
security/tor: Add support for configuring bridges (via ui/torrc custom entries)

Open vogelfreiheit opened this issue 6 years ago • 8 comments

I don't see any spot in the UI to add bridges. I'm running stable. This would be nice to have since bridges serve a rather important purpose and help increase the safety of a Tor circuit somewhat (besides the censorship "bypass").

vogelfreiheit avatar Nov 06 '18 11:11 vogelfreiheit

If you want to make your instance a bridge, there is already a checkbox in the relay area. Or are you talking about the client side config?

fabianfrz avatar Nov 07 '18 16:11 fabianfrz

Franz, that is not what I meant. I mean using bridges, not becoming one: https://tor.stackexchange.com/questions/3924/how-to-add-obfs3-bridges-in-torrc

At the moment there is no support for that whatsoever, so anyone using the Tor plugin in OPNsense, somewhere where DPI or stateful packet filtering actively blocks it, won't be able to use the service.

https://blog.torproject.org/obfsproxy-next-step-censorship-arms-race
https://github.com/Yawning/obfs4/blob/master/doc/obfs4-spec.txt

ghost avatar Nov 07 '18 16:11 ghost

A somewhat quick workaround would be to allow a custom config snippet. You do need the obfsproxy port, though.

ghost avatar Nov 07 '18 16:11 ghost

Depends on Python 2.7, so no (https://www.freshports.org/security/py-obfsproxy-tor/), and I will also not add custom config blocks because they may break the config.

Another pluggable transport (if you know one) may be a better idea. I do not want to add any deprecated software to my plugins.

fabianfrz avatar Nov 07 '18 17:11 fabianfrz

I agree re py27.

Yes, you can use this: https://github.com/Yawning/obfs4

It's actually the favored transport, as it uses djb's elligator, and is backwards compatible. Elligator makes the entire curve indistinguishable from random data, both the exchange and ciphertext.

It depends on Go, and there seems to be an existing port: https://www.freshports.org/security/obfs4proxy-tor/

ghost avatar Nov 07 '18 17:11 ghost

Sounds good. @fichtner, there is a FreeBSD port needed.

fabianfrz avatar Nov 07 '18 17:11 fabianfrz
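
Added example, not part of the thread and not code from the OPNsense plugin: one way to accept obfs4 bridge entries from a UI field without allowing a free-form config block, by validating each entry and rendering only the three client-side torrc options involved (`UseBridges`, `ClientTransportPlugin`, `Bridge`). The function names, the `obfs4proxy` install path and the sample bridge values are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: binary location of the obfs4proxy port; adjust to the real path.
OBFS4PROXY = "/usr/local/bin/obfs4proxy"

FPR = re.compile(r"[0-9A-Fa-f]{40}")      # relay fingerprint, 40 hex digits
CERT = re.compile(r"cert=[A-Za-z0-9+/]+")  # unpadded base64 blob
IAT = re.compile(r"iat-mode=[012]")


def validate_bridge(line: str) -> str:
    """Return a normalized 'Bridge obfs4 ...' torrc line or raise ValueError."""
    line = line.strip()
    # An embedded newline or tab could smuggle extra torrc directives.
    if not line.isascii() or any(ord(c) < 32 or ord(c) == 127 for c in line):
        raise ValueError("non-ASCII or control character in bridge line")
    parts = line.split(" ")
    if parts[0].lower() == "bridge":       # tolerate a pasted 'Bridge ' prefix
        parts = parts[1:]
    if len(parts) != 5 or parts[0] != "obfs4":
        raise ValueError("expected: obfs4 ADDR:PORT FINGERPRINT cert=... iat-mode=N")
    _, addr, fpr, cert, iat = parts
    host, sep, port = addr.rpartition(":")
    if not sep or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError("bad port")
    if host.startswith("[") and host.endswith("]"):
        ipaddress.IPv6Address(host[1:-1])  # raises ValueError if invalid
    else:
        ipaddress.IPv4Address(host)        # hostnames are rejected
    if not (FPR.fullmatch(fpr) and CERT.fullmatch(cert) and IAT.fullmatch(iat)):
        raise ValueError("bad fingerprint, cert or iat-mode")
    return f"Bridge obfs4 {addr} {fpr.upper()} {cert} {iat}"


def render_client_bridges(lines) -> str:
    """Render the torrc fragment for a list of user-supplied bridge entries."""
    bridges = [validate_bridge(entry) for entry in lines if entry.strip()]
    if not bridges:
        return ""
    head = ["UseBridges 1", f"ClientTransportPlugin obfs4 exec {OBFS4PROXY}"]
    return "\n".join(head + bridges) + "\n"


if __name__ == "__main__":
    # Constructed sample entry (documentation address, made-up fingerprint/cert).
    sample = ("obfs4 192.0.2.10:443 0123456789abcdef0123456789abcdef01234567 "
              "cert=Y29uc3RydWN0ZWQ iat-mode=0")
    print(render_client_bridges([sample]), end="")
```
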

Hello, as far as I understand there are some changes... and ports updated.
Also, I left a message on the forum: https://forum.opnsense.org/index.php?topic=26029.msg125548#msg125548

mrPsycho avatar Jan 05 '22 22:01 mrPsycho

ATM using /usr/local/opnsense/service/templates/OPNsense/Tor/torrc to make a stable config (till the new upgrade).

mrPsycho avatar Sep 22 '22 19:09 mrPsycho

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository, please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.

OPNsense-bot avatar Jan 16 '23 11:01 OPNsense-bot