
Hello,

I am not able to use AirVPN when using obfs4 bridges in Tor.

I have found these threads on the topic, but none of them seem to give a conclusive solution:

I am running the latest 64-bit version of Eddie (2.11.10) and Tor 6.0.8 on Windows x64.

I have been very careful to check that IP and ports in Tor network settings (Options --> Advanced --> Network --> Settings) match the ones in the "Proxy/Tor" section of Eddie preferences.

 

Eddie log:

I 2017.01.14 03:26:55 - Session starting.
. 2017.01.14 03:26:55 - IPv6 disabled with packet filtering.
I 2017.01.14 03:26:55 - Checking authorization ...
. 2017.01.14 03:26:56 - Tor Control authentication method: Cookie, from C:\Users\<username>\Documents\Tor Browser\Browser\TorBrowser\Data\Tor\control_auth_cookie
E 2017.01.14 03:26:56 - Unable to communicate with Tor (Unable to find IP address of Tor first node of an established circuit.). Is Tor up and running?
I 2017.01.14 03:26:59 - Cancel requested.
. 2017.01.14 03:26:59 - IPv6 restored with packet filtering.
. 2017.01.14 03:26:59 - Flushing DNS
! 2017.01.14 03:27:07 - Session terminated.

 

Tor Log:

...
14/01/2017 03:26:56.000 [NOTICE] New control connection opened from 127.0.0.1.
...

 

As soon as I disable obfs4 bridges, AirVPN and Tor work flawlessly (Using AirVPN with Tor)

I have actually run out of options and any help would be appreciated.

 

Thanks.

 

 


AirVPN is not compatible with Tor using obfs4 at this time. I had a similar problem and staff replied that it may be fixed in future versions.

This issue is really important especially for when Tor is banned in a country. If there is a solution we're excitedly waiting for it.

If I connect without an obfs bridge, Tor shows the list of three IPs of the circuit.
If I connect with an obfs bridge, the first IP is hidden.

THIS is the reason for the error

Unable to find IP address of Tor first node of an established circuit.

 

 

Eddie asks "Tor control" for info about the first IP of the circuit, the Guard IP, but Tor doesn't reply in obfs mode. It needs investigation whether or not it is possible to obtain the first IP of the circuit in obfs mode.
 
------------------------------------------
The ONLY reason for the talk between Eddie and Tor is knowing the Guard IP, for the reason described in the first paragraph here: https://airvpn.org/tor/
Eddie will create an automatic rule "data to the Guard IP must be outside the tunnel" during VPN connection.

So, in theory it's possible to mimic it.

If you use "Socks" directly as proxy type, and not "Tor", host 127.0.0.1, port 9150,
it's the same thing the "Tor" proxy mode does, but without the attempt to detect the Tor Guard IP and create a rule for it (which causes the error of the first post)
 
and obtain a bridges list, like
192.36.31.181:35444 3189748017897CCB46D3CDC20E2A0A120963E2DC
162.243.175.190:35552 DCC2C7053DD50563D4873328542F86DFA18AA62B
91.67.238.155:443 AEE1B9E56103B0B89996D12A2190A819EB9A58FD
- Tor Browser -> Tor Network Settings -> My Internet Service Provider (ISP) blocks connections to the Tor network
- Check "Enter custom bridges" and enter the lines above
- Restart Tor Browser
 
From what I understand, in obfs mode, Tor picks one of the three IPs above (randomly?) to use it as Guard IP (first node of the circuit).
So, go to Eddie -> Routes -> create three entries for the above IPs, with "Outside tunnel".

--------------------
In practice, honestly I don't know why currently, it works also if you don't do this (custom bridges list and manual routes outside tunnel). Only "socks", 127.0.0.1, 9150, and go to connect.
Currently I can't reproduce the error in the Tor guide. Feedback is welcome :p


In practice, honestly I don't know why currently, it works also if you don't do this (custom bridges list and manual routes outside tunnel). Only "socks", 127.0.0.1, 9105, and go to connect.

Currently I can't reproduce the error in the Tor guide. Feedback is welcome :p

 

When the OS changes the default gateway, macOS and Linux reset the socket catalog. Windows doesn't do that. This is the reason.


In theory, another approach is using the OutboundBindAddress option of Tor, like @NaDre explains here.
If Tor always uses the real network interface to contact the Guard IP (even when Tun exists) with binding, the Eddie steps to identify the Guard IP address are not necessary anymore, and it will work also with obfs obfuscation.

In practice, at least under macOS I could not make it work:
Googling, some people say Address and more options are also required, some other people claim that a bug affects OutboundBindAddress etc.
I need to test better with Wireshark to understand if it is a Tor issue or an issue with my configs, but this is the right direction to support obfs4.


...

In practice, at least under macOS I could not make it work:

...

 

It may not have worked under MacOS because for Linux and BSD variants (including MacOS), it is not enough to just bind the program to the desired non-gateway IP address.

 

For Linux see the second half of this post (the Linux part about source address routing):

 

https://airvpn.org/topic/14158-question-run-airvpn-as-non-primary-network-adapter/?p=27398

 

I do not have MacOS, but I played with this on FreeBSD 11.0. Without details, I was able to achieve the desired effect (using a non-default gateway interface) in three ways. One of these MAY work for MacOS? For BSD the ways were:

 

1) Using the "setfib" command:

 

https://www.freebsd.org/cgi/man.cgi?query=setfib

 

MacOS appears NOT to have this.

 

I set the second routing table up in the OpenVPN "up" script, and then ran the client program using that second routing table.

 

2) Using the "ipfw" firewall:

 

https://www.freebsd.org/cgi/man.cgi?query=ipfw

 

MacOS appears NOT to have this any more. See:

 

https://discussions.apple.com/thread/6720409

 

I used a command like this:

sudo ipfw add 00050 fwd 192.168.88.1 all from 192.168.88.124 to any
 

That resulted in a program bound to the real IP (192.168.88.124) using the real gateway (192.168.88.1) even when OpenVPN was the default gateway.

 

3) Using the "pf" firewall:

 

https://www.freebsd.org/cgi/man.cgi?query=pfctl

 

It seems that MacOS does have this. See:

 

https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man5/pf.conf.5.html

https://en.wikipedia.org/wiki/PF_(firewall)

https://discussions.apple.com/thread/6720409

 

It is more effort with "pfctl". There is a single set of input statements that get reloaded using pfctl. I included a statement like this:

pass out route-to (em0 192.168.88.1) from 192.168.88.124

It seems that the syntax of rules for pf has changed a lot in recent releases. So the syntax above may not be what is needed for MacOS.

 

===

 

Hope this helps.


Thanks for your feedback @NaDre.
From what I understand (playing with the Tor OutboundBindAddress directive and Wireshark to understand it), OutboundBindAddress binds the traffic to an interface for outgoing requests.
It's used for example if someone configures many Tor daemons on a Tor Exit relay, where each daemon uses a different IP as exit.
From what I understand, that doesn't work to bind the interface for traffic between Tor and the first guard relay.
For me, Tor simply doesn't have a "RelayBindAddress" option.

I understand that a workaround exists (like your setfib/ipfw/pf ideas), but to implement it in Eddie we need to understand how to do it in every OS (also Windows, also iptables etc).
I still think that a better approach would be proposing for Tor a patch/implementation of a "RelayBindAddress" directive, but it needs time to develop/test/submit.


Thu Apr 13 18:06:40 BST 2017

 

Cross platform tor commands (sent to port 9151) after authentication:

 

getconf bridge   -  (lists all bridges currently being used):  column 2 contains IP:port

 

 

getconf bridge
250-Bridge=obfs4 83.212.101.3:50002 A09D536DD1752D542E1FBB3C9CE4449D51298239 cert=lPRQ/MXdD1t5SRZ9MquYQNT9m5DV757jtdXdlePmRCudUU9CFUOX1Tm7/meFSyPOsud7Cw iat-mode=0
250-Bridge=obfs4 154.35.22.13:443 FE7840FE1E21FE0A0639ED176EDA00A3ECA1E34D cert=fKnzxr+m+jWXXQGCaXe4f2gGoPXMzbL+bTBbXMYXuK0tMotd+nXyS33y2mONZWU29l81CA iat-mode=0
250-Bridge=obfs4 154.35.22.11:16488 A832D176ECD5C7C6B58825AE22FC4C90FA249637 cert=YPbQqXPiqTUBfjGFLpm9JYEFTBvnzEJDKJxXG5Sxzrr/v2qrhGU4Jls9lHjLAhqpXaEfZw iat-mode=0
250-Bridge=obfs4 154.35.22.9:443 C73ADBAC8ADFDBF0FC0F3F4E8091C0107D093716 cert=gEGKc5WN/bSjFa6UkG9hOcft1tuK+cV8hbZ0H6cqXiMPLqSbCh2Q3PHe5OOr6oMVORhoJA iat-mode=0
250-Bridge=obfs4 154.35.22.13:16815 FE7840FE1E21FE0A0639ED176EDA00A3ECA1E34D cert=fKnzxr+m+jWXXQGCaXe4f2gGoPXMzbL+bTBbXMYXuK0tMotd+nXyS33y2mONZWU29l81CA iat-mode=0
250-Bridge=obfs4 154.35.22.10:80 8FB9F4319E89E5C6223052AA525A192AFBC85D55 cert=GGGS1TX4R81m3r0HBl79wKy1OtPPNR2CZUIrHjkRg65Vc2VR8fOyo64f9kmT1UAFG7j0HQ iat-mode=0
250-Bridge=obfs4 154.35.22.12:4304 00DC6C4FA49A65BD1472993CF6730D54F11E0DBB cert=N86E9hKXXXVz6G7w2z8wFfhIDztDAzZ/3poxVePHEYjbKDWzjkRDccFMAnhK75fc65pYSg iat-mode=0
250-Bridge=obfs4 192.95.36.142:443 CDF2E852BF539B82BD10E27E9115A31734E378C2 cert=qUVQ0srL1JI/vO6V6m/24anYXiJD3QP2HgzUKQtQ7GRqqUvs7P+tG43RtAqdhLOALP7DJQ iat-mode=1
250-Bridge=obfs4 109.105.109.147:13764 BBB28DF0F201E706BE564EFE690FE9577DD8386D cert=KfMQN/tNMFdda61hMgpiMI7pbwU1T+wxjTulYnfw+4sgvG0zSH7N7fwT10BI8MUdAD7iJA iat-mode=2
250-Bridge=obfs4 154.35.22.9:80 C73ADBAC8ADFDBF0FC0F3F4E8091C0107D093716 cert=gEGKc5WN/bSjFa6UkG9hOcft1tuK+cV8hbZ0H6cqXiMPLqSbCh2Q3PHe5OOr6oMVORhoJA iat-mode=0
250-Bridge=obfs4 154.35.22.10:443 8FB9F4319E89E5C6223052AA525A192AFBC85D55 cert=GGGS1TX4R81m3r0HBl79wKy1OtPPNR2CZUIrHjkRg65Vc2VR8fOyo64f9kmT1UAFG7j0HQ iat-mode=0
250-Bridge=obfs4 154.35.22.10:15937 8FB9F4319E89E5C6223052AA525A192AFBC85D55 cert=GGGS1TX4R81m3r0HBl79wKy1OtPPNR2CZUIrHjkRg65Vc2VR8fOyo64f9kmT1UAFG7j0HQ iat-mode=0
250-Bridge=obfs4 109.105.109.165:10527 8DFCD8FB3285E855F5A55EDDA35696C743ABFC4E cert=Bvg/itxeL4TWKLP6N1MaQzSOC6tcRIBv6q57DYAZc3b2AzuM+/TfB7mqTFEfXILCjEwzVA iat-mode=1
250-Bridge=obfs4 198.245.60.50:443 752CF7825B3B9EA6A98C83AC41F7099D67007EA5 cert=xpmQtKUqQ/6v5X7ijgYE/f03+l2/EuQ1dexjyUhh16wQlu/cpXUGalmhDIlhuiQPNEKmKw iat-mode=0
250-Bridge=obfs4 85.17.30.79:443 FC259A04A328A07FED1413E9FC6526530D9FD87A cert=RutxZlu8BtyP+y0NX7bAVD41+J/qXNhHUrKjFkRSdiBAhIHIQLhKQ2HxESAKZprn/lR3KA iat-mode=0
250-Bridge=obfs4 154.35.22.11:80 A832D176ECD5C7C6B58825AE22FC4C90FA249637 cert=YPbQqXPiqTUBfjGFLpm9JYEFTBvnzEJDKJxXG5Sxzrr/v2qrhGU4Jls9lHjLAhqpXaEfZw iat-mode=0
250-Bridge=obfs4 154.35.22.12:80 00DC6C4FA49A65BD1472993CF6730D54F11E0DBB cert=N86E9hKXXXVz6G7w2z8wFfhIDztDAzZ/3poxVePHEYjbKDWzjkRDccFMAnhK75fc65pYSg iat-mode=0
250-Bridge=obfs4 192.99.11.54:443 7B126FAB960E5AC6A629C729434FF84FB5074EC2 cert=VW5f8+IBUWpPFxF+rsiVy2wXkyTQG7vEd+rHeN2jV5LIDNu8wMNEOqZXPwHdwMVEBdqXEw iat-mode=0
250-Bridge=obfs4 154.35.22.9:12166 C73ADBAC8ADFDBF0FC0F3F4E8091C0107D093716 cert=gEGKc5WN/bSjFa6UkG9hOcft1tuK+cV8hbZ0H6cqXiMPLqSbCh2Q3PHe5OOr6oMVORhoJA iat-mode=0
250 Bridge=obfs4 154.35.22.11:443 A832D176ECD5C7C6B58825AE22FC4C90FA249637 cert=YPbQqXPiqTUBfjGFLpm9JYEFTBvnzEJDKJxXG5Sxzrr/v2qrhGU4Jls9lHjLAhqpXaEfZw iat-mode=0
 

 

Routes for these IP addresses can be added to the config (as is currently done by Eddie for a normal Tor circuit).

 

Once Eddie has connected,  the circuit and stream can be verified:

 

getinfo circuit-status

 

getinfo circuit-status
250+circuit-status=
20 BUILT $FE7840FE1E21FE0A0639ED176EDA00A3ECA1E34D~Azadi,$D68C3CDCC7F7E377E5055E03C06255E33073DCAA~rafeal,$F3909D00806F47E1A48B0CA4FD04314A0E4A3EDB~Peppe BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL TIME_CREATED=2017-04-13T17:02:38.087988
26 BUILT $FE7840FE1E21FE0A0639ED176EDA00A3ECA1E34D~Azadi,$58D212692CB7DB6528E687A4AE55758429FCB3B3~klo,$317172AB30696897E1F7FA7AA2FC97B47ABF384F~starfish BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL TIME_CREATED=2017-04-13T17:12:46.070976
25 BUILT $FE7840FE1E21FE0A0639ED176EDA00A3ECA1E34D~Azadi,$B0B29389B594841812B4282F6C939035C60D5300~conti,$EC116BCB80565A408CE67F8EC3FE3B0B02C3A065~orion BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL TIME_CREATED=2017-04-13T17:12:38.071323
18 BUILT $FE7840FE1E21FE0A0639ED176EDA00A3ECA1E34D~Azadi,$DA6B1A467220A797D4C63D9D2AAF496CCE9D9F3D~linuxthefish2,$81CF3F5A88B757C725EC2D482239ED6221DE3088~ididnteditheconfig BUILD_FLAGS=IS_INTERNAL,NEED_CAPACITY,NEED_UPTIME PURPOSE=GENERAL TIME_CREATED=2017-04-13T17:02:36.077828
19 BUILT $FE7840FE1E21FE0A0639ED176EDA00A3ECA1E34D~Azadi,$B9A63C41B4084B4688744512B78F6563014DC080~tuturu,$D68C3CDCC7F7E377E5055E03C06255E33073DCAA~rafeal BUILD_FLAGS=IS_INTERNAL,NEED_CAPACITY,NEED_UPTIME PURPOSE=GENERAL TIME_CREATED=2017-04-13T17:02:37.088741
17 BUILT $FE7840FE1E21FE0A0639ED176EDA00A3ECA1E34D~Azadi,$86C281AD135058238D7A337D546C902BE8505DDE~TykRelay05,$650398831C8B3583B2E4E913C1F01E14F6429E3D~Unnamed BUILD_FLAGS=IS_INTERNAL,NEED_CAPACITY,NEED_UPTIME PURPOSE=GENERAL TIME_CREATED=2017-04-13T17:02:35.119657
.
250 OK
 

getinfo stream-status:

getinfo stream-status
250+stream-status=
75 SUCCEEDED 20 104.154.164.197:443
72 SUCCEEDED 20 185.156.175.58:443
.
250 OK
 

 

The last line shows that stream 72 is connected via circuit 20 to 182.156.175.58 (Sirrah).
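
Added example, not part of the original post and not Eddie's code: a Python sketch that parses the two control-port replies shown above and returns the bridge IPs that would need "Outside tunnel" routes. It assumes, as the posted output suggests, that the first-hop fingerprint of a BUILT circuit matches the fingerprint column of the bridge line in use; the function names are hypothetical and the sample replies are constructed from the lines quoted in the post.

```python
import ipaddress
import re

# Constructed sample: lines taken from the control-port output quoted above, with
# cert= values replaced by a placeholder, plus one made-up non-BUILT circuit (21).
GETCONF_REPLY = """\
250-Bridge=obfs4 83.212.101.3:50002 A09D536DD1752D542E1FBB3C9CE4449D51298239 cert=PLACEHOLDER iat-mode=0
250-Bridge=obfs4 154.35.22.13:443 FE7840FE1E21FE0A0639ED176EDA00A3ECA1E34D cert=PLACEHOLDER iat-mode=0
250-Bridge=obfs4 154.35.22.13:16815 FE7840FE1E21FE0A0639ED176EDA00A3ECA1E34D cert=PLACEHOLDER iat-mode=0
250 Bridge=obfs4 154.35.22.11:443 A832D176ECD5C7C6B58825AE22FC4C90FA249637 cert=PLACEHOLDER iat-mode=0
"""
CIRCUIT_REPLY = """\
250+circuit-status=
20 BUILT $FE7840FE1E21FE0A0639ED176EDA00A3ECA1E34D~Azadi,$D68C3CDCC7F7E377E5055E03C06255E33073DCAA~rafeal,$F3909D00806F47E1A48B0CA4FD04314A0E4A3EDB~Peppe BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL
21 EXTENDED $A832D176ECD5C7C6B58825AE22FC4C90FA249637~Unnamed BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL
.
250 OK
"""

# "250-Bridge=[transport ]IPv4:port [fingerprint] ..." (IPv6 bridges are not handled here)
BRIDGE_RE = re.compile(r"^250[- ]Bridge=(?:[A-Za-z_]\w* )?"
                       r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})(?: ([0-9A-Fa-f]{40}))?")

def parse_bridges(reply):
    """Return [(ip, port, fingerprint_or_None)] from a GETCONF Bridge reply."""
    bridges = []
    for line in reply.splitlines():
        m = BRIDGE_RE.match(line.strip())
        if not m:
            continue
        try:
            ip = str(ipaddress.IPv4Address(m.group(1)))  # rejects e.g. 999.1.1.1
        except ValueError:
            continue
        fp = m.group(3).upper() if m.group(3) else None
        bridges.append((ip, int(m.group(2)), fp))
    return bridges

def first_hop_fingerprints(reply):
    """Fingerprints of the first hop of every BUILT circuit in GETINFO circuit-status."""
    hops = re.findall(r"^\d+ BUILT \$([0-9A-Fa-f]{40})", reply, re.M)
    return {fp.upper() for fp in hops}

def outside_tunnel_ips(getconf_reply, circuit_reply):
    """(IPs of bridges currently used as first hop, IPs of all configured bridges)."""
    bridges = parse_bridges(getconf_reply)
    guards = first_hop_fingerprints(circuit_reply)
    key = ipaddress.IPv4Address
    return (sorted({ip for ip, _, fp in bridges if fp in guards}, key=key),
            sorted({ip for ip, _, _ in bridges}, key=key))
```

Routing every configured bridge IP outside the tunnel (the second list) covers the case where Tor later switches to another bridge; the first list only reflects the circuits built at the moment of the query.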
