xyzt 1 Posted ... Hello,I am not able to use AirVPN when using obfs4 bridges in Tor.I have found these threads on the topic, but none of them seem to give a conclusive solution:TOR (obfs) & AirVPN not workingTor with obfs4 - can't connect to airvpnI am running the latest 64-bit version of Eddie (2.11.10) and Tor 6.0.8 on Windows x64.I have been very careful to check that IP and ports in Tor network settings (Options --> Advanced --> Network --> Settings) match the ones in the "Proxy/Tor" section of Eddie preferences. Eddie log: I 2017.01.14 03:26:55 - Session starting. . 2017.01.14 03:26:55 - IPv6 disabled with packet filtering. I 2017.01.14 03:26:55 - Checking authorization ... . 2017.01.14 03:26:56 - Tor Control authentication method: Cookie, from C:\Users\<username>\Documents\Tor Browser\Browser\TorBrowser\Data\Tor\control_auth_cookie E 2017.01.14 03:26:56 - Unable to communicate with Tor (Unable to find IP address of Tor first node of an established circuit.). Is Tor up and running? I 2017.01.14 03:26:59 - Cancel requested. . 2017.01.14 03:26:59 - IPv6 restored with packet filtering. . 2017.01.14 03:26:59 - Flushing DNS ! 2017.01.14 03:27:07 - Session terminated. Tor Log: ... 14/01/2017 03:26:56.000 [NOTICE] New control connection opened from 127.0.0.1. ... As soon as I disable obfs4 bridges, AirVPN and Tor work flawlessly (Using AirVPN with Tor)I actually run out of options and any help would be appreciated. Thanks. Quote Share this post Link to post
greenclaydog 6 Posted ... AirVPN is not compatible with Tor using obfs4 at this time. I had a similar problem and staff replied that it may be fixed in future versions. Quote Share this post Link to post
linux1905 0 Posted ... This issue is really important especially for when ToR is banned in a country. If there is a solution we're excitedly waiting for it. Quote Share this post Link to post
Clodo 177 Posted ... If i connect without obfs bridge, Tor shows the list of three IPs about the circuitif i connect with obfs bridge, the first IP is hidden: THIS is the reason about the error Unable to find IP address of Tor first node of an established circuit. Eddie asks for info to "Tor control" about the first IP of the circuit, the Guard IP, but Tor doesn't reply in obfs mode. Need investigation if is possible or not to obtain the first IP of the circuit in obfs mode. ------------------------------------------The ONLY reason of the talk between Eddie and Tor is only knowing the Guard IP for the reason described in the first paragraph here: https://airvpn.org/tor/Eddie will create an automatic rule "data to the Guard IP must be outside the tunnel" during VPN connection. So, in theory it's possibile to mimic it. If you use directly "Socks" as proxy-type, and not "Tor", host 127.0.0.1, port 9150,it's the same thing the "Tor" proxy mode does, but without the attempt to detect the Tor Guard IP and create a rule for it (that causes the error of the first post) - Now, go to : https://bridges.torproject.org/bridgesand obtain a bridges list, like 192.36.31.181:35444 3189748017897CCB46D3CDC20E2A0A120963E2DC 162.243.175.190:35552 DCC2C7053DD50563D4873328542F86DFA18AA62B 91.67.238.155:443 AEE1B9E56103B0B89996D12A2190A819EB9A58FD - Tor Browser -> Tor Network Settings -> My Internet Service Provider (ISP) blocks connections to the Tor network- Check "Enter custom bridges" and enter the lines above- Restart Tor Browser From what i understand, in obfs mode, Tor picks one of the three IPs above (randomly?) to use it as Guard IP (first node of the circuit).So, go to Eddie -> Routes -> create three entries for the above IPs, with "Outside tunnel". --------------------In practice, honestly i don't know why currently, it works also if you don't do this (custom bridges list and manual routes outside tunnel). Only "socks", 127.0.0.1, 9150, and go to connect. Currently i can't reproduce the error in the Tor guide. Feedbacks are welcome Quote Share this post Link to post
Clodo 177 Posted ... In practice, honestly i don't know why currently, it works also if you don't do this (custom bridges list and manual routes outside tunnel). Only "socks", 127.0.0.1, 9105, and go to connect. Currently i can't reproduce the error in the Tor guide. Feedback are welcome When the OS changes the default gateway, macOS and Linux reset the socket catalog. Windows doesn't do that. This is the reason. Quote Share this post Link to post
Clodo 177 Posted ... In theory, another approach is using OutboundBindAddress option of Tor, like @NaDre explains here.If Tor always uses the real network interface for contact Guard IP (even when Tun exists) with binding, the Eddie steps to identify the Guard IP address are not necessary anymore, and will work also with obfs obfuscation.In practice, at least under macOS I could not make it work:Googling, some people say Address and more options are also required, some other persons claim that a bug affects OutboundBindAddress etc.I need to test better with Wireshark to understand if it is a Tor issue or my configs issue, but this is the right direction to support obfs4. Quote Share this post Link to post
NaDre 157 Posted ... ...In practice, at least under macOS I could not make it work:... It may not have worked under MacOS because for Linux and BSD variants (including MacOS), it is not enough to just bind the program to the desired non-gateway IP address. For Linux see the second half of this post (the Linux part about source address routing): https://airvpn.org/topic/14158-question-run-airvpn-as-non-primary-network-adapter/?p=27398 I do not have MacOS, but I played with this on FreeBSD 11.0. Without details, I was able to achieve the desired effect (using a non-default gateway interface) in three ways. One of these MAY work for MacOS? For BSD the ways were: 1) Using the "setfib" command: https://www.freebsd.org/cgi/man.cgi?query=setfib MacOS appears NOT to have this. I set the second routing table up in the OpenVPN "up" script, and then ran the client program using that second routing table. 2) Using the "ipfw" firewall: https://www.freebsd.org/cgi/man.cgi?query=ipfw MacOS appears NOT to have this any more. See: https://discussions.apple.com/thread/6720409 I used a command like this:sudo ipfw add 00050 fwd 192.168.88.1 all from 192.168.88.124 to any That resulted in a program bound to the real IP (192.168.88.124) using the real gateway (192.168.88.1) even when OpenVPN was the default gateway. 3) Using the "pf" firewall: https://www.freebsd.org/cgi/man.cgi?query=pfctl It seems that MacOS does have this. See: https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man5/pf.conf.5.htmlhttps://en.wikipedia.org/wiki/PF_(firewall)https://discussions.apple.com/thread/6720409 It is more effort with "pfctl". There is a single set of input statements that get reloaded using pfctl. I included a statement like this:pass out route-to (em0 192.168.88.1) from 192.168.88.124 It seems that the syntax of rules for pf has changed a lot in recent releases. So the syntax above may not be what is needed for MacOS. === Hope this helps. Quote Share this post Link to post
Clodo 177 Posted ... Thanks for your feedback @NaDre.From what i understand (playing with Tor OutboundBindAddress directive and Wireshark to understand it), OutboundBindAddress binds the traffic to an interface about outgoing request.It's used for example if someone configures many Tor daemons on a Tor Exit relay, where each daemon uses different IP as exit.From what I understand, that doesn't work to bind interface for traffic between Tor and the first guard relay.For me, Tor simply doesn't have a "RelayBindAddress" option.I understand that a workaround exists (like your setfib/ipfw/pf ideas), but to implement it in Eddie we need to understand how to-do it in every OS (also Windows, also iptables etc).I still think that a better approach would be proposing for Tor a patch/implementation of a "RelayBindAddress" directive, but it needs time to develop/test/submit. Quote Share this post Link to post
184d2c52 2 Posted ... Thu Apr 13 18:06:40 BST 2017 Cross platform tor commands (sent to port 9151) after authentication: getconf bridge - (lists all bridges currently being used): column 2 contains IP:port getconf bridge 250-Bridge=obfs4 83.212.101.3:50002 A09D536DD1752D542E1FBB3C9CE4449D51298239 cert=lPRQ/MXdD1t5SRZ9MquYQNT9m5DV757jtdXdlePmRCudUU9CFUOX1Tm7/meFSyPOsud7Cw iat-mode=0 250-Bridge=obfs4 154.35.22.13:443 FE7840FE1E21FE0A0639ED176EDA00A3ECA1E34D cert=fKnzxr+m+jWXXQGCaXe4f2gGoPXMzbL+bTBbXMYXuK0tMotd+nXyS33y2mONZWU29l81CA iat-mode=0 250-Bridge=obfs4 154.35.22.11:16488 A832D176ECD5C7C6B58825AE22FC4C90FA249637 cert=YPbQqXPiqTUBfjGFLpm9JYEFTBvnzEJDKJxXG5Sxzrr/v2qrhGU4Jls9lHjLAhqpXaEfZw iat-mode=0 250-Bridge=obfs4 154.35.22.9:443 C73ADBAC8ADFDBF0FC0F3F4E8091C0107D093716 cert=gEGKc5WN/bSjFa6UkG9hOcft1tuK+cV8hbZ0H6cqXiMPLqSbCh2Q3PHe5OOr6oMVORhoJA iat-mode=0 250-Bridge=obfs4 154.35.22.13:16815 FE7840FE1E21FE0A0639ED176EDA00A3ECA1E34D cert=fKnzxr+m+jWXXQGCaXe4f2gGoPXMzbL+bTBbXMYXuK0tMotd+nXyS33y2mONZWU29l81CA iat-mode=0 250-Bridge=obfs4 154.35.22.10:80 8FB9F4319E89E5C6223052AA525A192AFBC85D55 cert=GGGS1TX4R81m3r0HBl79wKy1OtPPNR2CZUIrHjkRg65Vc2VR8fOyo64f9kmT1UAFG7j0HQ iat-mode=0 250-Bridge=obfs4 154.35.22.12:4304 00DC6C4FA49A65BD1472993CF6730D54F11E0DBB cert=N86E9hKXXXVz6G7w2z8wFfhIDztDAzZ/3poxVePHEYjbKDWzjkRDccFMAnhK75fc65pYSg iat-mode=0 250-Bridge=obfs4 192.95.36.142:443 CDF2E852BF539B82BD10E27E9115A31734E378C2 cert=qUVQ0srL1JI/vO6V6m/24anYXiJD3QP2HgzUKQtQ7GRqqUvs7P+tG43RtAqdhLOALP7DJQ iat-mode=1 250-Bridge=obfs4 109.105.109.147:13764 BBB28DF0F201E706BE564EFE690FE9577DD8386D cert=KfMQN/tNMFdda61hMgpiMI7pbwU1T+wxjTulYnfw+4sgvG0zSH7N7fwT10BI8MUdAD7iJA iat-mode=2 250-Bridge=obfs4 154.35.22.9:80 C73ADBAC8ADFDBF0FC0F3F4E8091C0107D093716 cert=gEGKc5WN/bSjFa6UkG9hOcft1tuK+cV8hbZ0H6cqXiMPLqSbCh2Q3PHe5OOr6oMVORhoJA iat-mode=0 250-Bridge=obfs4 154.35.22.10:443 8FB9F4319E89E5C6223052AA525A192AFBC85D55 cert=GGGS1TX4R81m3r0HBl79wKy1OtPPNR2CZUIrHjkRg65Vc2VR8fOyo64f9kmT1UAFG7j0HQ iat-mode=0 250-Bridge=obfs4 154.35.22.10:15937 8FB9F4319E89E5C6223052AA525A192AFBC85D55 cert=GGGS1TX4R81m3r0HBl79wKy1OtPPNR2CZUIrHjkRg65Vc2VR8fOyo64f9kmT1UAFG7j0HQ iat-mode=0 250-Bridge=obfs4 109.105.109.165:10527 8DFCD8FB3285E855F5A55EDDA35696C743ABFC4E cert=Bvg/itxeL4TWKLP6N1MaQzSOC6tcRIBv6q57DYAZc3b2AzuM+/TfB7mqTFEfXILCjEwzVA iat-mode=1 250-Bridge=obfs4 198.245.60.50:443 752CF7825B3B9EA6A98C83AC41F7099D67007EA5 cert=xpmQtKUqQ/6v5X7ijgYE/f03+l2/EuQ1dexjyUhh16wQlu/cpXUGalmhDIlhuiQPNEKmKw iat-mode=0 250-Bridge=obfs4 85.17.30.79:443 FC259A04A328A07FED1413E9FC6526530D9FD87A cert=RutxZlu8BtyP+y0NX7bAVD41+J/qXNhHUrKjFkRSdiBAhIHIQLhKQ2HxESAKZprn/lR3KA iat-mode=0 250-Bridge=obfs4 154.35.22.11:80 A832D176ECD5C7C6B58825AE22FC4C90FA249637 cert=YPbQqXPiqTUBfjGFLpm9JYEFTBvnzEJDKJxXG5Sxzrr/v2qrhGU4Jls9lHjLAhqpXaEfZw iat-mode=0 250-Bridge=obfs4 154.35.22.12:80 00DC6C4FA49A65BD1472993CF6730D54F11E0DBB cert=N86E9hKXXXVz6G7w2z8wFfhIDztDAzZ/3poxVePHEYjbKDWzjkRDccFMAnhK75fc65pYSg iat-mode=0 250-Bridge=obfs4 192.99.11.54:443 7B126FAB960E5AC6A629C729434FF84FB5074EC2 cert=VW5f8+IBUWpPFxF+rsiVy2wXkyTQG7vEd+rHeN2jV5LIDNu8wMNEOqZXPwHdwMVEBdqXEw iat-mode=0 250-Bridge=obfs4 154.35.22.9:12166 C73ADBAC8ADFDBF0FC0F3F4E8091C0107D093716 cert=gEGKc5WN/bSjFa6UkG9hOcft1tuK+cV8hbZ0H6cqXiMPLqSbCh2Q3PHe5OOr6oMVORhoJA iat-mode=0 250 Bridge=obfs4 154.35.22.11:443 A832D176ECD5C7C6B58825AE22FC4C90FA249637 cert=YPbQqXPiqTUBfjGFLpm9JYEFTBvnzEJDKJxXG5Sxzrr/v2qrhGU4Jls9lHjLAhqpXaEfZw iat-mode=0 Routes for these IP addresses can be added to the config (as is currently done by Eddie for a normal Tor circuit). Once Eddie has connected, the circuit and stream can be verified: getinfo circuit-status getinfo circuit-status 250+circuit-status= 20 BUILT $FE7840FE1E21FE0A0639ED176EDA00A3ECA1E34D~Azadi,$D68C3CDCC7F7E377E5055E03C06255E33073DCAA~rafeal,$F3909D00806F47E1A48B0CA4FD04314A0E4A3EDB~Peppe BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL TIME_CREATED=2017-04-13T17:02:38.087988 26 BUILT $FE7840FE1E21FE0A0639ED176EDA00A3ECA1E34D~Azadi,$58D212692CB7DB6528E687A4AE55758429FCB3B3~klo,$317172AB30696897E1F7FA7AA2FC97B47ABF384F~starfish BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL TIME_CREATED=2017-04-13T17:12:46.070976 25 BUILT $FE7840FE1E21FE0A0639ED176EDA00A3ECA1E34D~Azadi,$B0B29389B594841812B4282F6C939035C60D5300~conti,$EC116BCB80565A408CE67F8EC3FE3B0B02C3A065~orion BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL TIME_CREATED=2017-04-13T17:12:38.071323 18 BUILT $FE7840FE1E21FE0A0639ED176EDA00A3ECA1E34D~Azadi,$DA6B1A467220A797D4C63D9D2AAF496CCE9D9F3D~linuxthefish2,$81CF3F5A88B757C725EC2D482239ED6221DE3088~ididnteditheconfig BUILD_FLAGS=IS_INTERNAL,NEED_CAPACITY,NEED_UPTIME PURPOSE=GENERAL TIME_CREATED=2017-04-13T17:02:36.077828 19 BUILT $FE7840FE1E21FE0A0639ED176EDA00A3ECA1E34D~Azadi,$B9A63C41B4084B4688744512B78F6563014DC080~tuturu,$D68C3CDCC7F7E377E5055E03C06255E33073DCAA~rafeal BUILD_FLAGS=IS_INTERNAL,NEED_CAPACITY,NEED_UPTIME PURPOSE=GENERAL TIME_CREATED=2017-04-13T17:02:37.088741 17 BUILT $FE7840FE1E21FE0A0639ED176EDA00A3ECA1E34D~Azadi,$86C281AD135058238D7A337D546C902BE8505DDE~TykRelay05,$650398831C8B3583B2E4E913C1F01E14F6429E3D~Unnamed BUILD_FLAGS=IS_INTERNAL,NEED_CAPACITY,NEED_UPTIME PURPOSE=GENERAL TIME_CREATED=2017-04-13T17:02:35.119657 . 250 OK getinfo stream-status: getinfo stream-status 250+stream-status= 75 SUCCEEDED 20 104.154.164.197:443 72 SUCCEEDED 20 185.156.175.58:443 . 250 OK The last line shows that stream 72 is connected via circuit 20 to 182.156.175.58 (Sirrah). Quote Share this post Link to post