Honestly, TorBox v.0.5.0 was not one of our finest. When I started to fix some known problems and bugs almost a month ago, I found so much more. It was time to go into details and especially to fix to code added with version 0.5.0 – row by row. This version should run more reliable and stable than the versions before. Nevertheless, we also added and updated some of the features. However, once again, it shows also the importance of user feedback. Please report to us your problems and found bugs. We also need to know what you would like to see next and which features you request? With the TorBox GitHub repository, it is straightforward for everyone to report issues or change the code and propose it in a pull request.
Since we had to install additional software packages and update the configuration files, it is necessary to use the new image or reinstall TorBox using one of our installation scripts.
• • •
Changelog: v.0.5.0 –> v.0.4.0 (19.07.2022)
- Update: The system is based on Raspberry Pi OS “Bullseye” lite (64 bit) with Linux Kernel 5.15.32 and Tor version 0.4.7.8. This version fixes several bug fixes, including a high severity security issue categorised as a Denial of Service. Everyone running an earlier version should upgrade to this version. Also, congestion control should improve traffic speed and stability on the network once most exit nodes upgrade. You can find more details about it in proposal 324 in the torspec.git repository. All installation scripts are updated to work with Raspberry Pi OS “Bullseye”, Debian 11 and Ubuntu Server 22.04 LTS. Additionally, we also updated TorBox’s internal list of OBFS4 bridges.
- Update: The installation script for Raspberry Pi OS had to be updated to work with the new Raspberry Pi OS images released in April. Also, starting with this version, TorBox will be only tested on the 64 bit version of the respective OS (Raspberry Pi OS, Debian and Ubuntu).
vitorfrom nyxnor’s onionwash repository.
- Update: the additional network driver so that they work with the new Linux kernel (unfortunately, Fars-Robotics didn’t update their network driver since October 2021).
shellinabox, which seems it is not maintained anymore. With
webssh, users don’t need a ssh client because every web browser can now jump in as a ssh client. A user on a wifi-client can type 192.168.42.1, someone on a cable-client 192.168.43.1. This functionality comes with a certain risk because
websshis not encrypted (this would need a self-signed certificate, which the browser doesn’t support easily). However, this shouldn’t cause any problems because the TorBox AP and its wlan or the connection cable should be controlled by you. By default,
websshcannot be accessed from the Internet. If you seek maximum security, you still can keep using an ssh client and even deactivate the
websshfunctionality in the Configuration sub-menu (entry 11).
- New: There is a new way to pass through captive portals by SPOOFING the MAC address of a device that passed the captive portal successfully. Tests showed that some captive portals could be better overcome with the old method (TUNNELLING), some function better with SPOOFING and some need combined both ways. See here for more information.
- New: Starting with this version, TorBox randomises the MAC addresses on
eth1by default. You can change that behaviour and set your own MAC address in the Configuration sub-menu (entry 8).
- Fixed: TorBox will not try to back up the OBFS4 Bridge Relay configuration if there is no such configuration.
- Fixed: It is impossible to simultaneously run the countermeasure against tightly configured firewalls and Snowflake, Meek and the OBFS4 Bridge Relay. This fix will prevent such a setting.
- Fixed: A bug broke the functionality on
ppp0and usb0. Also, before executing
pon, TorBox will check if
pppdis already working and shut it down.
- Fixed: Due to a little bug in the script, The menu entry, which should only activate OBFS4 bridges, which are ONLINE, fails to activate the OBFS4 mode properly. This bug prevents TorBox from deactivating the OBFS4 lines in the tor configuration file. Both are fixed.
- Fixed: Onion Service name bug (fixed by nyxnor).
- Improved: To prevent future bugs in the releases, a shellcheck Github action will be triggered with every pushed commit on the master repository.
- Improved: Local DNS resolution will be solely resolved through tor. This means that TorBox will not be able to resolve DNS requests from the local terminal if tor is not running. However, some functions, like Snowflake, Meek and time synchronisation, need clearnet DNS resolution to work without a running tor, but in this case, clearnet DNS resolution is explicitly activated for that purpose, and the user is asked or informed beforehand. DNS resolution from clients will always be made through tor, regardless of the settings. With the following commands in the terminal, local clearnet resolution can be set on/off (we will add that later in a “toxic “menu):
# Turn local clearnet DNS resolution on sudo iptables -t nat -D OUTPUT -p udp --dport 53 -j DNAT --to 127.0.0.1:9053 sudo iptables -t nat -D OUTPUT -p tcp --dport 53 -j DNAT --to 127.0.0.1:9053 sudo systemctl restart dnsmasq
# Turn local clearnet DNS resolution off sudo systemctl stop dnsmasq sudo iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to 127.0.0.1:9053 sudo iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to 127.0.0.1:9053
- Improved: The use of Onion Services, sharing folder and TFS. For example, the sharing folder functionality and TFS can use every folder inside
/var/wwwregardless of the name of the Onion Service. This gives the possibility that an Onion domain named
x.onioncan share the folder
/var/www/to_be_shared, and at the same time, TFS can control up- and/or downloads to/from the same folder using the Onion domain
- Improved: TFS can be started multiple times with different Onion domains. The file list is now alphabetically sorted. The message below the top banner can now display multiple lines (separated by a
\n). You can go into a sub-folder if you click on them, and if you start an upload in such a sub-folder, the uploaded files are placed there. Selecting multiple files and folders is now supported – they will be downloaded and compressed in a
.zipfile to the local client.
- Improved: Resetting Tor and enforcing a change of the permanent entry node in the update and maintenance sub-menu doesn’t deactivate the bridge and bridge relay mode anymore.
- Improved: Turning
systemd-journald.serviceoff by default to further reduce the logs.
TorBox v.0.5.0 is a major upgrade because starting with this version, it not only can be used to help clients to access the Internet safely and circumvent censorship, it also allows to bring your content in a safe and uncensored way to the Internet. Again, nyxnor, with his OnionJuggler project, was a key driver behind the Onion Services implementation into TorBox. With this version, TorBox introduces Onion Service support to share a simple website or/and files through Onion Services. However, this is only the start; in subsequent versions, we plan to support Onion Service access management on TorBox itself, and also a secure chat module is already programmed by Zotil but not yet implemented due to a lack of time. The support of Onion Services has much potential for developing TorBox further, but because our time is limited, it is essential that you give us feedback, what you need and want to see in the next version. Please feel free to use the discussion forum to tell us your needs.
Since we had to install additional software packages and update the configuration files, it is necessary to use the new image or to reinstall TorBox using one of our installation scripts.
Besides the support of Onion Services, TorBox brings additional updates, improvements and fixes:
- Update: The system is based on Raspberry Pi OS “Bullseye” lite with Linux Kernel 5.10.63 and Tor version 0.4.6.9. This version fixes several bugs from earlier versions of Tor. One important fix is the removal of DNS timeout metric from the overload general signal. During our test, we had the feeling that Tor version 0.4.6.9 works more stable and reliable than the versions before. All installation scripts are updated to work with Raspberry Pi OS “Bullseye”, Debian 11 and Ubuntu Server 20.04.3 LTS / 21.10. Additionally, we also updated TorBox’s internal list of OBFS4 bridges.
- New: The introduction of an Onion Services implementation allows the creation of Onion Services for public use or only for selected clients using client access restrictions. With the Onion Services sub-menu (found in the “defend the open Internet” sub-menu), it is easy to share a folder with a static webpage, files etc. on an .onion domain with our without client access control, even if the TorBox is located behind a firewall, a network translator or placed in a censoring country. With TorBox File Sharing (TFS), upload and/or download files can be allowed to the public or specific clients.
- New: Since 2021, the TorBox team observed more and more providers (especially in connection with open hotspots) blocking ports needed for tor to work properly (tor commonly uses ports 80, 443, 9001 and 9030 for network traffic and directory information). Therefore, TorBox uses by default countermeasures against a tightly configured firewall taking care that tor uses only ports 80 and 443 for its data stream. We didn’t observe any negative impact (nevertheless, probably this feature should be deactivated if a bridge relay is run on the TorBox).
- New: torrc is now edited by nyxnor’s vitor, which checks the accuracy of tor configuration inside torrc before saving the new configuration file. This should avoid a broken tor configuration by using the advanced tor configuration editor. Vitor is part of the OnionJuggler project. Also, after changing tor’s configuration, TorBox is asking to restart tor.
- New: The team has been working hard to improve the code’s quality and introduced some basic coding guidelines, which we will implement step by step in the coming up versions. Also, we started to check the code with ShellCheck. Thanks to nyxnor for the inspiration!
- Improved: The “first-use” script introduced in TorBox’s last version had some major shortcomings, expecting the Internet is connected to the Ethernet interface. With TorBox v0.5.0, the “first-use” script was extensively rewritten. It supports now all the usual connection types. Additionally, if the countermeasures against a tightly configured firewall setting should stay activated, what we highly recommend.
- Improved: As part of our new basic coding guidelines, we rewrote the “Update and Reset” sub-menu, now called “Update and Maintenance”. At the same time, we improved the update routines, which also updates the installed Python modules and Snowflake (if tor is updated). The ability to remove all OBFS4 Bridge Relay Data was moved into the OBFS4 Bridge Relay sub-menu.
- Improved: The TorBox Wireless Manager (TWM) is now sorting the list of available wifi along with the signal strength. Hidden networks are only displayed after pushing the H key to declutter the main screen. Also, the code under the hut was again optimized (for example, a timeout was added if the AP doesn’t respond after sending a wrong password, optimizations for small screens and more).
- Improved: If TorBox’s WLAN is permanently disabled, the TWM tries to reconnect to a Wireless Network on
wlan0, not only on
wlan1. However, if
wlan1are available, TWM will prioritize
wlan1(in this case, we think there is a reason why an USB wifi adapter is connected to the TorBox 😉). This also fixed an issue mentioned by connected201.
- Improved: TorBox’s Automatic Counter Measures (TACA) checks after reconnecting with a wifi network if the interface got an IP address from the remote DHCP server. If this is not the case, it restarts the interface, triggering the request for a new IP. Also, TACA will detect if the system time is out of sync and re-synchronize it with ntpdate.
- Improved: Captive Portals are a pain in the ass! If the login page cannot be reached for whatever reason, TorBox provides a direct way back into the TWM (network reset included) to try it again. We have the experience that Captive Portals are getting harder to pass. However, currently, we are experimenting with another alternative way to deal with Captive Portals. If successful, we will add it immediately to TorBox v.0.5.0, which will be available after updating the TorBox menu in the “Update and Maintenance” sub-menu.
- Improved: Cable support is easier to accomplish now. We reviewed and simplified the code to achieve this goal. Consequently, we merged
set_captive_2and removed the older files. This also fixed an issue mentioned by connected201.
- Improved: Usability of the Countermeasure against a disconnection when idle feature.
- Improved: The tor log file is now shown with a filter to declutter the output, and “Bootstrapped 100% (done): Done” message is highlighted in white.
- Improved: The Bridge Relay backup file is placed into
- Fixed: In the expert mode of the tor install scripts and the “Update and Maintenance” sub-menu, a hiccup due to a broken sort algorithm prevented the showing up of tor x.x.10 versions.
- Fixed: Even TorBox’s WLAN was permanently disabled, it was activated again when using
wlan0as an Internet source. This bug was reported by connected201.
- Fixed: Snowflake is running again.
- Security: We must mask both tor services to ensure no use of tor connections before configuring TorBox with the “first use” routine.
- Security: Since the last TorBox version, all access to a tor related URL (for example,
torproject.org) directly from the TorBox have been done through tor for security reasons. Thanks to an advice from nyxnor, we switched to a more secure curl SOCKS5 method (
curl -x socks5h://127.0.0.1:9050).
- Removed: Display of the Vanguards log because there is nothing interesting to see.
• • •
We need your feedback!!
We hope this version pleases you. However, we are dependent on feedback. It is not just about fixing bugs and improving usability, but also about supporting additional interfaces and hardware in future releases:
- What do you like?
- What should be improved (why and how)?
- What would you like to see next? Which features do you request?
With the TorBox GitHub repository, it is straightforward for everyone to report issues or change the code and propose it in a pull request. Because we continue to travel around, it sometimes needs more time to address the issues and proposals.
For future versions, it is essential that we know what you need and want to see from the Onion Services implementation. Please feel free to use the discussion forum to tell us your needs.
• • •
Known problems and bugs
- BUG: TorBox will not automatically add a bridge when that option is chosen in the Countermeasure sub-menu. There are two reasons:
- It seems that version 0.4.8 of mechanize will not be correctly installed –> we had to switch back to version 0.4.7
You can fix that bug manually with the following commands:
sudo pip3 uninstall mechanize
sudo pip3 install mechanize==0.4.7
- The script
bridges_get.pystarted to fail because the HTML generated by https://bridges.torproject.org/bridges?transport=obfs4%27 has changed –> we added the patch from lockcda (see issue #173 on GitHub). You can replace the old script with the patched one by updating the TorBox menu with the Update and Maintenance sub-menu. The image file is not fixed yet — PENDING! ⏳
- It seems that version 0.4.8 of mechanize will not be correctly installed –> we had to switch back to version 0.4.7