From 02899f7e595ab139019a525b182009606b2c2039 Mon Sep 17 00:00:00 2001 From: David Stainton Date: Sun, 31 Aug 2014 04:59:39 +0000 Subject: [PATCH 01/30] Add Tor usage and configuration documentation Written by Zooko and I. We need to add more technical citations and have it reviewed for inaccuracies by Tor developers. --- docs/tor.rst | 198 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 198 insertions(+) create mode 100644 docs/tor.rst diff --git a/docs/tor.rst b/docs/tor.rst new file mode 100644 index 000000000..6cf811d29 --- /dev/null +++ b/docs/tor.rst @@ -0,0 +1,198 @@ +.. -*- coding: utf-8-with-signature; fill-column: 77 -*- + +========================= +Using Tahoe-LAFS with Tor +========================= + +1. `Use cases`_ +2. `Native Tor integration for Tahoe-LAFS`_ +3. `Software Dependencies`_ +4. `Client Configuration`_ +5. `Storage Server Configuration`_ +6. `Performance and security issues of Tor Hidden Services`_ + + +Use cases +========= + +Tor is an anonymizing network used to help hide the identity of internet +clients and servers. Please see the Tor Project's website for more information: +https://www.torproject.org/ + + +There are three potential use-cases for Tahoe-LAFS on the client side: + +1. User does not care to protect their anonymity or to connect to anonymous + storage servers. This document is not useful to you... so stop reading. + +2. User does not care to protect their anonymity but they wish to connect to + Tahoe-LAFS storage servers which are accessbile only via Tor Hidden Services. + +3. User wishes to always use Tor to protect their anonymity when + connecting to Tahoe-LAFS storage grids (whether or not the storage servers + are Tor Hidden Services) [*]. + + +For Tahoe-LAFS storage servers there are three use-cases: + +1. Storage server operator does not care to protect their own anonymity + nor to help the clients protect theirs. Stop reading this document + and run your Tahoe-LAFS storage server using publicly routed TCP/IP. + +2. The operator does not require anonymity for his storage server, but + he wants it to be available over both publicly routed TCP/IP and + through Tor Hidden Services. One possible reason to do this is + because being reachable through Tor Hidden Services is a convenient + way to bypass NAT or firewall that prevents publicly routed TCP/IP + connections to your server. Another is that making your storage + server reachable through Tor Hidden Services can provide better + protection for your clients who themselves use Tor to protect their + anonymity [*]. + +https://www.torproject.org/docs/hidden-services.html.en + +3. The operator wishes to protect their anonymity by making their + Tahoe server accessible only via Tor Hidden Services. + + + +Native Tor integration for Tahoe-LAFS +===================================== + +Native Tor integration for Tahoe-LAFS utilizes the Twisted endpoints API: +https://twistedmatrix.com/documents/14.0.0i XXXX replace with current XXXX /core/howto/endpoints.html + +Twisted's endpoint parser plugin system is extensible via installing additional +Twisted packages. The native Tor integration for Tahoe-LAFS uses +txsocksx and txtorcon. + +txsocksx will try to use the system tor's SOCKS port if available; +attempts are made on ports 9050 and 9151. + +txtorcon will use the tor control port to configure Tor Hidden Services. + + +Software Dependencies +===================== + +* Tor (tor) must be installed. See here: + https://www.torproject.org/docs/tor-doc-unix.html.en XXX link to operating-system-independent howto for tor + +* The "Tor-friendly" branch of txsocksx must be installed:: + pip install git+https://github.com/david415/txsocksx.git + + Once this is merged then you can use upstream txsocksx: + https://github.com/habnabit/txsocksx/pull/8 + + +* txtorcon must be installed:: + pip install txtorcon + +Once these software dependencies are installed and the Tahoe-LAFS node is restarted, then no further configuration is necessary in order for it to connect to other Tahoe-LAFS nodes via Tor (client use-case 2 from `Use cases`_, above). + +In order to implement client use-case 3 or server use-cases 2 or 3, further configuration is necessary. + + +Client Configuration +==================== + +``[node]`` + +``tor_only.enabled = (boolean, optional)`` + + This specifies two changes in behavior: + 1. Transform all non-Tor client endpoints into Tor client endpoints. + 2. Force ``tub.location`` to be set to "client.fakelocation:1" + + This option is necessary to preserve the client's anonymity (client + use-case 3 from `Use cases`_, above). It is also necessary to + preserve a server's anonymity (server use-case 3). + + Why is this option necessary to protect anonymity? If the Tahoe-LAFS + introducer announces a storage server with non-Tor endpoint + descriptor strings in the connection hints list in the storage + server FURL then this could cause the client to deanonymize itself + by connecting to the storage server without using Tor. + + +Storage Server Configuration +============================ + +Native Tor integration for Tahoe-LAFS uses the txtorcon library for it's +Tor Hidden Services endpoint and parser. Please see the txtorcon documentation +for more information: +* https://txtorcon.readthedocs.org/en/latest/ +* https://github.com/meejah/txtorcon +* http://timaq4ygg2iegci7.onion/ + +Operators of Tahoe-LAFS storage servers can specify a Tor Hidden Service endpoint +descriptor string for the ``tub.location`` value in the ``tahoe.cfg`` like:: + + tub.location = "onion:80:hiddenServiceDir=/var/lib/tor/my_service" + +Setting this configuration option is necessary for Server use-cases 2 and 3 (from `Use cases`_, above). + +XXX Does using tub.locaton for this prevent both Tor Hidden Service and traceable-net service (Server use-case 2)? Maybe instead we need to have a `tub.hidden_service = ` config for this, and turning that on is how you do server Use-case 2, and the way to do Server Use-case 3 is to turn on `tub.hidden_service = ` plus also set `tor_only.enabled = true`? See also Tahoe-LAFS ticket #1010. + +Performance and security issues of Tor Hidden Services +====================================================== + +If you are running a server which does not itself need to be +anonymous, should you make it reachable as a Tor Hidden Service or +not? Or should you make it reachable *both* as a Tor Hidden Service +and as a publicly traceable TCP/IP server? + +There are several trade-offs effected by this decision. + +NAT/Firewall penetration +------------------------ + +Making a server be reachable as a Tor Hidden Service makes it +reachable even if there are NATs or firewalls preventing direct TCP/IP +connections to the server. + +Anonymity +--------- + +Making a Tahoe-LAFS server accessible *only* via Tor Hidden Services +can be used to guarantee that the Tahoe-LAFS clients use Tor to +connect. This prevents misconfigured clients from accidentally +de-anonymizing themselves by connecting to your server through the +traceable Internet. + +Also, interaction, through Tor, with a Tor Hidden Service may be more +protected from network traffic analysis than interaction, through Tor, +with a publicly traceable TCP/IP server. + +XXX is there a document maintained by Tor hackers which substantiates or refutes this belief? If so we need to link to it. If not, then maybe we should explain more here why we think this? + +Performance +----------- + +A client connecting to a Tahoe-LAFS server through Tor incurs +substantially higher latency and sometimes worse throughput than the +same client connecting to the same server over a normal traceable +TCP/IP connection. + +A client connecting to a Tahoe-LAFS server which is a Tor Hidden +Service incurs much more latency and probably worse throughput. + +Positive and negative effects on other Tor users +------------------------------------------------ + +Sending your Tahoe-LAFS traffic over Tor adds cover traffic for other +Tor users who are also transmitting bulk data. So that is good for +them -- increasing their anonymity. + +However, it makes the performance of other Tor users' interactive +sessions -- e.g. ssh sessions -- much worse. This is because Tor +doesn't currently have any prioritization or quality-of-service +features, so someone else's ssh keystrokes may have to wait in line +while your bulk file contents get transmitted. The added delay might +make other people's interactive sessions unusable. + +Both of these effects are doubled if you upload or download files to a +Tor Hidden Service, as compared to if you upload or download files +over Tor to a publicly traceable TCP/IP server. + + From 39820821ce18e924119f85ee884db8f20a479a92 Mon Sep 17 00:00:00 2001 From: David Stainton Date: Sun, 31 Aug 2014 06:20:09 +0000 Subject: [PATCH 02/30] Minor cleanup and added some links --- docs/tor.rst | 54 ++++++++++++++++++++++++++++++++++------------------ 1 file changed, 35 insertions(+), 19 deletions(-) diff --git a/docs/tor.rst b/docs/tor.rst index 6cf811d29..0169fc1c1 100644 --- a/docs/tor.rst +++ b/docs/tor.rst @@ -49,7 +49,8 @@ For Tahoe-LAFS storage servers there are three use-cases: protection for your clients who themselves use Tor to protect their anonymity [*]. -https://www.torproject.org/docs/hidden-services.html.en + See this Tor Project page for more information about Tor Hidden Services: + https://www.torproject.org/docs/hidden-services.html.en 3. The operator wishes to protect their anonymity by making their Tahoe server accessible only via Tor Hidden Services. @@ -60,7 +61,7 @@ Native Tor integration for Tahoe-LAFS ===================================== Native Tor integration for Tahoe-LAFS utilizes the Twisted endpoints API: -https://twistedmatrix.com/documents/14.0.0i XXXX replace with current XXXX /core/howto/endpoints.html +https://twistedmatrix.com/documents/current/core/howto/endpoints.html Twisted's endpoint parser plugin system is extensible via installing additional Twisted packages. The native Tor integration for Tahoe-LAFS uses @@ -69,28 +70,36 @@ txsocksx and txtorcon. txsocksx will try to use the system tor's SOCKS port if available; attempts are made on ports 9050 and 9151. -txtorcon will use the tor control port to configure Tor Hidden Services. +txtorcon will use the system tor control port to configure Tor Hidden Services +( pending resolution of tor trac ticket https://trac.torproject.org/projects/tor/ticket/11291 ) + +See also Tahoe-LAFS Tor related tickets #1010 and #517. + Software Dependencies ===================== * Tor (tor) must be installed. See here: - https://www.torproject.org/docs/tor-doc-unix.html.en XXX link to operating-system-independent howto for tor + https://www.torproject.org/docs/installguide.html.en -* The "Tor-friendly" branch of txsocksx must be installed:: +* The "Tor-friendly" branch of txsocksx must be installed + ( Once this is merged then you can use upstream txsocksx; + https://github.com/habnabit/txsocksx/pull/8 ) +:: pip install git+https://github.com/david415/txsocksx.git - Once this is merged then you can use upstream txsocksx: - https://github.com/habnabit/txsocksx/pull/8 +* txtorcon must be installed +:: + pip install txtorcon +Once these software dependencies are installed and the Tahoe-LAFS node +is restarted, then no further configuration is necessary in order for +it to connect to other Tahoe-LAFS nodes via Tor (client use-case 2 from +`Use cases`_, above). -* txtorcon must be installed:: - pip install txtorcon - -Once these software dependencies are installed and the Tahoe-LAFS node is restarted, then no further configuration is necessary in order for it to connect to other Tahoe-LAFS nodes via Tor (client use-case 2 from `Use cases`_, above). - -In order to implement client use-case 3 or server use-cases 2 or 3, further configuration is necessary. +In order to implement client use-case 3 or server use-cases 2 or 3, further +configuration is necessary. Client Configuration @@ -118,21 +127,27 @@ Client Configuration Storage Server Configuration ============================ +**note:** this feature will be implemented once these 2 critical +tickets are resolved: +1. https://twistedmatrix.com/trac/ticket/7057 +2. https://trac.torproject.org/projects/tor/ticket/11291 + Native Tor integration for Tahoe-LAFS uses the txtorcon library for it's Tor Hidden Services endpoint and parser. Please see the txtorcon documentation for more information: -* https://txtorcon.readthedocs.org/en/latest/ -* https://github.com/meejah/txtorcon -* http://timaq4ygg2iegci7.onion/ + + * https://txtorcon.readthedocs.org/en/latest/ + * http://timaq4ygg2iegci7.onion/ + * https://github.com/meejah/txtorcon Operators of Tahoe-LAFS storage servers can specify a Tor Hidden Service endpoint descriptor string for the ``tub.location`` value in the ``tahoe.cfg`` like:: tub.location = "onion:80:hiddenServiceDir=/var/lib/tor/my_service" -Setting this configuration option is necessary for Server use-cases 2 and 3 (from `Use cases`_, above). +Setting this configuration option is necessary for Server use-cases 2 and 3 +(from `Use cases`_, above). -XXX Does using tub.locaton for this prevent both Tor Hidden Service and traceable-net service (Server use-case 2)? Maybe instead we need to have a `tub.hidden_service = ` config for this, and turning that on is how you do server Use-case 2, and the way to do Server Use-case 3 is to turn on `tub.hidden_service = ` plus also set `tor_only.enabled = true`? See also Tahoe-LAFS ticket #1010. Performance and security issues of Tor Hidden Services ====================================================== @@ -164,7 +179,8 @@ Also, interaction, through Tor, with a Tor Hidden Service may be more protected from network traffic analysis than interaction, through Tor, with a publicly traceable TCP/IP server. -XXX is there a document maintained by Tor hackers which substantiates or refutes this belief? If so we need to link to it. If not, then maybe we should explain more here why we think this? +**XXX is there a document maintained by Tor hackers which substantiates or refutes this belief? +If so we need to link to it. If not, then maybe we should explain more here why we think this?** Performance ----------- From 856f4ce26692615b956af9c2a08a0473e506294c Mon Sep 17 00:00:00 2001 From: David Stainton Date: Sun, 31 Aug 2014 14:07:20 +0000 Subject: [PATCH 03/30] Articulated more configuration subtleties --- docs/tor.rst | 54 +++++++++++++++++++++------------------------------- 1 file changed, 22 insertions(+), 32 deletions(-) diff --git a/docs/tor.rst b/docs/tor.rst index 0169fc1c1..1d2536560 100644 --- a/docs/tor.rst +++ b/docs/tor.rst @@ -85,12 +85,12 @@ Software Dependencies * The "Tor-friendly" branch of txsocksx must be installed ( Once this is merged then you can use upstream txsocksx; - https://github.com/habnabit/txsocksx/pull/8 ) -:: - pip install git+https://github.com/david415/txsocksx.git + https://github.com/habnabit/txsocksx/pull/8 ) :: + + pip install git+https://github.com/david415/txsocksx.git + +* txtorcon must be installed :: -* txtorcon must be installed -:: pip install txtorcon Once these software dependencies are installed and the Tahoe-LAFS node @@ -102,47 +102,37 @@ In order to implement client use-case 3 or server use-cases 2 or 3, further configuration is necessary. -Client Configuration -==================== +Configuration +============= ``[node]`` - ``tor_only.enabled = (boolean, optional)`` This specifies two changes in behavior: 1. Transform all non-Tor client endpoints into Tor client endpoints. - 2. Force ``tub.location`` to be set to "client.fakelocation:1" + 2. Force ``tub.location`` to be set to "safe" values. This option is necessary to preserve the client's anonymity (client use-case 3 from `Use cases`_, above). It is also necessary to preserve a server's anonymity (server use-case 3). - Why is this option necessary to protect anonymity? If the Tahoe-LAFS - introducer announces a storage server with non-Tor endpoint - descriptor strings in the connection hints list in the storage - server FURL then this could cause the client to deanonymize itself - by connecting to the storage server without using Tor. + When ``tor_only.enabled`` is specified then ``tub.location`` does not need + to be specified... and it is an error to specify a ``tub.location`` value + that contains anything other than "UNREACHABLE" or a Tor Hidden Service + Twisted endpoint descriptor string. + If server use-case 2 from `Use cases`_ above is desired then you can set + ``tub.location`` to a Tor Hidden Service endpoint string AND "AUTODETECT" + like this:: + tub.location = "AUTODETECT,onion:80:hiddenServiceDir=/var/lib/tor/my_service" -Storage Server Configuration -============================ - -**note:** this feature will be implemented once these 2 critical -tickets are resolved: -1. https://twistedmatrix.com/trac/ticket/7057 -2. https://trac.torproject.org/projects/tor/ticket/11291 - -Native Tor integration for Tahoe-LAFS uses the txtorcon library for it's -Tor Hidden Services endpoint and parser. Please see the txtorcon documentation -for more information: - - * https://txtorcon.readthedocs.org/en/latest/ - * http://timaq4ygg2iegci7.onion/ - * https://github.com/meejah/txtorcon - -Operators of Tahoe-LAFS storage servers can specify a Tor Hidden Service endpoint -descriptor string for the ``tub.location`` value in the ``tahoe.cfg`` like:: + It is an error to specify a ``tub.location`` value that contains "AUTODETECT" + when ``tor_only.enabled`` is also set to ``true``. +Operators of Tahoe-LAFS storage servers wishing to protect the identity of their +storage server should set ``tor_only.enabled`` to ``true`` and specify a +Tor Hidden Service endpoint descriptor string for the ``tub.location`` +value in the ``tahoe.cfg`` like this:: tub.location = "onion:80:hiddenServiceDir=/var/lib/tor/my_service" Setting this configuration option is necessary for Server use-cases 2 and 3 From 9a6fe0edbd40269cbbc84462e20f5451d27f696e Mon Sep 17 00:00:00 2001 From: David Stainton Date: Sun, 31 Aug 2014 23:03:40 +0000 Subject: [PATCH 04/30] Minor corrections of index and indention --- docs/tor.rst | 42 ++++++++++++++++++++---------------------- 1 file changed, 20 insertions(+), 22 deletions(-) diff --git a/docs/tor.rst b/docs/tor.rst index 1d2536560..86a6a2361 100644 --- a/docs/tor.rst +++ b/docs/tor.rst @@ -7,9 +7,8 @@ Using Tahoe-LAFS with Tor 1. `Use cases`_ 2. `Native Tor integration for Tahoe-LAFS`_ 3. `Software Dependencies`_ -4. `Client Configuration`_ -5. `Storage Server Configuration`_ -6. `Performance and security issues of Tor Hidden Services`_ +4. `Configuration`_ +5. `Performance and security issues of Tor Hidden Services`_ Use cases @@ -94,9 +93,8 @@ Software Dependencies pip install txtorcon Once these software dependencies are installed and the Tahoe-LAFS node -is restarted, then no further configuration is necessary in order for -it to connect to other Tahoe-LAFS nodes via Tor (client use-case 2 from -`Use cases`_, above). +is restarted, then no further configuration is necessary for "unsafe" +Tor connectivity to other Tahoe-LAFS nodes (client use-case 2 from `Use cases`_, above). In order to implement client use-case 3 or server use-cases 2 or 3, further configuration is necessary. @@ -108,26 +106,26 @@ Configuration ``[node]`` ``tor_only.enabled = (boolean, optional)`` - This specifies two changes in behavior: - 1. Transform all non-Tor client endpoints into Tor client endpoints. - 2. Force ``tub.location`` to be set to "safe" values. +This specifies two changes in behavior: + 1. Transform all non-Tor client endpoints into Tor client endpoints. + 2. Force ``tub.location`` to be set to "safe" values. - This option is necessary to preserve the client's anonymity (client - use-case 3 from `Use cases`_, above). It is also necessary to - preserve a server's anonymity (server use-case 3). +This option is **critical** to preserving the client's anonymity (client +use-case 3 from `Use cases`_, above). It is also necessary to +preserve a server's anonymity (server use-case 3). - When ``tor_only.enabled`` is specified then ``tub.location`` does not need - to be specified... and it is an error to specify a ``tub.location`` value - that contains anything other than "UNREACHABLE" or a Tor Hidden Service - Twisted endpoint descriptor string. +When ``tor_only.enabled`` is specified then ``tub.location`` does not need +to be specified... and it is an error to specify a ``tub.location`` value +that contains anything other than "UNREACHABLE" or a Tor Hidden Service +Twisted endpoint descriptor string. - If server use-case 2 from `Use cases`_ above is desired then you can set - ``tub.location`` to a Tor Hidden Service endpoint string AND "AUTODETECT" - like this:: - tub.location = "AUTODETECT,onion:80:hiddenServiceDir=/var/lib/tor/my_service" +If server use-case 2 from `Use cases`_ above is desired then you can set +``tub.location`` to a Tor Hidden Service endpoint string AND "AUTODETECT" +like this:: + tub.location = "AUTODETECT,onion:80:hiddenServiceDir=/var/lib/tor/my_service" - It is an error to specify a ``tub.location`` value that contains "AUTODETECT" - when ``tor_only.enabled`` is also set to ``true``. +It is an error to specify a ``tub.location`` value that contains "AUTODETECT" +when ``tor_only.enabled`` is also set to ``true``. Operators of Tahoe-LAFS storage servers wishing to protect the identity of their storage server should set ``tor_only.enabled`` to ``true`` and specify a From 5859a17efc4eae159c108406c89f01dc2b61e886 Mon Sep 17 00:00:00 2001 From: David Stainton Date: Mon, 1 Sep 2014 18:42:54 +0000 Subject: [PATCH 05/30] Add legacy torsocks usage --- docs/tor.rst | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/docs/tor.rst b/docs/tor.rst index 86a6a2361..b409386dd 100644 --- a/docs/tor.rst +++ b/docs/tor.rst @@ -9,7 +9,7 @@ Using Tahoe-LAFS with Tor 3. `Software Dependencies`_ 4. `Configuration`_ 5. `Performance and security issues of Tor Hidden Services`_ - +6. `Torsocks: the old way of configuring Tahoe-LAFS to use Tor`_ Use cases ========= @@ -200,3 +200,32 @@ Tor Hidden Service, as compared to if you upload or download files over Tor to a publicly traceable TCP/IP server. + +Torsocks: the old way of configuring Tahoe-LAFS to use Tor +========================================================== + +Before the native Tor integration for Tahoe-LAFS, users would use Torsocks. +Please see these pages for more information about Torsocks:: +* https://code.google.com/p/torsocks/ +* https://trac.torproject.org/projects/tor/wiki/doc/torsocks +* https://github.com/dgoulet/torsocks/ + + +Starting And Stopping +--------------------- + +Assuming you have your Tahoe-LAFS node directory placed in **~/.tahoe**, +use Torsocks to start Tahoe like this: + usewithtor tahoe start + +Likewise if restarting, then with Torsocks like this:: + usewithtor tahoe restart + +After Tahoe is started, additional Tahoe commandline commands will not +need to be executed with Torsocks because the Tahoe gateway long running +process handles all the network connectivity. + + +Configuration +------------- + From 2a82c2c63c2b394d92124a0b51209d9145639d0f Mon Sep 17 00:00:00 2001 From: David Stainton Date: Mon, 1 Sep 2014 20:53:05 +0000 Subject: [PATCH 06/30] Add more Torsocks Tahoe Tor usage documentation --- docs/tor.rst | 37 ++++++++++++++++++++++++++++++++++++- 1 file changed, 36 insertions(+), 1 deletion(-) diff --git a/docs/tor.rst b/docs/tor.rst index b409386dd..d96e96fb9 100644 --- a/docs/tor.rst +++ b/docs/tor.rst @@ -215,7 +215,7 @@ Starting And Stopping --------------------- Assuming you have your Tahoe-LAFS node directory placed in **~/.tahoe**, -use Torsocks to start Tahoe like this: +use Torsocks to start Tahoe like this:: usewithtor tahoe start Likewise if restarting, then with Torsocks like this:: @@ -229,3 +229,38 @@ process handles all the network connectivity. Configuration ------------- +Before Tahoe-LAFS had native Tor integration it would deanonymize the user if a +``tub.location`` value is not set. This is because Tahoe-LAFS at that time +defaulted to autodetecting the external IP interface and announced that IP +address to the server. + +Tahoe-LAFS + Torsocks client configuration:: + + * Run a node using ``torsocks``, in client-only mode (i.e. we can + make outbound connections, but other nodes will not be able to connect + to us). The literal '``client.fakelocation``' will not resolve, but will + serve as a reminder to human observers that this node cannot be reached. + "Don't call us.. we'll call you":: + + tub.port = 8098 + tub.location = client.fakelocation:0 + + +Tahoe-LAFS + Torsocks storage server configuration:: + + * Run a node behind a Tor proxy, and make the server available as a Tor + "hidden service". (This assumes that other clients are running their + node with ``torsocks``, such that they are prepared to connect to a + ``.onion`` address.) The hidden service must first be configured in + Tor, by giving it a local port number and then obtaining a ``.onion`` + name, using something in the ``torrc`` file like:: + + HiddenServiceDir /var/lib/tor/hidden_services/tahoe + HiddenServicePort 29212 127.0.0.1:8098 + + once Tor is restarted, the ``.onion`` hostname will be in + ``/var/lib/tor/hidden_services/tahoe/hostname``. Then set up your + ``tahoe.cfg`` like:: + + tub.port = 8098 + tub.location = ualhejtq2p7ohfbb.onion:29212 From 92c908d332878fdcd09782dd2da3e4e63e71211c Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Sat, 22 Aug 2015 13:16:32 +0100 Subject: [PATCH 07/30] Attempt to fix formating for torsocks section --- docs/tor.rst | 43 ++++++++++++++++++++++--------------------- 1 file changed, 22 insertions(+), 21 deletions(-) diff --git a/docs/tor.rst b/docs/tor.rst index d96e96fb9..fbd7deb35 100644 --- a/docs/tor.rst +++ b/docs/tor.rst @@ -167,7 +167,7 @@ Also, interaction, through Tor, with a Tor Hidden Service may be more protected from network traffic analysis than interaction, through Tor, with a publicly traceable TCP/IP server. -**XXX is there a document maintained by Tor hackers which substantiates or refutes this belief? +**XXX is there a document maintained by Tor developers which substantiates or refutes this belief? If so we need to link to it. If not, then maybe we should explain more here why we think this?** Performance @@ -236,31 +236,32 @@ address to the server. Tahoe-LAFS + Torsocks client configuration:: - * Run a node using ``torsocks``, in client-only mode (i.e. we can - make outbound connections, but other nodes will not be able to connect - to us). The literal '``client.fakelocation``' will not resolve, but will - serve as a reminder to human observers that this node cannot be reached. - "Don't call us.. we'll call you":: +* Run a node using ``torsocks``, in client-only mode (i.e. we can + make outbound connections, but other nodes will not be able to connect + to us). The literal '``client.fakelocation``' will not resolve, but will + serve as a reminder to human observers that this node cannot be reached. + "Don't call us.. we'll call you":: - tub.port = 8098 - tub.location = client.fakelocation:0 + tub.port = 8098 + tub.location = client.fakelocation:0 Tahoe-LAFS + Torsocks storage server configuration:: - * Run a node behind a Tor proxy, and make the server available as a Tor - "hidden service". (This assumes that other clients are running their - node with ``torsocks``, such that they are prepared to connect to a - ``.onion`` address.) The hidden service must first be configured in - Tor, by giving it a local port number and then obtaining a ``.onion`` - name, using something in the ``torrc`` file like:: +* Run a node behind a Tor proxy, and make the server available as a Tor + "hidden service". (This assumes that other clients are running their + node with ``torsocks``, such that they are prepared to connect to a + ``.onion`` address.) The hidden service must first be configured in + Tor, by giving it a local port number and then obtaining a ``.onion`` + name, using something in the ``torrc`` file like:: - HiddenServiceDir /var/lib/tor/hidden_services/tahoe - HiddenServicePort 29212 127.0.0.1:8098 + HiddenServiceDir /var/lib/tor/hidden_services/tahoe + HiddenServicePort 29212 127.0.0.1:8098 - once Tor is restarted, the ``.onion`` hostname will be in - ``/var/lib/tor/hidden_services/tahoe/hostname``. Then set up your - ``tahoe.cfg`` like:: + once Tor is restarted, the ``.onion`` hostname will be in + ``/var/lib/tor/hidden_services/tahoe/hostname``. Then set up your + ``tahoe.cfg`` like:: + + tub.port = 8098 + tub.location = ualhejtq2p7ohfbb.onion:29212 - tub.port = 8098 - tub.location = ualhejtq2p7ohfbb.onion:29212 From ed38d69302e6b43a5d6a8a9083298747616745ef Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Sat, 22 Aug 2015 13:18:23 +0100 Subject: [PATCH 08/30] Add more details in the Tor integration section --- docs/tor.rst | 53 +++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 48 insertions(+), 5 deletions(-) diff --git a/docs/tor.rst b/docs/tor.rst index fbd7deb35..579c9f910 100644 --- a/docs/tor.rst +++ b/docs/tor.rst @@ -59,18 +59,30 @@ For Tahoe-LAFS storage servers there are three use-cases: Native Tor integration for Tahoe-LAFS ===================================== -Native Tor integration for Tahoe-LAFS utilizes the Twisted endpoints API: -https://twistedmatrix.com/documents/current/core/howto/endpoints.html +Native Tor integration for Tahoe-LAFS utilizes the Twisted endpoints API:: +* https://twistedmatrix.com/documents/current/core/howto/endpoints.html Twisted's endpoint parser plugin system is extensible via installing additional Twisted packages. The native Tor integration for Tahoe-LAFS uses -txsocksx and txtorcon. +endpoint and parser plugins from the txsocksx and txtorcon modules. +Although the Twisted endpoint API is very flexible it is missing a feature so that +servers can be written in an endpoint agnostic style. We've opened a Twisted trac +ticket for this feature here:: +* https://twistedmatrix.com/trac/ticket/7603 + +Once this ticket is resolved then an additional changes can be made to Foolscap +so that it's server side API is completely endpoint agnostic which will allow +users to easily to use Tahoe-LAFS with many protocols on the server side. txsocksx will try to use the system tor's SOCKS port if available; -attempts are made on ports 9050 and 9151. +attempts are made on ports 9050 and 9151. Currently the maintainer of txsocksx +has not merged in our code for the Tor client endpoint. We'll use +this branch until the Tor endpoint code is merged upstream:: +* https://github.com/david415/txsocksx/tree/endpoint_parsers_retry_socks txtorcon will use the system tor control port to configure Tor Hidden Services -( pending resolution of tor trac ticket https://trac.torproject.org/projects/tor/ticket/11291 ) +pending resolution of tor trac ticket 11291:: +* https://trac.torproject.org/projects/tor/ticket/11291 See also Tahoe-LAFS Tor related tickets #1010 and #517. @@ -265,3 +277,34 @@ Tahoe-LAFS + Torsocks storage server configuration:: tub.port = 8098 tub.location = ualhejtq2p7ohfbb.onion:29212 +**Troubleshooting** + +On some NetBSD systems, torsocks may segfault:: + + $ torsocks telnet www.google.com 80 + Segmentation fault (core dumped) + +and backtraces show looping libc and syscalls:: + + #7198 0xbbbda26e in *__socket30 (domain=2, type=1, protocol=6) at socket.c:64 + #7199 0xbb84baf9 in socket () from /usr/lib/libc.so.12 + #7200 0xbbbda19b in tsocks_socket (domain=2, type=1, protocol=6) at socket.c:56 + #7201 0xbbbda26e in *__socket30 (domain=2, type=1, protocol=6) at socket.c:64 + #7202 0xbb84baf9 in socket () from /usr/lib/libc.so.12 + [...etc...] + +This has to do with the nature of the torsocks socket() call wrapper being unaware +of NetBSD's internal binary backwards compatibility. + +Information on a the first parts of a solution patch can be found in a tor-dev +thread here from Thomas Klausner: + +* https://lists.torproject.org/pipermail/tor-dev/2013-November/005741.html + +As of this writing, torsocks still exists in the pkgsrc wip tree here: + +* http://pkgsrc.se/wip/torsocks + +but the NetBSD-specific patches have been merged upstream into torsocks as of commitid 6adfba809267d9c217906d6974468db22293ab9b: + +* https://gitweb.torproject.org/torsocks.git/commit/6adfba809267d9c217906d6974468db22293ab9b From ce889d5834379365fb72c05e1806999432e9ec24 Mon Sep 17 00:00:00 2001 From: David Stainton Date: Thu, 4 Sep 2014 04:01:50 +0000 Subject: [PATCH 09/30] Change option name to anonymize for ticket #1010 --- docs/tor.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/tor.rst b/docs/tor.rst index 579c9f910..b7238f2de 100644 --- a/docs/tor.rst +++ b/docs/tor.rst @@ -116,7 +116,7 @@ Configuration ============= ``[node]`` -``tor_only.enabled = (boolean, optional)`` +``anonymize = (boolean, optional)`` This specifies two changes in behavior: 1. Transform all non-Tor client endpoints into Tor client endpoints. @@ -126,7 +126,7 @@ This option is **critical** to preserving the client's anonymity (client use-case 3 from `Use cases`_, above). It is also necessary to preserve a server's anonymity (server use-case 3). -When ``tor_only.enabled`` is specified then ``tub.location`` does not need +When ``anonymize`` is set to ``true`` then ``tub.location`` does not need to be specified... and it is an error to specify a ``tub.location`` value that contains anything other than "UNREACHABLE" or a Tor Hidden Service Twisted endpoint descriptor string. @@ -137,10 +137,10 @@ like this:: tub.location = "AUTODETECT,onion:80:hiddenServiceDir=/var/lib/tor/my_service" It is an error to specify a ``tub.location`` value that contains "AUTODETECT" -when ``tor_only.enabled`` is also set to ``true``. +when ``anonymize`` is also set to ``true``. Operators of Tahoe-LAFS storage servers wishing to protect the identity of their -storage server should set ``tor_only.enabled`` to ``true`` and specify a +storage server should set ``anonymize`` to ``true`` and specify a Tor Hidden Service endpoint descriptor string for the ``tub.location`` value in the ``tahoe.cfg`` like this:: tub.location = "onion:80:hiddenServiceDir=/var/lib/tor/my_service" From 3242a67c3f654d5b3c41db56015c730806a469ab Mon Sep 17 00:00:00 2001 From: David Stainton Date: Fri, 5 Sep 2014 00:24:36 +0000 Subject: [PATCH 10/30] Add anonymity roadmap --- docs/anonymity-roadmap.rst | 42 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 docs/anonymity-roadmap.rst diff --git a/docs/anonymity-roadmap.rst b/docs/anonymity-roadmap.rst new file mode 100644 index 000000000..c8ab49d63 --- /dev/null +++ b/docs/anonymity-roadmap.rst @@ -0,0 +1,42 @@ +.. -*- coding: utf-8-with-signature; fill-column: 77 -*- + +============================= +Anonymity Development Roadmap +============================= + + +Development phases +================== + +1. Use Tor for network connectivity and protect identity of client. + +**note:** Client side is endpoint agnostic and server side has TCP endpoint support. + +Dependencies +------------ +* txsocksx: get this merged upstream -->> https://github.com/david415/txsocksx/tree/endpoint_parsers_retry_socks +* foolscap#203 +* #1010 +* #517 + + +2. Use I2p for network connectivity and protect identity of client. + +* txi2p + + +3. endpoint-agnostic Foolscap server side + +Completing these two tickets will make Foolscap endpoint agnostic on the server side. Therefore any Twisted server endpoint/parser can be used with Foolscap :: + +* teach twisted to serialize a listeningPort into a client endpoint descriptor - https://twistedmatrix.com/trac/ticket/7603 + +* new foolscap ticket - Add getClientEndpoint() to use the feature from twisted trac ticket 7603 + + +4. Integrated Tor Hidden Service feature for storage servers + +* teach tor to create Hidden Service directories with group rx perms https://trac.torproject.org/projects/tor/ticket/11291 + +* new txtorcon ticket - Teach endpoint to use control port feature from tor trac ticket 11291 + From 832a79837411f19d793f39e7ea31cbdae9c27d73 Mon Sep 17 00:00:00 2001 From: David Stainton Date: Fri, 5 Sep 2014 00:30:19 +0000 Subject: [PATCH 11/30] Fix formatting --- docs/anonymity-roadmap.rst | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/docs/anonymity-roadmap.rst b/docs/anonymity-roadmap.rst index c8ab49d63..56aff644b 100644 --- a/docs/anonymity-roadmap.rst +++ b/docs/anonymity-roadmap.rst @@ -8,26 +8,25 @@ Anonymity Development Roadmap Development phases ================== -1. Use Tor for network connectivity and protect identity of client. +1. Use Tor for network connectivity and protect identity of client **note:** Client side is endpoint agnostic and server side has TCP endpoint support. -Dependencies ------------- -* txsocksx: get this merged upstream -->> https://github.com/david415/txsocksx/tree/endpoint_parsers_retry_socks -* foolscap#203 -* #1010 -* #517 +**Dependencies** :: + * txsocksx: get this merged upstream -->> https://github.com/david415/txsocksx/tree/endpoint_parsers_retry_socks + * foolscap#203 + * #1010 + * #517 -2. Use I2p for network connectivity and protect identity of client. +2. Use I2p for network connectivity and protect identity of client * txi2p 3. endpoint-agnostic Foolscap server side -Completing these two tickets will make Foolscap endpoint agnostic on the server side. Therefore any Twisted server endpoint/parser can be used with Foolscap :: +Completing these two tickets will make Foolscap endpoint agnostic on the server side. Therefore any Twisted server endpoint/parser can be used with Foolscap * teach twisted to serialize a listeningPort into a client endpoint descriptor - https://twistedmatrix.com/trac/ticket/7603 From f3bc270a4e3db3657bb2e8d47767a7459cec8f53 Mon Sep 17 00:00:00 2001 From: str4d Date: Fri, 5 Sep 2014 01:14:22 +0000 Subject: [PATCH 12/30] Changes required for safe txi2p use --- docs/anonymity-roadmap.rst | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/docs/anonymity-roadmap.rst b/docs/anonymity-roadmap.rst index 56aff644b..2e2a78667 100644 --- a/docs/anonymity-roadmap.rst +++ b/docs/anonymity-roadmap.rst @@ -22,6 +22,25 @@ Development phases 2. Use I2p for network connectivity and protect identity of client * txi2p +* Add "endpoint parameters" to Tahoe + * Servers provide the minimum client endpoint string required to connect to them: + * ``tcp:example.org:1337`` + * ``ssl:example.org:443`` + * ``i2p:longstring.b32.i2p`` + * Clients may need to extend the strings with client-specific per-type parameters in order to successfully connect: + * ``tcp:example.org:1337:timeout=60`` + * ``ssl:example.org:443:caCertsDir=/etc/ssl/certs`` + * ``i2p:longstring.b32.i2p:tunnelNick=tahoe:inport=10000`` + * These should be set in ``tahoe.cfg``: + * ``[node]clientEndpointParams = tcp:timeout=60,ssl:caCertsDir=/etc/ssl/certs,i2p:tunnelNick=tahoe:inport=10000`` + * Tahoe parses, keeps an internal map, applies the relevant params to a client endpoint string before connecting +* Client endpoint string whitelisting + * Server publishes an endpoint string for a client to connect to + * A malicious server could publish strings containing client-specific parameters that compromise the user + * Unsure what parameters could actually be used maliciously on their own, but definitely possible in concert with other attacks. + * The client should not accept strings that contain client-specific parameters + * How to tell the difference? Tahoe can't keep a list of everything that is safe. + * Maybe an endpoint API method that takes a client endpoint string and returns a safe one. 3. endpoint-agnostic Foolscap server side From 3126d49d32f3d5c96431502d4db540cec8923457 Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Sat, 22 Aug 2015 13:20:45 +0100 Subject: [PATCH 13/30] Rename tor.rst to anonymity-configuration.rst. Signed-off-by: Daira Hopwood --- docs/{tor.rst => anonymity-configuration.rst} | 61 +++++++++++++++---- 1 file changed, 48 insertions(+), 13 deletions(-) rename docs/{tor.rst => anonymity-configuration.rst} (88%) diff --git a/docs/tor.rst b/docs/anonymity-configuration.rst similarity index 88% rename from docs/tor.rst rename to docs/anonymity-configuration.rst index b7238f2de..e5a113b84 100644 --- a/docs/tor.rst +++ b/docs/anonymity-configuration.rst @@ -1,8 +1,8 @@ .. -*- coding: utf-8-with-signature; fill-column: 77 -*- -========================= -Using Tahoe-LAFS with Tor -========================= +====================================================== +Using Tahoe-LAFS with an anonymizing network: Tor, I2P +====================================================== 1. `Use cases`_ 2. `Native Tor integration for Tahoe-LAFS`_ @@ -18,6 +18,8 @@ Tor is an anonymizing network used to help hide the identity of internet clients and servers. Please see the Tor Project's website for more information: https://www.torproject.org/ +Informative description about what i2p is... here. + There are three potential use-cases for Tahoe-LAFS on the client side: @@ -25,11 +27,12 @@ There are three potential use-cases for Tahoe-LAFS on the client side: storage servers. This document is not useful to you... so stop reading. 2. User does not care to protect their anonymity but they wish to connect to - Tahoe-LAFS storage servers which are accessbile only via Tor Hidden Services. + Tahoe-LAFS storage servers which are accessbile only via Tor Hidden Services or I2P. + (For Tor users this means only use Tor if the endpoint string has a .onion address.) -3. User wishes to always use Tor to protect their anonymity when +3. User wishes to always use an anonymizing network (Tor, I2P) to protect their anonymity when connecting to Tahoe-LAFS storage grids (whether or not the storage servers - are Tor Hidden Services) [*]. + are anonymous). For Tahoe-LAFS storage servers there are three use-cases: @@ -38,19 +41,22 @@ For Tahoe-LAFS storage servers there are three use-cases: nor to help the clients protect theirs. Stop reading this document and run your Tahoe-LAFS storage server using publicly routed TCP/IP. -2. The operator does not require anonymity for his storage server, but - he wants it to be available over both publicly routed TCP/IP and - through Tor Hidden Services. One possible reason to do this is - because being reachable through Tor Hidden Services is a convenient +2. The operator does not require anonymity for the storage server, but + they want it to be available over both publicly routed TCP/IP and + through an anonymizing network (I2P, Tor Hidden Services). One possible reason to do this is + because being reachable through an anonymizing network is a convenient way to bypass NAT or firewall that prevents publicly routed TCP/IP connections to your server. Another is that making your storage - server reachable through Tor Hidden Services can provide better - protection for your clients who themselves use Tor to protect their - anonymity [*]. + server reachable through an anonymizing network can provide better + protection for your clients who themselves use that anonymizing network to protect their + anonymity. See this Tor Project page for more information about Tor Hidden Services: https://www.torproject.org/docs/hidden-services.html.en + See this I2P Project page for more information about I2P: + https://... + 3. The operator wishes to protect their anonymity by making their Tahoe server accessible only via Tor Hidden Services. @@ -212,6 +218,29 @@ Tor Hidden Service, as compared to if you upload or download files over Tor to a publicly traceable TCP/IP server. +Native I2P Integration for Tahoe-LAFS +===================================== + +Really cool and interesting description of how the I2p integration works... + + +Software Dependencies +===================== + +I2p software deps here + + +Configuration +============= + +informative configuration info for i2p users + + +Performance and security issues of I2p (if applicable) +====================================================== + +i2p info here + Torsocks: the old way of configuring Tahoe-LAFS to use Tor ========================================================== @@ -308,3 +337,9 @@ As of this writing, torsocks still exists in the pkgsrc wip tree here: but the NetBSD-specific patches have been merged upstream into torsocks as of commitid 6adfba809267d9c217906d6974468db22293ab9b: * https://gitweb.torproject.org/torsocks.git/commit/6adfba809267d9c217906d6974468db22293ab9b + + +Legacy I2P Tahoe-LAFS Configuration +=================================== + +legacy i2p info here From 4f0b7e0f83a240ceede7404a148d0b3b47ba9d7a Mon Sep 17 00:00:00 2001 From: David Stainton Date: Fri, 5 Sep 2014 17:30:39 +0000 Subject: [PATCH 14/30] Removed I2P ticket info because it belongs in a trac ticket --- docs/anonymity-configuration.rst | 5 ++++- docs/anonymity-roadmap.rst | 28 +++++----------------------- 2 files changed, 9 insertions(+), 24 deletions(-) diff --git a/docs/anonymity-configuration.rst b/docs/anonymity-configuration.rst index e5a113b84..dddfe02f8 100644 --- a/docs/anonymity-configuration.rst +++ b/docs/anonymity-configuration.rst @@ -233,7 +233,10 @@ I2p software deps here Configuration ============= -informative configuration info for i2p users +informative configuration info for i2p users goes here + +link to tahoe trac ticket regarding client endpoint string +parameter concatenation Performance and security issues of I2p (if applicable) diff --git a/docs/anonymity-roadmap.rst b/docs/anonymity-roadmap.rst index 2e2a78667..f99033d5b 100644 --- a/docs/anonymity-roadmap.rst +++ b/docs/anonymity-roadmap.rst @@ -8,7 +8,7 @@ Anonymity Development Roadmap Development phases ================== -1. Use Tor for network connectivity and protect identity of client +1. Use Tor for network connectivity and to protect identity of client **note:** Client side is endpoint agnostic and server side has TCP endpoint support. @@ -19,29 +19,11 @@ Development phases * #517 -2. Use I2p for network connectivity and protect identity of client - -* txi2p -* Add "endpoint parameters" to Tahoe - * Servers provide the minimum client endpoint string required to connect to them: - * ``tcp:example.org:1337`` - * ``ssl:example.org:443`` - * ``i2p:longstring.b32.i2p`` - * Clients may need to extend the strings with client-specific per-type parameters in order to successfully connect: - * ``tcp:example.org:1337:timeout=60`` - * ``ssl:example.org:443:caCertsDir=/etc/ssl/certs`` - * ``i2p:longstring.b32.i2p:tunnelNick=tahoe:inport=10000`` - * These should be set in ``tahoe.cfg``: - * ``[node]clientEndpointParams = tcp:timeout=60,ssl:caCertsDir=/etc/ssl/certs,i2p:tunnelNick=tahoe:inport=10000`` - * Tahoe parses, keeps an internal map, applies the relevant params to a client endpoint string before connecting -* Client endpoint string whitelisting - * Server publishes an endpoint string for a client to connect to - * A malicious server could publish strings containing client-specific parameters that compromise the user - * Unsure what parameters could actually be used maliciously on their own, but definitely possible in concert with other attacks. - * The client should not accept strings that contain client-specific parameters - * How to tell the difference? Tahoe can't keep a list of everything that is safe. - * Maybe an endpoint API method that takes a client endpoint string and returns a safe one. +2. Use I2p for network connectivity and to protect identity of client +**Dependencies** :: + * new Tahoe-LAFS trac ticket regarding client endpoint string parameter concatenation + * txi2p 3. endpoint-agnostic Foolscap server side From cb44f883e5345f84c23f115f3e45055edeaa2c3c Mon Sep 17 00:00:00 2001 From: David Stainton Date: Sun, 7 Sep 2014 03:57:14 +0000 Subject: [PATCH 15/30] Fix formatting --- docs/anonymity-roadmap.rst | 70 ++++++++++++++++++++++++-------------- 1 file changed, 45 insertions(+), 25 deletions(-) diff --git a/docs/anonymity-roadmap.rst b/docs/anonymity-roadmap.rst index f99033d5b..197caaee3 100644 --- a/docs/anonymity-roadmap.rst +++ b/docs/anonymity-roadmap.rst @@ -1,42 +1,62 @@ .. -*- coding: utf-8-with-signature; fill-column: 77 -*- -============================= +============================== Anonymity Development Roadmap -============================= +============================== + Development phases ================== -1. Use Tor for network connectivity and to protect identity of client -**note:** Client side is endpoint agnostic and server side has TCP endpoint support. +Phase 1. Use Tor for network connectivity and to protect identity of client +--------------------------------------------------------------------------- -**Dependencies** :: - * txsocksx: get this merged upstream -->> https://github.com/david415/txsocksx/tree/endpoint_parsers_retry_socks - * foolscap#203 - * #1010 - * #517 +**note:** Client side is endpoint agnostic and server side has TCP endpoint support only. + +**Dependencies** + +* txsocksx: get this merged upstream -->> https://github.com/david415/txsocksx/tree/endpoint_parsers_retry_socks - *client Twisted endpoint for Tor* +* `Foolscap trac ticket 203`_: *switch to using Twisted Endpoints* +* `Tahoe-LAFS trac ticket 1010`_: *anonymous client mode* +* `Tahoe-LAFS trac ticket 517`_: *make tahoe Tor- and I2P-friendly* + +.. _`Foolscap trac ticket 203`: http://foolscap.lothar.com/trac/ticket/203 +.. _`Tahoe-LAFS trac ticket 1010`: https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1010 +.. _`Tahoe-LAFS trac ticket 517`: https://tahoe-lafs.org/trac/tahoe-lafs/ticket/517 -2. Use I2p for network connectivity and to protect identity of client - -**Dependencies** :: - * new Tahoe-LAFS trac ticket regarding client endpoint string parameter concatenation - * txi2p - -3. endpoint-agnostic Foolscap server side - -Completing these two tickets will make Foolscap endpoint agnostic on the server side. Therefore any Twisted server endpoint/parser can be used with Foolscap - -* teach twisted to serialize a listeningPort into a client endpoint descriptor - https://twistedmatrix.com/trac/ticket/7603 - -* new foolscap ticket - Add getClientEndpoint() to use the feature from twisted trac ticket 7603 -4. Integrated Tor Hidden Service feature for storage servers +Phase 2. Use I2p for network connectivity and to protect identity of client +--------------------------------------------------------------------------- -* teach tor to create Hidden Service directories with group rx perms https://trac.torproject.org/projects/tor/ticket/11291 +**Dependencies** -* new txtorcon ticket - Teach endpoint to use control port feature from tor trac ticket 11291 +#. Tahoe-LAFS trac ticket regarding client endpoint string parameter concatenation +#. txi2p + + + +Phase 3. endpoint-agnostic Foolscap server side +----------------------------------------------- + +Completing these two tickets will make Foolscap endpoint agnostic +on the server side. Therefore any Twisted server endpoint/parser +can be used with Foolscap + +#. Teach twisted to serialize a listeningPort into a client endpoint + descriptor - https://twistedmatrix.com/trac/ticket/7603 +#. open new foolscap ticket - Add getClientEndpoint() to use the feature + from twisted trac ticket 7603 + + +Phase 4. Integrated Tor Hidden Service feature for storage servers +------------------------------------------------------------------ + +#. teach tor to create Hidden Service directories with group + rx perms https://trac.torproject.org/projects/tor/ticket/11291 +#. open new txtorcon ticket - Teach endpoint to use control port feature + from tor trac ticket 11291 From 8d1fa17d701f647312d326ad64f240d08577dbf0 Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Sat, 22 Aug 2015 13:22:40 +0100 Subject: [PATCH 16/30] Add more info to docs about usage with tor --- docs/anonymity-configuration.rst | 81 +++++++++++++++++++++----------- 1 file changed, 54 insertions(+), 27 deletions(-) diff --git a/docs/anonymity-configuration.rst b/docs/anonymity-configuration.rst index dddfe02f8..0be4c922a 100644 --- a/docs/anonymity-configuration.rst +++ b/docs/anonymity-configuration.rst @@ -11,6 +11,8 @@ Using Tahoe-LAFS with an anonymizing network: Tor, I2P 5. `Performance and security issues of Tor Hidden Services`_ 6. `Torsocks: the old way of configuring Tahoe-LAFS to use Tor`_ + + Use cases ========= @@ -118,6 +120,7 @@ In order to implement client use-case 3 or server use-cases 2 or 3, further configuration is necessary. + Configuration ============= @@ -155,6 +158,7 @@ Setting this configuration option is necessary for Server use-cases 2 and 3 (from `Use cases`_, above). + Performance and security issues of Tor Hidden Services ====================================================== @@ -218,18 +222,21 @@ Tor Hidden Service, as compared to if you upload or download files over Tor to a publicly traceable TCP/IP server. + Native I2P Integration for Tahoe-LAFS ===================================== Really cool and interesting description of how the I2p integration works... + Software Dependencies ===================== I2p software deps here + Configuration ============= @@ -239,30 +246,39 @@ link to tahoe trac ticket regarding client endpoint string parameter concatenation + Performance and security issues of I2p (if applicable) ====================================================== i2p info here + Torsocks: the old way of configuring Tahoe-LAFS to use Tor ========================================================== Before the native Tor integration for Tahoe-LAFS, users would use Torsocks. -Please see these pages for more information about Torsocks:: -* https://code.google.com/p/torsocks/ -* https://trac.torproject.org/projects/tor/wiki/doc/torsocks -* https://github.com/dgoulet/torsocks/ +Please see these pages for more information about Torsocks: +https://code.google.com/p/torsocks/ + +https://trac.torproject.org/projects/tor/wiki/doc/torsocks + +https://github.com/dgoulet/torsocks/ Starting And Stopping --------------------- Assuming you have your Tahoe-LAFS node directory placed in **~/.tahoe**, -use Torsocks to start Tahoe like this:: +use Torsocks to start Tahoe like this +:: + usewithtor tahoe start -Likewise if restarting, then with Torsocks like this:: + +Likewise if restarting, then with Torsocks like this +:: + usewithtor tahoe restart After Tahoe is started, additional Tahoe commandline commands will not @@ -278,36 +294,46 @@ Before Tahoe-LAFS had native Tor integration it would deanonymize the user if a defaulted to autodetecting the external IP interface and announced that IP address to the server. -Tahoe-LAFS + Torsocks client configuration:: +**Tahoe-LAFS + Torsocks client configuration** -* Run a node using ``torsocks``, in client-only mode (i.e. we can - make outbound connections, but other nodes will not be able to connect - to us). The literal '``client.fakelocation``' will not resolve, but will - serve as a reminder to human observers that this node cannot be reached. - "Don't call us.. we'll call you":: +**NOTE:** before diving into Tor + Tahoe-LAFS configurations you should ensure +your familiarity with with installing Tor on unix systems. If you intend to operate +an anonymous Tahoe-LAFS storage node then you will also want to read about configuring +Tor Hidden Services. See here: - tub.port = 8098 +https://www.torproject.org/docs/tor-doc-unix.html.en + +https://www.torproject.org/docs/tor-hidden-service.html.en + +Run a node using ``torsocks``, in client-only mode (i.e. we can +make outbound connections, but other nodes will not be able to connect +to us). The literal '``client.fakelocation``' will not resolve, but will +serve as a reminder to human observers that this node cannot be reached. +"Don't call us.. we'll call you":: + + tub.port = tcp:interface=127.0.0.1:8098 tub.location = client.fakelocation:0 -Tahoe-LAFS + Torsocks storage server configuration:: +**Tahoe-LAFS + Torsocks storage server configuration** -* Run a node behind a Tor proxy, and make the server available as a Tor - "hidden service". (This assumes that other clients are running their - node with ``torsocks``, such that they are prepared to connect to a - ``.onion`` address.) The hidden service must first be configured in - Tor, by giving it a local port number and then obtaining a ``.onion`` - name, using something in the ``torrc`` file like:: +Run a node behind a Tor proxy, and make the server available as a Tor +"hidden service". (This assumes that other clients are running their +node with ``torsocks``, such that they are prepared to connect to a +``.onion`` address.) Your instance of Tor should be configured for +Hidden Services... for instance specify the Hidden Service listening on port +29212 should proxy to 127.0.0.1 port 8098 by adding this to your ``torrc`` :: - HiddenServiceDir /var/lib/tor/hidden_services/tahoe - HiddenServicePort 29212 127.0.0.1:8098 + HiddenServiceDir /var/lib/tor/services/tahoe-storage + HiddenServicePort 29212 127.0.0.1:8098 - once Tor is restarted, the ``.onion`` hostname will be in - ``/var/lib/tor/hidden_services/tahoe/hostname``. Then set up your - ``tahoe.cfg`` like:: +once Tor is restarted, the ``.onion`` hostname will be in +``/var/lib/tor/services/tahoe-storage/hostname``. Then set up your +``tahoe.cfg`` like:: + + tub.port = tcp:interface=127.0.0.1:8098 + tub.location = ualhejtq2p7ohfbb.onion:29212 - tub.port = 8098 - tub.location = ualhejtq2p7ohfbb.onion:29212 **Troubleshooting** @@ -342,6 +368,7 @@ but the NetBSD-specific patches have been merged upstream into torsocks as of co * https://gitweb.torproject.org/torsocks.git/commit/6adfba809267d9c217906d6974468db22293ab9b + Legacy I2P Tahoe-LAFS Configuration =================================== From 1a3f4f2f35bffd14480751867bbfa1848cab37c5 Mon Sep 17 00:00:00 2001 From: str4d Date: Mon, 8 Sep 2014 02:16:33 +0000 Subject: [PATCH 17/30] I2P information --- docs/anonymity-configuration.rst | 102 ++++++++++++++++++++----------- 1 file changed, 65 insertions(+), 37 deletions(-) diff --git a/docs/anonymity-configuration.rst b/docs/anonymity-configuration.rst index 0be4c922a..a8d84d76c 100644 --- a/docs/anonymity-configuration.rst +++ b/docs/anonymity-configuration.rst @@ -4,25 +4,35 @@ Using Tahoe-LAFS with an anonymizing network: Tor, I2P ====================================================== +0. `Overview`_ 1. `Use cases`_ -2. `Native Tor integration for Tahoe-LAFS`_ +2. `Native anonymizing network integration for Tahoe-LAFS`_ + 2.1 `Unresolved tickets`_ 3. `Software Dependencies`_ + 3.1 `Tor`_ + 3.2 `I2P`_ + 3.3 `Post-install`_ 4. `Configuration`_ 5. `Performance and security issues of Tor Hidden Services`_ 6. `Torsocks: the old way of configuring Tahoe-LAFS to use Tor`_ -Use cases -========= +Overview +======== Tor is an anonymizing network used to help hide the identity of internet clients and servers. Please see the Tor Project's website for more information: https://www.torproject.org/ -Informative description about what i2p is... here. +I2P is a decentralized anonymizing network that focuses on end-to-end anonymity +between clients and servers. Please see the I2P website for more information: +https://geti2p.net/ +Use cases +========= + There are three potential use-cases for Tahoe-LAFS on the client side: 1. User does not care to protect their anonymity or to connect to anonymous @@ -30,7 +40,8 @@ There are three potential use-cases for Tahoe-LAFS on the client side: 2. User does not care to protect their anonymity but they wish to connect to Tahoe-LAFS storage servers which are accessbile only via Tor Hidden Services or I2P. - (For Tor users this means only use Tor if the endpoint string has a .onion address.) + * Tor is only used if a server endpoint string has a ``.onion`` address. + * I2P is only used if a server endpoint string has a ``.i2p`` address. 3. User wishes to always use an anonymizing network (Tor, I2P) to protect their anonymity when connecting to Tahoe-LAFS storage grids (whether or not the storage servers @@ -57,22 +68,33 @@ For Tahoe-LAFS storage servers there are three use-cases: https://www.torproject.org/docs/hidden-services.html.en See this I2P Project page for more information about I2P: - https://... + https://geti2p.net/en/about/intro 3. The operator wishes to protect their anonymity by making their - Tahoe server accessible only via Tor Hidden Services. + Tahoe server accessible only over I2P, via Tor Hidden Services, or both. -Native Tor integration for Tahoe-LAFS -===================================== +Native anonymizing network integration for Tahoe-LAFS +===================================================== -Native Tor integration for Tahoe-LAFS utilizes the Twisted endpoints API:: +Tahoe-LAFS utilizes the Twisted endpoints API:: * https://twistedmatrix.com/documents/current/core/howto/endpoints.html Twisted's endpoint parser plugin system is extensible via installing additional -Twisted packages. The native Tor integration for Tahoe-LAFS uses -endpoint and parser plugins from the txsocksx and txtorcon modules. +Twisted packages. Tahoe-LAFS utilizes this extensibility to support native Tor +and I2P integration. + +* Native Tor integration uses the `txsocksx`_ and `txtorcon`_ modules. +* Native I2P integration uses the `txi2p`_ module. + +.. _`txsocksx`: https://pypi.python.org/pypi/txsocksx +.. _`txtorcon`: https://pypi.python.org/pypi/txtorcon +.. _`txi2p`: https://pypi.python.org/pypi/txi2p + +Unresolved tickets +------------------ + Although the Twisted endpoint API is very flexible it is missing a feature so that servers can be written in an endpoint agnostic style. We've opened a Twisted trac ticket for this feature here:: @@ -94,11 +116,19 @@ pending resolution of tor trac ticket 11291:: See also Tahoe-LAFS Tor related tickets #1010 and #517. +I2P endpoints (and potentially other endpoint types) require the ability to +append a preconfigured set of parameters to any server-provided client endpoint +string. See `Tahoe-LAFS ticket #2293`_ for progress. + +.. _`Tahoe-LAFS ticket #2293`: https://tahoe-lafs.org/trac/tahoe-lafs/ticket/2293 Software Dependencies ===================== +Tor +--- + * Tor (tor) must be installed. See here: https://www.torproject.org/docs/installguide.html.en @@ -112,9 +142,31 @@ Software Dependencies pip install txtorcon +I2P +--- + +* I2P must ben installed. See here: + https://geti2p.net/en/download + +* The BOB API must be enabled. + * Start I2P. + * Visit http://127.0.0.1:7657/configclients in your browser. + * Under "Client Configuration", check the "Run at Startup?" box for "BOB + application bridge". + * Click "Save Client Configuration". + * Click the "Start" control for "BOB application bridge", or restart I2P. + +* txi2p must be installed :: + + pip install txi2p + +Post-install +------------ + Once these software dependencies are installed and the Tahoe-LAFS node is restarted, then no further configuration is necessary for "unsafe" -Tor connectivity to other Tahoe-LAFS nodes (client use-case 2 from `Use cases`_, above). +Tor or I2P connectivity to other Tahoe-LAFS nodes (client use-case 2 from +`Use cases`_, above). In order to implement client use-case 3 or server use-cases 2 or 3, further configuration is necessary. @@ -223,30 +275,6 @@ over Tor to a publicly traceable TCP/IP server. -Native I2P Integration for Tahoe-LAFS -===================================== - -Really cool and interesting description of how the I2p integration works... - - - -Software Dependencies -===================== - -I2p software deps here - - - -Configuration -============= - -informative configuration info for i2p users goes here - -link to tahoe trac ticket regarding client endpoint string -parameter concatenation - - - Performance and security issues of I2p (if applicable) ====================================================== From 8cc2307d8063e6f388445d72ac2c6c97a362bb32 Mon Sep 17 00:00:00 2001 From: str4d Date: Mon, 8 Sep 2014 02:27:45 +0000 Subject: [PATCH 18/30] Spelling, rST layout fixes --- docs/anonymity-configuration.rst | 68 ++++++++++++++++++-------------- 1 file changed, 39 insertions(+), 29 deletions(-) diff --git a/docs/anonymity-configuration.rst b/docs/anonymity-configuration.rst index a8d84d76c..59dea773c 100644 --- a/docs/anonymity-configuration.rst +++ b/docs/anonymity-configuration.rst @@ -7,11 +7,15 @@ Using Tahoe-LAFS with an anonymizing network: Tor, I2P 0. `Overview`_ 1. `Use cases`_ 2. `Native anonymizing network integration for Tahoe-LAFS`_ - 2.1 `Unresolved tickets`_ + + 1. `Unresolved tickets`_ + 3. `Software Dependencies`_ - 3.1 `Tor`_ - 3.2 `I2P`_ - 3.3 `Post-install`_ + + 1. `Tor`_ + 2. `I2P`_ + 3. `Post-install`_ + 4. `Configuration`_ 5. `Performance and security issues of Tor Hidden Services`_ 6. `Torsocks: the old way of configuring Tahoe-LAFS to use Tor`_ @@ -39,9 +43,10 @@ There are three potential use-cases for Tahoe-LAFS on the client side: storage servers. This document is not useful to you... so stop reading. 2. User does not care to protect their anonymity but they wish to connect to - Tahoe-LAFS storage servers which are accessbile only via Tor Hidden Services or I2P. - * Tor is only used if a server endpoint string has a ``.onion`` address. - * I2P is only used if a server endpoint string has a ``.i2p`` address. + Tahoe-LAFS storage servers which are accessible only via Tor Hidden Services or I2P. + + * Tor is only used if a server endpoint string has a ``.onion`` address. + * I2P is only used if a server endpoint string has a ``.i2p`` address. 3. User wishes to always use an anonymizing network (Tor, I2P) to protect their anonymity when connecting to Tahoe-LAFS storage grids (whether or not the storage servers @@ -78,7 +83,8 @@ For Tahoe-LAFS storage servers there are three use-cases: Native anonymizing network integration for Tahoe-LAFS ===================================================== -Tahoe-LAFS utilizes the Twisted endpoints API:: +Tahoe-LAFS utilizes the Twisted endpoints API: + * https://twistedmatrix.com/documents/current/core/howto/endpoints.html Twisted's endpoint parser plugin system is extensible via installing additional @@ -97,7 +103,8 @@ Unresolved tickets Although the Twisted endpoint API is very flexible it is missing a feature so that servers can be written in an endpoint agnostic style. We've opened a Twisted trac -ticket for this feature here:: +ticket for this feature here: + * https://twistedmatrix.com/trac/ticket/7603 Once this ticket is resolved then an additional changes can be made to Foolscap @@ -107,11 +114,13 @@ users to easily to use Tahoe-LAFS with many protocols on the server side. txsocksx will try to use the system tor's SOCKS port if available; attempts are made on ports 9050 and 9151. Currently the maintainer of txsocksx has not merged in our code for the Tor client endpoint. We'll use -this branch until the Tor endpoint code is merged upstream:: +this branch until the Tor endpoint code is merged upstream: + * https://github.com/david415/txsocksx/tree/endpoint_parsers_retry_socks txtorcon will use the system tor control port to configure Tor Hidden Services -pending resolution of tor trac ticket 11291:: +pending resolution of tor trac ticket 11291: + * https://trac.torproject.org/projects/tor/ticket/11291 See also Tahoe-LAFS Tor related tickets #1010 and #517. @@ -145,16 +154,17 @@ Tor I2P --- -* I2P must ben installed. See here: +* I2P must be installed. See here: https://geti2p.net/en/download * The BOB API must be enabled. - * Start I2P. - * Visit http://127.0.0.1:7657/configclients in your browser. - * Under "Client Configuration", check the "Run at Startup?" box for "BOB - application bridge". - * Click "Save Client Configuration". - * Click the "Start" control for "BOB application bridge", or restart I2P. + + * Start I2P. + * Visit http://127.0.0.1:7657/configclients in your browser. + * Under "Client Configuration", check the "Run at Startup?" box for "BOB + application bridge". + * Click "Save Client Configuration". + * Click the "Start" control for "BOB application bridge", or restart I2P. * txi2p must be installed :: @@ -176,8 +186,10 @@ configuration is necessary. Configuration ============= -``[node]`` -``anonymize = (boolean, optional)`` +:: + + [node] + anonymize = (boolean, optional) This specifies two changes in behavior: 1. Transform all non-Tor client endpoints into Tor client endpoints. @@ -195,6 +207,7 @@ Twisted endpoint descriptor string. If server use-case 2 from `Use cases`_ above is desired then you can set ``tub.location`` to a Tor Hidden Service endpoint string AND "AUTODETECT" like this:: + tub.location = "AUTODETECT,onion:80:hiddenServiceDir=/var/lib/tor/my_service" It is an error to specify a ``tub.location`` value that contains "AUTODETECT" @@ -204,6 +217,7 @@ Operators of Tahoe-LAFS storage servers wishing to protect the identity of their storage server should set ``anonymize`` to ``true`` and specify a Tor Hidden Service endpoint descriptor string for the ``tub.location`` value in the ``tahoe.cfg`` like this:: + tub.location = "onion:80:hiddenServiceDir=/var/lib/tor/my_service" Setting this configuration option is necessary for Server use-cases 2 and 3 @@ -287,25 +301,21 @@ Torsocks: the old way of configuring Tahoe-LAFS to use Tor Before the native Tor integration for Tahoe-LAFS, users would use Torsocks. Please see these pages for more information about Torsocks: -https://code.google.com/p/torsocks/ -https://trac.torproject.org/projects/tor/wiki/doc/torsocks - -https://github.com/dgoulet/torsocks/ +* https://code.google.com/p/torsocks/ +* https://trac.torproject.org/projects/tor/wiki/doc/torsocks +* https://github.com/dgoulet/torsocks/ Starting And Stopping --------------------- Assuming you have your Tahoe-LAFS node directory placed in **~/.tahoe**, -use Torsocks to start Tahoe like this -:: +use Torsocks to start Tahoe like this:: usewithtor tahoe start - -Likewise if restarting, then with Torsocks like this -:: +Likewise if restarting, then with Torsocks like this:: usewithtor tahoe restart From d09173cbf79f5a2145e2c22c2de9a2486aa2f0ef Mon Sep 17 00:00:00 2001 From: str4d Date: Mon, 8 Sep 2014 03:26:55 +0000 Subject: [PATCH 19/30] Expanded explanation of [node]anonymize --- docs/anonymity-configuration.rst | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/docs/anonymity-configuration.rst b/docs/anonymity-configuration.rst index 59dea773c..1be1c7909 100644 --- a/docs/anonymity-configuration.rst +++ b/docs/anonymity-configuration.rst @@ -186,14 +186,31 @@ configuration is necessary. Configuration ============= -:: +Tahoe-LAFS provides a configuration flag for explicitly stating whether or not +anonymity is required for a node:: [node] anonymize = (boolean, optional) -This specifies two changes in behavior: - 1. Transform all non-Tor client endpoints into Tor client endpoints. - 2. Force ``tub.location`` to be set to "safe" values. +Setting ``anonymize = True`` causes several changes in the behavior of +Tahoe-LAFS: + +1. Tahoe-LAFS will not start if any of the configuration options in ``tahoe.cfg`` + would compromise the identity of the node. In particular, ``tub.location`` + is forced to have "safe" values. +2. Tahoe-LAFS will not make any outgoing connections that are not over a + supported anonymizing network. + + * If a server's FURL contains one or more location hints for anonymizing + networks, Tahoe-LAFS will prefer those hints to connect to the server. + An anonymizing network location hint will only be used if the correct + modules are installed. + * If a server's FURL contains no location hints for anonymizing networks + (or Tahoe-LAFS could not contact the server via any of the provided + anonymizing network location hints), and the user has the required modules + for Tor installed, Tahoe-LAFS will connect to the server using Tor as an + anonymizing proxy. + * In all other cases, Tahoe-LAFS will never connect to the server. This option is **critical** to preserving the client's anonymity (client use-case 3 from `Use cases`_, above). It is also necessary to From 0fdae0b96aad18fec79afafca250771d77ec2bc5 Mon Sep 17 00:00:00 2001 From: str4d Date: Mon, 8 Sep 2014 23:59:22 +0000 Subject: [PATCH 20/30] Configuration details --- docs/anonymity-configuration.rst | 82 +++++++++++++++++++++++--------- 1 file changed, 59 insertions(+), 23 deletions(-) diff --git a/docs/anonymity-configuration.rst b/docs/anonymity-configuration.rst index 1be1c7909..61a7df54b 100644 --- a/docs/anonymity-configuration.rst +++ b/docs/anonymity-configuration.rst @@ -189,15 +189,20 @@ Configuration Tahoe-LAFS provides a configuration flag for explicitly stating whether or not anonymity is required for a node:: - [node] - anonymize = (boolean, optional) + [node] + anonymize = (boolean, optional) Setting ``anonymize = True`` causes several changes in the behavior of Tahoe-LAFS: 1. Tahoe-LAFS will not start if any of the configuration options in ``tahoe.cfg`` - would compromise the identity of the node. In particular, ``tub.location`` - is forced to have "safe" values. + would compromise the identity of the node. + + * In particular, ``tub.location`` is forced to contain safe values. It is an + error to specify a ``tub.location`` that contains anything other than the + special string ``UNREACHABLE``, or a comma-separated list of Twisted server + endpoint descriptor strings for supported anonymizing networks. + 2. Tahoe-LAFS will not make any outgoing connections that are not over a supported anonymizing network. @@ -213,32 +218,63 @@ Tahoe-LAFS: * In all other cases, Tahoe-LAFS will never connect to the server. This option is **critical** to preserving the client's anonymity (client -use-case 3 from `Use cases`_, above). It is also necessary to -preserve a server's anonymity (server use-case 3). +use-case 3 from `Use cases`_, above). It is also necessary to preserve a +server's anonymity (server use-case 3). -When ``anonymize`` is set to ``true`` then ``tub.location`` does not need -to be specified... and it is an error to specify a ``tub.location`` value -that contains anything other than "UNREACHABLE" or a Tor Hidden Service -Twisted endpoint descriptor string. +Client configuration +-------------------- -If server use-case 2 from `Use cases`_ above is desired then you can set -``tub.location`` to a Tor Hidden Service endpoint string AND "AUTODETECT" -like this:: +To configure a client node for anonymity, ``tahoe.cfg`` **must** contain the +following configuration flags:: - tub.location = "AUTODETECT,onion:80:hiddenServiceDir=/var/lib/tor/my_service" + [node] + anonymize = True + tub.location = UNREACHABLE -It is an error to specify a ``tub.location`` value that contains "AUTODETECT" -when ``anonymize`` is also set to ``true``. +Once the Tahoe-LAFS node has been restarted, it can be used anonymously (client +use-case 3). -Operators of Tahoe-LAFS storage servers wishing to protect the identity of their -storage server should set ``anonymize`` to ``true`` and specify a -Tor Hidden Service endpoint descriptor string for the ``tub.location`` -value in the ``tahoe.cfg`` like this:: +Server configuration +-------------------- - tub.location = "onion:80:hiddenServiceDir=/var/lib/tor/my_service" +To configure a server node to listen on an anonymizing network, a corresponding +server endpoint descriptor string must be specified in ``tahoe.cfg``:: -Setting this configuration option is necessary for Server use-cases 2 and 3 -(from `Use cases`_, above). + tub.location = onion:80:hiddenServiceDir=/var/lib/tor/my_service + +Multiple anonymizing networks are supported by specifying multiple server +endpoint strings, separated by commas:: + + tub.location = onion:80:hiddenServiceDir=/var/lib/tor/my_service,i2p:/var/lib/i2p/my_service.keypair + +To configure a server node for anonymity, ``anonymize`` **must** be set to +``True`` (as for the client node case), and ``tub.location`` **must only** +contain endpoint strings for supported anonymizing networks. A complete +configuration for server use-case 3 would look like:: + + [node] + anonymize = True + tub.location = onion:80:hiddenServiceDir=/var/lib/tor/my_service,i2p:/var/lib/i2p/my_service.keypair + +If server anonymity is not required (server use-case 2 from `Use cases`_ above) +then ``tub.location`` can contain server endpoint strings for non-anonymizing +networks:: + + tub.location = tcp:123.456.789.0:80,onion:80:hiddenServiceDir=/var/lib/tor/my_service + +The special string ``AUTODETECT`` tells Tahoe-LAFS to try to detect the public +interface and use it:: + + tub.location = "AUTODETECT,onion:80:hiddenServiceDir=/var/lib/tor/my_service" + +It is an error to specify a ``tub.location`` value that contains ``AUTODETECT`` +or server endpoint strings for non-anonymizing networks when ``anonymize`` is +set to ``True``. ``anonymize`` **must** either be unset, or set to ``False``. A +complete configuration for server use-case 2 would look like:: + + [node] + anonymize = False + tub.location = AUTODETECT,onion:80:hiddenServiceDir=/var/lib/tor/my_service,i2p:/var/lib/i2p/my_service.keypair From aa8de0737c2c94629ac473823a7cb7b028011309 Mon Sep 17 00:00:00 2001 From: str4d Date: Tue, 9 Sep 2014 00:10:35 +0000 Subject: [PATCH 21/30] ToC and headings --- docs/anonymity-configuration.rst | 40 ++++++++++++++++++-------------- 1 file changed, 23 insertions(+), 17 deletions(-) diff --git a/docs/anonymity-configuration.rst b/docs/anonymity-configuration.rst index 61a7df54b..4e93319c1 100644 --- a/docs/anonymity-configuration.rst +++ b/docs/anonymity-configuration.rst @@ -4,21 +4,27 @@ Using Tahoe-LAFS with an anonymizing network: Tor, I2P ====================================================== -0. `Overview`_ -1. `Use cases`_ -2. `Native anonymizing network integration for Tahoe-LAFS`_ +#. `Overview`_ +#. `Use cases`_ +#. `Native anonymizing network integration for Tahoe-LAFS`_ - 1. `Unresolved tickets`_ + #. `Unresolved tickets`_ -3. `Software Dependencies`_ +#. `Software Dependencies`_ - 1. `Tor`_ - 2. `I2P`_ - 3. `Post-install`_ + #. `Tor`_ + #. `I2P`_ + #. `Post-install`_ -4. `Configuration`_ -5. `Performance and security issues of Tor Hidden Services`_ -6. `Torsocks: the old way of configuring Tahoe-LAFS to use Tor`_ +#. `Configuration`_ + + #. `Client configuration`_ + #. `Server configuration`_ + +#. `Performance and security issues with Tor Hidden Services`_ +#. `Performance and security issues with I2P`_ +#. `Torsocks: the old way of configuring Tahoe-LAFS to use Tor`_ +#. `Legacy I2P Tahoe-LAFS Configuration`_ @@ -278,8 +284,8 @@ complete configuration for server use-case 2 would look like:: -Performance and security issues of Tor Hidden Services -====================================================== +Performance and security issues with Tor Hidden Services +======================================================== If you are running a server which does not itself need to be anonymous, should you make it reachable as a Tor Hidden Service or @@ -342,10 +348,10 @@ over Tor to a publicly traceable TCP/IP server. -Performance and security issues of I2p (if applicable) -====================================================== +Performance and security issues with I2P +======================================== -i2p info here +TBC @@ -463,4 +469,4 @@ but the NetBSD-specific patches have been merged upstream into torsocks as of co Legacy I2P Tahoe-LAFS Configuration =================================== -legacy i2p info here +TBC From 3661fc72cf07d8d8b31e31fd4e075ccd4bbe5ba6 Mon Sep 17 00:00:00 2001 From: str4d Date: Mon, 21 Sep 2015 14:17:29 +0000 Subject: [PATCH 22/30] Updated I2P content --- docs/anonymity-configuration.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/anonymity-configuration.rst b/docs/anonymity-configuration.rst index 4e93319c1..377c493da 100644 --- a/docs/anonymity-configuration.rst +++ b/docs/anonymity-configuration.rst @@ -163,14 +163,14 @@ I2P * I2P must be installed. See here: https://geti2p.net/en/download -* The BOB API must be enabled. +* The SAM API must be enabled. * Start I2P. * Visit http://127.0.0.1:7657/configclients in your browser. - * Under "Client Configuration", check the "Run at Startup?" box for "BOB + * Under "Client Configuration", check the "Run at Startup?" box for "SAM application bridge". * Click "Save Client Configuration". - * Click the "Start" control for "BOB application bridge", or restart I2P. + * Click the "Start" control for "SAM application bridge", or restart I2P. * txi2p must be installed :: From 1edb6331c13ba3a996f4f2a739043c8f5e70dda1 Mon Sep 17 00:00:00 2001 From: str4d Date: Mon, 21 Sep 2015 14:20:36 +0000 Subject: [PATCH 23/30] [node]anonymize -> [node]anonymous --- docs/anonymity-configuration.rst | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/anonymity-configuration.rst b/docs/anonymity-configuration.rst index 377c493da..3a7e48ef6 100644 --- a/docs/anonymity-configuration.rst +++ b/docs/anonymity-configuration.rst @@ -196,9 +196,9 @@ Tahoe-LAFS provides a configuration flag for explicitly stating whether or not anonymity is required for a node:: [node] - anonymize = (boolean, optional) + anonymous = (boolean, optional) -Setting ``anonymize = True`` causes several changes in the behavior of +Setting ``anonymous = True`` causes several changes in the behavior of Tahoe-LAFS: 1. Tahoe-LAFS will not start if any of the configuration options in ``tahoe.cfg`` @@ -234,7 +234,7 @@ To configure a client node for anonymity, ``tahoe.cfg`` **must** contain the following configuration flags:: [node] - anonymize = True + anonymous = True tub.location = UNREACHABLE Once the Tahoe-LAFS node has been restarted, it can be used anonymously (client @@ -253,13 +253,13 @@ endpoint strings, separated by commas:: tub.location = onion:80:hiddenServiceDir=/var/lib/tor/my_service,i2p:/var/lib/i2p/my_service.keypair -To configure a server node for anonymity, ``anonymize`` **must** be set to +To configure a server node for anonymity, ``anonymous`` **must** be set to ``True`` (as for the client node case), and ``tub.location`` **must only** contain endpoint strings for supported anonymizing networks. A complete configuration for server use-case 3 would look like:: [node] - anonymize = True + anonymous = True tub.location = onion:80:hiddenServiceDir=/var/lib/tor/my_service,i2p:/var/lib/i2p/my_service.keypair If server anonymity is not required (server use-case 2 from `Use cases`_ above) @@ -274,12 +274,12 @@ interface and use it:: tub.location = "AUTODETECT,onion:80:hiddenServiceDir=/var/lib/tor/my_service" It is an error to specify a ``tub.location`` value that contains ``AUTODETECT`` -or server endpoint strings for non-anonymizing networks when ``anonymize`` is -set to ``True``. ``anonymize`` **must** either be unset, or set to ``False``. A +or server endpoint strings for non-anonymizing networks when ``anonymous`` is +set to ``True``. ``anonymous`` **must** either be unset, or set to ``False``. A complete configuration for server use-case 2 would look like:: [node] - anonymize = False + anonymous = False tub.location = AUTODETECT,onion:80:hiddenServiceDir=/var/lib/tor/my_service,i2p:/var/lib/i2p/my_service.keypair From 24beb033d687bef032d513b4e8a46bcb66c786cf Mon Sep 17 00:00:00 2001 From: str4d Date: Tue, 22 Sep 2015 02:57:48 +0000 Subject: [PATCH 24/30] Update content to match current design --- docs/anonymity-configuration.rst | 84 +++++++++++++++++++------------- 1 file changed, 49 insertions(+), 35 deletions(-) diff --git a/docs/anonymity-configuration.rst b/docs/anonymity-configuration.rst index 3a7e48ef6..70fca201e 100644 --- a/docs/anonymity-configuration.rst +++ b/docs/anonymity-configuration.rst @@ -14,12 +14,13 @@ Using Tahoe-LAFS with an anonymizing network: Tor, I2P #. `Tor`_ #. `I2P`_ - #. `Post-install`_ -#. `Configuration`_ +#. `Connection configuration`_ - #. `Client configuration`_ - #. `Server configuration`_ +#. `Anonymity configuration`_ + + #. `Client anonymity`_ + #. `Server anonymity`_ #. `Performance and security issues with Tor Hidden Services`_ #. `Performance and security issues with I2P`_ @@ -40,6 +41,7 @@ between clients and servers. Please see the I2P website for more information: https://geti2p.net/ + Use cases ========= @@ -138,6 +140,7 @@ string. See `Tahoe-LAFS ticket #2293`_ for progress. .. _`Tahoe-LAFS ticket #2293`: https://tahoe-lafs.org/trac/tahoe-lafs/ticket/2293 + Software Dependencies ===================== @@ -147,13 +150,11 @@ Tor * Tor (tor) must be installed. See here: https://www.torproject.org/docs/installguide.html.en -* The "Tor-friendly" branch of txsocksx must be installed - ( Once this is merged then you can use upstream txsocksx; - https://github.com/habnabit/txsocksx/pull/8 ) :: +* txsocksx must be installed :: - pip install git+https://github.com/david415/txsocksx.git + pip install txsocksx -* txtorcon must be installed :: +* For storage servers, txtorcon must be installed :: pip install txtorcon @@ -176,21 +177,34 @@ I2P pip install txi2p -Post-install ------------- -Once these software dependencies are installed and the Tahoe-LAFS node -is restarted, then no further configuration is necessary for "unsafe" -Tor or I2P connectivity to other Tahoe-LAFS nodes (client use-case 2 from -`Use cases`_, above). -In order to implement client use-case 3 or server use-cases 2 or 3, further -configuration is necessary. +Connection configuration +======================== + +``[connections]`` + +``tcp.socks-proxy = (string, optional)`` + + When this option is present, Tahoe-LAFS will install a plugin that routes + regular internet connections through a SOCKS proxy. + +``tor.socks-proxy = (string, optional)`` + + When this option is present, Tahoe-LAFS will install a plugin that handles + Tor Hidden service (``.onion``) connections for clients. If provided but + left blank, the plugin will try the default Tor SOCKS proxy ports. + +``i2p.sam-api = (string, optional)`` + + When this option is present, Tahoe-LAFS will install a plugin that handles + I2P connections. If provided but left blank, the plugin will use the default + SAM port on localhost. -Configuration -============= +Anonymity configuration +======================= Tahoe-LAFS provides a configuration flag for explicitly stating whether or not anonymity is required for a node:: @@ -204,10 +218,10 @@ Tahoe-LAFS: 1. Tahoe-LAFS will not start if any of the configuration options in ``tahoe.cfg`` would compromise the identity of the node. - * In particular, ``tub.location`` is forced to contain safe values. It is an - error to specify a ``tub.location`` that contains anything other than the - special string ``UNREACHABLE``, or a comma-separated list of Twisted server - endpoint descriptor strings for supported anonymizing networks. + * In particular, ``tub.location`` is forced to either be empty, or contain + safe values. It is an error to specify a ``tub.location`` that contains + anything other than a comma-separated list of location hints for supported + anonymizing networks. 2. Tahoe-LAFS will not make any outgoing connections that are not over a supported anonymizing network. @@ -215,7 +229,7 @@ Tahoe-LAFS: * If a server's FURL contains one or more location hints for anonymizing networks, Tahoe-LAFS will prefer those hints to connect to the server. An anonymizing network location hint will only be used if the correct - modules are installed. + modules are installed (see `Connection configuration`_ above). * If a server's FURL contains no location hints for anonymizing networks (or Tahoe-LAFS could not contact the server via any of the provided anonymizing network location hints), and the user has the required modules @@ -227,21 +241,21 @@ This option is **critical** to preserving the client's anonymity (client use-case 3 from `Use cases`_, above). It is also necessary to preserve a server's anonymity (server use-case 3). -Client configuration --------------------- +Client anonymity +---------------- To configure a client node for anonymity, ``tahoe.cfg`` **must** contain the following configuration flags:: [node] anonymous = True - tub.location = UNREACHABLE + tub.location = Once the Tahoe-LAFS node has been restarted, it can be used anonymously (client use-case 3). -Server configuration --------------------- +Server anonymity +---------------- To configure a server node to listen on an anonymizing network, a corresponding server endpoint descriptor string must be specified in ``tahoe.cfg``:: @@ -268,19 +282,19 @@ networks:: tub.location = tcp:123.456.789.0:80,onion:80:hiddenServiceDir=/var/lib/tor/my_service -The special string ``AUTODETECT`` tells Tahoe-LAFS to try to detect the public +The special string ``AUTO`` tells Tahoe-LAFS to try to detect the public interface and use it:: - tub.location = "AUTODETECT,onion:80:hiddenServiceDir=/var/lib/tor/my_service" + tub.location = "AUTO,onion:80:hiddenServiceDir=/var/lib/tor/my_service" -It is an error to specify a ``tub.location`` value that contains ``AUTODETECT`` -or server endpoint strings for non-anonymizing networks when ``anonymous`` is -set to ``True``. ``anonymous`` **must** either be unset, or set to ``False``. A +It is an error to specify a ``tub.location`` value that contains ``AUTO`` or +server endpoint strings for non-anonymizing networks when ``anonymous`` is set +to ``True``. ``anonymous`` **must** either be unset, or set to ``False``. A complete configuration for server use-case 2 would look like:: [node] anonymous = False - tub.location = AUTODETECT,onion:80:hiddenServiceDir=/var/lib/tor/my_service,i2p:/var/lib/i2p/my_service.keypair + tub.location = AUTO,onion:80:hiddenServiceDir=/var/lib/tor/my_service,i2p:/var/lib/i2p/my_service.keypair From 21013284c9d414cc6d89f3ad33c151acee28277f Mon Sep 17 00:00:00 2001 From: str4d Date: Tue, 22 Sep 2015 03:42:58 +0000 Subject: [PATCH 25/30] Improved section on performance and security issues --- docs/anonymity-configuration.rst | 52 +++++++++++++++++++------------- 1 file changed, 31 insertions(+), 21 deletions(-) diff --git a/docs/anonymity-configuration.rst b/docs/anonymity-configuration.rst index 70fca201e..b81d0c6e6 100644 --- a/docs/anonymity-configuration.rst +++ b/docs/anonymity-configuration.rst @@ -298,12 +298,12 @@ complete configuration for server use-case 2 would look like:: -Performance and security issues with Tor Hidden Services -======================================================== +Performance and security issues +=============================== If you are running a server which does not itself need to be -anonymous, should you make it reachable as a Tor Hidden Service or -not? Or should you make it reachable *both* as a Tor Hidden Service +anonymous, should you make it reachable via an anonymizing network or +not? Or should you make it reachable *both* via an anonymizing network and as a publicly traceable TCP/IP server? There are several trade-offs effected by this decision. @@ -311,18 +311,16 @@ There are several trade-offs effected by this decision. NAT/Firewall penetration ------------------------ -Making a server be reachable as a Tor Hidden Service makes it -reachable even if there are NATs or firewalls preventing direct TCP/IP -connections to the server. +Making a server be reachable via Tor or I2P makes it reachable even if there +are NATs or firewalls preventing direct TCP/IP connections to the server. Anonymity --------- -Making a Tahoe-LAFS server accessible *only* via Tor Hidden Services -can be used to guarantee that the Tahoe-LAFS clients use Tor to -connect. This prevents misconfigured clients from accidentally -de-anonymizing themselves by connecting to your server through the -traceable Internet. +Making a Tahoe-LAFS server accessible *only* via Tor or I2P can be used to +guarantee that the Tahoe-LAFS clients use Tor or I2P to connect. This prevents +misconfigured clients from accidentally de-anonymizing themselves by connecting +to your server through the traceable Internet. Also, interaction, through Tor, with a Tor Hidden Service may be more protected from network traffic analysis than interaction, through Tor, @@ -334,13 +332,12 @@ If so we need to link to it. If not, then maybe we should explain more here why Performance ----------- -A client connecting to a Tahoe-LAFS server through Tor incurs -substantially higher latency and sometimes worse throughput than the -same client connecting to the same server over a normal traceable -TCP/IP connection. +A client connecting to a publicly traceable Tahoe-LAFS server through Tor incurs +substantially higher latency and sometimes worse throughput than the same client +connecting to the same server over a normal traceable TCP/IP connection. -A client connecting to a Tahoe-LAFS server which is a Tor Hidden -Service incurs much more latency and probably worse throughput. +A client connecting to a Tahoe-LAFS server which is a Tor Hidden Service or I2P +server incurs much more latency and probably worse throughput. Positive and negative effects on other Tor users ------------------------------------------------ @@ -360,12 +357,25 @@ Both of these effects are doubled if you upload or download files to a Tor Hidden Service, as compared to if you upload or download files over Tor to a publicly traceable TCP/IP server. +Positive and negative effects on other I2P users +------------------------------------------------ +Sending your Tahoe-LAFS traffic over I2P adds cover traffic for other I2P users +who are also transmitting data. So that is good for them -- increasing their +anonymity. It will not directly impair the performance of other I2P users' +interactive sessions, because the I2P network has several congestion control and +quality-of-service features, such as prioritizing smaller packets. -Performance and security issues with I2P -======================================== +However, if many users are sending Tahoe-LAFS traffic over I2P, and do not have +their I2P routers configured to participate in much traffic, then the I2P +network as a whole will suffer degradation. Each Tahoe-LAFS router using I2P has +their own anonymizing tunnels that their data is sent through. On average, one +Tahoe-LAFS node requires 12 other I2P routers to participate in their tunnels. -TBC +It is therefore important that your I2P router is sharing bandwidth with other +routers, so that you can give back as you use I2P. This will never impair the +performance of your Tahoe-LAFS node, because your I2P router will always +prioritize your own traffic. From f075fa0e85d986dae3bbe70059919b77b9b8d13d Mon Sep 17 00:00:00 2001 From: str4d Date: Fri, 29 Jul 2016 22:27:11 +1200 Subject: [PATCH 26/30] Remove references to closed tickets --- docs/anonymity-configuration.rst | 11 ----------- docs/anonymity-roadmap.rst | 23 ++++++----------------- 2 files changed, 6 insertions(+), 28 deletions(-) diff --git a/docs/anonymity-configuration.rst b/docs/anonymity-configuration.rst index b81d0c6e6..49836a7a1 100644 --- a/docs/anonymity-configuration.rst +++ b/docs/anonymity-configuration.rst @@ -126,19 +126,8 @@ this branch until the Tor endpoint code is merged upstream: * https://github.com/david415/txsocksx/tree/endpoint_parsers_retry_socks -txtorcon will use the system tor control port to configure Tor Hidden Services -pending resolution of tor trac ticket 11291: - -* https://trac.torproject.org/projects/tor/ticket/11291 - See also Tahoe-LAFS Tor related tickets #1010 and #517. -I2P endpoints (and potentially other endpoint types) require the ability to -append a preconfigured set of parameters to any server-provided client endpoint -string. See `Tahoe-LAFS ticket #2293`_ for progress. - -.. _`Tahoe-LAFS ticket #2293`: https://tahoe-lafs.org/trac/tahoe-lafs/ticket/2293 - Software Dependencies diff --git a/docs/anonymity-roadmap.rst b/docs/anonymity-roadmap.rst index 197caaee3..e37caa842 100644 --- a/docs/anonymity-roadmap.rst +++ b/docs/anonymity-roadmap.rst @@ -10,8 +10,8 @@ Development phases ================== -Phase 1. Use Tor for network connectivity and to protect identity of client ---------------------------------------------------------------------------- +Phase 1. Use Tor and I2P for network connectivity and to protect identity of client +----------------------------------------------------------------------------------- **note:** Client side is endpoint agnostic and server side has TCP endpoint support only. @@ -29,17 +29,7 @@ Phase 1. Use Tor for network connectivity and to protect identity of client -Phase 2. Use I2p for network connectivity and to protect identity of client ---------------------------------------------------------------------------- - -**Dependencies** - -#. Tahoe-LAFS trac ticket regarding client endpoint string parameter concatenation -#. txi2p - - - -Phase 3. endpoint-agnostic Foolscap server side +Phase 2. Endpoint-agnostic Foolscap server side ----------------------------------------------- Completing these two tickets will make Foolscap endpoint agnostic @@ -52,11 +42,10 @@ can be used with Foolscap from twisted trac ticket 7603 -Phase 4. Integrated Tor Hidden Service feature for storage servers ------------------------------------------------------------------- +Phase 3. Integrated Tor and I2P Hidden Service feature for storage servers +-------------------------------------------------------------------------- -#. teach tor to create Hidden Service directories with group - rx perms https://trac.torproject.org/projects/tor/ticket/11291 #. open new txtorcon ticket - Teach endpoint to use control port feature from tor trac ticket 11291 +#. open new txi2p ticket - Add support for starting a local instance From 52e35852b1d56334b604ecbc2df8e632f381647c Mon Sep 17 00:00:00 2001 From: str4d Date: Fri, 29 Jul 2016 22:43:05 +1200 Subject: [PATCH 27/30] Update connection config docs to match the current ticket:517 syntax --- docs/anonymity-configuration.rst | 35 +++++++++++++++++++++++--------- 1 file changed, 25 insertions(+), 10 deletions(-) diff --git a/docs/anonymity-configuration.rst b/docs/anonymity-configuration.rst index 49836a7a1..9a896aecf 100644 --- a/docs/anonymity-configuration.rst +++ b/docs/anonymity-configuration.rst @@ -171,24 +171,39 @@ I2P Connection configuration ======================== -``[connections]`` +``[tor]`` -``tcp.socks-proxy = (string, optional)`` - - When this option is present, Tahoe-LAFS will install a plugin that routes - regular internet connections through a SOCKS proxy. - -``tor.socks-proxy = (string, optional)`` +``enable = (boolean, optional)`` When this option is present, Tahoe-LAFS will install a plugin that handles Tor Hidden service (``.onion``) connections for clients. If provided but left blank, the plugin will try the default Tor SOCKS proxy ports. -``i2p.sam-api = (string, optional)`` +``socks.port = (string, optional)`` + +``control.port = (string, optional)`` + +``launch = (boolean, optional)`` + +``tor.executable = (string, optional)`` + +``data.directory = (string, optional)`` + +``[i2p]`` + +``enable = (boolean, optional)`` When this option is present, Tahoe-LAFS will install a plugin that handles - I2P connections. If provided but left blank, the plugin will use the default - SAM port on localhost. + I2P (``.i2p``) connections. If provided but left blank, the plugin will use + the default SAM port on localhost. + +``sam.port = (Twisted client endpoint descriptor, optional)`` + +``launch = (boolean, optional)`` + +``i2p.executable = (string, optional)`` + +``i2p.configdir = (string, optional)`` From 327bef338305703f1a30cf40ec493efaef5d96f4 Mon Sep 17 00:00:00 2001 From: Brian Warner Date: Mon, 29 Aug 2016 18:11:32 -0700 Subject: [PATCH 28/30] update tor/i2p docs to match current config syntax This removes the section that describes automatic configuration using transport-agnostic endpoint-centric tub.port strings. That was the approach where tub.port used "onion:80:hiddenServiceDir=PATH", and Foolscap was able to query the generated Listener to find out what address it was supposed to advertise. We considered this for a long time, but in the end decided to use a more static approach, where foolscap/tahoe never try to guess it's location: Tahoe always requires tub.location= to be set. When we get automatic configuration implemented, it'll be a simple CLI argument, something like "tahoe create-server --listen=tor". Instead, this document now explains how to configure Tor to create the hidden service, then how to copy the generated .onion address into the tahoe config. This also removes a lot of other text that seems irrelevant now, and refers the user to the tahoe.cfg docs (configuration.rst) instead of including all the `[tor]`/`[i2p]` docs inline. Closes ticket:2815 --- docs/anonymity-configuration.rst | 319 ++++++++++++++++--------------- docs/index.rst | 2 + 2 files changed, 172 insertions(+), 149 deletions(-) diff --git a/docs/anonymity-configuration.rst b/docs/anonymity-configuration.rst index 9a896aecf..3340954de 100644 --- a/docs/anonymity-configuration.rst +++ b/docs/anonymity-configuration.rst @@ -53,28 +53,31 @@ There are three potential use-cases for Tahoe-LAFS on the client side: 2. User does not care to protect their anonymity but they wish to connect to Tahoe-LAFS storage servers which are accessible only via Tor Hidden Services or I2P. - * Tor is only used if a server endpoint string has a ``.onion`` address. - * I2P is only used if a server endpoint string has a ``.i2p`` address. + * Tor is only used if a server connection hint uses ``tor:``. These hints + generally have a ``.onion`` address. + * I2P is only used if a server connection hint uses ``i2p:``. These hints + generally have a ``.i2p`` address. -3. User wishes to always use an anonymizing network (Tor, I2P) to protect their anonymity when - connecting to Tahoe-LAFS storage grids (whether or not the storage servers - are anonymous). +3. User wishes to always use an anonymizing network (Tor, I2P) to protect + their anonymity when connecting to Tahoe-LAFS storage grids (whether or + not the storage servers are anonymous). For Tahoe-LAFS storage servers there are three use-cases: -1. Storage server operator does not care to protect their own anonymity - nor to help the clients protect theirs. Stop reading this document - and run your Tahoe-LAFS storage server using publicly routed TCP/IP. +1. Storage server operator does not care to protect their own anonymity nor + to help the clients protect theirs. Stop reading this document and run + your Tahoe-LAFS storage server using publicly routed TCP/IP. -2. The operator does not require anonymity for the storage server, but - they want it to be available over both publicly routed TCP/IP and - through an anonymizing network (I2P, Tor Hidden Services). One possible reason to do this is - because being reachable through an anonymizing network is a convenient - way to bypass NAT or firewall that prevents publicly routed TCP/IP - connections to your server. Another is that making your storage - server reachable through an anonymizing network can provide better - protection for your clients who themselves use that anonymizing network to protect their +2. The operator does not *require* anonymity for the storage server, but they + want it to be available over both publicly routed TCP/IP and through an + anonymizing network (I2P, Tor Hidden Services). One possible reason to do + this is because being reachable through an anonymizing network is a + convenient way to bypass NAT or firewall that prevents publicly routed + TCP/IP connections to your server (for clients capable of connecting to + such servers). Another is that making your storage server reachable + through an anonymizing network can provide better protection for your + clients who themselves use that anonymizing network to protect their anonymity. See this Tor Project page for more information about Tor Hidden Services: @@ -83,51 +86,25 @@ For Tahoe-LAFS storage servers there are three use-cases: See this I2P Project page for more information about I2P: https://geti2p.net/en/about/intro -3. The operator wishes to protect their anonymity by making their - Tahoe server accessible only over I2P, via Tor Hidden Services, or both. +3. The operator wishes to protect their anonymity by making their Tahoe + server accessible only over I2P, via Tor Hidden Services, or both. -Native anonymizing network integration for Tahoe-LAFS -===================================================== - -Tahoe-LAFS utilizes the Twisted endpoints API: - -* https://twistedmatrix.com/documents/current/core/howto/endpoints.html - -Twisted's endpoint parser plugin system is extensible via installing additional -Twisted packages. Tahoe-LAFS utilizes this extensibility to support native Tor -and I2P integration. - -* Native Tor integration uses the `txsocksx`_ and `txtorcon`_ modules. -* Native I2P integration uses the `txi2p`_ module. - -.. _`txsocksx`: https://pypi.python.org/pypi/txsocksx -.. _`txtorcon`: https://pypi.python.org/pypi/txtorcon -.. _`txi2p`: https://pypi.python.org/pypi/txi2p - Unresolved tickets ------------------ -Although the Twisted endpoint API is very flexible it is missing a feature so that -servers can be written in an endpoint agnostic style. We've opened a Twisted trac -ticket for this feature here: +Tahoe's anonymity support does not yet include automatic configuration of +servers. This issue is tracked by Tahoe tickets `#2490`_ and `#2773`_: until +those are resolved, anonymous servers (running as Tor Onion services or I2P +servers) must be configured manually, as described below. -* https://twistedmatrix.com/trac/ticket/7603 - -Once this ticket is resolved then an additional changes can be made to Foolscap -so that it's server side API is completely endpoint agnostic which will allow -users to easily to use Tahoe-LAFS with many protocols on the server side. - -txsocksx will try to use the system tor's SOCKS port if available; -attempts are made on ports 9050 and 9151. Currently the maintainer of txsocksx -has not merged in our code for the Tor client endpoint. We'll use -this branch until the Tor endpoint code is merged upstream: - -* https://github.com/david415/txsocksx/tree/endpoint_parsers_retry_socks - -See also Tahoe-LAFS Tor related tickets #1010 and #517. +See also Tahoe-LAFS Tor related tickets `#1010`_ and `#517`_. +.. _`#2490`: https://tahoe-lafs.org/trac/tahoe-lafs/ticket/2490 +.. _`#2773`: https://tahoe-lafs.org/trac/tahoe-lafs/ticket/2773 +.. _`#1010`: https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1010 +.. _`#517`: https://tahoe-lafs.org/trac/tahoe-lafs/ticket/517 Software Dependencies @@ -136,20 +113,29 @@ Software Dependencies Tor --- +Clients who wish to connect to Tor-based servers must install the following. + * Tor (tor) must be installed. See here: - https://www.torproject.org/docs/installguide.html.en + https://www.torproject.org/docs/installguide.html.en . On Debian/Ubuntu, + use ``apt-get install tor``. You can also install and run the Tor Browser + Bundle. -* txsocksx must be installed :: +* Tahoe-LAFS must be installed with the ``[tor]`` "extra" enabled. This will + install ``txtorcon`` :: - pip install txsocksx + pip install tahoe-lafs[tor] -* For storage servers, txtorcon must be installed :: - - pip install txtorcon +Manually-configured Tor-based servers must install Tor, but do not need +``txtorcon`` or the ``[tor]`` extra. Automatic configuration, when +implemented, will need these, just like clients. I2P --- +Clients who wish to connect to I2P-based servers must install the following. +As with Tor, manually-configured I2P-based servers need the I2P daemon, but +no special Tahoe-side supporting libraries. + * I2P must be installed. See here: https://geti2p.net/en/download @@ -162,84 +148,70 @@ I2P * Click "Save Client Configuration". * Click the "Start" control for "SAM application bridge", or restart I2P. -* txi2p must be installed :: +* Tahoe-LAFS must be installed with the ``[i2p]`` extra enabled, to get + ``txi2p`` :: - pip install txi2p + pip install tahoe-lafs[i2p] Connection configuration ======================== -``[tor]`` +See :ref:`configuration` "Client Configuration" for a description of the +``[tor]`` and ``[i2p]`` sections of ``tahoe.cfg``. These control how the +Tahoe client will connect to a Tor/I2P daemon, and thus make connections to +Tor/I2P -based servers. -``enable = (boolean, optional)`` +The ``[tor]`` and ``[i2p]`` sections only need to be modified to use unusual +configurations, or to enable automatic server setup. - When this option is present, Tahoe-LAFS will install a plugin that handles - Tor Hidden service (``.onion``) connections for clients. If provided but - left blank, the plugin will try the default Tor SOCKS proxy ports. +The default configuration will attempt to contact a local Tor/I2P daemon +listening on the usual ports (9050/9150 for Tor, 7656 for I2P). As long as +there is a daemon running on the local host, and the necessary support +libraries were installed, clients will be able to user Tor-based servers +without any special configuration. -``socks.port = (string, optional)`` - -``control.port = (string, optional)`` - -``launch = (boolean, optional)`` - -``tor.executable = (string, optional)`` - -``data.directory = (string, optional)`` - -``[i2p]`` - -``enable = (boolean, optional)`` - - When this option is present, Tahoe-LAFS will install a plugin that handles - I2P (``.i2p``) connections. If provided but left blank, the plugin will use - the default SAM port on localhost. - -``sam.port = (Twisted client endpoint descriptor, optional)`` - -``launch = (boolean, optional)`` - -``i2p.executable = (string, optional)`` - -``i2p.configdir = (string, optional)`` +However note that this default configuration does not improve the client's +anonymity: normal TCP connections will still be made to any server that +offers a regular address (it fulfills the second client use case above, not +the third). To protect their anonymity, users must configure the +``[connections]`` section as follows:: + [connections] + tcp = tor +With this in place, the client will use Tor (instead of an +IP-address -revealing direct connection) to reach TCP-based servers. Anonymity configuration ======================= -Tahoe-LAFS provides a configuration flag for explicitly stating whether or not -anonymity is required for a node:: +Tahoe-LAFS provides a configuration "safety flag" for explicitly stating +whether or not anonymity is required for a node:: [node] anonymous = (boolean, optional) -Setting ``anonymous = True`` causes several changes in the behavior of -Tahoe-LAFS: +When ``anonymous = True``, Tahoe-LAFS will not start if any of the +configuration options in ``tahoe.cfg`` would compromise the identity of the +node: -1. Tahoe-LAFS will not start if any of the configuration options in ``tahoe.cfg`` - would compromise the identity of the node. +* ``[connections] tcp = tor`` is required: otherwise the client would make + direct connections to the Introducer, or any TCP-based servers it learns + from the Introducer, revealing its IP address to those servers and a + network eavesdropper. With this in place, Tahoe-LAFS will not make any + outgoing connections that are not over a supported anonymizing network. - * In particular, ``tub.location`` is forced to either be empty, or contain - safe values. It is an error to specify a ``tub.location`` that contains - anything other than a comma-separated list of location hints for supported - anonymizing networks. - -2. Tahoe-LAFS will not make any outgoing connections that are not over a - supported anonymizing network. - - * If a server's FURL contains one or more location hints for anonymizing - networks, Tahoe-LAFS will prefer those hints to connect to the server. - An anonymizing network location hint will only be used if the correct - modules are installed (see `Connection configuration`_ above). - * If a server's FURL contains no location hints for anonymizing networks - (or Tahoe-LAFS could not contact the server via any of the provided - anonymizing network location hints), and the user has the required modules - for Tor installed, Tahoe-LAFS will connect to the server using Tor as an - anonymizing proxy. - * In all other cases, Tahoe-LAFS will never connect to the server. +* ``tub.location`` is required to either be empty, or contain safe values. + This value is advertised to other nodes via the Introducer: it is how a + server advertises it's location so clients can connect to it. In anonymous + mode, it is an error to specify a ``tub.location`` that contains anything + other than a comma-separated list of location hints for supported + anonymizing networks (XXX is this true? check `#1010`_). The default value + of ``tub.location`` (when the key is missing entirely) is ``AUTO``, which + uses ``ifconfig`` to guess the node's external IP address, which would + reveal it to the server and other clients. This option is **critical** to preserving the client's anonymity (client use-case 3 from `Use cases`_, above). It is also necessary to preserve a @@ -258,48 +230,95 @@ following configuration flags:: Once the Tahoe-LAFS node has been restarted, it can be used anonymously (client use-case 3). -Server anonymity ----------------- +Server anonymity, manual configuration +-------------------------------------- -To configure a server node to listen on an anonymizing network, a corresponding -server endpoint descriptor string must be specified in ``tahoe.cfg``:: +To configure a server node to listen on an anonymizing network, we must first +configure Tor to run an "Onion Service", and route inbound connections to the +local Tahoe port. Then we configure Tahoe to advertise the ``.onion` address +to clients. We also configure Tahoe to not make direct TCP connections. - tub.location = onion:80:hiddenServiceDir=/var/lib/tor/my_service +* Decide on a local listening port number, named PORT. This can be any unused + port from about 1024 up to 65535 (depending upon the host's kernel/network + config). We will tell Tahoe to listen on this port, and we'll tell Tor to + route inbound connections to it. +* Decide on an external port number, named VIRTPORT. This will be used in the + advertised location, and revealed to clients. It can be any number from 1 + to 65535. It can be the same as PORT, if you like. +* Decide on a "hidden service directory", usually in ``/var/lib/tor/NAME``. + We'll be asking Tor to save the onion-service state here, and Tor will + write the ``.onion`` address here after it is generated. -Multiple anonymizing networks are supported by specifying multiple server -endpoint strings, separated by commas:: +Then, do the following: - tub.location = onion:80:hiddenServiceDir=/var/lib/tor/my_service,i2p:/var/lib/i2p/my_service.keypair +* Create the Tahoe server node (with ``tahoe create-node``), but do **not** + launch it yet. -To configure a server node for anonymity, ``anonymous`` **must** be set to -``True`` (as for the client node case), and ``tub.location`` **must only** -contain endpoint strings for supported anonymizing networks. A complete -configuration for server use-case 3 would look like:: +* Edit the Tor config file (typically in ``/etc/tor/torrc``). We need to add + a section to define the hidden service. If our PORT is 2000, VIRTPORT is + 3000, and we're using ``/var/lib/tor/tahoe`` as the hidden service + directory, the section should look like:: - [node] - anonymous = True - tub.location = onion:80:hiddenServiceDir=/var/lib/tor/my_service,i2p:/var/lib/i2p/my_service.keypair + HiddenServiceDir /var/lib/tor/tahoe + HiddenServicePort 3000 127.0.0.1:2000 -If server anonymity is not required (server use-case 2 from `Use cases`_ above) -then ``tub.location`` can contain server endpoint strings for non-anonymizing -networks:: +* Restart Tor, with ``/etc/init.d/tor restart`` or a systemd command. Wait a + few seconds. - tub.location = tcp:123.456.789.0:80,onion:80:hiddenServiceDir=/var/lib/tor/my_service +* Read the ``hostname`` file in the hidden service directory (e.g. + ``/var/lib/tor/tahoe/hostname``). This will be a ``.onion`` address, like + ``u33m4y7klhz3b.onion``. Call this ONION. -The special string ``AUTO`` tells Tahoe-LAFS to try to detect the public -interface and use it:: +* Edit ``tahoe.cfg`` to set ``tub.port`` to use + ``tcp:PORT:interface=127.0.0.1``, and ``tub.location`` to use + ``tor:ONION.onion:VIRTPORT``. Using the examples above, this would be:: - tub.location = "AUTO,onion:80:hiddenServiceDir=/var/lib/tor/my_service" + [node] + tub.port = tcp:2000:interface=127.0.0.1 + tub.location = tor:u33m4y7klhz3b.onion:3000 + anonymous = true + [connections] + tcp = tor -It is an error to specify a ``tub.location`` value that contains ``AUTO`` or -server endpoint strings for non-anonymizing networks when ``anonymous`` is set -to ``True``. ``anonymous`` **must** either be unset, or set to ``False``. A -complete configuration for server use-case 2 would look like:: +* Launch the Tahoe server with ``tahoe start $NODEDIR`` - [node] - anonymous = False - tub.location = AUTO,onion:80:hiddenServiceDir=/var/lib/tor/my_service,i2p:/var/lib/i2p/my_service.keypair +The ``tub.port`` section will cause the Tahoe server to listen on PORT, but +bind the listening socket to the loopback interface, which is not reachable +from the outside world (but *is* reachable by the local Tor daemon). Then the +``tcp = tor`` section causes Tahoe to use Tor when connecting to the +Introducer, hiding it's IP address. The node will then announce itself to all +clients using ``tub.location``, so clients will know that they must use Tor +to reach this server (and not revealing it's IP address through the +announcement). When clients connect to the onion address, their packets will +flow through the anonymizing network and eventually land on the local Tor +daemon, which will then make a connection to PORT on localhost, which is +where Tahoe is listening for connections. +Follow a similar process to build a Tahoe server that listens on I2P. The +same process can be used to listen on both Tor and I2P (``tub.location = +tor:ONION.onion:VIRTPORT,i2p:ADDR.i2p``). It can also listen on both Tor and +plain TCP (use-case 2), with ``tub.port = tcp:PORT``, ``tub.location = +tcp:HOST:PORT,tor:ONION.onion:VIRTPORT``, and ``anonymous = false`` (and omit +the ``tcp = tor`` setting, as the address is already being broadcast through +the location announcement). + + +Server anonymity, automatic configuration +----------------------------------------- + +(note: this is not yet implemented, see Tahoe tickets `#2490`_ and `#2773`_ +for progress) + + +To configure a server node to listen on an anonymizing network, create the +node with the ``--listen=tor`` option. This requires a Tor configuration that +either launches a new Tor daemon, or has access to the Tor control port (and +enough authority to create a new onion service). + +This option will set ``anonymous = true``, ``[connections] tcp = tor``. It +will allocate the necessary ports, instruct Tor to create the onion service, +obtain the ``.onion`` address, and populate ``tub.port`` and ``tub.location`` +correctly. Performance and security issues @@ -336,12 +355,14 @@ If so we need to link to it. If not, then maybe we should explain more here why Performance ----------- -A client connecting to a publicly traceable Tahoe-LAFS server through Tor incurs -substantially higher latency and sometimes worse throughput than the same client -connecting to the same server over a normal traceable TCP/IP connection. +A client connecting to a publicly traceable Tahoe-LAFS server through Tor +incurs substantially higher latency and sometimes worse throughput than the +same client connecting to the same server over a normal traceable TCP/IP +connection. When the server is on a Tor Hidden Service, it incurs even more +latency, and possibly even worse throughput. -A client connecting to a Tahoe-LAFS server which is a Tor Hidden Service or I2P -server incurs much more latency and probably worse throughput. +Connecting to Tahoe-LAFS servers which are I2P servers incurs higher latency +and worse throughput too. Positive and negative effects on other Tor users ------------------------------------------------ diff --git a/docs/index.rst b/docs/index.rst index 83f363a50..29decd973 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -34,6 +34,8 @@ Contents: write_coordination backupdb + anonymity-configuration + nodekeys performance logging From f54d2a81a85835776370a87766120268c9536042 Mon Sep 17 00:00:00 2001 From: Brian Warner Date: Tue, 30 Aug 2016 08:45:31 -0700 Subject: [PATCH 29/30] fix TOC, remove empty "Legacy I2P" section --- docs/anonymity-configuration.rst | 20 +++++--------------- 1 file changed, 5 insertions(+), 15 deletions(-) diff --git a/docs/anonymity-configuration.rst b/docs/anonymity-configuration.rst index 3340954de..ec8933e8f 100644 --- a/docs/anonymity-configuration.rst +++ b/docs/anonymity-configuration.rst @@ -6,9 +6,7 @@ Using Tahoe-LAFS with an anonymizing network: Tor, I2P #. `Overview`_ #. `Use cases`_ -#. `Native anonymizing network integration for Tahoe-LAFS`_ - - #. `Unresolved tickets`_ +#. `Unresolved tickets`_ #. `Software Dependencies`_ @@ -20,12 +18,11 @@ Using Tahoe-LAFS with an anonymizing network: Tor, I2P #. `Anonymity configuration`_ #. `Client anonymity`_ - #. `Server anonymity`_ + #. `Server anonymity, manual configuration`_ + #. `Server anonymity, automatic configuration`_ -#. `Performance and security issues with Tor Hidden Services`_ -#. `Performance and security issues with I2P`_ +#. `Performance and security issues`_ #. `Torsocks: the old way of configuring Tahoe-LAFS to use Tor`_ -#. `Legacy I2P Tahoe-LAFS Configuration`_ @@ -92,7 +89,7 @@ For Tahoe-LAFS storage servers there are three use-cases: Unresolved tickets ------------------- +================== Tahoe's anonymity support does not yet include automatic configuration of servers. This issue is tracked by Tahoe tickets `#2490`_ and `#2773`_: until @@ -512,10 +509,3 @@ As of this writing, torsocks still exists in the pkgsrc wip tree here: but the NetBSD-specific patches have been merged upstream into torsocks as of commitid 6adfba809267d9c217906d6974468db22293ab9b: * https://gitweb.torproject.org/torsocks.git/commit/6adfba809267d9c217906d6974468db22293ab9b - - - -Legacy I2P Tahoe-LAFS Configuration -=================================== - -TBC From 9057c7301c069e1d3ffec849c58c0bf6f3e3d179 Mon Sep 17 00:00:00 2001 From: Brian Warner Date: Tue, 30 Aug 2016 08:54:16 -0700 Subject: [PATCH 30/30] incorporate dawuud's feedback * remove anonymity-roadmap * remove old torsocks section * minor edits --- docs/anonymity-configuration.rst | 139 ++++--------------------------- docs/anonymity-roadmap.rst | 51 ------------ 2 files changed, 17 insertions(+), 173 deletions(-) delete mode 100644 docs/anonymity-roadmap.rst diff --git a/docs/anonymity-configuration.rst b/docs/anonymity-configuration.rst index ec8933e8f..03731977c 100644 --- a/docs/anonymity-configuration.rst +++ b/docs/anonymity-configuration.rst @@ -22,7 +22,6 @@ Using Tahoe-LAFS with an anonymizing network: Tor, I2P #. `Server anonymity, automatic configuration`_ #. `Performance and security issues`_ -#. `Torsocks: the old way of configuring Tahoe-LAFS to use Tor`_ @@ -166,7 +165,7 @@ configurations, or to enable automatic server setup. The default configuration will attempt to contact a local Tor/I2P daemon listening on the usual ports (9050/9150 for Tor, 7656 for I2P). As long as there is a daemon running on the local host, and the necessary support -libraries were installed, clients will be able to user Tor-based servers +libraries were installed, clients will be able to use Tor-based servers without any special configuration. However note that this default configuration does not improve the client's @@ -259,8 +258,7 @@ Then, do the following: HiddenServiceDir /var/lib/tor/tahoe HiddenServicePort 3000 127.0.0.1:2000 -* Restart Tor, with ``/etc/init.d/tor restart`` or a systemd command. Wait a - few seconds. +* Restart Tor, with ``systemctl restart tor``. Wait a few seconds. * Read the ``hostname`` file in the hidden service directory (e.g. ``/var/lib/tor/tahoe/hostname``). This will be a ``.onion`` address, like @@ -313,9 +311,9 @@ either launches a new Tor daemon, or has access to the Tor control port (and enough authority to create a new onion service). This option will set ``anonymous = true``, ``[connections] tcp = tor``. It -will allocate the necessary ports, instruct Tor to create the onion service, -obtain the ``.onion`` address, and populate ``tub.port`` and ``tub.location`` -correctly. +will allocate the necessary ports, instruct Tor to create the onion service +(saving the private key somewhere inside NODEDIR/private/), obtain the +``.onion`` address, and populate ``tub.port`` and ``tub.location`` correctly. Performance and security issues @@ -331,16 +329,23 @@ There are several trade-offs effected by this decision. NAT/Firewall penetration ------------------------ -Making a server be reachable via Tor or I2P makes it reachable even if there -are NATs or firewalls preventing direct TCP/IP connections to the server. +Making a server be reachable via Tor or I2P makes it reachable (by +Tor/I2P-capable clients) even if there are NATs or firewalls preventing +direct TCP/IP connections to the server. Anonymity --------- Making a Tahoe-LAFS server accessible *only* via Tor or I2P can be used to -guarantee that the Tahoe-LAFS clients use Tor or I2P to connect. This prevents -misconfigured clients from accidentally de-anonymizing themselves by connecting -to your server through the traceable Internet. +guarantee that the Tahoe-LAFS clients use Tor or I2P to connect +(specifically, the server should only advertise Tor/I2P addresses in the +``tub.location`` config key). This prevents misconfigured clients from +accidentally de-anonymizing themselves by connecting to your server through +the traceable Internet. + +Clearly, a server which is available as both a Tor/I2P service *and* a +regular TCP address is not itself anonymous: the .onion address and the real +IP address of the server are easily linkable. Also, interaction, through Tor, with a Tor Hidden Service may be more protected from network traffic analysis than interaction, through Tor, @@ -399,113 +404,3 @@ routers, so that you can give back as you use I2P. This will never impair the performance of your Tahoe-LAFS node, because your I2P router will always prioritize your own traffic. - - -Torsocks: the old way of configuring Tahoe-LAFS to use Tor -========================================================== - -Before the native Tor integration for Tahoe-LAFS, users would use Torsocks. -Please see these pages for more information about Torsocks: - -* https://code.google.com/p/torsocks/ -* https://trac.torproject.org/projects/tor/wiki/doc/torsocks -* https://github.com/dgoulet/torsocks/ - - -Starting And Stopping ---------------------- - -Assuming you have your Tahoe-LAFS node directory placed in **~/.tahoe**, -use Torsocks to start Tahoe like this:: - - usewithtor tahoe start - -Likewise if restarting, then with Torsocks like this:: - - usewithtor tahoe restart - -After Tahoe is started, additional Tahoe commandline commands will not -need to be executed with Torsocks because the Tahoe gateway long running -process handles all the network connectivity. - - -Configuration -------------- - -Before Tahoe-LAFS had native Tor integration it would deanonymize the user if a -``tub.location`` value is not set. This is because Tahoe-LAFS at that time -defaulted to autodetecting the external IP interface and announced that IP -address to the server. - -**Tahoe-LAFS + Torsocks client configuration** - -**NOTE:** before diving into Tor + Tahoe-LAFS configurations you should ensure -your familiarity with with installing Tor on unix systems. If you intend to operate -an anonymous Tahoe-LAFS storage node then you will also want to read about configuring -Tor Hidden Services. See here: - -https://www.torproject.org/docs/tor-doc-unix.html.en - -https://www.torproject.org/docs/tor-hidden-service.html.en - -Run a node using ``torsocks``, in client-only mode (i.e. we can -make outbound connections, but other nodes will not be able to connect -to us). The literal '``client.fakelocation``' will not resolve, but will -serve as a reminder to human observers that this node cannot be reached. -"Don't call us.. we'll call you":: - - tub.port = tcp:interface=127.0.0.1:8098 - tub.location = client.fakelocation:0 - - -**Tahoe-LAFS + Torsocks storage server configuration** - -Run a node behind a Tor proxy, and make the server available as a Tor -"hidden service". (This assumes that other clients are running their -node with ``torsocks``, such that they are prepared to connect to a -``.onion`` address.) Your instance of Tor should be configured for -Hidden Services... for instance specify the Hidden Service listening on port -29212 should proxy to 127.0.0.1 port 8098 by adding this to your ``torrc`` :: - - HiddenServiceDir /var/lib/tor/services/tahoe-storage - HiddenServicePort 29212 127.0.0.1:8098 - -once Tor is restarted, the ``.onion`` hostname will be in -``/var/lib/tor/services/tahoe-storage/hostname``. Then set up your -``tahoe.cfg`` like:: - - tub.port = tcp:interface=127.0.0.1:8098 - tub.location = ualhejtq2p7ohfbb.onion:29212 - - -**Troubleshooting** - -On some NetBSD systems, torsocks may segfault:: - - $ torsocks telnet www.google.com 80 - Segmentation fault (core dumped) - -and backtraces show looping libc and syscalls:: - - #7198 0xbbbda26e in *__socket30 (domain=2, type=1, protocol=6) at socket.c:64 - #7199 0xbb84baf9 in socket () from /usr/lib/libc.so.12 - #7200 0xbbbda19b in tsocks_socket (domain=2, type=1, protocol=6) at socket.c:56 - #7201 0xbbbda26e in *__socket30 (domain=2, type=1, protocol=6) at socket.c:64 - #7202 0xbb84baf9 in socket () from /usr/lib/libc.so.12 - [...etc...] - -This has to do with the nature of the torsocks socket() call wrapper being unaware -of NetBSD's internal binary backwards compatibility. - -Information on a the first parts of a solution patch can be found in a tor-dev -thread here from Thomas Klausner: - -* https://lists.torproject.org/pipermail/tor-dev/2013-November/005741.html - -As of this writing, torsocks still exists in the pkgsrc wip tree here: - -* http://pkgsrc.se/wip/torsocks - -but the NetBSD-specific patches have been merged upstream into torsocks as of commitid 6adfba809267d9c217906d6974468db22293ab9b: - -* https://gitweb.torproject.org/torsocks.git/commit/6adfba809267d9c217906d6974468db22293ab9b diff --git a/docs/anonymity-roadmap.rst b/docs/anonymity-roadmap.rst deleted file mode 100644 index e37caa842..000000000 --- a/docs/anonymity-roadmap.rst +++ /dev/null @@ -1,51 +0,0 @@ -.. -*- coding: utf-8-with-signature; fill-column: 77 -*- - -============================== -Anonymity Development Roadmap -============================== - - - -Development phases -================== - - -Phase 1. Use Tor and I2P for network connectivity and to protect identity of client ------------------------------------------------------------------------------------ - -**note:** Client side is endpoint agnostic and server side has TCP endpoint support only. - -**Dependencies** - -* txsocksx: get this merged upstream -->> https://github.com/david415/txsocksx/tree/endpoint_parsers_retry_socks - *client Twisted endpoint for Tor* -* `Foolscap trac ticket 203`_: *switch to using Twisted Endpoints* -* `Tahoe-LAFS trac ticket 1010`_: *anonymous client mode* -* `Tahoe-LAFS trac ticket 517`_: *make tahoe Tor- and I2P-friendly* - -.. _`Foolscap trac ticket 203`: http://foolscap.lothar.com/trac/ticket/203 -.. _`Tahoe-LAFS trac ticket 1010`: https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1010 -.. _`Tahoe-LAFS trac ticket 517`: https://tahoe-lafs.org/trac/tahoe-lafs/ticket/517 - - - - -Phase 2. Endpoint-agnostic Foolscap server side ------------------------------------------------ - -Completing these two tickets will make Foolscap endpoint agnostic -on the server side. Therefore any Twisted server endpoint/parser -can be used with Foolscap - -#. Teach twisted to serialize a listeningPort into a client endpoint - descriptor - https://twistedmatrix.com/trac/ticket/7603 -#. open new foolscap ticket - Add getClientEndpoint() to use the feature - from twisted trac ticket 7603 - - -Phase 3. Integrated Tor and I2P Hidden Service feature for storage servers --------------------------------------------------------------------------- - -#. open new txtorcon ticket - Teach endpoint to use control port feature - from tor trac ticket 11291 - -#. open new txi2p ticket - Add support for starting a local instance