[tor-relays] Ops request: Deploy OpenVPN terminators
Jeroen Massar
jeroen at massar.ch
Thu May 15 13:36:40 UTC 2014
On 2014-05-15 05:06, grarpamp wrote:
[..big snip skipping over the complete nonsense..]
TLDwtR: the proposed setup breaks all anonymity (OpenVPN sends Raw IP
packets) + few users will ever use this, few random exits will support
it, thus 1:1 mapping for the few people who will use it.
Only reason why this is being asked: circumvent site policies where the
operator has already had enough problems with random Tor users and other
proxies defying their access policy.
[.. moved from the reply up here as it is useful ..]
> I run services, they are account based, and I refuse to
> block access to me via tor exits.
If you want to make a positive contribution, please detail how exactly
you handle abusive users, make a good post about this somewhere (and
link it from the blocking services page) and when you encounter a site
operator that for you "wrongly blocks Tor" ask them to reconsider based
on your proposal.
Greets,
Jeroen
---
further blurb...
[..]
>> This service is there so that operators of sites can decide if they
>> want to serve anonymous users or not.
>
> As said and echoed in other threads, I warrant that a significant
> portion of them are not making such careful, balanced and thoughtful
> decisions as you suggest.
Even though you are guessing that other people, who operate a site,
don't make a "balanced and thoughtful decision", it is not for you to
attempt to circumvent that decision.
That is like saying "they should not have connected it to the network at
all if they did not want me to access it" or "hey look the space shuttle
designs, they should not have allowed me to exploit that hole to get
access to it".
If an operator does not want you on their site, do not circumvent it. It
will only cause more problems for other people who are allowed access to it.
>> Note that that is there to reduce the amount of abuse, and thus the
>> global and full blocking of Tor.
>
> As in other threads, prove that the incidence of abuse via
> tor is greater than the incidence via clearnet.
You mean because people are trying to circumvent the policies of a site?
>> Typically an operator will only block
>> registration through Tor, while allowing logins through Tor.
>
> Doesn't matter which one is blocked, result is the same,
> a service unusable by legit users who care about their
> good privacy interests as noted on the tor front page.
And still, as the operator does not want anonymous users, you will have
to abide by that.
As an example: a service like Netflix. They can provide content because
the "owners" of that content allow them to do so in certain
jurisdictions. Bypassing those rules might cause the "owner" of the
content to drop Netflix as a service.
Hence, if you are bypassing the regulations that Netflix has put in
place, you might damage the content availability for all those users.
Did it help you to be anonymous? Not really. Did it damage lots of
people who played ball, definitely.
>> Who is "We"? Which users complain, and about what exactly?
>
> Ever try to access a site via tor and be rejected for doing nothing
> wrong? That's who.
Obviously you are accessing sites who had problems with Tor users
abusing the functionality of the site.
Not illogical that they thus classify that access as bad.
What would you do if it was your site, let them run rampant on your site
or make it easy: filter those users out?
As they are anonymous, there is little way to differentiate between user
A and user B, and if the majority coming through whatever-open-proxy is
being malicious, then it is a good thing to block them.
[..]
> Tor's encrypted circuits give source anonymity.
And that is the primary intent of Tor.
> Tor's exits (or this OpenVPN/binding) give the ways around things.
That is NOT an intent of Tor.
> Absolutely right, I wish to give users
> ways to avoid gratuitous unthoughtful (in respect and consideration
> to the individual legit user wishing access to such services) ways
> around such blocking.
You are thus stating: I want to circumvent a site's decision to block me.
That is not a target of Tor.
Please, don't abuse it as such. Please, go abuse some Open Proxy
somewhere like most people do.
>> By trying to avoid blocks that way, you
>> will only give a bad name to Tor and other similar projects.
>
> Only if you assume tor users are 'bad' actors. That is a shame
> people think that.
Tor users are typically not bad actors. But there are always the people
who do so and thus cause damage for the normal people who really do
just want to be anonymous.
[..]
>> You are trying to defy policy of a site...
>
> Tor ITSELF is trying to defy all manner of policies, this
> fits that just fine.
It might "defy" a policy to get access to the Tor network (ingress) to
give you anonymity, but Tor itself does not give you the ability to defy
the policy of the site one is connecting to (exit).
Yes, you can likely pick a US exit to see 'some' US content or otherwise
get geolocated differently, but that is not defying policy of the remote
(exit) site directly.
>> not bypassing a bad operator.
>
> This makes no sense. I never said relay ops were bad.
'operator' in that sentence context is that of "ISP operator", e.g. that
big old lovely Chinese firewall.
>> You don't have to run described openvpn extension if you
>> don't want.
>
>> I don't think anybody will. There are too many ways to abuse that setup
>> and more importantly, too easy to detect.
>
> I'm putting the idea out there. Some relays will, some won't.
> You don't like it, you don't have to. Some blocklists and
> site ops will scan and detect these new IPs, some won't.
I am actually wondering all of a sudden why you think there can be
scanning on the outbound IP address. Thus say that the 'exit' IP from
OpenVPN is 192.0.2.1, thus all traffic coming out of your setup comes
out of there. There does not have to be anything listening on that
IP address. Hence scanning is not possible.
Note that both client side and server side the OpenVPN can be listening
on 127.0.0.1, which just means that:
browser -> ovpn -> tor -> {tornet} -> tor -> ovpn(lo:1194) -> [exit] -> {world}
Hence, no listening addresses needed at all on the [exit] IP.
Hence, no scanning or discovery that way either. Indeed TorDNSEL won't
get that special exit IP either, as it does not know about you tunneling
OpenVPN over Tor.
But, as you are sending Raw IP packets, all anonymity properties that
Tor normally gives you are gone.
Also, as the amount of users of this setup will be in the low 10s, let's
say 5, and likely even less, this special exit IP address will only have
those 5 users, hence it is VERY easy to see which user it is. At least
you can map it to 5 users.
Remember, with real normal exits, nobody knows how many users there are
as it is a mixnet. Thus 10 Mbit of traffic might be 1 or 100 or 1000 users.
Hence, why are you using Tor again? It does not seem to be the anonymity
property you care about that much.
> Any that don't is a win for us.
>
> Abuse it? Laugh, no more than users abuse current
> Tor exits. Actually, it would likely be less incidence
> of mundane flood of abuse since the moronic masses
> of the internet won't bother figuring out how to scan
> and setup OpenVPN over tor or using controller to
> map non OR_IP exits.
Thank you for calling most Tor users "moronic masses".
See above, you lost all your anonymity properties.
Please simply do not use Tor. You give the rest of the users a bad name.
>> Tor and other "open proxies" have a lot to do with abusive users.
>> Typically they come hand in hand.
>
> Seriously? A thousand Tor exits compared to hundreds of millions
> of clearnet internet IPs cause more incidence of abuse reports that
> need to be handled by abuse desks and LEA? Please, GET REAL!!!
Please indeed abuse those resources instead, they better fit your purpose.
>> There are good users, and there are bad ones. Depending on how your user
>> base works and how much time one wants to spend, you might not want to
>> keep on banning the people who are obviously trying to hide.
>
> I'm sorry you feel that the majority of tor users are bad.
I've never stated anything in that direction, quite the contrary.
> Have you visited your local coffeeshop or home lately, how
> many of those teenage freeloaders are bad. No difference,
> maybe even worse incidence.
Everybody is aware that one is semi-anonymous[1] in a Starbucks.
But that is not a problem to do with Tor is it?
[1] your computer will show all traces of you though, thus too late.
>> There is a list of these kind of services here:
>> https://trac.torproject.org/projects/tor/wiki/org/doc/ListOfServicesBlockingTor
>> Attempting to bypass those restrictions will only cause them to block
>> that method too, and IMHO with good reason.
>
> They are free to do that, we are free to continue to deploy
> countermeasures against indiscriminate non user-account-based
> blocking.
>
>> Haha, yeah China and legalities.... so yes, obviously you are NOT trying
>> to circumvent entity like the GFW.
>> Thus what are you trying to circumvent?
>
> Duh. Already said this many times. Tor users complain
> about being blocked indiscriminately when doing nothing
> wrong themselves. Posts from these users are frequent
> on tor-talk. And indeed as you listed, on that wiki page
> as well. We should try to help them. This is one way to do
> that. And to continue to put pressure on clearnet services
> to deploy their own account based, NOT archaic ip based,
> abuse management solutions.
You obviously have never run a service of any size that had to deal with
that kind of abuse. IP based blocking is the easiest and best method as
it takes care of most of the abusers.
Please look at Wikipedia, they are pretty open about how they block things.
[..]
> Of course. Unless of course, as suggested before, some operators
> choose the method of binding/routing their exit over an ip different
> from their OR_IP, then it would just be native tor and native TCP.
If they do so, TorDNSEL will properly list that IP address as it should
be doing.
[..]
> No it can't. The user is running ovpn and tor on their node,
> and the exit operator is running ovpn and tor on their node.
> The only thing that hits clearnet is tor, not ovpn. So there
> is zero difference to any observer between 'user' and 'ovpn_ip'
> there at all, all they see is tor. Same as before.
Of course it can. For the traffic out of OpenVPN to go anywhere it is
either using a real IP address or doing NAT. Voila, Raw IP.
Or are you connecting through another TCP based proxy inside the OpenVPN
VPN?
[..]
> Then why don't you suggest users sign up and pay anonymously
> for three separate vpn/shell services and onionchain them all together
> and roam them around new vpn/shells once in a while. It's the same
> thing. You see.
Far from.
Please watch "The Net" and other such funny movies where they "hack into
each IP" and "trace the user around the world".
Please read up on Mix Networks, e.g.
https://en.wikipedia.org/wiki/Mix_network
That explains the background concept of Tor and that if you have 1000
users you will not know which source belongs to which.
>> As I noted, 'getting out', or better 'who allows Tor nodes to connect to
>> their sites' is a decision to be made by those operators.
>
> Yes, and they can still make those decisions. We're just making
> them think more about it.
Indeed, you will make sure that they will never want to have any Tor
users at all, as clearly their intent is to circumvent their blocks.
> On clearnet you as a service op when
> you block an ip are usually taking out just one user.
Ever heard of NAT? Especially with 3G exit IPs or the fun with DS-Lite,
there will be a lot more than one single person behind it.
> You should have just deleted their account, but whatever.
So that they can sign up again and start the abusive behavior from the
start?
> When you block a tor ip you are stupidly taking out many many users
> who have nothing to do with the account that caused you grief.
Because for most operators there is no difference.
In your proposal those "extra" IPs will just be blocked next.
> That, in my opinion, is WRONG.
While you might think that, it is THEIR site, thus for them to decide.
[.. moved up..]
>> You clearly do not understand why the DNSEL is published. Please read up
>> on it.
>
> I know exactly why DNSEL is published. On one hand it
> is great, on the other it is abused by clearnet service operators
> who, in my and others opinions, are not giving enough thought
> and effort into other ways they can address 'abuse'. I also know
> Tor Project has a budget for outreach, in part of which is meant to
> educate about some of these other local abuse management ways
> besides blocking access to services via tor. Maybe it's time that
> budget proportion and time allocation was increased.
Please read:
https://www.torproject.org/about/sponsors.html.en
and contribute. If you make a large enough donation you can ask for your
own milestones:
https://trac.torproject.org/projects/tor/wiki/org/sponsors
>> OpenVPN, especially in encrypted mode, requires quite a lot more CPU power
>> on the nodes running OpenVPN.
>
> Obviously. AES-NI helps. However it does not necessarily need to
> be encrypted (or even heavily) since the user still has a full tor-cli to
> tor-exit path established. See the diagram. It is the exit that is
> their security, the ovpn is just adding a new ip/protocol service.
Instead of OpenVPN, which is Raw-IP, just specify the exit IP or use a
TCP-proxy if you don't want them to show up in the TORBL. Saves on the
overhead and avoids losing anonymity features.
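The thread keeps coming back to TorDNSEL: an exit that routes its traffic over its own OR IP (or a separately declared exit IP) gets listed there, a site operator can consult the list to apply the "block registration via Tor, allow login" policy described above, and an OpenVPN endpoint tunneled over Tor would simply not appear in it. The following is an added example, not code from either poster or from the Tor Project: a small DNSEL client of the kind a site operator would put in front of an account-registration handler. It assumes the query-name format the Tor Project documents for its current DNSEL (IPv4 octets reversed under dnsel.torproject.org, answer 127.0.0.2 for a known exit); the resolver is injected so the logic runs offline against a constructed answer table, and a lookup failure is treated as "not listed".

```python
"""Added example (not part of the tor-relays thread): TorDNSEL lookup plus the
registration/login policy the thread describes, with an injectable resolver."""
import ipaddress
import socket

# Assumption: current Tor Project DNSEL zone and its "is an exit" answer.
DNSEL_ZONE = "dnsel.torproject.org"
EXIT_ANSWER = "127.0.0.2"


def build_query_name(ip: str, zone: str = DNSEL_ZONE) -> str:
    """Reverse the IPv4 octets and append the DNSEL zone.

    Raises ValueError for IPv6 or malformed input rather than sending a
    meaningless query."""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_tor_exit(ip: str, resolve=socket.gethostbyname, zone: str = DNSEL_ZONE) -> bool:
    """True when the DNSEL answers with the exit marker address.

    NXDOMAIN (or any resolver error) is surfaced by gethostbyname as OSError
    and means "not a known exit"; an OpenVPN endpoint tunneled over Tor is
    never listed, which is exactly the point made in the thread."""
    name = build_query_name(ip, zone)
    try:
        answer = resolve(name)
    except OSError:
        return False
    return answer == EXIT_ANSWER


def registration_policy(ip: str, action: str, resolve=socket.gethostbyname) -> str:
    """The policy the thread describes as typical: refuse account creation
    from Tor exits but keep logins open to existing accounts.

    Returns "deny" or "allow"."""
    if action == "register" and is_tor_exit(ip, resolve=resolve):
        return "deny"
    return "allow"


# Constructed answer table standing in for the live DNSEL (TEST-NET addresses).
CONSTRUCTED_DNSEL = {
    build_query_name("203.0.113.7"): EXIT_ANSWER,   # hypothetical listed exit
}


def fake_resolve(name: str) -> str:
    """Offline stand-in for socket.gethostbyname over the constructed table."""
    try:
        return CONSTRUCTED_DNSEL[name]
    except KeyError:
        raise OSError(f"NXDOMAIN: {name}")


if __name__ == "__main__":
    for ip, action in [("203.0.113.7", "register"), ("203.0.113.7", "login"),
                       ("198.51.100.9", "register")]:
        print(ip, action, "->", registration_policy(ip, action, resolve=fake_resolve))
```

In production the resolver would be the real one (or a caching DNS library), and the result should be cached per address for a short time, since the exit list changes as relays come and go; note that the lookup only ever answers "is this a listed Tor exit", so an exit deliberately routed over an unlisted IP, whether via OpenVPN or otherwise, is invisible to it, which is why the thread's author argues for declaring the exit IP rather than hiding it.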