Hi!
David Fifield:
For some basic debugging, you should check that these commands work to talk to the endpoint of the meek tunnel:
$ curl https://onion.azureedge.net/
I’m just a happy little web server.
$ curl -H 'Host: onion.azureedge.net' https://ajax.aspnetcdn.com/
I’m just a happy little web server.
Looking into this made me eventually realize that there was no DNS resolution possible in the context Tor Launcher is running from inside Tails: it was using little-t-tor (via DNSPort) as resolver, but at the time we're not connected to the Tor network, *and* we even have DisableNetwork set, so that is a no go and we find ourselves in a catch-22 situation. I fixed it by making Tor Launcher use the resolver obtained through DHCP instead. Now I have a basic PoC for Moat in Tails! \o/
Thank you so much for kicking me in the right direction!
If those work, you can try communicating with Moat through the tunnel. You will need to run obfs4proxy and pass it specially formatted SOCKS credentials that encode the url= and front= parameters. You will have to change the XXXXX port number to match what obfs4proxy outputs in the CMETHOD line.
$ TOR_PT_MANAGED_TRANSPORT_VER=1 TOR_PT_STATE_LOCATION=pt_state TOR_PT_CLIENT_TRANSPORTS=meek_lite /usr/local/lib/obfs4proxy/obfs4proxy
VERSION 1
CMETHOD meek_lite socks5 127.0.0.1:XXXXX
CMETHODS DONE
$ curl --proxy socks5://url%3Dhttps%3A%2F%2Fonion.azureedge.net:%2F@127.0.0.1:XXXXX/ https://bridges.torproject.org/moat/
{"errors": [{"id": "0", "type": "", "version": "0.1.0", "code": 501, "status": "Not Implemented", "detail": "moat version 0.1.0 does not implement GET /moat/"}]}
$ curl --proxy socks5://url%3Dhttps%3A%2F%2Fonion.azureedge.net%2F%3Bfront=ajax.aspnetcdn.co:m@127.0.0.1:XXXXX/ https://bridges.torproject.org/moat/
{"errors": [{"id": "0", "type": "", "version": "0.1.0", "code": 501, "status": "Not Implemented", "detail": "moat version 0.1.0 does not implement GET /moat/"}]}
The errors are really opaque when DNS isn't available! In the Tor Launcher case I got the not-so-informative "NS_ERROR_NET_INTERRUPT" I mentioned in my initial post, and for the above curl commands the failure is:
(35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to bridges.torproject.org
Neither of these got me thinking about DNS resolution. It wasn't until I fired up a packet sniffer that I saw that DNS resolution failed for ajax.aspnetcdn.com. :)
So, case closed!
Cheers!
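Added example (not code from this thread, from David Fifield or from obfs4proxy) showing how the "specially formatted SOCKS credentials" quoted above are built: pluggable-transport arguments are joined as `k=v;k=v`, split into a SOCKS5 username and password, and reassembled by the transport. It assumes the pt-spec rule that a password of the single byte `\x00` means "no more data" and that any other password is appended to the username, which is why the curl commands above end in `net:%2F` and `co:m` rather than sending a `\x00` password.

```python
import urllib.parse

# Constructed sample: the meek_lite parameters used in the thread.
MEEK_ARGS = {"url": "https://onion.azureedge.net/", "front": "ajax.aspnetcdn.com"}


def escape_pt_value(s: str) -> str:
    """Backslash-escape the three characters that delimit k=v;k=v strings."""
    return s.replace("\\", "\\\\").replace(";", "\\;").replace("=", "\\=")


def encode_pt_args(args: dict) -> tuple:
    """Return the (username, password) a client sends over SOCKS5 (assumed pt-spec
    behaviour): the joined string is cut at 255 bytes, and a string that fits in
    the username alone is paired with the one-byte password "\\x00"."""
    joined = ";".join(f"{escape_pt_value(k)}={escape_pt_value(v)}" for k, v in args.items())
    if not joined.isascii():  # keep the 255-byte cut from splitting a multibyte char
        raise ValueError("PT args must be ASCII in this example")
    return (joined, "\x00") if len(joined) <= 255 else (joined[:255], joined[255:])


def decode_pt_args(username: str, password: str) -> dict:
    """Reassemble and parse what the transport sees on the SOCKS side."""
    data = username if password == "\x00" else username + password
    args, key, buf, escaped = {}, None, [], False
    for ch in data:
        if escaped:
            buf.append(ch); escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and key is None:
            key, buf = "".join(buf), []
        elif ch == ";":
            if key is None:
                raise ValueError("argument without '='")
            args[key] = "".join(buf); key, buf = None, []
        else:
            buf.append(ch)
    if escaped or (key is None and buf):
        raise ValueError("malformed PT argument string")
    if key is not None:
        args[key] = "".join(buf)
    return args


def curl_proxy_url(username: str, password: str, host: str = "127.0.0.1", port: int = 0) -> str:
    """Build the socks5://user:pass@host:port/ form curl takes. Like the commands in
    the thread, the last character is moved into the password slot instead of
    sending "\\x00"; the userinfo is percent-encoded so '=' ';' ':' '/' survive."""
    if password == "\x00":
        username, password = username[:-1], username[-1:]
    q = lambda s: urllib.parse.quote(s, safe="")
    return f"socks5://{q(username)}:{q(password)}@{host}:{port}/"
```

Replace `port=0` with the port obfs4proxy prints in its CMETHOD line when using the resulting URL.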