{"id":3936,"date":"2025-07-23T10:31:51","date_gmt":"2025-07-23T09:31:51","guid":{"rendered":"https:\/\/www.torbox.ch\/?p=3936"},"modified":"2026-01-01T18:17:12","modified_gmt":"2026-01-01T17:17:12","slug":"torbox-v-0-5-4-security-and-maintenance-update-20-july-2025","status":"publish","type":"post","link":"https:\/\/www.torbox.ch\/?p=3936","title":{"rendered":"TorBox v.0.5.4 \u2013 Security and Maintenance Update 20 July 2025"},"content":{"rendered":"\n<p>In this Security and Maintenance Update, our focus was on fixing a possible vulnerability when using TorBox or TorBox on a Cloud as an OpenVPN server. To circumvent possible firewalls, the default port was set to <code>443<\/code>. So far, TorBox on a Cloud has not been affected by this vulnerability. However, fixing the OpenVPN server functionality on a real TorBox needed a change in the <code>iptables<\/code> configuration. This change, in connection with port <code>443<\/code>, would allow UDP packets sent to port <code>443<\/code> to be sent directly into the Internet, bypassing the redirection through the Tor network. But, wait, <code>https<\/code> traffic is TCP and not UDP, right? Unfortunately, UDP on port <code>443<\/code> is associated with the <a href=\"https:\/\/en.wikipedia.org\/wiki\/QUIC\" data-type=\"link\" data-id=\"https:\/\/en.wikipedia.org\/wiki\/QUIC\">QUIC protocol<\/a>, which was developed by Google and is now <a href=\"https:\/\/github.com\/radio24\/TorBox\/discussions\/366\">used by several major web services and applications<\/a> to provide faster and more efficient encrypted web connections. If UDP port <code>443<\/code> is blocked, applications using QUIC will automatically fall back to standard <code>HTTPS<\/code> over TCP port <code>443<\/code>, which will be routed through the Tor Network. If selected for installation, the OpenVPN server will use UDP port <code>1194<\/code> by default. 
The user can still change this port during the installation, but regarding possible firewalls, the safest solution is to forward this port. <\/p>\n\n\n\n<p><strong>TorBox Image<\/strong>&nbsp;(about 1 GB):&nbsp;<a href=\"https:\/\/www.torbox.ch\/data\/torbox-20250720-v054.img.xz\">v.0.5.4 (20.07.2025)<\/a>&nbsp;\u2013&nbsp;<a href=\"https:\/\/www.torbox.ch\/?page_id=1128\">SHA-256 values<\/a><br><strong>TorBox mini Image<\/strong>&nbsp;(about 1 GB):&nbsp;<a href=\"https:\/\/www.torbox.ch\/data\/torbox-mini-20250720-v054.img.xz\">v.0.5.4 (20.07.2025)<\/a>&nbsp;\u2013&nbsp;<a href=\"https:\/\/www.torbox.ch\/?page_id=1128\">SHA-256 values<\/a><br><strong>TorBox Menu only:<\/strong>&nbsp;<a href=\"https:\/\/www.torbox.ch\/data\/torbox054-20250720.zip\">v.0.5.4 (20.07.2025)<\/a>&nbsp;\u2013&nbsp;<a href=\"https:\/\/www.torbox.ch\/?page_id=1128\">SHA-256 values<\/a><\/p>\n\n\n\n<p>Alternatively, you can download the image from&nbsp;<a href=\"http:\/\/x63xkeiw3cgczc6lcwf62aoe35rp6hfcz3mympmuha7xhj63qdf3ngid.onion\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>our TorBox&nbsp;<\/strong><\/a><a href=\"http:\/\/x63xkeiw3cgczc6lcwf62aoe35rp6hfcz3mympmuha7xhj63qdf3ngid.onion\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>cloud test installation<\/strong><\/a>.<\/p>\n\n\n\n<h1><p style=\"text-align: center;\">\u2022 \u2022 \u2022<\/p><\/h1>\n\n\n\n<h5 class=\"wp-block-heading\">Changelog<\/h5>\n\n\n\n<p>Besides the fixes and security improvements regarding the OpenVPN server functionality, the <a href=\"https:\/\/www.torbox.ch\/?page_id=3544\">TorBox Mini variant<\/a> has received substantial attention in this update, and altogether, some more issues were addressed:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Updated<\/strong>: The system is based on\u00a0<a href=\"https:\/\/www.raspberrypi.com\/software\/operating-systems\/#raspberry-pi-os-64-bit\" target=\"_blank\" rel=\"noreferrer noopener\">Raspberry Pi OS \u201cBookworm\u201d lite 
64bit<\/a>\u00a0with the\u00a0<a href=\"https:\/\/kernelnewbies.org\/Linux_6.12\" target=\"_blank\" rel=\"noreferrer noopener\">Linux Kernel 6.12.34<\/a>\u00a0and\u00a0<a href=\"https:\/\/gitlab.torproject.org\/tpo\/core\/tor\/-\/raw\/release-0.4.8\/ReleaseNotes\" target=\"_blank\" rel=\"noreferrer noopener\">Tor version 0.4.8.17<\/a>\u00a0with\u00a0<a href=\"https:\/\/salsa.debian.org\/pkg-privacy-team\/obfs4proxy\/-\/blob\/master\/ChangeLog\" target=\"_blank\" rel=\"noreferrer noopener\">obfs4proxy version 0.0.14<\/a>\u00a0and\u00a0<a href=\"https:\/\/gitlab.torproject.org\/tpo\/anti-censorship\/pluggable-transports\/snowflake\/-\/blob\/main\/ChangeLog\">Snowflake 2.11.0<\/a>.<\/li>\n\n\n\n<li><strong>Security<\/strong>: TorBox provides better SSH access control mechanisms with special considerations for TorBox on a Cloud where SSH access is essential for installation and maintenance. A more comprehensive improvement regarding SSH access control is already integrated in the <a href=\"https:\/\/github.com\/radio24\/TorBox\/tree\/TorBox-v.0.5.5\">TorBox v.0.5.5 developer branch<\/a>, which allows selectively enabling\/disabling SSH access for certain types of clients, from the Internet or completely allowing\/blocking SSH access.<\/li>\n\n\n\n<li><strong>Security<\/strong>: A new feature enables administrators to enable\/disable root access.<\/li>\n\n\n\n<li><strong>Improved<\/strong>: We introduced a TorBox mini default Main Menu for users who want it to work and don&#8217;t want to have numerous options, which could brick the TorBox mini in the worst-case scenario. However, for experts, we included Multiple Client Support for TorBox mini, meaning if the expert Main Menu is enabled in the Danger Zone (this option is only available on TorBox mini), then you have all the connection possibilities in the Main Menu known from a standard TorBox. 
This is particularly interesting for experts who attach additional interfaces to a <a href=\"https:\/\/www.raspberrypi.com\/products\/raspberry-pi-zero-2-w\/\">Raspberry Pi Zero 2 W<\/a>. With the upcoming TorBox v.0.5.5, we are exploring the possibility of providing more flexibility regarding the cable interface. By default, TorBox will automatically detect and use clients on <code>eth0<\/code>, except when <code>eth0<\/code> is used as an Internet source; in this case, <code>eth1<\/code> is used as a potential client. However, in cases where a cable connection does not provide the Internet, we would like to use both <code>eth0<\/code> and <code>eth1<\/code> as potential client connections (see <a href=\"https:\/\/github.com\/radio24\/TorBox\/issues\/365\">issue #365<\/a>).<\/li>\n\n\n\n<li><strong>Improved<\/strong>: Documentation on how to back up\/restore domain exclusion lists is now accessible in the Danger Zone sub-menu.<\/li>\n\n\n\n<li><strong>Fixed<\/strong>: Year after year, the same issue &#8211; <a href=\"https:\/\/gitlab.torproject.org\/tpo\/core\/tor\/-\/tree\/main\">the official Tor repository on GitLab<\/a> changed the links to the different versions, leading to an error when trying to fetch the version information.<\/li>\n<\/ul>\n\n\n\n<h1><p style=\"text-align: center;\">\u2022 \u2022 \u2022<\/p><\/h1>\n\n\n\n<h5 class=\"wp-block-heading\">How to update<\/h5>\n\n\n\n<p><strong>For default installations of TorBox and TorBox mini<\/strong><\/p>\n\n\n\n<p>If you already have a running TorBox v.0.5.4, you can manually update your system to close potential vulnerabilities and update Tor:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Eventually, use entry 1 in the Update &amp; Maintenance sub-menu to update the base system.<\/li>\n\n\n\n<li>Use entry 5 in the Update &amp; Maintenance sub-menu to update the TorBox menu.<\/li>\n\n\n\n<li>Use entry 4 in the Update &amp; Maintenance sub-menu to update Tor and
Snowflake.<\/li>\n\n\n\n<li>Add\/change the following options in <code>run\/torbox.run<\/code> by using <code>sudo nano \/home\/torbox\/torbox\/run\/torbox.run<\/code>:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># OPENVPN access from the Internet\n# 0 - OPENVPN access from the Internet is blocked\n# 1 - OPENVPN access from the Internet is allowed (default)\nOPENVPN_FROM_INTERNET=0\n\n# NEW v.0.5.4-post: New added with default 1194\n# Default OPENVPN port\nOPENVPN_PORT=1194\n\n# Is this a TorBox Mini default installation?\n# 0 - No\n# 1 - Yes (default)\nTORBOX_MINI_DEFAULT=1<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Reconfigure the firewall by using an entry between 5 and 10 in the Main menu.<\/li>\n<\/ul>\n\n\n\n<p><strong>For default installations of TorBox on a Cloud<\/strong><\/p>\n\n\n\n<p>In addition to the steps for default installations of TorBox and TorBox mini explained above, do the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use entry 14 in the Configuration sub-menu to enable SSH access from the Internet. This is a precautionary measure in case something goes wrong. Once OpenVPN is working and your SSH access via OpenVPN has been tested successfully, you can disable SSH access from the Internet again.<\/li>\n\n\n\n<li>Save iptables with <code>sudo sh -c 'iptables-save &gt; \/etc\/iptables.ipv4.nat'<\/code><\/li>\n\n\n\n<li>Change all <code>--dport 443<\/code> to <code>--dport 1194<\/code> by using <code>sudo nano \/etc\/iptables.ipv4.nat<\/code>.
For experts: Compare <code>\/etc\/iptables.ipv4.nat<\/code> with <code>\/home\/torbox\/torbox\/etc\/iptables.ipv4-cloud.nat<\/code> and manually correct any incorrect entries (there should not be any).<\/li>\n\n\n\n<li>In <code>\/etc\/openvpn\/server.conf<\/code>, change <code>port 443<\/code> to <code>port 1194<\/code> by using <code>sudo nano \/etc\/openvpn\/server.conf<\/code>.<\/li>\n\n\n\n<li>On your client, in the <code>.ovpn<\/code> file, change <code>443<\/code> to <code>1194<\/code> on the line beginning with <code>remote<\/code>, using a text editor.<\/li>\n\n\n\n<li>Load the changed <code>iptables<\/code> rules with <code>sudo \/sbin\/iptables-restore &lt; \/etc\/iptables.ipv4.nat<\/code><\/li>\n\n\n\n<li>Restart OpenVPN by using <code>sudo systemctl restart openvpn<\/code><\/li>\n\n\n\n<li>Test OpenVPN and SSH access through OpenVPN<\/li>\n\n\n\n<li>Disable SSH access from the Internet by using entry 14 in the Configuration sub-menu<\/li>\n<\/ul>\n\n\n\n<h1><p style=\"text-align: center;\">\u2022 \u2022 \u2022<\/p><\/h1>\n\n\n\n<h5 class=\"wp-block-heading\">We need your feedback!!<\/h5>\n\n\n\n<p>We hope this version pleases you. However, we are dependent on feedback. It is not just about fixing bugs and improving usability, but also about supporting additional interfaces and hardware in future releases:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>What do you like?<\/li>\n\n\n\n<li>What should be improved (why and how)?<\/li>\n\n\n\n<li>What would you like to see next?
Which features do you request?<\/li>\n<\/ul>\n\n\n\n<p>With the&nbsp;<a href=\"https:\/\/github.com\/radio24\/TorBox\" target=\"_blank\" rel=\"noreferrer noopener\">TorBox GitHub repository<\/a>, it is straightforward for everyone to&nbsp;<a href=\"https:\/\/github.com\/radio24\/TorBox\/issues\" target=\"_blank\" rel=\"noreferrer noopener\">report issues<\/a>&nbsp;or change the code and propose it in a&nbsp;<a href=\"https:\/\/github.com\/radio24\/TorBox\/pulls\" target=\"_blank\" rel=\"noreferrer noopener\">pull request<\/a>.&nbsp;Because we continue to travel around, it sometimes takes more time to address the issues and proposals.&nbsp;<\/p>\n\n\n\n<p>For future versions, we need to understand what you require and what you would like to see from the Onion Services implementation. Please feel free to use the&nbsp;<a href=\"https:\/\/github.com\/radio24\/TorBox\/discussions\" target=\"_blank\" rel=\"noreferrer noopener\">discussion forum<\/a>&nbsp;to share your needs with us.<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this Security and Maintenance Update, our focus was on fixing a possible vulnerability when using TorBox or TorBox on a Cloud as an OpenVPN server. To circumvent possible firewalls, the default port was set to 443. So far, TorBox on a Cloud has not been affected by this vulnerability. 
However, fixing the OpenVPN server &hellip; <a href=\"https:\/\/www.torbox.ch\/?p=3936\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;TorBox v.0.5.4 \u2013 Security and Maintenance Update 20 July 2025&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_uag_custom_page_level_css":"","footnotes":""},"categories":[3],"tags":[],"class_list":["post-3936","post","type-post","status-publish","format-standard","hentry","category-blog"],"uagb_featured_image_src":{"full":false,"thumbnail":false,"medium":false,"medium_large":false,"large":false,"1536x1536":false,"2048x2048":false,"post-thumbnail":false},"uagb_author_info":{"display_name":"radio_24","author_link":"https:\/\/www.torbox.ch\/?author=1"},"uagb_comment_info":3,"uagb_excerpt":"In this Security and Maintenance Update, our focus was on fixing a possible vulnerability when using TorBox or TorBox on a Cloud as an OpenVPN server. To circumvent possible firewalls, the default port was set to 443. So far, TorBox on a Cloud has not been affected by this vulnerability. 
However, fixing the OpenVPN server&hellip;","_links":{"self":[{"href":"https:\/\/www.torbox.ch\/index.php?rest_route=\/wp\/v2\/posts\/3936","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.torbox.ch\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.torbox.ch\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.torbox.ch\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.torbox.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3936"}],"version-history":[{"count":10,"href":"https:\/\/www.torbox.ch\/index.php?rest_route=\/wp\/v2\/posts\/3936\/revisions"}],"predecessor-version":[{"id":4055,"href":"https:\/\/www.torbox.ch\/index.php?rest_route=\/wp\/v2\/posts\/3936\/revisions\/4055"}],"wp:attachment":[{"href":"https:\/\/www.torbox.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3936"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.torbox.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3936"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.torbox.ch\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3936"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}