[CALL FOR TESTING] Tor

Started by fabian, September 19, 2017, 02:25:25 PM

Just if anyone likes to test:

Log in via SSH, and run this in the shell:

pkg install os-tor-devel

Docs may be available soon (URL will probably be https://docs.opnsense.org/manual/how-tos/tor.html)

Docs are online now. 8)


Cheers,
Franco

Great! Thank You!

ipv6 for the relay would be nice.


Hi, I installed it on my testing OPNsense, but the relay option is not working (can't start the daemon), or I am doing something wrong.

I will add some images, maybe you see some mistake.


Can you post the output of tor when you start it via the command line - it should - also you cannot be a relay and host hidden services at the same time.

For your information, tor runs as the user "_tor", so starting it manually means running:
sudo -u _tor tor

Yes, that seems to work. At least Tor has started:
magic@opnsense:~ % sudo -u _tor tor
Sep 24 13:56:30.129 [notice] Tor 0.3.0.10 (git-c33db290a9d8d0f9) running on FreeBSD with Libevent 2.1.8-stable, OpenSSL 1.0.2l and Zlib 1.2.8.
Sep 24 13:56:30.129 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Sep 24 13:56:30.129 [notice] Read configuration file "/usr/local/etc/tor/torrc".
Sep 24 13:56:30.132 [notice] Opening Socks listener on 127.0.0.1:9050
Sep 24 13:56:30.000 [notice] Parsing GEOIP IPv4 file /usr/local/share/tor/geoip.
Sep 24 13:56:30.000 [notice] Parsing GEOIP IPv6 file /usr/local/share/tor/geoip6.
Sep 24 13:56:30.000 [notice] Bootstrapped 0%: Starting
Sep 24 13:56:31.000 [notice] Starting with guard context "default"
Sep 24 13:56:31.000 [notice] Bootstrapped 5%: Connecting to directory server
Sep 24 13:56:31.000 [notice] Bootstrapped 10%: Finishing handshake with directory server
Sep 24 13:56:31.000 [notice] Bootstrapped 15%: Establishing an encrypted directory connection
Sep 24 13:56:31.000 [notice] Bootstrapped 20%: Asking for networkstatus consensus
Sep 24 13:56:31.000 [notice] Bootstrapped 25%: Loading networkstatus consensus
Sep 24 13:56:31.000 [notice] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
Sep 24 13:56:31.000 [notice] Bootstrapped 40%: Loading authority key certs
Sep 24 13:56:31.000 [notice] Bootstrapped 45%: Asking for relay descriptors
Sep 24 13:56:31.000 [notice] I learned some more directory information, but not enough to build a circuit: We need more microdescriptors: we have 0/6775, and can only build 0% of likely paths. (We have 0% of guards bw, 0% of midpoint bw, and 0% of exit bw = 0% of path bw.)
Sep 24 13:56:31.000 [notice] Bootstrapped 50%: Loading relay descriptors
Sep 24 13:56:32.000 [notice] Bootstrapped 56%: Loading relay descriptors
Sep 24 13:56:32.000 [notice] Bootstrapped 64%: Loading relay descriptors
Sep 24 13:56:34.000 [notice] Bootstrapped 71%: Loading relay descriptors
Sep 24 13:56:34.000 [notice] Bootstrapped 78%: Loading relay descriptors
Sep 24 13:56:35.000 [notice] Bootstrapped 80%: Connecting to the Tor network
Sep 24 13:56:35.000 [notice] Bootstrapped 85%: Finishing handshake with first hop
Sep 24 13:56:35.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
Sep 24 13:56:35.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Sep 24 13:56:35.000 [notice] Bootstrapped 100%: Done

can you try this command:

configctl tor start

this is what is executed by the web GUI.

this is just a wrapper for

service tor start

Yes

magic@opnsense:~ % configctl tor start
OK
magic@opnsense:~ % service tor start
Cannot 'start' tor. Set tor_enable to YES in /etc/rc.conf or use 'onestart' instead of 'start'.
magic@opnsense:~ % service tor onestart
/usr/local/etc/rc.d/tor: WARNING: /var/db/tor is not a directory.
/usr/local/etc/rc.d/tor: WARNING: failed precmd routine for tor

there is something wrong as the command should generate this directory and a template should allow start if it is enabled.
https://github.com/opnsense/plugins/blob/master/security/tor/src/opnsense/service/conf/actions.d/actions_tor.conf#L2

can you try to reload the templates: configctl template reload OPNsense/Tor

If the service is enabled, "service tor start" should work.

BTW: There will be a patch soon for a template reloading issue:
https://github.com/opnsense/plugins/commit/5f877635d1834d139bdcdbc5d5b6ec005629f2a1

It should be possible to install the patch here using the command: opnsense-patch -c plugins 5f877635d1834d139bdcdbc5d5b6ec005629f2a1

September 24, 2017, 05:10:04 PM #12 Last Edit: September 24, 2017, 05:14:58 PM by MAGIC
So, after I saw how I can switch to the development version of OPNsense, I did it.
Then I pulled the patch and reloaded the templates. After invoking service tor start I get the following output:
magic@opnsense:~ % sudo service tor start
Starting tor.
Sep 24 17:07:35.002 [notice] Tor 0.3.0.10 (git-c33db290a9d8d0f9) running on FreeBSD with Libevent 2.1.8-stable, OpenSSL 1.0.2l and Zlib 1.2.8.
Sep 24 17:07:35.002 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Sep 24 17:07:35.002 [notice] Read configuration file "/usr/local/etc/tor/torrc".
Sep 24 17:07:35.006 [warn] You specified a public address 'xxx.xxx.191.150:9050' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Sep 24 17:07:35.006 [notice] Your ContactInfo config option is not set. Please consider setting it, so we can contact you if your server is misconfigured or something else goes wrong.
Sep 24 17:07:35.006 [notice] Based on detected system memory, MaxMemInQueues is set to 1281 MB. You can override this by setting MaxMemInQueues by hand.
Sep 24 17:07:35.007 [warn] You specified a public address 'xxx.xxx.191.150:9050' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Sep 24 17:07:35.007 [notice] Opening Socks listener on 127.0.0.1:9050
Sep 24 17:07:35.007 [notice] Opening Socks listener on [::1]:9050
Sep 24 17:07:35.007 [notice] Opening Socks listener on xxx.xxx.191.150:9050
Sep 24 17:07:35.007 [notice] Opening Control listener on 127.0.0.1:9051
Sep 24 17:07:35.007 [notice] Opening OR listener on xxx.xxx.191.150:9001
Sep 24 17:07:35.000 [warn] Couldn't open file for 'Log debug file /var/log/tor.log': Permission denied
Sep 24 17:07:35.000 [notice] Closing partially-constructed Socks listener on 127.0.0.1:9050
Sep 24 17:07:35.000 [notice] Closing partially-constructed Socks listener on ::1:9050
Sep 24 17:07:35.000 [notice] Closing partially-constructed Socks listener on xxx.xxx.191.150:9050
Sep 24 17:07:35.000 [notice] Closing partially-constructed Control listener on 127.0.0.1:9051
Sep 24 17:07:35.000 [notice] Closing partially-constructed OR listener on xxx.xxx.191.150:9001
Sep 24 17:07:35.000 [warn] Failed to parse/validate config: Failed to init Log options. See logs for details.
Sep 24 17:07:35.000 [err] Reading config failed--see warnings above.
/usr/local/etc/rc.d/tor: WARNING: failed to start tor

OK, that helps more - the output says that the "Log" directives are broken. In this case the log file seems not to be writable:


Sep 24 17:07:35.000 [warn] Couldn't open file for 'Log debug file /var/log/tor.log': Permission denied


Should be possible to fix before the next release.

You started tor as root once.
You have to remove /var/log/tor.log to start it as user _tor again.
@fabian
Tor with GUI checkboxes for fascist mode should write logs to /dev/null ;-)
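The two failures in this thread (the rc script refusing to start because /var/db/tor is not a directory, and a later start failing because /var/log/tor.log had been created by a root-run tor and was no longer writable by _tor) are both things you can check before touching the GUI. The script below is an added example, not part of the plugin or of any post in this thread: it parses Tor's own start-up output for [warn]/[err] lines, turns the "Couldn't open file" and "public address for SocksPort" messages into findings with a remediation hint, and checks ownership of the paths Tor needs for the service user. The path list, the `_tor` user name and the log lines are taken from the thread; the function names and the scratch-directory test are assumptions of this example. Run it on FreeBSD as `sudo -u _tor tor 2>&1 | python3 tor_preflight.py`, or with no input to see it work on the sample lines.

```python
"""Triage helper for a failed Tor start on OPNsense/FreeBSD (added example, not plugin code)."""
import os
import pwd
import re
import stat

# A Tor log line looks like: "Sep 24 17:07:35.000 [warn] message"
LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) \[(?P<level>\w+)\] (?P<msg>.*)$")
FILE_ERR_RE = re.compile(r"Couldn't open file for '(?P<directive>[^']*)': (?P<reason>.*)")

# Constructed sample: the relevant lines from the failing start posted above.
SAMPLE_LOG = """\
Sep 24 17:07:35.002 [notice] Read configuration file "/usr/local/etc/tor/torrc".
Sep 24 17:07:35.006 [warn] You specified a public address 'xxx.xxx.191.150:9050' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Sep 24 17:07:35.000 [warn] Couldn't open file for 'Log debug file /var/log/tor.log': Permission denied
Sep 24 17:07:35.000 [warn] Failed to parse/validate config: Failed to init Log options. See logs for details.
Sep 24 17:07:35.000 [err] Reading config failed--see warnings above.
"""

# Paths the thread shows Tor needing; /var/db/tor must be a directory owned by
# the service user, /var/log/tor.log must be absent or owned by it.
TOR_USER = "_tor"
TOR_PATHS = [("/var/db/tor", "dir"), ("/var/log/tor.log", "file")]


def parse_tor_log(text):
    """Return (level, message) for every [warn] or [err] line, in order."""
    problems = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("level") in ("warn", "err"):
            problems.append((m.group("level"), m.group("msg")))
    return problems


def classify(problems):
    """Map warnings to (kind, target, detail) findings; generic warns are dropped."""
    findings = []
    for level, msg in problems:
        fm = FILE_ERR_RE.search(msg)
        if fm:
            # directive reads "Log debug file /var/log/tor.log"; the path is its last word
            path = fm.group("directive").split()[-1]
            findings.append(("unwritable-path", path, fm.group("reason")))
        elif "public address" in msg and "SocksPort" in msg:
            addr = msg.split("'")[1]
            findings.append(("socks-exposed", addr, "SocksPort bound to a non-loopback address"))
        elif level == "err":
            findings.append(("fatal", "", msg))
    return findings


def remediation(finding):
    """Suggest the fix for a finding (text only; nothing is changed on disk)."""
    kind, target, _ = finding
    if kind == "unwritable-path":
        return "stop tor, then remove %s (or chown it to %s) so the service user can open it" % (target, TOR_USER)
    if kind == "socks-exposed":
        return "bind SocksPort to 127.0.0.1/[::1] or firewall %s; a public SOCKS listener is an open proxy" % target
    return "see the [warn] lines preceding this error"


def owner_name(uid):
    """Resolve a uid to a user name, falling back to the number if unknown."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def check_paths(run_as, paths):
    """Check each (path, kind) for the service user; return [(path, problem)], empty if all good."""
    issues = []
    for path, kind in paths:
        if not os.path.lexists(path):
            if kind == "dir":
                issues.append((path, "missing directory (rc precmd refuses to start)"))
            continue  # a missing log file is fine; tor creates it
        st = os.lstat(path)
        owner = owner_name(st.st_uid)
        if kind == "dir" and not stat.S_ISDIR(st.st_mode):
            issues.append((path, "exists but is not a directory"))
        elif owner != run_as:
            issues.append((path, "owned by %s, not %s (created by a root-run tor?)" % (owner, run_as)))
    return issues


if __name__ == "__main__":
    import sys
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for f in classify(parse_tor_log(text)):
        print("%-16s %s: %s\n    -> %s" % (f[0], f[1], f[2], remediation(f)))
    for path, problem in check_paths(TOR_USER, TOR_PATHS):
        print("%s: %s" % (path, problem))
```

The SocksPort warning is worth keeping in the triage even though it is not what stopped the service: binding the SOCKS listener to the WAN address (as the posted torrc did) exposes an unauthenticated proxy, so the check reports it beside the permission failure rather than letting it scroll past.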