diet_f
August 10, 2022, 7:38am
1
I’ve read about HTTPTunnelPort in the Stream Isolation chapter.
This seems a good alternative for apps that don’t support SOCKS natively, in addition to torsocks.
So I tried it out with curl as an example (inside Workstation):
curl.anondist-orig \
-x http://$(qubesdb-read /qubes-gateway):9220 \
https://check.torproject.org
# curl: (28) Failed to connect to 10.137.0.12 port 9220:
# Connection timed out
Port 9220 should be the open HTTPTunnelPort according to /usr/share/tor/tor-service-defaults-torrc.anondist in the gateway.
Whereas SOCKS works as usual:
curl.anondist-orig \
-x socks5h://$(qubesdb-read /qubes-gateway):9162 \
https://check.torproject.org
curl does support the HTTPS CONNECT method. Is there something else to do?
My environment is Qubes Whonix 16 with transparent proxying being disabled in gateway:
WORKSTATION_TRANSPARENT_TCP=0
WORKSTATION_TRANSPARENT_DNS=0
Syntax seems correct.
If Tor is stopped using the following command on Whonix-Gateway:
sudo systemctl stop tor
Then in Whonix-Workstation:
curl.anondist-orig --head http://$(qubesdb-read /qubes-gateway):9228
curl: (7) Failed to connect to 10.137.0.14 port 9228: Connection refused
So let’s restart Tor in Whonix-Gateway.
sudo systemctl restart tor
Then try again in Whonix-Workstation:
curl.anondist-orig --head http://$(qubesdb-read /qubes-gateway):9228
curl: (56) Recv failure: Connection reset by peer
Conclusion: Not a Whonix firewall issue. The port is reachable.
I don’t know why it’s not working.
Could you please try whether Tor HTTPTunnelPort is currently functional outside of Whonix?
Generic Bug Reproduction is most likely required here. See Tor Generic Bug Reproduction .
diet_f
August 10, 2022, 2:15pm
3
Sure - I’ll try to reproduce on a vanilla qube with just Tor installed. Can’t say exactly when I’ll have time again for the setup.
diet_f
August 12, 2022, 8:15am
4
Test case 1: Vanilla Tor on Debian
sudo apt install --no-install-recommends tor
/etc/tor/torrc:
SocksPort 9050 # Default: Bind to localhost:9050 for local connections.
SocksPort 9100 IsolateDestAddr IsolateDestPort
HTTPTunnelPort 9220 IsolateDestAddr IsolateDestPort
HTTPTunnelPort 9230
All these commands work:
curl -x socks5h://localhost:9050 https://check.torproject.org
curl -x socks5h://localhost:9100 https://check.torproject.org
curl -x http://localhost:9220 https://check.torproject.org
curl -x http://localhost:9230 https://check.torproject.org
Verbose curl output:
* Trying ::1:9220...
* connect to ::1 port 9220 failed: Connection refused
* Trying 127.0.0.1:9220...
* Connected to localhost (127.0.0.1) port 9220 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to check.torproject.org:443
> CONNECT check.torproject.org:443 HTTP/1.1
> Host: check.torproject.org:443
> User-Agent: curl/7.74.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.0 200 OK
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
...
Test case 2: Whonix Gateway with transparent proxy
Install as usual.
Works (from Workstation):
curl.anondist-orig -x socks5h://$(qubesdb-read /qubes-gateway):9162 https://check.torproject.org
Fails:
curl.anondist-orig -x http://$(qubesdb-read /qubes-gateway):9220 https://check.torproject.org
curl.anondist-orig -x http://$(qubesdb-read /qubes-gateway):9190 https://check.torproject.org
curl: (56) Recv failure: Connection reset by peer
Verbose curl output:
* Trying 10.137.0.160:9220...
* Connected to 10.137.0.160 (10.137.0.160) port 9220 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to check.torproject.org:443
> CONNECT check.torproject.org:443 HTTP/1.1
> Host: check.torproject.org:443
> User-Agent: curl/7.74.0
> Proxy-Connection: Keep-Alive
>
* Proxy CONNECT aborted
* CONNECT phase completed!
* Closing connection 0
curl: (56) Proxy CONNECT aborted
There is no further log in journalctl. Clearly, curl tried to use the HTTP CONNECT method in the same way, but fails.
I guess the next step would be to analyze network traffic with tcpdump or so?
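The two verbose traces above differ only in what comes back after the CONNECT request: a `HTTP/1.0 200 OK` status line in the vanilla case, nothing at all (the peer closes the socket) in the Whonix case. The following probe, an added example that is not part of this thread or of Whonix, sends the same CONNECT request curl does and maps the outcome onto the curl error codes seen in the thread; `build_connect_request`, `classify_connect_reply` and `probe_http_tunnel` are names chosen here, and only the standard-library `socket` module is used.

```python
import socket
from typing import Tuple

# Target used in the thread's curl commands.
DEFAULT_TARGET = ("check.torproject.org", 443)


def build_connect_request(host: str, port: int) -> bytes:
    """Build the CONNECT request curl sends for -x http://proxy (same header set as in the trace)."""
    return (
        f"CONNECT {host}:{port} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "User-Agent: http-tunnel-probe (constructed example)\r\n"
        "Proxy-Connection: Keep-Alive\r\n"
        "\r\n"
    ).encode("ascii")


def classify_connect_reply(data: bytes) -> Tuple[str, str]:
    """Map the bytes read after CONNECT to a verdict and a human-readable detail.

    An empty read means the peer closed the socket without a status line, which is
    what curl reports as 'Proxy CONNECT aborted' / 'Recv failure: Connection reset by peer'.
    """
    if not data:
        return "closed_without_reply", "peer closed the connection before sending a status line"
    head, _, _ = data.partition(b"\r\n")
    line = head.decode("latin-1", errors="replace")
    parts = line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        return "not_http", f"unexpected first line: {line!r}"
    if parts[1] == "200":
        return "tunnel_established", line
    return "proxy_refused", line


def probe_http_tunnel(proxy_host: str, proxy_port: int,
                      target=DEFAULT_TARGET, timeout: float = 10.0) -> Tuple[str, str]:
    """TCP-connect to the proxy, send CONNECT, and classify what happens.

    Failures before any reply are folded into the same vocabulary so the result can be
    compared with the curl codes in the thread: (7) refused, (28) timeout, (56) reset/aborted.
    """
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
            s.sendall(build_connect_request(*target))
            return classify_connect_reply(s.recv(4096))
    except ConnectionRefusedError:
        return "tcp_refused", "nothing is listening on that port (curl error 7)"
    except socket.timeout:
        return "tcp_timeout", "no TCP reply at all, likely filtered (curl error 28)"
    except ConnectionResetError:
        return "closed_without_reply", "connection reset by peer (curl error 56)"
```

Run from the Workstation as `probe_http_tunnel(gateway_ip, 9220)`; a `closed_without_reply` verdict with a live TCP connect confirms the thread's finding that the port is reachable but Tor drops the CONNECT.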