Page MenuHomePhabricator
Create Task
Maniphest T322

obfsproxy not working on Qubes R3
Closed, ResolvedPublic
Actions

Description

https://www.whonix.org/forum/index.php/topic,1249.0.html
Quote from: oneoffew on May 21, 2015, 06:32:10 am

I have no idea why, but obfsproxy isn't working on R3. arm shows no network traffic.

Before it's asked:
* Yes, Whonix has worked before, I've been using Whonix on Qubes (R2) for several months.
* No, I haven't changed  the configuration. I spent around 13 hours (tempered by coffee making breaks!) yesterday trying to get it to work, but then I removed qubes-gw-experimental and installed it again (actually, twice) to make sure it wasn't some fuckwittery of my own.
* I managed to get plain Tor to "work" once, I have no idea how since configuration didn't change between rebooting the domain.
* I've tried connecting it directly to the netvm
* I've tried disabling ipv6 (ipv6.disable) in the netvm, firewallvm, and gateway
* I've tried the R2 kernel
* Yes, tbb does work (thank God...) in the Fedora template.

Any help would be greatly appreciated.

I will create an issue for this. I have never used obsproxy before so do not know how to test it off hand. First thing to look into is to make sure it works in regular Whonix 10. Maybe I missed some startup file or firewall rule.

Details

Impact
High

Related Objects

Event Timeline

nrgaway created this task.May 22 2015, 8:29 AM
nrgaway raised the priority of this task from to Needs Triage.
nrgaway updated the task description. (Show Details)
nrgaway added projects: Whonix 10, qubes-whonix 10, Qubes.
nrgaway set Impact to Needs Triage.
nrgaway added subscribers: nrgaway, Patrick, WhonixQubes.
Herald added a project: Whonix. · View Herald TranscriptMay 22 2015, 8:29 AM
Herald added a subscriber: troubadour. · View Herald Transcript
nrgaway added a comment.May 22 2015, 8:31 AM

@Patrick I was wondering if this is working in regular Whonix 10? If so can you give me some clues on how to troubleshoot it (startup scripts, configuration locations, expected firewall rules) since I have never used it before

Patrick triaged this task as High priority.May 22 2015, 1:21 PM
Patrick added a project: Whonix 11.
Patrick changed Impact from Needs Triage to High.
Patrick added a comment.May 22 2015, 1:33 PM
  • works for me in Whonix 10
  • Documentation: https://www.whonix.org/wiki/Bridges
  • obfsproxy: https://www.whonix.org/wiki/Bridges#Using_obfuscated.2C_.28private.29_and.2For_ordinary_bridges
  • no different firewall rules required for obfs3
  • no startup scripts required
  • no other fancy stuff required
  • user configuration is simply added to /etc/tor/torrc
  • make sure the obfsproxy package is installed
  • apparmor was an issue in past, try obfsproxy yourself and check /var/log/kern.log
  • for now, just try it out yourself. Does it work for you? If it works for you, if you can confirm from /var/log/tor/log and arm, that Tor is in fact connecting only to the obfs3 bridges you configured, then it's more likely a user configuration error than Whonix bug.
nrgaway added a comment.May 22 2015, 1:52 PM

Thanks for all the info. I will test it out over the weekend!

Patrick assigned this task to nrgaway.May 30 2015, 2:41 PM
Patrick added a project: qubes-whonix 11.
oneoffew added a subscriber: oneoffew.Jun 4 2015, 7:52 PM

This seems to have gotten lost in the backlog.

Seeing that nrgaway mentioned init scripts and firewalls, here's the output of iptables-save:

{P1}

In case either are useful, tor log:

[warn] Problem bootstrapping. Stuck at 15%: Establishing an encrypted directory connection. (DONE; DONE; count 2; recommendation warn)
[warn] 2 connections have failed:
[warn] 2 connections died in state handshaking (TLS) with SSL state unknown state in HANDSHAKE

obfsproxy log:
{P2}
Note the timing. I don't know what sort of delays iptables can be expected to give, but perhaps someone else can infer something.

torrc matches the guide, with:

DisableNetwork 0

UseBridges 1

ClientTransportPlugin scramblesuit exec /usr/bin/obfsproxy managed

bridge scramblesuit [ip]:[port] [id] password=[password]
bridge scramblesuit [ip]:[port] [id] password=[password]

Both tor and obfsproxy are running as uid 104.

oneoffew added a comment.Jun 4 2015, 11:13 PM

For the record, flushing all rules and defaulting to ACCEPT makes obfsproxy work.

Patrick added a comment.Jun 26 2015, 5:48 PM

For the record, slightly off-topic.
Qubes Q3 RC1, Whonix 10.

DisableNetwork 0
UseBridges 1
ClientTransportPlugin obfs2,obfs3 exec /usr/bin/obfsproxy managed
Bridge obfs3 <ip> <fingerprint>

Without any firewall modifications. Works for me.

scramblesuit not yet tested by me.

Patrick edited projects, added Whonix 12; removed qubes-whonix 11, Whonix 11, qubes-whonix 10, Whonix 10.Jul 27 2015, 6:38 PM
Patrick added a comment.Aug 15 2015, 8:12 PM

Related, there is another unrelated reason why obfsproxy might not work...
"Qubes-Whonix obfsproxy AppArmor issue" -> T396

Patrick added a comment.Aug 17 2015, 1:27 PM

Qubes Q3 RC1, Whonix 11.
obfs4 works for me. Example config:

UseBridges 1
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy managed
Bridge obfs4 141.201.27.48:420 gibberish cert=more-gibberish iat-mode=0

Now also documented here:
https://www.whonix.org/wiki/Bridges#Using_obfuscated.2C_.28private.29_and.2For_ordinary_bridges

Patrick closed this task as Resolved.Aug 17 2015, 2:15 PM

(No firewall rule changes required.)

Before it's asked:
...

This was a good list by the way. A perhaps missing item:

  • Try getting Tor / pluggable transport to work with Tor from deb.torproject.org on a Debian template.

Since this works for me with Qubes Q3 RC1, Whonix 11 [release announcement most likely follows today, already in the Qubes archive], I consider this fixed. Otherwise please reopen.

Patrick claimed this task.Aug 17 2015, 2:15 PM
Whonix OLD Issue Tracker · PLEASE DO NOT POST NEW TICKETS HERE · OLD Issue Tracker - Unread Notifications · OLD Issue Tracker - Feed · OLD Issue Tracker - Open Issues · NEW Issue Tracker · Homepage · Blog · Forum · Legal · Imprint · Privacy Policy · Terms of Use · Disclaimer