[tor-dev] using obfs4 to tunnel to a SOCKS proxy server

David Fifield david at bamsoftware.com
Wed Jan 23 18:25:01 UTC 2019


On Wed, Jan 23, 2019 at 11:41:42AM +0000, Yawning Angel wrote:
> > For example, could the obfs4 server side provide a generic SOCKS proxy?
> 
> There is no functionality for doing such a thing in mainline obfs4proxy.
> 
> What currently will work is any one of:
> 
>  * Stick a proxy server of your choice behind the obfs4proxy server.
> From the application end it will essentially be connecting to a (for
> example) SOCKS5 proxy over another SOCKS5 proxy.
> 
>  * Connect the obfs4proxy server to a load-balancer or reverse-proxy
> that re-dispatches requests to the correct location based on the SNI
> block or `Host` header (depending on how you want to treat TLS).

This is the right answer. Fundamentally you need two layers of proxying:
one at the PT layer (obfs4proxy PT interface) and one at your
application layer (where you implement problem-specific logic like
domain whitelists).

On the server, you will point TOR_PT_ORPORT at a SOCKS server or load
balancer, rather than directly at the target web server. The
obfs4_server.sh script will work fine for that; you could also try
https://github.com/twisteroidambassador/ptadapter. The SOCKS server will
have to support a destination whitelist--or you could just put it on a
host with an appropriate outgoing firewall. Instead of a SOCKS server,
you could use a load balancer/reverse proxy like Yawning says. Here are a
few that have SNI proxying (I've personally only used sslh):
https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/
https://github.com/yrutschle/sslh
https://github.com/dlundquist/sniproxy

But you're going to encounter an undesirable feature of this setup:
there's a 1:1 relationship between application-layer connections and
obfuscation-layer tunnels. That is, if the app makes 2 HTTPS connections
to 2 different Wikimedia domains, there will be 2 obfs4 tunnels
happening. It will work, but it's more conspicuous and will notionally
make website fingerprinting easier. What you may want is a multiplexing
protocol that collapses multiple streams into one on the client side (to
feed into the obfs4 tunnel) and splits them back apart again on the
server side. (In the usual Tor setup, it's the Tor protocol that serves
this multiplexing function--you only have one long-lived connection to
your guard, not a separate connection for every application-layer
stream.) Unfortunately I don't know of any out-of-the-box tool that does
this. You might try https://github.com/xtaci/smux; also lately I've been
thinking a lot about applying https://github.com/lucas-clemente/quic-go
to this problem.
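As an added example (not code from this thread, from obfs4proxy or from ptadapter), here is what the whitelist-enforcing SOCKS server that TOR_PT_ORPORT points at can look like, in Go with only the standard library. The listen address 127.0.0.1:1080, the allowedSuffixes list and the function names are this example's own assumptions.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"io"
	"net"
	"strings"
)

// Destinations this proxy will dial. Hypothetical list for the example; an
// operator would load it from configuration.
var allowedSuffixes = []string{"wikipedia.org", "wikimedia.org"}

// negotiate consumes the SOCKS5 greeting (VER, NMETHODS, METHODS) and selects
// "no authentication": reaching this port at all already required the obfs4 key.
func negotiate(rw io.ReadWriter) error {
	hdr := make([]byte, 2)
	if _, err := io.ReadFull(rw, hdr); err != nil || hdr[0] != 5 {
		return fmt.Errorf("bad SOCKS5 greeting: err=%v ver=%d", err, hdr[0])
	}
	if _, err := io.ReadFull(rw, make([]byte, int(hdr[1]))); err != nil {
		return err
	}
	_, err := rw.Write([]byte{5, 0})
	return err
}

// parseConnect reads a SOCKS5 request and returns the destination. ATYP 1 is
// IPv4, 3 a domain name, 4 IPv6 (RFC 1928, section 4); only CONNECT is accepted.
func parseConnect(r io.Reader) (host string, port uint16, err error) {
	hdr := make([]byte, 4)
	if _, err = io.ReadFull(r, hdr); err != nil {
		return
	}
	if hdr[0] != 5 || hdr[1] != 1 {
		return "", 0, fmt.Errorf("unsupported request ver=%d cmd=%d", hdr[0], hdr[1])
	}
	var addr []byte
	switch hdr[3] {
	case 1:
		addr = make([]byte, 4)
	case 4:
		addr = make([]byte, 16)
	case 3:
		n := make([]byte, 1)
		if _, err = io.ReadFull(r, n); err != nil {
			return
		}
		addr = make([]byte, int(n[0]))
	default:
		return "", 0, fmt.Errorf("unknown ATYP %d", hdr[3])
	}
	if _, err = io.ReadFull(r, addr); err != nil {
		return
	}
	host = net.IP(addr).String()
	if hdr[3] == 3 {
		host = string(addr)
	}
	p := make([]byte, 2)
	if _, err = io.ReadFull(r, p); err != nil {
		return
	}
	return host, binary.BigEndian.Uint16(p), nil
}

// allowed accepts a name equal to a listed suffix or a subdomain of it, so
// "evilwikipedia.org" does not match. Literal IPs are refused outright: the
// client could otherwise resolve the name itself and bypass the list.
func allowed(host string) bool {
	if net.ParseIP(host) != nil {
		return false
	}
	h := strings.ToLower(strings.TrimSuffix(host, "."))
	for _, s := range allowedSuffixes {
		if h == s || strings.HasSuffix(h, "."+s) {
			return true
		}
	}
	return false
}

// reply sends a SOCKS5 reply with REP code rep and an all-zero bound address.
func reply(w io.Writer, rep byte) error {
	_, err := w.Write([]byte{5, rep, 0, 1, 0, 0, 0, 0, 0, 0})
	return err
}

// handle runs one session: greeting, CONNECT, whitelist check, then relay.
// DNS for the destination happens here on the bridge, never on the client.
func handle(c net.Conn) {
	defer c.Close()
	if negotiate(c) != nil {
		return
	}
	host, port, err := parseConnect(c)
	if err != nil {
		reply(c, 7) // command not supported
		return
	}
	if !allowed(host) {
		reply(c, 2) // connection not allowed by ruleset
		return
	}
	dst, err := net.Dial("tcp", net.JoinHostPort(host, fmt.Sprint(port)))
	if err != nil {
		reply(c, 5) // connection refused
		return
	}
	defer dst.Close()
	if reply(c, 0) == nil {
		go io.Copy(dst, c)
		io.Copy(c, dst)
	}
}

func main() { // TOR_PT_ORPORT on the obfs4proxy side points at this (assumed) address
	ln, err := net.Listen("tcp", "127.0.0.1:1080")
	if err != nil {
		panic(err)
	}
	for {
		if c, err := ln.Accept(); err == nil {
			go handle(c)
		}
	}
}
```

Two things to watch when wiring this up. The client application must hand the proxy a hostname (ATYP 3, what curl calls socks5h://) rather than an address it resolved itself, since literal IPs are refused by design; that also keeps DNS lookups on the bridge instead of leaking them at the client. And the whitelist is one function, so keep the outgoing firewall on the bridge host as the second line of defense rather than as an alternative.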


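To make the multiplexing idea concrete, here is a minimal stream-framing layer of the kind smux provides, added as an example that is not code from this thread, from smux, from quic-go or from obfs4proxy. The client-side Muxer collapses several application connections into one byte stream, and the server-side Demuxer splits them back apart by stream ID and tracks opens and closes, dropping late frames for IDs already closed. The 6-byte frame layout, the type names and the round-robin interleaving in tunnelRoundTrip are this example's own assumptions.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
)

// Frame on the tunnel: 4-byte stream ID, 2-byte payload length, payload.
// A zero-length frame closes the stream. The client allocates IDs; the server
// learns of a stream from its first data frame.
const hdrLen = 6

// Muxer is the client side: writes from many application connections become
// frames on one writer, the single obfs4 connection.
type Muxer struct {
	w    io.Writer
	next uint32 // last ID handed out; IDs start at 1
}

// Open allocates a fresh stream ID.
func (m *Muxer) Open() uint32 {
	m.next++
	return m.next
}

// Send carries p on stream id as one frame. An empty p is refused because a
// zero-length frame means close.
func (m *Muxer) Send(id uint32, p []byte) error {
	if len(p) == 0 || len(p) > 65535 {
		return fmt.Errorf("stream %d: cannot frame %d bytes", id, len(p))
	}
	return m.frame(id, p)
}

// Close tells the server that stream id is finished.
func (m *Muxer) Close(id uint32) error { return m.frame(id, nil) }

func (m *Muxer) frame(id uint32, p []byte) error {
	buf := make([]byte, hdrLen+len(p))
	binary.BigEndian.PutUint32(buf, id)
	binary.BigEndian.PutUint16(buf[4:], uint16(len(p)))
	copy(buf[hdrLen:], p)
	_, err := m.w.Write(buf)
	return err
}

// Demuxer is the server side. It tracks which IDs are live so that a late or
// replayed frame for a closed stream is dropped rather than opening a new one.
type Demuxer struct {
	r     io.Reader
	live  map[uint32]bool
	maxID uint32
}

// Next returns the next frame of a live stream: its ID, payload (nil on close)
// and whether it closes the stream; io.EOF once the tunnel is exhausted.
func (d *Demuxer) Next() (id uint32, data []byte, closed bool, err error) {
	hdr := make([]byte, hdrLen)
	for {
		if _, err = io.ReadFull(d.r, hdr); err != nil {
			return
		}
		id = binary.BigEndian.Uint32(hdr)
		data = make([]byte, binary.BigEndian.Uint16(hdr[4:]))
		if _, err = io.ReadFull(d.r, data); err != nil {
			return
		}
		switch {
		case d.live[id] && len(data) == 0:
			delete(d.live, id)
			return id, nil, true, nil
		case d.live[id]:
			return id, data, false, nil
		case len(data) > 0 && id > d.maxID: // first frame of a stream not seen before
			d.live[id], d.maxID = true, id
			return id, data, false, nil
		}
		// frame for a closed or never-opened stream: dropped, read the next one
	}
}

// tunnelRoundTrip sends several application connections (each given as the
// chunks it writes) through ONE tunnel byte stream, interleaved round-robin as
// concurrent connections would be, then demultiplexes on the server side. It
// returns each stream's reassembled bytes by ID and the frame count carried.
func tunnelRoundTrip(conns [][]string) (map[uint32]string, int) {
	var tunnel bytes.Buffer // stands in for the obfs4 tunnel
	mx, ids := &Muxer{w: &tunnel}, make([]uint32, len(conns))
	for i := range conns {
		ids[i] = mx.Open()
	}
	for k, more := 0, true; more; k++ { // chunk k of every connection, then k+1, ...
		more = false
		for i, c := range conns {
			if k < len(c) {
				mx.Send(ids[i], []byte(c[k]))
				more = true
			}
			if k == len(c)-1 {
				mx.Close(ids[i])
			}
		}
	}
	dm := &Demuxer{r: &tunnel, live: map[uint32]bool{}}
	got, frames := map[uint32]string{}, 0
	for {
		id, data, _, err := dm.Next()
		if err != nil {
			return got, frames
		}
		frames++
		got[id] += string(data)
	}
}

func main() {
	got, frames := tunnelRoundTrip([][]string{{"GET / HTTP/1.1\r\nHost: en.wikipedia.org\r\n", "\r\n"}, {"GET / HTTP/1.1\r\nHost: commons.wikimedia.org\r\n\r\n"}})
	fmt.Println(frames, "frames on one tunnel;", got)
}
```

On a live deployment the Muxer's writer would be the connection to the local obfs4proxy client and Demuxer.Next would run in a loop on the bridge, handing each ID to its own handler (for example a connection to the whitelisting SOCKS server). What this layer lacks compared with smux or QUIC is per-stream flow control and windowing, so one stalled reader blocks the demux loop for every stream (head-of-line blocking), and keepalives. Note also what it does and does not hide: the observer no longer sees one obfs4 connection per HTTPS connection, but frame sizes and timing inside the single tunnel are unchanged, so it removes the connection-count signal rather than the website-fingerprinting problem as a whole.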