New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add Socks Proxy (for Tor/i2pd/Kovri) Support to Wallets #5090
Conversation
d37ef70
to
ff04506
Compare
Pushed some tests and rebased against the parent Tor PR. |
I think the restriction on domain names / CA is a bit too strict, or even irrelevant. It's always possible to ask the socks5 server to resolve the domain on behalf of the user, and assuming the socks5 server is doing the right thing, the user is just as safe as using an IP. I also might want to use a different socks5 server other then tor/i2p. Is it possible to decouple the commit into smaller ones for educational purpose? |
The socks server is always doing the domain resolution. If a user wants to use a socks proxy in some other context, they can download the certificate of the CA for that site and specify with
There are already two commits - one from the PR for p2p+tor, and a second for socks rpc. Did you want this broken down further? |
Thanks for the explanation @vtnerd. I see now that the default is to not trust root CA, then this seems to be the best practice. Yes, I was hoping the commits can be broken down further more, if possible? |
@fuwa0529
Why? The 2 commits are very logical units of work. |
@jtgrassie Maybe because I don't understand it, and was a bit frustrated about myself. But if you think these are of reasonable size, then sure I'll stop complaining. |
contrib/epee/src/net_helper.cpp
Outdated
m_ssl_stream.emplace(m_io_service); | ||
m_ssl_stream->socket.next_layer() = connection.get(); | ||
m_deadline.cancel(); | ||
m_deadline.expires_at(std::chrono::steady_clock::time_point::max()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this scheduling an event for essentially never ?
ff04506
to
758cb58
Compare
It is merged. |
@vtnerd please rebase |
@vtnerd still waiting on a rebase :) |
ANONYMITY_NETWORKS.md
Outdated
|
||
An anonymity network can be configured to forward incoming connections to a | ||
`monerod` RPC port - which is independent from the configuration for incoming | ||
P2P anonymity connections. The anonymity network (tor, i2pd, kovri, etc.) is |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor request, can we change "(tor, i2pd, kovri, etc.)" to simply "tor/i2p"? This keeps implementation names out.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will update shortly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks
ANONYMITY_NETWORKS.md
Outdated
> HiddenServiceDir /var/lib/tor/data/monero | ||
> HiddenServicePort 18081 127.0.0.1:18081 | ||
|
||
Then the wallet will be configured to use a tor/i2pd/kovri proxy and onion/i2p |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same as above comment.
Yeah, I got caught working on the SSL PR. This has reverted prior changes for SSL, and is rebased to mainline. @moneromooo-monero may want to review shortly since it technically has changed, although the "new" changes are primarily just reverting changes that were previously made. |
0ad6651
to
7acfa9f
Compare
Ok, finally rebased entirely (hopefully) with @jtgrassie changes. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewed
7acfa9f Added socks proxy (tor/i2pd/kovri) support to wallet (Lee Clagett)
Allows wallets to connect to daemon over tor/i2pd/kovri. If proxy usage is enabled, the daemon address must be onion/i2p based or use
--daemon-cert-file
. The idea is to prevent root CA shadiness over these networks in addition to the authenticated/unencrypted problems. A root CA can be combined with an onion/i2p address (the former can definitely be signed by a few CAs) by using--daemon-address https://xyz.onion
. Additionally,--daemon-address https://...
and--daemon-cert-file
will work with ipv4 or ICANN hostnames.Will have to coordinate with @moneromooo-monero for the SSL changes. The first commit (for p2p tor/socks) will be rebased away once its merged.