[tor-relays] Ops request: Deploy OpenVPN terminators

grarpamp grarpamp at gmail.com
Tue May 13 21:09:50 UTC 2014


Ops request: Deploy OpenVPN terminators

We are ops because we want to allow people to avoid censorship and
speak freely. But are we doing all we can? It is well known that
all relays, exit or non-exit are added to a variety of blocklists.
Primarily through scraping the consensus. And those blocklists are
then used to indiscriminately deny legitimate users/people access
to sites, regardless of their 'behaviour', which more often than
not has simply not been determined yet. So we need to augment what
we're doing in order to be effective in our mission. Here's how...

We already run Tor on an IP; that IP is blackballed as noted above,
so using another port on it as a vpn terminator is pointless. Yet
our hosting packages often offer other IPs in the same range, or
we already have them to use as part of the deal (or, failing that,
we can forward the openvpn TCP port on our bad relay IP to another
clean non-bulk-blocked IP we control). We obviously cannot publish
this new openvpn 'exit/termination' IP anywhere, such as in the
comment field of the consensus as it will be banned. *But we can
bind to it and let users find it with their own openvpn scans close
to (one up or down from) our OR IP.* Just use the standard openvpn
TCP port on it.

There is no bandwidth cost to us to do this because all the traffic
is moved between the exit IP and the openvpn termination IP over
localhost. (Well, unless you are forwarding openvpn port on OR IP
to another termination real IP off your box.)

At minimum we should allow TCP transport out from the vpn to the
world, aka the usual nat, so as to make websurfing work for our
users. Bonus for allowing nattable outbound UDP, ICMP, etc. Further
bonus for allowing inbound binds on whatever port on the IP that
is available to be bound to. Obviously since the IP is scarce to us,
we can't allow full unnatted use of the IP.

The point is, we already own these extra IPs, and legitimate people
are being blocked from services for no reason other than kneejerk
or blind reactions to Tor via blocking services. Ahem, cloudflare,
et al and other blocking 'services' well known to us.

So to the extent we have other IPs available to us, we should set
them up to be unpublished openvpn nodes and let users find us by
trying to terminate their vpn connections on us at that IP and
openvpn port.

Yes, blocklists could try the 'one IP up/down' scan method and list
this project of ours too, but it's more work for them and they're
unlikely to do it in any sort of global fashion. Especially since
they can't prove it's part of Tor (because we don't publish the
IPs as such).

If we wish to make an announcement that we are running such
terminators, obviously it should not be made from addresses related
to our OR IPs.

[FWIW, there is another openvpn terminator project out there. Unlike
ours would be, its nodes are public, and even with that detriment
(though possibly only because it is lesser known) it obtains more
freedom from blocklisting than Tor. However its termination points
perform poorly/unreliably whereas ours would be both nonpublished
and better managed.]
