
Add ipv6 support #12

Open
ghost opened this issue Sep 8, 2017 · 16 comments · May be fixed by #80

Comments

@ghost

ghost commented Sep 8, 2017

Tor has an option to use an ipv6 gateway:

$ man tor
[...]
       VirtualAddrNetworkIPv6 [Address]/bits
           When Tor needs to assign a virtual (unused) address because of a
           MAPADDRESS command from the controller or the AutomapHostsOnResolve
           feature, Tor picks an unassigned address from this range.
           (Defaults: 127.192.0.0/10 and [FE80::]/10 respectively.)

           When providing proxy server service to a network of computers using
           a tool like dns-proxy-tor, change the IPv4 network to
           "10.192.0.0/10" or "172.16.0.0/12" and change the IPv6 network to
           "[FC00::]/7". The default VirtualAddrNetwork address ranges on a
           properly configured machine will route to the loopback or
           link-local interface. The maximum number of bits for the network
           prefix is set to 104 for IPv6 and 16 for IPv4. However, a wider
           network - smaller prefix length - is preferable since it reduces
           the chances for an attacker to guess the used IP. For local use,
           no change to the default VirtualAddrNetwork setting is needed.
[...]

I was thinking of hacking Torjail and adding this option manually here. Could you add it?

@lesion
Collaborator

lesion commented Sep 8, 2017

ipv6 support would be nice: PR welcome 😄

@ghost
Author

ghost commented Sep 8, 2017

A Tor connection with IPv4+6 is faster and adds more compatibility with IPv6-only DNS addresses. I can clearly perceive more speed and stability when browsing with Tor Browser (which has IPv6 through Tor) compared with Firefox with Torjail.

The only project I know that uses VirtualAddrNetworkIPv6 is Mailpile: https://github.com/renne/Mailpile/wiki/Mail(pile)-TORified

It works nearly the same way as Torjail, except that it has no local NAT and has IPv6 through Tor.

@lesion
Collaborator

lesion commented Oct 5, 2017

@ghost
Author

ghost commented Oct 6, 2017

I like to browse using Tor, but it is annoying to complete "captchas" and other spam verification methods due to the blocking of Tor exit nodes by many sites (Google and any site behind Cloudflare), so I usually connect to a VPN afterwards and then open the browser.

A friend lent me his VPN service, which has both IPv4 and IPv6 connectivity; because of that I'm interested in a Torjail version with IPv6 enabled.

To connect to a VPN provider via Tor with Torjail is as simple as:

mrxvt -e sudo torjail -k -v -n vpnns -s
sudo openvpn /path/to/openvpn_tcp_config_file.ovpn

sudo torjail -k -v -u -n vpnns <some_browser>

Any .ovpn file which uses TCP will use Tor's connection without any leak this way; VPN Gate has tons of nodes with TCP-enabled connections that can be used for this (http://vpngate.net).

Using an IPv4+IPv6 VPN service with Torjail would be awesome for me.

I will get the sysctl configs of the Torjail virtual interfaces:

sysctl -a | grep -i in-veth0
ip netns exec NETNS_NAME sysctl -a | grep -i out-veth0

... and study them to see if something is wrong here. I just need a little time; if I get this working, I will fork this repo and make a Torjail IPv6 version.

@ghost
Author

ghost commented Oct 7, 2017

@lesion

After searching a lot, I discovered one reason why Tor transport using IPv6 addresses doesn't work: https://stackoverflow.com/questions/36438102/ping-external-ipv6-address-from-a-network-namespace

Local private IPv6 addresses are part of ULA and they are not routable; that's the reason why I can ping a host using ping -6 but no response is sent back, though I can get the host's IPv6 address:

ip netns exec NETNS ping -6 v6.testmyipv6.com
PING v6.testmyipv6.com(2620:12e:1000::a00:f (2620:12e:1000::a00:f)) 56 data bytes
^C
--- v6.testmyipv6.com ping statistics ---
20 packets transmitted, 0 received, 100% packet loss, time 19447ms

=> https://serverfault.com/questions/876949/error-testing-a-torified-and-ipv6-enabled-network-namespace-almost-done

When I have time, I will test with other addresses and configurations.

lesion added a commit that referenced this issue Oct 10, 2017
@lesion
Collaborator

lesion commented Oct 10, 2017

@ghost
Author

ghost commented Oct 11, 2017

@lesion

Your modification didn't work here; I made mine just the same way you did, and the same problem continues.

I had this gist on my bookmarks: https://gist.github.com/meejah/1777585

It refers to a torified virtual interface for use with QEMU using VDE2 (a tool which does the same thing ip-link does); it's IPv4 only and uses REDIRECT (which was included in netfilter6 in the Linux kernel a short time ago). Instead of REDIRECT in ip6tables, there was TPROXY for ip6tables as a replacement for iptables' REDIRECT; with REDIRECT and TPROXY, IPv6 connectivity with torjail can work. Reference: ysbaddaden/prax.cr#56

Another possibility is that TransPort and DNSPort using IPv6 addresses (such as fd00::/64) just don't work like the IPv4 ones.

I tested a way to torify a QEMU instance: I used SOCKSPort [::1]:9050, proxychains-ng using this address, and wrapped the QEMU command line like this:

proxychains4 -f /etc/proxychains.conf qemu [arguments]

As QEMU uses an internal SLIRP with IPv6 support, IPv4 and v6 connectivity is fully provided to the guest in the VM, but there is a big problem here: SLIRP is terribly slow, and the VM torified this way freezes every time a connection is made inside it.

^^ It's a little evidence that IPv6 connectivity only works with SOCKSPort and not with TransPort and DNSPort (the alpha version of Tor includes an HTTP proxy, but I haven't tested it yet).

There is an app called tun2socks (https://github.com/ambrop72/badvpn), part of the badvpn package; it doesn't use the (ugly) SLIRP and uses the lwip6 library. It works with both IPv4 and v6; I think this is the last possibility to get torjail working with IPv6.

I will test the new REDIRECT option of ip6tables and TPROXY; if they don't work, I will try badvpn-tun2socks.

@ghost
Author

ghost commented Oct 26, 2017

Finally I discovered why IPv6 connectivity didn't work inside a namespace: the VirtualAddrNetworkIPv6 option doesn't work if assigned to the same peer address.

I made a copy-paste sequence of commands to create a namespace with IPv6 connectivity (run as root):

# create a new network namespace named NETNS
ip netns add NETNS

# create two virtual ethernet interfaces
ip link add OUTSIDE type veth peer name INSIDE

# bind one interface to NETNS network namespace
ip link set INSIDE netns NETNS

# set interfaces ip and default routing
ip addr add 10.0.0.1/24 dev OUTSIDE
ip -6 addr add fdcc:9b1c:14b6:9842::1/64 dev OUTSIDE
ip link set OUTSIDE up
ip netns exec NETNS ip addr add 10.0.0.2/24 dev INSIDE
ip netns exec NETNS ip -6 addr add fdcc:9b1c:14b6:9842::2/64 dev INSIDE
ip netns exec NETNS ip link set INSIDE up

ip netns exec NETNS ip route add default via 10.0.0.1
ip netns exec NETNS ip -6 route add default via fdcc:9b1c:14b6:9842::1

# forward all dns traffic to tor DNSPort
# (an IPv6 DNAT target with a port must be bracketed: unbracketed,
# "fdcc:9b1c:14b6:9842::1:9153" parses as a plain address and the port is lost)
iptables -t nat -A PREROUTING -i OUTSIDE -p udp -d 10.0.0.1 --dport 53 -j DNAT --to-destination 10.0.0.1:9153
ip6tables -t nat -A PREROUTING -i OUTSIDE -p udp -d fdcc:9b1c:14b6:9842::1 --dport 53 -j DNAT --to-destination [fdcc:9b1c:14b6:9842::1]:9153

# forward all traffic to tor TransPort
iptables -t nat -A PREROUTING -i OUTSIDE -p tcp --syn -j DNAT --to-destination 10.0.0.1:9040
ip6tables -t nat -A PREROUTING -i OUTSIDE -p tcp --syn -j DNAT --to-destination [fdcc:9b1c:14b6:9842::1]:9040

# accept established connections
iptables -A OUTPUT -m state -o OUTSIDE --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -m state -o OUTSIDE --state ESTABLISHED,RELATED -j ACCEPT

# accept only forwarded traffic (plus ICMPv6 from the peer, which IPv6
# needs to work properly; the DROP rules below would otherwise block it)
iptables -I INPUT -i OUTSIDE -p udp --destination 10.0.0.1 --dport 9153 -j ACCEPT
ip6tables -I INPUT -i OUTSIDE -p udp --destination fdcc:9b1c:14b6:9842::1 --dport 9153 -j ACCEPT
iptables -I INPUT -i OUTSIDE -p tcp --destination 10.0.0.1 --dport 9040 -j ACCEPT
ip6tables -I INPUT -i OUTSIDE -p tcp --destination fdcc:9b1c:14b6:9842::1 --dport 9040 -j ACCEPT
ip6tables -I INPUT -i OUTSIDE -p ipv6-icmp -s fdcc:9b1c:14b6:9842::2 -d fdcc:9b1c:14b6:9842::1 -j ACCEPT
iptables -A INPUT -i OUTSIDE -j DROP
ip6tables -A INPUT -i OUTSIDE -j DROP

# make a temporary resolv.conf for this namespace
mkdir -pv /etc/netns
mount -t tmpfs -o nosuid,nodev tmpfs /etc/netns
mkdir -pv /etc/netns/NETNS
echo "nameserver fdcc:9b1c:14b6:9842::1" >> /etc/netns/NETNS/resolv.conf
echo "nameserver 10.0.0.1" >> /etc/netns/NETNS/resolv.conf

# get into the namespace

ip netns exec NETNS unshare --ipc --fork --pid --mount --mount-proc bash

# clean up (delete every rule added above, in the same form)

ip netns del NETNS
umount -v /etc/netns
iptables -t nat -D PREROUTING -i OUTSIDE -p udp -d 10.0.0.1 --dport 53 -j DNAT --to-destination 10.0.0.1:9153
ip6tables -t nat -D PREROUTING -i OUTSIDE -p udp -d fdcc:9b1c:14b6:9842::1 --dport 53 -j DNAT --to-destination [fdcc:9b1c:14b6:9842::1]:9153
iptables -t nat -D PREROUTING -i OUTSIDE -p tcp --syn -j DNAT --to-destination 10.0.0.1:9040
ip6tables -t nat -D PREROUTING -i OUTSIDE -p tcp --syn -j DNAT --to-destination [fdcc:9b1c:14b6:9842::1]:9040
iptables -D OUTPUT -m state -o OUTSIDE --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -D OUTPUT -m state -o OUTSIDE --state ESTABLISHED,RELATED -j ACCEPT
iptables -D INPUT -i OUTSIDE -p udp --destination 10.0.0.1 --dport 9153 -j ACCEPT
ip6tables -D INPUT -i OUTSIDE -p udp --destination fdcc:9b1c:14b6:9842::1 --dport 9153 -j ACCEPT
iptables -D INPUT -i OUTSIDE -p tcp --destination 10.0.0.1 --dport 9040 -j ACCEPT
ip6tables -D INPUT -i OUTSIDE -p tcp --destination fdcc:9b1c:14b6:9842::1 --dport 9040 -j ACCEPT
ip6tables -D INPUT -i OUTSIDE -p ipv6-icmp -s fdcc:9b1c:14b6:9842::2 -d fdcc:9b1c:14b6:9842::1 -j ACCEPT
iptables -D INPUT -i OUTSIDE -j DROP
ip6tables -D INPUT -i OUTSIDE -j DROP

You should have IPv6 connectivity with this Tor configuration:

TransPort 10.0.0.1:9040
DNSPort 10.0.0.1:9153
TransPort [fdcc:9b1c:14b6:9842::1]:9040
DNSPort [fdcc:9b1c:14b6:9842::1]:9153
AutomapHostsOnResolve 1
AutomapHostsSuffixes .
ClientUseIPv6 1

Trying to add VirtualAddrNetworkIPv4 10.0.0.2/16 to this scheme has no effect on the IPv4 connection, but VirtualAddrNetworkIPv6 [fdcc:9b1c:14b6:9842::2]/48 drops the IPv6 connectivity.

I believe it's a bug, but I have to check and read the Tor documentation better (I'm using Tor 0.3.3.0-alpha-dev (git-853bbb9112a16055+e87771b42) right now).

The solution is to make VirtualAddrNetworkIPv6 bind to an address other than the peer's (such as VirtualAddrNetworkIPv6 [fc00::]/7), and change these lines of the #12 commit (b5f279e):

ip6tables -I INPUT -i in-$NAME -p tcp --source $IPNETNS6 --sport $HSERVICEPORT -j ACCEPT
ip6tables -I INPUT -i in-$NAME -p tcp --destination $IPNETNS6 --dport $HSERVICEPORT -j ACCEPT

to:

ip6tables -I INPUT -i in-$NAME -p tcp --source fc00:: --sport $HSERVICEPORT -j ACCEPT
ip6tables -I INPUT -i in-$NAME -p tcp --destination fc00:: --dport $HSERVICEPORT -j ACCEPT

^^ As I tested here with a hidden service, it doesn't affect anything there.

How good it is to see:

[screenshot from 2017-10-25 21-24-47]

@adrelanos
Collaborator

What about nftables rather than ip6tables?

@Rikkit888
Seems there is still no ipv6 support in orjail 1.1 after 3 years.

Is this ipv6 branch working?
Can somebody explain how to implement it into orjail 1.1?
If I understand it correctly, I have to use my own torrc file with orjail and use these torrc settings:
TransPort 10.0.0.1:9040
DNSPort 10.0.0.1:9153
TransPort [fdcc:9b1c:14b6:9842::1]:9040
DNSPort [fdcc:9b1c:14b6:9842::1]:9153
AutomapHostsOnResolve 1
AutomapHostsSuffixes .
ClientUseIPv6 1

Then I have to edit the orjail file in /usr/sbin and add the additional (green) lines from the branch manually? Or is it possible to merge it together automatically?
b5f279e

@phantomcraft
Collaborator

phantomcraft commented May 8, 2020

@Rikkit888

It's the same thing as IPv4, but the IPv6 address needs to be bracketed in DNAT rules:

ip6tables -t nat -A PREROUTING -i subnet -p udp -d fd00::1 --dport 53 -j DNAT --to-destination [fd00::1]:9053
ip6tables -t nat -A PREROUTING -i subnet -p tcp --syn -j DNAT --to-destination [fd00::1]:9040

Also, a line for IPv6 needs to be added before the blocking rules:

ip6tables -A INPUT -p ipv6-icmp -s fd00::2 -d fd00::1 -j ACCEPT

fd00::2 is the peer address and fd00::1 is the veth one. IPv6 needs ICMPv6 to work properly.

@Rikkit888

Sadly the Tor process is not starting with the branch script.
The veth device now has IPv6 assigned, but Tor is not working with these IPv6 settings.

@phantomcraft
Collaborator

@Rikkit888

If listening on IPv6 ports, this command must be run to ensure all ports will listen:

sysctl -q -w net.ipv6.ip_nonlocal_bind=1

Also, the IPv6 address in the torrc file must be bracketed:

TransPort [fd00::1]:9040

IPv6 in Tor is still experimental; there is no way of choosing IPv6-only entry and exit nodes.

These parameters help increase the chance of picking IPv6 nodes:

      SOCKSPort [fd00::1]:9050 IPv6Traffic PreferIPv6
      DNSPort [fd00::1]:9053 IPv6Traffic PreferIPv6
      ClientUseIPv6 1
      ClientPreferIPv6DirPort 1
      ClientPreferIPv6ORPort 1

IPv6Traffic and PreferIPv6 are not available in the TransPort option.
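The bracket rule described in the two comments above (DNAT targets and torrc listeners), turned into a pre-flight lint; this is an added example, not orjail/torjail code, and the function names and sample lines are constructed here:

```shell
#!/bin/sh
# Added example, not orjail/torjail code: lint ip6tables DNAT targets and
# torrc listeners for the unbracketed-IPv6 mistake from this thread.
# "fdcc:9b1c:14b6:9842::1:9153" is itself a valid IPv6 address, so the
# port is silently absorbed into the address and the rule goes wrong.
set -f    # no pathname expansion while splitting lines into words

# Return 0 if an ip6tables rule's --to-destination is "[addr]:port",
# 1 if it is unbracketed (port swallowed into the address) or missing.
check_ip6_dnat_target() {
    target=$(printf '%s\n' "$1" | sed -n 's/.*--to-destination[ =]\([^ ]*\).*/\1/p')
    case $target in
        "["*"]":[0-9]*) return 0 ;;
        *)              return 1 ;;
    esac
}

# Return 0 if a torrc listener line (TransPort/DNSPort/SOCKSPort) is well
# formed: an IPv6 literal must be "[addr]:port". Other lines pass.
check_torrc_listen() {
    set -- $1                                  # split the line into words
    case $1 in
        TransPort|DNSPort|SOCKSPort) ;;
        *) return 0 ;;
    esac
    case $2 in
        "["*"]":[0-9]*) return 0 ;;            # bracketed IPv6 literal + port
        *:*:*)          return 1 ;;            # two+ colons: unbracketed IPv6
        *)              return 0 ;;            # IPv4 host:port or bare port
    esac
}

# Read rule/torrc lines on stdin, report offenders on stderr and print
# how many there were on stdout.
count_unbracketed() {
    bad=0
    while IFS= read -r line; do
        case $line in
            ip6tables*DNAT*) ok=check_ip6_dnat_target ;;
            *)               ok=check_torrc_listen ;;
        esac
        "$ok" "$line" || { echo "unbracketed: $line" >&2; bad=$((bad + 1)); }
    done
    echo "$bad"
}

# Constructed sample mixing this thread's rules and torrc lines (two offenders).
sample_lines() {
    cat <<'EOF'
ip6tables -t nat -A PREROUTING -i OUTSIDE -p udp -d fdcc:9b1c:14b6:9842::1 --dport 53 -j DNAT --to-destination fdcc:9b1c:14b6:9842::1:9153
ip6tables -t nat -A PREROUTING -i subnet -p tcp --syn -j DNAT --to-destination [fd00::1]:9040
TransPort 10.0.0.1:9040
TransPort [fdcc:9b1c:14b6:9842::1]:9040
DNSPort fd00::1:9053
ClientUseIPv6 1
EOF
}

echo "unbracketed IPv6 targets in sample: $(sample_lines | count_unbracketed)"
```

Run it over your own rule file or torrc with `count_unbracketed < file` before bringing the namespace up.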

@Rikkit888

I will try that, but the main problem is that the Tor instance is still not starting.
Some settings from the branch script for the torrc file must be the problem.

@phantomcraft
Collaborator

Put this line in your configuration:

Log notice file /dev/shm/log

See what is shown in the log.

@lesion lesion self-assigned this Sep 20, 2021
@lesion lesion linked a pull request Sep 21, 2021 that will close this issue
@lesion
Collaborator

lesion commented Sep 21, 2021

I need help on this.
I've rebased master into the ipv6 branch and made PR #80, but this is not working.
