first install tor normally with -``` -apt install apt-transport-https -lsb_release -c -nano /etc/apt/sources.list.d/tor.list -wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null -apt update -apt install tor deb.torproject.org-keyring -``` - -### Disable default instance -The default Tor configuration is not useful for this setup, so the next step will be disabling them. -``` -systemctl stop tor@default.service -systemctl mask tor@default.service -``` - -### Get Environment Ready -``` -#copy server file to server -scp server root@$SERVER_ADDRESS:/var/lib/torwebtunnel/webtunnel -``` - -then create server torrc at `/var/lib/torwebtunnel/torrc` -``` -BridgeRelay 1 - -ORPort 10000 - -ServerTransportPlugin webtunnel exec /var/lib/torwebtunnel/webtunnel - -ServerTransportListenAddr webtunnel 127.0.0.1:11000 - -ExtORPort auto - -ContactInfo WebTunnel email: tor.relay.email@torproject.net ciissversion:2 - -Nickname WebTunnelTest - -PublishServerDescriptor 1 -BridgeDistribution none - -DataDirectory /var/lib/torwebtunnel/tor-data -CacheDirectory /tmp/tor-tmp-torwebtunnel - -SocksPort 0 -``` - -#### Configure service unit file -Create a service unit file as follow -``` -[Unit] -Description=Tor Web Tunnel - -[Service] -Type=simple -DynamicUser=yes -PrivateUsers=true -PrivateMounts=true -ProtectSystem=strict -PrivateTmp=true -PrivateDevices=true -ProtectClock=true -NoNewPrivileges=true -ProtectHome=tmpfs -ProtectKernelModules=true -ProtectKernelLogs=true - -StateDirectory=torwebtunnel - -ExecStart=/usr/bin/tor -f /var/lib/torwebtunnel/torrc --RunAsDaemon 0 - -[Install] -WantedBy=default.target -``` - -#### Obtain Certificate -WebTunnel Requires a valid TLS certificate, to obtain that -``` -curl https://get.acme.sh | sh -s email=my@example.com -~/.acme.sh/acme.sh --issue --standalone --domain $SERVER_ADDRESS -``` - -#### Install & Configure Nginx -To coexist with other content at a single port, it is necessary to install a reverse proxy like nginx: -``` -apt install nginx -``` - -And then configure HTTP Upgrade forwarding at /etc/nginx/nginx.conf. -``` ---- a/before.conf -+++ b/after.conf -@@ -60,6 +60,13 @@ http { - - include /etc/nginx/conf.d/*.conf; - include /etc/nginx/sites-enabled/*; -+ -+ #WebSocket Support -+ map $http_upgrade $connection_upgrade { -+ default upgrade; -+ '' close; -+ } -+ - } - -``` - -Finally, add http forwarding setting to a new file at /etc/nginx/site-enabled . -``` -server { - listen [::]:443 ssl http2; - listen 443 ssl http2; - server_name $SERVER_ADDRESS; - #ssl on; - - # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate - ssl_certificate /etc/nginx/ssl/fullchain.cer; - ssl_certificate_key /etc/nginx/ssl/key.key; - - - ssl_session_timeout 15m; - - ssl_protocols TLSv1.2 TLSv1.3; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_prefer_server_ciphers off; - - ssl_session_cache shared:MozSSL:50m; - #ssl_ecdh_curve secp521r1,prime256v1,secp384r1; - ssl_session_tickets off; - - add_header Strict-Transport-Security "max-age=63072000" always; - - location /$PATH { - proxy_pass http://127.0.0.1:11000; - proxy_http_version 1.1; - - ###Set WebSocket headers #### - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - ### Set Proxy headers #### - proxy_set_header Accept-Encoding ""; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - add_header Front-End-Https on; - - proxy_redirect off; -} - - -} - -``` - -## Docker Setup - -Webtunnel is a new pluggable transport available for bridge operators. - -### Prerequisites -An existing website using nginx balancer to handle traffic. (other load banlancer is currently untested) - -Handle traffic directly, without CDN. (CDN passthrough is currently untested) - -A container runtime like Docker. - -### Configure nginx Forwarding -If you haven't already, configure websocket forwarding support in nginx by configure HTTP Upgrade forwarding at /etc/nginx/nginx.conf: -``` ---- a/before.conf -+++ b/after.conf -@@ -60,6 +60,13 @@ http { - - include /etc/nginx/conf.d/*.conf; - include /etc/nginx/sites-enabled/*; -+ -+ #WebSocket Support -+ map $http_upgrade $connection_upgrade { -+ default upgrade; -+ '' close; -+ } -+ - } -``` -And add a forwarded path under one the served domain, typically defined in files within `/etc/nginx/sites-enabled/`, replace $PATH with a random string(which you could generate with `echo $(cat /dev/urandom | tr -cd "qwertyuiopasdfghjklzxcvbnmMNBVCXZLKJHGFDSAQWERTUIOP0987654321"|head -c 24)`): -``` -location /$PATH { - proxy_pass http://127.0.0.1:11000; - proxy_http_version 1.1; - - ###Set WebSocket headers #### - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - ### Set Proxy headers #### - proxy_set_header Accept-Encoding ""; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - add_header Front-End-Https on; - - proxy_redirect off; -} -``` - -### Install Docker Runtime(if necessary) -``` -apt install curl sudo -curl -fsSL https://get.docker.com -o get-docker.sh -sudo sh ./get-docker.sh -``` - -### Run Dockerlized Webtunnel Server -Replace `URL` with your domain and path, and `OPERATOR_EMAIL` with your email address, then run: -``` -truncate --size 0 .env -echo "URL=https://yourdomain/and/path" >> .env -echo "OPERATOR_EMAIL=your@email.org" >> .env -echo "BRIDGE_NICKNAME=WTBr$(cat /dev/urandom | tr -cd 'qwertyuiopasdfghjklzxcvbnmMNBVCXZLKJHGFDSAQWERTUIOP0987654321'|head -c 10)" >> .env -echo "GENEDORPORT=4$(cat /dev/urandom | tr -cd '0987654321'|head -c 4)" >> .env -``` -This will create an environment file for the configuration of webtunnel bridge. - -After creating the configure file, download the webtunnel docker compose file, and instancize it. -````shell -curl https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/webtunnel/-/raw/main/release/container/docker-compose.yml?inline=false > docker-compose.yml -docker compose up -d -```` -It includes auto update by default, and will update webtunnel bridge server without any further action. Remove `watchtower` to disable this behavior. - -### Get Bridgeline and Check it is Running -You can obtain bridgeline and verify if it is working by running -```shell -docker compose exec webtunnel-bridge get-bridge-line.sh -``` diff --git a/desktopApp/tor/tor-mac/tor/pluggable_transports/README.WEBTUNNEL.md b/desktopApp/tor/tor-mac/tor/pluggable_transports/README.WEBTUNNEL.md new file mode 120000 index 00000000..db72d5bc --- /dev/null +++ b/desktopApp/tor/tor-mac/tor/pluggable_transports/README.WEBTUNNEL.md @@ -0,0 +1 @@ +../../../README.WEBTUNNEL.md \ No newline at end of file diff --git a/desktopApp/tor/tor-win/tor/pluggable_transports/README.CONJURE.md b/desktopApp/tor/tor-win/tor/pluggable_transports/README.CONJURE.md deleted file mode 100644 index 0a51c64e..00000000 --- a/desktopApp/tor/tor-win/tor/pluggable_transports/README.CONJURE.md +++ /dev/null @@ -1,28 +0,0 @@ -# Conjure - -[Conjure](https://jhalderm.com/pub/papers/conjure-ccs19.pdf) is an anti-censorship tool in the refraction networking (a.k.a. decoy routing) lineage of circumvention systems. The key innovation of Conjure is to turn the unused IP address space of deploying ISPs into a large pool of **phantom** proxies that users can connect to. Due to the size of unused IPv6 address space and the potential for collateral damage against real websites hosted by the deploying ISPs, Conjure provides an effective solution to the problem of censors enumerating deployed bridges or proxies. - -Conjure is currenty deployed on the University of Colorado network and a small to mid size ISP in Michigan. - -# Conjure Pluggable Transport for Tor - -This repository is an implementation of both the client and bridge side of a Tor pluggable transport that uses the deployed Conjure network to allow users to connect to the Tor network. The client side calls the [`gotapdance` library](https://github.com/refraction-networking/gotapdance) to communicate with deployed Conjure stations and route client traffic through the phantom proxies assigned by the station. The bridge side receives [haproxy](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) connections from the Conjure station that wrap the proxied client traffic. - -# Deployment details - -We currently have deployed a low capacity Conjure bridge named [Haunt](https://metrics.torproject.org/rs.html#details/A84C946BF4E14E63A3C92E140532A4594F2C24CD). To connect through this bridge, use the `torrc` file in the `client/` directory as follows: - -``` -cd client/ -tor -f torrc -``` - -# Warnings - -This tool and the deployment is still under active development. We are still working on securing the connection between the deployed Conjure stations and the Conjure bridge. We are also working on improving the censorship resistance of the registration connection between the client and the station. Do not expect this to work out of the box in all areas. - -The Conjure station sometimes suffers from a heavy load of users. When this happens, connections will fail. If you are testing this out, try waiting awhile and trying again later. - -# Conjure development - -Due to the complex nature of the Conjure deployment, it can be difficult to set up a local development environment. Check out [phantombox](https://gitlab.torproject.org/cohosh/phantombox) for an automated libvirt-based setup that works on Linux. diff --git a/desktopApp/tor/tor-win/tor/pluggable_transports/README.CONJURE.md b/desktopApp/tor/tor-win/tor/pluggable_transports/README.CONJURE.md new file mode 120000 index 00000000..6bbb264e --- /dev/null +++ b/desktopApp/tor/tor-win/tor/pluggable_transports/README.CONJURE.md @@ -0,0 +1 @@ +../../../README.CONJURE.md \ No newline at end of file diff --git a/desktopApp/tor/tor-win/tor/pluggable_transports/README.SNOWFLAKE.md b/desktopApp/tor/tor-win/tor/pluggable_transports/README.SNOWFLAKE.md deleted file mode 100644 index c242e5c7..00000000 --- a/desktopApp/tor/tor-win/tor/pluggable_transports/README.SNOWFLAKE.md +++ /dev/null @@ -1,109 +0,0 @@ -# Snowflake - -[![Build Status](https://travis-ci.org/keroserene/snowflake.svg?branch=master)](https://travis-ci.org/keroserene/snowflake) - -Pluggable Transport using WebRTC, inspired by Flashproxy. - - - -**Table of Contents** - -- [Structure of this Repository](#structure-of-this-repository) -- [Usage](#usage) - - [Using Snowflake with Tor](#using-snowflake-with-tor) - - [Running a Snowflake Proxy](#running-a-snowflake-proxy) - - [Using the Snowflake Library with Other Applications](#using-the-snowflake-library-with-other-applications) -- [Test Environment](#test-environment) -- [FAQ](#faq) -- [More info and links](#more-info-and-links) - - - -### Structure of this Repository - -- `broker/` contains code for the Snowflake broker -- `doc/` contains Snowflake documentation and manpages -- `client/` contains the Tor pluggable transport client and client library code -- `common/` contains generic libraries used by multiple pieces of Snowflake -- `proxy/` contains code for the Go standalone Snowflake proxy -- `probetest/` contains code for a NAT probetesting service -- `server/` contains the Tor pluggable transport server and server library code - -### Usage - -Snowflake is currently deployed as a pluggable transport for Tor. - -#### Using Snowflake with Tor - -To use the Snowflake client with Tor, you will need to add the appropriate `Bridge` and `ClientTransportPlugin` lines to your [torrc](https://2019.www.torproject.org/docs/tor-manual.html.en) file. See the [client README](client) for more information on building and running the Snowflake client. - -#### Running a Snowflake Proxy - -You can contribute to Snowflake by running a Snowflake proxy. We have the option to run a proxy in your browser or as a standalone Go program. See our [community documentation](https://community.torproject.org/relay/setup/snowflake/) for more details. - -#### Using the Snowflake Library with Other Applications - -Snowflake can be used as a Go API, and adheres to the [v2.1 pluggable transports specification](). For more information on using the Snowflake Go library, see the [Snowflake library documentation](doc/using-the-snowflake-library.md). - -### Test Environment - -There is a Docker-based test environment at https://github.com/cohosh/snowbox. - -### FAQ - -**Q: How does it work?** - -In the Tor use-case: - -1. Volunteers visit websites which host the "snowflake" proxy. (just -like flashproxy) -2. Tor clients automatically find available browser proxies via the Broker -(the domain fronted signaling channel). -3. Tor client and browser proxy establish a WebRTC peer connection. -4. Proxy connects to some relay. -5. Tor occurs. - -More detailed information about how clients, snowflake proxies, and the Broker -fit together on the way... - -**Q: What are the benefits of this PT compared with other PTs?** - -Snowflake combines the advantages of flashproxy and meek. Primarily: - -- It has the convenience of Meek, but can support magnitudes more -users with negligible CDN costs. (Domain fronting is only used for brief -signalling / NAT-piercing to setup the P2P WebRTC DataChannels which handle -the actual traffic.) - -- Arbitrarily high numbers of volunteer proxies are possible like in -flashproxy, but NATs are no longer a usability barrier - no need for -manual port forwarding! - -**Q: Why is this called Snowflake?** - -It utilizes the "ICE" negotiation via WebRTC, and also involves a great -abundance of ephemeral and short-lived (and special!) volunteer proxies... - -### More info and links - -We have more documentation in the [Snowflake wiki](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) and at https://snowflake.torproject.org/. - - -##### -- Android AAR Reproducible Build Setup -- - -Using `gomobile` it is possible to build snowflake as shared libraries for all -the architectures supported by Android. This is in the _.gitlab-ci.yml_, which -runs in GitLab CI. It is also possible to run this setup in a Virtual Machine -using [vagrant](https://www.vagrantup.com/). Just run `vagrant up` and it will -create and provision the VM. `vagrant ssh` to get into the VM to use it as a -development environment. - -##### uTLS Settings - -Snowflake communicate with broker that serves as signaling server with TLS based domain fronting connection, which may be identified by its usage of Go language TLS stack. - -uTLS is a software library designed to initiate the TLS Client Hello fingerprint of browsers or other popular software's TLS stack to evade censorship based on TLS client hello fingerprint with `-utls-imitate` . You can use `-version` to see a list of supported values. - -Depending on client and server configuration, it may not always work as expected as not all extensions are correctly implemented. - -You can also remove SNI (Server Name Indication) from client hello to evade censorship with `-utls-nosni`, not all servers supports this. diff --git a/desktopApp/tor/tor-win/tor/pluggable_transports/README.SNOWFLAKE.md b/desktopApp/tor/tor-win/tor/pluggable_transports/README.SNOWFLAKE.md new file mode 120000 index 00000000..815ae8e0 --- /dev/null +++ b/desktopApp/tor/tor-win/tor/pluggable_transports/README.SNOWFLAKE.md @@ -0,0 +1 @@ +../../../README.SNOWFLAKE.md \ No newline at end of file diff --git a/desktopApp/tor/tor-win/tor/pluggable_transports/README.WEBTUNNEL.md b/desktopApp/tor/tor-win/tor/pluggable_transports/README.WEBTUNNEL.md deleted file mode 100644 index be279bf8..00000000 --- a/desktopApp/tor/tor-win/tor/pluggable_transports/README.WEBTUNNEL.md +++ /dev/null @@ -1,263 +0,0 @@ -# WebTunnel - -Pluggable Transport based on HTTP Upgrade(HTTPT) - -WebTunnel is pluggable transport that attempt to imitate web browsing activities based on [HTTPT](https://censorbib.nymity.ch/#Frolov2020b). - -## Client Usage -Connect to a WebTunnel server with a Tor configuration file like: -``` -UseBridges 1 -DataDirectory datadir - -ClientTransportPlugin webtunnel exec ./client - -Bridge webtunnel 192.0.2.3:1 url=https://akbwadp9lc5fyyz0cj4d76z643pxgbfh6oyc-167-71-71-157.sslip.io/5m9yq0j4ghkz0fz7qmuw58cvbjon0ebnrsp0 - -SocksPort auto - -Log info -``` -## Server Setup - -#### Install Tor -On a Debian system, first install tor normally with -``` -apt install apt-transport-https -lsb_release -c -nano /etc/apt/sources.list.d/tor.list -wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null -apt update -apt install tor deb.torproject.org-keyring -``` - -### Disable default instance -The default Tor configuration is not useful for this setup, so the next step will be disabling them. -``` -systemctl stop tor@default.service -systemctl mask tor@default.service -``` - -### Get Environment Ready -``` -#copy server file to server -scp server root@$SERVER_ADDRESS:/var/lib/torwebtunnel/webtunnel -``` - -then create server torrc at `/var/lib/torwebtunnel/torrc` -``` -BridgeRelay 1 - -ORPort 10000 - -ServerTransportPlugin webtunnel exec /var/lib/torwebtunnel/webtunnel - -ServerTransportListenAddr webtunnel 127.0.0.1:11000 - -ExtORPort auto - -ContactInfo WebTunnel email: tor.relay.email@torproject.net ciissversion:2 - -Nickname WebTunnelTest - -PublishServerDescriptor 1 -BridgeDistribution none - -DataDirectory /var/lib/torwebtunnel/tor-data -CacheDirectory /tmp/tor-tmp-torwebtunnel - -SocksPort 0 -``` - -#### Configure service unit file -Create a service unit file as follow -``` -[Unit] -Description=Tor Web Tunnel - -[Service] -Type=simple -DynamicUser=yes -PrivateUsers=true -PrivateMounts=true -ProtectSystem=strict -PrivateTmp=true -PrivateDevices=true -ProtectClock=true -NoNewPrivileges=true -ProtectHome=tmpfs -ProtectKernelModules=true -ProtectKernelLogs=true - -StateDirectory=torwebtunnel - -ExecStart=/usr/bin/tor -f /var/lib/torwebtunnel/torrc --RunAsDaemon 0 - -[Install] -WantedBy=default.target -``` - -#### Obtain Certificate -WebTunnel Requires a valid TLS certificate, to obtain that -``` -curl https://get.acme.sh | sh -s email=my@example.com -~/.acme.sh/acme.sh --issue --standalone --domain $SERVER_ADDRESS -``` - -#### Install & Configure Nginx -To coexist with other content at a single port, it is necessary to install a reverse proxy like nginx: -``` -apt install nginx -``` - -And then configure HTTP Upgrade forwarding at /etc/nginx/nginx.conf. -``` ---- a/before.conf -+++ b/after.conf -@@ -60,6 +60,13 @@ http { - - include /etc/nginx/conf.d/*.conf; - include /etc/nginx/sites-enabled/*; -+ -+ #WebSocket Support -+ map $http_upgrade $connection_upgrade { -+ default upgrade; -+ '' close; -+ } -+ - } - -``` - -Finally, add http forwarding setting to a new file at /etc/nginx/site-enabled . -``` -server { - listen [::]:443 ssl http2; - listen 443 ssl http2; - server_name $SERVER_ADDRESS; - #ssl on; - - # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate - ssl_certificate /etc/nginx/ssl/fullchain.cer; - ssl_certificate_key /etc/nginx/ssl/key.key; - - - ssl_session_timeout 15m; - - ssl_protocols TLSv1.2 TLSv1.3; - - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - - ssl_prefer_server_ciphers off; - - ssl_session_cache shared:MozSSL:50m; - #ssl_ecdh_curve secp521r1,prime256v1,secp384r1; - ssl_session_tickets off; - - add_header Strict-Transport-Security "max-age=63072000" always; - - location /$PATH { - proxy_pass http://127.0.0.1:11000; - proxy_http_version 1.1; - - ###Set WebSocket headers #### - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - ### Set Proxy headers #### - proxy_set_header Accept-Encoding ""; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - add_header Front-End-Https on; - - proxy_redirect off; -} - - -} - -``` - -## Docker Setup - -Webtunnel is a new pluggable transport available for bridge operators. - -### Prerequisites -An existing website using nginx balancer to handle traffic. (other load banlancer is currently untested) - -Handle traffic directly, without CDN. (CDN passthrough is currently untested) - -A container runtime like Docker. - -### Configure nginx Forwarding -If you haven't already, configure websocket forwarding support in nginx by configure HTTP Upgrade forwarding at /etc/nginx/nginx.conf: -``` ---- a/before.conf -+++ b/after.conf -@@ -60,6 +60,13 @@ http { - - include /etc/nginx/conf.d/*.conf; - include /etc/nginx/sites-enabled/*; -+ -+ #WebSocket Support -+ map $http_upgrade $connection_upgrade { -+ default upgrade; -+ '' close; -+ } -+ - } -``` -And add a forwarded path under one the served domain, typically defined in files within `/etc/nginx/sites-enabled/`, replace $PATH with a random string(which you could generate with `echo $(cat /dev/urandom | tr -cd "qwertyuiopasdfghjklzxcvbnmMNBVCXZLKJHGFDSAQWERTUIOP0987654321"|head -c 24)`): -``` -location /$PATH { - proxy_pass http://127.0.0.1:11000; - proxy_http_version 1.1; - - ###Set WebSocket headers #### - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - ### Set Proxy headers #### - proxy_set_header Accept-Encoding ""; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - add_header Front-End-Https on; - - proxy_redirect off; -} -``` - -### Install Docker Runtime(if necessary) -``` -apt install curl sudo -curl -fsSL https://get.docker.com -o get-docker.sh -sudo sh ./get-docker.sh -``` - -### Run Dockerlized Webtunnel Server -Replace `URL` with your domain and path, and `OPERATOR_EMAIL` with your email address, then run: -``` -truncate --size 0 .env -echo "URL=https://yourdomain/and/path" >> .env -echo "OPERATOR_EMAIL=your@email.org" >> .env -echo "BRIDGE_NICKNAME=WTBr$(cat /dev/urandom | tr -cd 'qwertyuiopasdfghjklzxcvbnmMNBVCXZLKJHGFDSAQWERTUIOP0987654321'|head -c 10)" >> .env -echo "GENEDORPORT=4$(cat /dev/urandom | tr -cd '0987654321'|head -c 4)" >> .env -``` -This will create an environment file for the configuration of webtunnel bridge. - -After creating the configure file, download the webtunnel docker compose file, and instancize it. -````shell -curl https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/webtunnel/-/raw/main/release/container/docker-compose.yml?inline=false > docker-compose.yml -docker compose up -d -```` -It includes auto update by default, and will update webtunnel bridge server without any further action. Remove `watchtower` to disable this behavior. - -### Get Bridgeline and Check it is Running -You can obtain bridgeline and verify if it is working by running -```shell -docker compose exec webtunnel-bridge get-bridge-line.sh -``` diff --git a/desktopApp/tor/tor-win/tor/pluggable_transports/README.WEBTUNNEL.md b/desktopApp/tor/tor-win/tor/pluggable_transports/README.WEBTUNNEL.md new file mode 120000 index 00000000..db72d5bc --- /dev/null +++ b/desktopApp/tor/tor-win/tor/pluggable_transports/README.WEBTUNNEL.md @@ -0,0 +1 @@ +../../../README.WEBTUNNEL.md \ No newline at end of file