From d42332c43d324fb1ceed0a78cb9ad1962c7d20f8 Mon Sep 17 00:00:00 2001 From: akrigator Date: Thu, 17 Aug 2023 19:23:28 +0300 Subject: [PATCH] Snowflake bridge support --- tor/DOCS.md | 22 +++++++++++++- tor/Dockerfile | 12 +++++--- tor/config.yaml | 22 ++++++++++++-- .../etc/s6-overlay/s6-rc.d/init-tor/run | 29 +++++++++++++++---- 4 files changed, 73 insertions(+), 12 deletions(-) diff --git a/tor/DOCS.md b/tor/DOCS.md index 849604e..5c5de4e 100644 --- a/tor/DOCS.md +++ b/tor/DOCS.md @@ -151,11 +151,30 @@ The accepted syntaxs of this configuration is: If you do not define a published port, the local port will be used. If you do not define a hostname or IP adress `homeassistant` will be used. +### Option: `snowflake_url` + +URL of signaling broker for snowflake client + +### Option: `snowflake_front` + +Front domain for snowflake client + +### Option: `snowflake_ice` + +List of ICE servers for snowflake client + ### Option: `bridges` -> The addon supports `obfs4` bridge only +> Keep the option value clean to avoid using of any transport plugins and bridges. Bridges are Tor relays that help you circumvent censorship. +Access to bridges is provided by supported transport plugins: + +#### Snowflake + +Look [here][what-is-snowflake] about + +#### OBFS Because bridge addresses are not public, you will need to request them yourself. You have a few options: @@ -282,3 +301,4 @@ SOFTWARE. [semver]: http://semver.org/spec/v2.0.0.htm [tor-hidden-service]: https://www.torproject.org/docs/hidden-services.html.en [tor-bridges-obfs4]: https://bridges.torproject.org/bridges/?transport=obfs4 +[what-is-snowflake]: https://support.torproject.org/censorship/what-is-snowflake/ \ No newline at end of file diff --git a/tor/Dockerfile b/tor/Dockerfile index 275e6e9..0540786 100755 --- a/tor/Dockerfile +++ b/tor/Dockerfile 
@@ -21,16 +21,20 @@ RUN mkdir -p /go/src /go/bin RUN chmod -R 644 /go ENV GOPATH /go ENV PATH /go/bin:$PATH -WORKDIR /go # Remove cache to reduce image size. RUN rm -rf /var/cache/apk/* # Install obfs4proxy -RUN git clone https://github.com/Yawning/obfs4.git +RUN git clone https://github.com/Yawning/obfs4.git /go/obfs4/ WORKDIR /go/obfs4/ -RUN go build -o obfs4proxy/obfs4proxy ./obfs4proxy -RUN mv obfs4proxy/obfs4proxy /usr/local/bin/obfs4proxy +RUN go build -o /usr/local/bin/obfs4proxy ./obfs4proxy + +# Install snowflake +RUN git clone https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake.git /go/snowflake/ +WORKDIR /go/snowflake/client/ +RUN go get +RUN go build -o /usr/local/bin/snowflake # Give obfs4proxy the capability to bind port 80. This line isn't necessary if # you use a high (unprivileged) port. diff --git a/tor/config.yaml b/tor/config.yaml index 8cacb68..5fe2caf 100644 --- a/tor/config.yaml +++ b/tor/config.yaml @@ -27,7 +27,21 @@ options: ports: - "8123" - "8123:80" - bridges: [] + snowflake_url: "https://snowflake-broker.torproject.net.global.prod.fastly.net/" + snowflake_front: "cdn.sstatic.net" + snowflake_ice: + - "stun:stun.voip.blackberry.com:3478" + - "stun:stun.antisip.com:3478" + - "stun:stun.bluesip.net:3478" + - "stun:stun.dus.net:3478" + - "stun:stun.epygi.com:3478" + - "stun:stun.sonetel.com:3478" + - "stun:stun.sonetel.net:3478" + - "stun:stun.uls.co.za:3478" + - "stun:stun.voipgate.com:3478" + - "stun:stun.voys.nl:3478" + bridges: + - "snowflake 192.0.2.4:80 8838024498816A039FCBBAB14E6F40A0843051FA" schema: log_level: list(trace|debug|info|notice|warning|error|fatal)? socks: bool 
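Review bot: Both `git clone` lines in this hunk, the rewritten obfs4 one and the new snowflake one, build whatever the default branch holds at image build time, so the pluggable-transport binaries shipped in the add-on are not reproducible and are not tied to a reviewed revision. Pin each to a release tag or commit, for example `RUN git clone --depth 1 --branch <SNOWFLAKE_RELEASE_TAG> https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake.git /go/snowflake/`. The bare `RUN go get` may also update go.mod and go.sum before the build; `RUN go mod download && go mod verify` would keep the build on the versions and checksums committed upstream.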
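Review bot: The default for `bridges` changes from an empty list to a Snowflake bridge line, so a fresh install routes Tor through Snowflake and contacts the broker and the ten third-party STUN servers listed under `snowflake_ice` without the user opting in. The updated DOCS.md tells users to keep the option empty to avoid transports, which suggests that empty is meant to be the neutral state. Consider keeping `bridges: []` as the default and moving the Snowflake line into DOCS.md as an example to copy. The hard-coded broker URL, front domain and STUN hosts will also need maintenance when upstream rotates them, which is worth a comment above the block.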
@@ -37,5 +51,9 @@ schema: - match(^[A-Za-z0-9+-_]{1,16}$) ports: - match(^(.*:)?(?:[0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])?$) + snowflake_url: url + snowflake_front: str + snowflake_ice: + - str bridges: - - match(^obfs4 ((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}:((6553[0-5])|(655[0-2][0-9])|(65[0-4][0-9]{2})|(6[0-4][0-9]{3})|([1-5][0-9]{4})|([0-5]{0,5})|([0-9]{1,4}))( \w{40})( cert=\S{70})( iat-mode=[0-2])?$) + - str \ No newline at end of file diff --git a/tor/rootfs/etc/s6-overlay/s6-rc.d/init-tor/run b/tor/rootfs/etc/s6-overlay/s6-rc.d/init-tor/run index 0702b45..0046a04 100755 --- a/tor/rootfs/etc/s6-overlay/s6-rc.d/init-tor/run +++ b/tor/rootfs/etc/s6-overlay/s6-rc.d/init-tor/run 
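Review bot: Replacing the `bridges` pattern with plain `str`, and typing `snowflake_front` and the `snowflake_ice` entries as `str`, removes all validation from values that init-tor/run in this same patch writes verbatim into torrc. A value containing whitespace or a line break would then add extra plugin arguments or extra torrc lines instead of being rejected when the options are saved. Keep a `match(...)` per field, e.g. `snowflake_front: match(^[A-Za-z0-9.-]+$)`, `- match(^stuns?:[A-Za-z0-9.-]+(:[0-9]{1,5})?$)` for the ICE entries, and a bridge pattern anchored on the supported transport names such as `- match(^(obfs4|snowflake) \S[^\r\n]*$)`.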
@@ -126,18 +126,37 @@ if bashio::config.true 'hidden_services'; then fi # Configure bridges -if bashio::config.exists 'bridges'; +if bashio::config.exists 'bridges' \ + && ! bashio::config.is_empty 'bridges'; then + bashio::log.info 'Use bridges:' echo "UseBridges 1" >> "${torrc}" - echo 'ClientTransportPlugin obfs4 exec /usr/local/bin/obfs4proxy managed' >> "${torrc}" - bashio::log.info 'Setup obfs4 bridges:' + # Add client for OBFS transport + echo "ClientTransportPlugin obfs2,obfs3,obfs4,scramblesuit exec /usr/local/bin/obfs4proxy managed" >> "${torrc}" + + # Add client for Snowflake transport + snowflake_plugin_conf="ClientTransportPlugin snowflake exec /usr/local/bin/snowflake" + if bashio::config.exists 'snowflake_url'; + then + snowflake_plugin_conf+=" -url $(bashio::config 'snowflake_url')" + fi + if bashio::config.exists 'snowflake_front'; + then + snowflake_plugin_conf+=" -front $(bashio::config 'snowflake_front')" + fi + if bashio::config.exists 'snowflake_ice'\ + && ! bashio::config.is_empty 'snowflake_ice'; + then + snowflake_plugin_conf+=" -ice `echo $(bashio::config 'snowflake_ice') | tr ' ' ','`" + fi + echo "$snowflake_plugin_conf" >> "${torrc}" + + # Add bridges while read -r bridge; do bashio::log.info "Bridge ${bridge}" echo "Bridge ${bridge}" >> "${torrc}" done <<< "$(bashio::config 'bridges')" -else - bashio::log.info 'obfs4 bridges disabled' fi # Figure out the address
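Review bot: The `-ice` argument is assembled with an unquoted command substitution inside backticks, so the list is word-split and glob-expanded by the shell before `tr` joins it; an entry containing a space or `*` ends up in torrc as different text than the user configured. Join on the newlines instead and quote the result: `ice="$(bashio::config 'snowflake_ice' | tr '\n' ',')"` followed by `snowflake_plugin_conf+=" -ice ${ice%,}"`, assuming bashio prints one list item per line as the `while read` loop further down already expects. The `-url` and `-front` values are appended the same way without any check, so they depend entirely on the schema for validation. The OBFS `ClientTransportPlugin` line also newly registers `obfs2`, `obfs3` and `scramblesuit`, older transports superseded by obfs4; listing only `obfs4` would keep the previous, narrower set.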