{{Header}}
{{#seo:
|description=Workaround for Tunneling UDP over Tor. Connection Scheme: User → Tor → Destination
|image=Book-2869640.jpg
}}
[[image:Book-2869640.jpg|thumb]]
{{intro|
Workaround for Tunneling UDP over Tor. Connection Scheme:
User → Tor → Destination
}}
= Introduction =
{{mbox
| image = [[File:Ambox_notice.png|40px]]
| text =
The [[Tor]] software does not yet support UDP, [
https://gitlab.torproject.org/legacy/trac/-/issues/7830
] although Tor provides a DnsPort.
If UDP is urgently required in {{project_name_long}}, a limited workaround is provided - see the [[#VPN_Method|VPN Method]] below.
}}
On top of the workaround, it would be required to [[{{project_name_workstation_short}}_Firewall#Allow_UDP|allow UDP in {{project_name_workstation_long}} firewall]].
= Tor Design =
According to the Tor Project: [https://blog.torproject.org/moving-tor-datagram-transport]
Tor transports data over encrypted TLS tunnels between nodes, which is in turn carried by TCP.
The current Tor design does not support the transport of [https://gitlab.torproject.org/legacy/trac/-/issues/7830 UDP-based protocols] through exit nodes in the network. [The Tor ticket was closed as "wontfix" in 2017.] This is unlikely to be supported in the near future due to incompatibility with cryptographic protocols in use and those planned.
The consequence is that UDP-based protocols and applications cannot be used to transmit UDP datagrams between guards and exit nodes in the default configuration. This affects a number of activities, such as [[VoIP]] or video applications. [https://en.wikipedia.org/wiki/User_Datagram_Protocol]
= Methods =
== Transporting UDP Tunnels over Tor with a VPN ==
A solution to this problem is to use a [https://en.wikipedia.org/wiki/Tunneling_protocol tunneling protocol]. In simple terms, this allows a user to access a foreign protocol or network service that the underlying (Tor) network does not support or provide directly.
The tested and working method in {{project_name_short}} is to utilize a Virtual Private Network (VPN) with a trusted provider that does not block UDP traffic in the following configuration: User → Tor → VPN → [Other Anonymizing Network] → Internet. Some VPN protocols like OpenVPN can use UDP while implementing reliable connections and error checking at the application level. [Other VPN implementations may also be useful, but they have not been researched yet.]
Before following the instructions to [[Tunnel_UDP_over_Tor|tunnel UDP over Tor]], please first read the related VPN documentation and warnings:
* [[Tunnels/Connecting to Tor before a VPN|Connecting to Tor before a VPN (User → Tor → VPN → Internet)]].
* [https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorPlusVPN Tor Plus VPN or Proxy].
* [[Tunnels/Introduction#Comparison_Table|Tunneling comparison table]].
* [[Terms_of_Service#{{project_name_short}}_VPN_disclaimer|{{project_name_short}} VPN disclaimer]]
The current [https://web.archive.org/web/20170706042927/http://sec.cs.ucl.ac.uk/users/smurdoch/papers/tor11datagramcomparison.pdf Tor architecture] may lead to a negative performance impact on user activities. This arises from high latency due to congestion in the network, queue length on nodes (mixing of traffic across multiple nodes), and TCP mechanisms which attempt to account for lost packets and hold delivery of future packets until a resend is complete. [https://guardianproject.info/2012/12/10/voice-over-tor/]
=== Warnings ===
{{Tunnel/Warnings/Adds_Complexity}}
== VPN Method ==
This tutorial uses OpenVPN and works well inside {{project_name_short}}. Additional VPN implementations like PPTP might be useful -- as well as other VPN protocols which are free and support UDP -- but further research is required.
Before setting up the VPN:
* Refer to related VPN documentation: [[Tunnels/Connecting to Tor before a VPN|How to connect to Tor before a VPN (User → Tor → VPN → Internet)]].
* Familiarize yourself with curl and rdate. The rdate command line switch -p results in just showing the date and time, without setting it. -u uses UDP instead of TCP (the default).
{{Box|text=
'''1.''' Test the {{project_name_short}} setup is generally working. [While enforcing SSL.] [Alternatively the test can be run without enforcing SSL because some VPN services appear to block it.
{{CodeSelect|code=
{{Curl_Plain}} https://check.torproject.org
}}
]
{{CodeSelect|code=
{{Curl_Plain}} {{Curl_Secure}} https://check.torproject.org
}}
This should output "Congratulations. Your browser is configured to use Tor."
'''2.''' [[Whonix-Workstation Firewall]] configuration
See [[{{project_name_workstation_short}}_Firewall#Allow_UDP|allow UDP in {{project_name_workstation_short}} firewall]].
'''3.''' Install rdate for UDP and TCP testing.
{{CodeSelect|code=
sudo apt update
}}
{{CodeSelect|code=
sudo apt install rdate
}}
'''4.''' Run commands for TCP testing.
{{CodeSelect|code=
rdate -p time.u.washington.edu
}}
{{CodeSelect|code=
rdate -p time.nist.gov
}}
{{CodeSelect|code=
rdate -p ptbtime1.ptb.de
}}
'''5.''' Run commands for UDP testing.
{{CodeSelect|code=
rdate -u -p time.u.washington.edu
}}
{{CodeSelect|code=
rdate -u -p time.nist.gov
}}
{{CodeSelect|code=
rdate -u -p ptbtime1.ptb.de
}}
The tests should reveal that without a VPN, TCP works over Tor, but not UDP.
'''6.''' Configure a VPN tunnel link in {{project_name_short}}.
Obviously a VPN provider that does not block UDP is required. Most VPN providers allow UDP.
Follow the setup instructions on the [[Tunnels/Examples|VPN Tunnel Setup Examples]] page; the [[Tunnels/Examples#Riseup|riseup]] and [[Tunnels/Examples#USAIP|usaip]] examples are functional for this purpose.
Afterwards test rdate again, first in TCP mode and then in UDP mode -- both should work correctly.
}}
== SSH Method ==
This method is currently [[Unsupported|undocumented]]. In theory, SSH servers could be utilized to tunnel UDP over Tor. Obstacles:
* Free SSH services are rarely available.
* The existing free SSH services block certain ports, which makes this even harder.
* Even though SSH can provide a SOCKS5 proxy, it is not capable of providing [https://web.archive.org/web/20210204194850/https://www.zarb.org/~gc/html/udp-in-ssh-tunneling.html tunneling support for UDP itself].
** Extra software needs to be installed on both the client and (even worse) the server with root access. Most administrators of free SSH services will not allow this configuration.
* Acquiring a server [[Money|comes with its own challenges]].
* Easy: [[{{project_name_workstation_short}}_Firewall#Allow_UDP|allow UDP in {{project_name_workstation_short}} firewall]].
Therefore this method is only useful if you have your own server, but even then the VPN method is usually preferable.
== SOCKS5 Proxy Method ==
Attempts to tunnel UDP with this configuration have failed. See the [[Design]] Archive for full details: [https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorBOX/Dev/ArchivedDiscussion/OPTIONALFEATURE#tunneling-udp-over-tor-optionalfeature-done Tunneling UDP over Tor].
== {{project_name_short}} Recommendations ==
{{project_name_short}} recommends the use of [https://openvpn.net/ OpenVPN] as the most secure (SSL/TLS-based) protocol, rather than reliance upon IKE, L2TP/IPsec or PPTP. OpenVPN is considered extremely secure when used with encryption algorithms such as AES. [
IKE is being exploited by advanced agencies to decrypt IPSec traffic. IPsec configured with pre-shared keys is vulnerable to MITM attacks. PPTP is an obsolete method for VPN implementation with a host of security weaknesses. For further reading on adversary capabilities against VPN protocols see: https://web.archive.org/web/20190324102418/https://www.spiegel.de/media/media-35515.pdf
]
Wireguard was invented after this documentation was written. Whonix developer Patrick Schleizer experienced many issues with wireguard not re-establishing connection. There are many existing bug reports and discussions on reddit about this issue. Therefore wireguard remains [[undocumented]].
A dedicated virtual machine is recommended for this activity; see [[Multiple Whonix-Workstation|Multiple {{project_name_workstation_short}}]].
= Footnotes / References =
{{reflist|close=1}}
{{Footer}}
[[Category:Documentation]]