GNU bug report logs - #70302
Tor daemon is unable to use obfuscation

Previous Next

To reply to this bug, email your comments to 70302 AT debbugs.gnu.org.

Toggle the display of automated, internal messages from the tracker.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: nigko <nigko.yerden <at> gmail.com>
To: bug-guix <at> gnu.org
Subject: Tor daemon is unable to use obfuscation
Date: Tue, 9 Apr 2024 14:55:44 +0500

Hello Guix!

I am trying to configure tor daemon to use traffic obfuscation by the 
following lines in my system configuration

(service tor-service-type
	(tor-configuration
	   (plain-file "torrc"
"
UseBridges 1
ClientTransportPlugin obfs4 exec /path/to/obfuscator/binary

Bridge obfs4 ......
Bridge obfs4 ......
")))

where /path/to/obfuscator/binary corresponds to an obfs4 obfuscator. 
There are a few of them in the guix repo, see e.g. 
go-gitlab-torproject-org-tpo-anti-censorship-pluggable-transports-lyrebird 
or go-github-com-operatorfoundation-obfs4 packages. The obfuscator is 
also installed in the system profile. Bridges are gotten from the 
official site https://bridges.torproject.org/.

This torrc configuration works perfectly on guix when tor run at user 
level by command '$ tor -f path/to/torrc' and '# netstat -tupan' shows 
obfuscator process is listening on 127.0.0.1:[some random port].

However, when tor run as system daemon, there are no obfuscator process 
listening and tor is unusable.

Perhaps this issue is related to https://issues.guix.gnu.org/57222.
I have tried to revert commit fb868cd7794f15e21298e5bdea996fbf0dad17ca 
on recent guix checkout and then to perform 'guix pull 
--url=/path/to/my/local/guix/repo --disable-authentication'. It worked 
fined. But when performing 'sudo guix system reconfigure 
/path/to/system/configuration' I got an error 
'make-forkexec-constructor/container: unbound variable'


Regards,
Nigko Yerden

Message #8 received at 70302 <at> debbugs.gnu.org (full text, mbox):

From: André Batista <nandre <at> riseup.net>
To: Nigko Yerden <nigko.yerden <at> gmail.com>
Cc: 70332 <at> debbugs.gnu.org, 70302 <at> debbugs.gnu.org, 70341 <at> debbugs.gnu.org
Subject: Re: [bug#70341] [PATCH v3] services: tor: Add support for pluggable
 transports.
Date: Wed, 24 Apr 2024 18:11:10 -0300

Hi Nigko,

seg 22 abr 2024 às 08:58:39 (1713787119), nigko.yerden <at> gmail.com enviou:
> Pluggable transports are programs that disguise Tor traffic, which
> can be useful in case Tor is censored.  Pluggable transports
> cannot be configured by #:config-file file exclusively because Tor
> process is run via 'least-authority-wrapper' and cannot have access
> to transport plugin, which is a separate executable (Bug#70302,
> Bug#70332).

I can confirm that the tor service is unable to fork-exec a
pluggable-transport and the bootstrap process is halted at its start
when trying to use a system wide bridge + PT. However, this patch
does not seem to address the issue at hand, since it just creates
new tor-service-type configuration options that accomplish the
same as configuring on config-file directly. Have you had success
with this? I had no luck.

More comments bellow.

> * doc/guix.texi (Networking Services): Document 'transport-plugin' and
> 'pluggable-transport' options for 'tor-configuration'.
> * gnu/services/networking.scm: Export 'tor-configuration-transport-plugin-path',
> 'tor-configuration-pluggable-transport'.
> (<tor-configuration>): Add 'transport-plugin' and 'pluggable-transport'
> fields.
> (tor-configuration->torrc)[transport-plugin]: Add content to 'torrc'
> computed-file.
> (tor-shepherd-service)[transport-plugin]: Add file-system-mapping.
> 
> Change-Id: I64e7632729287ea0ab27818bb7322fddae43de48
> ---
>  doc/guix.texi               | 11 ++++++++
>  gnu/services/networking.scm | 54 ++++++++++++++++++++++++++-----------
>  2 files changed, 49 insertions(+), 16 deletions(-)
> 
> diff --git a/doc/guix.texi b/doc/guix.texi
> index 65af136e61..eb0837860e 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -127,6 +127,7 @@
>  Copyright @copyright{} 2024 Herman Rimm@*
>  Copyright @copyright{} 2024 Matthew Trzcinski@*
>  Copyright @copyright{} 2024 Richard Sent@*
> +Copyright @copyright{} 2024 Nigko Yerden@*
>  
>  Permission is granted to copy, distribute and/or modify this document
>  under the terms of the GNU Free Documentation License, Version 1.3 or
> @@ -21849,6 +21850,16 @@ Networking Services
>  @file{/var/run/tor/control-sock}, which will be made writable by members of the
>  @code{tor} group.
>  
> +@item @code{transport-plugin} (default: @code{#f})
> +This must be either @code{#f} or a ``file-like'' object pointing to the
> +pluggable transport plugin executable.  In the latter case the
> +@code{#:config-file} file should contain line(s) configuring
> +one or more bridges.
> +
> +@item @code{pluggable-transport} (default: @code{"obfs4"})
> +A string that specifies the type of the pluggable transport in
> +case @code{#:transport-plugin} is not @code{#f}.
> +
>  @end table
>  @end deftp
>  
> diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
> index 8e64e529ab..6e535ea8ef 100644
> --- a/gnu/services/networking.scm
> +++ b/gnu/services/networking.scm
> @@ -22,6 +22,7 @@
>  ;;; Copyright © 2023 Declan Tsien <declantsien <at> riseup.net>
>  ;;; Copyright © 2023 Bruno Victal <mirai <at> makinata.eu>
>  ;;; Copyright © 2023 muradm <mail <at> muradm.net>
> +;;; Copyright © 2024 Nigko Yerden <nigko.yerden <at> gmail.com>
>  ;;;
>  ;;; This file is part of GNU Guix.
>  ;;;
> @@ -159,6 +160,8 @@ (define-module (gnu services networking)
>              tor-configuration-hidden-services
>              tor-configuration-socks-socket-type
>              tor-configuration-control-socket-path
> +            tor-configuration-transport-plugin-path
> +            tor-configuration-pluggable-transport
>              tor-onion-service-configuration
>              tor-onion-service-configuration?
>              tor-onion-service-configuration-name
> @@ -955,7 +958,11 @@ (define-record-type* <tor-configuration>
>    (socks-socket-type tor-configuration-socks-socket-type ; 'tcp or 'unix
>                       (default 'tcp))
>    (control-socket?  tor-configuration-control-socket-path
> -                    (default #f)))
> +                    (default #f))
> +  (transport-plugin tor-configuration-transport-plugin-path
> +                    (default #f))
> +  (pluggable-transport tor-configuration-pluggable-transport
> +                    (default "obfs4")))
>  
>  (define %tor-accounts
>    ;; User account and groups for Tor.
> @@ -988,7 +995,8 @@ (define-configuration/no-serialization tor-onion-service-configuration
>  (define (tor-configuration->torrc config)
>    "Return a 'torrc' file for CONFIG."
>    (match-record config <tor-configuration>
> -    (tor config-file hidden-services socks-socket-type control-socket?)
> +    (tor config-file hidden-services socks-socket-type control-socket?
> +         transport-plugin pluggable-transport)
>      (computed-file
>       "torrc"
>       (with-imported-modules '((guix build utils))
> @@ -1027,6 +1035,13 @@ (define (tor-configuration->torrc config)
>                                      (cons name mapping)))
>                                   hidden-services))
>  
> +               (when #$transport-plugin
> +                 (format port "\
> +UseBridges 1
> +ClientTransportPlugin ~a exec ~a~%"
> +                         #$pluggable-transport
> +                         #$transport-plugin))
> +
>                 (display "\
>  ### End of automatically generated lines.\n\n" port)

Even if it had succeded though, I'm not sure if this is the best
approach to it, since it would break guix system configuration, right?
How would one know beforehand which binary to point to? One would first
need to install the PT and look to its path on store and then link to
it in a new configuration. And then this link would have to be manualy
updated. Am I missing something here?

Finally, next time, try to keep the issue to a single thread. I'm
replying to #70332 and #70302 just for reference, but let's keep to
#70341 going forward.

Cheers!

Message #11 received at 70302 <at> debbugs.gnu.org (full text, mbox):

From: Vincent Legoll <vincent.legoll <at> gmail.com>
To: 70302 <at> debbugs.gnu.org, 70332 <at> debbugs.gnu.org, 
 nigko <nigko.yerden <at> gmail.com>
Subject: Tor daemon is unable to use obfuscation
Date: Wed, 19 Jun 2024 21:52:33 +0000

I think the two issues are related, and the second one may have been
created by typoing the issue number

https://issues.guix.gnu.org/70302
https://issues.guix.gnu.org/70332

WDYT ?

-- 
Vincent Legoll

Message #14 received at 70302 <at> debbugs.gnu.org (full text, mbox):

From: Nigko Yerden <nigko.yerden <at> gmail.com>
To: Vincent Legoll <vincent.legoll <at> gmail.com>, 70302 <at> debbugs.gnu.org,
 70332 <at> debbugs.gnu.org
Subject: Re: Tor daemon is unable to use obfuscation
Date: Thu, 20 Jun 2024 09:49:31 +0500

Hi Vincent,

Indeed, they are related. My message from 70332 was intended
to go to 70302 and didn't get there by my mistake, thus creating
new issue 70332.

Regards,
Nigko


Vincent Legoll wrote:
> I think the two issues are related, and the second one may have been
> created by typoing the issue number
> 
> https://issues.guix.gnu.org/70302
> https://issues.guix.gnu.org/70332
> 
> WDYT ?
> 

Message #17 received at 70302 <at> debbugs.gnu.org (full text, mbox):

From: Vincent Legoll <vincent.legoll <at> gmail.com>
To: Nigko Yerden <nigko.yerden <at> gmail.com>
Cc: 70332 <at> debbugs.gnu.org, 70302 <at> debbugs.gnu.org
Subject: Re: Tor daemon is unable to use obfuscation
Date: Thu, 20 Jun 2024 15:30:49 +0000

Hello,

On Thu, Jun 20, 2024 at 4:49 AM Nigko Yerden <nigko.yerden <at> gmail.com> wrote:
> Indeed, they are related. My message from 70332 was intended
> to go to 70302 and didn't get there by my mistake, thus creating
> new issue 70332.

Thanks for the explanation

You said in 70332 that you found the issue, so does something still
need fixing ?

Regards

-- 
Vincent Legoll

Message #20 received at 70302 <at> debbugs.gnu.org (full text, mbox):

From: Nigko Yerden <nigko.yerden <at> gmail.com>
To: Vincent Legoll <vincent.legoll <at> gmail.com>
Cc: 70332 <at> debbugs.gnu.org, 70302 <at> debbugs.gnu.org
Subject: Re: Tor daemon is unable to use obfuscation
Date: Thu, 20 Jun 2024 21:11:22 +0500

Yes, the issue still need fixing.
Here is my suggestion https://issues.guix.gnu.org/70341

Regards,
Nigko

Vincent Legoll wrote:
> Hello,
> 
> On Thu, Jun 20, 2024 at 4:49 AM Nigko Yerden <nigko.yerden <at> gmail.com> wrote:
>> Indeed, they are related. My message from 70332 was intended
>> to go to 70302 and didn't get there by my mistake, thus creating
>> new issue 70332.
> 
> Thanks for the explanation
> 
> You said in 70332 that you found the issue, so does something still
> need fixing ?
> 
> Regards
> 

Message #23 received at 70302 <at> debbugs.gnu.org (full text, mbox):

From: Vincent Legoll <vincent.legoll <at> gmail.com>
To: Nigko Yerden <nigko.yerden <at> gmail.com>
Cc: 70332 <at> debbugs.gnu.org, 70302 <at> debbugs.gnu.org, 70341 <at> debbugs.gnu.org
Subject: Re: Tor daemon is unable to use obfuscation
Date: Thu, 20 Jun 2024 16:31:07 +0000

On Thu, Jun 20, 2024 at 4:11 PM Nigko Yerden <nigko.yerden <at> gmail.com> wrote:
> Yes, the issue still need fixing.
> Here is my suggestion https://issues.guix.gnu.org/70341

Thanks, and now all these issues are linked together so we
won't forget to close them at once, if appropriate.

-- 
Vincent Legoll

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.