[tor-talk] app -> socks5-openvpn -> socks5-tor ?
grarpamp at gmail.com
Thu Jul 9 20:05:00 UTC 2015
On Thu, Jul 9, 2015 at 3:42 AM, coderman <coderman at gmail.com> wrote:
> a http-proxy/socks-proxy
privoxy can stuff http over socks, so whether or not this socks to
vpn tool supports http-proxy is moot.
(nb: ip traffic of socks can't be stuffed over http without a far
end de-encapsulator. Same reason why socks provided by SSH won't
> it did not create a tun/tap device on host.
Not sure it would need to do that, yet one of two things is probably
A) socks5 server code in openvpn itself (like Tor has) so that openvpn
can send it directly through the process and physically out the tun
to the far side, including any DNS lookups on behalf of client.
(Yes, useful :)
B) A standalone shim with socks5 on the front
1) that knows how to route on the back (in conjunction with setting
arp to the vpn far end ip, or can talk to the raw tun).
2) or tell the kernel to ignore the route table for such a socks
server bound to the tun interface (like dante), combined with
arp to actually route. SO_DONTROUTE isn't that, SO_SETFIB might.
Also complicated by the tun interface bouncing up-down and/or its
ip address/mask changing. See also policy/source/user/process
routing, etc. Seems to make B even more complex than VM.
If you're certain your app usage will only talk to a known set of
hosts, simply openvpn with split horizon routing table entries works.
But if you're testing a browser, torrent, bitcoin, something that can
randomly contact anywhere... and you want to use your stack normally
with other apps... you can't default everything into openvpn, so you
need to use the app's socks containment channel. Thus this thread.
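
The policy/source routing mentioned above, as an added example that is not part of the original post: an OpenVPN up/down hook that sends only traffic sourced from the tun address through the VPN and re-installs the rule whenever the tun comes back with a new address. Assumed here: Linux iproute2, an arbitrary table number 100, a client config using `route-nopull`, `script-security 2` and `up`/`down` pointing at this script, and a SOCKS server whose outgoing address is the tun address.

```shell
#!/bin/sh
# Added example (not from the original post): OpenVPN up/down hook for
# source-based policy routing. Table number 100 is an arbitrary assumption.
TABLE="${VPN_TABLE:-100}"

# Loose IPv4 check: digits and dots only, at least three dots.
# The values arrive through the environment, so reject anything else.
is_ipv4() {
    case "$1" in
    ''|*[!0-9.]*) return 1 ;;
    *.*.*.*) return 0 ;;
    *) return 1 ;;
    esac
}

# Print the iproute2 commands for one hook event, one per line.
# Args: event(up|down) device local_ip [gateway]
policy_cmds() {
    event="$1"; dev="$2"; local_ip="$3"; gw="${4:-}"
    case "$dev" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    is_ipv4 "$local_ip" || return 1
    # The tun may return with a different address, so clear stale state first.
    echo "ip rule del table $TABLE"
    echo "ip route flush table $TABLE"
    [ "$event" = up ] || return 0
    if is_ipv4 "$gw"; then
        echo "ip route replace default via $gw dev $dev table $TABLE"
    else
        echo "ip route replace default dev $dev table $TABLE"
    fi
    # Only packets sourced from the tun address consult the VPN table;
    # every other application keeps using the main routing table.
    echo "ip rule add from $local_ip/32 table $TABLE"
}

# OpenVPN exports script_type, dev, ifconfig_local and route_vpn_gateway to hooks.
if [ -n "${script_type:-}" ]; then
    policy_cmds "$script_type" "${dev:-}" "${ifconfig_local:-}" "${route_vpn_gateway:-}" |
    while read -r cmd; do
        # Unquoted on purpose: split into argv, never passed through eval.
        $cmd 2>/dev/null || true   # deleting absent state is not an error
    done
fi
```

Run by hand without `script_type` set, the script changes nothing; calling `policy_cmds up tun0 <local> <gateway>` prints the commands for review before wiring it into OpenVPN.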