Author Topic: How to set up Azureus to work with Tor  (Read 88122 times)


crypton
How to set up Azureus to work with Tor
« on: March 19, 2005, 05:09:11 PM »
Introduction

Even though this has been said elsewhere, PLEASE don’t run peer-to-peer download data through Tor as it can’t handle the network traffic. If people continue to do this then Tor will start banning such traffic which will badly impact legitimate use (as indicated below).


From the Tor website (http://www.freehaven.net/tor):

Tor: an anonymizing overlay network for TCP

Tor is a connection-based low-latency anonymous communication system that protects TCP streams: web browsing, instant messaging, irc, ssh, etc.

This document contains an overview of how to set up the Azureus BitTorrent client (http://azureus.sourceforge.net/) to use Tor for both Tracker and Peer-Peer data communications.

 
It is currently advisable to only run Tracker communication over Tor due to the current limitations of the Tor network, however it is hoped that this restriction will be lifted in the future. (Note however that use of “superseeding” within Azureus is an efficient way of distributing data to a swarm and can be used over Tor with little impact to the network).

 
That is, do not run normal data communications over Tor at the moment as the network will not handle the load. The only supported configurations are:

1) Anonymous Trackers with public clients (4.1.1). All parties need to run Tor.

2) Anonymous initial seeds (4.3.2). Only the seeding client needs to run Tor.

 

Tor is still experimental, versions prior to 1.0 should not be used where anonymity requirements are high!

 

In the following diagrams the “anonymous network” represents Tor, the area outside it denotes the public network.


IP <x> represents an IP address (or corresponding DNS name).

HS <y> represents a Tor Hidden Service name.

 
Any data communication that goes through the “Anonymous Network” cloud requires one or more of the parties to be running Tor. The originator of any such connection must run it. The receiver of any such connection, when made to a hidden service, must also be running it.

2.1      Totally public BitTorrent


2.2      Totally Anonymous BitTorrent



3         Software Versions

3.1      Azureus

Release 2.2.0.0 or greater is required.

3.2      Tor

Latest stable release: http://tor.eff.org/


4         Configurations

Tor uses “hidden services” to expose an anonymous inwardly connectable service. Such a service is defined in the Tor configuration file by adding lines of the form:

 
HiddenServiceDir <directory name>

HiddenServicePort <exposed port> <local intf>:<local port>

 
For example:
 
HiddenServiceDir /Tor/bttracker

HiddenServicePort  6969 127.0.0.1:10069

 
This declares to Tor that there is a hidden service running on port 6969, connections to which should be forwarded onto the loopback interface on port 10069 (the port numbers can be the same if required).

 

When Tor is started, on encountering a new hidden service entry it will generate some files in the specified directory (in the above example, /Tor/bttracker). The important file in terms of configuring Azureus is the “hostname” file. This contains the anonymous name for the service, as made available via the Tor network. For example:

 
k61234567895ivw.onion

 

This is not a valid DNS name and hence can’t be used directly. Rather, to use it, it needs to be resolved by the Tor network. Tor has a rendezvous mechanism whereby the publisher of such a service, and a client connecting to it, rendezvous anonymously somewhere in the Tor network such that either end of the connection knows nothing about the other.

 

In order for normal applications to “get into” the Tor network, Tor runs a SOCKS proxy. In order to allow the proxy to handle the service address resolution this requires SOCKS 4a (version 5 can support this too, but 4a is the preferred choice). This is because the original version 4 could only receive IP addresses as the endpoint address, rather than the necessary “DNS” name.

 
Don’t use the example hidden service address used in this document, use the one(s) generated for you when you run Tor!!!!

4.1      Anonymous Tracker Server

4.1.1      Public Clients

Public clients are “normal” clients in the sense that they publish their normal IP addresses to the tracker. Therefore peer-peer data communication takes place through the internet, not Tor, and is not anonymous.


4.1.1.1  Configuration

Given the above general discussion it should be fairly obvious how to configure an anonymous tracker. Note that there is no requirement here to make outward connections from the tracker through the Tor proxy, so no proxy configuration is required.

4.1.1.1.1   Tor

Add the hidden service for the tracker, for example:

 
HiddenServiceDir /Tor/bttracker

HiddenServicePort  6969 127.0.0.1:10069


 

to the configuration file and start Tor (see below).

4.1.1.1.2   Azureus


Extract the hidden service name from the “hostname” file for the “bttracker” service (in the above example this is in /Tor/bttracker/hostname), e.g.

k61234567895ivw.onion

and enter this as the “Tracker external IP address” under the Options>Tracker>Server configuration.

If a port other than 6969 has been selected as the local port for the tracker then this also needs to be configured – in the above example this will need to be set to 10069.


 
The tracker can still be configured to run over HTTPS (SSL) and be password protected if required.

 
Note that the tracker will be running as normal on port 10069 (in this example) and will thus be contactable externally via normal tracker protocols. Therefore it is essential to block this port to prevent public access, either by firewall or router configuration.

4.1.2      Anonymous Clients

Here the tracker supports anonymous peer data, and to do so the peers publish their own hidden services to the tracker. Because these are non-resolvable DNS names the tracker needs to be configured to use the original form of the announce protocol. This supports the passing of non-resolved names to the client (as opposed to the more recent “compact” protocol that returns resolved IP addresses only).

 

The diagram here is as for the “Totally Anonymous BitTorrent” above.

4.1.2.1  Tor

Configure as above for public peers.

4.1.2.2  Azureus


Configure the tracker server not to support the compact protocol.

4.1.3      Torrent Creation

Given the tracker address configured above, the “create Torrent” wizard will by default have the correct announce URL for the tracker

(in the above example http://k61234567895ivw.onion:6969/announce).

4.1.4      Setting up a browser to view the tracker web pages (see Howto: Tor Hidden Service)

To browse the anonymous tracker you can use another HTTP proxy such as Privoxy (http://www.privoxy.org) to proxy HTTP into the Tor proxy. Configure your browser with an HTTP (not SOCKS) proxy of 127.0.0.1, port 8118. Edit the Privoxy config file to contain:

forward-socks4a / localhost:9050 .

Note the “.” at the end of the line, this is important!
 
Now browse to, for example, http://k61234567895ivw.onion:6969/. How this works is that the browser proxies the request to Privoxy on port 8118. Privoxy then turns this into a SOCKS 4a request and proxies into the Tor network (the Tor proxy runs on port 9050 by default). The Tor network then resolves the hidden service name and connects the request to the tracker.




 
4.2      Anonymous Tracker Client
For an Azureus client to be able to use an anonymous tracker, the client must also run a Tor proxy and configure Azureus to proxy the tracker communications through it.

4.2.1      Tor

No configuration is required, just run the Tor proxy on the default SOCKS port of 9050.

4.2.2      Azureus

Configure the connection proxy for the tracker to be a SOCKS proxy of 127.0.0.1, port 9050 (select “enable proxying of tracker” and “I have a SOCKS proxy”).

Do not configure the second proxy, the data proxy, as this is not required for accessing the anonymous tracker.




4.3      Anonymous Outbound Peer Data, public Tracker

It is possible to connect to a public tracker and send/receive peer data anonymously (although inward connections from other peers to your machine are not supported). This takes advantage of the “out proxy” functionality of Tor whereby connections to normal IP addresses/DNS names can be made anonymously. Due to the “outbound” only nature of the data transfer this is not suitable in general (after all, if nobody accepted inbound connections there would be nobody to connect to), but can sensibly be used to anonymously seed an initial copy of something (particularly in superseed mode). There are two variants to this approach:

4.3.1      Public tracker connection

Here the connection to the tracker is made through the internet, and as such the client’s real address is fully visible. The client must be configured not to be able to receive incoming connections, either by supplying an incoming data port of 0, or by appropriate firewall configuration.

 

However, the data connections are routed through Tor.

 

It is necessary to understand the concept of “peer id”. Normally a BitTorrent client constructs a unique peer id for a given download, this being given to both the tracker and the peers when connecting. The use of the same value allows the connection between the public IP address of the client, and the anonymous originating address of the data traffic, to be made, breaking anonymity. It is therefore necessary to configure Azureus to use different values for these. Originally the BitTorrent specification assumed that when a client connected to another client it would verify that the peer id used by the other client was the same as the one registered for that client with the tracker. However, this check is not performed by Azureus, and most (all?) other clients, especially with the advent of the “compact” announce protocol as this does not even return the peer id to the clients.



4.3.1.1  Tor

No configuration is required, just run the Tor proxy on the default SOCKS port of 9050.

4.3.1.2  Azureus

Configure the incoming data port to be 0, or use alternative means to ensure that incoming connections from other peers will not be accepted.

Configure the data proxy to be 127.0.0.1, port 9050, version 4a (note here that the “inform tracker of limitation” box will automatically force the incoming data port to be set to 0. Some trackers won’t accept 0 as a valid port though, hence the alternative approach of using a port that is blocked by a firewall). If you leave the incoming data port open then other clients will be able to connect to your real IP address and transfer data, hence anonymity is lost.

 

Configure the tracker client item “use different peer identities for tracker and data comms” to be checked.


4.3.2      Anonymous tracker connection

This is the same as above, except the tracker connection is routed through Tor. This is a preferred approach as the client’s real IP address is not visible to the tracker; however, this may not work for trackers that require registration of client IP addresses, for example.

Configure the same as above, except enable the HTTP proxy in Azureus to be a SOCKS proxy on 127.0.0.1, port 9050.





4.4      Anonymous Inbound Peer Data, Public Tracker

To accept inbound anonymous connections it is necessary for the client to define a hidden service URL in the same way as the tracker’s hidden service was defined. This then allows other Tor-enabled clients to connect to you anonymously. For this to work the tracker used needs to support non-compact announce protocol as the hidden service addresses are registered with the tracker.

 

Of course, if a non-anonymous connection is made to the tracker, the tracker will be aware of the association between the client’s real IP address and its hidden service address, which breaks anonymity. Hence an anonymous connection to the tracker must be used.



4.4.1      Tor

Add the hidden service for the incoming peer data, for example

 

HiddenServiceDir /Tor/btdata

HiddenServicePort  6881 127.0.0.1:6881


 

to the configuration file and start Tor (see below).

4.4.2      Azureus

Configure the HTTP proxy as for the “anonymous tracker connection” above.

 

Obtain the hidden service address from, in this example, /Tor/btdata/hostname. For example:

l69876543215ivq.onion

and configure the tracker client item “override IP address sent to tracker” with this value (as of version 2.2.0.0 this is, confusingly, under Connection in the options; it will move in a future version).

 

To be able to accept incoming connections, deselect (uncheck) the “inform tracker of limitation” option in the connection data proxy section.


4.5      Anonymous Peer Data, anonymous Tracker

This is the ultimate in anonymity. Each peer has to define a hidden service to accept incoming data connections. All tracker and peer data is anonymously routed through Tor.

 

The configuration is exactly the same as that for the public tracker, except that the tracker is set up to act as an anonymous tracker!

 

The diagram is as for the “Totally Anonymous BitTorrent” above.

4.6      Running Azureus as Tracker and Client concurrently

Azureus supports running as both tracker and client at the same time, indeed the “sharing” functionality is designed specifically for this, and allows a resource to be published on the tracker and seeded at the same time with a single operation.

 

Running this process anonymously simply requires Azureus to be configured to be both an anonymous tracker and an anonymous client.

4.7      Running

4.7.1      Tor

If the configuration file is called “torrc”, start with (for example)

 
Tor-009pre4.exe -f torrc

4.7.2      Azureus

Start as normal.

http://azureus.sourceforge.net/doc/AnonBT/Tor/howto_0.5.htm
« Last Edit: January 10, 2008, 10:29:38 AM by crypton »
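The SOCKS 4 versus SOCKS 4a distinction from section 4 of the howto, as an added example that is not part of the original post nor Azureus or Tor code: it builds and parses the CONNECT request that Privoxy or Azureus would send to Tor on port 9050, showing why a plain SOCKS 4 request cannot carry a .onion name. The hostname k61234567895ivw.onion and the ports come from the howto; the byte layouts follow the SOCKS 4/4a specification.

```python
"""SOCKS 4 vs SOCKS 4a CONNECT requests, as a client sends them to the Tor SOCKS port."""
import ipaddress
import struct

SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 90  # CD=0x5A in the 8-byte SOCKS 4 reply; 91..93 are rejections


def build_socks4_connect(ip: str, port: int, userid: bytes = b"") -> bytes:
    """Plain SOCKS 4: the destination is a 4-byte IPv4 field, so only a literal
    address fits. A hidden-service name raises here (it has no IP to resolve to)."""
    packed_ip = ipaddress.IPv4Address(ip).packed  # AddressValueError for 'xyz.onion'
    return struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, port, packed_ip) + userid + b"\x00"


def build_socks4a_connect(host: str, port: int, userid: bytes = b"") -> bytes:
    """SOCKS 4a: DSTIP = 0.0.0.x (x != 0) tells the proxy that a NUL-terminated
    hostname follows the userid, so Tor resolves it inside the network. The .onion
    name therefore never reaches the local DNS resolver."""
    try:
        return build_socks4_connect(host, port, userid)  # literal IP: no 4a extension
    except ipaddress.AddressValueError:
        pass
    marker = b"\x00\x00\x00\x01"
    return (struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, port, marker)
            + userid + b"\x00" + host.encode("ascii") + b"\x00")


def parse_socks4a_connect(data: bytes) -> dict:
    """Decode a request the way a 4a-aware proxy (such as Tor) does."""
    vn, cd, port, ip = struct.unpack("!BBH4s", data[:8])
    if vn != SOCKS_VERSION or cd != CMD_CONNECT:
        raise ValueError("not a SOCKS 4 CONNECT request")
    userid, rest = data[8:].split(b"\x00", 1)
    host = str(ipaddress.IPv4Address(ip))
    if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:  # 4a marker: hostname follows
        host = rest.split(b"\x00", 1)[0].decode("ascii")
    return {"host": host, "port": port, "userid": userid}


def socks4_reply_granted(reply: bytes) -> bool:
    """Check the proxy's 8-byte reply: VN=0 and CD=90 means the connection was made."""
    vn, cd = struct.unpack("!BB", reply[:2])
    return vn == 0 and cd == REPLY_GRANTED
```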

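Why sections 4.1.2 and 4.4 of the howto need the tracker to use the original (non-compact) announce protocol, as an added example that is not from the original post or from Azureus: a minimal bencoder of my own builds the tracker's announce response in both forms, and the compact form fails for a hidden-service address because it only has room for a 4-byte IPv4 address. The peer id, IP and .onion name are constructed sample values.

```python
"""Non-compact vs compact tracker announce responses (BEP 3 vs BEP 23)."""
import ipaddress
import struct


def bencode(value) -> bytes:
    """Minimal bencoder for the value types a tracker response uses."""
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, str):
        return bencode(value.encode("ascii"))
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):  # keys are sorted as bytes, as bencoding requires
        items = sorted((k.encode("ascii") if isinstance(k, str) else k, v)
                       for k, v in value.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError("unsupported type %r" % type(value))


def compact_peer(host: str, port: int) -> bytes:
    """Compact form: 4-byte IPv4 + 2-byte big-endian port. A hidden-service name
    has no IPv4 address, so this raises for 'xyz.onion' (AddressValueError)."""
    return ipaddress.IPv4Address(host).packed + struct.pack("!H", port)


def announce_response(peers, interval: int = 1800, compact: bool = False) -> bytes:
    """Build the bencoded reply a tracker sends to an announce.

    peers: list of (peer_id: bytes, host: str, port: int). In the non-compact
    form 'host' is carried as a string, so an unresolved .onion name survives;
    in the compact form the peer list is a packed byte string of resolved IPs."""
    if compact:
        body = b"".join(compact_peer(host, port) for _, host, port in peers)
    else:
        body = [{"peer id": pid, "ip": host, "port": port} for pid, host, port in peers]
    return bencode({"interval": interval, "peers": body})
```
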
bitz
Re: How to set up Azureus to work with Tor
« Reply #1 on: March 19, 2005, 08:16:24 PM »
IMHO tor isn't ever going to be used for "Totally Anonymous BitTorrent" and really any major filesharing.
At the moment "Totally Anonymous BitTorrent" does exist and works fine, however it's only available to people running i2p.

In the case of i2p based bittorrenting, all three ip addresses (tracker, seeder, leecher) are unknown to each other.

Only problem at the moment with i2p based bittorrent is the state of i2p development, the i2p networking isn't ready just yet for thousands of nodes (at least the i2p devs don't think so). Perhaps when version 0.6 is released (supposedly some time this april), i2p and i2p bittorrent will really take off and grow.

IMHO i2p is the future for filesharing and other services (such as web browsing, irc, jabber, email).

Yeah, currently tor can be used for partially anonymous bittorrent, as in leecher/seeder to tracker anonymity.

Anyways good job on this how to. :)

Markus
Re: How to set up Azureus to work with Tor
« Reply #2 on: March 20, 2005, 12:10:22 AM »
@defnax: Thanks for compiling this nice tutorial :)


Cheers,
Markus

Nemo
BT over Tor doesn't make sense to me...
« Reply #3 on: March 20, 2005, 09:18:34 AM »
> Even though this has been said elsewhere, PLEASE don’t run peer-to-peer download data through Tor as it can’t handle the network traffic. If people continue to do this then Tor will start banning such traffic which will badly impact legitimate use
Hmm.. Why do you post a tutorial for using Azureus on Tor, when Tor can't handle the traffic for the data connections?   ;)
(BTW: Nice tutorial! Thanks a lot!  :))

I think if people want to use anonymous BitTorrent, then they want the REALLY anonymous situation, not only "anonymous Tracker" or "anonymous peer". An anonymous Tracker for copyright protected torrents protects the tracker, but not the clients (**AA only has to participate in this BT swarm and could collect IPs...). And since every user has to run the Tor client for this torrent, it isn't very user-friendly. If users do this step for downloading a torrent, then it wouldn't matter for them if they're really anonymous while running I2P and the I2P-BT-Plugin for Azureus...  ::)

I wonder if Tor really works as concept:
There are dedicated Tor servers and the users use Tor clients. A provider of a Tor server with a gateway to the Internet has much traffic and is (perhaps) responsible for all illegal activities of anonymous Tor users...

What is the advantage of providing a Tor server? If there's no advantage, then there will be only a handful of Tor servers, which handle the load of thousands of leeching Tor users...  :P

IMHO I2P is a better system, because every user must provide a router for the network while he uses I2P. He can't be a selfish client to the network.  ;D

Greetings,
Nemo.

postman
Re: BT over Tor doesn't make sense to me...
« Reply #4 on: March 21, 2005, 08:52:09 AM »
Hello,

there might be scenarios, where a setup provided above makes sense.
It solely depends on your threat model. Considering the fact that the tracker operators
are hunted down by most of the **AA people, it might be a good idea to provide the tracker anonymously while the
bunch of users (that still does not care big time) stays in the public network (like they do all the time)
With this setup you could provide the tracker services quite conveniently.

But when trackers operator and clients share the same concerns they have to participate in an
all-anonymous network. But then the filesharing traffic must not be the majority of the allocated bandwidth.
You need a diversity of applications and usages for an anonymous network. If it's known to the public that it's solely used
for filesharing it might as well be targeted by **AA - with an acceptable hit ratio :)

just my thoughts :)
postman

--
postman@i2pmail.org
Postmaster and Administrator
http://hq.postman.i2p - I2P's free and anonymous Mailsystem