wiki:doc/TorifyHOWTO/Mumble

WARNING

The intent of this guide is to show users how to run Mumble over the Tor network; we are not vouching for the security of Mumble itself. For chat, some type of XMPP client supporting OTR would likely be a more secure solution, due to many of the properties that OTR offers that Mumble does not (End-To-End Encryption, Deniability, Forward Secrecy, etc).

As for VoIP, a SIP client supporting ZRTP would generally be considered safer than Mumble's design. However, there are relatively few SIP clients that support ZRTP, and even fewer that play well with Tor. While Mumble's design is not obviously broken, it does not provide things like Forward Secrecy, End-To-End Encryption, or many of the other features that the ZRTP protocol offers.

Last edited 2013-08-26

Mumble

Mumble is a low-latency VoIP (Voice over IP) and chat software. It is distributed under the New BSD License. Users can use Mumble to connect to a public Murmur server or set up their own server to connect to, and then communicate with multiple parties at once by voice or by chat.

Acquiring Mumble

Mumble configuration

Torsocks method

We recommend using torsocks 2.x, rather than torsocks 1.x (which is the version currently in deb repositories). There are a number of bugs in Torsocks 1.x, which are fixed in the newer version. Currently it is possible to get torsocks 2.x from git using git clone https://git.torproject.org/torsocks.git, and then compiling.

Mumble can be used with Tor by starting it from the command line with the command torify mumble. Using Wireshark/tcpdump, we did not detect any leaks while using torsocks.

By default, Mumble uses UDP for its voice channel and TCP for its control channel. Since Tor doesn't transport UDP, you will need to tick the 'Force TCP mode' box in the network settings so that voice and chat are both sent over Mumble's TCP control channel. Alternatively, if you are running your own Murmur server, you can block UDP at the server with iptables (see below).

There are a number of other settings here you may also want to enable/disable, based on your preference. For example, 'Reconnect automatically', 'Reconnect to last server on start up', 'Submit anonymous statistics' and 'Suppress certificate and password storage'.

If you use Mumble on Tails, you must start Mumble with the command torify mumble or the Tails firewall will prevent you from connecting. Mumble does not ship with Tails by default. To use it you will need to install it using:

sudo apt-get update && sudo apt-get -y install mumble

Mumble proxy settings method

Configuring Mumble to route its connections through a SOCKS5 proxy on 127.0.0.1 port 9050 leaks DNS requests. Any Mumble server running as a hidden service will also be unreachable using this method. We did not detect any leaks when connecting to Mumble servers by IP address only. However, simply having servers with domain names in your favorites will cause Mumble to attempt a DNS lookup. The same behavior can be observed when using an HTTP proxy with Mumble.

For the reasons stated above, we cannot recommend configuring Mumble through the Network Proxy settings. The only recommended way of running Mumble over Tor is with torsocks.
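A leak check in the spirit of the Wireshark/tcpdump verification mentioned above, as an added example that is not part of the original guide: it scans tcpdump -n text output for DNS queries and for packets sent directly to the Murmur port. The interface name eth0, the function name find_leaks and the sample capture lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: flag packets that bypassed Tor in a tcpdump text capture.
# Capture on the external interface while Mumble runs (eth0 is an assumption):
#   tcpdump -n -i eth0 > capture.txt
MURMUR_PORT=64738   # default Murmur port named on this page

# Print one line per leaked packet; return 1 if any were seen, 0 if none.
find_leaks() {  # usage: find_leaks CAPTURE_FILE
    awk -v mport="$MURMUR_PORT" '
        $2 == "IP" || $2 == "IP6" {
            dst = $5; sub(/:$/, "", dst)     # "192.168.1.1.53:" -> "192.168.1.1.53"
            n = split(dst, part, ".")
            want = ($2 == "IP") ? 5 : 2      # address components plus the port
            if (n != want) next              # no port present (e.g. ICMP)
            port = part[n]                   # tcpdump -n appends the port last
            if (port == 53)         { print "DNS leak: " $0; bad++ }
            else if (port == mport) { print "direct Murmur traffic: " $0; bad++ }
        }
        END { exit (bad > 0) }' "$1"
}

# Constructed sample capture (documentation addresses, not real traffic):
# a DNS query and its reply, Tor relay traffic, and a direct UDP voice packet.
cap=$(mktemp)
cat > "$cap" <<'EOF'
12:00:01.000001 IP 192.168.1.10.51234 > 192.168.1.1.53: 4660+ A? mumble.example.org. (36)
12:00:01.020000 IP 192.168.1.1.53 > 192.168.1.10.51234: 4660 1/0/0 A 203.0.113.5 (52)
12:00:02.000000 IP 192.168.1.10.40112 > 198.51.100.7.9001: Flags [P.], seq 1:544, ack 1, win 502, length 543
12:00:03.000000 IP 192.168.1.10.47001 > 203.0.113.5.64738: UDP, length 64
EOF

find_leaks "$cap" || echo "leaks found: Mumble traffic is not confined to Tor"
```

A capture taken while Mumble runs under torsocks should produce no output from find_leaks; the DNS line above is what the proxy-settings method produces when a favorite is stored by domain name.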

Murmur

Murmur is the server software for Mumble. On Debian the package is named mumble-server.

Murmur configuration

Note: The instructions below were written for use with the official Murmur implementation.

For further details regarding Murmur setup/configuration, please see the official Murmur setup guide at http://mumble.sourceforge.net/Murmurguide.

Firewall rules

"64738" is currently the default port for Murmur. If you have changed the port that Murmur uses, please adjust the rules below to reflect your changes.

Iptables rules:

-A INPUT -p tcp -m tcp --dport 64738 -j ACCEPT
-A INPUT -p udp -m udp --dport 64738 -j ACCEPT
-A INPUT -j DROP

pf rules:

pass in quick inet proto tcp from any to $ext_if port 64738 keep state
pass in quick inet proto udp from any to $ext_if port 64738 keep state

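If you want to force TCP at the server, remove the UDP rule from the iptables/pf rules above. In the iptables example, UDP to the Murmur port then falls through to the final DROP rule; with pf, this only blocks UDP if your ruleset blocks inbound traffic by default, since the rules above contain no block rule.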

Hidden Service configuration

It is possible to set up a Murmur server as a hidden service. To do this you need to edit /etc/mumble-server.ini, which is the default Murmur configuration file. Add (or uncomment and edit) this line:

host=127.0.0.1

You may also want to set a password for your server or change the port your server listens on. To do so, edit these lines as well:

serverpassword=neitherwordsnorsilence
port=64738 

You will need to restart mumble-server/murmurd for the changes to take effect.

You also need to edit your torrc file. Add (or uncomment and edit) these lines:

HiddenServiceDir /var/lib/tor/hidden_service
HiddenServicePort 64738 127.0.0.1:64738 # Adjust port to match Murmur configuration

Restart Tor to get your hidden service address from /var/lib/tor/hidden_service/hostname.
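One way to check the two files against each other before restarting, as an added example that is not part of the original guide: it verifies that Murmur is bound to 127.0.0.1 (with host unset, Murmur binds to all addresses and is reachable outside Tor) and that a HiddenServicePort line forwards to the port Murmur listens on. The function names ini_get and check_murmur_onion and the sample files are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: check that mumble-server.ini and torrc agree before going live.

# Print the last uncommented value of KEY in an ini-style file.
ini_get() {  # usage: ini_get KEY FILE
    awk -v k="$1" '
        /^[ \t]*[;#]/ { next }                       # skip comment lines
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
            if (key != k) next
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)       # trim surrounding whitespace
        }
        END { print val }' "$2"
}

# Return 0 if Murmur binds to loopback and Tor forwards to the same port.
check_murmur_onion() {  # usage: check_murmur_onion MUMBLE_INI TORRC
    host=$(ini_get host "$1"); port=$(ini_get port "$1"); rc=0
    port=${port:-64738}            # Murmur default when port= is not set
    case "$host" in
        127.0.0.1) ;;
        "") echo "FAIL: host unset, Murmur binds to all addresses"; rc=1 ;;
        *)  echo "FAIL: host=$host is not 127.0.0.1"; rc=1 ;;
    esac
    # Option names are case-insensitive; a target without ":" is a bare port.
    if ! awk -v want="127.0.0.1:$port" '
        { sub(/#.*/, "") }
        tolower($1) == "hiddenserviceport" {
            target = (NF >= 3) ? $3 : $2
            if (target !~ /:/) target = "127.0.0.1:" target
            if (target == want) found = 1
        }
        END { exit (found ? 0 : 1) }' "$2"
    then
        echo "FAIL: no HiddenServicePort forwards to 127.0.0.1:$port"; rc=1
    fi
    return $rc
}

# Constructed sample files mirroring the settings on this page.
d=$(mktemp -d)
printf 'host=127.0.0.1\nport=64738 \n' > "$d/good.ini"
printf ';host=127.0.0.1\nport=64738\n' > "$d/open.ini"   # host left commented out
printf 'HiddenServiceDir /var/lib/tor/hidden_service\nHiddenServicePort 64738 127.0.0.1:64738 # Murmur\n' > "$d/torrc"
check_murmur_onion "$d/good.ini" "$d/torrc" && echo "good.ini: OK"
check_murmur_onion "$d/open.ini" "$d/torrc" || echo "open.ini: rejected"
```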

In testing, Mumble was only able to connect to a hidden service using torsocks, and NOT when using Mumble's proxy settings. Note that as of this writing, torsocks is not available for Windows.

Latency

Latency for tor-server connections seems to be mostly between 200 and 600 ms. Latency for tor-hidden service connections seems to be mostly between 900 and 1300 ms. You can check your latency by right-clicking on your profile name in the chat window and clicking 'Information'. Look for 'Average ping' and 'Ping deviation'. If your connection is especially slow, get a new circuit from Tor and reconnect.

Last modified on Jun 12, 2015, 2:21:02 PM