Need help with circumventing censorship in China

Ladies and gentlemen, hello. I come from China, a country that is heavily censored on the internet. Yes, you read that right - this terribly oppressive country. I help those around me maintain internet freedom. Due to the various restrictions imposed by the Great Firewall (GFW), there are very few secure protocols available for us to use. Therefore, we use Tor.

My solution is as follows: I purchased a VPS in Switzerland and another in Canada. I connect to the Canadian VPS using the WireGuard protocol and deploy Tor on the Canadian VPS. My friends connect to my network in China and their traffic is directed to Tor as an exit node. However, I don’t trust the Canadian network, so I use the Swiss WireGuard as an inbound proxy for the Canadian Tor.

Now, here’s the problem: The Canadian VPS has a Debian 11 system whose default user is root. Should I create a regular user for Tor? And secondly, and most importantly, I’m not sure if my /etc/tor/torrc configuration file is secure and reasonable. This is because it concerns the safety of my friends’ lives (freedom of speech is a crime here and can land you in jail. Perhaps this is the most ridiculous age and country in human history). Therefore, I am seeking help from the community and hoping that the community management and developers can provide me with the maximum help and support. Thank you, God bless us all. Amen.
This is my configuration and I can’t be sure if it guarantees security and privacy, please review it.
cat /etc/tor/torrc

# CH WireGuard SOCKS5 pre-proxy in front of CA Tor
Socks5Proxy 10.19.6.1:10010

# Tor SOCKS5 listeners
SocksPort 10.9.6.1:19990 IsolateDestAddr IsolateDestPort
SocksPort 10.9.6.1:19991 IsolateDestAddr IsolateDestPort
SocksPort 10.9.6.1:19992 IsolateDestAddr IsolateDestPort
SocksPort 10.9.6.1:19993 IsolateDestAddr IsolateDestPort
SocksPort 10.9.6.1:19994 IsolateDestAddr IsolateDestPort
SocksPort 10.9.6.1:19995 IsolateDestAddr IsolateDestPort
SocksPort 10.9.6.1:19996 IsolateDestAddr IsolateDestPort
SocksPort 10.9.6.1:19997 IsolateDestAddr IsolateDestPort
SocksPort 10.9.6.1:19998 IsolateDestAddr IsolateDestPort
SocksPort 10.9.6.1:19999 IsolateDestAddr IsolateDestPort

# Network traffic policy
SOCKSPolicy accept 10.9.6.0/29
SOCKSPolicy reject *

# Force encrypted connections (EnforceDistinctSubnets keeps two relays from the same /16 off one circuit)
EnforceDistinctSubnets 1

# Other settings
AvoidDiskWrites 1
NumEntryGuards 8
CircuitBuildTimeout 30
LearnCircuitBuildTimeout 0
MaxCircuitDirtiness 120
KeepAlivePeriod 60
NewCircuitPeriod 240
MaxClientCircuitsPending 16
UseBridges 0

# Exclude evil countries
ExcludeNodes {cn},{hk},{mo},{mn},{tw},{sg},{ph},{my},{th},{vn},{jp},{kr},{pk},{ir},{ae},{sa},{ru},{cu},{br},{kz},{kw},{ci},{sy},{by},{lk},{af}

# Exclude exits
ExcludeExitNodes {us},{gb},{ca},{au},{nz},{dk},{fr},{nl},{no},{de},{be},{it},{se},{es},{il}
StrictNodes 1

# GeoIP data
GeoIPFile /usr/share/tor/geoip
GeoIPv6File /usr/share/tor/geoip6
GeoIPExcludeUnknown 1

# Logging
Log notice file /var/log/tor/notices.log
SafeLogging 1

# Sandbox
Sandbox 1


10.9.6.1 is the WireGuard CA listening address. CN: 10.9.6.2
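A way to check the posted torrc mechanically, as an added editorial example that is not code from the original poster or from the Tor Project: the script embeds an abridged copy of the configuration above as constructed input, parses it, flags the options later replies in this thread point at (ExcludeNodes, ExcludeExitNodes and StrictNodes) together with two others an operator would want to look at (NumEntryGuards 8, and a log file kept on disk despite AvoidDiskWrites 1), and prints a trimmed torrc. The severities and the rules in `harden` are the editor's own choices, not Tor defaults.

```python
"""Review a client-only torrc for options that make the client stand out.

Added editorial example for this thread, not code from the Tor Project.
It parses an abridged copy of the torrc the original poster published
(embedded below as constructed sample input), flags the directives the
thread discusses, and emits a trimmed version without them.
"""
import ipaddress
from typing import List, Tuple

# The poster's torrc, abridged, reproduced as constructed sample input.
POSTED_TORRC = """
Socks5Proxy 10.19.6.1:10010
SocksPort 10.9.6.1:19990 IsolateDestAddr IsolateDestPort
SocksPort 10.9.6.1:19991 IsolateDestAddr IsolateDestPort
SOCKSPolicy accept 10.9.6.0/29
SOCKSPolicy reject *
EnforceDistinctSubnets 1
AvoidDiskWrites 1
NumEntryGuards 8
MaxCircuitDirtiness 120
ExcludeNodes {cn},{hk},{mo},{ru}
ExcludeExitNodes {us},{gb},{ca}
StrictNodes 1
GeoIPExcludeUnknown 1
Log notice file /var/log/tor/notices.log
SafeLogging 1
Sandbox 1
"""

Directive = Tuple[str, str]   # (keyword as written, arguments)
Finding = Tuple[str, str]     # (severity, message)

# A client that refuses whole countries builds paths no other client builds,
# which distinguishes it from every other Tor user (the thread's point).
FINGERPRINT_OPTIONS = {"excludenodes", "excludeexitnodes", "strictnodes"}
# Only meaningful alongside ExcludeNodes/ExcludeExitNodes, so dropped with them.
INERT_WITHOUT_EXCLUDES = {"geoipexcludeunknown"}


def parse_torrc(text: str) -> List[Directive]:
    """Split a torrc into (keyword, args) pairs, dropping comments and blanks."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, args = line.partition(" ")
            out.append((key, args.strip()))
    return out


def socks_bind_host(args: str) -> str:
    """Host part of a SocksPort argument ('9050' and 'auto' mean loopback)."""
    first = args.split()[0]
    if first.startswith("unix:"):
        return "unix"
    host, sep, _ = first.rpartition(":")
    return host.strip("[]") if sep else "127.0.0.1"


def review(directives: List[Directive]) -> List[Finding]:
    """Findings for a client-only torrc; torrc keywords are case-insensitive."""
    lowered = [(k.lower(), a) for k, a in directives]
    keys = {k for k, _ in lowered}
    findings: List[Finding] = []
    for key, args in lowered:
        if key in FINGERPRINT_OPTIONS:
            findings.append(("high", f"{key} {args}: country-based path restriction makes this client's paths unique"))
        elif key == "numentryguards" and args.isdigit() and int(args) > 1:
            findings.append(("medium", f"NumEntryGuards {args}: more guards than the default means more chances to land on a hostile one"))
        elif key == "socksport":
            host = socks_bind_host(args)
            if host != "unix":
                addr = ipaddress.ip_address(host)
                if not addr.is_loopback and "sockspolicy" not in keys:
                    findings.append(("high", f"SocksPort {args}: non-loopback listener without any SOCKSPolicy"))
                if addr.is_global or addr.is_unspecified:
                    findings.append(("high", f"SocksPort {args}: listener on a public or wildcard address"))
        elif key == "log" and " file " in f" {args} " and ("avoiddiskwrites", "1") in lowered:
            findings.append(("info", f"Log {args}: keeps a log file although AvoidDiskWrites 1 is set"))
    if "clientonly" not in keys:
        findings.append(("info", "ClientOnly 1 not set; harmless to add, though with no ORPort this is already a client"))
    return findings


def harden(directives: List[Directive]) -> List[Directive]:
    """Drop the fingerprinting and guard-count options; add ClientOnly 1."""
    drop = FINGERPRINT_OPTIONS | INERT_WITHOUT_EXCLUDES | {"numentryguards"}
    kept = [(k, a) for k, a in directives if k.lower() not in drop]
    if not any(k.lower() == "clientonly" for k, _ in kept):
        kept.append(("ClientOnly", "1"))
    return kept


def render(directives: List[Directive]) -> str:
    return "\n".join(f"{k} {a}".rstrip() for k, a in directives) + "\n"


if __name__ == "__main__":
    posted = parse_torrc(POSTED_TORRC)
    for sev, msg in review(posted):
        print(f"[{sev}] {msg}")
    print("\n# trimmed torrc\n" + render(harden(posted)))
```

Run it with python3. The trimmed output keeps the Socks5Proxy, SocksPort, SOCKSPolicy, SafeLogging and Sandbox lines unchanged; dropping NumEntryGuards lets Tor fall back to its default guard count, which exists precisely to keep the number of relays that ever see a client's traffic entering the network small.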

First of all, I would like to give you a big compliment 👍👍👍

I’m also new to this, but I’m willing to follow you on this post!

I really hope that the experts here will help this friend solve his problem!

Thank you for looking forward to a bright future together and working hard to achieve it.


The usual Tor user is debian-tor.

ExcludeNodes makes you less anonymous because you will be the only one in the world with the unique combination you specify.

“How can I make it more secure and private? I need to use WireGuard to monitor Tor and establish connections. Are you suggesting that I create a user ‘adduser debian-tor’? Or does installing Tor with ‘apt install tor’ automatically create the ‘debian-tor’ user under root?”

Can you help me modify a torrc configuration according to my needs?


I don’t understand why you need WireGuard. AFAIK, WireGuard traffic is very easy to identify and block by the GFW. Why don’t you run a private obfs4 bridge on your VPS?


Because I need to use WireGuard-CA and WireGuard-CN: the network, by listening on the address of WireGuard-CA, can reach SOCKS5-Tor.

“So far, there has been no blocking of Wireguard, so we are continuing to use it. Can you configure a torrc configuration for us that we need? To answer your previous question, I don’t run a private obfs4 bridge because I don’t know how to configure it, so I purchased a human Swiss VPS to use as a CA for his Tor pre-proxy.”

I don’t understand.

You have a CN WireGuard peer 10.9.6.2.

You also have a CA WireGuard peer 10.9.6.1.

The CA WireGuard peer runs Tor, configured with SocksPort in the range 19990-19999.

So if a client browser on 10.9.6.2 talks SOCKS5 protocol to IP address 10.9.6.1 and any port 19990-19999, the browser’s traffic will go through the WireGuard tunnel to 10.9.6.1, and end up passing through Tor? Is that correct?

But where does CH come into the picture?

You are right: the role of CH is to act as a proxy for CA’s Tor as a SOCKS5 endpoint to enter Tor, because I don’t trust the Canadian VPS. So, I use CH as a proxy for him to access Tor.

So CH is running proxy software such as Squid listening on port 10010?

And CH is also a WireGuard peer with IP address 10.19.6.1 on the WireGuard network?

Your torrc seems fine to me, except I would miss out ExcludeNodes, ExcludeExitNodes, and StrictNodes, as these make you unique instead of anonymous.


Yes, it runs a SOCKS5 proxy in Switzerland on port 10010 and serves as the preproxy for CA-Tor’s inbound traffic. I am also considering removing the ExcludeNodes, ExcludeExitNodes, and StrictNodes options because excluding countries and exits makes Tor stand out. If I remove them, is there still enough room for further hardening? What is the purpose of IsolateDestAddr and IsolateDestPort? I have never really understood them. Should they be added? Additionally, I want to add “ClientOnly 1”. Do you think it is necessary? Are there any other features worth adding to make it more secure, reliable, and private? As I mentioned earlier, this is crucial for the safety and well-being of dissidents.
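IsolateDestAddr and IsolateDestPort, asked about in the post above, are modelled in the added example below (editorial code, not from the poster or the Tor Project), together with the SOCKS5 bytes a client on 10.9.6.2 exchanges with the 10.9.6.1:19990 listener. The model follows the documented rules: streams arriving on different SocksPorts never share a circuit; by default streams are also kept apart by client address (IsolateClientAddr) and by SOCKS username/password (IsolateSOCKSAuth); IsolateDestAddr and IsolateDestPort add the destination host and port to that rule. Host names, ports and credentials are constructed sample values.

```python
"""Model of Tor's SocksPort stream-isolation flags plus the SOCKS5 bytes a
client sends. Added editorial example, not Tor Project code.

Rules modelled: streams on different SocksPorts never share a circuit; by
default streams are also separated by client address (IsolateClientAddr) and
by SOCKS username/password (IsolateSOCKSAuth); IsolateDestAddr and
IsolateDestPort add the destination host and port. Hosts, ports and
credentials below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class SocksPort:
    bind: str
    port: int
    isolate_dest_addr: bool = False     # off unless the torrc says IsolateDestAddr
    isolate_dest_port: bool = False     # off unless the torrc says IsolateDestPort
    isolate_client_addr: bool = True    # Tor default
    isolate_socks_auth: bool = True     # Tor default


@dataclass(frozen=True)
class Stream:
    client_addr: str
    dest_host: str
    dest_port: int
    socks_user: Optional[str] = None
    socks_pass: Optional[str] = None


def isolation_key(lp: SocksPort, s: Stream) -> Tuple:
    """Streams with equal keys may share a circuit; different keys never do."""
    key = [lp.port]                      # every listener is its own isolation domain
    if lp.isolate_client_addr:
        key.append(s.client_addr)
    if lp.isolate_socks_auth:
        key.append((s.socks_user, s.socks_pass))
    if lp.isolate_dest_addr:
        key.append(s.dest_host)
    if lp.isolate_dest_port:
        key.append(s.dest_port)
    return tuple(key)


def may_share_circuit(lp: SocksPort, a: Stream, b: Stream) -> bool:
    return isolation_key(lp, a) == isolation_key(lp, b)


# --- the SOCKS5 exchange between a client on 10.9.6.2 and the listener ---

def socks5_greeting(offer_userpass: bool) -> bytes:
    """VER=5, NMETHODS, METHODS (0x00 no auth, 0x02 username/password, RFC 1929)."""
    methods = b"\x00\x02" if offer_userpass else b"\x00"
    return b"\x05" + bytes([len(methods)]) + methods


def socks5_userpass(user: str, password: str) -> bytes:
    """RFC 1929 sub-negotiation; Tor accepts any values and uses them only as an isolation label."""
    u, p = user.encode(), password.encode()
    return b"\x01" + bytes([len(u)]) + u + bytes([len(p)]) + p


def socks5_connect(host: str, port: int) -> bytes:
    """CONNECT with ATYP 0x03 (domain name) so the name resolves inside Tor, not on the client."""
    h = host.encode("idna")
    return b"\x05\x01\x00\x03" + bytes([len(h)]) + h + port.to_bytes(2, "big")


def parse_connect(req: bytes) -> Tuple[str, int]:
    """Listener side: recover (host, port) from a domain-name CONNECT request."""
    if req[:4] != b"\x05\x01\x00\x03":
        raise ValueError("only CONNECT with a domain-name address is handled here")
    n = req[4]
    host = req[5:5 + n].decode("idna")
    port = int.from_bytes(req[5 + n:7 + n], "big")
    return host, port


# Tor's success reply: VER=5, REP=0, RSV, ATYP=IPv4, BND.ADDR 0.0.0.0, BND.PORT 0
SOCKS5_SUCCESS_REPLY = b"\x05\x00\x00\x01" + bytes(4) + bytes(2)


if __name__ == "__main__":
    posted = SocksPort("10.9.6.1", 19990, isolate_dest_addr=True, isolate_dest_port=True)
    a = Stream("10.9.6.2", "example.com", 443)
    b = Stream("10.9.6.2", "example.org", 443)
    print("posted flags, two sites share a circuit:", may_share_circuit(posted, a, b))
    print("CONNECT bytes:", socks5_connect("example.com", 443).hex())
```

Two streams arriving from the same WireGuard peer address with no SOCKS credentials are separated only by whatever the flags add, so with IsolateDestAddr and IsolateDestPort each site-and-port pair gets its own circuit; giving each friend (or each site) its own SOCKS username/password, which Tor accepts without checking, keeps their circuits apart even on a listener without those flags. The isolation is applied inside the Tor client on the Canadian host, which sees every stream's destination in the clear; the Socks5Proxy line only changes where Tor's own connections to guard relays appear to come from.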

I have no experience with the other settings, apart from the ones I have mentioned.

You already have a VPN plus a pre-proxy before Tor. That sounds like a good risk mitigation strategy.

Since you do not mention using the Tor Browser, consider manually disabling JavaScript and/or installing NoScript Security Suite in Firefox.

For a general security guide for activists in China, you can read 为啥朝廷总抓不到俺——十年反党活动的安全经验汇总 (Why the Court Never Catches Me: Ten Years of Security Lessons from Anti-Party Activity) @ 编程随想的博客 (Program-Think’s blog)
