Connections drop on Tor 0.4.8.9

Patrick · November 25, 2023, 9:10am

Qubes bug report:

Tor 0.4.8.9 broken in combination with vanguards in Qubes Debian templates

opened 09:10AM - 25 Nov 23 UTC

T: bug P: default

### Qubes OS release Qubes R4.2 ### Summary Downloads over Tor (with va…nguards enabled) get interrupted after a few seconds. This bug was introduced between Tor version `0.4.7.16-1` (from Debian `bookworm` security repository) and Tor version `0.4.8.9-1~d12.bookworm+1` (from `deb.torproject.org`). I am certain that I could pinpoint it to it. The issue is only reproducible if `vanguards` is installed. The older Tor version from Debian `bookworm` security repository version `0.4.7.16-1` does not have this issue. ### Steps to reproduce: 1. Get Qubes. 2. Use a Qubes Debian `bookworm` Template. 3. Enable `deb.torproject.org` 4. `sudo apt update` 5. `sudo apt install --no-install-recommends vanguards tor` 6. Edit `/etc/tor/vanguards.conf` and change `control_socket =` to `control_socket = /run/tor/control` ([related ticket](https://github.com/mikeperry-tor/vanguards/issues/47)) 7. `sudo systemctl enable vanguards` ([potential Debian bug not being enabled by default](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948975)) 8. `sudo systemctl restart tor@default` 9. `sudo systemctl restart vanguards` 10. (In App Qube) 11. `torsocks curl --fail --output /tmp/test.tar.xz https://dist.torproject.org/torbrowser/13.0.5/tor-browser-linux-x86_64-13.0.5.tar.xz` ### What is the current bug behavior? Connection drops after a bit of continued file downloads. torsocks curl --fail --output /tmp/test.tar.xz https://dist.torproject.org/torbrowser/13.0.5/tor-browser-linux-x86_64-13.0.5.tar.xz ``` % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 3 107M 3 3624k 0 0 24100 0 1:17:51 0:02:34 1:15:17 29815 curl: (18) transfer closed with 108874640 bytes remaining to read zsh: exit 18 torsocks curl --fail --output /tmp/test.tar.xz ``` ### What is the expected behavior? No connection drops. ### Environment * Qubes R4.2 * Debian based App Qube * Tor version `0.4.8.9-1~d12.bookworm+1` * `deb.torproject.org` `bookworm` repository * vanguards version `0.3.1-2.3` from `packages.debian.org` Also reproducible in Qubes-Whonix and Non-Qubes-Whonix (Whonix for VirtualBox). I wasn't able to reproduce this yet on a real (non-Qubes) Debian `bookworm` yet. ### Additional information `sudo systemctl stop vanguards && sudo systemctl restart tor@default` fixes this issue. This shows that this issue is only happening if Tor is combined with vanguards. ### Tor bug Is this a Tor bug? Possibly, yes. Reported upstream: * https://gitlab.torproject.org/tpo/core/tor/-/issues/40892 * https://github.com/mikeperry-tor/vanguards/issues/100 Why am I reporting this against Qubes? Because in the past there was a similar Qubes bug: * https://github.com/QubesOS/qubes-issues/issues/2840 (a Qubes kernel upgrade randomly broke SSL connections) Since this issue is reproducible in VMs (Qubes Debian App Qube) and in VirtualBox (Whonix) but not reproducible on real (non-Qubes) Debian, this implies that this might be a Qubes specific issue. ### For issue tracking * cause by Whonix: no * except maybe if arguing vanguards should be installed but then still most likely no Whonix specific source code causing this * affects Qubes-Whonix yes:

apparatius · November 25, 2023, 9:19am

I’ve tested this in debian-12 VM in KVM and I can reproduce the issue.
Check if vanguards is running, the service is not enabled by default when it’s installed.
Also the issue seems to be occurring after some time will pass when you visit a few sites or wait a few minutes.

extraextra · November 25, 2023, 12:20pm

Maybe only VMs are causing this but hardware doesn’t?

tempest · November 26, 2023, 4:16pm

I can confirm that this is also an issue in KVM Whonix as well.

apparatius · November 27, 2023, 11:32am

I’ve reproduced this issue on bare metal debian as well.

c4c56543 · January 6, 2024, 10:36am

Any updates on the issue? I did not see progress on the bug reports since last month, however, the problem still persists and it makes Whonix completely unusable to be honest.

extraextra · January 6, 2024, 12:02pm

Then you’re suffering from this issue for no reason. Solution available for a long time already.

Patrick · February 12, 2024, 8:15am

No, not really. From public sources only. Quote from that Bug report:

Mike Perry assigned to @mikeperry 2 weeks ago

Mike Perry added Next label 2 weeks ago

Patrick · February 16, 2024, 5:54am

Patrick · February 17, 2024, 1:45pm

Newer Tor version and vanguards disabling is now in the testers repository.