Serving an Onion Bootstrap node
By design, Tox relies on a small number of bootstrap (BS) nodes. As the network is now, the number of nodes is very small, and all are well known. So Tox is vulnerable to being completely taken down by blocking a small number of nodes. This is already happening in places like Iran.
It would help if all the BS node operators could also run a Tor client (not an exit node), in addition to running their node. There should be no risks from running a Tor client as it's not an exit node, and the overhead is negligible. The onion server is a 127.0.0.1 service, so it cannot be seen by your ISP. The BS service is on the opennet anyway, so an onion is just another access method. The BS operator does not have to use Tor; just run it.
If we get dozens of Tor onion nodes running quickly, we could test out running Tox in Tor using Hidden Services. If the Tox nodebase was improved to serve BS nodes, it would be much more resilient.
There are simple instructions to get Tor up and running, and it's distributed in all Linux distributions. You can test it by setting your browser to use the SOCKS proxy on 127.0.0.1:9050.
Configure your bootstrap server with an extra tcp_port that is not listed publicly in the nodes.json file. We will use 33446 as an example.
In your /etc/tor/torrc or equivalent, you need to add 2 sections.
The first is:
VirtualAddrNetworkV4 10.192.0.0/10
AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit,.onion
The second is:
# Tox hidden service configuration.
HiddenServiceDir /var/lib/tor/tox-hsv3/
HiddenServicePort 33446 127.0.0.1:33446
Replace 33446 with your real port number.
The next time tor starts up, a new directory will be created in /var/lib/tor/tox-hsv3/ and it will have a file called hostname. Look in the file for the onion address to your site.
Now add the onion address followed by a colon and the port number, and post it along with your node's public key to the mailing list.
Using an Onion Bootstrap node
To let your client know that you have an onion node it can use, you need to add the onion address to your DHTnodes.json file. But Tox clients don't understand onion addresses, and until they do, we do the following:
- Get the IP address your Tor assigns to the onion address:
tor-resolve -4 l2ct3xnuaiwwtoybtn46qp2av4ndxcguwupzyv6xrsmnwi647vvmwtqd.onion
It will reply with an IPv4 address starting with 172.
- You'll need the public key of your BS server. Take that address and add it to the DHTnodes.json file as a new dictionary in the list of nodes.
If your nodes file is one long line you can pretty it up with the jq utility: jq . < DHTnodes.json > Prettynodes.json
Make a new entry at the beginning of the nodes list: after the [ and followed by a ,
- Put the address in the ipv4 slot and the port in the tcp_ports list and put the onion address as the location.
{"last_scan": 1665034198,
 "last_refresh": 1665034201,
 "nodes": [
  {
   "ipv4": "10.192.0.1",
   "ipv6": "-",
   "port": "-",
   "tcp_ports": [
    33446
   ],
   "public_key": "8E7D0B859922EF569298B4D261A8CCB5FEA14FB91ED412A7603A585A25698832",
   "maintainer": "me",
   "location": "ZA",
   "status_udp": false,
   "status_tcp": true,
   "version": "1000002018",
   "motd": "My Tox Node. ToxId:....",
   "onions": [
    "l2ct3xnuaiwwtoybtn46qp2av4ndxcguwupzyv6xrsmnwi647vvmwtqd.onion:33446"
   ],
   "last_ping": 1665034200
  },
You can copy the above and add the onion:port pair to the onions slot and update the rest of the fields.
Updating
This IP address changes each time Tor restarts, so each time Tor restarts the ipv4 field of your entry in the DHTnodes.json file needs updating. You can assign it a permanent IP address by using the MapAddress line in the torrc:
MapAddress l2ct3xnuaiwwtoybtn46qp2av4ndxcguwupzyv6xrsmnwi647vvmwtqd.onion 10.192.0.1
You can use any address in the range defined by VirtualAddrNetworkV4 10.192.0.0/10.
These addresses will be permanent and will not change with Tor restarts. You can similarly add all the Tox onions you know about in this manner. We can work on a script that automates this, and a way of publishing onions in the mailing list or an NGC group.
Client Side
A person that is already using Tor as a client, and Tox over Tor, only needs to add the first section in the /etc/tor/torrc described above, and the MapAddress lines. We could have our update script read the DHTnodes file and look for onions slots, and print out the MapAddress lines to be added to the torrc.
Then they'll be using Tox in Tor with no vulnerabilities to the BS node being blocked, or vulnerabilities at exit nodes.
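A sketch of the update script proposed in the Updating and Client Side sections, added here as an example and not taken from the Tox project: it reads the onions slots, gives each onion a fixed address from VirtualAddrNetworkV4, and renders the MapAddress lines. The function names, the pinned parameter, the second onion and the rule that entries with an onions slot get their ipv4 field rewritten are assumptions.

```python
import ipaddress
import json
import re
import sys

# Syntactic check only (56 base32 characters + ".onion"); the checksum inside
# a v3 address is not verified. Rejecting everything else keeps stray
# whitespace or newlines from a downloaded nodes file out of the torrc.
ONION_RE = re.compile(r"[a-z2-7]{56}\.onion")

def assign_onions(doc, network="10.192.0.0/10", pinned=None):
    """Map each onion in the nodes document to a fixed virtual IPv4 address.

    pinned holds onion -> address pairs already in the torrc, so existing
    assignments never move. Entries with an onions slot get their ipv4
    field set to the mapped address (assumption: they are onion entries).
    """
    mapping = dict(pinned or {})
    taken = set(mapping.values())
    hosts = ipaddress.ip_network(network).hosts()
    free = (str(a) for a in hosts if str(a) not in taken)
    for node in doc.get("nodes", []):
        names = [str(o).partition(":")[0] for o in node.get("onions", [])]
        names = [n for n in names if ONION_RE.fullmatch(n)]
        for name in names:
            if name not in mapping:
                mapping[name] = next(free)
        if names:
            node["ipv4"] = mapping[names[0]]
    return mapping

def torrc_lines(mapping):
    """Render MapAddress lines, ordered by address so torrc diffs stay small."""
    pairs = sorted(mapping.items(), key=lambda kv: ipaddress.ip_address(kv[1]))
    return [f"MapAddress {onion} {addr}" for onion, addr in pairs]

PAGE_ONION = "l2ct3xnuaiwwtoybtn46qp2av4ndxcguwupzyv6xrsmnwi647vvmwtqd.onion"
FAKE_ONION = "a" * 55 + "d.onion"   # constructed placeholder, not a real service
SAMPLE = {"nodes": [                 # constructed sample input
    {"ipv4": "-", "tcp_ports": [33446], "onions": [PAGE_ONION + ":33446"]},
    {"ipv4": "-", "tcp_ports": [33446],
     "onions": [FAKE_ONION + ":33446", "abc.onion\nextra:33446"]},  # 2nd is malformed
]}

if __name__ == "__main__":
    # Pass the path of a DHTnodes.json file, or run without arguments for SAMPLE.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    print("\n".join(torrc_lines(assign_onions(doc))))
```

Feeding the MapAddress lines already in the torrc back in through pinned keeps earlier assignments stable when new onions appear in the nodes file.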
Details:
- https://git.plastiras.org/emdee/tox_profile/ToxAndTorInChinaAndIran
- https://community.torproject.org/onion-services/setup/
- https://community.torproject.org/onion-services/
- https://www.wired.com/story/tor-browser-russia-blocks/
- https://blog.torproject.org/tor-censorship-in-russia/
- https://nusenu.medium.com/how-malicious-tor-relays-are-exploiting-users-in-2020-part-i-1097575c0cac
- https://lists.torproject.org/pipermail/tor-talk/2022-January/045803.html