#517 closed enhancement

make tahoe Tor- and I2P-friendly — at Version 14

Reported by: warner Owned by: ioerror
Priority: minor Milestone: 1.12.0
Component: code-network Version: 1.2.0
Keywords: privacy anonymity anti-censorship i2p tor-protocol usability Cc: dawuud, leif@…
Launchpad Bug:

Description (last modified by zooko)

Jake Appelbaum and I were talking at the last hackfest about what it would take to run Tahoe safely through the Tor (anonymizing onion-router) proxy.

I figured it wouldn't take much: just removing the automatically-added local IP addresses from the advertised FURLs. You'd treat the tubid as a pseudonym (i.e. never run this node without Tor). Listeners would be a complete loss (that is, other nodes would not be able to establish connections to yours, until 1: we get SOCKS4A client-side support into Twisted, 2: make sure Foolscap can use .onion names in connection hints, and 3: add a Foolscap Listener that establishes itself on a Tor hidden-service port).

But beyond that, it should just be a question of running Tahoe under 'tsocks', so that all of its outbound connections go through the socks proxy and then through Tor to the other servers.

So the task for this ticket: provide a configuration knob to override the default "find all my IP addresses and add them to the connection hints (via Tub.setLocation)" behavior, and instead provide a hard-coded list of hints.

Change History (14)

comment:1 Changed at 2008-09-18T22:38:19Z by warner

  • Description modified (diff)

fixed misspelling of Jake's name.. oops.

comment:2 Changed at 2008-11-13T00:49:47Z by warner

9976bd439ac50be5 adds "tub.location" to tahoe.cfg. I haven't tested it at all, but I think this ought to handle the main issue. I think all that's left is for someone Tor-knowledgeable to test it out and write up a short guide on running tahoe under tsocks.

comment:3 Changed at 2009-07-28T23:16:57Z by zooko

  • Keywords easy added

comment:4 Changed at 2010-02-10T04:21:46Z by zooko

To close this ticket, write up documentation of how to use Tahoe-LAFS with Tor. Also use Tahoe-LAFS with Tor and make sure that it works. :-)

comment:5 Changed at 2010-02-10T04:21:57Z by zooko

  • Keywords privacy added

comment:6 Changed at 2010-03-05T01:32:26Z by zooko

See the docs about tub.location in configuration.txt.

comment:7 Changed at 2010-03-05T05:10:32Z by ioerror

Should the Tor documentation show how to run Tahoe transparently? Should it be for a Tahoe storage node? For a Tahoe client connecting to the test grid?

What would be useful?

comment:8 Changed at 2010-03-05T08:26:21Z by ioerror

It seems like we have a few possible interesting use cases:

  1. Tahoe as a client to any grid where all connections leave the Tor network
  2. Tahoe storage nodes that advertise their address as their respective .onion address
    1. All outgoing TCP connections from the storage node must only connect through Tor
    2. The storage node should not leak its own known IP
  3. A full Tahoe grid that is only available over Tor
    1. The introducer should reject listing all peers that aren't .onions
    2. All nodes should be reachable as .onions (thus we solve the NAT problem)
    3. It's super slow and everyone loves the idea but the practice is full of shame

I think that 1 is currently possible with tsocks and a functional Tor client. 2 seems to be easy enough to do with the tub.location patch and iptables wizardry. 3 seems likely best solved with transparent Tor proxying and manual tub.location stuffing.

As a side note, it's probably the case that Tahoe should weight reconstruction and not use blocks from .onions as their first choice for streaming data.

Is there anything else that's missing? What other ways should we use Tor and Tahoe together?

comment:9 Changed at 2010-03-05T12:33:44Z by sid77

Maybe an initial setup could be a machine running tahoe, transparently proxied through Tor, just to see if it works.

comment:10 Changed at 2010-03-06T02:56:09Z by zooko

  • Owner set to ioerror

comment:11 Changed at 2010-10-23T00:49:35Z by davidsarah

  • Keywords anonymity added; tor removed
  • Summary changed from make tahoe Tor-friendly to make tahoe Tor- and I2P-friendly

comment:12 Changed at 2010-12-16T01:25:01Z by davidsarah

  • Keywords anti-censorship added

comment:13 Changed at 2013-04-19T20:13:58Z by leif

Running a grid on Tor hidden services works for me (by setting tub.location to an onion address and running tahoe under usewithtor), but I've noticed two IP address leaks so far (#1942 and #1947).
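As an added example (not part of the original ticket or of Tahoe-LAFS itself), here is one way to check a tahoe.cfg for the advertisement leak this ticket is about: tub.location left unset, or set to hints that are not .onion/.i2p names. It assumes the setting lives in a `[node]` section and holds comma-separated `host:port` hints; the function name, the accepted suffixes and the sample configs are constructed for illustration.

```python
import configparser
import ipaddress

ANON_SUFFIXES = (".onion", ".i2p")  # assumption: names that are safe to advertise

def audit_tub_location(cfg_text):
    """Return findings for [node] tub.location; an empty list means no leak found."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    value = cp.get("node", "tub.location", fallback="").strip()
    if not value:
        # Per the ticket, the default is to find all local IPs and advertise them.
        return ["tub.location unset: local IP addresses will be auto-advertised"]
    findings = []
    for hint in filter(None, (h.strip() for h in value.split(","))):
        parts = hint.split(":")
        if len(parts) < 2 or not parts[-1].isdigit():
            findings.append(f"{hint}: not in host:port form, cannot verify")
            continue
        host = parts[-2].lower()  # assumption: tolerate a type prefix before the host
        if host.endswith(ANON_SUFFIXES):
            continue
        try:
            ipaddress.ip_address(host)
            findings.append(f"{hint}: IP literal advertised")
        except ValueError:
            findings.append(f"{hint}: non-anonymous hostname advertised")
    return findings

# Constructed sample configs (addresses and names are placeholders).
SAFE_CFG = """
[node]
tub.port = 8098
tub.location = exampleonionaddress.onion:8098
"""
LEAKY_CFG = """
[node]
tub.port = 8098
tub.location = exampleonionaddress.onion:8098,192.0.2.10:8098,node.example.org:8098
"""
DEFAULT_CFG = """
[node]
nickname = storage1
"""

if __name__ == "__main__":
    for name, cfg in [("safe", SAFE_CFG), ("leaky", LEAKY_CFG), ("default", DEFAULT_CFG)]:
        print(name, audit_tub_location(cfg) or "ok")
```

This only inspects what the node is configured to advertise; it says nothing about whether outbound connections actually go through the proxy.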

comment:14 Changed at 2014-01-14T17:54:01Z by zooko

  • Description modified (diff)
  • Keywords i2p tor added