modified services to run on provided infrastructure

2025-05-28 14:23:59 +02:00 · 2025-05-28 14:23:59 +02:00 · 83a0eb4cb3
commit 83a0eb4cb3
parent b9e13c776e
18 changed files with 64 additions and 159 deletions
--- a/experiment-infra/README.md
+++ b/experiment-infra/README.md
@ -0,0 +1,32 @@
+# Tor Experiment Infrastructure
+
+## Available Systems
+
+| IP | Domain | Location | Purpose | 
+|---:|:-------|:---------|:--------|
+| 164.90.190.0 | rsca.vanrissenbeck.com | Frankfurt | Host a webservice, take measurements. |
+| 95.85.53.75 | n.a. | Amsterdam | Host a private Tor guard node |
+| 64.225.67.64 | n.a. | Amsterdam | Host a private Tor guard node |
+
+## Containers
+
+The `guard` container provides a single guard node, configured so that it
+does not announce its IP to public indices. The container is configured
+by two environment variables, `BIND_ADDRESS` and `NICKNAME`. The values
+in the associated `docker-compose.yml` file are fine as they are.
+kept in the `
+
+The `victim` container provides the Tor service configured as a SOCKS5
+proxy. It connects to one hard-coded guard node, specified using the
+environment variable `GUARD`.
+
+Both containers are stored in the `ghcr.io` registry under the tags
+`ghcr.io/deinernstjetzt/rsca-guard` or `ghcr.io/deinernstjetzt/rsca-victim`
+respectively.
+
+## Exposed Ports
+
+| Name | Host:Port |
+|:---------|------------------|
+| Guard #1 | 95.85.53.75:30720 |
+| Guard #2 | 64.225.67.64:62268 |
--- a/experiment-infra/guard/Dockerfile
+++ b/experiment-infra/guard/Dockerfile
@ -1,6 +1,6 @@
 FROM debian:bookworm
 RUN apt update && apt -y install tor
-ARG BIND_ADDRESS="10.2.0.3"
 COPY ./torrc /etc/tor/torrc
-RUN sed -i "s/{bind-address}/${BIND_ADDRESS}/" /etc/tor/torrc
-CMD [ "bash", "-c", "sleep 5; tor" ]
+COPY --chmod=700 ./entrypoint.sh /entrypoint.sh
+ENTRYPOINT [ "/entrypoint.sh" ]
+CMD [ "tor" ]
--- a/experiment-infra/guard/docker-compose.yml
+++ b/experiment-infra/guard/docker-compose.yml
@ -1,41 +1,10 @@
 services:
-  wg-target:
-    build: ../wireguard
-    cap_add:
-      - NET_ADMIN
-    sysctls:
-      - net.ipv4.conf.all.src_valid_mark=1
-    secrets:
-      - source: wg-target
-        target: wg-config
-
-  wg-dummy:
-    build: ../wireguard
-    cap_add:
-      - NET_ADMIN
-    sysctls:
-      - net.ipv4.conf.all.src_valid_mark=1
-    secrets:
-      - source: wg-dummy
-        target: wg-config
+  guard:
+    image: ghcr.io/deinernstjetzt/rsca-guard
  
-  target:
-    build:
-      dockerfile: ./Dockerfile
-      args:
-        BIND_ADDRESS: "10.2.0.3"
-    network_mode: "service:wg-target"
-
-  dummy:
-    build:
-      dockerfile: ./Dockerfile
-      args:
-        BIND_ADDRESS: "10.2.0.6"
-    network_mode: "service:wg-dummy"
-
-secrets:
-  wg-target:
-    file: ./wg-target.conf
-  
-  wg-dummy:
-    file: ./wg-dummy.conf
+    environment:
+      BIND_ADDRESS: "0.0.0.0:12345"
+      NICKNAME: "simpletestguard"
+    
+    ports:
+      - 12345:12345
--- a/experiment-infra/guard/entrypoint.sh
+++ b/experiment-infra/guard/entrypoint.sh
@ -0,0 +1,5 @@
+#!/bin/bash
+
+sed -i "s/{bind-address}/${BIND_ADDRESS}/" /etc/tor/torrc
+sed -i "s/{nickname}/${NICKNAME}/" /etc/tor/torrc
+exec "$@"
--- a/experiment-infra/guard/torrc
+++ b/experiment-infra/guard/torrc
@ -1,6 +1,8 @@
 AssumeReachable 1
 PublishServerDescriptor 0
-ORPort {bind-address}:443
-Nickname localtestrelay
+ORPort {bind-address}
+Nickname {nickname}
 RelayBandwidthRate 1 MB
 RelayBandwidthBurst 2 MB
+SocksPort 0
+ExitPolicy reject *:*
--- a/experiment-infra/guard/wg-dummy.conf
+++ b/experiment-infra/guard/wg-dummy.conf
@ -1,10 +0,0 @@
-[Interface]
-Address = 10.2.0.6/24
-PrivateKey = <censored>
-MTU = 1000
-
-[Peer]
-PublicKey = <censored>
-AllowedIps = 10.2.0.0/24
-Endpoint = vanrissenbeck.com:41415
-PersistentKeepalive = 10
--- a/experiment-infra/guard/wg-target.conf
+++ b/experiment-infra/guard/wg-target.conf
@ -1,10 +0,0 @@
-[Interface]
-Address = 10.2.0.3/24
-PrivateKey = <censored>
-MTU = 1000
-
-[Peer]
-PublicKey = <censored>
-AllowedIps = 10.2.0.0/24
-Endpoint = vanrissenbeck.com:41415
-PersistentKeepalive = 10
--- a/experiment-infra/proxy/Dockerfile
+++ b/experiment-infra/proxy/Dockerfile
@ -1,7 +0,0 @@
-FROM alpine:latest
-RUN apk add openssh
-RUN ssh-keygen -A && \
-    sed -i 's/GatewayPorts no/GatewayPorts yes/' /etc/ssh/sshd_config && \
-    sed -i 's/AllowTcpForwarding no/AllowTcpForwarding yes/' /etc/ssh/sshd_config && \
-    printf "<censored>\n<censored>\n" | adduser anon
-CMD [ "/usr/sbin/sshd", "-D" ]
--- a/experiment-infra/proxy/docker-compose.yml
+++ b/experiment-infra/proxy/docker-compose.yml
@ -1,19 +0,0 @@
-services:
-  wireguard:
-    build: ../wireguard
-    cap_add:
-      - NET_ADMIN
-    sysctls:
-      - net.ipv4.conf.all.src_valid_mark=1
-    secrets:
-      - wg-config
-    ports:
-      - 2222:22
-  
-  proxy:
-    build: ./
-    network_mode: "service:wireguard"
-
-secrets:
-  wg-config:
-    file: ./wireguard.conf
--- a/experiment-infra/proxy/wireguard.conf
+++ b/experiment-infra/proxy/wireguard.conf
@ -1,10 +0,0 @@
-[Interface]
-Address = 10.2.0.4/24
-PrivateKey = <censored>
-MTU = 1000
-
-[Peer]
-PublicKey = <censored>
-AllowedIps = 10.2.0.0/24
-Endpoint = vanrissenbeck.com:41415
-PersistentKeepalive = 10
--- a/experiment-infra/victim/Dockerfile
+++ b/experiment-infra/victim/Dockerfile
@ -1,8 +1,6 @@
 FROM debian:bookworm
-RUN apt update && apt -y install tor curl wireguard-tools
+RUN apt update && apt -y install tor curl
 COPY ./torrc /etc/tor/torrc
 COPY --chmod=700 ./entrypoint.sh /entrypoint.sh
-COPY --chmod=700 ./script.sh /script.sh
-ENV TARGET="https://rsca.vanrissenbeck.com"
 ENTRYPOINT [ "/entrypoint.sh" ]
-CMD [ "/script.sh" ]
+CMD [ "bash" ]
--- a/experiment-infra/victim/docker-compose.yml
+++ b/experiment-infra/victim/docker-compose.yml
@ -1,17 +1,8 @@
 services:
-  wireguard:
-    build: ../wireguard
-    cap_add:
-      - NET_ADMIN
-    sysctls:
-      - net.ipv4.conf.all.src_valid_mark=1
-    secrets:
-      - wg-config
-
  victim:
-    build: ./
-    network_mode: "service:wireguard"
-
-secrets:
-  wg-config:
-    file: ./wireguard.conf
+    image: ghcr.io/deinernstjetzt/rsca-victim
+    environment:
+      # Guard #1
+      GUARD: "95.85.53.75:30720"
+      # Guard #2
+      # GUARD: "64.225.67.64:62268"
--- a/experiment-infra/victim/entrypoint.sh
+++ b/experiment-infra/victim/entrypoint.sh
@ -1,3 +1,5 @@
 #!/bin/bash
+
+sed -i "s/{guard}/${GUARD}/" /etc/tor/torrc
 tor &
-exec "$@"
+exec "$@"
--- a/experiment-infra/victim/script.sh
+++ b/experiment-infra/victim/script.sh
@ -1,9 +0,0 @@
-#!/bin/bash
-
-while [ true ];
-do
-    printf "Fetching from $TARGET."
-    curl --silent --socks5 127.0.0.1:9050 $TARGET > /dev/null;
-    echo " Ok."
-    sleep 10;
-done;
--- a/experiment-infra/victim/torrc
+++ b/experiment-infra/victim/torrc
@ -1,3 +1,3 @@
-Bridge 10.2.0.3:443
+Bridge {guard}
 UseBridges 1
 StrictNodes 1
--- a/experiment-infra/victim/wireguard.conf
+++ b/experiment-infra/victim/wireguard.conf
@ -1,10 +0,0 @@
-[Interface]
-Address = 10.2.0.2/24
-PrivateKey = <censored>
-MTU = 1000
-
-[Peer]
-PublicKey = <censored>
-AllowedIps = 10.2.0.0/24
-Endpoint = vanrissenbeck.com:41415
-PersistentKeepalive = 10
--- a/experiment-infra/wireguard/Dockerfile
+++ b/experiment-infra/wireguard/Dockerfile
@ -1,5 +0,0 @@
-FROM alpine:latest
-RUN apk add wireguard-tools iptables
-COPY entrypoint.sh /entrypoint.sh
-RUN chmod +x /entrypoint.sh
-CMD [ "/entrypoint.sh" ]
--- a/experiment-infra/wireguard/entrypoint.sh
+++ b/experiment-infra/wireguard/entrypoint.sh
@ -1,14 +0,0 @@
-#!/bin/sh
-
-## Hack to prevent wg-quick from failing when attempting
-## to change the net.ipv4.conf.all.src_valid_mark sysctl.
-## This sysctl is set by docker compose instead, making
-## the call unneccessary anyways.
-
-rm /sbin/sysctl
-printf "#!/bin/sh\ntrue \$@\n" > /sbin/sysctl
-chmod +x /sbin/sysctl
-
-cp /run/secrets/wg-config /etc/wireguard/wg0.conf
-wg-quick up wg0
-exec sleep infinite