TorBox v.0.5.3 released

TorBox Chat Secure 2.0 log in screen

With the current release, we were focused on improving the functionalities in TorBox. For example, TorBox Chat Secure can now be a chatroom with an “open” channel for all participants and private channels (similar to the old and mighty IRC). We also added support and generation of SSH keys for the TorBox login, even though we stuck to the password authentication as default. However, turning off the password authentication in favor of the SSH public key authentication is possible and added to the Danger Zone sub-menu. The Danger Zone sub-menu comprises more risky features or ones still in testing. For example, you will find in this sub-menu a feature to exclude domains from tor protection. In other words, starting with this version of TorBox, you can decide that certain domains are always directly connected. This feature was a request from a user who wanted specific governmental sites in an authoritarian country to be connected directly and not through tor, even if he used tor for all other connections to protect himself. This feature can be helpful but is highly dependent on your threat model. If not applied in the right way, this feature can be harmful. We will add more features in this sub-menu with the next release. Aside from these new or improved features, we fixed a lot under the hood, which should improve usability. To do so in the future, we need your feedback. With the TorBox GitHub repository, it is straightforward for everyone to report issues or change the code and propose it in a pull request.

TorBox Chat Secure v. 2.0 chat room

TorBox Image (about 1.1 GB): v.0.5.3 (09.07.2023) – SHA-256 values
TorBox Menu only: v.0.5.3 (09.07.2023) – SHA-256 values

Since we had to install additional software packages and update the configuration files, it is necessary to use the new image or reinstall TorBox using one of our installation scripts.

• • •

Changelog: v.0.5.–> v.0.5.3 (09.07.2023)
  • Update: The system is based on Raspberry Pi OS “Bullseye” lite (64-bit) with Linux Kernel 6.1.21 and Tor version 0.4.7.13 with obfs4proxy version 0.0.14 and Snowflake 2.6.0. All installation scripts are updated to work with Raspberry Pi OS “Bullseye” (64-bit), Debian 11, 12, Ubuntu Server 22.04.02 LTS, and Ubuntu Server 23.04. We also improved the compatibility with Debian and Ubuntu and updated TorBox’s internal list of OBFS4 and Snowflake bridges.
  • Update: Realtek RTL8821CU wireless network driver
  • Update: TorBox Chat Secure version 2.0 (TCS). The idea behind the new version is to have a chatroom rather than only a person-to-person messenger. Also, by downloading a key, people can leave the chat room and log in later to see the “open” conversations and their messages in the private channels. All conversations are encrypted on the TorBox, but cannot be decrypted without the key. Turning TCS off will delete all encrypted data.
  • New: The Danger Zone sub-menu collects features that are considered risky or could compromise the user’s security and anonymity. Therefore, these features should only be used if the user knows the potential risks and consequences. For example, the “forwarding only” mode for client data traffic will function as a router without tor protection. This feature was also a request, but most of the time, it only makes sense in connection with developing and debugging.
WebSSH login with password
  • New: Also, in the Danger Zone sub-menu, we added the possibility of excluding domains from being routed through tor. TorBox will communicate directly with the destination without protection if the domain is on the exclusion list. For example, if you use TorBox in the country Authoritarian (.aaa), you may use tor for all communications, but not when you have to go to a governmental website (let’s say www.government.aaa). In this case, you can exclude government.aaa from being routed through tor. Another use case could be that you want to stream something that doesn’t need protection (for example, a local music station) but uses much bandwidth. Please remember that tor does not protect the traffic to/from the IPs on the exclusion list. It would be best to assume that everyone will see that you connect to these IP addresses. If not correctly encrypted (for example, by using HTTP, which is blocked by default), everyone can see the content of the communication to/from these IP addresses!
  • New: During the start-up of TorBox, by default, there is a failsafe in place to put TorBox’s AP back on wlan0 if it was used on wlan1. It will prevent a lock-out of the TorBox user. Based on another user request, TorBox’s AP can be permanently put on wlan1 in the Danger Zone sub-menu.
  • New: In the configuration sub-menu, we added support and generation of SSH keys for the TorBox login. If SSH public key authentication is configured, it is possible to turn off SSH password login in the Danger Zone.
  • New: WebSSH now supports SSH keys. Also, we applied the new style from TCS to WebSSH.
WebSSH login with SSH key
  • New: In highly authoritarian countries, connecting to the tor network could be seen as suspicious. Because ISPs can see, log, and even block hostnames, the installation scripts and also the first start-up dialogue allow changing or randomizing the default hostname of the TorBox. There is also a new entry in the countermeasure sub-menu, which allows changing or randomizing the hostname later. This feature was also based on user feedback.
  • New: You can remove all tor bridges, fetch and use built-in bridges from the TorBrowser in the Update and Maintenance sub-menu. However, we think this is only a measure of last resort if nothing else gives you workable bridges.
  • New: The Update and Maintenance sub-menu gives the possibility to synchronize TorBox’s time via ntp. If this fails, the user will be prompted to enter the right time and date.
  • New: In the last TorBox version, we added the possibility to exclude slow relays. In this version, we added the possibility to renew the exclusion list in the Update and Maintenance sub-menu.
  • New: Insecure http requests are blocked by default. However, currently, there is no way to overcome the shortcomings of this kind of blocking. It will not work for applications and clients using TorBox’s SOCKS 5 functionality, in a VPN over Tor or a Tor over Tor situation.
  • New: Using “AvoidDiskWrites 1” in torrc, which will lead to tor writing less frequently to disk than it would otherwise.
  • Fixed: Snowflake and Meek functionality (they need local DNS resolution, which was still blocked).
  • Fixed: The OFFLINE/ONLINE status of Snowflake- and Meek-Bridges is always labeled as OFFLINE in the bridge database. Therefore, the status is no longer taken into account and is removed.
  • Fixed: VPN support. 
  • Fixed: Sometimes, pressing the ESC key didn’t close the menu, instead, it reloaded again.
  • Fixed: The WLAN regulatory domain was not set permanently.
  • Fixed: rc.local will now work more reliably and automatically establish a tor connection if possible and previously used.
  • Improved: VPN over WLAN starts the TorBox Wireless Manager (TWM) if the connection with wlan0 is not established. It also supports captive portals deployed from WLAN. However, there is no need for captive portal support before connecting with the VPN provider (that was an error). Unfortunately, we couldn’t test all VPN-client/Internet interface combinations yet and need more feedback.
  • Improved: If TorBox could not synchronize the system time during booting, tor would not load. The first start-up dialogue covers that, and if an automatic synchronization isn’t possible, the user will be asked for the correct date and time.
  • Improved: Installing TorBox on unreliable bandwidth connections could be problematic. The install scripts now include some tests to check if the necessary packages are installed. If packages are missing, the connection is rechecked and a new attempt to install the package is made. In some cases (for example go, tor, …), if the download of a package is not possible, the installation script tries other ways to install it.
  • Improved: Implementation of a new, more reliable way to install, update and check Python modules.
  • Improved: The usability of reactivating Onion Services.
  • Improved: TWM will now work with special characters. Also, if TWM is confronted with WPS, it will not ask for a password.
  • Improved: If the Bridge Relay is configured for the first time, but tor is not restarted, the user will be reminded to restart tor when looking up his personal OBFS4 bridge address.
  • Improved: Resetting tor in the Update and Maintenance sub-menu will also deactivate the exclusion of slow tor relays.
  • Improved: rfkill is now soft-blocking bluetooth.
  • Improved: Installs/updates automatically the newest version of go.
  • Improved: Compatibility for Debian and Ubuntu.
  • Improved: We’ve cleaned up the project’s file structure and tucked all the helper scripts into the bin directory.
  • Security: Path traversal vulnerability in TFS fixed (see here: https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/)
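
The nginx alias misconfiguration named in the last entry is a prefix location without a trailing slash combined with an alias path that ends in one, so the rest of the request URI is appended to the alias without a path boundary. As an added example (not TorBox's own code; the sample configuration is constructed and its paths are hypothetical), the following Python check flags such location/alias pairs so they can be corrected by ending the location prefix with a slash:

```python
"""Flag nginx prefix locations whose alias can be escaped (off-by-slash)."""
import sys

# Constructed sample configuration; paths are hypothetical, not TorBox's.
SAMPLE_CONF = """\
server {
    listen 80;
    # weak: prefix lacks the trailing slash that the alias path has
    location /share {
        alias /var/www/share/;
    }
    # corrected: prefix and alias both end with a slash
    location /files/ {
        alias /var/www/files/;
    }
    # regex location: alias semantics differ, not covered by this check
    location ~ ^/img/(.*)$ {
        alias /var/www/img/$1;
    }
    # exact match: no URI remainder is ever appended to the alias
    location = /robots.txt {
        alias /var/www/robots.txt;
    }
    location ^~ /dl {
        alias /srv/dl/;
    }
}
"""


def strip_comments(text):
    """Drop '#' comments, keeping line count (assumes no '#' in quoted strings)."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def location_prefix(header):
    """Return the prefix of a plain or '^~' location block header, else None."""
    words = header.split()
    if len(words) < 2 or words[0] != "location":
        return None
    if len(words) == 2:
        # "location /path" (named locations "@name" never take an alias)
        return None if words[1].startswith("@") else words[1].strip("\"'")
    if len(words) == 3 and words[1] == "^~":
        return words[2].strip("\"'")
    return None  # "=", "~" and "~*" locations are skipped


def find_alias_off_by_slash(conf_text):
    """Return (line, location_prefix, alias_path) for every risky pair."""
    findings = []
    stack = []      # per open block: location prefix, or None for other blocks
    statement = ""
    line = 1
    for ch in strip_comments(conf_text):
        if ch == "\n":
            line += 1
        if ch == "{":
            stack.append(location_prefix(statement))
            statement = ""
        elif ch == "}":
            if stack:
                stack.pop()
            statement = ""
        elif ch == ";":
            words = statement.split()
            prefix = stack[-1] if stack else None
            if len(words) == 2 and words[0] == "alias" and prefix is not None:
                target = words[1].strip("\"'")
                # Risky only when the alias ends in "/" and the prefix does not.
                if target.endswith("/") and not prefix.endswith("/"):
                    findings.append((line, prefix, target))
            statement = ""
        else:
            statement += ch
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONF
    for line, prefix, target in find_alias_off_by_slash(text):
        print(f"line {line}: 'location {prefix}' with 'alias {target}' "
              f"-> use 'location {prefix}/'")
```

Run it without arguments to check the embedded sample, or pass the path of an nginx configuration file; regex locations and quoted values containing braces are outside what this check parses.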

• • •

How to update from TorBox v.0.5.2?

Again: Since we had to make substantial changes in the configuration files, it is recommended to use the new image or reinstall TorBox using one of our installation scripts. Nevertheless, you can perform the following tasks to update a TorBox v.0.5.2 installation. It will delete all your custom-made configurations.

  1. Please, make sure that TorBox has Internet connectivity.
  2. Go to the Update and Reset sub-menu, update the TorBox menu and reset TorBox’s configuration files (entries 1 and 6).
  3. Manually compare if torrc in /etc/tor/torrc (compare with the GitHub version) and the runfile (run/torbox.run -> compare with the GitHub version) have similar entries. If unsure, just copy the versions from the GitHub repository over the ones on your system (/etc/tor/torrc and /home/torbox/torbox/run/torbox.run).
  4. Reboot TorBox, and again, make sure that TorBox has Internet connectivity.
  5. Go to the Update and Reset sub-menu, and update the base system (entry 1).
  6. Manually install ipset and rfkill (only for Debian and Ubuntu).
  7. Reboot TorBox, and again, make sure that TorBox has Internet connectivity.
  8. Update the rest in the Update and Reset sub-menu: additional network drivers with entry 2, and tor with entry 4.
  9. Reboot TorBox.

• • •

We need your feedback!!

We hope this version pleases you. However, we are dependent on feedback. It is not just about fixing bugs and improving usability, but also about supporting additional interfaces and hardware in future releases:

  • What do you like?
  • What should be improved (why and how)?
  • What would you like to see next? Which features do you request?

With the TorBox GitHub repository, it is straightforward for everyone to report issues or change the code and propose it in a pull request. Because we continue to travel around, it sometimes needs more time to address the issues and proposals. 

For future versions, it is essential that we know what you need and want to see from the Onion Services implementation. Please feel free to use the discussion forum to tell us your needs.

• • •

Known problems and bugs

BUG: Because of a wrong path, the information window after choosing “Restore TorBox’s configuration from a backup file” in the Update and Maintenance sub-menu is blank. You can fix the bug by updating the TorBox menu (update and maintenance sub menu entry 5) and reselecting entry 7. BUG FIXED✔︎

Mullvad Browser – ideal to use with TorBox

On Monday, 3rd of April 2023, Tor Project and Mullvad announced the launch of the Mullvad Browser. This browser is built on the same principles and with similar safety levels as the Tor Browser, but it works independently of the Tor network. In short: the Mullvad Browser is Tor Browser without the Tor Network. This gives Mullvad Browser some advantages in combination with TorBox. With this combination, you route all client network traffic through tor and use a safe browser. At the same time, you avoid the problems with the tor over tor situation, which the Tor Browser creates if used with TorBox.

The browser’s ‘out-of-the-box’ configurations and settings will mask many parameters and features commonly used to extract information from a person’s device that can make them identifiable, including fonts, rendered content, and several hardware APIs. By default, Mullvad Browser has private mode enabled, blocks third-party trackers and cookies, and makes it easy to delete cookies between visiting pages during the same session.

If you want to visit .onion sites with the Mullvad Browser, you have to use the SOCKS v5 proxy functionality of your TorBox and configure the Mullvad Browser accordingly:

Under about:preferences, “General”, scroll down to the bottom and click under “Network Settings” on “Settings…”, choose “Manual proxy configuration”, and under “SOCKS Host” enter the following IP: 192.168.42.1 / Port: 9050 (wlan) or IP: 192.168.43.1 / Port: 9050 (cable). Toggle on “Proxy DNS when using SOCKS v5”.

Alternatively, instead of port 9050, 9052 can be used, if you want to use destination address stream isolation. Because with port 9052 each destination address gets its own circuit, the performance could be negatively impacted.

Tor is slow right now. Here is what is happening

originally released on February 7, 2023 by isabella, taken from the tor blog (slightly redacted)

For at least 7 months, several different types of ongoing denial of service (DoS) attacks have affected the Tor network. At some points, the attacks impacted the network severely enough that users could not load pages or access onion services.

Throughout the work to improve the network’s defenses, many people have stepped up to support the tor community, fight this attack, and make sure the Tor network is stable for users. Allies have highlighted the importance of financially supporting Tor, held fundraisers to add more relays to the network, funded current relay operator associations, and come together to form the Onion Services Resource Coalition, which has allowed to hire two new network team developers who will focus specifically on onion services. This, plus the countless supporters who have spread the word about helping Tor on social media and in their communities.

You can help too! Here is how

The Tor Project is 70% towards its goal of fully funding two years worth of onion service development to mitigate the impacts of these attacks. It has $155,000 left to raise.

If you believe in the importance of the Tor network and defending it against attacks, please make a donation directly towards this work:

You can contribute to the Onion Support Coalition fund by making a donation. To lead by example, TorBox donated $250 today.

If you have any information that could help to better understand the nature of these attacks you can contact the Tor Project via signal: https://signal.me/#p/+17787431312.

If you are a relay operator and would like to know more about what to do to defend your relay from these types of attacks you can connect with the Tor Project through the email list “tor-relays at lists.torproject.org”. It is recommended for all relay operators to join this list to be up to date with best practices to keep the Tor network healthy.

TorBox v.0.5.2 released — Chat Secure

Update – 10.03.2023
With this update, we brought TorBox’s software to the latest state: Raspberry Pi OS “Bullseye” lite 64bit (Release date: February 21st, 2023) with the Linux Kernel 5.15.84 and Tor version 0.4.7.13 with obfs4proxy version 0.0.14 and Snowflake 2.5.1. We also fixed some critical bugs in connection with Snowflake and Meek, which blocked the correct functioning of these two bridges (see below). We added a better time synchronization to avoid problems with building tor circuits, especially in cases without Internet connectivity. As always, we appreciate feedback, ideas, bug reports, pull requests etc.

TorBox Image (about 1.1 GB): v.0.5.2 (10.03.2023) – SHA-256 values
TorBox Menu only: v.0.5.2 (10.03.2023) – SHA-256 values

Update – 16.02.2023
If TorBox is started for the first time, and the connection is selected through WiFi by the “first run” script, then synchronising the system clock certainly fails. As a consequence, tor will not be able to build a circuit. With this update, the “first run” script will newly display the system time and allow the user to synchronise the system clock automatically or manually. Also, we integrated a new menu entry in the Update and Maintenance submenu to synchronise the system clock.

More than a year ago, we started to integrate Onion Services into TorBox. In the sub-menu Onion Services, it is easy to set up an Onion Service and to share a folder or a simple website, as well as TorBox File Sharing (TFS). With TorBox v.0.5.2, we additionally integrated TorBox Chat Secure (TCS). This is a secure way to communicate between two people using a specific onion domain. We still have some ideas for Onion Services for the following TorBox versions, for example, to allow users to install MariaDB/MySQL, PHP and WordPress through the menu so that dynamic websites can be easily hosted on TorBox as an Onion Service. Another idea currently under review is the further development of TCS into a chat room where several people can chat. With all these or other ideas, as well as eliminating errors and simplifying processes, active feedback from users is essential. Also, some bugs have been fixed in the new version, mainly as they occurred in our daily use. However, we still hear far too little from users.

Since we had to make substantial changes in the configuration files, it is recommended to use the new image or reinstall TorBox using one of our installation scripts.

TorBox Chat Secure on an .onion domain
Changelog: v.0.5.1 –> v.0.5.2 (02.01.2023)
  • Update: The system is based on Raspberry Pi OS “Bullseye” lite (64-bit) with Linux Kernel 5.15.76 and Tor version 0.4.7.12 with obfs4proxy version 0.0.14 and Snowflake 2.4.1. Obfs4proxy version 0.0.14 will fix some critical obfuscation bugs. All installation scripts are updated to work with Raspberry Pi OS “Bullseye”, Debian 11 and Ubuntu Server 22.04 LTS. Additionally, we also updated TorBox’s internal list of OBFS4, Snowflake and Meek-Azure bridges.
  • Update: Support for additional network drivers. We also moved the installation of additional network drivers from the installation to the “first use” script. Thus a kernel update during the installation will not break the installation of the drivers.
  • Update: Noname 3.5″ TFT display support.
  • New: TorBox Chat Secure (TCS) in the Onion Service sub-menu. TCS is a straightforward way to communicate between two people while safeguarding anonymity. No information about the conversation is stored on the TorBox.
  • New: Support of handling multiple Snowflake bridge lines in the torrc. Similar to OBFS4 bridges, this feature will make circumventing tor blocking in countries like China, Iran, Russia and Turkmenistan more effective because you can select the right Snowflake bridge to activate according to the country in which you are located. Snowflake bridge lines can be activated, added, removed, deactivated and listed. However, currently, Snowflake supports only one active bridge line. If you activate several bridge lines, only the first will be used.
  • New: Related to the point above, TorBox’s automatic fetching feature for OBFS4 and Snowflake bridges now supports country-specific bridges. However, country-specific bridges are currently available only for certain countries (see also here). Also, if available, TorBox will fetch up to three bridges at once. To make these new features possible and to help people in censored countries, TorBox fetches bridges using the moat distributor. The moat distributor is an API that clients use to get bridges and circumvention settings. Clients must use domain fronting to avoid censorship when connecting to the API. In the case of TorBox, users in censoring countries have to use Snowflake or Meek-Azure to get more OBFS4 bridges (see here for more information).
  • New: The “first-use” script is now supporting Snowflake, with the idea to make it easier for people in strictly censored countries to get TorBox running.
  • New: Exclusion of slow relays (entry 15 in the Configuration sub-menu). Thanks to Nonie689 for bringing this idea up! Please test it extensively and give us feedback because we are considering adding this feature to the “first-use” script.
  • New: Backup and restore cover the entire TorBox configuration (OBSF4 Bridge Relay, Onion Services and shared folders included). It can be found centrally in the Update and Maintenance sub-menu.
  • New: Onion Services support client authorisation, which makes an Onion Service private and authenticated. With the former version, TorBox could control clients’ access from outside to TorBox’s Onion Services. With this version, we can provide the internal clients behind TorBox access to other Onion Services using the client authorisation on TorBox. In other words, if you register the server’s private key under the Onion Service menu entry 13, then not only the TorBox itself will have access to the Onion Service but also all client devices for which data traffic is routed through the TorBox, even if TorBox itself provides the Onion Service (in this case, TorBox is server and client). However, after the initial start, it can take up to 30 minutes to take effect (thanks for figuring this out goes to nyxnor).
  • Fixed: If Onion Services with shared folders were deleted, the removal of Nginx’s configuration failed.
  • Fixed: Automatically adding bridges will work again. The script bridges_get.py started to fail because the HTML generated by https://bridges.torproject.org/bridges?transport=obfs4 has changed –> we added a patch written by lockcda (thanks for that!). Also, there is a bug in installing mechanize 0.4.8. For that reason, we still work with version 0.4.7. Anyhow, by using the moat distributor, this kind of problem should be gone.
  • Fixed: GitHub changed how it replies to the script’s question about the available tor versions. The changed behaviour broke the installation and update scripts, which are fixed now. We also removed the tor-specific entries in torbox.run because of the complexity, and it doesn’t give an added value.
  • Fixed: Blocking HTTP plain text traffic doesn’t block access to webssh and .onion addresses anymore, which both work through HTTP. Please test it extensively and give us feedback because we are considering activating this feature as default in the next TorBox version.  
  • Fixed: Under certain circumstances, TACA, even if activated, couldn’t synchronize the clock.
  • Fixed: Sometimes, pressing the ESC key didn’t close the menu, instead, it reloaded again.
  • Fixed: The WPA password has to be between 8-63 characters – if the user changes this password, TorBox has to check it. Thanks to DEC-entralized for finding that bug.
  • Improved: To activate, remove and/or deactivate OBFS4 and Snowflake bridges, you no longer have to enter numbers of the concerning bridges, which you had to look up in the list. With this version, you can easily select the bridges you want to manipulate.
  • Improved: OBFS4 and Snowflake bridges can be added and removed regardless of the actual type of connection. It gives the user, for example, the possibility to connect the tor network using Snowflake to automatically fetch country-specific OBFS4 bridges and then switch to OBFS4, which is more performant and more reliable than Snowflake.
  • Improved: A new method of installing obfs4proxy ensures that the latest version is used. If the URL to the obfs4proxy repository is blocked, the version from the distribution will be installed, which could be outdated. When updating the base system in the Update and Maintenance submenu, obfs4proxy will also be updated.
  • Improved: The configuration reset using menu entry 6 in the Update and Maintenance submenu.
  • Improved: The support for Ubuntu as the underlying operating system.
  • Improved: Leaving the tor log with q instead of CTRL-C (improvement for the usability of webssh)
  • Improved: If configured, the OBFS4 Bridge Relay will start directly after the boot. There is no need to log into the TorBox menu.
  • Improved: The handling of the countermeasure against tightly configured firewalls in the “first-use” script. The underlying problem is that bridges usually don’t work correctly with the countermeasure against tightly configured firewalls being activated. However, depending on the situation, sometimes it works.
  • Improved: Faster boot time due to changes in rc.local. Also, wlan1 and ppp0 connections to the internet should be automatically reestablished during start-up if used before the restart. Thanks to ipwebnl, who mentioned the need to improve this.
  • Removed: Additional USB wifi drivers from Fars Robotics due to missing updates for one year now. We already replaced these drivers with others from dedicated GitHub sites but kept the possibility to switch back if necessary. The fact is that intensive tests show that the replacements are working even better.
  • Removed: Vanguards because there is nothing new happening on that project. It may be because parts of Vanguards were implemented in newer tor versions. The problem is that I’m not sure if this creates interferences. Last but not least, I didn’t see any positive effect since its implementation.
  • Removed: In the Update and Maintenance sub-menu: Force to deactivate the OBFS4 mode.
  • Removed: http://www.torbox.ch as a jump-site to trigger for a captive portal because torbox.ch will no longer support insecure http access for security reasons.
  • Removed: The restriction that local DNS resolution will be solely resolved through tor because this was the cause of many problems. TorBox needs direct DNS resolution with Bridges, captive portals, VPN connections, time synchronisation, and other maintenance tasks. These functions must work regardless of whether or not tor has a connection with the tor network. That said, data traffic from the connected clients, which has to be protected, is completely routed through tor (including DNS requests). TorBox is configured so that any direct DNS requests from clients are blocked. See also here.

• • •

How to update from TorBox v.0.5.1?

Again: Since we had to make substantial changes in the configuration files, it is recommended to use the new image or reinstall TorBox using one of our installation scripts. Nevertheless, you can perform the following tasks to update a TorBox v.0.5.1 installation. It will delete all your custom-made configurations.

  1. Please, make sure that TorBox has Internet connectivity.
  2. Go to the Update and Reset sub-menu, update the TorBox menu and reset TorBox’s configuration files (entries 1 and 6).
  3. Manually compare if torrc in /etc/tor/torrc (compare with the GitHub version) and the runfile (run/torbox.run -> compare with the GitHub version) have similar entries. If unsure, just copy the versions from the GitHub repository over the ones on your system (/etc/tor/torrc and /home/torbox/torbox/run/torbox.run).
  4. Reboot TorBox, and again, make sure that TorBox has Internet connectivity.
  5. Go to the Update and Reset sub-menu, and update the base system (entry 1).
  6. Reboot TorBox, and again, make sure that TorBox has Internet connectivity.
  7. Update the rest in the Update and Reset sub-menu: additional network drivers with entry 2, and tor with entry 4.
  8. Reboot TorBox.
We need your feedback!!

We hope this version pleases you. However, we are dependent on feedback. It is not just about fixing bugs and improving usability, but also about supporting additional interfaces and hardware in future releases:

  • What do you like?
  • What should be improved (why and how)?
  • What would you like to see next? Which features do you request?

With the TorBox GitHub repository, it is straightforward for everyone to report issues or change the code and propose it in a pull request. Because we continue to travel around, it sometimes needs more time to address the issues and proposals. 

For future versions, it is essential that we know what you need and want to see from the Onion Services implementation. Please feel free to use the discussion forum to tell us your needs.

• • •

Known problems and bugs

BUG: Snowflake and Meek don’t work. Snowflake is showing the following error: Managed proxy "/usr/bin/snowflake-client": broker failure dial tcp: lookup cdn.sstatic.net on [scrubbed]: read udp [scrubbed]->[scrubbed]: i/o timeout.
The reason is that, because of a bug, we block local DNS resolution for Snowflake and Meek. You can fix the bug by updating the TorBox menu (update and maintenance sub-menu entry 5) and reselecting the source of the Internet (main menu entries 5-10). BUG FIXED✔︎

PROBLEM: The Countermeasures sub-menu entry 17 should connect the TorBox to a VPN server without routing the tor data traffic through the VPN. It doesn’t seem to work with an Internet connection from a wireless interface (wlan0 or wlan1). It could be because, when we tested this feature, we only used cable as an Internet source (eth0). Unfortunately, currently, we cannot test this hypothesis. It may also have something to do with the configuration in the .ovpn file. Therefore we would be glad to hear feedback from people who successfully or unsuccessfully tried this entry. RESEARCH ?

Update your TorBox

Again, some time has passed since the initial release of TorBox v.0.5.1. Even if we already started to work on TorBox v.0.5.2, we decided to release an updated image of TorBox v.0.5.1 due to some critical fixes and a new tor version.

This version is based on Raspberry Pi OS “Bullseye” lite (64 bit) with Linux Kernel 5.15.61 and Tor version 0.4.7.10. It contains several major fixes to reduce memory pressure on relays and possible side-channel. It also includes a major bugfix related to congestion control to reduce memory pressure on relays. Finally, another major bugfix is related to Vanguard L2 layer node selection.

One bug in the initial release was that TorBox would not automatically add a bridge when that option was chosen in the Countermeasure sub-menu. This problem is in connection with mechanize 0.4.8. For that reason, we went back to version 0.4.7. Also, bridges_get.py failed because the HTML generated by https://bridges.torproject.org/bridges?transport=obfs4 has changed. To fix it, we added the patch from lockcda (see issue #173 on GitHub). Also, the way GitHub reports the available tor versions changed and broke the installation and update scripts. We fixed the affected scripts. Also, we removed the tor-specific entries in torbox.run because of the complexity, and it doesn’t give an added value.

Here are the links to the new updated TorBox v.0.5.1:
TorBox Image (about 1 GB): v.0.5.1 (20.10.2022) – SHA-256 values
TorBox Menu only: v.0.5.1 (20.10.2022) – SHA-256 values

How to update an old TorBox v.0.5.1 (19.07.2022) installation?
You can perform the following tasks to update an older TorBox v.0.5.1 (19.07.2022) installation. This shouldn’t alter your custom-made configurations – however, I don’t promise anything (if needed, make a backup!).

  1. Please, make sure that TorBox has Internet connectivity.
  2. First, update the TorBox menu in the Update and Maintenance sub-menu (entry 5) to immediately benefit from the bugfixes.
  3. Press ESC until you have left the TorBox menu and find yourself back at the command line. Here, use the following commands:
    • removing mechanize 0.4.8: sudo pip3 uninstall mechanize
    • installing mechanize 0.4.7: sudo pip3 install mechanize==0.4.7

• • •

Known problems and bugs
  • PROBLEM: The meek bridge has gone offline, and there is a new one to take its place (see here). The torrc is fixed – get it by updating the TorBox menu with the Update and Maintenance sub-menu and replacing your old torrc: sudo cp /home/torbox/torbox/etc/tor/torrc /etc/tor/ However, this will remove all your custom-made configurations. Alternatively, you can execute the following command: sudo sed -i "s|Bridge meek_lite 192.0.2.2:2.*|Bridge meek_lite 192.0.2.18:80 BE776A53492E1E044A26F17306E1BC46A55A1625 url=https://meek.azureedge.net/ front=ajax.aspnetcdn.com|" /etc/tor/torrc. The image file is not fixed yet — PENDING! 
  • PROBLEM: With TorBox v.0.5.1, local DNS resolution is solely resolved through tor. This restriction led to problems with the Snowflake and Meek bridge functionality because both protocols need local DNS resolution. The problem is more complex than it looks, and we will deal with it in version 0.5.2. However, as a quick fix, we changed the snowflake and meek-azure scripts to enable local DNS resolution. You can fix the bug by updating the TorBox menu with the Update and Maintenance sub-menu. We also changed the Snowflake configuration in the torrc and added a second Snowflake bridge. With version 0.5.2, we will support multiple Snowflake bridges as we do with OBFS4 bridges. The image file is not fixed yet — PENDING! 
  • BUG: Due to permission problems, in some cases, temporarily stored files are blocking bridges_get.py from fetching a new OBFS4 address line. You can quickly solve the problem with the following command: rm -r /tmp/captcha.*. However, this is not a permanent solution. You can fix the bug by updating the TorBox menu with the Update and Maintenance sub-menu. The image file is not fixed yet — PENDING! 

TorBox v.0.5.1 released — smashing Bugs

Honestly, TorBox v.0.5.0 was not one of our finest. When I started to fix some known problems and bugs almost a month ago, I found so much more. It was time to go into details and especially to fix the code added with version 0.5.0 – row by row. This version should run more reliably and stably than the versions before. Nevertheless, we also added and updated some of the features. However, once again, it also shows the importance of user feedback. Please report your problems and any bugs you find to us. We also need to know what you would like to see next and which features you request. With the TorBox GitHub repository, it is straightforward for everyone to report issues or change the code and propose it in a pull request.

TorBox Image (about 1 GB): v.0.5.1 (19.07.2022) – SHA-256 values
TorBox Menu only: v.0.5.1 (19.07.2022) – SHA-256 values

Since we had to install additional software packages and update the configuration files, it is necessary to use the new image or reinstall TorBox using one of our installation scripts.

Main Menu TorBox v.0.5.1
Changelog: v.0.5.0 –> v.0.5.1 (19.07.2022)
  • Update: The system is based on Raspberry Pi OS “Bullseye” lite (64 bit) with Linux Kernel 5.15.32 and Tor version 0.4.7.8. This version includes several bug fixes, including one for a high severity security issue categorised as a Denial of Service. Everyone running an earlier version should upgrade to this version. Also, congestion control should improve traffic speed and stability on the network once most exit nodes upgrade. You can find more details about it in proposal 324 in the torspec.git repository. All installation scripts are updated to work with Raspberry Pi OS “Bullseye”, Debian 11 and Ubuntu Server 22.04 LTS. Additionally, we also updated TorBox’s internal list of OBFS4 bridges.
  • Update: The installation script for Raspberry Pi OS had to be updated to work with the new Raspberry Pi OS images released in April. Also, starting with this version, TorBox will be only tested on the 64 bit version of the respective OS (Raspberry Pi OS, Debian and Ubuntu).
  • Update: vitor from nyxnor’s onionwash repository
  • Update: the additional network drivers so that they work with the new Linux kernel (unfortunately, Fars-Robotics hasn’t updated their network driver since October 2021).
  • New: webssh replaces shellinabox, which no longer seems to be maintained. With webssh, users don’t need an ssh client because every web browser can now jump in as an ssh client. A user on a wifi-client can type 192.168.42.1, someone on a cable-client 192.168.43.1. This functionality comes with a certain risk because webssh is not encrypted (this would need a self-signed certificate, which the browser doesn’t support easily). However, this shouldn’t cause any problems because the TorBox AP and its wlan or the connection cable should be controlled by you. By default, webssh cannot be accessed from the Internet. If you seek maximum security, you still can keep using an ssh client and even deactivate the webssh functionality in the Configuration sub-menu (entry 11). 
  • New: There is a new way to pass through captive portals by SPOOFING the MAC address of a device that passed the captive portal successfully. Tests showed that some captive portals could be better overcome with the old method (TUNNELLING), some function better with SPOOFING and some need both methods combined. See here for more information.
  • New: Starting with this version, TorBox randomises the MAC addresses on wlan0, wlan1, eth0 and eth1 by default. You can change that behaviour and set your own MAC address in the Configuration sub-menu (entry 8).
  • Fixed: TorBox will not try to back up the OBFS4 Bridge Relay configuration if there is no such configuration.
  • Fixed: It is impossible to simultaneously run the countermeasure against tightly configured firewalls and Snowflake, Meek and the OBFS4 Bridge Relay. This fix will prevent such a setting.
  • Fixed: A bug broke the functionality on ppp0 and usb0. Also, before executing pon, TorBox will check if pppd is already working and shut it down.
  • Fixed: Due to a little bug in the script, the menu entry that should activate only those OBFS4 bridges that are ONLINE fails to activate the OBFS4 mode properly. This bug prevents TorBox from deactivating the OBFS4 lines in the tor configuration file. Both are fixed.
  • Fixed: Onion Service name bug (fixed by nyxnor).
  • Improved: To prevent future bugs in the releases, a shellcheck GitHub action will be triggered with every pushed commit on the master repository.
  • Improved: Local DNS resolution will be solely resolved through tor. This means that TorBox will not be able to resolve DNS requests from the local terminal if tor is not running. However, some functions, like Snowflake, Meek and time synchronisation, need clearnet DNS resolution to work without a running tor, but in this case, clearnet DNS resolution is explicitly activated for that purpose, and the user is asked or informed beforehand. DNS resolution from clients will always be made through tor, regardless of the settings. With the following commands in the terminal, local clearnet resolution can be set on/off (we will add that later in a “toxic” menu):
# Turn local clearnet DNS resolution on
sudo iptables -t nat -D OUTPUT -p udp --dport 53 -j DNAT --to 127.0.0.1:9053
sudo iptables -t nat -D OUTPUT -p tcp --dport 53 -j DNAT --to 127.0.0.1:9053
sudo systemctl restart dnsmasq
# Turn local clearnet DNS resolution off
sudo systemctl stop dnsmasq
sudo iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to 127.0.0.1:9053
sudo iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to 127.0.0.1:9053

  • Improved: The use of Onion Services, sharing folder and TFS. For example, the sharing folder functionality and TFS can use every folder inside /var/www regardless of the name of the Onion Service. This gives the possibility that an Onion domain named x.onion can share the folder /var/www/to_be_shared, and at the same time, TFS can control up- and/or downloads to/from the same folder using the Onion domain y.onion.
  • Improved: TFS can be started multiple times with different Onion domains. The file list is now alphabetically sorted. The message below the top banner can now display multiple lines (separated by a \n). You can go into a sub-folder if you click on them, and if you start an upload in such a sub-folder, the uploaded files are placed there. Selecting multiple files and folders is now supported – they will be downloaded and compressed in a .zip file to the local client.
  • Improved: Resetting Tor and enforcing a change of the permanent entry node in the update and maintenance sub-menu doesn’t deactivate the bridge and bridge relay mode anymore.
  • Improved: Turning systemd-journald.service off by default to further reduce the logs.
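
To see which state the DNS on/off commands in the entry above have left the box in, the nat OUTPUT chain can be inspected. The following is an added example, not TorBox code: redirect_count, dns_mode and check_live are hypothetical helper names, and the sample listings are constructed in the format that iptables -t nat -S OUTPUT prints.

```shell
#!/bin/sh
# Added example (not part of TorBox): report whether locally generated DNS
# queries are forced through tor, based on the two DNAT rules from the
# changelog entry (udp/53 and tcp/53 redirected to 127.0.0.1:9053).

# Print how many unconditional redirects for protocol $2 the listing in $1
# holds. Accepts the rule as typed (--to) and as iptables prints it back
# (-m <proto> ... --to-destination). Rules with extra match conditions are
# deliberately not counted, because they do not cover all DNS traffic.
# A count above 1 means the "off" commands were run more than once; a single
# round of -D then removes only one copy and the redirect stays in place.
redirect_count() {
    printf '%s\n' "$1" | grep -Ec \
        "^-A OUTPUT -p $2 (-m $2 )?--dport 53 -j DNAT --to(-destination)? 127\.0\.0\.1:9053[[:space:]]*\$" \
        || true
}

# Read a rule listing on stdin and print one of:
#   tor       udp/53 and tcp/53 are both redirected to 127.0.0.1:9053
#   clearnet  neither is redirected
#   partial   only one is redirected, so the other protocol bypasses tor
dns_mode() {
    rules=$(cat)
    udp=$(redirect_count "$rules" udp)
    tcp=$(redirect_count "$rules" tcp)
    if [ "$udp" -gt 0 ] && [ "$tcp" -gt 0 ]; then
        echo tor
    elif [ "$udp" -eq 0 ] && [ "$tcp" -eq 0 ]; then
        echo clearnet
    else
        echo partial
    fi
}

# On a live system (needs root): classify the current rule set.
check_live() {
    sudo iptables -t nat -S OUTPUT | dns_mode
}

# Constructed sample listings (not captured from a real TorBox).
SAMPLE_TOR='-P OUTPUT ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1:9053
-A OUTPUT -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.1:9053'
SAMPLE_CLEARNET='-P OUTPUT ACCEPT'
SAMPLE_PARTIAL='-P OUTPUT ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1:9053'
# "off" commands run twice: every rule is present twice.
SAMPLE_DUPLICATE='-P OUTPUT ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1:9053
-A OUTPUT -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.1:9053
-A OUTPUT -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1:9053
-A OUTPUT -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.1:9053'

# Classify the constructed samples: prints tor, partial, clearnet, tor.
for sample in "$SAMPLE_TOR" "$SAMPLE_PARTIAL" "$SAMPLE_CLEARNET" "$SAMPLE_DUPLICATE"; do
    printf '%s\n' "$sample" | dns_mode
done
```

A result of partial, or a redirect_count above 1, is the case to look at before relying on either setting.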

• • •

We need your feedback!!

We hope this version pleases you. However, we are dependent on feedback. It is not just about fixing bugs and improving usability, but also about supporting additional interfaces and hardware in future releases:

  • What do you like?
  • What should be improved (why and how)?
  • What would you like to see next? Which features do you request?

With the TorBox GitHub repository, it is straightforward for everyone to report issues or change the code and propose it in a pull request. Because we continue to travel around, it sometimes needs more time to address the issues and proposals. 

For future versions, it is essential that we know what you need and want to see from the Onion Services implementation. Please feel free to use the discussion forum to tell us your needs.

• • •

Known problems and bugs
  • BUG: TorBox will not automatically add a bridge when that option is chosen in the Countermeasure sub-menu. There are two reasons:
    • It seems that version 0.4.8 of mechanize will not be correctly installed –> we had to switch back to version 0.4.7
      You can fix that bug manually with the following commands:
      sudo pip3 uninstall mechanize
      sudo pip3 install mechanize==0.4.7

    • The script bridges_get.py started to fail because the HTML generated by https://bridges.torproject.org/bridges?transport=obfs4 has changed –> we added the patch from lockcda (see issue #173 on GitHub). You can replace the old script with the patched one by updating the TorBox menu with the Update and Maintenance sub-menu. BUG FIXED✔︎
  • PROBLEM: Installing TorBox using one of the installation scripts or updating tor using the Update and Maintenance sub-menu fails or installs an older version of tor. The problem lies in how GitHub answers the script’s query about which versions of tor are available. We changed all affected scripts. New installations with the installation scripts are not affected by this problem anymore. For updating tor on a running system, please fix the problem by updating the TorBox menu with the Update and Maintenance sub-menu. BUG FIXED✔︎

Update your TorBox

Six months have passed since the initial release of TorBox v.0.5.0. Version 0.5.1 will probably be released at the end of this year. Nevertheless, it was time to fix some bugs in version v.0.5.0 (especially concerning using OBFS4 bridges). If you re-install TorBox (using the image file or one of the installation scripts), in the case of Raspberry Pi OS, you will find the 64bit version with the Linux kernel 5.15.32 and Tor version 0.4.7.8.

Also new in the update: The MAC addresses of the network interfaces are now randomized. At the same time, a new way of overcoming captive portals is introduced, which is based on manipulating the MAC address of the Raspi network interface that is connected to the Internet (we have already reported on this in the blog here; however, details about the implementation and use can be found here).

TorBox provides two approaches to passing through a captive portal: SPOOFING or TUNNELLING. The new and preferred method is SPOOFING.

Here are the links to the new updated TorBox v.0.5.0 version (Update 001):

TorBox Image (~1 GB) : v.0.5.0 (03.07.2022) – SHA-256 values
TorBox Menu only: v.0.5.0 (03.07.2022) – SHA-256 values

How to update an old TorBox v.0.5.0 (02.01.2022) installation?

You can perform the following tasks to update an older TorBox v.0.5.0 (02.01.2022) installation. This shouldn’t alter your custom-made configurations – however, I don’t promise anything (if needed, make a backup!).

  1. Please, make sure that TorBox has Internet connectivity.
  2. First, update the TorBox menu in the Update and Maintenance sub-menu (entry 5) to immediately benefit from the bug fixes.
  3. Update the base system, the additional network drivers and the Tor version: Go to the Update and Maintenance sub-menu and use entries 1, 2 and 4.
  4. Press ESC until you have left the TorBox menu and find yourself back at the command line. Here use the following commands:
    sudo apt-get -y install macchanger
    cd; cd torbox; sudo cp etc/rc.local /etc
  5. Reboot TorBox.

We need your feedback!!

We hope this version pleases you. However, we are dependent on feedback. It is not just about fixing bugs and improving usability but also about supporting additional interfaces and hardware in future releases:

  • What do you like?
  • What should be improved (why and how)?
  • What would you like to see next? Which features do you request?

With the TorBox GitHub repository, it is straightforward for everyone to report issues or change the code and propose it in a pull request. Because we continue to travel around, it sometimes needs more time to address the problems and proposals.

For future versions, it is essential that we know what you need and want to see from the Onion Services implementation. Please feel free to use the discussion forum to tell us your needs.

Known problems and bugs
  • BUG: The latest official version (4.0.x) of the Python module Django will break the upload functionality. The bug can be fixed with the following command:
    sudo pip3 install Django==3.2.14
    The installation scripts are already fixed. However, the image file is not fixed yet — PENDING! 
  • BUG: The SPOOFING method to pass through captive portals is broken due to a bug. Also, the example in the dialog suggests that the elements of the MAC address are separated by a “-” instead of a “:”, which leads to an error message. You can fix the bug by updating the TorBox menu (update and maintenance sub-menu entry 5). However, the image file is not fixed yet — PENDING! 
  • BUG: When using bridges, the following error appears: "line 118+119: online_check: command not found" (no connection to bridge database). This is because of a change of the path of the torbox library (torbox.lib), which uses a ~ . This wasn’t a good idea – we changed to the absolute path. You can fix the bug by updating the TorBox menu (update and maintenance sub-menu entry 5). However, the image file is not fixed yet — PENDING! 

TorBox v.0.5.0 released — juggling with Onions

TorBox v.0.5.0 is a major upgrade because, starting with this version, it can not only be used to help clients access the Internet safely and circumvent censorship, it also allows you to bring your content to the Internet in a safe and uncensored way. Again, nyxnor, with his OnionJuggler project, was a key driver behind the Onion Services implementation in TorBox. With this version, TorBox introduces Onion Service support to share a simple website and/or files through Onion Services. However, this is only the start; in subsequent versions, we plan to support Onion Service access management on TorBox itself, and a secure chat module has already been programmed by Zotil but is not yet implemented due to a lack of time. The support of Onion Services has much potential for developing TorBox further, but because our time is limited, it is essential that you give us feedback on what you need and want to see in the next version. Please feel free to use the discussion forum to tell us your needs.

TorBox Image (about 985 MB): v.0.5.0 (02.01.2022) – SHA-256 values
TorBox Menu only: v.0.5.0 (02.01.2022) – SHA-256 values

Since we had to install additional software packages and update the configuration files, it is necessary to use the new image or to reinstall TorBox using one of our installation scripts.

The new Onion Service sub-menu of TorBox v.0.5.0, which can be found in the “defend the open internet” sub-menu.

Besides the support of Onion Services, TorBox brings additional updates, improvements and fixes:

  • Update: The system is based on Raspberry Pi OS “Bullseye” lite with Linux Kernel 5.10.63 and Tor version 0.4.6.9. This version fixes several bugs from earlier versions of Tor. One important fix is the removal of the DNS timeout metric from the overload general signal. During our test, we had the feeling that Tor version 0.4.6.9 works more stably and reliably than the versions before. All installation scripts are updated to work with Raspberry Pi OS “Bullseye”, Debian 11 and Ubuntu Server 20.04.3 LTS / 21.10. Additionally, we also updated TorBox’s internal list of OBFS4 bridges.
  • New: The introduction of an Onion Services implementation allows the creation of Onion Services for public use or only for selected clients using client access restrictions. With the Onion Services sub-menu (found in the “defend the open Internet” sub-menu), it is easy to share a folder with a static webpage, files etc. on an .onion domain with or without client access control, even if the TorBox is located behind a firewall, a network translator or placed in a censoring country. With TorBox File Sharing (TFS), uploading and/or downloading files can be allowed to the public or specific clients. 
  • New: Since 2021, the TorBox team observed more and more providers (especially in connection with open hotspots) blocking ports needed for tor to work properly (tor commonly uses ports 80, 443, 9001 and 9030 for network traffic and directory information). Therefore, TorBox uses by default countermeasures against a tightly configured firewall taking care that tor uses only ports 80 and 443 for its data stream. We didn’t observe any negative impact (nevertheless, probably this feature should be deactivated if a bridge relay is run on the TorBox).
  • New: torrc is now edited by nyxnor’s vitor, which checks the accuracy of tor configuration inside torrc before saving the new configuration file. This should avoid a broken tor configuration by using the advanced tor configuration editor. Vitor is part of the OnionJuggler project. Also, after changing tor’s configuration, TorBox is asking to restart tor.
  • New: The team has been working hard to improve the code’s quality and introduced some basic coding guidelines, which we will implement step by step in the coming up versions. Also, we started to check the code with ShellCheck. Thanks to nyxnor for the inspiration!
  • Improved: The “first-use” script introduced in TorBox’s last version had some major shortcomings, expecting the Internet to be connected to the Ethernet interface. With TorBox v0.5.0, the “first-use” script was extensively rewritten. It now supports all the usual connection types. Additionally, the user is asked whether the countermeasures against a tightly configured firewall should stay activated, which we highly recommend.
  • Improved: As part of our new basic coding guidelines, we rewrote the “Update and Reset” sub-menu, now called “Update and Maintenance”. At the same time, we improved the update routines, which also updates the installed Python modules and Snowflake (if tor is updated). The ability to remove all OBFS4 Bridge Relay Data was moved into the OBFS4 Bridge Relay sub-menu.
  • Improved: The TorBox Wireless Manager (TWM) now sorts the list of available wifi networks by signal strength. Hidden networks are only displayed after pushing the H key to declutter the main screen. Also, the code under the hood was again optimized (for example, a timeout was added if the AP doesn’t respond after sending a wrong password, optimizations for small screens and more).
  • Improved: If TorBox’s WLAN is permanently disabled, the TWM tries to reconnect to a Wireless Network on wlan0, not only on wlan1. However, if wlan0 and wlan1 are available, TWM will prioritize wlan1 (in this case, we think there is a reason why a USB wifi adapter is connected to the TorBox). This also fixed an issue mentioned by connected201.
  • Improved: TorBox’s Automatic Counter Measures (TACA) checks after reconnecting with a wifi network if the interface got an IP address from the remote DHCP server. If this is not the case, it restarts the interface, triggering the request for a new IP. Also, TACA will detect if the system time is out of sync and re-synchronize it with ntpdate.
  • Improved: Captive Portals are a pain in the ass! If the login page cannot be reached for whatever reason, TorBox provides a direct way back into the TWM (network reset included) to try it again. We have the experience that Captive Portals are getting harder to pass. However, currently, we are experimenting with another alternative way to deal with Captive Portals. If successful, we will add it immediately to TorBox v.0.5.0, which will be available after updating the TorBox menu in the “Update and Maintenance” sub-menu.
  • Improved: Cable support is easier to accomplish now. We reviewed and simplified the code to achieve this goal. Consequently, we merged set_interface and set_captive into set_interface_2 and set_captive_2 and removed the older files. This also fixed an issue mentioned by connected201.
  • Improved: Usability of the Countermeasure against a disconnection when idle feature.
  • Improved: The tor log file is now shown with a filter to declutter the output, and “Bootstrapped 100% (done): Done” message is highlighted in white.
  • Improved: The Bridge Relay backup file is placed into ~/backup.
  • Fixed: In the expert mode of the tor install scripts and the “Update and Maintenance” sub-menu, a hiccup due to a broken sort algorithm prevented the showing up of tor x.x.10 versions.
  • Fixed: Even if TorBox’s WLAN was permanently disabled, it was activated again when using wlan0 as an Internet source. This bug was reported by connected201.
  • Fixed: Snowflake is running again.
  • Security: We must mask both tor services to ensure no use of tor connections before configuring TorBox with the “first use” routine.
  • Security: Since the last TorBox version, all access to a tor related URL (for example, torproject.org) directly from the TorBox has been done through tor for security reasons. Thanks to advice from nyxnor, we switched to a more secure curl SOCKS5 method (curl -x socks5h://127.0.0.1:9050).
  • Removed: Display of the Vanguards log because there is nothing interesting to see.

We need your feedback!!

We hope this version pleases you. However, we are dependent on feedback. It is not just about fixing bugs and improving usability, but also about supporting additional interfaces and hardware in future releases:

  • What do you like?
  • What should be improved (why and how)?
  • What would you like to see next? Which features do you request?

With the TorBox GitHub repository, it is straightforward for everyone to report issues or change the code and propose it in a pull request. Because we continue to travel around, it sometimes needs more time to address the issues and proposals. 

For future versions, it is essential that we know what you need and want to see from the Onion Services implementation. Please feel free to use the discussion forum to tell us your needs.

Known problems and bugs
  • BUG: Due to a little bug in the script, the menu entry that should activate only those OBFS4 bridges that are ONLINE fails to activate the OBFS4 mode properly. This bug also prevents TorBox from deactivating the OBFS4 lines in the tor configuration file. It can be fixed by updating the TorBox menu in the Update & Maintenance sub-menu (entry 5) and by choosing “Force to deactivate the OBFS4 mode” in the same sub-menu (entry 10). The image file is not fixed yet — PENDING!

Should we change the way how TorBox is dealing with captive portals?

Please participate in our GitHub discussion board. I need as much input as necessary to decide if we should permanently change how TorBox is dealing with captive portals.

Current situation

When the user changes the connection settings in the main menu, he is confronted with a dialogue asking if it is a direct connection or a captive portal. So far, the master branch and the v.0.5.0 release open a tunnel between a client and the captive portal to make it possible to deal with the login page of the captive portal. The idea behind it is that the captive portal puts the MAC address of the TorBox in a whitelist so that we can connect the TorBox with the Internet. I call that method “TUNNELING”.

Problem

For whatever reason, it seems that the “TUNNELING” method will not always work, and it appears that the number of captive portals blocking this approach is increasing. However, due to a small sample, I’m not entirely sure if this observation can be generalized or I was only the “lucky one” with this problem.

Solution

With the new_captive_portal_pass_through branch, I introduced an alternative way to deal with captive portals, called “SPOOFING”. The idea is that a client connects directly to a captive portal and opens it. When TorBox connects to the captive portal, it asks for a MAC address. The user can enter the MAC address of the client, which is already whitelisted by the captive portal, and connect to the Internet. So far, I only tested a handful of captive portals, and it worked not only well but better than the “TUNNELING” method. Currently, the new_captive_portal_pass_through branch offers both methods.

new_captive_portal_pass_through

Installing the new_captive_portal_pass_through branch is easy using the expert mode of entry 5 of the Update & Maintenance sub-menu. Additionally, you have to copy the updated rc.local file to /etc: sudo cp etc/rc.local /etc

Questions

The next step in the new_captive_portal_pass_through branch is to allow users to list, change and reset the MAC addresses on every available interface. This questions the current approach to deal with captive portals:

  • Should we still offer both methods or deprecate the “TUNNELING” method? Did you test the new “SPOOFING” method and fail to access a captive portal with this new method? –> we will keep offering both methods because SPOOFING, too, is not always working.
  • Should we even differentiate between a direct connection and a connection through captive portals anymore? What could a better approach look like?
  • In which sub-menu should I place the entry to list, change and reset the MAC addresses? Configuration or Countermeasure sub-menu or somewhere else?

Please join our discussion on our GitHub discussion board.

Update your TorBox

We have good and bad news…

Bad News
The next TorBox release (v.0.5.0) will not be published before the end of the year. We will not update the image file before then, because we need the time to properly implement Onion Service support and to intensively test the new version.

Good News
We updated our installation script so that it works with the latest Raspberry Pi OS version, which is based on Debian 11 (Bullseye). We also updated some installation paths to the unofficial Tor Repository, a new Go version, and the updated additional network drivers. We also added some new options to the installation script:

Syntax : run_install.sh [-h|--help] [--select-tor] [--select-branch branch_name] [--step_by_step]
Options: -h, --help     : Shows this help screen ;-)
         --select-tor   : Let select a specific tor version (default: newest stable version)
         --select-fork fork_owner_name
                        : Let select a specific fork from a GitHub user (fork_owner_name)
         --select-branch branch_name
                        : Let select a specific TorBox branch (default: master)
         --step_by_step : Executes the installation step by step

With the --select-branch v.0.5.0 option, adventurous fellas have the option to install TorBox v.0.5.0 ALPHA (the menus are still labelled as v.0.4.2). For more information on v.0.5.0, see our discussion page on GitHub.

By the way, if you want to help with the project, please look for our Job Postings.

TorBox v.0.4.2 released — hardening

Again, thanks to several approaches by nyxnor, the core change in TorBox v.0.4.2 is about hardening it (see also our discussion here). Our goal is to offer users in authoritarian countries the safest possible way to install and use TorBox. That said, I want to remind you once more that it is strongly advised not to use TorBox if your well-being depends on your anonymity. In such a situation, it is advisable to use Tails.

The hardening of TorBox also slightly changes the first time start procedure. After finishing the installation with the installation script or with flashing the image file on the SD Card (at least 8 GB are necessary), logging in to the TorBox by using an SSH client (192.168.42.1 on a WiFi client and 192.168.43.1 on a cable client) or a web browser (https://192.168.42.1:9000 on a WiFi client and https://192.168.43.1:9000 on a cable client) is mandatory, because TorBox will ask the user during its first start if he wants to activate OBFS4 bridges for hiding the use of tor. The integrated OBFS4 bridges should help with that, although patience is necessary because that process could easily take 5 minutes to be successful. Also, activating OBFS4 bridges can be problematic behind a tightly configured firewall (see more here). However, if you cannot connect to the Tor network yet, don’t panic – your selection is saved, and you can safely choose entries 5-10 in the main menu (we will improve the usability with the next version). This is only necessary during the first start after flashing the TorBox image on the SD card. However, you can change your decision and configure the use of bridges later in the Countermeasure sub-menu.

After finishing the installation with the installation script or with flashing the image file during the first start-up, TorBox will ask the user, if he wants to activate OBFS4 bridges (remark: the dialogue box will slightly differ if installed with the installation script).

TorBox Image (about 910 MB): v.0.4.2 (02.08.2021) – SHA-256 values
TorBox Menu only: v.0.4.2 (02.08.2021) – SHA-256 values

Since we had to install additional software packages and update the configuration files, we recommend using the new image rather than updating an existing system. However, we have added a short guide at the end of this post for those who absolutely must update from the previous version (not older!).

Changelog: v.0.4.1 (13.06.2021) –> v.0.4.2 (02.08.2021)
  • IMPORTANT: Installing TorBox requires at least an 8 GB SD Card.
  • Update: The system is based on Raspberry Pi OS “Buster” Lite with a Linux Kernel 5.10.49 and Tor version 0.4.6.6. Tor version 0.4.6.6 fixes several security issues, including a denial-of-service attack against onion service clients and another denial-of-service attack against relays. The 0.4.6.x series includes numerous features and bugfixes, including a significant improvement to our circuit timeout algorithm that should improve observed client performance and a way for relays to report when they are overloaded. 
  • Update: The internal list of OBFS4 bridges is updated, and the Meek-Azure as well as the Snowflake configurations are updated in torrc based on the Tor Browser 10.5.2.
  • Update: The Adafruit’s PiTFT display installer.
  • New: The install scripts were extensively rewritten to be more reliable and secure in highly authoritarian countries. Tor will only be activated after a restart and a login by SSH or a web browser. This gives the user the possibility to start pluggable transports and bridges from the beginning to hide the use of tor in a better way and improve the user’s security. These improvements were proposed and highly influenced by nyxnor. Also, the installation script is more configurable, and these configurations will be stored into run/torbox.run after the installation.
  • New: Optional but highly recommended, automatic counteractions on log related events can be activated in the Countermeasure sub-menu. These counteractions should avoid the downtime of the connection to the tor network and give a better user experience, especially on connections with lower bandwidth. Most likely, this feature will be implemented as default in the next TorBox version. However, we are dependent on your feedback on this new feature. For more information, see under “Test and play with the ‘automatization’ feature“.
  • New: Wifi driver for RTL8812bu for Raspberry Pi OS added and for Debian/Ubuntu updated.
  • Fixed: Access to the Tor Control Port from the clients produces a warning message in the tor log. Even if we don’t assess this as a security risk, to avoid the warning message, access to the Tor Control Port from the clients is disabled by default but can be activated in the Configuration sub-menu.
  • Improved: By default, all access to a tor related URL (torproject.org) will be done through tor for security reasons of users in highly authoritarian countries. This includes tor and TorBox menu updates as well as bridge fetching and checking. If a connection through tor is not possible, the user is asked if it is safe to access the URL directly. If the user agrees, the local DNS resolution will be made through public name servers to avoid cheap censorship mechanisms (for more information, see here); if the user disagrees, the access to the tor related URL is blocked.
  • Improved: The file run/torbox.run is modified to a configuration file. The public name servers and the connectivity-check URL can be changed there and are used by every script (for more information, see here).
  • Improved: Configuring the TorBox bridge relay allows to set the bridge distribution method (requested by DEC-entralized, see details in the commit d5b0045eec2e79c60dfd33b0239a5d1e4291597f).
  • Improved: The configuration of the TorBox bridge relay can also be changed when the OBFS4 bridge relay is running. No deactivation before and activation after the changes are necessary anymore.
  • Improved: Pressing ENTER in the TorBox bridge relay configuration dialogue doesn’t set the default values but the latest used ones.
  • Improved: The installation scripts and the compatibility with Debian and Ubuntu systems as well as with 64 bit systems.
  • Improved: We have a new way to set the hostname, which should avoid error messages.
  • Removed: We don’t install tor from the Torproject repository anymore. As a fallback, an LTS version of tor is installed from the Raspberry Pi OS and the Debian repository (depending on your system), which is replaced by the latest stable version from the Tor’s Github Repository. This gives us a fallback – if someone uses the installation script and Tor’s Github Repository is blocked, the LTS version of tor is still installed, and the user can update to a newer version later through tor. So far, this is the best way to solve the “chicken or the egg” problem.
  • Removed: The new_ident script is replaced by tor-prompt commands in the menu script (SIGNAL NEWNYM).
  • Experimental: Vanguards – Guard discovery and related traffic analysis protection – added (mentioned by nyxnor, see details in issue #72). Vanguards are optional and have to be activated in the Countermeasure sub-menu.
How to update from TorBox v.0.4.1 (13.06.2021)?

To update a TorBox v.0.4.1 (13.06.2021) installation, you can perform the following tasks. This deletes all your custom made configurations but does not alter your bridge relay keys. Nevertheless, we recommend, if possible, using the new image.

  1. Please, make sure that TorBox has Internet connectivity.
  2. Update the system: Go to the Update and Reset sub-menu, update the base system and the TorBox menu (entries 1 and 5).
  3. To ensure that all necessary packages are installed, execute the following commands (please, make sure that you copy the entire line!):
    sudo apt-get -y install hostapd isc-dhcp-server usbmuxd dnsmasq dnsutils tcpdump iftop vnstat debian-goodies apt-transport-https dirmngr python3-pip python3-pil imagemagick tesseract-ocr ntpdate screen git openvpn ppp shellinabox python3-stem raspberrypi-kernel-headers dkms nyx obfs4proxy apt-transport-tor build-essential automake libevent-dev libssl-dev asciidoc bc devscripts dh-apparmor libcap-dev liblzma-dev libsystemd-dev libzstd-dev quilt zlib1g-dev
  4. Update tor: Go to the Update and Reset sub-menu again and actualize the TorBox menu (entry 4).
  5. Install Vanguards, if you want to use it:
    sudo bash install/install_vanguards.sh
  6. Replace the changed configuration files:
    # Backup in case
    sudo cp /etc/tor/torrc /etc/tor/torrc.bak
    # ATTENTION: This will overwrite your modifications as well as the configuration for the OBFS4 bridge relay
    # If you run a bridge relay use "backup/restore the Bridge Relay configuration"
    sudo cp etc/tor/torrc /etc/tor/
    cp etc/system/system.d/rc.local /etc/system/system.d/
    The commands above should work. Alternatively, you could also go to the Update and Reset sub-menu and reset the entire TorBox configuration from there (entry 8).
  7. Reboot TorBox.
Your feedback is welcome!!

We hope this version pleases you. However, we are dependent on feedback. It is not just about fixing bugs and improving usability, but also about supporting additional interfaces and hardware in future releases:

  • What do you like?
  • What should be improved (why and how)?
  • What would you like to see next? Which features do you request?

With the TorBox GitHub repository, it is straightforward for everyone to report issues or to change the code and to propose it in a pull request. Because we continue to travel around, it sometimes needs a little more time to address the issues and proposals. 

Known problems and bugs
  • BUG: The current image file is built with Linux Kernel 5.10.52. Unfortunately, we didn’t realize that all the additional network drivers (Realtek 8188eu, 8188fu, 8192eu, 8812au, 8812bu, 8814au, 8821au, 8821cu, and 8822bu) are not yet available for this Linux Kernel Version. The latest supported Linux Kernel is version 5.10.49. Those already working with the current image file or who have updated the system and need one of these network drivers can fix the bug by updating the TorBox menu (update and reset sub-menu entry 5) and executing the following command on TorBox’s command prompt:
    cd ~/torbox
    bash install/step_back_to_kernel_5.10.49

    Afterwards, rerun menu entry 2 in the Update and Reset sub-menu.
    The current image is updated. BUG FIXED✔︎
  • BUG: The integration of TorBox’s automatic counteractions into rc.local resulted in some nasty bugs, which we didn’t see before: rc.local needs absolute paths, not relative ones; there was also an error in getting the name of the internet interface from the run-file, which broke the execution of the automat script. We also put the logs of TorBox’s automatic counteractions into a separate file (/var/log/tor/automat.log) so that it is easier to see if automatic counteractions were activated or not. You can fix the bug by updating the TorBox menu (update and reset sub-menu entry 5). The current image is updated. BUG FIXED✔︎
  • BUG: Due to a little bug in the script, TorBox tells during the activation of the Meek-Azure bridge that the bridge is offline, which is not the case. However, you can continue, and the bridge will work without any problem. You can fix the bug by updating the TorBox menu (update and reset sub-menu entry 5). The current image is updated. BUG FIXED✔︎
  • BUG: Pressing the enter key in the OBFS4 port definition (“port number of the OBFS4”) during the OBFS4 Bridge Relay configuration will not automatically take the latest used or the default number. This will result in a faulty torrc entry (ServerTransportListenAddr obfs4 0.0.0.0: instead of, for example, ServerTransportListenAddr obfs4 0.0.0.0:443). This will prevent tor from starting until the ServerTransportListenAddr line is fixed or deactivated. The workaround is easy: don’t press the enter key during the OBFS4 Bridge Relay configuration, but write the number into the dialogue. However, you can fix the bug by updating the TorBox menu (update and reset sub-menu entry 5). The current image is updated. BUG FIXED✔︎

TorBox v.0.4.1 released — easier than ever

We are very dependent on your feedback! In this release, we have made an effort to implement more of your requests and, again, to improve the usability of TorBox based on your feedback. In this journey to the TorBox v.0.4.1, nyxnor has been a huge support, rewriting the OBFS4 bridge support of TorBox, which is now easier than ever to use. We also experimentally implemented “Shellinabox”, which gives clients access to the TorBox menu through a web browser so that the installation of an SSH client is no longer necessary. You can try it out by using https://192.168.42.1:9000 on a WiFi client and https://192.168.43.1:9000 on a cable client. Unfortunately, with the self-signed certificate for its secure connections, browsers will show a warning message during the first connection, which has to be ignored. We are eager to hear your feedback on “Shellinabox”. Do you know better alternatives? Let us know!

With the TorBox GitHub repository, it is straightforward for everyone to report issues or to change the code and to propose it in a pull request. Because we continue to travel around, it sometimes needs a little more time to address the issues and proposals. This is especially true for the TorBox website:

Over the following weeks, we will update the TorBox website to reflect all the changes introduced with TorBox v.0.4.1. Until then, some information could be outdated and refer to the older version.

TorBox Image (about 940 MB): v.0.4.1 (13.06.2021) – SHA-256 values
TorBox Menu only: v.0.4.1 (13.06.2021) – SHA-256 values

Since we had to install additional software packages and update the configuration files, we recommend using the new image rather than updating an existing system. However, we have added a short guide at the end of this post for those who absolutely must update from the previous version (not older!).

Changelog: v.0.4.0 (10.04.2021) –> v.0.4.1 (13.06.2021)
  • Update: The system is based on Raspberry Pi OS “Buster” Lite with a Linux Kernel 5.10.17 and Tor version 0.4.5.8.
  • Update: Internal list of bridges updated.
  • New: Installing with one of the installation scripts and using the option “–select-tor” makes it possible to choose the tor version to be installed.
  • New: The installed tor version can be updated or changed with entry 4 in the Update and Reset sub-menu, where “DEFAULT” installs the latest stable version and “EXPERT” gives access to a variety of TorBox versions, including the -rc and -alpha versions.
  • New: A new script was added to the torbox folder but not yet included in the TorBox menu, which should automatically react to log-related events. The idea behind it is that, with the next version, TorBox can automatically handle a disconnection from a WiFi network or the tor network. For example, if the tor log file indicates that the entry guard is failing, TorBox should choose a new entry guard in the background. If successfully tested, the necessary rules will follow later and are expected to be integrated into the Countermeasure sub-menu.
The “EXPERT” button showing up with choosing entry 4 in the Update and Reset sub-menu gives a list of possible tor versions.
  • Fixed: Using entry 10 in the Configuration sub-menu to enable the SSH access to TorBox from the Internet was not permanent when chosen so, but was permanent when chosen temporary (mentioned by bhafer, see details in issue #46).
  • Fixed: SOCKS v5 port for destination address stream isolation was falsely set on port 9051 used for the Tor Control Port. The port is now changed to 9052.
  • Fixed: The Tor Control Port (9051) is now accessible from clients (mentioned by bhafer, see details in issue #46).
  • Fixed: OBFS4 bridges with IPv6 addresses are now handled correctly (see details in issue #55).
  • Fixed: After the installation, the go source package wasn’t removed from the home directory.
  • Fixed: All known problems and bugs listed in the Blog entry to TorBox v.0.4.0.
  • Improved: The use and handling of OBFS4 bridges are now more intuitive and in line with the use of the Meek-Azure and Snowflake bridges. There is no need anymore to activate OBFS4 bridge functionality in two steps. Also, the explanation about the functionality of bridges, pluggable transports and their use was completely rewritten. This amazing work was done by nyxnor – thank you very much!
The cleaned-up Countermeasure sub-menu of TorBox v.0.4.1.
  • Improved: If one of the pluggable transports (OBFS4, MEEK, SNOWFLAKE) will be activated, another already running pluggable transport will be automatically deactivated.
  • Improved: When installed from the image file, with the first start of the TorBox menu, the SSH server keys will be replaced by new ones. (mentioned by rsaxvc, see details in issue #40).
  • Improved: All installation scripts can be run several times, for example, if the first installation attempt was not successful or when the system has to be reinstalled.
  • Improved: The support for Ubuntu 20.04 / 21.04 and Debian 10/11 systems.
  • Improved: Clean up the code of the TorBox Wireless Manager.
  • Improved: We removed the first blank line to use the maximum available space for the entries in all menus. Also, the sub-menu to set up an OBFS4 relay server on the TorBox now looks more similar to the Countermeasure sub-menu.
  • Improved: Restarting tor is now accessible from the Main menu.
  • Improved: The slack space of the TorBox image is now overwritten by zeros (with the program zerofree). This probably is why the compressed image of TorBox v.0.4.1 is almost 220 MB smaller than the image of TorBox v.0.4.0 (thanks goes to rsaxvc for the suggestion, see details in issue #39).
  • Experimental: “Shellinabox” added to the TorBox and set up on port 9000. With “Shellinabox”, users can access the TorBox main menu through a web browser using https://192.168.42.1:9000 on a WiFi client and https://192.168.43.1:9000 on a cable client. Unfortunately, with the self-signed certificate for its secure connections, browsers will show a warning message during the first connection, which has to be ignored. To use a secure connection between the web browser and Shellinabox, the user must accept this certificate. We are eager to hear your feedback on “Shellinabox”. Do you know better alternatives? Let us know!
How to update from TorBox v.0.4.0 (10.04.2021)?

To update a TorBox v.0.4.0 (10.04.2021) installation, you can perform the following tasks. This deletes all your custom made configurations but does not alter your bridge relay keys. Nevertheless, we recommend, if possible, using the new image.

  1. Please, make sure that TorBox has Internet connectivity.
  2. Update the system: Go to the Update and Reset sub-menu, update the base system, the TorBox menu (entry 1 and 5) and after that, update to the newest version of tor (entry 4).
  3. To ensure that all necessary packages are installed, execute the following commands (please, make sure that you copy the entire line!):
    sudo apt-get -y install hostapd isc-dhcp-server obfs4proxy usbmuxd dnsmasq dnsutils tcpdump iftop vnstat links2 debian-goodies apt-transport-https dirmngr python3-pip python3-pil imagemagick tesseract-ocr ntpdate screen nyx git openvpn ppp tor-geoipdb build-essential shellinabox
  4. Replace the changed configuration files:
    # Backup in case
    sudo cp /etc/tor/torrc /etc/tor/torrc.bak
    # ATTENTION: This will overwrite your modifications as well as the configuration for the OBFS4 bridge relay
    # If you run a bridge relay use "backup/restore the Bridge Relay configuration"
    sudo cp etc/tor/torrc /etc/tor/
    sudo cp etc/motd /etc/
    sudo cp etc/hostapd/hostapd.conf /etc/hostapd/
    sudo cp etc/default/shellinabox /etc/default/shellinabox
    sudo mv /etc/shellinabox/options-enabled/00+Black\ on\ White.css /etc/shellinabox/options-enabled/00_Black\ on\ White.css
    sudo mv /etc/shellinabox/options-enabled/00_White\ On\ Black.css /etc/shellinabox/options-enabled/00+White\ On\ Black.css
    sudo systemctl restart shellinabox.service
    sudo cp torbox/etc/hostname /etc/
    sudo cp torbox/etc/hosts /etc/
    The commands above should work. Alternatively, you could also go to the Update and Reset sub-menu and reset the entire TorBox configuration from there (entry 8).
  5. Reboot TorBox.
Known problems and bugs
  • BUG: Using the installation scripts with the option –select-torbox or using the EXPERT option in changing/updating tor with the Update and Reset sub-menu doesn’t show all relevant recent tor versions. You can fix this bug by updating the TorBox menu (update and reset sub-menu entry 5). BUG FIXED✔︎
  • LOOK&FEEL: Tor displays the following warning: “You have a ControlPort set to accept connections from a non-local address. This means that programs not running on your computer can reconfigure your Tor. That’s pretty bad, since the controller protocol isn’t encrypted! Maybe you should just listen on 127.0.0.1 and use a tool like stunnel or ssh to encrypt remote connections to your control port.” This warning is generated because the Tor Control Port (9051) is now accessible from clients (see details in issue #46). However, if you control the clients and/or if you change the password of the Tor Control Port (entry 3 in the Configuration sub-menu), it doesn’t constitute a security risk. If this is not acceptable, the following entries can be removed from /etc/tor/torrc:
    ControlPort 192.168.42.1:9051
    ControlPort 192.168.43.1:9051

    Don’t remove ControlPort 9051!! Our plan for TorBox v.0.4.2 is to disable the accessibility of the Tor Control Port from clients again as default but to integrate into the Configuration sub-menu an option to enable/disable the accessibility.
Your feedback is welcome!!

We hope this version pleases you. However, we are dependent on feedback. It is not just about fixing bugs and improving usability, but also about supporting additional interfaces and hardware in future releases:

  • What do you like?
  • What should be improved (why and how)?
  • What would you like to see next? Which features do you request?

TorBox v.0.4.0 released — welcome TorBox Wireless Manager!

In the last months, we travelled around, and with this release, we tried to implement some improvements based on our experience with the daily application of the TorBox. The most significant improvement is abolishing wicd and introducing our new TorBox Wireless Manager (TWM). Not only is the TWM much easier to use, but it also doesn’t need so much power. Another pleasant novelty is the support of Meek-Azure and Snowflake, which should also work in China. During our travels, we have noticed incorrect DNS resolution regarding torproject.org in some countries. Probably, this is a kind of cheap censorship mechanism. For this reason, during the installation and updates, local DNS resolutions are made through Google’s and Cloudflare’s Domain Name Servers instead of using the Internet provider’s presetting delivered by DHCP. Important: these settings are only for TorBox local traffic; all data from the clients are routed through Tor (including DNS requests). Nevertheless, some users complained about using Google’s and Cloudflare’s DNS servers and requested to implement other DNS servers. In the FAQ, we explain our decision in detail and how someone, who cannot live with it, has the possibility to change these settings.

TorBox Image (about 1 GB): v.0.4.0 (10.04.2021) – SHA-256 values
TorBox Menu only: v.0.4.0 (10.04.2021) – SHA-256 values

We strongly recommend using the new image rather than updating an existing system. 

The new TorBox Wireless Manager, which replaces wicd.
Changelog: v.0.3.2 (24.08.2020) –> v.0.4.0 (10.04.2021)
  • Update: The system is based on Raspberry Pi OS “Buster” Lite with a Linux Kernel 5.10.17 and Tor version 0.4.5.7. The Tor Project fixed in this latest version two critical denial-of-service bugs: TROVE-2021-001 and TROVE-2021-002, of which only the first one is relevant for clients.
  • New: wicd has been replaced by the TorBox Wireless Manager (TWM). We like to hear your feedback.
  • New: Support for Meek-Azure and Snowflake implemented, which should also work in China. Meek uses a technique called “domain fronting” to send a message to a Tor relay in a way that is hard to block. Meek-Azure makes it look like you are browsing to Microsoft’s Azure server instead of using Tor. Snowflake is an improvement upon Flashproxy. It sends your traffic through WebRTC, a peer-to-peer protocol with built-in NAT punching. However, because Meek-Azure and Snowflake are slower, OBFS4 bridges should be used first. If not needed, the best is not to use bridges in the first place. Please, tell us about your experiences with the use of bridges to circumvent censorship.
  • New: Based on several user requests, the configuration sub-menu (entry 11) comprises now an option to block all HTTP plain text traffic through Tor. This should avoid unencrypted data traffic at the Exit Node, which could break your anonymity (see here). However, it is possible that not only http-requests but also other tools, such as VPN clients, will no longer work. Where possible, we recommend installing HTTPS Everywhere in the Browser. We like to hear your feedback on your experiences about that feature so that we can decide if we should block all HTTP plain text traffic by default, starting with one of the next releases.
  • New: Based on several user requests, TorBox can be configured to be accessed with SSH from the Internet.
  • New: Based on several user requests, support for additional network drivers was added: Realtek 8188eu, 8188fu, 8192eu, 8812au, 8814au, 8821au, 8821cu, and 8822bu.
  • New: It is now possible to connect/disconnect the TorBox from a VPN using the countermeasure sub-menu without changing Tor’s primary interface to the Internet. With this feature, the user can influence the route of the local network data from the command line and, for example, circumvent censorship measures that don’t allow updating TorBox. Additionally, it gives the possibility to completely disconnect the TorBox from a VPN after finishing using main menu entry 9, which enables TorBox to route Tor over VPN (for more information about Tor over VPN / VPN over Tor, see here).
  • New: In the main menu, in the top right corner, a message shows not only if Tor is working (meaning https://check.torproject.org returns a positive result), but also if the TorBox is connected to a VPN (meaning that local network data from the command prompt is routed through VPN).
  • New: Installation script for Debian 10 (Buster) and Debian 11 (Bullseye) – for more information, see here.
  • Fixed: The user “torbox” was not a member of the group “netdev”, which causes a display error in the entry 1 and 3 in the update and reset sub-menu.
  • Fixed: During the installation of TorBox with the installation script, Tor will be compiled because the Tor Project doesn’t provide a binary version for the Raspberry Pi. We had this option before in the update and reset sub-menu but not in the installation script, which led to missing tor packages.
  • Fixed: Fixed the download path for the TorBox menu in the installation as well as in the update and reset sub-menu. We also changed the GitHub download path for the Raspberry Pi Framebuffer Copy needed for Adafruit’s PiTFT installation. GitHub is suddenly changing URLs, which is a pain in the ass.
  • Fixed: Missing path to torbox.lib in some scripts, which use Bridges and prevented Tor from restarting automatically.
  • Fixed: Wrong menu entry relating to the countermeasure against a disconnection when idle after a restart.
  • Improved: During the installation and updates, local DNS resolutions are made through Google’s and Cloudflare’s Domain Name Servers to avoid cheap censorship mechanisms. Important: these settings are only for TorBox local traffic; all data from the clients are routed through Tor (including DNS requests). For more information and an explanation of how it is possible to change it, see here.
  • Improved: The support for Sixfab Shields/HATs for cellular connections can now be installed offline.
  • Improved: The script to install the Adafruit PI TFT is now locally stored and not fetched from the Adafruit Github Repository (Adafruit changed it, and it was broken). However, an Internet connection is still necessary for the installation.
  • Improved: The support for installing TorBox on an Ubuntu 20.04 / 20.10 or Debian Buster/Bullseye system. TorBox’s implementation on other systems and hardware is experimental because we do not have the resources to check all details on all different installations. You can help us by reporting errors back to us.
  • Improved: Cleaned up the code and outsourced more essential functions into the TorBox library or separate sub-scripts. This will help to maintain the code in future releases properly.
  • Improved: The appearance of all menus has been streamlined, and in the files, we fixed some minor errors.
The countermeasure sub-menu of TorBox v.0.4.0 with Snowflake and Meek-Azure.
Known problems and bugs
  • LIMITATION: If HTTP plain text traffic is blocked (configuration sub-menu entry 11), .onion addresses, which use “http://”, don’t work anymore directly with Chrome and Chromium. Both browsers will behave like all other browsers by default, because based on IETF RFC 7686, applications that do not implement the Tor protocol generate an error upon the use of .onion and do not perform a DNS lookup. However, .onion addresses using “http://” can be used through SOCKS 5 even if the HTTP plain text traffic is blocked. Onion addresses using “http://” can also be used with the Tor Browser – with or without its own Tor instance – running on a client. In other words, blocking HTTP plain text traffic does not work if SOCKS 5 proxy functionality or Tor Browser is used on a client. WARNING MESSAGE ADDED✔︎
  • PROBLEM: People running an OBFS4 bridge relay will probably encounter the following hourly error message: “Unable to find IPv6 address for ORPort xxxx.” It seems that with Tor version 0.4.5.* the Tor Project focuses on improving the IPv6 support (until now, a Tor relay needs a public IPv4 address). At the same time, they changed the address auto-discovery behaviour (see here, here and here), which probably leads to this hourly error message. Even though the Tor Project writes in the Changelog for 0.4.5.7 that they removed “a spammy log notice falsely claiming that the IPv4/v6 address was missing”, it doesn’t seem to work completely. However, this error message has no negative effect on the operation and the status on Metrics. PROBLEM SOLVED✔︎
  • BUG: Entry 5 in the update and reset sub-menu, which should update the TorBox menu, fails to remove the old lib/__pycache__ directory. Even if saying yes to remove it, the update will be incomplete because it cannot replace the old lib directory. Unfortunately, all files in that directory except lib/__pycache__ are deleted, so that the TorBox menu will not properly work anymore. It can be fixed with the following procedure:
    – Leave the TorBox menu by pressing ESC
    – Type sudo chmod a+w -R lib
    – Start TorBox menu again by typing ./menu
    – Start the update and reset sub-menu and execute entry 5
    After this procedure and the successful update, the bug is fixed. The current image is updated. BUG FIXED✔︎
  • BUG: This affects only Bridge Relay operators: due to a bug in the main menu script, every second time when the main menu was started, the OBFS4 and ORPort was blocked, which set the Bridge Relay offline. You can fix this bug by updating the TorBox menu (update and reset sub-menu entry 5). The current image is updated. BUG FIXED✔︎
  • BUG: Already in TorBox v.0.3.2, main menu’s start-up can be stuck on the message “Checking connectivity to the Internet – please wait…” for an annoying amount of time if TorBox has no Internet connection. In TorBox v.0.4.0, the introduced timeout had no effect because we did it in a wrong way. You can fix this bug by updating the TorBox menu (update and reset sub-menu entry 5). The current image is updated. BUG FIXED✔︎
  • BUG: Using entry 10 in the configuration sub-menu to enable the SSH access to TorBox from the Internet was not permanent when chosen so, but was permanent when chosen temporary (for a description and a quick fix, see issue #46). You can fix this bug by updating the TorBox menu (update and reset sub-menu entry 5). BUG FIXED✔︎
  • BUG: Entry 7 in the update and reset sub-menu did not erase all passwords in the TorBox Wireless Manager. To take effect, a reboot is needed. You can fix this bug by updating the TorBox menu (update and reset sub-menu entry 5). BUG FIXED✔︎
  • BUG: Because of a wrong variable name, the Snowflake and the Meek-Azure bridges got in the way (for details see issue #48). Nyxnor fixed the bug with the pull request #49 and #51. You can fix this bug by updating the TorBox menu (update and reset sub-menu entry 5). BUG FIXED✔︎
  • BUG: With TorBox v.0.3.2, we introduced a new SOCKS v5 port, which supports destination address stream isolation. Unfortunately, we used the port number, which is reserved for the Tor control port. So far, this didn’t have any adverse side effects. However, this is not the way it is supposed to be. For that reason, we changed the SOCKS v5 port for destination address stream isolation to 9052. You can fix this bug by changing in /etc/tor/torrc the following lines: SocksPort 192.168.42.1:9051 IsolateDestAddr -> SocksPort 192.168.42.1:9052 IsolateDestAddr and SocksPort 192.168.43.1:9051 IsolateDestAddr -> SocksPort 192.168.43.1:9052 IsolateDestAddr (with or without #) or by updating the TorBox menu (update and reset sub-menu entry 5) and then copying the default torrc to /etc (cp etc/tor/torrc /etc/tor/torrc). The proposed fix will most likely break tor because the menu script must also be adapted to the new port. For that reason, the fix will be included in TorBox v.0.4.1. BUG NOT FIXED IN v.0.4.0
  • LOOK&FEEL: Because we offer several install scripts, which, depending on the operating system, install Tor in different ways, we decided to include the repository for Tor’s binaries and sources, knowing that, for example, on Raspberry Pi OS apt-get update shows an error message, which has no effect. However, inexperienced users might be discouraged by the error message. See also issue #36. You can fix this bug by updating the TorBox menu (update and reset sub-menu entry 5). The current image is updated. CLOSED✔︎
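
The three torrc faults described in these release notes (a ServerTransportListenAddr with an empty port, ControlPort lines bound to the client-facing addresses, and a SocksPort on the port number used by the Tor Control Port) can be caught before tor is restarted. The following check is an added example and not part of TorBox; the function names, finding codes and the sample torrc are constructed for illustration.

```shell
#!/bin/sh
# Added example (not TorBox code): lint a torrc for the three faults
# described in the release notes above. Reads a file, or stdin if none given.
# Prints one finding per line as "<line-number> <CODE> <directive>" and
# returns 1 if anything was found, 0 otherwise.
lint_torrc() {
    awk '
    function report(line, code, text) {
        printf "%d %s %s\n", line, code, text
        found++
    }
    function is_loopback(a) {
        return (a ~ /^127\./ || a == "localhost" || a == "[::1]")
    }
    # Split "[addr:]port" into the globals ADDR and PORT.
    # Returns 0 for values that open no TCP listener (0, auto, unix:path).
    function parse_spec(v,    i) {
        if (v ~ /^[0-9]+$/) {              # bare port: tor binds to localhost
            ADDR = "127.0.0.1"; PORT = v
            return (v != "0")
        }
        if (v ~ /^unix:/ || v !~ /:[0-9]+$/) return 0
        i = match(v, /:[0-9]+$/)
        ADDR = substr(v, 1, i - 1); PORT = substr(v, i + 1)
        return 1
    }
    { sub(/#.*/, "") }                     # drop comments, including "#ControlPort ..."
    NF < 2 { next }
    { key = tolower($1) }                  # option names are case-insensitive

    # Control protocol is unencrypted: flag any listener that is not loopback.
    key == "controlport" && parse_spec($2) {
        ctrl_port[PORT] = NR
        if (!is_loopback(ADDR)) report(NR, "CONTROLPORT_NONLOCAL", $0)
    }
    # Remember SOCKS listeners; compared against control ports in END.
    key == "socksport" && parse_spec($2) {
        n++; socks_line[n] = NR; socks_port[n] = PORT; socks_text[n] = $0
    }
    # "ServerTransportListenAddr obfs4 0.0.0.0:" (empty port) stops tor from starting.
    key == "servertransportlistenaddr" {
        p = $3; sub(/^.*:/, "", p)
        if ($3 !~ /:[0-9]+$/ || p + 0 < 1 || p + 0 > 65535)
            report(NR, "BAD_LISTEN_ADDR", $0)
    }
    END {
        # Port numbers only are compared: reuse on another address is still flagged.
        for (i = 1; i <= n; i++)
            if (socks_port[i] in ctrl_port)
                report(socks_line[i], "SOCKS_ON_CONTROLPORT", socks_text[i])
        exit (found > 0)
    }
    ' "${1:--}"
}

# Constructed sample input: the faulty entries from the notes next to safe ones.
sample_torrc() {
    cat <<'EOF'
SocksPort 192.168.42.1:9050
SocksPort 192.168.42.1:9051 IsolateDestAddr
ControlPort 9051
ControlPort 192.168.42.1:9051
#ControlPort 192.168.43.1:9051
ServerTransportListenAddr obfs4 0.0.0.0:
EOF
}

sample_torrc | lint_torrc || true
```

On a TorBox, the same function can be pointed at the live file with `lint_torrc /etc/tor/torrc` before restarting tor.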

Update your TorBox

We have good and bad news…

Bad News
The next TorBox release (v.0.3.3 or v.0.4.0) will probably not be published before the end of March 2021. The reason is that, currently, we travel around and test TorBox in real-world use. The lessons learned will be implemented in the next releases. At the same time, as bandwidth spoiled freaks, we realized that in some places in the world the Internet connections are suicidally slow. This makes a release during our trip pretty much impossible.

Good News
If you have TorBox 0.3.2, you don’t need to wait to update the base system or the Tor version on your TorBox. First, choose entry 1 in the Update and Reset submenu to update your base system (to Linux Kernel 5.4.83). However, this will not update Tor because, for whatever reason, the Tor Project repository doesn’t support armhf anymore. To update Tor, choose entry 3 in the Update and Reset submenu. This will update Tor to the version 0.4.4.6. This version has improved guard selection algorithms, adds v3 onion balance support and includes fixes for TROVE-2020-005.

The status message seen under entry 3 in the Update and Reset submenu after the update to the newest Tor version.

Travelling around, we experienced in some countries a wrong DNS resolution regarding torproject.org. Probably, this is a kind of cheap censorship mechanism. This is why we added to our update script a set of open name servers. In other words, if entry 3 in the Update and Reset submenu produces an error and refuses to update Tor, first try entry 4, leave the Update and Reset submenu (it has to be reloaded) and try entry 3 again. In the next TorBox version, this set of open name servers will be installed as default. Important: these open name servers are only used for the DNS requests directly from the command prompt of the TorBox (during installations, updates, administrative work etc.), but not by the clients. Clients’ DNS requests are resolved through Tor.

We are working hard to replace wicd with our own lightweight wireless manager for TorBox v.0.4.0. The main reason is that it seems that wicd is not developed further. Several attempts to contact the developers went unanswered. The current version of wicd doesn’t support Python version 3, which produces some headaches under Ubuntu. At the same time, however, it is also an opportunity to significantly simplify the handling of wireless networks in TorBox.

Test version of the new TorBox Wireless Manager, which is replacing wicd in the next major release of TorBox.

TorBox v.0.3.2 released — all about user wishes

We are very dependent on your feedback! In this release, we have made an effort to implement your requests and improve the usability of TorBox based on your feedback.

If you download the new TorBox image or install it with our TorBox installer, it is important to notice that for security reasons, we locked/removed the user “pi”. To log into TorBox, you have to use the username: torbox / password: CHANGE-IT. Please, do not forget to change the default passwords as soon as possible (the associated entries are placed in the configuration sub-menu). Since we had to install additional software packages and update the configuration files, we recommend using the new image rather than updating an existing system. However, we have added a short guide at the end of this post for those who absolutely must update from the previous version (not older!).

TorBox Image (about 1.2 GB): v.0.3.2 (24.08.2020) – SHA-256 values
27.08.2020: the image has been updated with Tor version 0.4.3.6

TorBox Menu only: v.0.3.2 (24.08.2020) – SHA-256 values

Main Menu TorBox v.0.3.2

• • •

Changelog: v.0.3.1 (30.05.2020) –> v.0.3.2 (24.08.2020)
  • Update: The system is based on Raspberry Pi OS “Buster” Lite with a Linux Kernel 5.4.51 and Tor version 0.4.3.6.
  • New: Based on several user requests, TorBox now supports internet connectivity over a VPN. Nevertheless, we do NOT recommend using a VPN. If Tor entry guards cannot be reached for censorship reasons, we recommend using OBFS4 bridges. Nevertheless, we consider the additional risk of this “Tor over VPN” situation to be proportionate.
  • New: Also, based on user requests, we added in the configuration sub-menu the possibility to deactivate the TorBox access point functionality. In other words: you can now disable TorBox’s WiFi, which only makes sense, and is only possible, with (a) cable-connected client(s). 
  • New: Based on another user request, we added a new SOCKS v5 port to support destination address stream isolation. You can choose whether the old port 9050 without stream isolation or the new port 9051 (later changed to 9052) with stream isolation should be used. We consider the implementation as “experimental” because we are worried about a possible negative impact on performance when using stream isolation. We would like to hear your feedback on your experiences with that feature so that we can decide whether to enable it for all data streams, not only for that particular socket.
  • New: Support for 3.5″ no-name TFT displays. Please let us know if you wish to have support for additional displays.
  • New: A new feature enables the functionality to add a new OBFS4 bridge automatically. Because we do not want to overload the Tor Bridge database unnecessarily with requests, this function only returns one bridge every 24 hours.
  • New: Slowly but steadily, TorBox is becoming more system and hardware independent. For that reason, the login to administer the TorBox is now “torbox” (with the default password “CHANGE-IT”). For security reasons, on the Raspberry Pi OS, the user “pi” is locked (TorBox installer) or even removed (TorBox image).
  • Improved: Based on feedback from several users, we again changed how TorBox reconfigures its network settings. Honestly, the rewriting and fixing of the involved scripts was a real pain in the ass, and extremely time-consuming. Hopefully, the changes will smooth the user experience once more. Additionally, we also implemented a new failsafe mechanism, which should avoid lockout events. Before this update, that mechanism was implemented in the configuration script. Now, we moved it into the rc.local, so that TorBox can fix itself at startup.
  • Improved: Also, based on user requests, we improved the way how the completion of the various operations in the update and reset sub-menu is communicated to the user. We also improved the way TorBox’s configuration files are being updated / reset. Finally, we added a time synchronization feature in the update and reset sub-menu under the entry 10 “Just fixing and cleaning”. In case of a time synchronization problem, just open the sub-menu, mark entry 10 with the space key, and press “Enter” to fix it.
  • Improved: We also improved the DHCP server capabilities, which should minimize cases in which TorBox has to be restarted when switching from one connectivity setting to another.
  • Improved: To make TorBox more hardware and system independent, we modified how the user password gets changed.
  • Improved: The indicators in the configuration sub-menu are now updated after each change. This prevents incorrect entries after changing the configuration.
  • Improved: The reboot and shutdown functions have been combined in one single menu entry to save space on the main menu. 
  • Improved: The installation scripts.
  • Fixed: There was an error in the Internet indicator. When wlan1 was chosen as a source, the indicator was set to eth1 and vice versa.
  • Fixed: There was another error in the INTERNET <-> WLAN0  <-> ETH0 <-> CLIENT configuration, which could prevent a trouble-free operation.
  • Fixed: We forgot to update the package lists before  we started to update to the newest version of Tor in the update and reset sub-menu. That was not very smart and, finally, broke the update functionality. We also forgot to inform the user to which version we would update Tor, which gave the whole operation a “Russian roulette” feeling.  We now also check if we could successfully download the Tor source files and display a message if something went wrong. Moreover, because of a typo, the folder “~/debian-packages” was not removed after the operation.
  • Fixed: By choosing iOS Tethering or an USB adapter using the eth1 interface (main menu entry 8), a wrong info-screen was displayed.
  • Fixed: We switched from “service rsyslog stop” to “systemctl stop rsyslog” to change logging from high to low in the configuration sub-menu. The former worked under Raspberry Pi OS, but not under Ubuntu.
  • Fixed: An error in the installation script for the Raspberry Pi OS prevented the hostname from being set to TorBox031. Because we use the installation script to build our image, this error was also on the image.
  • Experimental: A new installation script for installing TorBox on a hardware-independent Ubuntu-system (Ubuntu 20.04 LTS 32/64 Bit) is available. 
Starting with TorBox version 0.3.2, no-name 3.5″ TFT displays will be supported (the image is from the 0.3.2 pre-version).
How to update from TorBox v.0.3.1 (30.05.2020)?

To update a TorBox v.0.3.1 (30.05.2020) installation, you can perform the following tasks. This deletes all your custom-made configuration, but does not alter your bridge relay keys. Nevertheless, we recommend, if possible, to use the new image.

  1. Please, make sure that TorBox has Internet connectivity.
  2. Update the system: Go to the TorBox update and reset sub-menu (main menu entry 12) and update the base system and also the TorBox menu (entry 1 and 4). This will update TorBox’s packages and the Linux kernel to version 5.4.51.
  3. To ensure that all necessary packages are installed, execute the following commands (please, make sure that you copy the entire line!):
sudo apt-get -y update
sudo apt-get -y install hostapd isc-dhcp-server obfs4proxy usbmuxd wicd-curses dnsmasq dnsutils tcpdump iftop vnstat links2 debian-goodies apt-transport-https dirmngr python3-setuptools python3-pip python3-pil imagemagick tesseract-ocr ntpdate screen nyx git openvpn
sudo pip3 install pytesseract
sudo pip3 install mechanize

  4. Replace the changed configuration files:
sudo cp etc/tor/torrc /etc/tor/
sudo cp etc/dhcp/dhcpd.conf /etc/dhcp/
sudo cp etc/rc.local /etc/

The three commands above should work. Alternatively, you could also go to the TorBox update and reset sub-menu (main menu entry 12) and reset the entire TorBox configuration from there (entry 6).

  5. Restart TorBox
New: Automatically add a new OBFS4 bridge (the image is from the 0.3.2 pre-version).
Your feedback is welcome!!

We hope this version pleases you. However, we are dependent on feedback. It is not just about fixing bugs and improving usability, but also about supporting additional interfaces and hardware in future releases:

  • What do you like?
  • What should be improved (and how)?
  • What would you like to see next? Which features do you request?
Known problems and bugs
  • BUG – Entry 1 and 3 in the update and reset sub-menu should display the version of the installed Kernel, Tor, and Wicd. At the place of the wicd version, the following message is displayed: ERROR: wicd-curses was denied access to the wicd daemon: please check that your user is in the "^[[1;34mnetdev^[[0m" group. This bug has no consequences on the update procedure, but can be easily fixed with the following command at the command prompt: sudo adduser torbox netdev. To take effect, you have to reboot the TorBox. The installation scripts are already fixed – the current image is updated. BUG FIXED ✔︎
  • BUG – Additionally to the bug above, entry 3 in the update and reset sub-menu does not display the correct version of the newly available Tor version. This bug has no consequences on the update procedure. We fixed the script, which can be updated with the entry 4 in the update and reset sub-menu. The current image is updated. BUG FIXED ✔︎
  • BUG – Another little bug (actually, it was only a typo) prevented installing the newly available self-compiled Tor version (menu entry 3). We fixed the script, which can be updated with the entry 4 in the update and reset sub-menu. The current image is updated. BUG FIXED ✔︎
  • BUG – The Adafruit’s PiTFT installer script (entry 12 in the configuration sub-menu) aborts because it tries to work with the /home/pi directory, which does not exist anymore. We fixed the script, which can be updated with the entry 4 in the update and reset sub-menu. The current image is updated. BUG FIXED ✔︎
  • BUG – We discovered an error in the script responsible for restoring the bridge relay configuration, which, in some situations, prevents the values in the torrc file from being restored. We fixed the script, which can be updated with the entry 4 in the update and reset sub-menu. The current image is updated. BUG FIXED ✔︎
  • PROBLEM – Even if there is a *.ovpn file in the ~/openvpn directory and openvpn seems to run, TorBox still reports that there is neither a connection to a VPN nor a *.ovpn file available. Various factors are responsible for this:
    • Currently, TorBox supports only tun0 as a valid VPN interface. Some VPN providers use tun1, tun2, tun3, etc. in their *.ovpn files, which can be easily fixed. We modified the script, which checks the *.ovpn file and changes tun* to tun0. The fact that we only support tun0 is already mentioned in the respective information displays, but the wording has been adjusted slightly. The responsible script can be updated with the entry 4 in the update and reset sub-menu. The current image is updated. PROBLEM SOLVED ✔︎
    • Additionally, it seems that our time-out of 10 seconds for establishing a VPN connection was a little bit optimistic. Therefore we increased the time-out to 15 seconds. The responsible script can be updated with the entry 4 in the update and reset sub-menu. The current image is updated. PROBLEM SOLVED ✔︎
  • OPEN ISSUE – Why is Tor version 0.4.2.7 installed and not the newer stable version 0.4.2.8 / 0.4.3.6? For the Raspberry Pi OS, only Tor version 0.4.2.7 is available. However, after an updated TorBox menu (entry 4 in the update and reset sub-menu), Tor version 0.4.3.6 can be installed with entry 3 in the update and reset sub-menu. As of August 27, the available image file includes Tor version 0.4.3.6. We also installed the tor-geoipdb package. ISSUE CLOSED✔︎
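
The tun* to tun0 rewrite mentioned in the VPN problem entry above, shown as an added example that is not TorBox's own script. The function names and the sample profile are constructed, and treating a bare "dev tun" as needing the rewrite is an assumption of this example.

```bash
#!/bin/bash
# Added example, not TorBox's script: pin the tunnel device of an OpenVPN
# client profile to tun0, the only VPN interface the page says TorBox supports.

# Constructed sample profile; the remote is a placeholder host.
sample_ovpn() {
  cat <<'EOF'
client
dev tun3
dev-type tun
proto udp
remote vpn.example.invalid 1194
EOF
}

# Print the device requested by the first "dev" directive (CRLF tolerated).
ovpn_dev() {
  awk '{ sub(/\r$/, "") } $1 == "dev" { print $2; exit }'
}

# Rewrite "dev tun" and "dev tunN" to "dev tun0". Assumption: a bare
# "dev tun" is pinned too, so the interface name is never left to OpenVPN.
# tap devices and directives such as dev-type or dev-node are not touched.
normalize_ovpn_dev() {
  sed -E 's/^([[:space:]]*dev[[:space:]]+)tun[0-9]*([[:space:]]*)$/\1tun0\2/'
}

# With a profile as argument: report its device on stderr and print the
# normalized profile to stdout (the file is not modified).
# Without an argument: run on the constructed sample.
if [ -n "${1:-}" ]; then
  echo "requested device: $(ovpn_dev < "$1")" >&2
  normalize_ovpn_dev < "$1"
else
  sample_ovpn | normalize_ovpn_dev
fi
```
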

Using a 5 GHz WiFi USB adapter (WiFi 5, 802.11ac)

If you’re using a Raspberry Pi and need a WiFi USB adapter, it’s important to note that most 2.4 GHz adapters work “out of the box.” However, this is not necessarily the case with 5 GHz WiFi USB adapters. Therefore, this article provides insights into the compatibility of three 5 GHz WiFi USB adapters with Raspberry Pi. We’ll also discuss the availability of driver software and the performance of these adapters based on our long-term observation.

Remark: Since TorBox v.0.4.0, the additional needed network drivers have already been installed on the provided TorBox image. There is also the possibility of (re)installing the drivers using the Update and Maintenance sub-menu, which may be necessary with a Raspberry Pi 5.

We want to focus mainly on the nano-sized adapters because they usually have a lower power consumption. Nevertheless, as an alternative, we tested the AC1300 from TP-Link. It is a modern adapter that is relatively large and has two internal antennas. The tests were performed mainly on a Raspberry Pi 4 Model B. The following adapters were (by chance) available for the test (more adapters may be tested on request – let me know):

The Netgear AC1200

The Netgear AC1200 is not supported “out of the box” by the Raspberry Pi. To make it work, we need to install the Realtek RTL8812BU driver. The installation is straightforward:

# Updating the kernel headers and installing essential tools
sudo apt-get install -y raspberrypi-kernel-headers bc build-essential dkms
# Clone the driver to the Raspberry Pi
git clone https://github.com/morrownr/88x2bu-20210702.git
cd 88x2bu-20210702
# Install the driver
sudo ./install-driver.sh NoPrompt
# Remove the cloned repository
cd ..
sudo rm -r 88x2bu-20210702

After the driver’s installation and a reboot, the Netgear AC1200 adapter is discovered by the Raspberry Pi and is ready to use. In the TorBox main menu, using entry 6, we get into TorBox’s Wireless Manager (TWM) and see all available 2.4 GHz and 5 GHz networks. During our test, the adapter lost the connection to the Internet after a few hours. A possible root of the problem could be a too-high power consumption or too much heat accumulation at the USB interface or the adapter. It may be a combination of both factors because both the USB interface of the Raspberry Pi and the adapter heat up a lot during operation. Maybe because of that, we didn’t see any speed advantages: the network performance on the 5 GHz network was not higher than with a simple 2.4 GHz USB WiFi adapter.

The TP-Link Archer T2U Nano AC600

Also, the TP-Link Archer T2U Nano AC600 does not work “out of the box”. To make it work, we need to install the Realtek RTL8812au driver. The installation is straightforward:

# Updating the kernel headers and installing essential tools
sudo apt-get install -y raspberrypi-kernel-headers bc build-essential dkms
# Clone the driver to the Raspberry Pi
git clone https://github.com/morrownr/8812au-20210820.git
cd 8812au-20210820
# Install the driver
sudo ./install-driver.sh NoPrompt
# Remove the cloned repository
cd ..
sudo rm -r 8812au-20210820

After successfully installing the driver and a reboot, the TP-Link Archer T2U Nano AC600 adapter is discovered by the Raspberry Pi and is ready to use. In contrast to the Netgear AC1200, the TP-Link Archer T2U Nano AC600 showed stable operation during the tests. The adapter did not lose connection to the network even during hours of operation. However, the heat development on the USB interface and the adapter was comparable to the Netgear AC1200. It seems that this is a general problem of nano-sized adapters, which lack the surface area to dissipate heat. Again, no higher network performance than with simple 2.4 GHz WiFi USB adapters could be observed.

The TP-Link Archer T4U AC1300

AC1200 (Realtek RTL8812BU), which can be installed as described above. After installing the driver, our surprise was enormous. The TP-Link Archer T4U AC1300 showed higher stability than the Netgear AC1200. The adapter showed stable operation during the tests – at 2.4 GHz and 5 GHz, and even operated with battery power. It did not lose connection to the network even during hours of operation. As expected, connected to a 5 GHz network, the TP-Link Archer T4U AC1300 shows a significantly higher network performance. Random influences cannot be excluded, but when downloading the LibreOffice package, constant data rates could be detected, which were at least twice as high as with the other two adapters or with simple 2.4 GHz USB WiFi adapters. Possibly, the two available antennas with the multi-user MIMO technology come into play here. Interestingly, the adapter only slightly warms itself and the USB interface, probably due to the significantly larger surface of the adapter and the ventilation holes.

A Raspberry Pi 4 Model B with the “giant” TP-Link Archer T4U AC1300.
Conclusion

In general, simple, low-powered USB WiFi adapters lead to fewer problems. 5 GHz WiFi USB adapters don’t work “out of the box” with a Raspberry Pi. Searching and installing the necessary network drivers can be challenging. Unfortunately, nano-sized adapters don’t deliver what they promise – it is more or less throwing money out of the window. In contrast, the excellent test results of the TP-Link Archer T4U AC1300 surprised us positively. The purchase of this adapter could be worthwhile because of the availability of the 5 GHz networks and because of the higher throughput due to the multi-user MIMO technology. The TP-Link Archer T2U AC600 also ran reliably, impressed with its stability. Although it opens up the world of 5 GHz networks, higher throughput rates are not to be expected with this adapter. In contrast, the Netgear AC1200 left somewhat mixed feelings. It also allows docking to 5 GHz networks without providing higher throughput rates. However, this adapter makes a much less stable impression in daily use. Regularly, after a few hours, it loses its connection to the network, which is unacceptable. The biggest problem with all these more complex adapters is that they are not supported out of the box by the Raspberry Pi OS.

Update in Spring 2024: I used the TP-Link Archer T4U AC1300 for the last 3.5 years on my TorBox, which I use for daily operations. It is still remarkable how reliable and fast this adapter is working. Although the adapter is still being sold, we will soon test two new WiFi 6 USB adapters.

The Raspberry Pi 4 and the trouble with its USB-C connector

A look at the underside of the Raspberry Pi 4 reveals the board revision. If there is a transistor directly next to the “MICRO” lettering of the MicroSD card slot (below), then it is the new board revision 1.2 without the USB-C bug. With an old Raspberry Pi 4 (above), the transistor is still located at the edge of the board (Source: Thomas Koch and Mirko Dölle, “Voll aufgebort: USB-C-Anschluss des Raspberry Pi 4 ausnutzen”, C’T Heft 10, 2020, p. 136ff).

With the Raspberry Pi 4, the USB Micro-B connector has been replaced by a USB-C connector for the power supply. This was also necessary because, so far, no other Raspberry Pi model has drawn that much power. USB-C supports an electrical supply of at least 20V / 3A / 60W up to a maximum of 20V / 5A / 100W. This would be enough for a Raspberry Pi 4 under full load and additional USB devices, even if the official Raspberry Pi 4 Power Supply Unit (PSU) provides “only” 15.3W. In contrast, the sold USB Micro-B to USB-C adapter is not a long-lasting solution because the maximum power delivery of such an adapter is 12.5W. Especially in the beginning, when the Raspberry Pi 4 was new on the market, there were power supply problems if the official PSU of the Raspberry Pi Foundation was not used. 

Even if the overall power consumption of the Raspberry Pi 4 was significantly improved with the firmware updates in late autumn 2019, this has not been the only problem with the USB-C connector. Due to a faulty circuit, many existing USB-C power supplies and cables cannot power the Raspberry Pi 4. Only “dumb” cables without a SOP controller are working. 

Actually, the bug was fixed with board revision 1.2, which theoretically should be available in stores starting from the end of February. However, since this is not visible on the labeling, buying a Raspberry Pi 4 is like playing Russian Roulette. By looking at the packaging, the revision of the board inside is not recognizable. Once the board finally ends up in your hands, you can tell by a transistor right next to the “MICRO” lettering of the MicroSD card slot whether this is board revision 1.2 or not (see image on the right side). If the board is already in operation, there are several commands to check the board revision:

# Variant 1
cat /sys/firmware/devicetree/base/model

# Variant 2
cat /proc/cpuinfo | grep Model

EXPERIMENTAL: TorBox on Ubuntu Server 20.04 LTS (32/64 bit) and other hardware platforms

We recommend running TorBox on a Raspberry Pi 3 (Model B / Model B+) or a Raspberry Pi 4 Model B under Raspberry Pi OS “Buster” Lite. However, we created a new installation script that installs TorBox on Ubuntu Server 20.04 LTS (32/64 bit) and, therefore, might run on other hardware platforms (this script is currently in an experimental state).

Please give us feedback if you are using other hardware than the Raspberry Pi and have tried this installation script under Ubuntu.

The Coronavirus Pandemic and the Technological Progress

It is not surprising that technology is playing an essential role in the fight against the coronavirus pandemic. However, this pandemic is the first of its kind to use modern technologies such as artificial intelligence (AI) for almost real-time responses. This can be seen, for example, with Nextstrain, where the geographic spread and mutation of the virus can be tracked by examining its genetic code. Sequencing is an important, fundamental technology here that makes a detailed understanding of the virus and insights into combating the pandemic possible. It has been possible to identify the nucleotide sequence of a DNA or RNA molecule since 1995. However, there has since been breathtaking progress that has revolutionized the biological sciences.

The ways of spreading the coronavirus are convoluted. It has spread across the entire planet from its start in China. The colors represent different geographic regions. (Source: Nextstrain).

The progress of the past 25 years can be seen in the speed with which the coronavirus could be sequenced entirely. While the SARS (SARS-CoV) virus took about three months to sequence, the novel coronavirus was sequenced within a month, with the results published January 10, 2020, by Professor Zhang Yong-Zhen of the Shanghai Public Health Clinical Center. While globalization made it possible for the virus to spread worldwide quickly, global networking is helping to investigate the virus with its unique scope and nature. Specialized laboratories that have acquired the necessary molecules for a few thousand dollars can use the published genome sequence to assemble a copy of the virus, inject it into a cell, and activate it. Of course, there is also a certain risk associated with this ability, as was demonstrated 20 years ago when a deadly virus was produced from an emailed genome sequence. In order to prevent this technology from falling into the wrong hands and being used for the wrong purpose, orders placed in the United States for specific pieces of DNA are recorded in a database and are only delivered to authorized laboratories. Besides, the technological hurdles for the laboratories remain quite high (for now). The big advantage of this technology is that specialized laboratories around the world can research a virus without the need for a live sample from a contaminated area. Ralph S. Baric, a US coronavirus expert, sees this technology as the future of how the medical research community will respond to new viral threats. In 2008, his laboratory at the University of North Carolina had synthesized a coronavirus for study purposes that did not exist in nature.

We are at the point where the best of the best can start to synthesize this new virus contemporaneously with the outbreak. But that is just a few labs. Fortunately, we are still far from the point when lots of people can synthesize anything.

Nicholas G. Evans, cited in Antonio Regalado, “Biologists Rush to Re-Create the China Coronavirus from Its DNA Code”, MIT Technology Review, 15.02.2020.

Technologies based on AI not only accelerate the sequencing and analysis of genomes but are also used to support diagnostics and research. Although the analysis of a nasopharyngeal swab is the most common method of a COVID-19 diagnosis, if there is a lack of test kits or if the patient population is very high, AI techniques can use CT scans of the lungs on a triage basis to identify those patients that are most likely to be infected. However, it is rather questionable whether this technique alone can also be used to diagnose an infection. Besides, the diagnosis of a nasopharyngeal swab is more reliable and cheaper if there are enough test kits. By contrast, the use of AI makes more sense when searching for and developing effective treatment and vaccination options. For example, Insilico Medicine used AI techniques to identify thousands of molecules for potential drugs in just four days and published the results on its website. Nevertheless, AI cannot solve every problem: before new treatment methods, or vaccination options can be used, they have to pass time-consuming clinical tests, which cannot be accelerated with modern technologies. It is, therefore, still unlikely that vaccination will be available on the market before the third quarter of 2021. An overview of all the currently researched treatment methods and vaccination options can be found here.

At the beginning of the coronavirus pandemic, there was not only a shortage of test kits in some countries, but with the high number of patients in intensive care units, there were also not enough valves and face masks needed to support the breathing of patients. There was also an inadequate supply of personal protective equipment for medical personnel. In part, such supply issues could be alleviated by using 3-D printers. For example, the Italian start-up Isinnova reverse-engineered a valve that is important for patient ventilation with the permission of its manufacturer Intersurgical, 3-D printed it, and made it available to hospitals in northern Italy. Isinnova has also manufactured a valve that can be used together with the Decathlon Easybreath snorkel mask as an oxygen mask in hospitals. The company Materialise, in turn, is offering a wide range of different products from its 3-D printers: face mask holders, face shield holders, respiratory masks, door openers, and shopping cart holders. In a comprehensive article that he is continuously updating, Michael Petch is tracking the wealth of 3-D printed products being created in response to the coronavirus pandemic.

Encrypting ransomware lurks in the background of this alleged corona tracking app.

Networking plays a central role in all of these technological approaches. However, this networking can have negative consequences when the widespread fear and high demand for information are exploited. In the early stages of the coronavirus pandemic in Europe in particular, false information that spread via WhatsApp and Telegram encouraged panic buying. Since the retailers were unable to replenish their shelves quickly enough for logistical and personnel reasons, the gaps suggested a non-existent supply problem, which only exacerbated the hoarding.

In the area of cybercrime, attacks using phishing emails are increasingly being used. These emails usually pretend to contain important information or an offer behind a link or in a document that presents itself as time-sensitive, but then download malicious software and spyware or steal data, as was the case with the two alleged emails from the German bank Sparkasse and the WHO. However, even the mere dissemination of false information can cause physical damage, as demonstrated, for example, by the probable 2,850 methanol poisonings and the resulting 480 deaths in Iran. In this case, it was claimed that drinking industrial alcohol would kill the virus. As another example, in the UK, 5G cell towers were set alight because conspiracy theories claimed that the coronavirus pandemic and 5G were related. Ransomware is a particular type of malware that encrypts the contents of data carriers and only decrypts them once a “ransom” has been paid. For example, ransomware for smartphones lurked in an alleged corona tracking app. Computers in hospitals and medical laboratories are also being targeted by ransomware. In mid-March, for example, the Champaign-Urbana Public Health District in Illinois paid a $350,000 ransom to get its data decrypted.

How a contact tracing app works.

The threats to society that arise from the expansion and increasing use of surveillance options are at a more strategic level. Already by the end of April, 23 countries had introduced digital contact tracing, and 43 apps existed worldwide that enabled contact tracing. However, not all of these apps are effective or secure. The apps, all of which only use GPS, fail to provide enough precision to prevent false reports. Ten countries have gone even further and have been using facial recognition cameras (in Russia, for example); others have added heat sensors (for example, China and Singapore), surveillance drones (for example, Australia, China, and India), and networked video surveillance systems (for example, Singapore). Censorship measures have been tightened in at least twelve countries (for example, in China, Cambodia, and Singapore), and internet access has been restricted in at least four countries.

The Swiss École polytechnique fédérale de Lausanne is testing its decentralized contact tracing app, with members of the Swiss armed forces helping as test subjects.

If data is to be recorded, collected, and evaluated using a contact tracing app, for example, to combat the coronavirus pandemic, certain basic conditions must be observed from an ethical perspective. Proportionality must be the first priority, i.e., data collection must be proportionate to the seriousness of the threat to public health or the restriction of public life. The consequences that the restrictive measures designed to contain the pandemic will have on other freedoms and the health consequences in the absence of such restrictive measures fundamentally affirm an ethically justifiable use of contact tracing apps. However, such apps, as well as the data collected and evaluated by them, must be restricted in such a way that they are used only for this one goal, i.e., to warn someone that has come into contact with a person diagnosed as infected. The app and data must not be misused for other purposes, lawful or otherwise, such as criminal investigations, anti-terrorism efforts, etc. In addition, there needs to be scientific proof that the solution delivers the intended added value, which is why contact tracing apps based exclusively on GPS are ethically questionable due to their inaccuracy. Besides, the data collected should be anonymized effectively and stored as decentrally as possible. Information on the recording, collection, and evaluation of data must be provided transparently; this also includes keeping the source code for such apps open. The purpose of the transfer of data to third parties must be clear to the data subjects, and they must be able to rescind permission to such data collection in the future. The use of such apps, as well as the provision of the data, must be voluntary and only for a limited time. When an effective vaccine becomes available, the data collection must be stopped, the app and existing data have to be deleted.

TorBox v.0.3.1 released — all about bridges

Our goal with TorBox is not only to simplify the use of Tor as an anonymizing router but also to bring the use of bridges closer to those who want to get around censorship easily — with all their network traffic, not just their browser traffic.

TorBox v.0.3.1 comes one step closer to this goal. Not only has the management of OBFS4 bridges been improved once again, but it’s also now possible to check the status of bridges (online, offline, or doesn’t exist anymore) and based on that to enable, disable and delete them. For operators of a bridge relay, the possibility to backup and restore the relay data has been implemented. Also, other smaller improvements and wishes have been taken into account, which are listed in detail below.

Since we also had to update the configuration files, we recommend using the new image rather than updating an existing system. We have added a short guide at the end of this post for those who absolutely must update from the previous version (not older!).

TorBox Image (about 675 MB): v.0.3.1 (30.05.2020) – SHA-256 values
TorBox Menu only: v.0.3.1 (30.05.2020) – SHA-256 values

We would appreciate feedback so that we can make further improvements. The three most valuable pieces of feedback will get a ProtonMail $100 Gift Card (sent as a PDF). Additionally, we still have one Raspberry Pi 3 Model B to give away — of course, installed with the latest TorBox version. If you are interested, just send us an email.

Changelog: v.0.3.0 (12.01.2020) –> v.0.3.1 (30.05.2020)
  • Update: The system is based on Raspberry Pi OS “Buster” Lite with Linux Kernel 4.19.118 and Tor version 0.4.2.7.
  • New: The list of OBFS4 bridges now displays the status of each bridge (online, offline, or doesn’t exist anymore – see image below). The bridge management is rewritten. You can now easily activate, deactivate, and remove bridges in three ways: all, based on a specific status of the bridge, or only selected. For example, you could activate all bridges, deactivate only the offline ones, and remove bridge #3 and #5.
  • New: The ability to backup and restore your bridge relay configuration, including your identity keys. This is important because when upgrading your bridge relay or moving it to a different computer, the important part is to keep the same identity keys. Keeping backups of the identity keys so you can restore a relay in the future is the recommended way to ensure the reputation of the relay won’t be wasted. The backup is stored / can be placed in the home directory, from which you can download / upload it with an SFTP client (using the same login / password as the SSH client).
  • New: An arrow in the main menu indicates from where you get the Internet.
  • New: USB Tethering with Android devices should now work (main menu entry 7). As I do not have an Android test device, this point needs to be tested further, and I rely on your feedback. I want to thank everyone who has been in active email correspondence with me on this point over the past weeks.
  • New: Added “Just fixing and cleaning” into TorBox’s Update & Reset sub-menu.
  • Improved: The countermeasure against a disconnect when idle feature (entry 10 in the Countermeasure sub-menu) now shows its status and can be deactivated.
  • Improved: Before Tor is compiled (option 3 in the Update & Reset sub-menu), the current version is checked, compared with the one in the repository, and the user can decide if he wants to abort before wasting time if no new version is available. Important: Currently, Tor can be updated with option 1 “Update the base system” in the Update & Reset sub-menu (main menu entry 12), and it is not necessary to compile Tor fresh.
  • Improved: The overall reliability of the update script.
  • Improved: The overall reliability of the installation script. It is adapted to the new Raspberry Pi OS, and we hope that this is the beginning of a platform-independent use of TorBox.
  • Improved: Cleaned up the code and outsourced more essential functions into a library. This helps to maintain the code in future releases properly.
  • Fixed: After shutting down the Bridge Relay, the two ports remained open (at least in some instances).
  • Fixed: If the Bridge Relay is deactivated and Tor is freshly started, the message appears that the ports are opened to the outside, even if this is not the case.
  • Fixed: An error in changing the password of the Tor control port broke the enforcing of a new exit node with a new IP (main menu entry 2).
  • Fixed (post-release): rfkill blocks the Raspberry Pi’s onboard WiFi chip and makes it impossible to create TorBox’s WiFi (it seems to be newly activated with Raspberry Pi OS) – we set rfkill unblock all in /etc/rc.local and had to rebuild the image again on Sunday, May 31, 2020 (we kept the same filenames).
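
The changelog entry on backing up and restoring the bridge relay identity keys, worked through as an added example (not TorBox's own script). It assumes the standard Tor DataDirectory layout with keys/ and pt_state/; the function names and the placeholder files are constructed for illustration.

```shell
#!/bin/sh
# Added example: back up and restore a bridge relay's identity material.
# Assumption: standard Tor DataDirectory layout (keys/, pt_state/); the files
# TorBox's own backup feature archives are not listed on this page.

identity_paths() {      # identity directories present in DataDirectory $1
    for d in keys pt_state; do
        [ -d "$1/$d" ] && echo "$d"
    done
    return 0
}

identity_digest() {     # one SHA-256 over all identity files, for comparison
    ( cd "$1" || exit 1
      find $(identity_paths .) -type f | LC_ALL=C sort | xargs sha256sum ) |
        sha256sum | cut -d' ' -f1
}

backup_relay_keys() {   # $1 = DataDirectory, $2 = archive to create
    [ -f "$1/keys/secret_id_key" ] ||
    [ -f "$1/keys/ed25519_master_id_secret_key" ] || {
        echo "no identity key under $1/keys" >&2; return 1; }
    # The archive holds private keys: create it owner-only (mode 600).
    ( umask 077; tar -C "$1" -czf "$2" $(identity_paths "$1") )
}

restore_relay_keys() {  # $1 = archive, $2 = DataDirectory to restore into
    # Refuse absolute or ".." member paths before anything is extracted.
    if tar -tzf "$1" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe member path in $1" >&2; return 1
    fi
    mkdir -p "$2" && ( umask 077; tar -C "$2" -xzpf "$1" )
}

roundtrip_demo() {      # constructed placeholder files, no real keys
    work=$(mktemp -d) || return 1
    mkdir -p "$work/old/keys" "$work/old/pt_state"
    echo "constructed-rsa-id" > "$work/old/keys/secret_id_key"
    echo "constructed-ed-id" > "$work/old/keys/ed25519_master_id_secret_key"
    echo '{"constructed":true}' > "$work/old/pt_state/obfs4_state.json"
    backup_relay_keys "$work/old" "$work/backup.tgz" &&
    restore_relay_keys "$work/backup.tgz" "$work/new" &&
    [ "$(identity_digest "$work/old")" = "$(identity_digest "$work/new")" ]
    rc=$?
    rm -rf "$work"
    return $rc
}

roundtrip_demo && echo "identity files identical after restore"
```

On a Debian-based system the restored files must afterwards be owned by the account Tor runs as (debian-tor with the Debian package), and the archive should be removed from the home directory once it has been copied off the device.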
How to update from TorBox v.0.3.0 (12.01.2020)?

Important: You cannot automatically update TorBox installations that are older than v.0.3.0 (12.01.2020)! If you need help, then please contact us.

With a TorBox v.0.3.0 (12.01.2020) installation, you can perform the following tasks. This deletes all your custom-made configuration but does not alter your bridge relay keys. Nevertheless, we recommend, if possible, to use the new image.

Your feedback is welcome!!

We hope this version pleases you. However, we are dependent on feedback. It’s not just about fixing bugs and improving usability, but also about supporting additional interfaces and hardware in future releases:

  • What do you like?
  • What should be improved (and how)?
  • What would you like to see next? Which features do you request?