Add ipv6 support #12
Comments
ipv6 support would be nice: PR welcome 😄 |
Tor connection with IP4+6 is faster and adds more compatibility with IPv6-only DNS addresses. I can clearly perceive more speed and stability when browsing with TorBrowser (which has IPv6 through Tor) compared with Firefox with Torjail. The only project I know that is using VirtualAddrNetworkIPv6 is Mailpile: https://github.com/renne/Mailpile/wiki/Mail(pile)-TORified It works nearly the same way as Torjail, except for not having local NAT and having IPv6 through Tor. |
I like to browse using Tor, but it is annoying to complete "captchas" and other spam verification methods due to the blocking of Tor exit nodes by many sites (Google and any site behind Cloudflare), so I usually connect to a VPN afterwards and open the browser next. A friend lent me his VPN service, which has both IPv4 and IPv6 connectivity; because of that I'm interested in a Torjail version with IPv6 enabled.

Connecting to a VPN provider via Tor with Torjail is as simple as:

mrxvt -e sudo torjail -k -v -n vpnns -s sudo torjail -k -v -u -n vpnns <some_browser>

Any .ovpn file which uses TCP will use Tor's connection with any leak this way; VPN Gate has tons of nodes with TCP-enabled connections to use for that (http://vpngate.net). Using an IPv4+IPv6 VPN service with Torjail would be awesome for me.

I will get the sysctl configs of Torjail's virtual interfaces:

sysctl -a | grep -i in-veth0

... and study them to see if something is wrong there. I just need a little time; if I get this working, I will fork this repo and make a Torjail IPv6 version. |
After searching a lot, I discovered one reason why Tor transport using IPv6 addresses doesn't work: https://stackoverflow.com/questions/36438102/ping-external-ipv6-address-from-a-network-namespace Local private IPv6 addresses are part of ULA and they are not routable; that's the reason why I can ping a host using ping -6 but no response is sent back, though I can get the IPv6 of the host:
When I have time, I will test with another addresses and configurations. |
Your modification didn't work here. I made mine just the same way you did, and the same problem continues.

I had this gist in my bookmarks: https://gist.github.com/meejah/1777585 It refers to a torified virtual interface for use with QEMU using VDE2 (a tool which does the same thing ip-link does); it's IPv4 only and uses REDIRECT (which was included in netfilter6 in the Linux kernel a little time ago). Instead of REDIRECT with ip6tables, there was TPROXY for ip6tables for replacing REDIRECT of iptables; with REDIRECT and TPROXY the IPv6 connectivity with torjail can work. Reference: ysbaddaden/prax.cr#56

Another possibility is that TransPort and DNSPort using IPv6 addresses (such as fd00::/64) just don't work as IPv4 ones do. I tested a way to torify a QEMU instance: I used SOCKSPort [::1]:9050, proxychains-ng using this address, and wrapped the QEMU command line like this:

proxychains4 -f /etc/proxychains.conf qemu [arguments]

As QEMU uses an internal SLIRP with IPv6 support, IPv4 and IPv6 connectivity is fully provided to the guest in the VM, but there is a big problem here: SLIRP is terribly slow, and the VM torified this way freezes every time a connection is made inside it.

^^ It's a little evidence that IPv6 connectivity only works with SOCKSPort and not with TransPort and DNSPort (the alpha version of Tor includes an HTTP proxy, but I haven't tested it yet).

There is an app called tun2socks (https://github.com/ambrop72/badvpn), part of the badvpn package. It doesn't use the (ugly) SLIRP and uses the lwip6 library, and it works with both IPv4 and IPv6. I think this is the last possibility to get torjail working with IPv6. I will test the new REDIRECT option of ip6tables and TPROXY; if they don't work, I will try badvpn-tun2socks. |
Finally I discovered why IPv6 connectivity didn't work inside a namespace: the VirtualAddrNetworkIPv6 option doesn't work if assigned to the same peer address. I made a copy-paste sequence of commands to create a namespace with IPv6 connectivity (run as root):
It should have IPv6 connectivity with this Tor configuration:

TransPort 10.0.0.1:9040

Trying to add VirtualAddrNetworkIPv4 10.0.0.2/16 to this scheme has no effect on the IPv4 connection, but VirtualAddrNetworkIPv6 [fdcc:9b1c:14b6:9842::2]/48 drops the IPv6 connectivity. I believe it's a bug, but I have to check and read the Tor documentation better (I'm using Tor 0.3.3.0-alpha-dev (git-853bbb9112a16055+e87771b42) right now).

The solution is to make the VirtualAddrNetworkIPv6 bind to an address other than the peer (such as VirtualAddrNetworkIPv6 [fc00::]/7), and change these lines of the #12 commit (b5f279e):

ip6tables -I INPUT -i in-$NAME -p tcp --source $IPNETNS6 --sport $HSERVICEPORT -j ACCEPT

to:

ip6tables -I INPUT -i in-$NAME -p tcp --source fc00:: --sport $HSERVICEPORT -j ACCEPT

^^ As I tested here with a hidden service, it doesn't affect anything with it. How good it is to see: |
What about |
It seems there is still no IPv6 support in orjail 1.1 after 3 years. Is this ipv6 branch working? Then do I have to edit the orjail file in /usr/sbin and add the additional (green) lines from the branch manually? Or is it possible to merge it together automatically? |
Rikkit888 It's the same thing as IPv4, but the IPv6 needs to be bracketed in DNAT rules:
Also, a line for IPv6 needs to be added before the blocking rules:
fd00::2 is the peer address and the fd00::1 is the veth one. IPv6 needs ICMPv6 for working properly. |
Sadly the Tor-Process is not starting with the Branch-Script. |
If listening to IPv6 ports, this command must be passed to assure all ports will listen:
Also, IPv6 address in the torrc file must be bracketed:
IPv6 in Tor is still experimental; there is no way of choosing IPv6-only entry and exit nodes. These parameters help with the chance of picking up IPv6 nodes:
IPv6Traffic and PreferIPv6 are not available in the TransPort option. |
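
An added example, not code from this thread or from the torjail/orjail project: a small Python check for the two torrc pitfalls commenters describe above, an IPv6 address written without brackets and a VirtualAddrNetworkIPv6 range whose address is the namespace peer. The sample torrc is constructed, `lint_torrc` is a hypothetical helper, and the peer-address rule encodes the commenter's observation rather than documented Tor behaviour.

```python
import ipaddress

# Address-taking torrc options named in this thread (not Tor's complete list).
ADDR_OPTIONS = {"socksport", "transport", "dnsport", "virtualaddrnetworkipv6"}

# Constructed sample torrc; fd00::2 is the peer address used in the thread.
SAMPLE_TORRC = """\
SOCKSPort [::1]:9050
TransPort 10.0.0.1:9040
TransPort fd00::1:9040
DNSPort [fd00::1]:5353
VirtualAddrNetworkIPv6 [fd00::2]/64
VirtualAddrNetworkIPv6 [fc00::]/7
"""


def _as_ipv6(text):
    """Return an IPv6Address if text is a valid IPv6 literal, else None."""
    try:
        return ipaddress.IPv6Address(text)
    except ValueError:
        return None


def lint_torrc(torrc_text, peer_addr):
    """Return (line_number, message) findings for the two pitfalls in the thread."""
    peer = ipaddress.IPv6Address(peer_addr)
    findings = []
    for number, raw in enumerate(torrc_text.splitlines(), start=1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0].lower() not in ADDR_OPTIONS:
            continue
        option, value = parts[0], parts[1]
        if value.startswith("["):
            # Bracketed form: [addr]:port or [addr]/bits.
            addr = _as_ipv6(value[1:].split("]", 1)[0])
            if addr is None:
                findings.append((number, f"{option}: invalid IPv6 literal in brackets"))
            elif option.lower() == "virtualaddrnetworkipv6" and addr == peer:
                findings.append((number, f"{option}: address is the namespace peer"))
            continue
        # Unbracketed: flag if the token, with or without a trailing :port, is IPv6.
        token = value.split("/", 1)[0]
        if _as_ipv6(token) is not None or _as_ipv6(token.rsplit(":", 1)[0]) is not None:
            findings.append((number, f"{option}: IPv6 address must be in brackets"))
    return findings
```

Calling `lint_torrc(SAMPLE_TORRC, "fd00::2")` flags the unbracketed TransPort line and the VirtualAddrNetworkIPv6 line that reuses the peer address, and passes the `[fc00::]/7` form.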
I will try that, but the main problem is that the Tor instance is still not starting. |
Put this line on your configuration:
See what is shown in the log. |
I need help on this. |
Tor has an option to use an ipv6 gateway:
$ man tor
[...]
VirtualAddrNetworkIPv6 [Address]/bits
When Tor needs to assign a virtual (unused) address because of a
MAPADDRESS command from the controller or the AutomapHostsOnResolve
feature, Tor picks an unassigned address from this range.
(Defaults: 127.192.0.0/10 and [FE80::]/10 respectively.)
[...]
I was thinking of hacking Torjail and adding this option manually here. Could you add it?