Opened 8 years ago

Closed 6 years ago

Last modified 5 years ago

#8137 closed defect (fixed)

add option to allow connections to local addresses

Reported by: proper
Owned by: dgoulet
Priority: Medium
Milestone:
Component: Core Tor/Torsocks
Version:
Severity: Normal
Keywords:
Cc: intrigeri@…, sajolida@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

libtorsocks(11014): connect: Connection is to a local address (192.168.0.10), may be a TCP DNS request to a local DNS server so have to reject to be safe. Please report a bug to http://code.google.com/p/torsocks/issues/entry if this is preventing a program from working properly with torsocks.

Please add an option to allow connections to local addresses. Tor doesn't always run on 127.0.0.1, sometimes it's run on a machine on the local LAN. This is also the case for Whonix, which is a two-machine approach, where Tor runs by design on another machine on the local LAN.

Attachments (1)

0001-Add-AllowOutboundLocalhost.patch (5.6 KB) - added by yawning 6 years ago.

Change History (31)

comment:1 Changed 8 years ago by sysrqb

This only occurs when the application attempts to establish a connection to a local IP address, not when the Tor client (or other SOCKS proxy) is run on another IP address and Torsocks connects to it. Torsocks should not (and cannot if proxying via Tor) make connections for an application on a non-public IP.

If this isn't the case, then can you provide more details about when Torsocks is denying connections to a non-local proxy? Debug logs may help a little too.

comment:2 Changed 8 years ago by proper

Please tell me if I can do anything else for debugging.

/etc/torsocks.conf on Debian Wheezy

# This is the configuration for libtorsocks (transparent socks) for use
# with tor, which is providing a socks server on port 9050 by default.
#
# Lines beginning with # and blank lines are ignored
#
# The basic idea is to specify:
#       - Local subnets - Networks that can be accessed directly without
#                         assistance from a socks server
#       - Paths - Paths are basically lists of networks and a socks server
#                 which can be used to reach these networks
#       - Default server - A socks server which should be used to access
#                          networks for which no path is available
# Much more documentation than provided in these comments can be found in
# torsocks.conf(5) and usewithtor(1) manpages.

# We specify local as 127.0.0.0 - 127.191.255.255 because the
# Tor MAPADDRESS virtual IP range is the rest of net 127.
# Torsocks also treats as local all the subnets that Tor does.
local = 127.0.0.0/255.128.0.0
local = 127.128.0.0/255.192.0.0
local = 169.254.0.0/255.255.0.0
local = 172.16.0.0/255.240.0.0
local = 192.168.0.0/255.255.0.0
  
# Default server
# For connections that aren't to the local subnets 
# the server at 127.0.0.1 should be used (again, hostnames could be used
# too, see note above)
server = 192.168.0.10

# SOCKS server type defaults to 4
server_type = 5

# The port defaults to 1080 but I've stated it here for clarity
server_port = 9159

# Username and password (if required on a SOCKSv5 server)
#default_user =
#default_pass =

# Paths
# For this example this machine needs to access 150.0.0.0/255.255.0.0 as
# well as port 80 on the network 150.1.0.0/255.255.0.0 through
# the socks 5 server at 10.1.7.25 (if this machines hostname was
# "socks.hello.com" we could also specify that, unless --disable-hostnames
# was specified to ./configure).

#path {
#        reaches = 150.0.0.0/255.255.0.0
#        reaches = 150.1.0.0:80/255.255.0.0
#        server = 10.1.7.25
#        server_type = 5
#        default_user = delius
#        default_pass = hello
#}
#

Enabled debugging with:

export TORSOCKS_DEBUG=1

Feel free to stop downloading after seeing the error message.

torsocks git clone git://git.immerda.ch/amnesia.git
libtorsocks(26959): The symbol getipnodebyname() was not found in any shared library. The error reported was: not found!
libtorsocks(26960): The symbol getipnodebyname() was not found in any shared library. The error reported was: not found!
libtorsocks(26957): The symbol getipnodebyname() was not found in any shared library. The error reported was: not found!
libtorsocks(26961): The symbol getipnodebyname() was not found in any shared library. The error reported was: not found!
libtorsocks(26962): The symbol getipnodebyname() was not found in any shared library. The error reported was: not found!
libtorsocks(26963): The symbol getipnodebyname() was not found in any shared library. The error reported was: not found!
libtorsocks(26964): The symbol getipnodebyname() was not found in any shared library. The error reported was: not found!
libtorsocks(26965): The symbol getipnodebyname() was not found in any shared library. The error reported was: not found!
libtorsocks(26966): The symbol getipnodebyname() was not found in any shared library. The error reported was: not found!
libtorsocks(26967): The symbol getipnodebyname() was not found in any shared library. The error reported was: not found!
libtorsocks(26961): The symbol getipnodebyname() was not found in any shared library. The error reported was: not found!
libtorsocks(26969): The symbol getipnodebyname() was not found in any shared library. The error reported was: not found!
libtorsocks(26971): The symbol getipnodebyname() was not found in any shared library. The error reported was: not found!
libtorsocks(26972): The symbol getipnodebyname() was not found in any shared library. The error reported was: not found!
libtorsocks(26961): The symbol getipnodebyname() was not found in any shared library. The error reported was: not found!
Cloning into 'amnesia'...
libtorsocks(26961): connect: Connection is to a local address (192.168.0.10), may be a TCP DNS request to a local DNS server so have to reject to be safe. Please report a bug to http://code.google.com/p/torsocks/issues/entry if this is preventing a program from working properly with torsocks.
libtorsocks(26974): The symbol getipnodebyname() was not found in any shared library. The error reported was: not found!
^Cmote: Counting objects: 38787 

Git fetch causes similar error messages.
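
An added example, not part of the ticket and not torsocks code: a small Python audit of the torsocks 1.x configuration posted in comment 2, showing that the configured `server` address falls inside one of the file's own `local` ranges and is the address named in the rejection message. It models only the `local =` lines; the file's comment says torsocks also treats as local the subnets that Tor does, and those are not modelled. The function names are hypothetical.

```python
import ipaddress

# Constructed sample: the active directives from the torsocks.conf in comment 2.
SAMPLE_CONF = """\
# Lines beginning with # and blank lines are ignored
local = 127.0.0.0/255.128.0.0
local = 127.128.0.0/255.192.0.0
local = 169.254.0.0/255.255.0.0
local = 172.16.0.0/255.240.0.0
local = 192.168.0.0/255.255.0.0

server = 192.168.0.10
server_type = 5
server_port = 9159
"""


def parse_conf(text):
    """Parse 'key = value' lines; return (local_networks, other_settings).

    Only the flat directives shown in the ticket are handled; 'path { }'
    blocks are rejected rather than guessed at.
    """
    local_nets, settings = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: unsupported directive {line!r}")
        key, value = key.strip(), value.strip()
        if key == "local":
            # strict=True rejects entries whose host bits are set, e.g.
            # 192.168.0.10/255.255.0.0, which usually signals a typo.
            local_nets.append(ipaddress.IPv4Network(value, strict=True))
        else:
            settings[key] = value
    return local_nets, settings


def matching_local(addr, local_nets):
    """Return the 'local' network containing addr, or None."""
    ip = ipaddress.IPv4Address(addr)
    return next((net for net in local_nets if ip in net), None)


def audit(text, destinations):
    """Classify the SOCKS server and each destination against 'local'."""
    local_nets, settings = parse_conf(text)
    server = settings.get("server")
    try:
        server_net = matching_local(server, local_nets) if server else None
    except ValueError:  # server given as a hostname, not an address literal
        server_net = None
    return {
        "server": server,
        "server_in_local": server_net,
        "destinations": {d: matching_local(d, local_nets) for d in destinations},
    }


if __name__ == "__main__":
    # Two addresses from the ticket plus one constructed address from the
    # part of net 127 that the config comment leaves to Tor's MAPADDRESS.
    result = audit(SAMPLE_CONF, ["192.168.0.10", "207.97.227.239", "127.192.0.1"])
    print("server", result["server"], "inside", result["server_in_local"])
    for dest, net in result["destinations"].items():
        print(dest, "->", f"local ({net})" if net else "not in a local range")
```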

comment:3 Changed 8 years ago by sysrqb

Hm, I can't reproduce this with master. It's possible this was fixed since the last deb was created (I don't have a debian install on-hand to check). If possible, can you try installing the latest -rc that Jake released[1] (or git master) and let us know if you still receive that error?

$ torsocks git clone git://git.immerda.ch/amnesia.git
Cloning into 'amnesia'...
remote: Counting objects: 37352

Also, I note that rejecting that connection was not fatal, so I'm not sure exactly what it's trying to do.

[1] https://people.torproject.org/~ioerror/torsocks-1.3.tar.gz

comment:4 Changed 8 years ago by proper

I'll test as soon as a cryptographic signature is provided for 1.3 rc. intrigeri already asked for one. (Re: [tor-dev] final torsocks RC 1.3 tar.gz up for testing)

comment:5 Changed 8 years ago by proper

Tested with 1.3 final, the error persists.

(Here is what I did:)

#On Debian

git clone https://git.torproject.org/torsocks.git
git tag -v 1.3
sudo apt-get build-dep torsocks
sudo apt-get remove torsocks
./autogen.sh
./configure
make
sudo make install

comment:6 Changed 8 years ago by proper

It's now completely broken, since the switch from 1.2 (Debian) to 1.3 (torproject git).

Config remained the same as posted above.

# Just to show, the Tor is really accessible on that port.
/tmp $ /usr/bin/wget 192.168.0.10:9159
--2013-02-12 05:13:44--  http://192.168.0.10:9159/
Connecting to 192.168.0.10:9159... connected.
HTTP request sent, awaiting response... 501 Tor is not an HTTP Proxy
2013-02-12 05:13:44 ERROR 501: Tor is not an HTTP Proxy.
# external service was up
/tmp $ nslookup github.com
Server:         192.168.0.10
Address:        192.168.0.10#53

Non-authoritative answer:
Name:   github.com
Address: 207.97.227.239
/tmp $ torsocks git clone https://github.com/adrelanos/Whonix.git
libtorsocks(7396): WARNING: The symbol getipnodebyname() was not found in any shared library with the reported error: Not Found!
  Also, we failed to find the symbol __getipnodebyname() with the reported error: Not Found
libtorsocks(7397): WARNING: The symbol getipnodebyname() was not found in any shared library with the reported error: Not Found!
  Also, we failed to find the symbol __getipnodebyname() with the reported error: Not Found
libtorsocks(7394): WARNING: The symbol getipnodebyname() was not found in any shared library with the reported error: Not Found!
  Also, we failed to find the symbol __getipnodebyname() with the reported error: Not Found
Cloning into 'Whonix'...
libtorsocks(7398): WARNING: The symbol getipnodebyname() was not found in any shared library with the reported error: Not Found!
  Also, we failed to find the symbol __getipnodebyname() with the reported error: Not Found
libtorsocks(7398): do_resolve: error connecting to SOCKS server
libtorsocks(7398): failed to resolve: github.com
libtorsocks(7398): do_resolve: error connecting to SOCKS server
libtorsocks(7398): failed to resolve: github.com
error: Couldn't resolve host 'github.com' while accessing https://github.com/adrelanos/Whonix.git/info/refs
fatal: HTTP request failed

comment:7 Changed 8 years ago by proper

wget is now completely broken.

/tmp $ torsocks wget https://check.torproject.org
libtorsocks(8777): WARNING: The symbol getipnodebyname() was not found in any shared library with the reported error: Not Found!
  Also, we failed to find the symbol __getipnodebyname() with the reported error: Not Found
libtorsocks(8778): WARNING: The symbol getipnodebyname() was not found in any shared library with the reported error: Not Found!
  Also, we failed to find the symbol __getipnodebyname() with the reported error: Not Found
libtorsocks(8775): WARNING: The symbol getipnodebyname() was not found in any shared library with the reported error: Not Found!
  Also, we failed to find the symbol __getipnodebyname() with the reported error: Not Found
--2013-02-12 --  https://check.torproject.org/
Resolving check.torproject.org (check.torproject.org)... libtorsocks(8775): do_resolve: error connecting to SOCKS server
libtorsocks(8775): failed to resolve: check.torproject.org
failed: Name or service not known.
wget: unable to resolve host address `check.torproject.org'
/tmp $ 

curl has a lot of warnings and debug output, but still works.

/tmp $ torsocks curl https://check.torproject.org
libtorsocks(8900): WARNING: The symbol getipnodebyname() was not found in any shared library with the reported error: Not Found!
  Also, we failed to find the symbol __getipnodebyname() with the reported error: Not Found
libtorsocks(8901): WARNING: The symbol getipnodebyname() was not found in any shared library with the reported error: Not Found!
  Also, we failed to find the symbol __getipnodebyname() with the reported error: Not Found
libtorsocks(8898): WARNING: The symbol getipnodebyname() was not found in any shared library with the reported error: Not Found!
  Also, we failed to find the symbol __getipnodebyname() with the reported error: Not Found
this is curl wrapper. caller: 
libtorsocks(8902): WARNING: The symbol getipnodebyname() was not found in any shared library with the reported error: Not Found!
  Also, we failed to find the symbol __getipnodebyname() with the reported error: Not Found
libtorsocks(8903): WARNING: The symbol getipnodebyname() was not found in any shared library with the reported error: Not Found!
  Also, we failed to find the symbol __getipnodebyname() with the reported error: Not Found
libtorsocks(8904): WARNING: The symbol getipnodebyname() was not found in any shared library with the reported error: Not Found!
  Also, we failed to find the symbol __getipnodebyname() with the reported error: Not Found
libtorsocks(8905): WARNING: The symbol getipnodebyname() was not found in any shared library with the reported error: Not Found!
  Also, we failed to find the symbol __getipnodebyname() with the reported error: Not Found
libtorsocks(8906): WARNING: The symbol getipnodebyname() was not found in any shared library with the reported error: Not Found!
  Also, we failed to find the symbol __getipnodebyname() with the reported error: Not Found
libtorsocks(8907): WARNING: The symbol getipnodebyname() was not found in any shared library with the reported error: Not Found!
  Also, we failed to find the symbol __getipnodebyname() with the reported error: Not Found
libtorsocks(8908): WARNING: The symbol getipnodebyname() was not found in any shared library with the reported error: Not Found!
  Also, we failed to find the symbol __getipnodebyname() with the reported error: Not Found
libtorsocks(8902): WARNING: The symbol getipnodebyname() was not found in any shared library with the reported error: Not Found!
  Also, we failed to find the symbol __getipnodebyname() with the reported error: Not Found
libtorsocks(8910): WARNING: The symbol getipnodebyname() was not found in any shared library with the reported error: Not Found!
  Also, we failed to find the symbol __getipnodebyname() with the reported error: Not Found
libtorsocks(8912): WARNING: The symbol getipnodebyname() was not found in any shared library with the reported error: Not Found!
  Also, we failed to find the symbol __getipnodebyname() with the reported error: Not Found
libtorsocks(8913): WARNING: The symbol getipnodebyname() was not found in any shared library with the reported error: Not Found!
  Also, we failed to find the symbol __getipnodebyname() with the reported error: Not Found
libtorsocks(8902): WARNING: The symbol getipnodebyname() was not found in any shared library with the reported error: Not Found!
  Also, we failed to find the symbol __getipnodebyname() with the reported error: Not Found
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<title>Are you using Tor?</title>
<link rel="shortcut icon" type="image/x-icon" href="./favicon.ico">
<style type="text/css">
img,acronym {
  border: 0;  text-decoration: none;}</style></head>
<body>
<center>

<img alt="Congratulations. Your browser is configured to use Tor." src="/images/tor-on.png">
<br><h1 style="color: #0A0">
Congratulations. Your browser is configured to use Tor.<br>
<br>
</h1>
Please refer to the <a href="https://www.torproject.org/">Tor website</a> for further information about using Tor safely.  You are now free to browse the Internet anonymously.<br>
<br>

<br>
Your IP address appears to be: <b>74.3.165.39</b><br>
<small>
<tt><br>
<br>
<p>This page is also available in the following languages:</p></tt></small></center>
</body></html>/tmp $

comment:8 Changed 8 years ago by proper

Forgot to mention.

After

git tag -v 1.3

I of course did a

git checkout 1.3.

comment:9 Changed 8 years ago by sysrqb

The getipnodebyname warnings are not surprising and can be ignored. The lines

libtorsocks(7398): do_resolve: error connecting to SOCKS server
libtorsocks(7398): failed to resolve: github.com

explain the outcome but they indicate that the issue is a connectivity problem between client and server. Yet, curl was successful. Does curl resolve names a different way?

comment:10 Changed 8 years ago by proper

> Does curl resolve names a different way?

I don't know that.

comment:11 Changed 8 years ago by proper

Apparently, I messed up TORSOCKS_CONF_FILE.

  • #8220: "add TORSOCKS_CONF_FILE to debug output"
  • #8221: "add configuration to debug output"

The do_resolve / failed to resolve error is solved.

comment:12 in reply to:  3 Changed 8 years ago by proper

Back to the original question.

Running.

torsocks /usr/bin/git clone git://git.immerda.ch/amnesia.git

Results in

libtorsocks(23746): connect: Connection is to a local address (192.168.0.10), may be a TCP DNS request to a local DNS server so have to reject to be safe. Please report a bug to http://code.google.com/p/torsocks/issues/entry if this is preventing a program from working properly with torsocks.

Also when using 1.3.

It's non-fatal, connection still succeeds.

Can you please fix this warning?

comment:13 Changed 8 years ago by intrigeri

Cc: intrigeri@… added

comment:14 Changed 8 years ago by sysrqb

Is this Wheezy 32- or 64-bit? I'm having trouble reproducing on 64-bit Wheezy right now.

comment:15 Changed 8 years ago by proper

Wheezy 32 bit.

comment:16 Changed 8 years ago by sysrqb

Quick update: currently this bug only seems to non-fatally affect operations using the git protocol.

comment:17 Changed 8 years ago by proper

It lets KGpg fail fatally (wrapped gpg with torsocks), because it doesn't understand the torsocks error message.

Gpg itself also fails non-fatally.

comment:18 in reply to:  17 ; Changed 8 years ago by cypherpunks

Replying to proper:

> It lets KGpg fail fatally (wrapped gpg with torsocks), because it doesn't understand the torsocks error message.

Can you grab a stack trace of this crash?

> Gpg itself also fails non-fatally.

Is this the same situation as we have with git? If so, I'm beginning to think this is the correct behavior because the connections appear to be dns lookups to a local dns server (at least that's what it appears to be in my local tests). Was 192.168.0.10 also a dns server in your environment (in addition to a Tor client)?

comment:19 in reply to:  18 Changed 8 years ago by proper

Replying to cypherpunks:

> Replying to proper:
>
> > It lets KGpg fail fatally (wrapped gpg with torsocks), because it doesn't understand the torsocks error message.
>
> Can you grab a stack trace of this crash?

Sorry for my wording. "Fails fatally" shouldn't mean crash of kgpg. When I clicked on details after trying to connect, I saw the torsocks warning (the usual ...may be a TCP DNS reque...).

The problem is, kgpg wants to parse gpg's output and gets confused by the torsocks warning.

> > Gpg itself also fails non-fatally.
>
> Is this the same situation as we have with git?

Yes.

gpg --recv-keys 9B157153925C303A42253AFB9C131AD3713AAEEF
gpg: requesting key 713AAEEF from hkp server pool.sks-keyservers.net
18:28:01 libtorsocks(4719): connect: Connection is to a local address (192.168.0.10), may be a TCP DNS request to a local DNS server so have to reject to be safe. Please report a bug to http://code.google.com/p/torsocks/issues/entry if this is preventing a program from working properly with torsocks.
gpg: key 713AAEEF: "adrelanos <adrelanos at riseup dot net>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1

> Was 192.168.0.10 also a dns server in your environment

Yes.

(Same non-fatal fail when /etc/resolv.conf is empty on 192.168.0.11 and if that DnsPort on 192.168.0.10 is disabled.)

> If so, I'm beginning to think this is the correct behavior because the connections appear to be dns lookups to a local dns server (at least that's what it appears to be in my local tests).

Ok, I understand. Could you add an option (configuration file, environment variable or command line switch) to suppress that warning please?

comment:20 Changed 6 years ago by bersam

What happened to this ticket? Do any of these repos work properly for this option?

comment:21 Changed 6 years ago by Awgust

Just googled that bug, because of the problem with my ssh.
I have a virtual vde2 network that works already.
I started one more vde hub for internal network, and ran whonix gw and whonix workstation without any modifications under qemu.
So apt-get install ... works from both gw and wks.
But when I try to ssh from workstation to another address inside of my local network 10.x.x.x/24 - libtorsocks complains about TCP DNS request and refuses to connect. When I ssh to the external address of the same box - it works.

Connection is to local address (), may be a TCP DNS request to a local DNS server so have to reject to be safe. Please report a bug etc

Whonix 9.3
Linux host 3.2.0-4-686-pae Debian 3.2.60-1+deb7u3 i686

comment:22 Changed 6 years ago by proper

Awgust: This is more of a Whonix support question. Use: https://www.whonix.org/forum/

comment:23 Changed 6 years ago by intrigeri

Due to this missing feature, we at Tails have to use tsocks instead of torsocks more than we would like, e.g. https://git-tails.immerda.ch/tails/commit/?h=bugfix/8680-git-without-polipo&id=c81d8d683844520c8e476cc9bc24418bd497391b.

comment:24 Changed 6 years ago by intrigeri

Owner: changed from ioerror to dgoulet
Status: new → assigned

comment:25 Changed 6 years ago by proper

Does dgoulet use this bug tracker yet for torsocks 2.x?

I think we should start with a fresh ticket. All that has been said here was about the now deprecated torsocks 1.x.

Changed 6 years ago by yawning

comment:26 Changed 6 years ago by yawning

Status: assigned → needs_review

This caught my eye as I was looking over the bugs. See the attached patch. It only fixes intrigeri's issue since that is dead easy. I don't have the time or motivation to bring back the old "local" config directive, although that would be needed for the default VirtualAddrNetworkIPv4/IPv6 config.

Somewhat tested in that:

  • It compiles.
  • The unit tests didn't break (Didn't add any because I'm a bad person).
  • Connections to a httpd on 127.0.0.1:someport with aria2c via torsocks:
    • Fail without any option.
    • Fail with the option set to 0.
    • Succeed with the option set to 1.

comment:27 in reply to:  25 Changed 6 years ago by intrigeri

Replying to proper:

> Does dgoulet use this bug tracker yet for torsocks 2.x?

I've asked David before assigning to him, and he said OK, so presumably yes.

comment:28 Changed 6 years ago by dgoulet

Resolution: fixed
Status: needs_review → closed

Thanks yawning, I've merged the patch!

I agree with proper here, I will open a new ticket because this one applies to torsocks 1.x and I much prefer if things are separated so we stop the "spaghetti effect" with application version vs tickets.

Closing it, will refer this ticket to the new one I'll create in a jiffy.

comment:29 Changed 6 years ago by sajolida

Cc: sajolida@… added

comment:30 Changed 5 years ago by sajolida

Severity: Normal

See #16765, pending for review.
