
Private Tor Network on Docker

An isolated, private tor network running entirely in Docker containers

Quickstart

The easiest way to get a tor network up and running is to use docker-compose: bring the services up, then use its scale function to add relays and exits:

docker-compose up 
docker-compose scale relay=5 exit=3 

This will create 3 directory authorities (DAs), 1 client listening on port 9050, 5 relays, and 3 exits. You can scale to whatever counts you want.

Uses

If you're going "Why do I want this?", here are a few examples:

tor research: learn how tor interacts with nodes, make modifications to settings and see what happens, understand how the Tor Network operates without affecting real people. Originally this project was part of a class I wrote to teach about how tor works.

tor development: if you're working on a patch that is more complex and requires seeing what happens on the tor network, you can apply the patch to the containers.

traffic analysis: Test out the latest tor exploit and pretend to be a nation state adversary.

If this needs to be said, this should never be used as a replacement for tor. This is for research purposes alone.

Storage & Tor Network Configuration

All of the information that other nodes on the network need to know about is stored in a named volume, torvol. You can find its path with docker volume inspect privatetornetwork_torvol, or use docker volume ls to find its name on your system.

If you are running multiple instances or are rebuilding it, make sure you delete this named volume, or you'll accidentally reuse a previous iteration's keys. The easiest way is:

docker-compose rm
docker volume rm privatetornetwork_torvol

Running Individual Roles

You can build a tor network manually if you don't want to use docker-compose, but you'll need to make sure you pass the correct DA fingerprints to each of the servers. Also make sure you create a user-defined network so that the containers don't try to use the default bridge. For example, this would start the first directory authority (DA): docker run -e ROLE=DA --network tornet antitree/private-tor

Or set up a relay: docker run -e ROLE=RELAY --network tornet antitree/private-tor

Watch the logs on a relay: docker logs -f {name of your container}

Available roles right now are:

  • DA - directory authority
  • RELAY - non-exit relay
  • EXIT - exit relay
  • CLIENT - exposes the tor socks port on 9050 to the host
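The reason every role has to be handed the same DA fingerprints is that a tor node only trusts the directory authorities listed in its torrc; with TestingTorNetwork 1 tor refuses to start unless a non-default DirAuthority set is configured, so the DA list is what ties a node to this particular network. The script below is an added example, not the project's own entrypoint: it builds a torrc for each of the roles above from a shared authority list and checks that two nodes agree on their authorities. It assumes the directive syntax from the tor manual (DirAuthority with orport= and v3ident= flags, AuthoritativeDirectory, HiddenServicePort); the fingerprints, IPs and the /var/lib/tor data directory are constructed placeholders, and the control-port password the image derives from TOR_CONTROL_PWD is left out.

```python
"""Generate a torrc for one role of a private tor network (added example).

Not the project's entrypoint script. Directive syntax follows the tor manual;
all fingerprints below are constructed placeholders, not real keys.
"""
from dataclasses import dataclass
import re

ROLES = ("DA", "RELAY", "EXIT", "CLIENT", "HS")
FP_RE = re.compile(r"^[0-9A-F]{40}$")


@dataclass(frozen=True)
class DirAuthority:
    nickname: str
    ip: str
    orport: int
    dirport: int
    fingerprint: str  # RSA identity fingerprint, 40 hex chars
    v3ident: str      # v3 authority signing identity, 40 hex chars

    def directive(self) -> str:
        # tor manual: DirAuthority <nick> orport=<port> v3ident=<fp> <ip>:<dirport> <fingerprint>
        for fp in (self.fingerprint, self.v3ident):
            if not FP_RE.match(fp):
                raise ValueError(f"malformed fingerprint for {self.nickname}: {fp!r}")
        return (f"DirAuthority {self.nickname} orport={self.orport} "
                f"v3ident={self.v3ident} {self.ip}:{self.dirport} {self.fingerprint}")


# Constructed authorities: placeholder fingerprints, addresses on a made-up 172.19.0.0/16 tornet.
SAMPLE_DAS = (
    DirAuthority("da1", "172.19.0.2", 7000, 9030, "A" * 40, "B" * 40),
    DirAuthority("da2", "172.19.0.3", 7000, 9030, "C" * 40, "D" * 40),
    DirAuthority("da3", "172.19.0.4", 7000, 9030, "E" * 40, "F" * 40),
)


def build_torrc(role, das, nickname, orport=7000, dirport=9030, hs_port=None, hs_addr=None):
    """Return torrc text for `role`; the DirAuthority block must be identical on every node."""
    role = role.upper()
    if role not in ROLES:
        raise ValueError(f"unknown role {role!r}, expected one of {ROLES}")
    lines = [
        "TestingTorNetwork 1",          # relaxed timings; requires a non-default DirAuthority set
        f"Nickname {nickname}",
        "DataDirectory /var/lib/tor",   # assumed path, not necessarily the image's TOR_DIR
        "Log notice stdout",            # what `docker logs -f` shows
        "ControlPort 0.0.0.0:9051",     # HashedControlPassword (from TOR_CONTROL_PWD) omitted here
    ]
    lines += [da.directive() for da in das]
    if role == "DA":
        lines += ["AuthoritativeDirectory 1", "V3AuthoritativeDirectory 1",
                  f"ORPort {orport}", f"DirPort {dirport}", "ExitRelay 0"]
    elif role == "RELAY":
        lines += [f"ORPort {orport}", f"DirPort {dirport}", "ExitRelay 0"]
    elif role == "EXIT":
        lines += [f"ORPort {orport}", f"DirPort {dirport}", "ExitRelay 1", "ExitPolicy accept *:*"]
    elif role == "CLIENT":
        lines += ["SocksPort 0.0.0.0:9050"]  # docker-compose publishes this to the host
    elif role == "HS":
        if not (hs_port and hs_addr):
            raise ValueError("HS role needs hs_port and hs_addr (TOR_HS_PORT / TOR_HS_ADDR)")
        lines += ["HiddenServiceDir /var/lib/tor/hs",
                  f"HiddenServicePort {hs_port} {hs_addr}:{hs_port}"]
    return "\n".join(lines) + "\n"


def authority_fingerprints(torrc):
    """Set of DA identity fingerprints a torrc trusts; compare this across nodes."""
    return {line.split()[-1] for line in torrc.splitlines() if line.startswith("DirAuthority ")}


def same_authorities(torrc_a, torrc_b):
    """True only if both configs name the same, non-empty set of authorities."""
    fps = authority_fingerprints(torrc_a)
    return bool(fps) and fps == authority_fingerprints(torrc_b)


if __name__ == "__main__":
    print(build_torrc("EXIT", SAMPLE_DAS, "exit1"))
```

A node built from a different DirAuthority set (the stale-volume case from the Storage section, or a container pointed at a redeployed network) fails same_authorities, which is the check to run before wondering why a relay never shows up in the consensus.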

Versions

You can run a variety of the most common tor versions by changing the image tag from "antitree/private-tor:latest" to something like "antitree/private-tor:0.3.2". The tags currently supported range from 0.2.6 to 0.3.5.

If you'd like to try a very specific version, rebuild from the Dockerfile and edit the "TOR_VER" environment variable. Its value should match a branch name in the official tor repo.

Onion Services

If you'd like to run an onion service, you can use the TOR_HS_PORT and TOR_HS_ADDR environment variables. By default, there is a hidden service set up in the docker-compose.yml file.

Example configuration that runs an onion service named "hs" and a web server named "web". The web service is linked to the onion service so that "hs" forwards connections to "web" on port 80. This is done using the links feature of docker-compose.

 hs:
  image: antitree/private-tor
  expose:
    - "80"
  environment:
    ROLE: HS
    # This will create a hidden service that points to
    # the service "web" which is running nginx. You can
    # change this to whatever IP or hostname you want
    TOR_HS_PORT: "80"
    TOR_HS_ADDR: "web"
  volumes:
    - ./tor:/tor
  depends_on:
    - da1
    - da2
    - da3
  links:
    - web
 web:
  image: nginx
  expose:
    - "80"

NOTE: By default, this just displays the nginx start page, so you may want to replace the image with a more interesting one, or configure the nginx container to host some static HTML.

Tor configuration

This configuration is based on the Tor documentation for how to run a private tor network. You should also check out Chutney, which does something similar with separate processes instead of containers. If you need to make a modification (such as changing the DAs' timing), edit config/torrc and/or config/torrc.da. You may need to modify the Dockerfile as well.

Environment variables

The container is built off of chriswayg/tor-server but has been heavily modified to support some additional env variables that you can pass to it:

  • TOR_ORPORT - default is 7000
  • TOR_DIRPORT - default is 9030
  • TOR_DIR - container path at which persistent tor material is mounted. Default is /tor
  • TOR_CONTROL_PWD - set the control port password to something besides "password"
  • TOR_HS_PORT - port to listen for an onion service on
  • TOR_HS_ADDR - IP or hostname of service you want to point an onion service to

Things to try

The /util/ directory contains a few scripts to play with on the host computer. Once you have a private tor network up and running, you can try out the tools in there.

Using Arm:

With the tor control port exposed to the host, you can use arm to monitor the client.

apt-get install tor-arm
arm

NOTE: The control port is currently password protected. Enter "password" when prompted.

You can also connect arm to one of the containers if you know its IP. You can find the IPs by running the provided get_consensus.py script, or however else you like.

arm -i 172.19.0.3:9051

Get Consensus:

python util/get_consensus.py

This connects to the CLIENT docker container via the tor Control Port and downloads the consensus, which contains the nicknames and IPs of the relays on the network. (If this is blank, you may have to wait 30s while the DAs decide on a consensus.)
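What get_consensus.py hands back is the network-status document, so it helps to know what is actually in it. The parser below is an added example and is not the project's script: it reads the "r"/"s"/"p" lines of a consensus into relay records (nickname, IP, ORPort, flags, exit policy), converts the base64 identity on each "r" line into the hex fingerprint tor prints in its logs, and applies the "is the consensus usable yet?" check that the 30-second note above calls for. The consensus text is constructed to follow the dir-spec line layout with placeholder identities; the optional fetch_consensus() path assumes the stem library is installed and uses the GETINFO key dir/status-vote/current/consensus from the control protocol.

```python
"""Parse a tor network-status consensus into relay records (added example).

Not the project's get_consensus.py. SAMPLE_CONSENSUS is constructed: it keeps the
dir-spec "r"/"s"/"w"/"p" line layout but uses placeholder identities, not real relays.
"""
import base64
from dataclasses import dataclass


@dataclass
class Relay:
    nickname: str
    fingerprint: str          # hex RSA identity, the form tor uses in log messages
    ip: str
    orport: int
    dirport: int
    flags: frozenset = frozenset()
    exit_policy: str = ""


SAMPLE_CONSENSUS = """\
network-status-version 3
vote-status consensus
r da1 AAECAwQFBgcICQoLDA0ODxAREhM AAECAwQFBgcICQoLDA0ODxAREhM 2019-05-18 12:05:01 172.19.0.2 7000 9030
s Authority Fast Running Stable V2Dir Valid
w Bandwidth=1000
p reject 1-65535
r relay1 BAECAwQFBgcICQoLDA0ODxAREhM BAECAwQFBgcICQoLDA0ODxAREhM 2019-05-18 12:05:03 172.19.0.5 7000 9030
s Fast Running Stable V2Dir Valid
w Bandwidth=500
p reject 1-65535
r exit1 CAECAwQFBgcICQoLDA0ODxAREhM CAECAwQFBgcICQoLDA0ODxAREhM 2019-05-18 12:05:04 172.19.0.8 7000 9030
s Exit Fast Running Valid
w Bandwidth=800
p accept 80,443
directory-footer
"""


def identity_to_fingerprint(identity_b64):
    """'r' lines carry the 20-byte SHA-1 identity as unpadded base64 (27 chars)."""
    raw = base64.b64decode(identity_b64 + "=")
    if len(raw) != 20:
        raise ValueError("identity is not a 20-byte digest")
    return raw.hex().upper()


def parse_consensus(text):
    relays, current = [], None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 9:
            # r <nick> <identity> <digest> <date> <time> <ip> <orport> <dirport>
            current = Relay(parts[1], identity_to_fingerprint(parts[2]),
                            parts[6], int(parts[7]), int(parts[8]))
            relays.append(current)
        elif parts[0] == "s" and current is not None:
            current.flags = frozenset(parts[1:])
        elif parts[0] == "p" and current is not None:
            current.exit_policy = " ".join(parts[1:])
    return relays


def with_flag(relays, flag):
    return [r for r in relays if flag in r.flags]


def consensus_ready(relays, min_running=1):
    """A usable private network needs an Authority, a Running relay and an Exit in the consensus."""
    return (len(with_flag(relays, "Authority")) >= 1
            and len(with_flag(relays, "Running")) >= min_running
            and len(with_flag(relays, "Exit")) >= 1)


def control_targets(relays, control_port=9051):
    """Addresses for `arm -i` / `tor-prompt -i`, assuming each container exposes its control port."""
    return [f"{r.ip}:{control_port}" for r in relays]


def fetch_consensus(address="127.0.0.1", port=9051, password="password"):
    """Optional live path over the CLIENT's control port; needs `pip install stem`."""
    from stem.control import Controller  # lazy import so the parser runs without stem
    with Controller.from_port(address=address, port=port) as controller:
        controller.authenticate(password=password)
        return controller.get_info("dir/status-vote/current/consensus")


if __name__ == "__main__":
    for r in parse_consensus(SAMPLE_CONSENSUS):
        print(f"{r.nickname:8} {r.ip}:{r.orport} {r.fingerprint} {sorted(r.flags)}")
```

Feeding the output of fetch_consensus() into parse_consensus() gives the same records for a live network; an empty list from a freshly started network is the "blank consensus" case, and consensus_ready() returning False while the DAs are still voting is the expected state for the first half minute.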

Tor-prompt:

If you've installed arm, you will probably also have the tor-prompt command. You can use it to manually gather information from the containers that have their Control Port exposed, like so:

tor-prompt -i {ip_of_container}:9051
Control Port password: password

Debugging

Here are a few things to try if you're running into issues:

  • Check the tor logs sent to stdout: docker logs -f torserver_da_1
  • Check all the logs with docker-compose logs
  • Enable verbose logging by changing the ./config/torrc
  • Check permissions for your ./tor folder
  • Delete the files in your ./tor folder so you can start from scratch (or specifically the torrc.da file)
  • To clean up the environment and start over, use docker-compose kill and then docker-compose rm -ra to remove everything.
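The first two bullets amount to reading a lot of log output, and the two failures that matter most are easy to miss in it: a node stuck at a low bootstrap percentage because it cannot reach a DA, and a DA rejecting a peer whose identity keys come from an earlier run (the stale-volume problem described under Storage). The script below is an added example, not one of the project's /util/ tools: it reads docker-compose log lines (with or without the "service | " prefix), tracks each container's bootstrap progress, extracts the reason from "Problem bootstrapping. Stuck at N%" warnings, flags "identity keys were not as expected" mismatches, and turns them into the remediation the README already recommends. The sample lines are constructed on the pattern of messages tor emits; fingerprints and IPs are placeholders.

```python
"""Triage tor container logs for the failure modes under Debugging (added example).

Not a script from the project's /util/. SAMPLE_LOG is constructed in the
`docker-compose logs` layout with placeholder fingerprints and addresses.
"""
import re

LINE_RE = re.compile(
    r"^(?:(?P<svc>\S+)\s*\|\s*)?"                # compose prefix; absent for `docker logs`
    r"(?P<ts>[A-Z][a-z]{2} \d{1,2} [\d:.]+) "     # tor's "May 18 12:05:01.000" timestamp
    r"\[(?P<level>\w+)\] (?P<msg>.*)$")
BOOT_RE = re.compile(r"Bootstrapped (\d+)%")
STUCK_RE = re.compile(r"Stuck at (\d+)%: (.+?)\. \(([^;]+);")
STALE_RE = re.compile(r"identity keys were not as expected: wanted ([0-9A-F]{40})")

FP_DA = "0" * 39 + "1"       # placeholder fingerprints, not real keys
FP_WANTED = "0" * 39 + "2"
FP_GOT = "0" * 39 + "3"
SAMPLE_LOG = f"""\
da1_1    | May 18 12:05:01.000 [notice] Bootstrapped 100%: Done
relay_1  | May 18 12:05:02.000 [notice] Bootstrapped 80%: Connecting to the Tor network
client_1 | May 18 12:05:05.000 [warn] Problem bootstrapping. Stuck at 5%: Connecting to directory server. (Connection refused; CONNECTREFUSED; count 14; recommendation warn; host {FP_DA} at 172.18.0.2:7000)
da1_1    | May 18 12:10:38.000 [warn] Tried connecting to router at 172.24.0.4:7000, but RSA + ed25519 identity keys were not as expected: wanted {FP_WANTED} + PLACEHOLDERED25519A but got {FP_GOT} + PLACEHOLDERED25519B.
exit_1   | cat: /tor/torrc.da: No such file or directory
"""


def _new():
    return {"bootstrap": 0, "stuck": None, "stale_peers": set(), "other": []}


def triage(lines):
    """Per-container state from raw log lines."""
    state = {}
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            # Not a tor log line (e.g. an entrypoint error): keep it rather than hide it.
            svc = raw.split("|", 1)[0].strip() if "|" in raw else "container"
            state.setdefault(svc, _new())["other"].append(raw.split("|", 1)[-1].strip())
            continue
        s = state.setdefault(m["svc"] or "container", _new())
        msg = m["msg"]
        if (b := BOOT_RE.search(msg)):
            s["bootstrap"] = max(s["bootstrap"], int(b[1]))
        if (st := STUCK_RE.search(msg)):
            s["stuck"] = {"pct": int(st[1]), "phase": st[2], "error": st[3]}
        if (k := STALE_RE.search(msg)):
            s["stale_peers"].add(k[1])
    return state


def recommendations(state):
    """Map each finding to the fix the README suggests for it."""
    out = []
    for svc, s in sorted(state.items()):
        if s["stale_peers"]:
            out.append(f"{svc}: peer(s) {sorted(s['stale_peers'])} present keys from another run; "
                       "remove the torvol volume (docker-compose rm; docker volume rm ...) and rebuild")
        if s["stuck"]:
            out.append(f"{svc}: stuck at {s['stuck']['pct']}% ({s['stuck']['phase']}: "
                       f"{s['stuck']['error']}); check the DA containers are up and reachable")
        elif 0 < s["bootstrap"] < 100:
            out.append(f"{svc}: bootstrapped {s['bootstrap']}% so far; give the DAs ~30s to publish a consensus")
        for line in s["other"]:
            out.append(f"{svc}: non-tor output: {line}")
    return out


if __name__ == "__main__":
    for rec in recommendations(triage(SAMPLE_LOG.splitlines())):
        print(rec)
```

Run it against `docker-compose logs --no-color` piped to a file, or a single container's `docker logs` output; the prefix-less form is handled by the optional group in LINE_RE.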

TODO

  • Wait for someone to yell at me about using scale like this and then move to the new networking

Disclaimer

This project is in no way associated with the Tor Project or their developers. Like many people I'm a fan of Tor and recommend considering ways you can help the project. Consider running a relay, donating, or writing code.

Resources


private-tor-network's Issues

How the ROLE variable works?

I'm new to Tor. There is an environment variable "ROLE" when starting the network in the docker-compose file; could you tell me how the container reacts to this variable (where is the corresponding code)? Thank you very much.

Wrong docker image?

At present, the docker containers are all based on the antitree/private-tor-test. These are not available to me (and likely no one except the author). Removing "-test" finds public images; however, this base image does not result in a successful private tor network. The DAs fail with a message of "TestingTorNetwork may only be configured in combination with a non-default set of DirAuthority or both of AlternateDirAuthority and AlternateBridgeAuthority configured." ... Do the -test base docker images correct this?

eth1 hard coded

When tracking the tor IP it's hard coded to search for eth1 but that's not always true. Should be fixed so that it can find whatever the interfaces are.

No consensus appears to be reached

Building using the 'quickstart' instructions on Debian 8, Debian 9 and Ubuntu, I run into the same issue where consensus doesn't seem to happen. Can connect to the socks proxy, all containers come up, tor directory is consistent across containers.
Cannot connect to hidden service. arm does not show consensus.

/tor/torrc.da: No such file or directory

When I start the containers via docker-compose, I get the following error:

privatetornetwork_da3_1 exited with code 1
client_1  | cat: /tor/torrc.da: No such file or directory
privatetornetwork_client_1 exited with code 1
relay_1   | cat: /tor/torrc.da: No such file or directory
exit_1    | cat: /tor/torrc.da: No such file or directory
hs_1      | cat: /tor/torrc.da: No such file or directory

I think this is because of line 96 where it is using cat ${TOR_DIR}/torrc.da >> /etc/tor/torrc but according to the Dockerfile, ${TOR_DIR} is resolved to /tor while every other config is in the folder /etc/tor

Stuck at 5%: Connecting to directory server

I used the command:
sudo docker-compose up
to build a default network.
But when I tried to use the command:
curl -vL google.com --proxy socks5://localhost:9050
I failed to connect with the prompt:

*   Trying 127.0.0.1:9050...
* SOCKS5 connect to IPv6 2607:f8b0:4004:c1b::71:80 (locally resolved)
* Can't complete SOCKS5 connection to google.com. (6)
* Closing connection 0
curl: (97) Can't complete SOCKS5 connection to google.com. (6)

I searched the logs and found:

[warn] Problem bootstrapping. Stuck at 5%: Connecting to directory server. (Connection refused; CONNECTREFUSED; count 14; recommendation warn; host F7AC491A000055092A185947A3D5FD3226786AF4 at 172.18.0.2:7000)

in private-tor-network-client-1

How could this be? I tried several times but every time the same result as above.

erroneous if

Hi

In the entrypoint script, there's an erroneous if on line 24.

thanks

How to browse container web pages from the Tor browser

Hello.
I am from the golden country very impressed with your achievement.

Well I read your README and built a Tor network with containers on a fully local private VM host. I accessed it from a Tor browser proxy, but for some reason the connection is not established.

The logs show that the connection between the client and Tor browser appears to be established.

My goal is to browse the container's web page from the Tor browser through the container's node.

Any solutions or example configurations would be appreciated.
Thanks.

Ignoring unsupported options: links

Docker version:

Docker version 18.06.1-ce, build e68fc7a

The issue:
While I run the command:

docker stack deploy --compose-file docker-compose.yml torstack

The terminal outputs like this:

➜  private-tor-network git:(master) docker stack deploy --compose-file docker-compose.yml torstack
Ignoring unsupported options: links

Updating service torstack_relay (id: tffiq75zoc8grn3qa0wed1qwy)
Updating service torstack_exit (id: aeyhou3i5eck7pa8o8g6pioyw)
Updating service torstack_client (id: yq15cmssxeymvyihlx2fv0ia9)
Updating service torstack_hs (id: dzbjwbrag9135lg1am45wevmp)
Updating service torstack_web (id: kxoa2psvu64i3gfc9vzpidtk9)
Updating service torstack_da1 (id: 0661dlucl6cd9v3gwdhe6cpc5)
Updating service torstack_da2 (id: ezbgb6v528i0ofubjwthpxibg)
Updating service torstack_da3 (id: niij6h9rjdkvwa1rshono0p8g)

And I try to google something, from stackoverflow I get this:

The above answer is actually wrong links: is not supported in docker stack deploy see this link : https://docs.docker.com/compose/compose-file/#not-supported-for-docker-stack-deploy
ref: how to connect to container in docker stack deploy

Could you please make an upgrade?

Question: what makes this a private tor network?

I am still trying to learn and understand the mechanics here.

I have gone through the source, but I couldn't figure this out.

config/torrc file has this line;

TestingTorNetwork 1

But any tor node can have that line, what prevents any external node from joining a private tor network?

I was expecting something like a shared secret, or pub-key auth, something that will block unknown nodes. Am I thinking in the wrong direction?

If you have any links to any explanation/documents, that would be great help.

Thanks!

docker-compose dynamic IP problem

Branch: master.

I reduced the number of authority servers to reproduce the problem clearly.

version: '3'
services:
 da1:
  image: antitree/private-tor
  #expose:
  #  - "7000"
  #  - "9030"
  environment:
    ROLE: DA
  volumes:
    ## Needed to keep track of other nodes
    - ./tor:/tor
 relay:
  image: antitree/private-tor
  #expose:
  #  - "7000"
  #  - "9030"
  environment:
    ROLE: RELAY
  volumes:
    - ./tor:/tor
  depends_on:
    # Make sure the DA's are already up
    - da1
 exit:
  image: antitree/private-tor
  #expose:
  #  - "7000"
  #  - "9030"
  environment:
    ROLE: EXIT
  volumes:
    - ./tor:/tor
  depends_on:
    # Make sure the DA's are already up
    - da1
 client:
  image: antitree/private-tor
  ports:
    # Sets up a listener on the host machine
    - "9050:9050"
    - "9051:9051"
  volumes:
    - ./tor:/tor
  environment:
    ROLE: CLIENT
  depends_on: 
    - da1
 hs:
  image: antitree/private-tor
  #expose:
  #  - "80"
  environment:
    ROLE: HS
    # This will create a hidden service that points to
    # the service "web" which is running nginx. You can
    # change this to whatever IP or hostname you want
    TOR_HS_PORT: "80"
    TOR_HS_ADDR: "web"
  volumes:
    - ./tor:/tor
  depends_on:
    - da1
  links:
    - web
 web:
  image: nginx
  #expose:
  #  - "80"

Build it with the new up command with the --scale flag (leave client offline for now).

$ docker-compose up -d --scale client=0 --scale relay=3 --scale exit=3

da1 log output shows the server starts correctly.

da1_1 | May 18 12:05:01.000 [notice] Bootstrapped 100%: Done

Restart the services.

$ docker-compose stop
Stopping tor_relay_2 ... done
Stopping tor_hs_1    ... done
Stopping tor_relay_3 ... done
Stopping tor_exit_1  ... done
Stopping tor_exit_3  ... done
Stopping tor_relay_1 ... done
Stopping tor_exit_2  ... done
Stopping tor_web_1   ... done
Stopping tor_da1_1   ... done
$ docker-compose start
Starting da1    ... done
Starting relay  ... done
Starting exit   ... done
Starting client ... failed
Starting web    ... done
Starting hs     ... done

da log output shows that the dynamic ip address of the scale command confuses the authority server.

da1_1 | May 18 12:10:38.000 [warn] Tried connecting to router at 172.24.0.4:7000, but RSA + ed25519 identity keys were not as expected: wanted 2F159F06AB914C10DF4470A9D1CE00DCCF977C9F + mKjfetwSu6ORRHQ4r8CBFY8rKh1yqBCET5w6bWark4E but got 9E811E6570880ABB5792FE664FD3B53E914B3393 + b7s4R/pE3ZAjVp9cSf5bN6m33c2Tp4MWposRD2ADO0E.

Suppose client joins the private network now.

$ docker-compose up client

Socks port is already opened.

$ ss -anlt
State         Recv-Q         Send-Q                     Local Address:Port                   Peer Address:Port            
LISTEN        0              128                                    *:9050                              *:*             
LISTEN        0              128                                    *:9051                              *:* 

Connection is blocked here.

$ curl --socks5 127.0.0.1:9050 www.google.com

Maybe the scale command is not suitable for building a private tor network here until it can persist the network status.

Thank you for reading.
