Opened 2 years ago

Closed 2 years ago

#23945 closed defect (worksforme)

Unable to Connect to Tor via a Proxy at 127.0.0.0/8

Reported by: cypherpunks
Owned by: brade
Priority: Medium
Milestone:
Component: Applications/Tor Launcher
Version:
Severity: Major
Keywords:
Cc: mcs, brade
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

During the initial startup, Tor Browser allows users to connect via a bridge or proxy to bypass restrictive firewalls. However, if the proxy server listens at 127.0.0.0/8, it's not possible to establish a connection to the Tor network, rendering Tor Browser useless.

It's known to affect every version of Tor Browser Bundle; TBB on Tails OS is also affected. Proxies at other private network ranges, such as 192.168.0.0/16, are not affected. Because a proxy server at 127.0.0.1 is provided by common tools (e.g. OpenSSH) and is more than useful for bypassing Internet censorship, this issue greatly affects the usability of Tor Browser Bundle, especially in places where the Internet is censored and anonymity is urgently needed, so the bug is qualified as "major" and should be fixed as soon as possible.

Currently, if users want to use a proxy in the 127.0.0.0/8 range, they can work around this issue by using a bridge and a local proxy at the same time. After connecting, it's even possible to turn off the bridge afterwards via Tor Button and use the local proxy alone.

The "torrc" files produced by Tor Browser Bundle have been inspected by the reporter; a suspicious difference was found and is believed to be the cause of the bug.

Reproduce

  1. Start a "SOCKS 5" proxy at 127.0.0.1, e.g. "ssh user@server -D 8080".
  2. Start Tor Browser Bundle.
  3. Choose "This computer's Internet connection is censored or proxied".
  4. "Does your ISP block or otherwise censor connections?" Answer "No".
  5. "Does this computer need to use a local proxy?" Answer "Yes".
  6. Enter the "SOCKS 5" proxy at 127.0.0.1 and its port, e.g. 127.0.0.1, port 8080.
  7. Tor Status showed Tor was trying to establish a connection, but waited here indefinitely.
  8. Tor failed to establish a Tor network connection.

See Appendix 1 and Appendix 2 for connection logs and generated "torrc" file.

Workaround

One can work around this issue by using a bridge and a local proxy at the same time.

  1. Repeat Step 1, 2, 3 in "Reproduce".
  2. "Does your ISP block or otherwise censor connections?" Answer "Yes".
  3. "Does this computer need to use a local proxy?" Answer "Yes".
  4. Select a built-in obfs4 transport.
  5. Enter the "SOCKS 5" proxy at 127.0.0.1 and its port, e.g. 127.0.0.1, port 8080.
  6. Tor connected to the network.

See Appendix 3 for generated "torrc" file.

Further Workaround

After connecting to the Tor network, it's even possible to remove the bridge, and Tor continues to work via the proxy server alone.

  1. Repeat all steps in "Workaround".
  2. Click Tor Button.
  3. Disable "My ISP blocks connections to the Tor network".
  4. Ensure "This computer goes through a firewall that only allows connections to certain ports" is not selected (the default).

See Appendix 4 for generated "torrc" file.

Further Reproduce

  1. Repeat Steps 1, 2.
  2. Enable "This computer goes through a firewall that only allows connections to certain ports".
  3. Ensure "Allowed ports" are "80,443" per default.

Tor Browser will stop working, and the generated "torrc" is identical to the initial broken one in "Reproduce" (Appendix 2).

Identifying the Issue

Comparing the "torrc" files generated each time, it's identified that these three lines appear only in "Reproduce".

ReachableAddresses *:80,*:443
ReachableAddresses reject *:*
ReachableAddresses reject *:*

It looks like, for some reason, these options prepared for a fascist firewall cannot be used with Socks5Proxy at the same time, at least for proxies that listen on 127.0.0.1.

Appendix 1: Logs for "Workaround".

[NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections. 
[NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections. 
[NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections. 
[NOTICE] Opening Socks listener on 127.0.0.1:9150 
[NOTICE] Bootstrapped 5%: Connecting to directory server 
[NOTICE] Bootstrapped 10%: Finishing handshake with directory server 
[NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150 
[NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections. 
[NOTICE] Closing old Socks listener on 127.0.0.1:9150
[WARN] Problem bootstrapping. Stuck at 10%: Finishing handshake with directory server. (DONE; DONE; count 10; recommendation warn; host [REDACTED] at [REDACTED]:80) 
[WARN] 10 connections have failed: 
[WARN]  10 connections died in state handshaking (TLS) with SSL state SSLv2/v3 read server hello A in HANDSHAKE 
[WARN] Problem bootstrapping. Stuck at 10%: Finishing handshake with directory server. (DONE; DONE; count 11; recommendation warn; host [REDACTED] at [REDACTED]:80) 
[WARN] 11 connections have failed: 
[WARN]  11 connections died in state handshaking (TLS) with SSL state SSLv2/v3 read server hello A in HANDSHAKE 
[NOTICE] Delaying directory fetches: DisableNetwork is set. 

Appendix 2: Generated "torrc" for "Reproduce".

# This file was generated by Tor; if you edit it, comments will not be preserved
# The old torrc file was renamed to torrc.orig.1 or similar, and Tor will ignore it

DataDirectory [REDACTED]
GeoIPFile [REDACTED]
GeoIPv6File [REDACTED]
Socks5Proxy 127.0.0.1:[REDACTED]
ReachableAddresses *:80,*:443
ReachableAddresses reject *:*
ReachableAddresses reject *:*

Appendix 3: Generated "torrc" for "Workaround".

# This file was generated by Tor; if you edit it, comments will not be preserved
# The old torrc file was renamed to torrc.orig.1 or similar, and Tor will ignore it

Bridge obfs4 [REDACTED]
Bridge obfs4 [REDACTED]
Bridge obfs4 [REDACTED]
Bridge obfs4 [REDACTED]
Bridge obfs4 [REDACTED]
[REDACTED ADDITIONAL LINE OF OBFS4 BRIDGES]
DataDirectory [REDACTED]
GeoIPFile [REDACTED]
GeoIPv6File [REDACTED]
Socks5Proxy 127.0.0.1:[REDACTED]
UseBridges 1

Appendix 4: Generated "torrc" for "Further Workaround".

# This file was generated by Tor; if you edit it, comments will not be preserved
# The old torrc file was renamed to torrc.orig.1 or similar, and Tor will ignore it

DataDirectory [REDACTED]
GeoIPFile [REDACTED]
GeoIPv6File [REDACTED]
Socks5Proxy 127.0.0.1:[REDACTED]
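The following checker is added here and is not part of the ticket, Tor or Tor Launcher. It parses a torrc shaped like Appendix 2 and evaluates its ReachableAddresses policy with Tor's documented semantics (ExitPolicy syntax, accept implied unless reject is given, first matching entry wins), showing that only port 80 and 443 targets pass the policy while relays on 90xx ports are excluded; the proxy port and the 198.51.100.0/24 target hosts are constructed placeholders.

```python
import ipaddress

# Constructed torrc modelled on Appendix 2; the proxy port is a placeholder.
TORRC = """\
Socks5Proxy 127.0.0.1:8080
ReachableAddresses *:80,*:443
ReachableAddresses reject *:*
ReachableAddresses reject *:*
"""

def parse_torrc(text):
    """Map each option name to the list of its values (options may repeat)."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            opts.setdefault(key, []).append(value.strip())
    return opts

def parse_policy(values):
    """Flatten ReachableAddresses into ordered (verdict, addr, port) rules."""
    rules = []
    for entry in (e.strip() for v in values for e in v.split(",")):
        verdict = "accept"  # ExitPolicy syntax: accept is implied without a verb
        if entry.startswith(("accept ", "reject ")):
            verdict, entry = entry.split(None, 1)
        addr, sep, port = entry.rpartition(":")
        rules.append((verdict, addr if sep else entry, port if sep else "*"))
    return rules

def _matches(addr, pport, host, port):
    in_addr = addr == "*" or ipaddress.ip_address(host) in ipaddress.ip_network(addr, False)
    return in_addr and (pport == "*" or int(pport) == port)

def reachable(rules, host, port):
    """First match wins; unmatched targets are accepted here, hence the trailing reject *:*."""
    for verdict, addr, pport in rules:
        if _matches(addr, pport, host, port):
            return verdict == "accept"
    return True

def diagnose(torrc_text, targets):
    """Is the proxy on loopback, and which (host, port) targets pass the policy?"""
    opts = parse_torrc(torrc_text)
    rules = parse_policy(opts.get("ReachableAddresses", []))
    proxy = opts.get("Socks5Proxy", [""])[0]
    loopback = bool(proxy) and ipaddress.ip_address(proxy.rsplit(":", 1)[0]).is_loopback
    return {"loopback_proxy": loopback,
            "reachable": {f"{h}:{p}": reachable(rules, h, p) for h, p in targets}}
```

Running diagnose over Appendix 2 reports a loopback proxy with port 80/443 targets allowed and 9001/9030 targets blocked, so if the directory servers on 80/443 cannot be reached through the proxy, bootstrap stalls as in Appendix 1.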

Change History (5)

comment:1 Changed 2 years ago by gk

Cc: mcs brade added
Component: changed from Applications/Tor Browser to Applications/Tor Launcher
Owner: changed from tbb-team to brade
Status: changed from new to needs_information

That's due to #11405. mcs/brade: do we want to do something here or do we think that's esoteric enough that users trying to use Tor Browser that way need to tweak their settings themselves?

comment:2 Changed 2 years ago by cypherpunks

Reproduce

Can't reproduce. No problems at all using TorBrowser with a "SOCKS 5" proxy at 127.0.0.1 on any port and the predefined ReachableAddresses policy.

comment:3 Changed 2 years ago by cypherpunks

Can't reproduce. No problems at all using TorBrowser with a "SOCKS 5" proxy at 127.0.0.1 on any port

What? So it means there isn't any bug at all, but just a result of my upstream ISP blocking some Tor authorities on ports 80 and 443, while relays with a 90xx high port are still free to access?! I don't see the reasoning here. It's quite unimaginable...

Sorry for the noise, I'm going to try it again with other upstream ISPs later and see if there's a difference...

comment:4 Changed 2 years ago by cypherpunks

my upstream ISP blocking some Tor authorities on ports 80 and 443, while relays with a 90xx high port are still free to access?!

Pay internet bill, maybe?

comment:5 in reply to: 1 Changed 2 years ago by mcs

Resolution: worksforme
Status: changed from needs_information to closed

Replying to gk:

That's due to #11405. mcs/brade: do we want to do something here or do we think that's esoteric enough that users trying to use Tor Browser that way need to tweak their settings themselves?

Kathy and I cannot reproduce this problem. We believe that this configuration works okay for most people, and ticket:11405#comment:7 provides a good rationale for why only using ports 80 and 443 is a good idea when a proxy is configured.