hi tor-onions list,
after trying my best i'm following the hint [1] to seek for help in this list.
what i want to achieve:
i set up a sensor node running openwrt in an area in germany without wifi. so i want to connect (to) it via gsm/gprs (german telekom/d1).
connecting from the node to the internet is no problem.
problem is: i can't reach any services on the node from the internet because the gsm-carrier runs some intransparent internal ipv4-proxy or switch or whatever to save ipv4-addresses so neither the ip nor dyndns is working.
my idea to workaround: run tor hidden services on the node. http [2] for luci/graphical admin interface and ssl [3] for general administrative tasks. for setup i followed one general howto [4] and one ssl specific [5]. i tried to debug via [1]. i enclosed my torrc further down.
i waited over one hour for tor to broadcast its new services. but not even just the hello-world-page is popping up in my client's tor browser. didn't even try to connect to ssl yet.
checked server config, curl 127.0.0.1:8080 is returning hello-world, checked tor config and files over and over. the tor browser on the client is working. no idea what else to try.
i go to bed now. but i appreciate every hint and will report back tomorrow or the day after tomorrow. thanks in advance. mois
#### /etc/tor/torrc
## Basic configuration
Log notice syslog
RunAsDaemon 1
DataDirectory /etc/tor
User tor

## Hidden service configuration
HiddenServiceDir /etc/tor/hidden_service
HiddenServicePort 80 127.0.0.1:8080
HiddenServiceDir /etc/tor/hidden_ssh
HiddenServicePort 2233 127.0.0.1:2233
##EOF
[1] https://www.torproject.org/docs/tor-hidden-service.html.en
[2] xrscbcihug2ezrrb.onion
[3] ntk6i23e5fcxo3j3.onion
[4] https://gist.github.com/Informatic/65261ffd1aee8ddae861
[5] http://unethicalblogger.com/2012/06/13/ssh-as-a-hidden-service.html
Hi Markus,
On 16 Feb 2017, at 12:52, Markus m@euse.de wrote: ...
what i want to achieve:
i set up a sensor node running openwrt in an area in germany without wifi. so i want to connect (to) it via gsm/gprs (german telekom/d1).
connecting from the node to the internet is no problem.
problem is: i can't reach any services on the node from the internet because the gsm-carrier runs some intransparent internal ipv4-proxy or switch or whatever to save ipv4-addresses so neither the ip nor dyndns is working.
Ah, carrier-grade NAT.
my idea to workaround: run tor hidden services on the node. http [2] for luci/graphical admin interface and ssl [3] for general administrative tasks. for setup i followed one general howto [4] and one ssl specific [5]. i tried to debug via [1]. i enclosed my torrc further down.
This should work, onion services are useful for NAT-punching.
i waited over one hour for tor to broadcast its new services. but not even just the hello-world-page is popping up in my client's tor browser. didn't even try to connect to ssl yet.
checked server config, curl 127.0.0.1:8080 is returning hello-world, checked tor config and files over and over. the tor browser on the client is working. no idea what else to try.
There are a few things that could be wrong:
Something could be misconfigured.
The carrier could block Tor.
Some 4G carriers drop long-lived connections.
Is your hidden service able to connect to the tor network?
What version of tor are you running?
It would be very helpful to have the hidden service logs. It might help to have the client logs as well. Notice level could help, and is generally safe.
#### /etc/tor/torrc
## Basic configuration
Log notice syslog
RunAsDaemon 1
DataDirectory /etc/tor
User tor

## Hidden service configuration
HiddenServiceDir /etc/tor/hidden_service
HiddenServicePort 80 127.0.0.1:8080
HiddenServiceDir /etc/tor/hidden_ssh
HiddenServicePort 2233 127.0.0.1:2233
##EOF
This torrc looks ok.
[1] https://www.torproject.org/docs/tor-hidden-service.html.en
[2] xrscbcihug2ezrrb.onion
[3] ntk6i23e5fcxo3j3.onion
[4] https://gist.github.com/Informatic/65261ffd1aee8ddae861
[5] http://unethicalblogger.com/2012/06/13/ssh-as-a-hidden-service.html
T
-- Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org ------------------------------------------------------------------------
hi tim,
thanks for your quick reply.
first: looking around for more logs i discovered that storage was full on yun's internal memory. tor couldn't completely write its caches. so i changed tor data dir to the sd card. now all tor data fits.
more logs commenting your requests:
On 16 Feb 2017 at 03:49, teor wrote:
Hi Markus,
On 16 Feb 2017, at 12:52, Markus m@euse.de wrote: ...
what i want to achieve:
i set up a sensor node running openwrt in an area in germany without wifi. so i want to connect (to) it via gsm/gprs (german telekom/d1).
connecting from the node to the internet is no problem.
problem is: i can't reach any services on the node from the internet because the gsm-carrier runs some intransparent internal ipv4-proxy or switch or whatever to save ipv4-addresses so neither the ip nor dyndns is working.
Ah, carrier-grade NAT.
ah, that's how you call it.
my idea to workaround: run tor hidden services on the node. http [2] for luci/graphical admin interface and ssl [3] for general administrative tasks. for setup i followed one general howto [4] and one ssl specific [5]. i tried to debug via [1]. i enclosed my torrc further down.
This should work, onion services are useful for NAT-punching.
i waited over one hour for tor to broadcast its new services. but not even just the hello-world-page is popping up in my client's tor browser. didn't even try to connect to ssl yet.
checked server config, curl 127.0.0.1:8080 is returning hello-world, checked tor config and files over and over. the tor browser on the client is working. no idea what else to try.
There are a few things that could be wrong: Something could be misconfigured. The carrier could block Tor. Some 4G carriers drop long-lived connections.
Is your hidden service able to connect to the tor network?
i think yes according to the hidden service log saying: "Feb 16 09:14:44.128 [notice] Tor has successfully opened a circuit. Looks like client functionality is working. Feb 16 09:14:44.149 [notice] Bootstrapped 100%: Done."
What version of tor are you running?
root@dragino:~# /etc/init.d/tor restart
Feb 16 08:14:52.049 [notice] Tor v0.2.2.39 (git-bec76476efb71549). This is experimental software. Do not rely on it for strong anonymity. (Running on Linux mips)
Feb 16 08:14:52.076 [notice] Initialized libevent version 2.0.19-stable using method epoll. Good.
Feb 16 08:14:52.076 [notice] Opening Socks listener on 127.0.0.1:9050
cannot find a newer package for openwrt/yun
got it here:
src/gz attitude_adjustment http://www.dragino.com/downloads/downloads/motherboards/ms14/Firmware/Yun/Pa...
packages there are identical as far as i can see to here:
# src/gz attitude_adjustment http://downloads.arduino.cc/openwrtyun/1/packages
It would be very helpful to have the hidden service logs
couldn't find any. had to activate logs in torrc. now here we go: https://pad.riseup.net/p/oigEOGIBVKYXJFNGAORI
It might help to have the client logs as well. Notice level could help, and is generally safe.
tor browser log on client:
16.02.2017 07:23:52.500 [NOTICE] Bootstrapped 85%: Finishing handshake with first hop
16.02.2017 07:23:52.600 [NOTICE] Bootstrapped 90%: Establishing a Tor circuit
16.02.2017 07:23:52.900 [NOTICE] Tor has successfully opened a circuit. Looks like client functionality is working.
16.02.2017 07:23:52.900 [NOTICE] Bootstrapped 100%: Done
16.02.2017 07:23:53.700 [NOTICE] New control connection opened from 127.0.0.1.
16.02.2017 07:23:53.700 [NOTICE] New control connection opened from 127.0.0.1.
16.02.2017 07:24:35.400 [NOTICE] Closing stream for '[scrubbed].onion': hidden service is unavailable (try again later).
16.02.2017 07:25:30.400 [NOTICE] Closing stream for '[scrubbed].onion': hidden service is unavailable (try again later).
16.02.2017 07:25:48.500 [NOTICE] Closing stream for '[scrubbed].onion': hidden service is unavailable (try again later).
16.02.2017 07:26:04.100 [WARN] Fetching v2 rendezvous descriptor failed. Retrying at another directory.
16.02.2017 07:26:04.600 [NOTICE] Closing stream for '[scrubbed].onion': hidden service is unavailable (try again later).
16.02.2017 07:26:14.500 [WARN] Fetching v2 rendezvous descriptor failed. Retrying at another directory.
16.02.2017 07:26:14.700 [WARN] Fetching v2 rendezvous descriptor failed. Retrying at another directory.
16.02.2017 07:26:15.000 [WARN] Fetching v2 rendezvous descriptor failed. Retrying at another directory.
16.02.2017 07:26:15.500 [NOTICE] Closing stream for '[scrubbed].onion': hidden service is unavailable (try again later).
16.02.2017 08:13:12.500 [NOTICE] Closing stream for '[scrubbed].onion': hidden service is unavailable (try again later).
16.02.2017 08:13:20.300 [NOTICE] Closing stream for '[scrubbed].onion': hidden service is unavailable (try again later).
16.02.2017 08:18:05.500 [NOTICE] Tried for 120 seconds to get a connection to [scrubbed]:80. Giving up. (waiting for circuit)
16.02.2017 08:22:06.500 [NOTICE] Tried for 120 seconds to get a connection to [scrubbed]:80. Giving up. (waiting for circuit)
16.02.2017 08:25:44.500 [NOTICE] Tried for 120 seconds to get a connection to [scrubbed]:80. Giving up. (waiting for circuit)
16.02.2017 08:32:44.500 [NOTICE] Tried for 120 seconds to get a connection to [scrubbed]:80. Giving up. (waiting for circuit)
16.02.2017 08:45:10.500 [NOTICE] Tried for 120 seconds to get a connection to [scrubbed]:80. Giving up. (waiting for circuit)
#### /etc/tor/torrc
## Basic configuration
Log notice syslog
RunAsDaemon 1
DataDirectory /etc/tor
changed to:
DataDirectory /mnt/sda1/arduino/tor
User tor

## Hidden service configuration
HiddenServiceDir /etc/tor/hidden_service
HiddenServicePort 80 127.0.0.1:8080
HiddenServiceDir /etc/tor/hidden_ssh
HiddenServicePort 2233 127.0.0.1:2233

added:
## Send all messages of level 'notice' or higher to /var/log/tor/notices.log
Log notice file /var/log/tor/notices.log
## Send every possible message to /var/log/tor/debug.log
# Log debug file /var/log/tor/debug.log
let me know if debug.log might help!
##EOF
This torrc looks ok.
[1] https://www.torproject.org/docs/tor-hidden-service.html.en
[2] xrscbcihug2ezrrb.onion
[3] ntk6i23e5fcxo3j3.onion
[4] https://gist.github.com/Informatic/65261ffd1aee8ddae861
[5] http://unethicalblogger.com/2012/06/13/ssh-as-a-hidden-service.html
thanks again, markus
On 16 Feb 2017, at 19:57, Markus m@euse.de wrote:
What version of tor are you running?
root@dragino:~# /etc/init.d/tor restart
Feb 16 08:14:52.049 [notice] Tor v0.2.2.39 (git-bec76476efb71549). This is experimental software. Do not rely on it for strong anonymity. (Running on Linux mips)
Tor 0.2.2.39 is very old: it has many known severe security issues.
I am surprised it believes enough directory authorities to bootstrap: it could stop working at any time.
It uses older protocols: I think they are all still supported, but they might not work very well on the current network. (You can't run a relay on versions that old, but clients might work.)
cannot find a newer package for openwrt/yun
It might be worth compiling one yourself.
It would be very helpful to have the hidden service logs
couldn't find any. had to activate logs in torrc. now here we go: https://pad.riseup.net/p/oigEOGIBVKYXJFNGAORI
It looks like the hidden service isn't posting a descriptor. Can you please send the info-level logs from the hidden service?
T
-- Tim Wilson-Brown (teor)
On 16 Feb 2017 at 13:06, teor wrote:
On 16 Feb 2017, at 19:57, Markus m@euse.de wrote:
cannot find a newer package for openwrt/yun
It might be worth compiling one yourself.
started to work myself into the matter. will be my first time compiling for openwrt. in my understanding it's crucial to find/use the right makefile. am i on the right path with this one? https://github.com/openwrt/packages/blob/master/net/tor/Makefile
It looks like the hidden service isn't posting a descriptor. Can you please send the info-level logs from the hidden service?
i created debug.log, it's ~6mb. download it here: http://wg3jsuqf7vyxayxe.onion/swung-ogden
best, markus
On 17 Feb 2017, at 09:00, Markus m@euse.de wrote:
On 16 Feb 2017 at 13:06, teor wrote:
On 16 Feb 2017, at 19:57, Markus m@euse.de wrote:
cannot find a newer package for openwrt/yun
It might be worth compiling one yourself.
started to work myself into the matter. will be my first time compiling for openwrt. in my understanding it's crucial to find/use the right makefile. am i on the right path with this one? https://github.com/openwrt/packages/blob/master/net/tor/Makefile
It looks like the right version, but I don't know openwrt.
It looks like the hidden service isn't posting a descriptor. Can you please send the info-level logs from the hidden service?
i created debug.log, it's ~6mb. download it here: http://wg3jsuqf7vyxayxe.onion/swung-ogden
My Tor Browser says: [NOTICE] Closing stream for '[scrubbed].onion': hidden service is unavailable (try again later).
Is this service still up?
T
-- Tim Wilson-Brown (teor)
On Thu, Feb 16, 2017 at 09:57:36AM +0100, Markus wrote:
connecting from the node to the internet is no problem.
i waited over one hour for tor to broadcast its new services. but not even just the hello-world-page is popping up in my client's tor browser. didn't even try to connect to ssl yet.
checked server config, curl 127.0.0.1:8080 is returning hello-world, checked tor config and files over and over. the tor browser on the client is working. no idea what else to try.
i think yes according to the hidden service log saying: "Feb 16 09:14:44.128 [notice] Tor has successfully opened a circuit. Looks like client functionality is working. Feb 16 09:14:44.149 [notice] Bootstrapped 100%: Done."
Despite the connection having been created, I still suspect that there is a problem with the system clock. (Arduino doesn't have an RTC, does it?) So even if your client got the consensus in the hour window, a slightly shifted clock may break hidden service logic. Check the time via `date -u`.
Also, can you check the logs for events about onion service descriptor publishing progress? (Should be on `info` level AFAICT)
P.S. Does access to another (valid) onion service work from Arduino as a client?
-- Ivan Markin
On 16 Feb 2017 at 23:46, Ivan Markin wrote:
On Thu, Feb 16, 2017 at 09:57:36AM +0100, Markus wrote:
connecting from the node to the internet is no problem.
i waited over one hour for tor to broadcast its new services. but not even just the hello-world-page is popping up in my client's tor browser. didn't even try to connect to ssl yet.
checked server config, curl 127.0.0.1:8080 is returning hello-world, checked tor config and files over and over. the tor browser on the client is working. no idea what else to try.
i think yes according to the hidden service log saying: "Feb 16 09:14:44.128 [notice] Tor has successfully opened a circuit. Looks like client functionality is working. Feb 16 09:14:44.149 [notice] Bootstrapped 100%: Done."
Despite the connection having been created, I still suspect that there is a problem with the system clock. (Arduino doesn't have an RTC, does it?) So even if your client got the consensus in the hour window, a slightly shifted clock may break hidden service logic. Check the time via `date -u`.
root@dragino:~# date -u
Thu Feb 16 22:51:29 UTC 2017
looks like a correct time stamp to me. it's an arduino yun, it has NO rtc, but: http://arduino.stackexchange.com/questions/899/arduino-yun-does-it-have-a-rt...
Also, can you check the logs for events about onion service descriptor publishing progress? (Should be on `info` level AFAICT)
this same mail with debug.log in attached zip (700k) is awaiting moderation. until then please read the mail without the attachment.
P.S. Does access to another (valid) onion service work from Arduino as a client?
yes, it works:
root@dragino:~# curl -v --socks5-hostname localhost:9050 http://xmh57jrzrnw6insl.onion/
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: xmh57jrzrnw6insl.onion
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Thu, 16 Feb 2017 22:59:47 GMT
< Server: Apache
< Vary: Accept-Encoding
< Content-Length: 4192
< Content-Type: text/html
<
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>TORCH: Tor Search!</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<meta name="description" content=""/>
<meta name="keywords" content=""/>
<link rel="shortcut icon" href="favicon.png" type="image/png" />
...
best, markus
On 17 Feb 2017, at 10:09, Markus m@euse.de wrote:
Also, can check the logs for events about onion service descriptor publishing progress? (Should be on `info` level AFAICT)
this same mail with debug.log in attached zip (700k) is awaiting moderation. until then please read the mail without the attachment.
I won't approve this attachment: it would leak your hidden service's guards onto a public list.
T
-- Tim Wilson-Brown (teor)
On 16 Feb 2017, at 13:49, teor teor2345@gmail.com wrote:
i waited over one hour for tor to broadcast its new services. but not even just the hello-world-page is popping up in my client's tor browser. didn't even try to connect to ssl yet.
checked server config, curl 127.0.0.1:8080 is returning hello-world, checked tor config and files over and over. the tor browser on the client is working. no idea what else to try.
... Some 4G carriers drop long-lived connections.
From your debug log, it looks like your provider is dropping long-lived connections:
TLS error: unexpected close while reading (SSL_ST_OK)
tor_tls_read(): read returned r=0, err=-8
connection_read_to_buf(): TLS connection closed on read. Closing. (Nickname REDACTED_GUARD_FP, address REDACTED_GUARD_IP)
Which then causes the hidden service to discard its intro points:
rend_services_introduce(): Giving up on [scrubbed] as intro point for [scrubbed].
Which means that the published descriptor is uploaded, but quickly becomes invalid:
upload_service_descriptor(): Successfully uploaded v2 rend descriptors!
connection_dir_client_reached_eof(): Received response from directory server 'REDACTED_HSDIR_IP': 200 "Service descriptor (v2) stored"
Feb 16 22:18:17.485 [info] connection_dir_client_reached_eof(): Uploaded rendezvous descriptor (status 200 ("Service descriptor (v2) stored"))
Recent versions of tor handle this much better.
There might also be other issues, because this issue shouldn't result in there being no descriptor for your hidden service: it should result in there being a descriptor with no valid intro points. (Or some failure when using those intro points.)
T
-- Tim Wilson-Brown (teor)
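As an added example (not part of the thread, not tor project code), a small Python triage script that applies teor's reading of the debug log to info-level lines: it counts guard TLS closes, intro point give-ups and descriptor uploads, and reports how soon after the last successful upload the service started losing intro points. The log lines are constructed in the format quoted in the thread; the event substrings are taken from the messages teor pointed at, and the year is a parameter because tor's log format omits it.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the format the thread quotes (info-level tor log):
# one descriptor upload, then two guard TLS closes and three intro point losses.
SAMPLE_LOG = """\
Feb 16 22:10:03.101 [notice] Bootstrapped 100%: Done.
Feb 16 22:18:17.485 [info] upload_service_descriptor(): Successfully uploaded v2 rend descriptors!
Feb 16 22:18:17.485 [info] connection_dir_client_reached_eof(): Uploaded rendezvous descriptor (status 200 ("Service descriptor (v2) stored"))
Feb 16 22:21:40.002 [info] tor_tls_read(): read returned r=0, err=-8
Feb 16 22:21:40.003 [info] connection_read_to_buf(): TLS connection closed on read. Closing. (Nickname REDACTED_GUARD_FP, address REDACTED_GUARD_IP)
Feb 16 22:21:41.500 [info] rend_services_introduce(): Giving up on [scrubbed] as intro point for [scrubbed].
Feb 16 22:21:41.501 [info] rend_services_introduce(): Giving up on [scrubbed] as intro point for [scrubbed].
Feb 16 22:29:12.220 [info] connection_read_to_buf(): TLS connection closed on read. Closing. (Nickname REDACTED_GUARD_FP, address REDACTED_GUARD_IP)
Feb 16 22:29:13.000 [info] rend_services_introduce(): Giving up on [scrubbed] as intro point for [scrubbed].
"""

# "Mon DD HH:MM:SS.mmm [level] message"; tor omits the year, so the caller supplies it.
LINE_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2})\.\d{3} \[(\w+)\] (.*)$")

# Substrings of the three messages quoted in teor's diagnosis.
EVENTS = {
    "tls_closed": "TLS connection closed on read",
    "intro_dropped": "as intro point for",
    "desc_uploaded": "Uploaded rendezvous descriptor",
}

def parse_line(line, year=2017):
    """Return (timestamp, level, message), or None for lines not in tor's format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)

def triage(log_text, year=2017):
    """Count the three event kinds and time each intro point loss against the last upload."""
    counts = Counter()
    last_upload = None
    loss_after = []  # seconds from the most recent descriptor upload to each intro point loss
    for raw in log_text.splitlines():
        parsed = parse_line(raw, year)
        if parsed is None:
            continue
        ts, _level, message = parsed
        kind = next((name for name, needle in EVENTS.items() if needle in message), None)
        if kind is None:
            continue
        counts[kind] += 1
        if kind == "desc_uploaded":
            last_upload = ts
        elif kind == "intro_dropped" and last_upload is not None:
            loss_after.append((ts - last_upload).total_seconds())
    if counts["desc_uploaded"] == 0:
        verdict = "no_descriptor_upload"        # look at bootstrap, clock and config first
    elif counts["tls_closed"] and counts["intro_dropped"]:
        verdict = "carrier_drops_suspected"     # published, then intro points lost after TLS closes
    else:
        verdict = "descriptor_published_ok"
    return {"counts": dict(counts), "first_loss_after_s": min(loss_after, default=None), "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run it against a real info-level log with `triage(open(path).read())`; a short gap between upload and first intro point loss is the pattern teor describes, while zero uploads points back to the bootstrap, clock and torrc checks earlier in the thread.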
hi,
On 17 Feb 2017 at 07:47, teor wrote:
On 16 Feb 2017, at 13:49, teor teor2345@gmail.com wrote:
i waited over one hour for tor to broadcast its new services. but not even just the hello-world-page is popping up in my client's tor browser. didn't even try to connect to ssl yet.
checked server config, curl 127.0.0.1:8080 is returning hello-world, checked tor config and files over and over. the tor browser on the client is working. no idea what else to try.
... Some 4G carriers drop long-lived connections.
From your debug log, it looks like your provider is dropping long-lived connections:
TLS error: unexpected close while reading (SSL_ST_OK)
tor_tls_read(): read returned r=0, err=-8
connection_read_to_buf(): TLS connection closed on read. Closing. (Nickname REDACTED_GUARD_FP, address REDACTED_GUARD_IP)
Which then causes the hidden service to discard its intro points:
rend_services_introduce(): Giving up on [scrubbed] as intro point for [scrubbed].
Which means that the published descriptor is uploaded, but quickly becomes invalid:
upload_service_descriptor(): Successfully uploaded v2 rend descriptors!
connection_dir_client_reached_eof(): Received response from directory server 'REDACTED_HSDIR_IP': 200 "Service descriptor (v2) stored"
Feb 16 22:18:17.485 [info] connection_dir_client_reached_eof(): Uploaded rendezvous descriptor (status 200 ("Service descriptor (v2) stored"))
Recent versions of tor handle this much better.
if i'm getting your sub-text right: i have to get into compiling and check again with a more recent tor-version. ok, i will try. but that will take me some time. as i have to learn how to work with openwrt's build-system. in any case i will report back as soon as i get my openwrt running an up2date tor version. then we can also see if other issues interfere. best and many thanks so far, markus
There might also be other issues, because this issue shouldn't result in there being no descriptor for your hidden service: it should result in there being a descriptor with no valid intro points. (Or some failure when using those intro points.)