Support webtunnel, obfs and snowflake bridges #170

Open: wants to merge 48 commits into base: main

48 commits
9dbc5c3
Update Dockerfile
May 9, 2023
a8f2097
Update config.yaml
May 9, 2023
1677607
Update run
May 9, 2023
8726337
Add obfs4 bridges support
May 11, 2023
64a10e9
Merge remote-tracking branch 'upstream/main' into obfs
May 18, 2023
05f9de9
Merge remote-tracking branch 'upstream/main' into obfs
Aug 16, 2023
8557906
Update translation
Aug 16, 2023
28532a8
Markdown experiment
Aug 16, 2023
308dde9
Move bridge link to doc from translation
Aug 16, 2023
d241652
Move bridge link to doc from translation
Aug 16, 2023
d42332c
Snowflake bridge support
Aug 17, 2023
dc9d3fc
Move default config to docs, update translation
Aug 17, 2023
eaae400
Merge remote-tracking branch 'upstream/main' into obfs
Aug 25, 2023
9ffdfff
Passing snowflake_* options through bridge's option
Oct 23, 2023
f9f3f30
Merge remote-tracking branch 'upstream/main' into obfs
Oct 23, 2023
43c7c75
Fix dependency version
Oct 23, 2023
cd2615d
Update docs and fix snowflake port binding privilege
Oct 24, 2023
f047bdb
Add webtunnel bridge support
Oct 24, 2023
b32959a
Increase watchdog interval
Oct 28, 2023
ee0f4f8
Merge remote-tracking branch 'upstream/main' into obfs
Nov 5, 2023
aebefab
Merge remote-tracking branch 'upstream/main' into obfs
Nov 13, 2023
a1e3394
Fix up @frenck comments:
Jan 9, 2024
c156581
Merge remote-tracking branch 'origin/main' into obfs
Jan 11, 2024
255a29d
Fix up @frenck comments:
Jan 11, 2024
ca32749
Merge remote-tracking branch 'upstream/main' into obfs
Jan 16, 2024
f9c9622
Merge branch 'main' into obfs
Feb 2, 2024
f064242
Merge remote-tracking branch 'upstream/main' into obfs
Apr 23, 2024
08ac169
Update transports and their dependencies
Apr 23, 2024
9f48fee
Merge remote-tracking branch 'upstream/main' into obfs
May 23, 2024
fd22dc2
Docker layers
May 23, 2024
fc3b758
Docker layers
May 23, 2024
9238dc8
YAMLLint fixup
May 23, 2024
0bd9e0b
Prettified Code!
akrigator May 23, 2024
91d4acc
Docker layers
May 23, 2024
aa74319
Merge remote-tracking branch 'origin/refactoring' into refactoring
May 23, 2024
8f9779a
Docker layers
May 23, 2024
8de4f8f
Misspelling
May 23, 2024
db3ac52
Remove bridge sources from image
May 24, 2024
69a20f8
coderabbitai suggestions
May 24, 2024
035a760
Revert suggestion
May 24, 2024
8e6dd56
Merge remote-tracking branch 'upstream/main' into obfs
Jul 8, 2024
2b77e9a
Update dependencies
Jul 8, 2024
c531593
Update dependency
Jul 8, 2024
335465e
Update dependencies
Jul 8, 2024
fed695a
Update dependency
Jul 8, 2024
dab5dd8
Merge remote-tracking branch 'upstream/main' into obfs
Aug 9, 2024
0f955a2
Update dependency packages
Aug 9, 2024
4c2ffe5
Update web tunnel version
Aug 9, 2024
25 changes: 25 additions & 0 deletions .github/renovate.json
Expand Up @@ -24,6 +24,31 @@
"versioningTemplate": "loose",
"datasourceTemplate": "repology",
"depNameTemplate": "alpine_3_20/{{package}}"
},
{
"fileMatch": ["/Dockerfile$"],
"matchStrings": ["ARG OBFS_VERSION=[\"']?(?<currentValue>.+?)[\"']?\\s+"],
"versioningTemplate": "loose",
"datasourceTemplate": "github-releases",
"depNameTemplate": "Yawning/obfs4"
},
{
"fileMatch": ["/Dockerfile$"],
"matchStrings": [
"ARG SNOWFLAKE_VERSION=[\"']?(?<currentValue>.+?)[\"']?\\s+"
],
"versioningTemplate": "loose",
"datasourceTemplate": "github-releases",
"depNameTemplate": "tpo/anti-censorship/pluggable-transports/snowflake"
},
{
"fileMatch": ["/Dockerfile$"],
"matchStrings": [
"ARG WEBTUNNEL_VERSION=[\"']?(?<currentValue>.+?)[\"']?\\s+"
],
"versioningTemplate": "loose",
"datasourceTemplate": "github-releases",
"depNameTemplate": "tpo/anti-censorship/pluggable-transports/webtunnel"
}
],
"packageRules": [
Expand Down
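Review bot: The managers added for `SNOWFLAKE_VERSION` and `WEBTUNNEL_VERSION` use `"datasourceTemplate": "github-releases"`, but their `depNameTemplate` values (`tpo/anti-censorship/pluggable-transports/snowflake` and `tpo/anti-censorship/pluggable-transports/webtunnel`) are project paths on gitlab.torproject.org, which is where the Dockerfile in this PR clones them from, so a GitHub lookup will not resolve them and these pins will not be updated. Point both at a GitLab datasource with the Tor Project GitLab as the registry URL. Separately, `WEBTUNNEL_VERSION` is a commit hash in the Dockerfile, which `"versioningTemplate": "loose"` against releases cannot bump; either pin webtunnel to a tag or track it as a git digest.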
60 changes: 60 additions & 0 deletions tor/DOCS.md
Expand Up @@ -51,6 +51,7 @@ client_names:
- haremote2
ports:
- 8123
bridges: []
```

**Note**: _This is just an example, don't copy and past it! Create your own!_
Expand Down Expand Up @@ -150,6 +151,62 @@ The accepted syntaxs of this configuration is:
If you do not define a published port, the local port will be used.
If you do not define a hostname or IP adress `homeassistant` will be used.

### Option: `bridges`

> Ensure the option value is clear to avoid unintended use of transport plugins and bridges.

Bridges are Tor relays that help you circumvent censorship.
Access to bridges is provided by supported transport plugins:

#### OBFS

Because bridge addresses are not public, you will need to request them yourself. You have a few options:

- Visit [Tor][tor-bridges-obfs4] project and follow the instructions, or
- Email `bridges@torproject.org` from a Gmail, or Riseup email address
- Send a message to @GetBridgesBot on Telegram. Tap on 'Start' or write /start or /bridges in the chat.

For example:

```yaml
bridges:
- >-
obfs4 123.45.67.89:443 EFC6A00EE6272355C023862378AC77F935F091E4
cert=KkdWiWlfetJG9SFrzX8g1teBbgxtsc0zPiN5VLxqNNH+iudVW48CoH/XVXPQntbivXIqZA
iat-mode=0
```

#### Webtunnel

Visit [Tor][tor-bridges-webtunnel] project and follow the instructions

For example:

```yaml
bridges:
- >-
webtunnel 192.0.2.3:1
DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF
url=https://akbwadp9lc5fyyz0cj4d76z643pxgbfh6oyc-167-71-71-157.sslip.io/5m9yq0j4ghkz0fz7qmuw58cvbjon0ebnrsp0
ver=0.0.1
```

#### Snowflake

What is [snowflake][what-is-snowflake], example:

```yaml
bridges:
- >-
snowflake 192.0.2.3:80 2B280B23E1107BB62ABFC40DDCC8824814F80A72
fingerprint=2B280B23E1107BB62ABFC40DDCC8824814F80A72
url=https://snowflake-broker.torproject.net/
ampcache=https://cdn.ampproject.org/
front=www.google.com
ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478
utls-imitate=hellorandomizedalpn
```

## Tor client access setup

Using this add-on, you can access your Home Assistant instance over Tor from
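Review bot: The warning at the top of the new `bridges` section, "Ensure the option value is clear", is ambiguous: it reads as "make the value unambiguous" when the intent appears to be "leave the list empty (`bridges: []`) unless you want bridges". State that explicitly, and say that setting any bridge enables `UseBridges` and registers all three transport clients, since that is what the init script in this PR does. The Webtunnel and Snowflake subsections also need a sentence on what each parameter means (`url`, `front`, `ice`, `utls-imitate`) and a note that the values shown are placeholders, otherwise users will paste the examples unchanged. Minor: the Webtunnel sentence is missing its final period and "from a Gmail, or Riseup" has a stray comma.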
Expand Down Expand Up @@ -261,3 +318,6 @@ SOFTWARE.
[releases]: https://github.com/hassio-addons/addon-tor/releases
[semver]: http://semver.org/spec/v2.0.0.htm
[tor-hidden-service]: https://www.torproject.org/docs/hidden-services.html.en
[tor-bridges-obfs4]: https://bridges.torproject.org/bridges/?transport=obfs4
[tor-bridges-webtunnel]: https://bridges.torproject.org/bridges/?transport=webtunnel
[what-is-snowflake]: https://support.torproject.org/censorship/what-is-snowflake/
40 changes: 38 additions & 2 deletions tor/Dockerfile
Expand Up @@ -13,10 +13,46 @@ RUN \
apk add --no-cache \
coreutils=9.5-r1 \
openssl=3.3.1-r3 \
tor=0.4.8.12-r0
tor=0.4.8.12-r0 \
go=1.22.5-r0 \
git=2.45.2-r0 \
ca-certificates=20240705-r0 \
libcap=2.70-r0

# Download pluggable-transports sources
WORKDIR /go
ARG OBFS_VERSION=obfs4proxy-0.0.14
ARG SNOWFLAKE_VERSION=v2.9.2
ARG WEBTUNNEL_VERSION=e64b1b3562f3ab50d06141ecd513a21ec74fe8c6
RUN git clone -b ${OBFS_VERSION} --single-branch --depth 1 https://github.com/Yawning/obfs4.git \
&& git clone -b ${SNOWFLAKE_VERSION} --single-branch --depth 1 https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake.git \
&& git clone --single-branch --depth 1 https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/webtunnel.git

# Build obfs4proxy
WORKDIR /go/obfs4
RUN go build -o /usr/local/bin/obfs4proxy ./obfs4proxy

# Build snowflake
WORKDIR /go/snowflake/client
RUN go get \
&& go build -o /usr/local/bin/snowflake

# Build webtunnel
WORKDIR /go/webtunnel/main/client
RUN git reset --hard ${WEBTUNNEL_VERSION} \
&& go build -ldflags="-s -w" -o /usr/local/bin/webtunnel

# Clean up after build
WORKDIR /
RUN rm -rf /go

# Give transports clients the capability to bind privileged port.
RUN setcap 'cap_net_bind_service=+ep' /usr/local/bin/obfs4proxy \
&& setcap 'cap_net_bind_service=+ep' /usr/local/bin/snowflake \
&& setcap 'cap_net_bind_service=+ep' /usr/local/bin/webtunnel

HEALTHCHECK \
--start-period=5m \
--start-period=60m \
--interval=60s \
--timeout=30s \
CMD curl \
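Review bot: In the webtunnel steps the repository is cloned with `--single-branch --depth 1` and then moved to the pin with `git reset --hard ${WEBTUNNEL_VERSION}`; a depth-1 clone contains only the branch tip, so the reset fails as soon as upstream gains a commit past the pinned one, and the image build breaks without any change in this repository. Fetch the pinned commit explicitly (`git fetch --depth 1 origin ${WEBTUNNEL_VERSION}` and check out `FETCH_HEAD`) or drop `--depth 1` for that clone. Also, `go` and `git` are added in the same `apk add` as the runtime packages and nothing in the visible lines removes them, and `rm -rf /go` in a later `RUN` does not shrink the earlier layers, so the build toolchain ships in the final image; a multi-stage build that copies only the three binaries would avoid that. The `--start-period` change from `5m` to `60m` means a container that never becomes healthy is not reported for an hour, which deserves a comment explaining why it is needed.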
3 changes: 3 additions & 0 deletions tor/config.yaml
Expand Up @@ -25,6 +25,7 @@ options:
ports:
- "8123"
- "8123:80"
bridges: []
schema:
log_level: list(trace|debug|info|notice|warning|error|fatal)?
socks: bool
Expand All @@ -34,3 +35,5 @@ schema:
- match(^[A-Za-z0-9+-_]{1,16}$)
ports:
- match(^(.*:)?(?:[0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])?$)
bridges:
- str
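Review bot: The schema entry `bridges: - str` accepts any string, and the init script in this PR appends each entry to torrc as `Bridge <value>` with no further checks, so a typo or stray text only surfaces as a Tor start-up failure. The neighbouring options already use `match(...)`; do the same here with a pattern that requires one of the registered transport names followed by `host:port`, so invalid entries are rejected when the configuration is saved.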
23 changes: 23 additions & 0 deletions tor/rootfs/etc/s6-overlay/s6-rc.d/init-tor/run
Expand Up @@ -125,6 +125,29 @@ if bashio::config.true 'hidden_services'; then
done
fi

# Configure bridges
if bashio::config.exists 'bridges' \
&& ! bashio::config.is_empty 'bridges';
then
bashio::log.info 'Use bridges:'
echo "UseBridges 1" >> "${torrc}"

# Add client for OBFS transport
echo "ClientTransportPlugin obfs2,obfs3,obfs4,scramblesuit exec /usr/local/bin/obfs4proxy managed" >> "${torrc}"

# Add client for Snowflake transport
echo "ClientTransportPlugin snowflake exec /usr/local/bin/snowflake" >> "${torrc}"

# Add client for WebTunnel transport
echo "ClientTransportPlugin webtunnel exec /usr/local/bin/webtunnel" >> "${torrc}"

# Add bridges
while read -r bridge; do
bashio::log.info "Bridge ${bridge}"
echo "Bridge ${bridge}" >> "${torrc}"
done <<< "$(bashio::config 'bridges')"
fi

# Figure out the address
if bashio::config.true 'hidden_services'; then
bashio::log.info 'Starting Tor temporarly...'
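Review bot: `bashio::log.info "Bridge ${bridge}"` inside the loop writes every full bridge line, including address, fingerprint and `cert=` value, to the add-on log at info level; the documentation added in this PR says bridge addresses are not public, so log only the transport name or a count. The loop also writes whatever it reads: an empty line produces a bare `Bridge ` directive in torrc, so skip blank entries and reject anything that does not start with a registered transport name. Finally, all three `ClientTransportPlugin` lines are emitted whenever any bridge is set; registering only the transports that appear in the configured bridges would match the documentation's advice about avoiding unintended use of transport plugins.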
5 changes: 5 additions & 0 deletions tor/translations/en.yaml
Expand Up @@ -30,5 +30,10 @@ configuration:
description: >-
Configures hosts and ports to publish via a Tor Hidden Service. Check
the add-on documentation for the exact format to enter here.
bridges:
name: Bridges
description: >-
Configures bridges to establish connection with Tor Network. Check the
add-on documentation for the exact format to enter here.
network:
9050/tcp: Tor SOCKS proxy port