censorship circumvention / Tor pluggable transports

iry:

Tested on Whonix13 with obfs4proxy updated to 0.0.7 and Whonix14,
both successfully connected to the Tor network. My configuration:

in /etc/hosts added:

## meek_lite specific
93.184.221.200 ajax.aspnetcdn.com
52.222.172.206 a0.awsstatic.com
## End of meek_lite specific

in /etc/tor/torrc added:

DisableNetwork 0
UseBridges 1
ClientTransportPlugin meek_lite exec /usr/bin/obfs4proxy
Bridge meek_lite 0.0.2.0:2 B9E7141C594AF25699E0079C1F0146F409495296 url=https://d2cly7j4zqgua7.cloudfront.net/ front=a0.awsstatic.com

Great!

Wondering, is it possible to use IP addresses rather than hostnames in
torrc? So we could avoid editing /etc/hosts.

In both tests, I did the two commands above and I was getting an
error:

debian-tor@host:/home/user$ nslookup whonix.org
;; connection timed out; no servers could be reached

I also enabled the Transparent Proxy on Whonix-Gateways following:
Whonix-Gateway Traffic: Transparent Proxying

And then tried again. But I still got the error.

Did I do something wrong?

No. My mistake. These instructions don’t make sense here.

Go to a non-Whonix VM. Figure out your nameserver settings.

cat /etc/resolv.conf

Go to sys-whonix and replace its /etc/resolv.conf with the settings
from your non-Whonix VM.

Then.

sudo -u debian-tor bash

Then nslookup torproject.org etc. will work. Just now tested.

That gives Tor full DNS access.

https://github.com/Whonix/anon-base-files/blob/master/etc/hosts.anondist

If this is the approach we decided to adopt, I can keep an eye on
this and pull request when the IPs are changed.

Please forgive my ignorance: the hostname needs to be resolved so that
we can connect to the Tor network. Therefore, we cannot send the
DNS request over Tor successfully in this case? In other words, we
have to send the DNS request for resolving a0.awsstatic.com through
clearnet?

Correct.

What the above (new) instructions do is allow Tor to resolve DNS using
clearnet with your usual DNS settings that any clearnet VM would be
using. I will think about this more, but I don’t think this has any
disadvantages. Except:

  • when Whonix-Firewall would be broken and at the same time its fail
    closed mechanism would not work
  • and when the user is trying to use Whonix-Gateway as a workstation
  • then the user would be using clearnet
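The thread shows two ways to let obfs4proxy reach the meek_lite front domain: pin the front's address in /etc/hosts (iry's configuration earlier in the thread) or give Tor working clearnet DNS via /etc/resolv.conf (Patrick's instructions above). Either way, the front= hostname on each meek_lite Bridge line is the one name that must be resolvable outside Tor. The following POSIX shell script is an added example, not Whonix or Tor code: it extracts the front= hostnames from a torrc and reports which of them are pinned in a hosts file, so an operator can see at a glance whether the pinning approach is complete or whether Tor will fall back to clearnet DNS for that name. The torrc and hosts contents it checks are constructed sample files written to a temp directory; the bridge line is the one posted in the thread.

```shell
#!/bin/sh
# Added example (not part of the Whonix project or this thread's posts):
# list the front= hostnames of meek_lite Bridge lines and check that each
# one is pinned in a hosts file. The sample torrc/hosts below are constructed.

# Print the front= value of every meek_lite Bridge line, one per line.
meek_fronts() {
    grep -E '^[[:space:]]*Bridge[[:space:]]+meek_lite[[:space:]]' "$1" |
        tr -s '[:space:]' '\n' |
        sed -n 's/^front=//p' |
        sort -u
}

# Succeed if the hostname appears as a name field on a non-comment
# address line of the hosts file (dots escaped so "." is literal).
is_pinned() {
    host="$1"; hosts="$2"
    esc=$(printf '%s' "$host" | sed 's/\./\\./g')
    grep -Eiq "^[[:space:]]*[0-9A-Fa-f.:]+([[:space:]]+[^[:space:]#]+)*[[:space:]]+${esc}([[:space:]]|$)" "$hosts"
}

# Report each front; return 1 if any front would need clearnet DNS.
check_pinned() {
    torrc="$1"; hosts="$2"; rc=0
    for h in $(meek_fronts "$torrc"); do
        if is_pinned "$h" "$hosts"; then
            echo "pinned:   $h"
        else
            echo "UNPINNED: $h (Tor would have to resolve it via clearnet DNS)"
            rc=1
        fi
    done
    return $rc
}

# --- constructed sample inputs ---------------------------------------------
WORK=$(mktemp -d)
TORRC="$WORK/torrc"
GOOD_HOSTS="$WORK/hosts.good"
BAD_HOSTS="$WORK/hosts.bad"

cat > "$TORRC" <<'EOF'
DisableNetwork 0
UseBridges 1
ClientTransportPlugin meek_lite exec /usr/bin/obfs4proxy
Bridge meek_lite 0.0.2.0:2 B9E7141C594AF25699E0079C1F0146F409495296 url=https://d2cly7j4zqgua7.cloudfront.net/ front=a0.awsstatic.com
EOF

# Hosts file with the front pinned, as in the configuration posted above.
cat > "$GOOD_HOSTS" <<'EOF'
127.0.0.1 localhost
## meek_lite specific
52.222.172.206 a0.awsstatic.com
## End of meek_lite specific
EOF

# Hosts file where the front entry was forgotten.
cat > "$BAD_HOSTS" <<'EOF'
127.0.0.1 localhost
# front entry missing on purpose
EOF

check_pinned "$TORRC" "$GOOD_HOSTS"
check_pinned "$TORRC" "$BAD_HOSTS" ||
    echo "fix: pin the front in /etc/hosts or give Tor working clearnet DNS"
```

Only the front= name is checked: with meek the client opens its TLS connection to the front and carries the url= host in the HTTP Host header, so the CDN-side url host is never resolved locally. Run the script against the real files with `check_pinned /etc/tor/torrc /etc/hosts` after sourcing the functions.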

Thank you very much for your guidance, Patrick!

You’re very much welcome! :slight_smile:
