Add Socks v5 support to daemon and wallet #9443

Open
wants to merge 1 commit into
base: master

Contributor

@vtnerd vtnerd commented Aug 17, 2024

Socks v5 adds IPv6 support and basic username/password authentication. The user/pass authentication is a cheap way to prevent rogue applications from requesting proxied connections. Tor and SSH do not support authentication but I2P, Nym, and Dante do.

When I started this implementation, I didn't know Nym added Socks v4 support. This makes the patch somewhat less useful, as the original #8562 Socks v5 request was for Nym support. This patch might want to be rejected on that reason alone - the only useful features are user/pass and IPv6.

This includes a fairly extensive explanation of proxies in the daemon and cli wallets, so that might be useful for keeping regardless.
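What the description above means on the wire, as an added example that is not code from this PR or from the project: the client messages for SOCKS5 method negotiation, username/password authentication, and CONNECT to an IPv6 or domain target, laid out per RFC 1928 and RFC 1929. The function names and the `example.onion` host are constructed for illustration.

```cpp
// Added illustration (not the PR's code): SOCKS5 client messages, RFC 1928 / RFC 1929.
#include <array>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

using bytes = std::vector<std::uint8_t>;

// Greeting {VER=5, NMETHODS=1, METHOD=0x02}: offer only username/password, so the
// session cannot silently fall back to "no authentication" (0x00).
bytes socks5_greeting() { return {0x05, 0x01, 0x02}; }
// Method reply is {VER=5, METHOD}; anything other than 0x02 must end the session.
bool method_accepted(const bytes& r) { return r.size() == 2 && r[0] == 0x05 && r[1] == 0x02; }

// RFC 1929 sub-negotiation: {VER=1, ULEN, UNAME, PLEN, PASSWD}. Each field has a
// one-byte length prefix (1..255 bytes) and travels to the proxy in cleartext.
bytes socks5_userpass(const std::string& user, const std::string& pass) {
  if (user.empty() || user.size() > 255 || pass.empty() || pass.size() > 255) return {};
  bytes out{0x01, static_cast<std::uint8_t>(user.size())};
  out.insert(out.end(), user.begin(), user.end());
  out.push_back(static_cast<std::uint8_t>(pass.size()));
  out.insert(out.end(), pass.begin(), pass.end());
  return out;
}
// Auth reply is {VER=1, STATUS}; only STATUS=0 means success.
bool auth_succeeded(const bytes& r) { return r.size() == 2 && r[0] == 0x01 && r[1] == 0x00; }

// Port is always sent big-endian (network byte order).
static void put_port(bytes& out, std::uint16_t port) {
  out.push_back(static_cast<std::uint8_t>(port >> 8));
  out.push_back(static_cast<std::uint8_t>(port & 0xff));
}
// CONNECT with ATYP=0x04: 16 raw IPv6 address bytes (SOCKS v4 has no such type).
bytes socks5_connect_ipv6(const std::array<std::uint8_t, 16>& addr, std::uint16_t port) {
  bytes out{0x05, 0x01, 0x00, 0x04};
  out.insert(out.end(), addr.begin(), addr.end());
  put_port(out, port);
  return out;
}
// CONNECT with ATYP=0x03: length-prefixed host name that the proxy resolves, so
// .onion/.i2p names never reach the local resolver. Empty result means invalid input.
bytes socks5_connect_domain(const std::string& host, std::uint16_t port) {
  if (host.empty() || host.size() > 255) return {};
  bytes out{0x05, 0x01, 0x00, 0x03, static_cast<std::uint8_t>(host.size())};
  out.insert(out.end(), host.begin(), host.end());
  put_port(out, port);
  return out;
}
int main() { std::printf("%zu\n", socks5_connect_domain("example.onion", 18081).size()); }
```
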

@vtnerd
Contributor Author

vtnerd commented Aug 18, 2024

Crap, looks like older versions of boost don't have some ASIO functionality I used. Crap, will have to update.

@tobtoht
Contributor

tobtoht commented Aug 18, 2024

What would be the minimum Boost version for this PR?

Is it time to undust #9162 and bump the minimum Boost requirement?

@vtnerd
Contributor Author

vtnerd commented Aug 18, 2024

The minimum version for this feature would be 1.67. In this case, it's not really critical, I should be able to work around it.

@iamamyth

After many years, IPv6 has started to see substantial, and increasing, adoption, so I think this would be a reasonable addition. However, it's not urgent, and, based on the comments in #9162, I think you could safely assume Boost 1.67 (Ubuntu 18.04 continues to wither) and roll out this feature after a boost version upgrade to 1.67. Of course, you can do the extra work to support the current Boost version, but you may very well have better uses for your time.

@vtnerd
Contributor Author

vtnerd commented Aug 21, 2024

I just pushed a change to fix the Boost issues. Everything looks good for that.

The functional tests failed, but it looks spurious right now. Testing locally to confirm, and may just push a dummy update to re-run the tests.

@vtnerd
Contributor Author

vtnerd commented Aug 21, 2024

Good for review!

Contributor

@sneurlax sneurlax left a comment


Adds SOCKSv5 support with tests and documentation included. Tested working. The code looks relatively minimal such that I don't see anything to remove, really. I don't see any potential privacy or security concerns, LGTM

@sneurlax
Contributor

Closes #9443

@woodser
Contributor

woodser commented Oct 8, 2024

Closes #9390 ?

is: `hidden-service-address,[bind-ip:]port[,max_connections]`. Examples:

```
--tx-proxy rveahdfho7wo4b2m.onion:18083,18083
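Review bot: the sample hostname on the `--tx-proxy` line, `rveahdfho7wo4b2m.onion`, is 16 characters long, which is the v2 onion address format that Tor no longer supports; v3 addresses are 56 characters. Suggest replacing it with an obviously fake v3-length placeholder so readers do not pattern their own configuration on a format that cannot resolve. The example also sits under a format string (`hidden-service-address,[bind-ip:]port[,max_connections]`) that does not match the option name shown, so the option and the format should be checked against each other.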

Suggested change
--tx-proxy rveahdfho7wo4b2m.onion:18083,18083
--anonymous-inbound rveahdfho7wo4b2m.onion:18083,18083

> arguably be added, which could optionally turn off IPv4/IPv6 connections for
> P2P.

The format for `--proxy` usage: `[socks5://[user:pass]@127.0.0.1`. The square
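Review bot: the brackets in the `--proxy` format string do not balance (`[socks5://[user:pass]@127.0.0.1` opens two optional groups and closes one), and the `@` sits outside the credentials group, so it reads as required even when no user/pass is given. Suggest `[socks5://[user:pass@]]127.0.0.1` so the separator is optional together with the credentials. Since this format puts the password on the command line, the text could also say that command-line arguments are visible to other local processes, which matters when the credentials are meant to keep other local applications off the proxy.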

Suggested change
The format for `--proxy` usage: `[socks5://[user:pass]@127.0.0.1`. The square
The format for `--proxy` usage: `[socks5://[user:pass]]@127.0.0.1`. The square


The CLI and RPC wallets currently reject hosts that do **NOT** end in`.onion`
or `.i2p` **unless** `--daemon-ssl-ca-certificates` or
`--daemon-ssl-allowed-fingerprints` is used. If an onion or i2p address is used,
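Review bot: there is a missing space in "end in`.onion`" on the first line of this paragraph; it should read "end in `.onion`". The sentence is also a double negative (reject hosts that do NOT end in ... unless ...); stating it positively, as the hosts and options that are accepted, would make the rule harder to misread.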

Also --daemon-ssl-allow-any-cert

I could be wrong, but iirc onion required it too
