IRC Archive / Oftc / #tor / 2015 / August / 12 / 1
pi2
I will see what I can do...
thanks for your tips
Levers
pi2: holy sh*t can i get one server like you have 1euro/year
pi2
Levers: right now I am not very happy with it
lots of things do not work
can not even use ufw firewall
breaks kernel when I enable it
kernelcorn
wow, ufw is just a script to set up iptables, how strange
cacahuatl
Yes? :P
Levers
i just need to test it
unxenophobic
Update failed for some reason
trams_
x
unxenophobic
maybe a bug with whonix 10.0.0.55
         

m0nikr
I am a relay operator. I have a friend in China that is trying to access the internet beyond the great firewall of China. If he connects to my relay via obfs3 would that still work for him? What setup do I need to do to enable PEs on my relay?
cacahuatl
I'm not sure how Pluggable Transports would work with a pre-existing relay, you might want to run a separate tor instance to handle the bridge. Also you probably want to use obfs4 not obfs3 if you can.
m0nikr
The relay I would use has not been up for a month and the IP has changed since it was last used, What is the advantage of obfs4 over 3 or meek and the others?
Peng
if it's a known public relay, is it likely to be blocked?
cacahuatl
obfs4 isn't vulnerable to active probing discovery like obfs3 is, which China seem to have been observed performing.
Also blocking by IP only is probably a really terrible idea for the Chinese government, especially for VPS providers where IPs might change hands frequently. It might come under greater scrutiny though.
m0nikr
How can I install obfs4 onto my relay so he can use mine to access the tor network?
just like apt-get install obfs4 or...?
cacahuatl
I think it should be in the torproject debian repos, yeah
as 'obfs4proxy'
m0nikr
cool. Now what about if he wants to use the expert bundle instead of the TBB? Can he do that and still connect to my relay? He would need to make a torrc file in a certain directory right?
Can he route all of his traffic over that to my relay?
cacahuatl
That would be quite complicated, they'd need to get a copy of the obfs4 client and setup the torrc to use it
it would be far simpler to use tor browser, since it already has obfs4
m0nikr
That is true. However, disregarding my relay for a minute, if one just wants to connect to the tor network using the expert bundle, is there a guide you might know of that explains how to do that?
cacahuatl
The clue is in the name :)
I'd consult the manual
m0nikr
yes, yes, expert bundle. lol
cacahuatl
really all you get is tor.exe and you run it, you need to make a torrc file and point tor.exe at it with the -f switch and it'll connect to tor
m0nikr
I have looked quite a bit on the torproject website about pluggable transports and the expert bundle and I am having a hard time as there is SO much information out there JUST dealing with TBB
But not so much the inverse...
I would start tor.exe with cmd and -f?
cacahuatl
like "tor.exe -f path\to\torrc". apparently because cmd.exe is terrible it doesn't print output.
m0nikr
ah yes, that makes sense. Thank you
cacahuatl
tor browser will also create a tor instance though, which it's running and makes configuring bridges a lot easier, you can still connect other things to it though, like instant messaging or whatever you need.
assuming they support SOCKS4a/5
m0nikr
Using the TBB I can connect other things to it with the SOCKS proxy?
cacahuatl
Right, when Tor Browser is running it has a SOCKS proxy listening on 127.0.0.1:9150
that's what the browser connects to and you can point other things at it to use them with Tor while the browser is running.
m0nikr
So the SOCKS proxy is just a local thing that facilitates pointing what you want to use at TBB
         

cacahuatl
Yup
m0nikr
Oh, that sounds a lot easier than... assuming the app you want to use supports SOCKS, like you said
then*
cacahuatl
for Windows there isn't really any easy way to get stuff to use Tor without it supporting SOCKS
m0nikr
Also a separate thing. Idk if you know anything about this or not regarding Chinese bypassing the GFW... My friend seems to have in the past followed some other tutorial in Chinese that is directing him to get an American VPS and reverse SSH tunnel to it in order to act as like a poor man's VPN basically, seems like that kind of thing would be blocked, idk
just a random side note, thank you for clarifying those things for me...
cacahuatl
ssh as a proxy probably works and will by-pass it till such a time as someone notices, then it will be blocked.
unlikely to be ssh in general, but for that one VPN provider
blacklisting is an arms race in which you're almost always losing to some users
m0nikr
He also experiences a lot of connection drops and packet loss when using the SSH thing. Do you think he would benefit more from just an OpenVPN connection to my server?
cacahuatl
I'd recommend Tor to eliminate any kind of single-point-of-trust lynchpin in the setup :P
https://github.com/Yawning/obfs4#user-content-installation <- re: obfs4 there's a brief example torrc for it here
m0nikr
His latency is already pretty high so I'm just thinking it might not be feasible if he routes over obfs4, then to me, then through tor, then to the internet, you know what I mean?
Won't know until we try it I guess =P
cacahuatl
I don't know, it's up to them. OpenVPN works but it puts a lot of power in the provider's (your) hands. If I was in there position I'd rather not be in that situation.
*their
It's also obviously a VPN, obfs4 is not as obviously obfs4.
m0nikr
What would obfs4 look like to the GFW? who provides the intermediary?
cacahuatl
it would look random
at least there'd be no obvious plaintext protocol parts of the communications, like exchanging of SSH version strings in ssh or TLS handshakes.
m0nikr
So it would just look like a generic TLS session to the GFW, like you're connecting to your bank or something...
cacahuatl
No, it would look like ???, not TLS or SSH. Plain Tor looks like TLS.
m0nikr
Also let me just ask, why not use meek or any of the other options for PTs?
cacahuatl
meek is fine too, it would look like TLS but not as obviously Tor TLS
m0nikr
ah ok
cacahuatl
obfs3 is okay but as discussed it can be probed to discover what it is, so if GFW sees you connecting to the PT port, they can make their own connection pretending to be a client to discover what it really is.
m0nikr
and obfs4 prevents that probing by doing what?
cacahuatl
part of the bridge line the client gets is a shared value, only those who can prove they know it get to talk to it
someone who can only see the traffic to the PT port can't find out this value and so can't pretend to be a client
m0nikr
so it's like a shared secret?
cacahuatl
https://gitweb.torproject.org/pluggable-transports/obfs4.git/tree/doc/obfs4-spec.txt#n17
m0nikr
ah, great. Thank you :)
mrphs
unxenophobic: can you try to reproduce it in another os, pls?
and if you could, please file a ticket
unxenophobic
murphs: I did that
CooloutAC
hello all
does anyone have any apparmor profile for tor-browser?
fuushima
Wait
How do I quit a chat?
I don't know what an apparmor profile is
cacahuatl
Tails uses one and TorBrowser-Launcher has one too but they'd need to be tweaked on a per-case basis probably
AndroUser
Hi
CooloutAC
Corey84 is spying on me
i just updated and now i can't connect, is the new tor browser using all sorts of random ports now
i filter outgoing and only had to allow 9001,9101, and 9151 before
now it seems its all random ports?
cacahuatl
filtering outgoing doesn't work, tor can legitimately run on any TCP port
you could do a serqet like system to parse the consensus and build a ruleset from that to enforce tor
Peng
Almost all software makes outgoing connections from random five-digit ports.
CooloutAC
well it used to work until this update
cacahuatl
You were lucky or you were breaking things
CooloutAC
Peng, i'm talking about destination port
cacahuatl, i was lucky every time i ran it every day?
what? lol
cacahuatl
your guards are kept for long term
CooloutAC
i'm not sure what guards are
cacahuatl
Anyway, you're trying to solve the problem with a flawed solution :)