[tor-relays] Ops request: Deploy OpenVPN terminators

Jeroen Massar jeroen at massar.ch
Wed May 14 10:17:28 UTC 2014


On 2014-05-14 03:58, grarpamp wrote:
> On Tue, May 13, 2014 at 8:40 PM, Andy Isaacson <adi at hexapodia.org> wrote:
>> Anecdotally, the GFW blocks OpenVPN endpoints as well.
> 
> You need to specify context... access *to* ovpn nodes?, which
> is moot because that is not the deployment specified here in
> diagram...

That was not the setup you described originally. The diagram that you
included makes your intentions much clearer.

Please note that you are not solving anything for most Tor users. They
get blocked from _accessing_ the Tor network, not from getting out of it.

[..]
> It's about enabling quite some other users other means to get
> around silly ip based blocklists derived from the consensus, the
> tor dns query thing, or poor management models by the site the user
> wishes to access, etc.

As I noted, 'getting out', or better 'who allows Tor nodes to connect to
their sites' is a decision to be made by those operators.

Trying to circumvent that will just cause more blockage there, noting it
is much easier to do so for such an operator and in their full right
(whether you like it or not).
> We provide tor exits

Who is "we" here? I am fairly confident you do not speak for any kind of
majority of exit node operators. Note that most exit nodes have port
and network blocks themselves to avoid being abused.

> exact so users can get around stuff

What site is it again that you are trying to circumvent?

Did you list it on:
 https://trac.torproject.org/projects/tor/wiki/org/doc/ListOfServicesBlockingTor

or is it some private thing you are banned from?

> so adding in an ovpn on a spare ip is no philosophical difference there.

There is a HUGE difference. As noted above, most exits have a block list
for address space and ports. You would have to do the same for OpenVPN.
Next to that, as OpenVPN is not integrated into Tor, Tor cannot make a
decision about when something is being blocked and thus choose another
'exit'.

> Yes, it is a fuck you to old way
> of playing nice by saying "here's all our public nodes, block us",

You clearly do not understand why the DNSEL is published. Please read up
on it.

> and it might cost $few more a month for the ip, and eat some
> cpu on localhost, but that's about it. If it helps some users
> it's worth doing, to each operators own desire.

OpenVPN, especially in encrypted mode, requires quite a lot more CPU power
on the nodes running OpenVPN.

Next to that, due to the overhead of IP over OpenVPN-TCP which then goes
over Tor, your performance will be really bad.

You do not need OpenVPN to solve a 'different exit than published', the
exit operator can just randomly forward/NAT outbound packets over
different IPs.


> Same goes for binding/routing your tor exit out a different ip
> than your OR ip. Except that using OpenVPN can permit
> other protocols for help of user than only TCP.

Which is likely the real requirement you have. Do you want to do gaming,
or is it torrenting you want to do? Or... even worse: the ability to
send raw packets?

Greets,
 Jeroen