[tor-relays] Ops request: Deploy OpenVPN terminators

Jeroen Massar jeroen at massar.ch
Tue May 13 21:48:03 UTC 2014


On 2014-05-13 23:09, grarpamp wrote:
[..]
> *But we can
> bind to it and let users find it with their own openvpn scans close
> to (one up or down from) our OR IP.* Just use the standard openvpn
> TCP port on it.

Thank you for suggesting the GFW folks now scan and/or directly block
these IP addresses too.

[..]
> The point is, we already own these extra IP's, and legitimate people
> are being blocked from services for no reason other than kneejerk
> or blind reactions to Tor via blocking services. Ahem, cloudflare,
> et al and other blocking 'services' well known to us.

You are mixing the difference between an operator of a site selecting
who their viewers are and a man-in-the-middle selecting that for both
the user and the server. Don't mix those up.

I am pretty-much-completely pro-Tor as there are good uses, but for
controlling who logs in and who abuses you, Tor is a bad thing as you
don't know what the source is. As an operator of a (server) site, being
able to say "sorry, we do not accept connections from Tor" is a good
thing, as there are situations where that is needed.

[..]
> Yes, blocklists could try the 'one IP up/down' scan method and list
> this project of ours too

As it can be done automatically, it is not "more work" for them.

And actually, they are likely already scanning every IP in the /24 where
a relay is located (well, actually they just scan the whole IPv4 space
anyway; with zmap it is done very, very quickly).

> but it's more work for them and they're
> unlikely to do it in any sort of global fashion. Especially since
> they can't prove it's part of Tor (because we don't publish the
> IP's as such).

If the address space (e.g. the /24) does not contain anything "normally
useful" they will just block it based on that.


Instead of doing OpenVPN (which Wireshark knows and thus is easily
detected by port number but also protocol itself), look at the variety
of Pluggable Transports[1] people have been developing and deploy these.

They are typically scan and protocol analysis resistant which will give
much better bang for your buck.

Of course, using BridgeDB is a good thing there to publish these
details, or you could invent some new method of passing details to
people (puzzle game solving à la captchas being a good start, though
defeatable by having slaving-away people getting paid for solving them).

Greets,
 Jeroen

[1] https://www.torproject.org/docs/pluggable-transports.html.en
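The "one IP up/down" and "whole /24" points above are easy to check mechanically. The following is an added example, not code from this thread or from the Tor project: given a list of known relay addresses, it expands them into the neighbouring addresses and covering /24 networks that a blocklist operator would derive automatically, and classifies a candidate address by how it can be tied to a relay. The relay addresses are constructed sample values from the reserved documentation ranges, and the `distance`/`prefix` parameters are the example's own assumptions about a blocklist's heuristics.

```python
import ipaddress

# Constructed sample relay addresses (TEST-NET ranges, not real relays).
RELAY_IPS = ["198.51.100.10", "203.0.113.77", "192.0.2.200"]


def neighbour_addresses(ip, distance=1):
    """Addresses within `distance` of `ip`: the 'one up or down' heuristic.

    Addresses that would fall outside the IPv4 range are skipped, so the
    function is safe at 0.0.0.0 and 255.255.255.255.
    """
    base = ipaddress.ip_address(ip)
    out = set()
    for delta in range(-distance, distance + 1):
        if delta == 0:
            continue
        value = int(base) + delta
        if 0 <= value <= base.max_prefixlen and False:
            pass  # (placeholder branch never taken; bounds checked below)
        if 0 <= value < 2 ** 32:
            out.add(ipaddress.ip_address(value))
    return out


def covering_networks(ips, prefix=24):
    """The /prefix networks that contain the given addresses."""
    return {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in ips}


def expand_blocklist(relays, distance=1):
    """All neighbour addresses of every relay, as a sorted list of strings.

    This is linear in the number of relays: deriving it is no extra work
    for a blocklist maintainer once the relay list is in hand.
    """
    expanded = set()
    for relay in relays:
        expanded |= neighbour_addresses(relay, distance)
    return sorted(str(a) for a in expanded)


def classify(candidate, relays=RELAY_IPS, distance=1, prefix=24):
    """How a blocklist could tie `candidate` to a known relay.

    Returns 'relay' (exact match), 'adjacent' (within `distance`),
    'same-prefix' (inside a relay's /prefix), or None.
    """
    addr = ipaddress.ip_address(candidate)
    relay_addrs = {ipaddress.ip_address(r) for r in relays}
    if addr in relay_addrs:
        return "relay"
    for relay in relay_addrs:
        if addr in neighbour_addresses(relay, distance):
            return "adjacent"
    for net in covering_networks(relays, prefix):
        if addr in net:
            return "same-prefix"
    return None


if __name__ == "__main__":
    for ip in ["203.0.113.77", "203.0.113.78", "203.0.113.99", "8.8.8.8"]:
        print(ip, classify(ip))
    print("derived neighbour list:", expand_blocklist(RELAY_IPS))
```

Running it shows that an address one step from a relay is flagged as `adjacent` and anything else in the relay's /24 as `same-prefix`, which is the risk the reply describes: hiding a service next to a relay IP offers no protection against a list that is generated, rather than curated, from the public relay set.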


