unofficial mirror of bug-guix@gnu.org
From: nigko <nigko.yerden@gmail.com>
To: 70332@debbugs.gnu.org
Subject: bug#70332: Tor daemon is unable to use obfuscation
Date: Thu, 11 Apr 2024 11:13:15 +0500
Message-ID: <f39faa21-da3f-409d-8512-4819a824eb9b@gmail.com>

I have found why it is not working! The Tor process is simply not allowed
access to the obfuscator binary because it is running inside all Linux
namespaces except "net", in particular in the "mnt" namespace. We need to
add path/to/obfuscator/binary to the #:mappings field of the
least-authority-wrapper call inside the tor-shepherd-service body in
/gnu/service/networking.scm. I have checked; this makes obfuscation
fully functional.


Regards,
Nigko Yerden


> Hello Guix!
> 
> I am trying to configure the tor daemon to use traffic obfuscation with the following lines in my system configuration:
> 
> 
> (service tor-service-type
>          (tor-configuration
>           ;; The torrc goes in the config-file field of tor-configuration.
>           (config-file
>            (plain-file "torrc"
>                        "
> UseBridges 1
> ClientTransportPlugin obfs4 exec /path/to/obfuscator/binary
> 
> Bridge obfs4 ......
> Bridge obfs4 ......
> "))))
> 
> where /path/to/obfuscator/binary corresponds to an obfs4 obfuscator. There are a few of them in the guix repo; see e.g. the go-gitlab-torproject-org-tpo-anti-censorship-pluggable-transports-lyrebird or go-github-com-operatorfoundation-obfs4 packages. The obfuscator is also installed in the system profile. Bridges are obtained from the official site https://bridges.torproject.org/.
> 
> 
> This torrc configuration works perfectly on guix when tor is run at user level with the command '$ tor -f path/to/torrc', and '# netstat -tupan' shows the obfuscator process listening on 127.0.0.1:[some random port].
> 
> 
> However, when tor is run as a system daemon, there is no obfuscator process listening and tor is unusable.
> 
> 
> Perhaps this issue is related to https://issues.guix.gnu.org/57222.
> 
> I have tried to revert commit fb868cd7794f15e21298e5bdea996fbf0dad17ca on a recent guix checkout and then to perform 'guix pull --url=/path/to/my/local/guix/repo --disable-authentication'. It worked fine. But when performing 'sudo guix system reconfigure /path/to/system/configuration' I got the error 'make-forkexec-constructor/container: unbound variable'.
> 
> 
> 
> Regards,
> Nigko Yerden
> 
> 
> 
> 
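What the fix described at the top of this message looks like in Scheme, as an added example rather than code from the report or from Guix itself: the obfuscator path is bind-mounted into Tor's mount namespace through the #:mappings argument. It assumes that least-authority-wrapper, file-system-mapping and %namespaces are imported as they are in gnu/services/networking.scm, shows a single representative existing mapping (/var/lib/tor) as an assumption, and keeps /path/to/obfuscator/binary as the report's own placeholder.

```scheme
;; Added example, not Guix's own code.  Assumes `least-authority-wrapper',
;; `file-system-mapping' and `%namespaces' are available as in
;; gnu/services/networking.scm, and that tor is the Tor package object.

;; Same path as the "ClientTransportPlugin obfs4 exec ..." line in torrc;
;; "/path/to/obfuscator/binary" is the report's placeholder, not a real path.
;; Tor runs in its own "mnt" namespace, so a path that is not bind-mounted
;; into the container does not exist from Tor's point of view, and the
;; exec of the pluggable transport fails silently.
(define %obfs4-binary "/path/to/obfuscator/binary")

(define (tor-wrapper tor)
  "Return a least-authority wrapper around TOR that can also see the
obfs4 transport binary."
  (least-authority-wrapper
   (file-append tor "/bin/tor")
   #:name "tor"
   #:mappings (list
               ;; Representative of the mappings already present (assumed):
               ;; Tor's state directory, writable.
               (file-system-mapping
                (source "/var/lib/tor")
                (target source)
                (writable? #t))
               ;; The missing piece: expose the transport binary at the same
               ;; path inside the container, read-only (writable? defaults to #f).
               (file-system-mapping
                (source %obfs4-binary)
                (target source)))
   ;; Keep every namespace except "net", as the report describes.
   #:namespaces (delq 'net %namespaces)))
```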