Page MenuHomePhabricator

obfsproxy not working on Qubes R3
Closed, ResolvedPublic

Quote from: oneoffew on May 21, 2015, 06:32:10 am

I have no idea why, but obfsproxy isn't working on R3. arm shows no network traffic.

Before it's asked:
* Yes, Whonix has worked before, I've been using Whonix on Qubes (R2) for several months.
* No, I haven't changed  the configuration. I spent around 13 hours (tempered by coffee making breaks!) yesterday trying to get it to work, but then I removed qubes-gw-experimental and installed it again (actually, twice) to make sure it wasn't some fuckwittery of my own.
* I managed to get plain Tor to "work" once, I have no idea how since configuration didn't change between rebooting the domain.
* I've tried connecting it directly to the netvm
* I've tried disabling ipv6 (ipv6.disable) in the netvm, firewallvm, and gateway
* I've tried the R2 kernel
* Yes, tbb does work (thank God...) in the Fedora template.

Any help would be greatly appreciated.

I will create an issue for this. I have never used obsproxy before so do not know how to test it off hand. First thing to look into is to make sure it works in regular Whonix 10. Maybe I missed some startup file or firewall rule.



Event Timeline

nrgaway raised the priority of this task from to Needs Triage.
nrgaway updated the task description. (Show Details)
nrgaway set Impact to Needs Triage.
nrgaway added subscribers: nrgaway, Patrick, WhonixQubes.

@Patrick I was wondering if this is working in regular Whonix 10? If so can you give me some clues on how to troubleshoot it (startup scripts, configuration locations, expected firewall rules) since I have never used it before

Patrick triaged this task as High priority.May 22 2015, 3:21 PM
Patrick added a project: Whonix 11.
Patrick changed Impact from Needs Triage to High.
  • works for me in Whonix 10
  • Documentation:
  • obfsproxy:
  • no different firewall rules required for obfs3
  • no startup scripts required
  • no other fancy stuff required
  • user configuration is simply added to /etc/tor/torrc
  • make sure the obfsproxy package is installed
  • apparmor was an issue in past, try obfsproxy yourself and check /var/log/kern.log
  • for now, just try it out yourself. Does it work for you? If it works for you, if you can confirm from /var/log/tor/log and arm, that Tor is in fact connecting only to the obfs3 bridges you configured, then it's more likely a user configuration error than Whonix bug.

Thanks for all the info. I will test it out over the weekend!

This seems to have gotten lost in the backlog.

Seeing that nrgaway mentioned init scripts and firewalls, here's the output of iptables-save:


In case either are useful, tor log:

[warn] Problem bootstrapping. Stuck at 15%: Establishing an encrypted directory connection. (DONE; DONE; count 2; recommendation warn)
[warn] 2 connections have failed:
[warn] 2 connections died in state handshaking (TLS) with SSL state unknown state in HANDSHAKE

obfsproxy log:
Note the timing. I don't know what sort of delays iptables can be expected to give, but perhaps someone else can infer something.

torrc matches the guide, with:

DisableNetwork 0

UseBridges 1

ClientTransportPlugin scramblesuit exec /usr/bin/obfsproxy managed

bridge scramblesuit [ip]:[port] [id] password=[password]
bridge scramblesuit [ip]:[port] [id] password=[password]

Both tor and obfsproxy are running as uid 104.

For the record, flushing all rules and defaulting to ACCEPT makes obfsproxy work.

For the record, slightly off-topic.
Qubes Q3 RC1, Whonix 10.

DisableNetwork 0
UseBridges 1
ClientTransportPlugin obfs2,obfs3 exec /usr/bin/obfsproxy managed
Bridge obfs3 <ip> <fingerprint>

Without any firewall modifications. Works for me.

scramblesuit not yet tested by me.

Related, there is another unrelated reason why obfsproxy might not work...
"Qubes-Whonix obfsproxy AppArmor issue" -> T396

Qubes Q3 RC1, Whonix 11.
obfs4 works for me. Example config:

UseBridges 1
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy managed
Bridge obfs4 gibberish cert=more-gibberish iat-mode=0

Now also documented here:

(No firewall rule changes required.)

Before it's asked:

This was a good list by the way. A perhaps missing item:

  • Try getting Tor / pluggable transport to work with Tor from on a Debian template.

Since this works for me with Qubes Q3 RC1, Whonix 11 [release announcement most likely follows today, already in the Qubes archive], I consider this fixed. Otherwise please reopen.