'''WARNING: The intent of this guide is to show users how to run Mumble over the Tor network; we are not vouching for the security of Mumble itself.''' For chat, some type of XMPP client supporting OTR would likely be a more secure solution, due to many of the properties that OTR offers that Mumble does not (End-To-End Encryption, Deniability, Forward Secrecy, etc).
Mumble
Mumble is an open source low-latency VoIP (Voice over IP) chat software primarily intended for use while gaming. It is distributed under the New BSD License. Users can use Mumble to connect to the public server or set up their own server to connect to with Murmur, allowing one to communicate with multiple parties at once by voice-over chat. Mumble connects to a server via a TLS/TCP control channel. While it normally uses a UDP audio channel, using Mumble over Tor forces traffic entirely over the control channel, and uses the ciphers that it supports. This is due to Tors inability to handle UDP packets.
Mumble is end-to-server encrypted with AES in OCB mode to increase user privacy. OCB is used to provide both secrecy and authentication while maintaining low latency.
In 1.2.0 Mumble implemented certificate authentication, eliminating the need for passwords and providing a significantly more secure form of verification. Many servers now require such certificate authentication to connect.
As of 1.2.9, Mumble also supports forward secrecy.
== Acquiring Mumble ==
- Linux: Mumble is available via standard PPA (Personal Package Archive) installation.
- FreeBSD: Mumble is available in the FreeBSD ports collection.
- Windows: Download Mumble from https://mumble.info/
- OSX: Download Mumble from https://mumble.info/
- iOS: Download Mumble from iTunes.
There are other third-party clients available for Mumble:
- Plumble(Android): Download from Google Play Store.
- Mumblefy(iOS): Download from iTunes.
Torifying Mumble
Mumble's Proxy Settings
The easiest way to use Mumble via Tor is using the internal proxy settings. This method was previously discouraged due to DNS leaks caused by QHostAddress resolving addresses ahead of time in a few processes, thus causing the DNS request to not go through the configured proxy. However, as of this patch, that issue has been officially resolved and the internal settings have become the recommended choice for Torifying Mumble. The patch also implemented support for .onion
addresses. Please read the commit note for a detailed outline of all the features implemented.
Torsocks Method
Mumble can be used with Torsocks by starting it from the command line with the command torsocks mumble
.
By default, Mumble uses UDP for its voice channel and TCP for its control channel. Since Tor doesn't transport UDP, you will need to tick the 'Force TCP mode' box in the network settings so that voice and chat are both sent over Mumble's TCP control channel. Alternatively, if you are running your own Murmur server, you can block UDP at the server with iptables (see below).
There are a number of other settings here you may also want to enable/disable, based on your preference. It's advised to go through the settings to their entirety to see which ones are useful for your purposes.
If you use Mumble on Tails, you must start Mumble with the command torify mumble
or the
Tails firewall will prevent you from connecting. Mumble does not ship with Tails by
default. To use it you will need to install it using
sudo apt-get update && sudo apt-get -y install mumble
Murmur
Murmur is the server software for Mumble. It is packaged as mumble-server in Debian, Ubuntu, and their derivatives.
Murmur configuration
''' Note: The instructions below were written for use with the official Murmur implementation.
For further details regarding Murmur setup/configuration, please see the official Murmur setup guide on the Mumble Wiki.
Firewall rules
"64738" is currently the default port for Murmur. If you have changed the port that Murmur uses, please adjust the rules below to reflect your changes.
Iptables rules:
-A INPUT -p tcp -m tcp --dport 64738 -j ACCEPT
-A INPUT -p udp -m udp --dport 64738 -j ACCEPT
-A INPUT -j DROP
pf rules:
pass in quick inet proto tcp from any to $ext_if port 64738 keep state
pass in quick inet proto udp from any to $ext_if port 64738 keep state
If you want to force TCP at the server, drop the iptables/pf rule for UDP.
Hidden Service configuration
It is possible to set up a Murmur server as hidden service. To do this you need to edit /etc/mumble-server.ini, which is the default Murmur configuration file. Add (or uncomment and edit) this line:
host=127.0.0.1
You may also want to add the line to add a password to your server or to change the port your server will listen on, you may want to edit these lines as well
serverpassword=neitherwordsnorsilence
port=64738
You will need to restart mumble-server/murmurd for the changes to take effect.
You also need to edit your torrc file. Add (or uncomment and edit) these lines:
HiddenServiceDir /var/lib/tor/hidden_service
HiddenServicePort 64738 127.0.0.1:64738 # Adjust port to match Murmur configuration
Restart Tor to get your hidden service address from /var/lib/tor/hidden_service/hostname.
Latency
Latency for tor-server connections seem to be mostly between 200 and 600 ms. Latency for tor-hidden service connections seems to be mostly between 900 and 1300 ms. You can check your latency by right clicking on your profile name in the chat window and clicking 'Information'. Look for 'Average ping' and 'Ping deviation'. If your connection is especially slow, get a new circuit from Tor and reconnect.