Opened 4 years ago

Last modified 2 years ago

#17038 new enhancement

Provide scripts to set up transparent proxying, where supported

Reported by: renne
Owned by:
Priority: Low
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version: Tor: unspecified
Severity: Normal
Keywords: torrc, transparent, proxy, lorax, tor-client intro, linux, bsd
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Setting up a transparent TOR proxy is quite complicated when it comes to firewall rules (e.g. IPTables). Any configuration slip breaks the anonymity.

So I suggest adding the options 'Trans{Local|MiddleBox}IPv{4|6}' to torrc, which automagically configure a transparent TOR proxy with all necessary settings (e.g. IPTables rules, system resolver set-up with .onion).

Child Tickets

Change History (4)

comment:1 Changed 4 years ago by yawning

Keywords: lorax added; TOR removed
Milestone: Tor: very long term
Priority: normal → minor

I don't think this is a good idea because:

a) Such features are non-portable.
b) Such things need to run as a privileged user, when the daemon should strive to drop as soon as possible.
c) It will likely be doomed to be either overly fragile (breaking in mysterious/annoying to debug ways depending on the user's existing setup), overly complicated, or both.

If someone else wants to go and implement such a thing, great, but I don't think this is worth prioritizing over any of the other core tor work. Triaging as such.

comment:2 Changed 3 years ago by nickm

Milestone: Tor: very long term → Tor: unspecified
Severity: Normal
Summary: New torrc options 'Trans{Local|MiddleBox}IPv{4|6}' to automagically set up transparent proxying → Provide scripts to set up transparent proxying, where supported

Agreed that doing it at the Tor level isn't the best idea: most of Tor doesn't actually need root, so adding more pieces that do would probably be a bad idea for security.

But instead of baking this into Tor, maybe we could just ship scripts that show you how to do it right on different platforms. They'd require root, but at least they'd work, and show you how to do it.

Scripts like this would also make it easier for us to test that our transparent proxy support was actually working, and help us avoid embarrassing bugs like #18100.

If anybody's interested in writing something like this, please feel free to work one platform at a time.
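An added example, not part of the ticket and not Tor project code: a check that a per-platform script could run after loading its rules, in line with the testing point in comment:2. It reads IPv4 `iptables-save` output and reports the kind of slip the description warns about. The uid 107 and ports 9040/5353 in the constructed sample are assumptions, and IPv6 needs the same check against `ip6tables-save`.

```shell
# Added example: reads iptables-save text on stdin, prints one finding per line, fails on any.
audit_rules() {
  awk '
    /^\*/         { table = substr($0, 2); next }
    /^:OUTPUT /   { policy[table] = $2; next }
    /^-A OUTPUT / {
      if (table == "filter") last = $0
      if (table != "nat") next
      # Tor must be exempted before any REDIRECT, or its own traffic loops.
      if (/--uid-owner/ && /-j RETURN/ && !redir) exempt = 1
      if (/-j REDIRECT/) {
        redir = 1
        if (/-p udp/ && /--dport 53 /) dns = 1
        if (/-p tcp/) tcp = 1
      }
    }
    END {
      if (!exempt) f[++n] = "nat: no --uid-owner RETURN before the first REDIRECT"
      if (!dns)    f[++n] = "nat: udp/53 is not redirected, DNS leaves in the clear"
      if (!tcp)    f[++n] = "nat: no tcp REDIRECT to the TransPort"
      if (policy["filter"] != "DROP" && last !~ /^-A OUTPUT -j (REJECT|DROP)/)
        f[++n] = "filter: OUTPUT does not end in REJECT/DROP, unredirected traffic escapes"
      for (i = 1; i <= n; i++) print f[i]
      exit (n > 0)
    }'
}
# Constructed sample ruleset: uid 107, TransPort 9040 and DNSPort 5353 are assumptions.
good_rules() {
  cat <<'EOF'
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m owner --uid-owner 107 -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -d 127.0.0.0/8 -j RETURN
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 127.0.0.0/8 -j ACCEPT
-A OUTPUT -m owner --uid-owner 107 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}
# The same rules with the final REJECT lost: one slip, and UDP/ICMP bypass Tor.
leaky_rules() { good_rules | grep -v -- '-j REJECT'; }
good_rules | audit_rules && echo "constructed sample: no findings"
```

On a live host the input would be `iptables-save | audit_rules`, run as root.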

comment:3 Changed 2 years ago by nickm

Keywords: tor-client intro added

comment:4 Changed 2 years ago by nickm

Keywords: linux bsd added