-
-
Notifications
You must be signed in to change notification settings - Fork 3.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add Socks v5 support to daemon and wallet #9443
Open
vtnerd
wants to merge
1
commit into
monero-project:master
Choose a base branch
from
vtnerd:feature/socks5
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
@@ -0,0 +1,204 @@ | ||||||
# Proxy usage in the Monero ecosystem | ||||||
The CLI/RPC wallets and daemon both support proxies and use the same parameters | ||||||
to configure them. Currently socks 4, 4a, and 5 are supported and can be | ||||||
selected with command-line options. | ||||||
|
||||||
## Wallet | ||||||
The CLI and RPC wallets support proxies via the `--proxy` option. The format | ||||||
for usage is `[socks5://[user:pass]]host:port`. The square brackets indicate | ||||||
an optional portion. This option can only be specified once. Examples: | ||||||
|
||||||
``` | ||||||
--proxy 192.168.0.10:1050 | ||||||
--proxy socks5://192.168.0.10:1050 | ||||||
--proxy socks5://username:[email protected]:1050 | ||||||
--proxy [::1]:1050 | ||||||
--proxy socks5://[::1]:1050 | ||||||
--proxy socks5://username:password@[::1]:1050 | ||||||
``` | ||||||
|
||||||
The first connects to `192.168.0.10` on port `1050` using socks 4a. The second | ||||||
connects to the same location using socks 5. The third uses socks 5 at the same | ||||||
location and sends user authentication if prompted by the proxy server. The | ||||||
last three are identical to the first 3, except an IPv6 address is used | ||||||
instead. While IPv6 connections are invalid for Socks 4 and 4a, the proxy | ||||||
server itself can be connected using IPv6. | ||||||
|
||||||
The username and password fields both support "percent-encoding" for special | ||||||
character support. As an example, `%40` gets converted to `@`, such that | ||||||
`username:p%40ssword` gets converted to `username:p@ssword`. This allows that | ||||||
specific character to be used; specifying the character directly will | ||||||
incorrectly change the specification of the hostname. | ||||||
|
||||||
> NOTE: The username+password will show up in the process list and can be read | ||||||
> by other programs. It is recommended that `--config-file` be used to store | ||||||
> username+password options. The format for a config file is `option=value`, | ||||||
> so in this example the file would contain: | ||||||
> `proxy=socks5://username:[email protected]:1080`. | ||||||
|
||||||
The CLI and RPC wallets currently reject hosts that do **NOT** end in`.onion` | ||||||
or `.i2p` **unless** `--daemon-ssl-ca-certificates` or | ||||||
`--daemon-ssl-allowed-fingerprints` is used. If an onion or i2p address is used, | ||||||
the hostname contains the certificate verification, providing decent security | ||||||
against man-in-the-middle (MitM) attacks. The two `--daemon-ssl-*` options | ||||||
support specifying exact certificates, also preventing MitM attacks. | ||||||
|
||||||
> Perhaps the wallets should be relaxed to allow system-CA checks, but for now | ||||||
> certificates must be strictly provided. | ||||||
|
||||||
## Daemon | ||||||
The daemon has two options for proxies `--proxy` and `--tx-proxy` which can be | ||||||
used in isolation or together. The `--proxy` option controls how | ||||||
IPv4/IPv6/hostname connections are performed, whereas `--tx-proxy` controls | ||||||
how local transactions are relayed. Both options support Socks 4, 4a, and 5. | ||||||
|
||||||
### `--proxy` | ||||||
This option should be used when outbound connections to IPv4/IPv6 addresses and | ||||||
hostnames (other than `.onion` `.i2p`) need to be proxied. Common examples | ||||||
include using Tor exit nodes or a VPN to conceal your local IP. This option | ||||||
will **not** use Tor or I2P hidden services for P2P connections; this is | ||||||
primarily used for proxying standard IPv4 or IPv6 connections to some remote | ||||||
host. Hidden services are not used because this is designed to be more general | ||||||
purpose (i.e. a standard socks VPN can be used). | ||||||
|
||||||
> An additional option for hidden services (separate from `--tx-proxy`) could | ||||||
> arguably be added, which could optionally turn off IPv4/IPv6 connections for | ||||||
> P2P. | ||||||
|
||||||
The format for `--proxy` usage: `[socks5://[user:pass]@127.0.0.1`. The square | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||
bracket indicate optional portion. See [wallet](#wallet) section above for | ||||||
examples and other information on the format. The option can only be specified | ||||||
once. The restrictions for MitM attacks apply only to the wallet usage, and not | ||||||
to the daemon. | ||||||
|
||||||
> When using `--proxy`, inbound connections will be impossible unless the | ||||||
> proxy server is somehow setup to forward connections. This setup is a | ||||||
> difficult because each outgoing socks connections can have a unique binding | ||||||
> port. Such a setup is currently out-of-scope for this document. | ||||||
|
||||||
### `--tx-proxy` | ||||||
This option should be used to specify a proxy that can resolve hidden service | ||||||
hostnames, so that local transactions can be forwarded over a privacy | ||||||
preserving network. Currently only Tor or I2P hidden services are supported. | ||||||
This option be specified multiple times, but only once per network (see below). | ||||||
|
||||||
The format for `--tx-proxy` is | ||||||
`network,[socks5://[user:pass@]]ip:port[,max_connections][,disable_noise]`. | ||||||
Examples: | ||||||
|
||||||
``` | ||||||
--tx-proxy tor,127.0.0.1:1050 | ||||||
--tx-proxy tor,127.0.0.1:1050,100 | ||||||
--tx-proxy tor,127.0.0.1:1050,disable_noise | ||||||
--tx-proxy tor,127.0.0.1:1050,100,disable_noise | ||||||
--tx-proxy tor,socks5://127.0.0.1:1050 | ||||||
--tx-proxy tor,socks5://127.0.0.1:1050,100 | ||||||
--tx-proxy tor,socks5://127.0.0.1:1050,disable_noise | ||||||
--tx-proxy tor,socks5://127.0.0.1:1050,100,disable_noise | ||||||
--tx-proxy tor,socks5://username:[email protected]:1050 | ||||||
--tx-proxy tor,socks5://username:[email protected]:1050,100 | ||||||
--tx-proxy tor,socks5://username:[email protected]:1050,disable_noise | ||||||
--tx-proxy tor,socks5://username:[email protected]:1050,100,disable_noise | ||||||
--tx-proxy tor,[::1]:1050 | ||||||
--tx-proxy tor,[::1]:1050,100 | ||||||
--tx-proxy tor,[::1]:1050,disable_noise | ||||||
--tx-proxy tor,[::1]:1050,100,disable_noise | ||||||
--tx-proxy tor,socks5://[::1]:1050 | ||||||
--tx-proxy tor,socks5://[::1]:1050,100 | ||||||
--tx-proxy tor,socks5://[::1]:1050,disable_noise | ||||||
--tx-proxy tor,socks5://[::1]:1050,100,disable_noise | ||||||
--tx-proxy tor,socks5://username:password@[::1]:1050 | ||||||
--tx-proxy tor,socks5://username:password@[::1]:1050,100 | ||||||
--tx-proxy tor,socks5://username:password@[::1]:1050,disable_noise | ||||||
--tx-proxy tor,socks5://username:password@[::1]:1050,100,disable_noise | ||||||
--tx-proxy i2p,127.0.0.1:1050 | ||||||
--tx-proxy i2p,127.0.0.1:1050,100 | ||||||
--tx-proxy i2p,127.0.0.1:1050,disable_noise | ||||||
--tx-proxy i2p,127.0.0.1:1050,100,disable_noise | ||||||
--tx-proxy i2p,socks5://127.0.0.1:1050 | ||||||
--tx-proxy i2p,socks5://127.0.0.1:1050,100 | ||||||
--tx-proxy i2p,socks5://127.0.0.1:1050,disable_noise | ||||||
--tx-proxy i2p,socks5://127.0.0.1:1050,100,disable_noise | ||||||
--tx-proxy i2p,socks5://username:[email protected]:1050 | ||||||
--tx-proxy i2p,socks5://username:[email protected]:1050,100 | ||||||
--tx-proxy i2p,socks5://username:[email protected]:1050,disable_noise | ||||||
--tx-proxy i2p,socks5://username:[email protected]:1050,100,disable_noise | ||||||
--tx-proxy i2p,[::1]:1050 | ||||||
--tx-proxy i2p,[::1]:1050,100 | ||||||
--tx-proxy i2p,[::1]:1050,disable_noise | ||||||
--tx-proxy i2p,[::1]:1050,100,disable_noise | ||||||
--tx-proxy i2p,socks5://[::1]:1050 | ||||||
--tx-proxy i2p,socks5://[::1]:1050,100 | ||||||
--tx-proxy i2p,socks5://[::1]:1050,disable_noise | ||||||
--tx-proxy i2p,socks5://[::1]:1050,100,disable_noise | ||||||
--tx-proxy i2p,socks5://username:password@[::1]:1050 | ||||||
--tx-proxy i2p,socks5://username:password@[::1]:1050,100 | ||||||
--tx-proxy i2p,socks5://username:password@[::1]:1050,disable_noise | ||||||
--tx-proxy i2p,socks5://username:password@[::1]:1050,100,disable_noise | ||||||
``` | ||||||
|
||||||
The above examples are fairly exhaustive of all the possible option scenarios | ||||||
that will be incurred by the typical user. | ||||||
|
||||||
#### The `network` portion of the option | ||||||
The first section (before the first `,`) indicates the network - only `tor` or | ||||||
`i2p` are valid here. | ||||||
|
||||||
This portion of the option tells `--add-node`, `--add-priority-node`, and | ||||||
`--add-exclusive-node` options to use the specified proxy for those nodes. In | ||||||
other words, command-line specified hidden services are forwarded to their | ||||||
corresponding `--tx-proxy` server. Hidden services do **NOT** have to be | ||||||
specified on the command-line, there are built-in seed nodes for each network. | ||||||
|
||||||
#### The `ip:port` portion of the option | ||||||
The second portion of the option (after the first `,` and _optionally_ ending | ||||||
in the next `,`) indicates the location of the socks server. The location | ||||||
**must** include an IPv4/IPv6 AND port. The location can optionally include the | ||||||
socks version - `socks4`, `socks4a`, and `socks5` are all valid here. If | ||||||
the socks version is not specified, `socks4a` is assumed. | ||||||
|
||||||
An optional username and password can also be included. These fields support | ||||||
percent-encoding, see [wallet](#wallet) section for more information. | ||||||
|
||||||
#### The last portion of the option | ||||||
After the ip:port section two options can be specified: the number of max | ||||||
connections and `disable_noise`. They can be specified in either order, but | ||||||
must be after the ip:port section. | ||||||
|
||||||
The max connections does exactly as advertised, it limits the number of | ||||||
outgoing connections to the proxy. The `disable_noise` feature lowers the | ||||||
bandwidth requirements, and decreases the tx-relay time. When **NOT** | ||||||
specified, dummy P2P packets are sent periodically to connections (via the | ||||||
proxy) to conceal when a transaction is forwarded over the connection. When | ||||||
the option is specified, P2P links only send data for peerlist information and | ||||||
local outgoing transactions. | ||||||
|
||||||
### `--anonymous-inbound` | ||||||
Currently the daemon cannot configure incoming hidden services connections. | ||||||
Instead, the user must manually configure Tor or I2P to accept inbound | ||||||
connections. Then, `--anonymous-inbound` must be used to tell the daemon where | ||||||
to listen for incoming connections, and the incoming hidden service address. | ||||||
The option can be specified once for each network type. The format for usage | ||||||
is: `hidden-service-address,[bind-ip:]port[,max_connections]`. Examples: | ||||||
|
||||||
``` | ||||||
--tx-proxy rveahdfho7wo4b2m.onion:18083,18083 | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||
--tx-proxy rveahdfho7wo4b2m.onion:18083,18083,100 | ||||||
--tx-proxy rveahdfho7wo4b2m.onion:18083,127.0.0.1:18083 | ||||||
--tx-proxy rveahdfho7wo4b2m.onion:18083,127.0.0.1:18083,100 | ||||||
--tx-proxy udhdrtrcetjm5sxzskjyr5ztpeszydbh4dpl3pl4utgqqw2v4jna.b32.i2p,18083 | ||||||
--tx-proxy udhdrtrcetjm5sxzskjyr5ztpeszydbh4dpl3pl4utgqqw2v4jna.b32.i2p,18083,100 | ||||||
--tx-proxy udhdrtrcetjm5sxzskjyr5ztpeszydbh4dpl3pl4utgqqw2v4jna.b32.i2p,127.0.0.1:18083 | ||||||
--tx-proxy udhdrtrcetjm5sxzskjyr5ztpeszydbh4dpl3pl4utgqqw2v4jna.b32.i2p,127.0.0.1:18083,100 | ||||||
``` | ||||||
|
||||||
Everything before the first `,` is the hidden service hostname. This must be | ||||||
a valid Tor or I2P address. This tells the daemon the **inbound** hidden | ||||||
service as configured for the local Tor or I2P daemons. | ||||||
|
||||||
Everything between `,`s specify the bind ip and bind port. The IP address is | ||||||
optional, and defaults to `127.0.0.1`. The Tor and I2P daemons must be | ||||||
configured to forward incoming hidden service connections to this IP/Port pair. | ||||||
|
||||||
Everything after the second `,` is used to specify the number of max inbound | ||||||
connections. The field is optional. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also
--daemon-ssl-allow-any-cert
i could be wrong, but iirc onion required it too