Closed alphazo closed 6 years ago
Hi @alphazo,
The Tor plugin maintainer @fabianfrz is currently indisposed so I have to get back on this in his place after a bit of research as I don't know a lot about the topic yet. :)
Cheers, Franco
No problem. Seems to be fairly simple to get the stealth mode working.
After adding a hidden service called testme using the GUI I went to the command line and added the following line to /usr/local/etc/tor/torrc
HiddenServiceAuthorizeClient stealth client1,client2
I then restarted tor via the gui and the information tab now shows:
Hidden Service Name | Hostname
testme | 7xevfoo6aq4fvvp6.onion 1dVQrgk/IGI0WwcQQKb88x # client: client1
       | 6iylcdtlyhisrusn.onion 832wXTfkGaj9SZTug9QPnh # client: client2
The website can no longer be viewed using only its 7xevfoo6aq4fvvp6.onion address.
On the client side I now have to add 7xevfoo6aq4fvvp6.onion 1dVQrgk/IGI0WwcQQKb88x in the tor browser's torrc or tor client's torrc in order to view the hidden website.
So a GUI that allows entering multiple client names to be added to /usr/local/etc/tor/torrc would be nice. An improved parsing of /var/db/tor/testme/hostname would be required to properly display the hidden website URL and associated key.
@alphazo thanks, that helped a lot. So I've added the client authorisation to hidden services... can you try the following patch?
# opnsense-patch -c plugins 6dc272c
If it works as expected we can fix the information GUI page.
There might be an edit bug in there if a hidden service ACL is defined, I will look at it later. As long as there is no ACL assigned to the service the edit seems to work fine.
@fichtner I have never used opnsense-patch service. Before I play around with it, is there a way to revert back to how it was before the patch?
Thanks
opnsense-patch pulls the commit via hash from GitHub and installs it. Rerunning the command with the same hash will remove the patch again.
you can also reset your tor plugin via:
# opnsense-revert os-tor
which will revert to the latest known version in the online repository
Thanks for the patch that worked quite nicely. Here are my comments:
myc1 myc2
then I receive the following error message when trying to save the settings: The authorized clients should only consist of alphanumeric characters, dashes, underscores and plus sign.
Not Found Error. I can no longer switch back to Basic mode or even remove that particular entry. The only way to edit or remove the entry is to first remove the corresponding entry in the Hidden Service Routing tab.
HidServAuth cld7uazv7brtgxb4.onion xTYCjhRNrPNeF2HdZ2TWAh # client: myc1
to the Tor client that needs to connect to this resource.
If you remove the ACL (next tab) from the service the editing works as expected instead of "Not Found Error"... it's a bug somewhere in the backend that needs fixing, but it seemed to be there before this was added.
You need to type "," or hit enter to render each client, the input is tokenized :)
Saw your answer just after editing my comment. As stated, removing the ACL fixes the issue. It also allowed me to enter multiple clients. It's all good!
Jolly good, thanks for your help and comments. I will address the remaining issues in the next days and ping you again.
@fichtner because you are working on this ticket: don't forget that there is also the other end of the connection which needs HidServAuth to access such a service. HidServAuth is 1:n which means that it needs a custom page.
The directive is (from tor man page)
HidServAuth onion-address auth-cookie [service-name]
so the form will be onion-address as text and auth-cookie as text.
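An added example, not part of the thread or of the plugin's code: a parser for the hostname file layout quoted earlier in this thread, which also renders the client-side HidServAuth line in the form given by the man page excerpt above. The function names, the `Entry` type and the length limits in the regular expression are assumptions derived from the sample lines in this thread.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Layout taken from the samples in this thread (assumption):
#   <16-char base32>.onion [<22-char base64 cookie> [# client: <name>]]
LINE_RE = re.compile(
    r"^(?P<onion>[a-z2-7]{16}\.onion)"
    r"(?:\s+(?P<cookie>[A-Za-z0-9+/]{22})"
    r"(?:\s*#\s*client:\s*(?P<client>[A-Za-z0-9+_-]+))?)?$"
)

class Entry(NamedTuple):
    onion: str
    cookie: Optional[str]   # None when the service has no client authorization
    client: Optional[str]

def parse_hostname(text: str) -> Tuple[List[Entry], List[str]]:
    """Return (entries, rejected); lines that do not match are never guessed at."""
    entries, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m["onion"], m["cookie"], m["client"]))
        else:
            rejected.append(line)
    return entries, rejected

def client_torrc_line(entry: Entry, service_name: str = "") -> str:
    """Render 'HidServAuth onion-address auth-cookie [service-name]' for the client."""
    if entry.cookie is None:
        raise ValueError("no auth cookie: service is not using client authorization")
    parts = ["HidServAuth", entry.onion, entry.cookie]
    if service_name:
        parts.append(service_name)
    return " ".join(parts)

# The two lines shown in the thread plus one constructed malformed line.
SAMPLE = """\
7xevfoo6aq4fvvp6.onion 1dVQrgk/IGI0WwcQQKb88x # client: client1
6iylcdtlyhisrusn.onion 832wXTfkGaj9SZTug9QPnh # client: client2
not-an-onion <b>oops</b>
"""

if __name__ == "__main__":
    parsed, bad = parse_hostname(SAMPLE)
    for e in parsed:
        print(f"{e.client}: {client_torrc_line(e)}")
    print("rejected:", bad)
```

Each cookie is the credential that lets one client reach the service, so a page that displays parsed entries should be visible to administrators only.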
Right now I'm more concerned about an API config bug in core https://github.com/opnsense/core/issues/1885 and if that is solved I'd rather release what we already have and keep this open
we don't have a pretty information page parsing, but it seems like a low value target to me. all the info is there, tor just writes it in a weird way...
@fichtner As far as I know I have added a workaround to prettify that a bit (convert \n to br tags)
@fichtner needed a fixup - pushed it to master: https://github.com/opnsense/plugins/commit/528e3674a257405831a0bb9e123d1e6fb1745dfd
thanks!
I just tried out the new official Tor plugin and found it awesome. I was wondering if there was any plan to add a GUI option for managing client authorization through HiddenServiceAuthorizeClient. Thanks