bugfest / tor-controller

Tor toolkit for Kubernetes (Tor instances, onion services and more)
Apache License 2.0

[REQUEST] Force all traffic on the namespace where controller is deployed though Tor #7

Closed samip5 closed 2 years ago

samip5 commented 2 years ago

Is your feature request related to a problem? Please describe. Traffic to the internet from the onions leaks through the normal internet connection

Describe the solution you'd like I would like all traffic in that namespace to route through the Tor network

Describe alternatives you've considered N/A

Additional context It would probably be a value that one could set.

bugfest commented 2 years ago

Hi @samip5,

AFAIK TOR can only transport TCP traffic so you'll still face data leaks for UDP traffic. Forwarding all the namespace traffic to a tor instance probably requires a custom CNI plugin in your k8s cluster. Multus does a great job there, but probably will be too complex.

Another possible approach is that if your apps can use a socks proxy, we can implement a Tor socks port to be available in the namespace as a cluster service. If socks is not supported, but your app(s) talk http and can use an HTTP proxy, one could use an http-to-socks proxy (e.g. privoxy) sidecar to let the pod get to Internet thru it (container -> sidecar http -> tor socks -> (tor network) -> tor exit node -> internet).

Can you explain a bit more your use case?
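The sidecar chain described above (container -> http proxy sidecar -> tor socks -> Tor network) as one pod manifest. This is an added example, not code from the tor-controller project; the image names, the `onion-ns` namespace and the config file paths are assumptions.

```yaml
# Added example (not from tor-controller): the app's HTTP egress goes
# app -> privoxy sidecar (HTTP proxy) -> tor sidecar (SOCKS) -> Tor network.
# Assumptions: image names, namespace "onion-ns", an app that honours HTTP(S)_PROXY.
apiVersion: v1
kind: ConfigMap
metadata:
  name: tor-egress-config
  namespace: onion-ns
data:
  torrc: |
    SocksPort 127.0.0.1:9050
  privoxy.conf: |
    listen-address 127.0.0.1:8118
    # forward-socks5t: hostnames are resolved by Tor, so DNS does not leak locally
    forward-socks5t / 127.0.0.1:9050 .
---
apiVersion: v1
kind: Pod
metadata:
  name: app-via-tor
  namespace: onion-ns
spec:
  containers:
    - name: app
      image: example.invalid/app:latest        # assumption: proxy-aware HTTP client
      env:
        - name: HTTP_PROXY
          value: http://127.0.0.1:8118
        - name: HTTPS_PROXY
          value: http://127.0.0.1:8118
    - name: tor
      image: example.invalid/tor:latest        # assumption: any image with a tor binary
      args: ["tor", "-f", "/etc/tor/torrc"]
      volumeMounts:
        - name: cfg
          mountPath: /etc/tor/torrc
          subPath: torrc
    - name: privoxy
      image: example.invalid/privoxy:latest    # assumption: any image with privoxy
      args: ["privoxy", "--no-daemon", "/etc/privoxy/config"]
      volumeMounts:
        - name: cfg
          mountPath: /etc/privoxy/config
          subPath: privoxy.conf
  volumes:
    - name: cfg
      configMap:
        name: tor-egress-config
```

Only traffic the app sends to the proxy is protected; UDP and any process that ignores the proxy variables still leave directly, so pair this with a default-deny egress NetworkPolicy on the namespace so that bypasses fail closed rather than leak.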

samip5 commented 2 years ago

I want a Tor mail server onion, which needs traffic routed through Tor by default. Preferably all traffic from a namespace.

bugfest commented 2 years ago

is your mail server capable of using a socks v4/v5 service?

samip5 commented 2 years ago

> is your mail server capable of using a socks v4/v5 service?

That would be a no, as Postfix doesn't seem to have support for it.

bugfest commented 2 years ago

You might try tsocks to reroute the traffic thru a socks service: https://man.archlinux.org/man/extra/tsocks/tsocks.1.en - if that works, you have two options: a new TOR deployment/pod exposing the socks port and your app using it for outgoing traffic, or enable the socks port in the pod that the OnionService spins up to get your hidden service set up.

bugfest commented 2 years ago

I'm preparing a new CRD to create a Tor socks service. That should help to fulfill this requirement

bugfest commented 2 years ago

I'm still working on it - I'm close to releasing the feature

bugfest commented 2 years ago

Hi @samip5,

A similar feature was asked in #19

I've just pushed a Tor object implementation that you can use to spin a Tor instance exposing Socks/HTTPTunnel/DNS and NATD services in your cluster with traffic being routed thru the Tor network. Branch: tor-crd-0.6.1.

As soon as I finish the build/tests I'll merge the changes.