[tor-dev] Obfsproxy Address Translation

Yawning Angel yawning at schwanenlied.me
Fri Jan 16 14:43:53 UTC 2015


On Fri, 16 Jan 2015 12:05:41 +0100
Alfredo Palhares <masterkorp at masterkorp.net> wrote:

> Between the OpenVPN I an obfsproxy server outside the country and a
> client inside the country. But what I've found out is that Obfsproxy
> server needs to be running as the OpenVPN server and Obfsproxy client
> needs to be on the same machine as the OpenVPN client.

So what you're saying is, you want to do something like:

 * There is an obfsproxy client instance running on c.example.com.

 * There is an obfsproxy server instance running on s.example.com,
   that feeds into an OpenVPN server instance running on
   v.example.com.

 * Multiple clients use c.example.com as the SOCKS proxy for the
   OpenVPN client, connect to s.example.com to get to the OpenVPN
   server running on v.example.com.

My thoughts on the matter are:

 1. This should work.  If it can be shown to be broken via a trivial
    application/test case (Eg: netcat), then it should be fixed
    (The trivial test case requirement is because I don't want to debug
    OpenVPN again).

 2. Oh god, c.example.com is going to be running a public SOCKS proxy.
    Granted people trying to use it to get to most destinations will
    have a connection that fails, but bad people can use it as a DDoS
    amplification host (The SOCKS dialog is much much shorter than any
    of the client requests that would be sent).

 3. I don't know enough about the OpenVPN protocol/implementation to
    know if there are application specific quirks unique to OpenVPN that
    would prevent this configuration from working.  That would be an
    OpenVPN problem, unless obfsproxy is altering the data it's relaying
    (Extremely unlikely).

I'll hold off on closing the ticket for now, but unless the code is
broken in the "1." sense, I'm inclined to do so.

Regards,

-- 
Yawning Angel
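
One way to limit the exposure described in point 2, as an added example that is not part of the original message or of obfsproxy: a destination check that a SOCKS front end on c.example.com could apply before relaying anything. It assumes clients send SOCKS5 requests (RFC 1928); `ALLOWED`, port 1194 and the function names are hypothetical.

```python
import ipaddress
import struct

# Assumption: the only destination clients legitimately need is the
# obfsproxy server from the post; the port is a constructed sample value.
ALLOWED = {("s.example.com", 1194)}

ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
CMD_CONNECT = 0x01


def parse_socks5_request(buf: bytes):
    """Parse a SOCKS5 request (RFC 1928, section 4) into (cmd, host, port)."""
    if len(buf) < 4:
        raise ValueError("truncated request header")
    ver, cmd, rsv, atyp = buf[:4]
    if ver != 5 or rsv != 0:
        raise ValueError("not a SOCKS5 request")
    if atyp == ATYP_IPV4:
        alen, off = 4, 4
    elif atyp == ATYP_IPV6:
        alen, off = 16, 4
    elif atyp == ATYP_DOMAIN:
        if len(buf) < 5:
            raise ValueError("truncated domain length")
        alen, off = buf[4], 5  # one length byte precedes the name
    else:
        raise ValueError("unknown address type")
    # Exact-length check rejects truncated requests and trailing data.
    if len(buf) != off + alen + 2:
        raise ValueError("length does not match address type")
    raw = buf[off:off + alen]
    if atyp == ATYP_DOMAIN:
        host = raw.decode("ascii").lower().rstrip(".")
    else:
        host = str(ipaddress.ip_address(raw))
    (port,) = struct.unpack("!H", buf[off + alen:])
    return cmd, host, port


def is_permitted(buf: bytes) -> bool:
    """Allow only CONNECT to an allowlisted (host, port); deny on parse errors."""
    try:
        cmd, host, port = parse_socks5_request(buf)
    except ValueError:  # also covers non-ASCII names (UnicodeDecodeError)
        return False
    return cmd == CMD_CONNECT and (host, port) in ALLOWED
```

A request naming the server by IP address is denied unless that address is also listed in `ALLOWED`, so the allowlist has to match how the clients are configured.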