feat: allow tor proxy to be bypassed for outbound tcp connections (#3424

) Description --- - Adds `tor_proxy_bypass_for_outbound_tcp` setting that allows direct outbound connections to be made for TCP nodes, bypassing tor - Mobile will have this set for now until it can be configured by the apps Motivation and Context --- By default, the most private mode is set and all traffic is routed through tor. With this option set outbound tcp traffic bypasses tor for outbound TCP peer addresses in exchange for better bandwidth and latency. How Has This Been Tested? --- Some unit tests + manually
tari-project · Oct 6, 2021 · 6a5982e · 6a5982e
1 parent ce17627
commit 6a5982e
Show file tree

Hide file tree

Showing 18 changed files with 275 additions and 42 deletions.
diff --git a/applications/tari_app_utilities/src/utilities.rs b/applications/tari_app_utilities/src/utilities.rs
@@ -22,6 +22,7 @@
 
 use futures::future::Either;
 use log::*;
+use std::sync::Arc;
 use thiserror::Error;
 use tokio::{runtime, runtime::Runtime};
 
@@ -42,6 +43,7 @@ use tari_p2p::transport::{TorConfig, TransportType};
 
 use crate::identity_management::load_from_json;
 use tari_common_types::emoji::EmojiId;
+use tari_comms::transports::predicate::FalsePredicate;
 
 pub const LOG_TARGET: &str = "tari::application";
 
@@ -185,7 +187,7 @@ pub fn create_transport_type(config: &GlobalConfig) -> TransportType {
             tor_socks_config: tor_socks_address.map(|proxy_address| SocksConfig {
                 proxy_address,
                 authentication: tor_socks_auth.map(convert_socks_authentication).unwrap_or_default(),
-                proxy_bypass_addresses: vec![],
+                proxy_bypass_predicate: Arc::new(FalsePredicate::new()),
             }),
         },
         CommsTransport::TorHiddenService {
@@ -195,6 +197,7 @@ pub fn create_transport_type(config: &GlobalConfig) -> TransportType {
             auth,
             onion_port,
             tor_proxy_bypass_addresses,
+            tor_proxy_bypass_for_outbound_tcp,
         } => {
             let identity = Some(&config.base_node_tor_identity_file)
                 .filter(|p| p.exists())
@@ -227,6 +230,7 @@ pub fn create_transport_type(config: &GlobalConfig) -> TransportType {
                 socks_address_override,
                 socks_auth: socks::Authentication::None,
                 tor_proxy_bypass_addresses,
+                tor_proxy_bypass_for_outbound_tcp,
             })
         },
         CommsTransport::Socks5 {
@@ -237,7 +241,7 @@ pub fn create_transport_type(config: &GlobalConfig) -> TransportType {
             socks_config: SocksConfig {
                 proxy_address,
                 authentication: convert_socks_authentication(auth),
-                proxy_bypass_addresses: vec![],
+                proxy_bypass_predicate: Arc::new(FalsePredicate::new()),
             },
             listener_address,
         },

diff --git a/base_layer/p2p/src/initialization.rs b/base_layer/p2p/src/initialization.rs
@@ -305,7 +305,11 @@ async fn initialize_hidden_service(
         .with_socks_authentication(config.socks_auth)
         .with_control_server_auth(config.control_server_auth)
         .with_control_server_address(config.control_server_addr)
-        .with_bypass_proxy_addresses(config.tor_proxy_bypass_addresses);
+        .with_bypass_proxy_addresses(config.tor_proxy_bypass_addresses.into());
+
+    if config.tor_proxy_bypass_for_outbound_tcp {
+        builder = builder.bypass_tor_for_tcp_addresses();
+    }
 
     if let Some(identity) = config.identity {
         builder = builder.with_tor_identity(*identity);

diff --git a/base_layer/p2p/src/transport.rs b/base_layer/p2p/src/transport.rs
@@ -61,14 +61,22 @@ pub struct TorConfig {
     /// If the underlying SOCKS transport encounters these addresses, bypass the proxy and dial directly using the
     /// TcpTransport
     pub tor_proxy_bypass_addresses: Vec<Multiaddr>,
+    /// Use a direct TCP/IP connection if a TCP address is given instead of the tor proxy. This is worse for privacy
+    /// but can use the full available connection bandwidth
+    pub tor_proxy_bypass_for_outbound_tcp: bool,
 }
 
 impl fmt::Display for TorConfig {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
         write!(
             f,
-            "control_server_addr = {}, control_server_auth = {}, {}, socks_address_override = {:?}",
-            self.control_server_addr, self.control_server_auth, self.port_mapping, self.socks_address_override
+            "control_server_addr: {}, control_server_auth: {}, {}, socks_address_override: {:?}, \
+             tor_proxy_bypass_outbound_tcp_addresses = {:?}",
+            self.control_server_addr,
+            self.control_server_auth,
+            self.port_mapping,
+            self.socks_address_override,
+            self.tor_proxy_bypass_for_outbound_tcp
         )
     }
 }
diff --git a/base_layer/wallet_ffi/src/lib.rs b/base_layer/wallet_ffi/src/lib.rs
@@ -2424,6 +2424,8 @@ pub unsafe extern "C" fn transport_tor_create(
         socks_address_override: None,
         socks_auth: authentication,
         tor_proxy_bypass_addresses: vec![],
+        // Prefer performance
+        tor_proxy_bypass_for_outbound_tcp: true,
     };
     let transport = TariTransportType::Tor(tor_config);
 

diff --git a/common/config/presets/tari_config_example.toml b/common/config/presets/tari_config_example.toml
@@ -232,6 +232,8 @@ tor_control_auth = "none" # or "password=xxxxxx"
 # When these addresses are encountered when dialing another peer, the tor proxy is bypassed and the connection is made
 # direcly over TCP. /ip4, /ip6, /dns, /dns4 and /dns6 are supported.
 # tor_proxy_bypass_addresses = ["/dns4/my-foo-base-node/tcp/9998"]
+# When using the tor transport and set to true, outbound TCP connections bypass the tor proxy. Defaults to false for better privacy
+# tor_proxy_bypass_for_outbound_tcp = false;
 
 ########################################################################################################################
 #                                                                                                                      #
@@ -409,6 +411,8 @@ console_wallet_tor_identity_file = "config/console_wallet_tor.json"
 # When these addresses are encountered when dialing another peer, the tor proxy is bypassed and the connection is made
 # direcly over TCP. /ip4, /ip6, /dns, /dns4 and /dns6 are supported.
 # tor_proxy_bypass_addresses = ["/dns4/my-foo-base-node/tcp/9998"]
+# When using the tor transport and set to true, outbound TCP connections bypass the tor proxy. Defaults to false for better privacy
+# tor_proxy_bypass_for_outbound_tcp = false;
 
 ########################################################################################################################
 #                                                                                                                      #

diff --git a/common/config/presets/tari_igor_config.toml b/common/config/presets/tari_igor_config.toml
@@ -232,6 +232,8 @@ tor_control_auth = "none" # or "password=xxxxxx"
 # When these addresses are encountered when dialing another peer, the tor proxy is bypassed and the connection is made
 # direcly over TCP. /ip4, /ip6, /dns, /dns4 and /dns6 are supported.
 # tor_proxy_bypass_addresses = ["/dns4/my-foo-base-node/tcp/9998"]
+# When using the tor transport and set to true, outbound TCP connections bypass the tor proxy. Defaults to false for better privacy
+# tor_proxy_bypass_for_outbound_tcp = false;
 
 ########################################################################################################################
 #                                                                                                                      #
@@ -281,10 +283,10 @@ data_dir = "igor"
 # new nodes can use to introduce themselves to the network.
 # peer_seeds = ["public_key1::address1", "public_key2::address2",... ]
 peer_seeds = [
-    "8e7eb81e512f3d6347bf9b1ca9cd67d2c8e29f2836fc5bd608206505cc72af34::/onion3/l4wouomx42nezhzexjdzfh7pcou5l7df24ggmwgekuih7tkv2rsaokqd:18141", 
-    "00b35047a341401bcd336b2a3d564280a72f6dc72ec4c739d30c502acce4e803::/onion3/ojhxd7z6ga7qrvjlr3px66u7eiwasmffnuklscbh5o7g6wrbysj45vid:18141", 
-    "40a9d8573745072534bce7d0ecafe882b1c79570375a69841c08a98dee9ecb5f::/onion3/io37fylc2pupg4cte4siqlsmuszkeythgjsxs2i3prm6jyz2dtophaad:18141", 
-    "126c7ee64f71aca36398b977dd31fbbe9f9dad615df96473fb655bef5709c540::/onion3/6ilmgndocop7ybgmcvivbdsetzr5ggj4hhsivievoa2dx2b43wqlrlid:18141", 
+    "8e7eb81e512f3d6347bf9b1ca9cd67d2c8e29f2836fc5bd608206505cc72af34::/onion3/l4wouomx42nezhzexjdzfh7pcou5l7df24ggmwgekuih7tkv2rsaokqd:18141",
+    "00b35047a341401bcd336b2a3d564280a72f6dc72ec4c739d30c502acce4e803::/onion3/ojhxd7z6ga7qrvjlr3px66u7eiwasmffnuklscbh5o7g6wrbysj45vid:18141",
+    "40a9d8573745072534bce7d0ecafe882b1c79570375a69841c08a98dee9ecb5f::/onion3/io37fylc2pupg4cte4siqlsmuszkeythgjsxs2i3prm6jyz2dtophaad:18141",
+    "126c7ee64f71aca36398b977dd31fbbe9f9dad615df96473fb655bef5709c540::/onion3/6ilmgndocop7ybgmcvivbdsetzr5ggj4hhsivievoa2dx2b43wqlrlid:18141",
 ]
 
 # This allowlist provides a method to force syncing from any known nodes you may choose, for example if you have a
@@ -392,6 +394,8 @@ console_wallet_tor_identity_file = "config/console_wallet_tor.json"
 # When these addresses are encountered when dialing another peer, the tor proxy is bypassed and the connection is made
 # direcly over TCP. /ip4, /ip6, /dns, /dns4 and /dns6 are supported.
 # tor_proxy_bypass_addresses = ["/dns4/my-foo-base-node/tcp/9998"]
+# When using the tor transport and set to true, outbound TCP connections bypass the tor proxy. Defaults to false for better privacy
+# tor_proxy_bypass_for_outbound_tcp = false;
 
 ########################################################################################################################
 #                                                                                                                      #

diff --git a/common/src/configuration/global.rs b/common/src/configuration/global.rs
@@ -904,13 +904,17 @@ fn network_transport_config(
                 None => None,
             };
 
+            let key = config_string(app_str, network, "tor_proxy_bypass_for_outbound_tcp");
+            let tor_proxy_bypass_for_outbound_tcp = optional(cfg.get_bool(&key))?.unwrap_or(false);
+
             Ok(CommsTransport::TorHiddenService {
                 control_server_address,
                 auth,
                 socks_address_override,
                 forward_address,
                 onion_port,
                 tor_proxy_bypass_addresses,
+                tor_proxy_bypass_for_outbound_tcp,
             })
         },
         "socks5" => {
@@ -1051,6 +1055,7 @@ pub enum CommsTransport {
         auth: TorControlAuthentication,
         onion_port: NonZeroU16,
         tor_proxy_bypass_addresses: Vec<Multiaddr>,
+        tor_proxy_bypass_for_outbound_tcp: bool,
     },
     /// Use a SOCKS5 proxy transport. This transport recognises any addresses supported by the proxy.
     Socks5 {

diff --git a/comms/examples/stress/node.rs b/comms/examples/stress/node.rs
@@ -32,7 +32,7 @@ use tari_comms::{
     protocol::{messaging::MessagingProtocolExtension, ProtocolNotification, Protocols},
     tor,
     tor::{HsFlags, TorIdentity},
-    transports::{SocksConfig, TcpWithTorTransport},
+    transports::{predicate::FalsePredicate, SocksConfig, TcpWithTorTransport},
     CommsBuilder,
     CommsNode,
     NodeIdentity,
@@ -123,7 +123,7 @@ pub async fn create(
             .spawn_with_transport(TcpWithTorTransport::with_tor_socks_proxy(SocksConfig {
                 proxy_address: TOR_SOCKS_ADDR.parse().unwrap(),
                 authentication: Default::default(),
-                proxy_bypass_addresses: vec![],
+                proxy_bypass_predicate: Arc::new(FalsePredicate::new()),
             }))
             .await
             .unwrap()

diff --git a/comms/src/macros.rs b/comms/src/macros.rs
@@ -25,21 +25,21 @@
 macro_rules! setter {
     (
      $(#[$outer:meta])*
-     $func:ident, $name: ident, Option<$type: ty>
+     $func:ident, $($name: ident).+, Option<$type: ty>
  ) => {
         $(#[$outer])*
         pub fn $func(mut self, val: $type) -> Self {
-            self.$name = Some(val);
+            self.$($name).+ = Some(val);
             self
         }
     };
     (
         $(#[$outer:meta])*
-        $func:ident, $name: ident, $type: ty
+        $func:ident, $($name: ident).+, $type: ty
     ) => {
         $(#[$outer])*
         pub fn $func(mut self, val: $type) -> Self {
-            self.$name = val;
+            self.$($name).+ = val;
             self
         }
     };

diff --git a/comms/src/tor/hidden_service/builder.rs b/comms/src/tor/hidden_service/builder.rs
@@ -24,10 +24,16 @@ use super::controller::HiddenServiceControllerError;
 use crate::{
     multiaddr::Multiaddr,
     socks,
-    tor::{hidden_service::controller::HiddenServiceController, Authentication, PortMapping, TorIdentity},
+    tor::{
+        hidden_service::{controller::HiddenServiceController, TorProxyOpts},
+        Authentication,
+        PortMapping,
+        TorIdentity,
+    },
 };
 use bitflags::bitflags;
 use log::*;
+use std::sync::Arc;
 use tari_shutdown::{OptionalShutdownSignal, ShutdownSignal};
 use thiserror::Error;
 
@@ -60,7 +66,7 @@ pub struct HiddenServiceBuilder {
     port_mapping: Option<PortMapping>,
     socks_addr_override: Option<Multiaddr>,
     control_server_addr: Option<Multiaddr>,
-    proxy_bypass_addresses: Vec<Multiaddr>,
+    proxy_opts: TorProxyOpts,
     control_server_auth: Authentication,
     socks_auth: socks::Authentication,
     hs_flags: HsFlags,
@@ -84,8 +90,8 @@ impl HiddenServiceBuilder {
     setter!(
         /// Configure the underlying SOCKS transport to bypass the proxy and connect directly to these addresses
         with_bypass_proxy_addresses,
-        proxy_bypass_addresses,
-        Vec<Multiaddr>
+        proxy_opts.bypass_addresses,
+        Arc<Vec<Multiaddr>>
     );
 
     setter!(
@@ -117,6 +123,13 @@ impl HiddenServiceBuilder {
         HsFlags
     );
 
+    /// Use a direct TCP/IP connection if a TCP address is given instead of the tor proxy. This is worse for privacy
+    /// but can use the full available connection bandwidth
+    pub fn bypass_tor_for_tcp_addresses(mut self) -> Self {
+        self.proxy_opts.bypass_for_tcpip = true;
+        self
+    }
+
     /// The address of the SOCKS5 server. If an address is None, the hidden service builder will use the SOCKS
     /// listener address as given by the tor control port.
     pub fn with_shutdown_signal(mut self, shutdown_signal: ShutdownSignal) -> Self {
@@ -164,7 +177,7 @@ impl HiddenServiceBuilder {
             self.socks_auth,
             self.identity,
             self.hs_flags,
-            self.proxy_bypass_addresses,
+            self.proxy_opts,
             self.shutdown_signal,
         );
 

diff --git a/comms/src/tor/hidden_service/controller.rs b/comms/src/tor/hidden_service/controller.rs
@@ -29,6 +29,7 @@ use crate::{
             commands::{AddOnionFlag, AddOnionResponse},
             TorControlEvent,
         },
+        hidden_service::TorProxyOpts,
         Authentication,
         HiddenService,
         HsFlags,
@@ -42,7 +43,7 @@ use crate::{
 };
 use futures::{future, future::Either, pin_mut, StreamExt};
 use log::*;
-use std::{net::SocketAddr, time::Duration};
+use std::{net::SocketAddr, sync::Arc, time::Duration};
 use tari_shutdown::OptionalShutdownSignal;
 use thiserror::Error;
 use tokio::{sync::broadcast, time};
@@ -75,7 +76,7 @@ pub struct HiddenServiceController {
     identity: Option<TorIdentity>,
     hs_flags: HsFlags,
     is_authenticated: bool,
-    proxy_bypass_addresses: Vec<Multiaddr>,
+    proxy_opts: TorProxyOpts,
     shutdown_signal: OptionalShutdownSignal,
 }
 
@@ -89,7 +90,7 @@ impl HiddenServiceController {
         socks_auth: socks::Authentication,
         identity: Option<TorIdentity>,
         hs_flags: HsFlags,
-        proxy_bypass_addresses: Vec<Multiaddr>,
+        proxy_opts: TorProxyOpts,
         shutdown_signal: OptionalShutdownSignal,
     ) -> Self {
         Self {
@@ -102,7 +103,7 @@ impl HiddenServiceController {
             hs_flags,
             identity,
             is_authenticated: false,
-            proxy_bypass_addresses,
+            proxy_opts,
             shutdown_signal,
         }
     }
@@ -119,7 +120,7 @@ impl HiddenServiceController {
         Ok(SocksTransport::new(SocksConfig {
             proxy_address: socks_addr,
             authentication: self.socks_auth.clone(),
-            proxy_bypass_addresses: self.proxy_bypass_addresses.clone(),
+            proxy_bypass_predicate: Arc::new(self.proxy_opts.to_bypass_predicate()),
         }))
     }
 

diff --git a/comms/src/tor/hidden_service/mod.rs b/comms/src/tor/hidden_service/mod.rs
@@ -24,11 +24,15 @@ mod builder;
 pub use builder::{HiddenServiceBuilder, HiddenServiceBuilderError, HsFlags};
 
 mod controller;
+pub use controller::{HiddenServiceController, HiddenServiceControllerError};
+
+mod proxy_opts;
+pub use proxy_opts::TorProxyOpts;
+
 use crate::{
     multiaddr::Multiaddr,
     tor::{PrivateKey, TorClientError},
 };
-pub use controller::{HiddenServiceController, HiddenServiceControllerError};
 use serde_derive::{Deserialize, Serialize};
 use std::fmt;
 use tari_shutdown::OptionalShutdownSignal;