[tor-talk] Tor transparent proxy implementation on Windows

coderman coderman at gmail.com
Thu Dec 29 06:13:43 UTC 2011

On Wed, Dec 28, 2011 at 5:47 PM, Lee Fisher <blibbet at gmail.com> wrote:
> ...
> I think a native driver could help with Tor performance, if that really was
> an issue -- perhaps transparency issues aside -- to be addressed at some
> level by Tor's sponsors. [or contributors, or other willing parties]

it would be useful for many reasons, including:
- fail-safe configuration by enforcing Tor or nothing behavior.
- high performance interface to VM networking (virtio capable).
- robust QoS on client traffic by application, user or protocol.
- native transparent proxy support without VMs of course.

> But a Windows driver solution would be hard in a variety of ways:
> 1) to develop. You'll need NT driver skills, not LSB/POSIX/eLinux skills.

agreed. i'd be happy to assist with this effort as a technical
resource, but i cannot be a significant developer.

> 2) to build. You'll need to use MSC and KD/Windbg,
> ...
> Also, the DDK/WDK tools are currently freeware,...

this was integrated into the Tor VM for the WinPCAP and Tap32 driver
builds via MSVC command line and WDK/DDK tools. the build
configuration is annoying, but straightforward _as long as the tools
are free_.

> at times they [DDK/WDK] were
> commercial only, by paying for MSDN, and pulled from online free download
> for a while. I sadly expect that Win8 will change for the worse in this
> area. This might also be an issue for the OpenVPN driver.

a wildcard for sure. you're going to pay for the driver testing &
signature anyway, so there is no way to escape some tithe to Microsoft
when going the native driver route. given this fact, additional
licenses for a DDK/WDK may not be onerous.

> 3) to support. When Tor users have BSODs and ask for help... Having to deal
> with NT kernel dumps would be an increase in resources. Having to document
> how to install a driver, deal with driver signing, locked down systems that
> don't allow drivers, dealing with crashes, would require a large doc
> project.

i hadn't considered these difficulties much, but support requirements
would indeed be unique and perhaps significant. i've seen more than a
few VPN and Firewall solutions on windows conflict badly with other
intermediate and filter drivers.

> As for maintaining legacy versions of Windows platforms, you can only track
> Windows versions so long, until vendor doesn't provide security patches for
> it, then it's a worthless platform for anything that needs privacy/security.

it would be nice to formally deprecate XP. at Vista and above things
become less stratified.

> I also asked around, to see if there was any more NT guidance for specific
> driver model recommendations. It appears the NDIS "raw IP medium" type
> (NdisMediumIP) driver is one to investigate. In addition to WFP. Some NDIS
> driver models are being deprecated for WFP, but I'm not sure if NDIS
> NdisMediumIP drivers are on that list.
> http://www.osronline.com/showthread.cfm?link=217920

we could find out, dig up tech details, and document on the wiki. :)

> Also, I'm not sure if WFP is technically able to handle all transproxy
> needs. There are 2 WDK samples for WFP that seem like a good place to start,
> if anyone is interested.

sure, link them here. i can take a stab at a wiki page and will
include these resources as part of the discussion.

best regards,
