Add Socks Proxy (for Tor/i2pd/Kovri) Support to Wallets #5090
Conversation
vtnerd
changed the title
vtnerd
force-pushed
the
feature/tor_rpc
branch
from
d37ef70
to
ff04506
Compare
|
Pushed some tests and rebased against the parent Tor PR. |
|
I think the restriction on domain names / CA is a bit too strict, or even irrelevant. It's always possible to ask the socks5 server to resolve the domain on behalf of the user, and assuming the socks5 server is doing the right thing, the user is just as safe as using an IP. I also might want to use a different socks5 server other then tor/i2p. Is it possible to decouple the commit into smaller ones for educational purpose? |
The socks server is always doing the domain resolution. If a user wants to use a socks proxy in some other context, they can download the certificate of the CA for that site and specify with
There are already two commits - one from the PR for p2p+tor, and a second for socks rpc. Did you want this broken down further? |
|
Thanks for the explanation @vtnerd. I see now that the default is to not trust root CA, then this seems to be the best practice. Yes, I was hoping the commits can be broken down further more, if possible? |
|
@fuwa0529
Why? The 2 commits are very logical units of work. |
|
@jtgrassie Maybe because I don't understand it, and was a bit frustrated about myself. But if you think these are of reasonable size, then sure I'll stop complaining. |
contrib/epee/src/net_helper.cpp
Outdated
| m_ssl_stream.emplace(m_io_service); | ||
| m_ssl_stream->socket.next_layer() = connection.get(); | ||
| m_deadline.cancel(); | ||
| m_deadline.expires_at(std::chrono::steady_clock::time_point::max()); |
There was a problem hiding this comment.
Is this scheduling an event for essentially never ?
vtnerd
force-pushed
the
feature/tor_rpc
branch
from
ff04506
to
758cb58
Compare
|
It is merged. |
|
@vtnerd please rebase |
|
@vtnerd still waiting on a rebase :) |
ANONYMITY_NETWORKS.md
Outdated
|
|
||
| An anonymity network can be configured to forward incoming connections to a | ||
| `monerod` RPC port - which is independent from the configuration for incoming | ||
| P2P anonymity connections. The anonymity network (tor, i2pd, kovri, etc.) is |
There was a problem hiding this comment.
Minor request, can we change "(tor, i2pd, kovri, etc.)" to simply "tor/i2p"? This keeps implementation names out.
There was a problem hiding this comment.
Will update shortly.
ANONYMITY_NETWORKS.md
Outdated
| > HiddenServiceDir /var/lib/tor/data/monero | ||
| > HiddenServicePort 18081 127.0.0.1:18081 | ||
|
|
||
| Then the wallet will be configured to use a tor/i2pd/kovri proxy and onion/i2p |
Yeah, I got caught working on the SSL PR. This has reverted prior changes for SSL, and is rebased to mainline. @moneromooo-monero may want to review shortly since it technically has changed, although the "new" changes are primarily just reverting changes that were previously made. |
vtnerd
force-pushed
the
feature/tor_rpc
branch
2 times, most recently
from
0ad6651
to
7acfa9f
Compare
|
Ok, finally rebased entirely (hopefully) with @jtgrassie changes. |
7acfa9f Added socks proxy (tor/i2pd/kovri) support to wallet (Lee Clagett)
Allows wallets to connect to daemon over tor/i2pd/kovri. If proxy usage is enabled, the daemon address must be onion/i2p based or use
--daemon-cert-file. The idea is to prevent root CA shadiness over these networks in addition to the authenticated/unencrypted problems. A root CA can be combined with an onion/i2p address (the former can definitely be signed by a few CAs) by using--daemon-address https://xyz.onion. Additionally,--daemon-address https://...and--daemon-cert-filewill work with ipv4 or ICANN hostnames.Will have to coordinate with @moneromooo-monero for the SSL changes. The first commit (for p2p tor/socks) will be rebased away once its merged.