[tor-talk] using UDPGW and tun2socks over Tor

grarpamp grarpamp at gmail.com
Mon Oct 27 17:00:38 UTC 2014


On Fri, Oct 24, 2014 at 1:35 AM, Nathan Freitas <nathan at freitas.net> wrote:
> Is there any reason we shouldn't consider supporting UDP over Tor with
> Orbot, by tunneling the packets using the combination of badvpn's
> tun2socks and udpgw ("udp gateway") feature?

There's no reason raw IP itself (any/none of its numbered protocols)
shouldn't / couldn't be transported over Tor using OpenVPN (at least
until Tor itself is extended as such).

> This has come up as we are
> implementing the Android VPNService, and discovered how easy to
> implement and well performing the badvpn UDP tunneling capability is.

> This means we can support SIP calling over Tor, video conference and
> streaming, among other applications...

> https://code.google.com/p/badvpn/
> https://code.google.com/p/badvpn/wiki/tun2socks
> https://github.com/ambrop72/badvpn

... Not necessarily. Unless you're statically mapping all the people
(IPs) you want to communicate with beforehand (which you can't with
random unknown participants, i.e. BitTorrent, or people on dynamic or
mobile), you're currently constrained by address collisions:
- Trying to pack the entire IPv4 address space you might want to
'call' into your tiny 10.0.0.0/24 adapter space. Same for putting the
entire IPv6 space into your private IPv6/48 adapter space.
- Similarly, what you're going to do when Tor moves to wider than
80-bit onion addressing, which currently fits nicely into a private IPv6/48.
(Need a secure IPv6<->onion address mapping layer pushed into a
DHT/blockchain, or just resorting to trusting some volunteer-run in-net
lookup service.)

edit: Just noticed badvpn's mention of pushing a *VM* on a 10 address
through socks with this, at least for TCP, which is simpler. As opposed
to pushing any app on the raw iron through a *VPN* which could be
constrained as above. Left this anyway for thought in related things.

> It does mean that someone would have to operate the
> gateway/infrastructure portion of udpgw at a capacity necessary to
> handle all udp streaming traffic sent for all Orbot users, but I would
> consider that to be feasible. Perhaps udpgw instances can be run along
> side all Tor exit nodes?

Read the thread below, which runs on both tor-talk and tor-relays over
May and June, with better specification/answers in later posts.
https://lists.torproject.org/pipermail/tor-relays/2014-May/004516.html
Subject: Ops request: Deploy OpenVPN terminators
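
The address-space constraint raised in the reply above, as an added example that is not part of the original post or of any project it mentions: an 80-bit onion label embeds losslessly in the 80 host bits of a /48, while a wider label or the whole IPv4 space in a /24 cannot map without collisions. The prefix `fd00:1234:5678::/48`, the function names and the sample labels are assumptions constructed for illustration.

```python
import base64
import ipaddress

# Assumption: example ULA prefix; the post only says "a private IPv6/48".
PREFIX = ipaddress.ip_network("fd00:1234:5678::/48")


def host_bits(net):
    """Bits left in an adapter network for embedding a remote identifier."""
    return net.max_prefixlen - net.prefixlen


def fits(ident_bits, net):
    """True only if every identifier gets its own address (no collisions)."""
    return ident_bits <= host_bits(net)


def onion_to_ipv6(onion, net=PREFIX):
    """Embed a base32 onion label in net; raise if it is too wide to fit."""
    label = onion.lower()
    if label.endswith(".onion"):
        label = label[:-len(".onion")]
    raw = base64.b32decode(label.upper() + "=" * (-len(label) % 8))
    if not fits(len(raw) * 8, net):
        raise ValueError(f"{len(raw) * 8}-bit id exceeds {host_bits(net)} host bits")
    return net.network_address + int.from_bytes(raw, "big")


def ipv6_to_onion(addr, net=PREFIX):
    """Recover the onion label from an address produced by onion_to_ipv6."""
    addr = ipaddress.ip_address(addr)
    if addr not in net:
        raise ValueError(f"{addr} is outside {net}")
    host = int(addr) & ((1 << host_bits(net)) - 1)
    raw = host.to_bytes(host_bits(net) // 8, "big")
    return base64.b32encode(raw).decode().lower() + ".onion"


if __name__ == "__main__":
    # Constructed sample labels, not real services.
    short = "abcdefghijklmnop.onion"   # 16 chars = 80 bits
    wide = "a" * 56 + ".onion"         # 56 chars = 280 bits
    ip = onion_to_ipv6(short)
    print(ip, "->", ipv6_to_onion(ip))
    print("IPv4 into 10.0.0.0/24 collision-free:", fits(32, ipaddress.ip_network("10.0.0.0/24")))
    try:
        onion_to_ipv6(wide)
    except ValueError as exc:
        print("wide label rejected:", exc)
```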

