OPNsense Forum
Archive => 17.7 Legacy Series => Topic started by: fabian on September 19, 2017, 02:25:25 pm
-
Just if anyone likes to test:
Log in via SSH, and run this in the shell:
pkg install os-tor-devel
Docs may be available soon (URL will probably be https://docs.opnsense.org/manual/how-tos/tor.html)
-
Docs are online now. 8)
Cheers,
Franco
-
Great! Thank You!
IPv6 for the relay would be nice.
-
for which field?
-
Hi, I installed it on my testing OPNsense, but the relay option is not working (can't start the daemon) or I am doing something wrong.
I will add some images, maybe you see some mistake.
(https://m.mufff.in/25f.png)
(https://m.mufff.in/747.png)
-
Can you post the output of tor when you start it via the command line? Also, you cannot be a relay and host hidden services at the same time.
-
For your information, tor runs as the user "_tor", so starting it manually means running:
sudo -u _tor tor
-
Yes, that seems to work. At least Tor has started:
magic@opnsense:~ % sudo -u _tor tor
Sep 24 13:56:30.129 [notice] Tor 0.3.0.10 (git-c33db290a9d8d0f9) running on FreeBSD with Libevent 2.1.8-stable, OpenSSL 1.0.2l and Zlib 1.2.8.
Sep 24 13:56:30.129 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Sep 24 13:56:30.129 [notice] Read configuration file "/usr/local/etc/tor/torrc".
Sep 24 13:56:30.132 [notice] Opening Socks listener on 127.0.0.1:9050
Sep 24 13:56:30.000 [notice] Parsing GEOIP IPv4 file /usr/local/share/tor/geoip.
Sep 24 13:56:30.000 [notice] Parsing GEOIP IPv6 file /usr/local/share/tor/geoip6.
Sep 24 13:56:30.000 [notice] Bootstrapped 0%: Starting
Sep 24 13:56:31.000 [notice] Starting with guard context "default"
Sep 24 13:56:31.000 [notice] Bootstrapped 5%: Connecting to directory server
Sep 24 13:56:31.000 [notice] Bootstrapped 10%: Finishing handshake with directory server
Sep 24 13:56:31.000 [notice] Bootstrapped 15%: Establishing an encrypted directory connection
Sep 24 13:56:31.000 [notice] Bootstrapped 20%: Asking for networkstatus consensus
Sep 24 13:56:31.000 [notice] Bootstrapped 25%: Loading networkstatus consensus
Sep 24 13:56:31.000 [notice] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
Sep 24 13:56:31.000 [notice] Bootstrapped 40%: Loading authority key certs
Sep 24 13:56:31.000 [notice] Bootstrapped 45%: Asking for relay descriptors
Sep 24 13:56:31.000 [notice] I learned some more directory information, but not enough to build a circuit: We need more microdescriptors: we have 0/6775, and can only build 0% of likely paths. (We have 0% of guards bw, 0% of midpoint bw, and 0% of exit bw = 0% of path bw.)
Sep 24 13:56:31.000 [notice] Bootstrapped 50%: Loading relay descriptors
Sep 24 13:56:32.000 [notice] Bootstrapped 56%: Loading relay descriptors
Sep 24 13:56:32.000 [notice] Bootstrapped 64%: Loading relay descriptors
Sep 24 13:56:34.000 [notice] Bootstrapped 71%: Loading relay descriptors
Sep 24 13:56:34.000 [notice] Bootstrapped 78%: Loading relay descriptors
Sep 24 13:56:35.000 [notice] Bootstrapped 80%: Connecting to the Tor network
Sep 24 13:56:35.000 [notice] Bootstrapped 85%: Finishing handshake with first hop
Sep 24 13:56:35.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
Sep 24 13:56:35.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Sep 24 13:56:35.000 [notice] Bootstrapped 100%: Done
-
Can you try this command:
configctl tor start
This is what is executed by the web GUI. It is just a wrapper for
service tor start
-
Yes
magic@opnsense:~ % configctl tor start
OK
magic@opnsense:~ % service tor start
Cannot 'start' tor. Set tor_enable to YES in /etc/rc.conf or use 'onestart' instead of 'start'.
magic@opnsense:~ % service tor onestart
/usr/local/etc/rc.d/tor: WARNING: /var/db/tor is not a directory.
/usr/local/etc/rc.d/tor: WARNING: failed precmd routine for tor
-
There is something wrong, as the command should generate this directory, and a template should allow starting if it is enabled.
https://github.com/opnsense/plugins/blob/master/security/tor/src/opnsense/service/conf/actions.d/actions_tor.conf#L2
Can you try to reload the templates: configctl template reload OPNsense/Tor
If the service is enabled, "service tor start" should work.
-
BTW: There will be a patch soon for a template reloading issue:
https://github.com/opnsense/plugins/commit/5f877635d1834d139bdcdbc5d5b6ec005629f2a1
It should be possible to install the patch here using the command: opnsense-patch -c plugins 5f877635d1834d139bdcdbc5d5b6ec005629f2a1
-
So, after I saw how I can switch to the development version of OPNsense, I did it.
Then I pulled the patch and reloaded the templates. After invoking service tor start I get the following output:
magic@opnsense:~ % sudo service tor start
Starting tor.
Sep 24 17:07:35.002 [notice] Tor 0.3.0.10 (git-c33db290a9d8d0f9) running on FreeBSD with Libevent 2.1.8-stable, OpenSSL 1.0.2l and Zlib 1.2.8.
Sep 24 17:07:35.002 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Sep 24 17:07:35.002 [notice] Read configuration file "/usr/local/etc/tor/torrc".
Sep 24 17:07:35.006 [warn] You specified a public address 'xxx.xxx.191.150:9050' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Sep 24 17:07:35.006 [notice] Your ContactInfo config option is not set. Please consider setting it, so we can contact you if your server is misconfigured or something else goes wrong.
Sep 24 17:07:35.006 [notice] Based on detected system memory, MaxMemInQueues is set to 1281 MB. You can override this by setting MaxMemInQueues by hand.
Sep 24 17:07:35.007 [warn] You specified a public address 'xxx.xxx.191.150:9050' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Sep 24 17:07:35.007 [notice] Opening Socks listener on 127.0.0.1:9050
Sep 24 17:07:35.007 [notice] Opening Socks listener on [::1]:9050
Sep 24 17:07:35.007 [notice] Opening Socks listener on xxx.xxx.191.150:9050
Sep 24 17:07:35.007 [notice] Opening Control listener on 127.0.0.1:9051
Sep 24 17:07:35.007 [notice] Opening OR listener on xxx.xxx.191.150:9001
Sep 24 17:07:35.000 [warn] Couldn't open file for 'Log debug file /var/log/tor.log': Permission denied
Sep 24 17:07:35.000 [notice] Closing partially-constructed Socks listener on 127.0.0.1:9050
Sep 24 17:07:35.000 [notice] Closing partially-constructed Socks listener on ::1:9050
Sep 24 17:07:35.000 [notice] Closing partially-constructed Socks listener on xxx.xxx.191.150:9050
Sep 24 17:07:35.000 [notice] Closing partially-constructed Control listener on 127.0.0.1:9051
Sep 24 17:07:35.000 [notice] Closing partially-constructed OR listener on xxx.xxx.191.150:9001
Sep 24 17:07:35.000 [warn] Failed to parse/validate config: Failed to init Log options. See logs for details.
Sep 24 17:07:35.000 [err] Reading config failed--see warnings above.
/usr/local/etc/rc.d/tor: WARNING: failed to start tor
-
OK, that helps more: the output says that the "Log" directives are broken. In this case the log file seems to be not writable:
Sep 24 17:07:35.000 [warn] Couldn't open file for 'Log debug file /var/log/tor.log': Permission denied
Should be possible to fix before the next release.
-
You started tor as root once.
You have to remove /var/log/tor.log to start it as user _tor again.
@fabian
Tor with GUI checkboxes for fascist mode should write logs to /dev/null ;-)
-
Fix is available: https://github.com/opnsense/plugins/pull/286
@NilsS Logs can be fully disabled. In that case they are not even written to /dev/null.
-
You started tor as root once.
You have to remove /var/log/tor.log to start it as user _tor again.
Removed it and restarted it with the tor user. Still the same error that it can't write the log.
Maybe I'll install an OPNsense from scratch and try again.
-
As fabian wrote, he fixed this already.
But the parent directory doesn't allow the user _tor to create the file in that directory.
touch /var/log/tor.log
chown _tor._tor /var/log/tor.log
should fix the problem for you.
Others can wait for the fix to be committed or apply the patch manually.
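A preflight script for the three things that show up in the startup output earlier in the thread (a SocksPort bound to a public address, ContactInfo unset, and a log file the _tor user cannot create or write), added here as an example; it is not part of any post above and not code from the OPNsense plugin. It assumes POSIX sh with grep, awk and ls, takes the torrc path and the service user as arguments, and judges writability only by ownership, which is the case described above (root-owned /var/log, or a tor.log left behind by a run as root). The torrc it runs against in demo mode is constructed, not taken from the thread.

```shell
#!/bin/sh
# torrc_preflight: checks to run before "service tor start" when tor runs as an
# unprivileged user such as _tor. Added example, not part of the OPNsense plugin.
# Assumes POSIX sh plus grep, awk and ls; paths and user names come from the caller.

# Print the path of every "Log <severity> file <path>" directive in a torrc.
torrc_log_files() {
    grep -E '^[[:space:]]*Log[[:space:]]' "$1" | awk '$3 == "file" { print $4 }' || true
}

# Print every SocksPort value that is not loopback, a bare port (which tor binds
# to 127.0.0.1), "auto", "0" or a unix socket, i.e. the ones tor warns about as
# an open proxy.
torrc_public_socksports() {
    grep -E '^[[:space:]]*SocksPort[[:space:]]' "$1" | awk '{ print $2 }' \
      | grep -Ev '^([0-9]+|auto|127\.[0-9.]+:[0-9]+|\[::1\]:[0-9]+|localhost:[0-9]+|unix:.*)$' \
      || true
}

# Owner of a path, parsed from ls -ld so it works on both FreeBSD and Linux
# (stat takes different flags on the two).
path_owner() {
    ls -ld "$1" 2>/dev/null | awk '{ print $3 }'
}

# Succeed if USER owns LOGFILE, or, if LOGFILE does not exist yet, its directory.
# Ownership is a conservative test: a root-owned /var/log or a tor.log created by
# an earlier run as root both fail it, which is exactly the situation in the thread.
log_writable_by() {
    logfile=$1; user=$2
    if [ -e "$logfile" ]; then
        [ "$(path_owner "$logfile")" = "$user" ]
    else
        [ "$(path_owner "$(dirname "$logfile")")" = "$user" ]
    fi
}

# Run all checks on TORRC for service user USER. Prints one line per finding and
# returns the number of findings, so 0 means "safe to start".
torrc_preflight() {
    torrc=$1; user=$2; findings=0
    for p in $(torrc_public_socksports "$torrc"); do
        echo "WARN: SocksPort $p listens on a public address (open proxy risk)"
        findings=$((findings + 1))
    done
    if ! grep -qE '^[[:space:]]*ContactInfo[[:space:]]' "$torrc"; then
        echo "NOTE: ContactInfo is not set"
        findings=$((findings + 1))
    fi
    for f in $(torrc_log_files "$torrc"); do
        if ! log_writable_by "$f" "$user"; then
            echo "ERR: $f is not owned by $user; fix with: touch $f && chown $user $f"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Stand-alone run against a constructed torrc that mirrors the thread's output
# (public SocksPort, no ContactInfo, log file under a root-owned /var/log).
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp) && cat > "$demo" <<'EOF'
SocksPort 127.0.0.1:9050
SocksPort [::1]:9050
SocksPort 203.0.113.10:9050
ControlPort 9051
ORPort 9001
Log debug file /var/log/tor.log
EOF
    torrc_preflight "$demo" _tor; echo "findings: $?"
    rm -f "$demo"
fi
```

Run it as sh torrc_preflight.sh --demo to see the three findings, or source it and call torrc_preflight /usr/local/etc/tor/torrc _tor on the firewall before starting the service. The ownership test is deliberately stricter than tor itself (group- or world-writable files would pass tor but fail here) so that it flags the root-created log file even when the file already exists.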
-
The current state of the plugin will be available as stable with the next release so there is not much wait time to get the stable release which will include the fix.
-
As a side note, building/installing from the plugins repo is quite easy from the command line:
# opnsense-code plugins
# cd /usr/plugins/security/tor
# make upgrade
Cheers,
Franco