diff --git a/experiment-infra/README.md b/experiment-infra/README.md
new file mode 100644
index 0000000..3c4733a
--- /dev/null
+++ b/experiment-infra/README.md
@@ -0,0 +1,32 @@
+# Tor Experiment Infrastructure
+
+## Available Systems
+
+| IP | Domain | Location | Purpose |
+|---:|:-------|:---------|:--------|
+| 164.90.190.0 | rsca.vanrissenbeck.com | Frankfurt | Host a webservice, take measurements. |
+| 95.85.53.75 | n.a. | Amsterdam | Host a private Tor guard node |
+| 64.225.67.64 | n.a. | Amsterdam | Host a private Tor guard node |
+
+## Containers
+
+The `guard` container provides a single guard node, configured so that it
+does not announce its IP to public indices. The container is configured
+by two environment variables, `BIND_ADDRESS` and `NICKNAME`. The values
+in the associated `docker-compose.yml` file are fine as they are.
+kept in the `
+
+The `victim` container provides the Tor service configured as a SOCKS5
+proxy. It connects to one hard-coded guard node, specified using the
+environment variable `GUARD`.
+
+Both containers are stored in the `ghcr.io` registry under the tags
+`ghcr.io/deinernstjetzt/rsca-guard` or `ghcr.io/deinernstjetzt/rsca-victim`
+respectively.
+
+## Exposed Ports
+
+| Name | Host:Port |
+|:---------|------------------|
+| Guard #1 | 95.85.53.75:30720 |
+| Guard #2 | 64.225.67.64:62268 |
diff --git a/experiment-infra/guard/Dockerfile b/experiment-infra/guard/Dockerfile
index b9c48b8..ebebe46 100644
--- a/experiment-infra/guard/Dockerfile
+++ b/experiment-infra/guard/Dockerfile
@@ -1,6 +1,6 @@
 FROM debian:bookworm
 RUN apt update && apt -y install tor
-ARG BIND_ADDRESS="10.2.0.3"
 COPY ./torrc /etc/tor/torrc
-RUN sed -i "s/{bind-address}/${BIND_ADDRESS}/" /etc/tor/torrc
-CMD [ "bash", "-c", "sleep 5; tor" ]
\ No newline at end of file
+COPY --chmod=700 ./entrypoint.sh /entrypoint.sh
+ENTRYPOINT [ "/entrypoint.sh" ]
+CMD [ "tor" ]
\ No newline at end of file
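Review bot: The new ENTRYPOINT/CMD pair still leaves the image without a `USER`, so `tor` runs as root inside the guard container; the only reason root is needed at all is that `entrypoint.sh` rewrites `/etc/tor/torrc` in place. Handing the torrc to the package's service account and switching user before the entrypoint removes that need: `COPY --chown=debian-tor:debian-tor ./torrc /etc/tor/torrc` and `USER debian-tor` ahead of `ENTRYPOINT`. Tor's default DataDirectory lives under the running user's home, so after the switch confirm that the package-created `/var/lib/tor` (presumably debian-tor's home) is what tor ends up using, or set `DataDirectory` explicitly in torrc. The whole Dockerfile is within the hunk.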
diff --git a/experiment-infra/guard/docker-compose.yml b/experiment-infra/guard/docker-compose.yml
index 2862092..4909b3a 100644
--- a/experiment-infra/guard/docker-compose.yml
+++ b/experiment-infra/guard/docker-compose.yml
@@ -1,41 +1,10 @@
 services:
- wg-target:
- build: ../wireguard
- cap_add:
- - NET_ADMIN
- sysctls:
- - net.ipv4.conf.all.src_valid_mark=1
- secrets:
- - source: wg-target
- target: wg-config
-
- wg-dummy:
- build: ../wireguard
- cap_add:
- - NET_ADMIN
- sysctls:
- - net.ipv4.conf.all.src_valid_mark=1
- secrets:
- - source: wg-dummy
- target: wg-config
+ guard:
+ image: ghcr.io/deinernstjetzt/rsca-guard
 
- target:
- build:
- dockerfile: ./Dockerfile
- args:
- BIND_ADDRESS: "10.2.0.3"
- network_mode: "service:wg-target"
-
- dummy:
- build:
- dockerfile: ./Dockerfile
- args:
- BIND_ADDRESS: "10.2.0.6"
- network_mode: "service:wg-dummy"
-
-secrets:
- wg-target:
- file: ./wg-target.conf
-
- wg-dummy:
- file: ./wg-dummy.conf
+ environment:
+ BIND_ADDRESS: "0.0.0.0:12345"
+ NICKNAME: "simpletestguard"
+
+ ports:
+ - 12345:12345
diff --git a/experiment-infra/guard/entrypoint.sh b/experiment-infra/guard/entrypoint.sh
new file mode 100644
index 0000000..88b35c0
--- /dev/null
+++ b/experiment-infra/guard/entrypoint.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+sed -i "s/{bind-address}/${BIND_ADDRESS}/" /etc/tor/torrc
+sed -i "s/{nickname}/${NICKNAME}/" /etc/tor/torrc
+exec "$@"
diff --git a/experiment-infra/guard/torrc b/experiment-infra/guard/torrc
index b1b5c15..a77201f 100644
--- a/experiment-infra/guard/torrc
+++ b/experiment-infra/guard/torrc
@@ -1,6 +1,8 @@
 AssumeReachable 1
 PublishServerDescriptor 0
-ORPort {bind-address}:443
-Nickname localtestrelay
+ORPort {bind-address}
+Nickname {nickname}
 RelayBandwidthRate 1 MB
 RelayBandwidthBurst 2 MB
+SocksPort 0
+ExitPolicy reject *:*
\ No newline at end of file
diff --git a/experiment-infra/guard/wg-dummy.conf b/experiment-infra/guard/wg-dummy.conf
deleted file mode 100644
index 9e74b34..0000000
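Review bot: `image: ghcr.io/deinernstjetzt/rsca-guard` carries no tag or digest, so each host pulls whatever `latest` is at that moment and the two guards listed in the README can silently run different builds of the relay. Pin the reference, e.g. `image: ghcr.io/deinernstjetzt/rsca-guard:<tag>@sha256:<digest>`, and bump it deliberately when the image is rebuilt. The `0.0.0.0:12345` bind plus `ports: - 12345:12345` also disagrees with the `30720` and `62268` ports the README and the victim compose file expect for these guards, so unless the hosts remap ports elsewhere the victim cannot reach a guard started from this file as-is.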
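Review bot: Both `sed -i` lines substitute `${BIND_ADDRESS}` and `${NICKNAME}` unchecked, so an unset variable silently yields `ORPort ` / `Nickname ` in the torrc and the failure only surfaces later when tor refuses to start, while a `/` or `&` in either value corrupts the sed expression itself. Add `set -eu` after the shebang, fail fast with `: "${BIND_ADDRESS:?BIND_ADDRESS is required}" "${NICKNAME:?NICKNAME is required}"`, and use a delimiter that cannot occur in an address, `sed -i "s|{bind-address}|${BIND_ADDRESS}|" /etc/tor/torrc`. The trailing `exec "$@"` is right; keep it last so tor stays PID 1.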
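Review bot: Nothing in the new torrc drops privileges, so with the image starting tor as root the relay keeps running as root; `User debian-tor` together with `DataDirectory /var/lib/tor` lets tor bind the ORPort and then switch to the package's service account, without interfering with the root-owned torrc rewrite in entrypoint.sh. `PublishServerDescriptor 0` only keeps the relay out of the directory authorities — the ORPort still accepts any client that knows the address, and the README now lists those addresses — so "private" here means unlisted rather than access-controlled, which deserves a comment on that line, e.g. `# Unlisted, not access-controlled: anyone who knows host:port can use this relay`. `AssumeReachable 1` skips tor's reachability self-test, which is what an unpublished relay needs, but a comment saying so would stop someone removing it later.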
--- a/experiment-infra/guard/wg-dummy.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-[Interface]
-Address = 10.2.0.6/24
-PrivateKey =
-MTU = 1000
-
-[Peer]
-PublicKey =
-AllowedIps = 10.2.0.0/24
-Endpoint = vanrissenbeck.com:41415
-PersistentKeepalive = 10
\ No newline at end of file
diff --git a/experiment-infra/guard/wg-target.conf b/experiment-infra/guard/wg-target.conf
deleted file mode 100644
index 61d7b82..0000000
--- a/experiment-infra/guard/wg-target.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-[Interface]
-Address = 10.2.0.3/24
-PrivateKey =
-MTU = 1000
-
-[Peer]
-PublicKey =
-AllowedIps = 10.2.0.0/24
-Endpoint = vanrissenbeck.com:41415
-PersistentKeepalive = 10
\ No newline at end of file
diff --git a/experiment-infra/proxy/Dockerfile b/experiment-infra/proxy/Dockerfile
deleted file mode 100644
index 613a513..0000000
--- a/experiment-infra/proxy/Dockerfile
+++ /dev/null
@@ -1,7 +0,0 @@
-FROM alpine:latest
-RUN apk add openssh
-RUN ssh-keygen -A && \
- sed -i 's/GatewayPorts no/GatewayPorts yes/' /etc/ssh/sshd_config && \
- sed -i 's/AllowTcpForwarding no/AllowTcpForwarding yes/' /etc/ssh/sshd_config && \
- printf "\n\n" | adduser anon
-CMD [ "/usr/sbin/sshd", "-D" ]
\ No newline at end of file
diff --git a/experiment-infra/proxy/docker-compose.yml b/experiment-infra/proxy/docker-compose.yml
deleted file mode 100644
index 10d0584..0000000
--- a/experiment-infra/proxy/docker-compose.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-services:
- wireguard:
- build: ../wireguard
- cap_add:
- - NET_ADMIN
- sysctls:
- - net.ipv4.conf.all.src_valid_mark=1
- secrets:
- - wg-config
- ports:
- - 2222:22
-
- proxy:
- build: ./
- network_mode: "service:wireguard"
-
-secrets:
- wg-config:
- file: ./wireguard.conf
\ No newline at end of file
diff --git a/experiment-infra/proxy/wireguard.conf b/experiment-infra/proxy/wireguard.conf
deleted file mode 100644
index 38521d3..0000000
--- a/experiment-infra/proxy/wireguard.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-[Interface]
-Address = 10.2.0.4/24
-PrivateKey =
-MTU = 1000
-
-[Peer]
-PublicKey =
-AllowedIps = 10.2.0.0/24
-Endpoint = vanrissenbeck.com:41415
-PersistentKeepalive = 10
\ No newline at end of file
diff --git a/experiment-infra/victim/Dockerfile b/experiment-infra/victim/Dockerfile
index 861c92b..b55a6ee 100644
--- a/experiment-infra/victim/Dockerfile
+++ b/experiment-infra/victim/Dockerfile
@@ -1,8 +1,6 @@
 FROM debian:bookworm
-RUN apt update && apt -y install tor curl wireguard-tools
+RUN apt update && apt -y install tor curl
 COPY ./torrc /etc/tor/torrc
 COPY --chmod=700 ./entrypoint.sh /entrypoint.sh
-COPY --chmod=700 ./script.sh /script.sh
-ENV TARGET="https://rsca.vanrissenbeck.com"
 ENTRYPOINT [ "/entrypoint.sh" ]
-CMD [ "/script.sh" ]
\ No newline at end of file
+CMD [ "bash" ]
\ No newline at end of file
diff --git a/experiment-infra/victim/docker-compose.yml b/experiment-infra/victim/docker-compose.yml
index 93afc18..5719394 100644
--- a/experiment-infra/victim/docker-compose.yml
+++ b/experiment-infra/victim/docker-compose.yml
@@ -1,17 +1,8 @@
 services:
- wireguard:
- build: ../wireguard
- cap_add:
- - NET_ADMIN
- sysctls:
- - net.ipv4.conf.all.src_valid_mark=1
- secrets:
- - wg-config
-
 victim:
- build: ./
- network_mode: "service:wireguard"
-
-secrets:
- wg-config:
- file: ./wireguard.conf
\ No newline at end of file
+ image: ghcr.io/deinernstjetzt/rsca-victim
+ environment:
+ # Guard #1
+ GUARD: "95.85.53.75:30720"
+ # Guard #2
+ # GUARD: "64.225.67.64:62268"
diff --git a/experiment-infra/victim/entrypoint.sh b/experiment-infra/victim/entrypoint.sh
index 8866389..d2663cb 100644
--- a/experiment-infra/victim/entrypoint.sh
+++ b/experiment-infra/victim/entrypoint.sh
@@ -1,3 +1,5 @@
 #!/bin/bash
+
+sed -i "s/{guard}/${GUARD}/" /etc/tor/torrc
 tor &
-exec "$@"
\ No newline at end of file
+exec "$@"
diff --git a/experiment-infra/victim/script.sh b/experiment-infra/victim/script.sh
deleted file mode 100644
index f4f154e..0000000
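Review bot: The rewritten `RUN apt update && apt -y install tor curl` leaves the package lists in the layer, pulls in recommended packages, and uses the `apt` front end that warns against scripted use; `RUN apt-get update && apt-get install -y --no-install-recommends tor curl && rm -rf /var/lib/apt/lists/*` is the conventional form and gives a smaller victim image. Separately, the new `CMD [ "bash" ]` only keeps the container alive while a terminal is attached, so either the compose file or the README needs to say that this service is meant to be started with `docker compose run`. The whole Dockerfile is within the hunk.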
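Review bot: The `victim` service has no `tty:`/`stdin_open:` entry while the image's default command is an interactive `bash`, so a plain `docker compose up` starts tor, hands PID 1 to a bash that reads EOF and exits, and the container stops at once; either add `tty: true` and `stdin_open: true` or document that this service is for `docker compose run victim`. As with the guard, `image: ghcr.io/deinernstjetzt/rsca-victim` is unpinned and should carry a tag or digest. The hard-coded `GUARD: "95.85.53.75:30720"` also does not match the `12345:12345` mapping in the guard compose file, so one of the two needs adjusting unless the hosts remap ports some other way.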
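Review bot: The new `sed -i "s/{guard}/${GUARD}/" /etc/tor/torrc` runs with `GUARD` unchecked, and because `tor &` is backgrounded before `exec "$@"`, a tor that rejects the resulting empty `Bridge` line dies quietly in the background while the container carries on as if the SOCKS proxy were up. Add `set -eu` and `: "${GUARD:?GUARD (host:port of the guard) is required}"` before the sed, and prefer a delimiter that cannot appear in a host:port, `sed -i "s|{guard}|${GUARD}|" /etc/tor/torrc`. The whole script is within the hunk.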
--- a/experiment-infra/victim/script.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/bash
-
-while [ true ];
-do
- printf "Fetching from $TARGET."
- curl --silent --socks5 127.0.0.1:9050 $TARGET > /dev/null;
- echo " Ok."
- sleep 10;
-done;
\ No newline at end of file
diff --git a/experiment-infra/victim/torrc b/experiment-infra/victim/torrc
index 6af96e0..85cc58f 100644
--- a/experiment-infra/victim/torrc
+++ b/experiment-infra/victim/torrc
@@ -1,3 +1,3 @@
-Bridge 10.2.0.3:443
+Bridge {guard}
 UseBridges 1
 StrictNodes 1
\ No newline at end of file
diff --git a/experiment-infra/victim/wireguard.conf b/experiment-infra/victim/wireguard.conf
deleted file mode 100644
index c37bae8..0000000
--- a/experiment-infra/victim/wireguard.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-[Interface]
-Address = 10.2.0.2/24
-PrivateKey =
-MTU = 1000
-
-[Peer]
-PublicKey =
-AllowedIps = 10.2.0.0/24
-Endpoint = vanrissenbeck.com:41415
-PersistentKeepalive = 10
diff --git a/experiment-infra/wireguard/Dockerfile b/experiment-infra/wireguard/Dockerfile
deleted file mode 100644
index 770d5c0..0000000
--- a/experiment-infra/wireguard/Dockerfile
+++ /dev/null
@@ -1,5 +0,0 @@
-FROM alpine:latest
-RUN apk add wireguard-tools iptables
-COPY entrypoint.sh /entrypoint.sh
-RUN chmod +x /entrypoint.sh
-CMD [ "/entrypoint.sh" ]
diff --git a/experiment-infra/wireguard/entrypoint.sh b/experiment-infra/wireguard/entrypoint.sh
deleted file mode 100644
index 7e4a2b4..0000000
--- a/experiment-infra/wireguard/entrypoint.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/sh
-
-## Hack to prevent wg-quick from failing when attempting
-## to change the net.ipv4.conf.all.src_valid_mark sysctl.
-## This sysctl is set by docker compose instead, making
-## the call unneccessary anyways.
-
-rm /sbin/sysctl
-printf "#!/bin/sh\ntrue \$@\n" > /sbin/sysctl
-chmod +x /sbin/sysctl
-
-cp /run/secrets/wg-config /etc/wireguard/wg0.conf
-wg-quick up wg0
-exec sleep infinite
\ No newline at end of file
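Review bot: `Bridge {guard}` is only valid once entrypoint.sh has substituted the placeholder, and the file gives no hint of that, so a one-line comment such as `# {guard} is replaced by entrypoint.sh from $GUARD (host:port of a private guard)` would save the next reader a search. The unchanged `StrictNodes 1` governs how `ExcludeNodes` is enforced rather than bridge selection; with `UseBridges 1` tor already confines itself to the listed bridge, so this line appears to be a no-op here — if it stays, a comment should say what it is meant to achieve.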