2016-08-18
Using Freenet over Tor
This post outlines a method of using Freenet over Tor based on posts I wrote on my Freenet hosted blog and subsequent discussions about it. If you read my Freenet hosted blog there's little new here, I'm just making it available on my non-freenet blog.
One issue I've had with Freenet is that it exposes your IP address to peers. Recent law enforcement efforts to monitor Freenet have shown that they have been able to obtain search warrants based on logging requests for blocks of known data and associating them with IP addresses. If law enforcement can do this, so can random bad people.
You can avoid exposing your IP address to random strangers on opennet by using darknet, but even then you have to trust that your friends aren't monitoring your requests. If it were possible to run Freenet over Tor hidden services, only the hidden service address would be exposed by this logging method. The problem is that Freenet uses UDP, which Tor does not support.
A recent post on the Freenet development mailing list pointed out that onioncat provides a virtual network over Tor and tunnels UDP. Using the steps they provided, with some tweaks, it's possible to set up a darknet node that doesn't expose its IP address. It uses the onioncat-generated IPv6 address for communicating with peers, and this address is backed by a Tor hidden service.
The steps below outline how to set this up. Note that this is quite experimental and requires care not to expose your IP address. There are some Freenet issues that make things difficult, so be aware that you do this at your own risk and that it may still expose your identity if things go wrong.
I'm assuming a Debian/Ubuntu like system for the steps.
Install Tor
Install Tor:
$ sudo apt-get install tor
Edit the /etc/tor/torrc file to enable a hidden service with an entry like:
HiddenServiceDir /var/lib/tor/freenet/
HiddenServicePort 8060 127.0.0.1:8060
Restart Tor and find your hidden service hostname:
$ sudo systemctl restart tor
$ sudo cat /var/lib/tor/freenet/hostname
Install onioncat
Install onioncat:
$ sudo apt-get install onioncat
Edit /etc/default/onioncat and change the lines matching the following:
ENABLED=yes
DAEMON_OPTS="-d 0 hiddenservicename.onion -U"
Restart onioncat:
$ sudo systemctl stop onioncat
$ sudo systemctl start onioncat
Find your onioncat IP address with:
$ ocat -i hiddenservicename.onion
Install Freenet
Install Freenet in the usual way and go through the browser based setup wizard. Choose "Details settings: (custom)" for the security option. On the subsequent pages of the wizard:
- Disable the UPnP plugin.
- Choose "Only connect to your friends"
- Choose "High" for "Protection against a stranger attacking you over the internet"
- Click the "I trust at least one person already using Freenet" checkbox.
- For "Protection of your downloads..." pick any option you want.
- Pick a node name that your darknet friends will see.
- Pick a datastore size that you want.
- Choose the bandwidth limit.
The node will now be started but have no connections. There will be warnings about this.
Configure Freenet over Tor
The following settings need to be changed in "Configuration/Core Settings" - make sure you have clicked "Switch to advanced mode".
- Change "IP address override" to your onioncat IP address retrieved in the previous section.
- Apply the changes.
Shut down Freenet and edit the wrapper.conf file in the Freenet installation directory. Change the line that contains java.net.preferIPv4Stack=true to java.net.preferIPv4Stack=false. In my wrapper.conf this is:
wrapper.java.additional.3=-Djava.net.preferIPv4Stack=false
Edit the freenet.ini file in the Freenet installation directory. Change or add the following (replace "onioncat IP address" with the IP address obtained when installing onioncat):
node.opennet.bindTo=onioncat IP address
node.bindTo=onioncat IP address
node.load.subMaxPingTime=2500
node.load.maxPingTime=5k
Save the file and restart Freenet. There might be a warning about "Unknown external address". Ignore this, as you've explicitly set one. I provide a patch later in this post if you want to get rid of the warning.
Add a friend
Now is the time to add a darknet friend who is also using Tor/onioncat. Go to "Friends/Add a friend". Choose your trust and "ability to see other friends" settings and enter a description of the friend. Paste their noderef in the "Enter node reference directly" box.
Give your noderef to your friend and have them add it. Once both connections have been added you should see "Connected" in the Friends list for that connection. The IP address should show the onioncat IPv6 address, beginning with "fd".
Optional Freenet patch
When running a Tor based node Freenet thinks the onioncat IP address is a local address. Some places in the Freenet code base check for this and reject it as a valid global routable address. In the FProxy user interface a large warning appears on each page that it couldn't find the external IP address of the node. The other issue is that local addresses aren't counted for bandwidth statistic reporting. The bandwidth box on the statistics page is empty as a result.
I use a patch, onioncat.txt, that provides a workaround for these two issues. The patch is optional as the node works without it but it's a useful improvement if you plan to run a Tor based node long term. You should check the patch before applying it blindly and assure that it's not doing anything nefarious.
Hybrid nodes
If you run a Tor based darknet node then at least one hybrid node must be in the darknet to bridge to the non-Tor nodes. These hybrid nodes will have a public clearnet IP address exposed. I outline how to set up a hybrid node below. For those that trust me, if you send a darknet Tor noderef to me at the freemail address on the bottom of this page, or via normal email, I'll connect and send you a noderef of a hybrid node set up in this manner.
Install Tor and Onioncat as described previously. Install Freenet in the usual way and go through the browser based setup wizard. Choose "Details settings: (custom)" for the security option. On the subsequent pages of the wizard:
- Enable or Disable the UPnP plugin as necessary depending on what you need for your clearnet connection to work.
- Choose "Connect to strangers"
- Choose "Low" or "Normal" security as desired.
- For "Protection of your downloads..." pick any option you want.
- Pick a datastore size that you want.
- Choose the bandwidth limit.
The node will start and connect to opennet.
Shut down Freenet and edit the wrapper.conf file in the Freenet installation directory. Change the line that contains java.net.preferIPv4Stack=true to java.net.preferIPv4Stack=false. In my wrapper.conf this is:
wrapper.java.additional.3=-Djava.net.preferIPv4Stack=false
Edit the freenet.ini file in the Freenet installation directory. Change or add the following:
node.load.subMaxPingTime=2500
node.load.maxPingTime=5k
Save the file and restart Freenet. If you base64 decode the "physical.udp" section of the noderef for the node you should see that it now contains the onioncat IP address as well as the public clearnet IP address.
Adding friends to this node will give those friends access to the wider Freenet datastore when they reciprocate.
Don't forget to check your noderefs to ensure that the ARK and the public IP address contain data you are willing to reveal. Check both the darknet noderef and the opennet noderef. You can decode the base64 of the "physical.udp" line with the GNU base64 command:
$ echo "physical.udp base64 here" |base64 -d
Final steps and caveats
Try visiting a Freenet index site and see if it loads. If it does then the Freenet over Tor setup is working. It will be slower than normal Freenet usage due to Tor latency. If you connect to more darknet nodes it will get faster.
When adding a friend's noderef you can check which IP addresses your node will connect to by looking at the "physical.udp" line. This is a base64 encoded list of IP addresses. Check it to ensure that there are no clearnet addresses in there: if there is one, it could deanonymize your node when it tries to connect to that address in preference to the onioncat address.
The "ark.pubURI" portion of the noderef is an SSK that points to updated IP address information. A node can subscribe to the USK version of this and learn about IP address changes. Your friend's node could change its IP address to a clearnet address, resulting in you connecting to that.
To avoid the above two issues it's worthwhile running Freenet in a VM or container that does not have clearnet network access and only has access to the onioncat network setup. Alternatively you can use iptables to only allow onioncat traffic for the Freenet process or user running it.
The IP addresses exposed in the noderef include all link-local addresses and their scopes. This is Freenet bug 6879. This may leak information you don't want leaked. It pays to check the "physical.udp" and "ark.pubURI" to see what you are exposing. Remember that any IP addresses exposed over the ARK are discoverable by looking at previous editions of the USK.
The traffic footprint of Freenet may make it easier to track down your IP address from your Tor ID. The volume of data and the nature of the traffic may make certain types of Tor de-anonymization techniques more effective.
Ideally it would be possible to have an opennet of Tor nodes so the exchange of darknet noderefs wouldn't be needed. I haven't been able to get this working yet but I'll continue to investigate it.
I've been running a Tor darknet node for the past week to test how well it works. With three darknet connections it runs well enough for browsing freesites. Sone and the Web of Trust took quite a while to bootstrap due to the lower speed but once it was running it works well. FMS and Flip are also usable. I'd expect performance to be even better with more connections.