
Re: [tor-talk] app -> socks5-openvpn -> socks5-tor ?



On Thu, Jul 9, 2015 at 3:42 AM, coderman <coderman@gmail.com> wrote:
> a http-proxy/socks-proxy

privoxy can stuff http over socks, so whether or not this socks to
vpn tool supports http-proxy is moot.

(nb: ip traffic of socks can't be stuffed over http without a far
end de-encapsulator. Same reason why socks provided by SSH won't
work here.)

> it did not create a tun/tap device on host.

Not sure it would need to do that, yet one of two things is probably
needed...

A) socks5 server code in openvpn itself (like Tor has) so that openvpn
can send it directly through the process and physically out the tun
to the far side, including any DNS lookups on behalf of client.
(Yes, useful :)

B) A standalone shim with socks5 on the front
 1) that knows how to route on the back (in conjunction with setting
    arp to the vpn far end ip, or can talk to the raw tun).
 2) or tell the kernel to ignore the route table for such a socks
    server bound to the tun interface (like dante), combined with
    arp to actually route. SO_DONTROUTE isn't that, SO_SETFIB might.
 Also complicated by the tun interface bouncing up-down and/or its
 ip address/mask changing. See also policy/source/user/process
 routing, etc. Seems to make B even more complex than VM.

If you're certain your app usage will only talk to a known set of
hosts, simply openvpn with split horizon routing table entries works.

But if you're testing a browser, torrent, bitcoin, something that can
randomly contact anywhere... and you want to use your stack normally
with other apps... you can't default everything into openvpn, so you
need to use the app's socks containment channel. Thus this thread.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
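The two pieces an option-B shim needs, as an added example that is not part of the original message and not code from openvpn, dante or Tor: parsing the SOCKS5 CONNECT request on the front, and opening the outbound socket pinned to the tun interface on the back so that it fails closed when the interface is down instead of leaving by the default route. Assumptions: Linux, where SO_BINDTODEVICE stands in for the SO_SETFIB idea mentioned above; the interface name tun0; all function names are hypothetical; name requests are refused rather than resolved, since the host resolver would use the default route.

```python
import socket
import struct

# Constructed sample: SOCKS5 CONNECT to 192.0.2.10:443 (documentation address).
SAMPLE_REQ = b"\x05\x01\x00\x01" + bytes([192, 0, 2, 10]) + b"\x01\xbb"

def parse_socks5_connect(req: bytes):
    """Parse an RFC 1928 CONNECT request into (host, port, is_name)."""
    if len(req) < 5 or req[:3] != b"\x05\x01\x00":   # VER=5, CMD=CONNECT, RSV=0
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp, body = req[3], req[4:]
    if atyp == 1:                                    # IPv4 literal
        n, decode = 4, socket.inet_ntoa
    elif atyp == 4:                                  # IPv6 literal
        n, decode = 16, lambda b: socket.inet_ntop(socket.AF_INET6, b)
    elif atyp == 3:                                  # length-prefixed domain name
        n, body, decode = body[0], body[1:], lambda b: b.decode("ascii")
    else:
        raise ValueError("unsupported address type")
    if len(body) != n + 2:                           # address plus 2-byte port
        raise ValueError("truncated or oversized request")
    (port,) = struct.unpack("!H", body[n:])
    return decode(body[:n]), port, atyp == 3

def egress_socket(ifname: str, family=socket.AF_INET) -> socket.socket:
    """TCP socket pinned to ifname; raises if the interface is missing."""
    s = socket.socket(family, socket.SOCK_STREAM)
    try:
        # Linux-only option; may need CAP_NET_RAW depending on kernel version.
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BINDTODEVICE,
                     ifname.encode() + b"\0")
    except OSError:
        s.close()            # fail closed: no fallback to the default route
        raise
    return s

def connect_via_tunnel(req: bytes, ifname: str = "tun0") -> socket.socket:
    """Open the requested connection through ifname only."""
    host, port, is_name = parse_socks5_connect(req)
    if is_name:
        # Resolving here would send DNS out the default route, not the tunnel.
        raise ValueError("name requests need a resolver reachable over the tunnel")
    s = egress_socket(ifname, socket.AF_INET6 if ":" in host else socket.AF_INET)
    try:
        s.connect((host, port))
    except OSError:
        s.close()
        raise
    return s
```

Because the socket is bound to the device before connect(), a tun interface that has bounced shows up as an error to the SOCKS client rather than as traffic on the normal uplink.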