RESOLVED: WebTunnel - general SOCKS server failure on test client connect

Hi

Have configured a WebTunnel instance on OpenBSD 7.5 as per guide - Tor Project | WebTunnel Bridge (tor version 0.4.8.10)

On trying to connect to the webtunnel as a test, Tor Browser (both desktop [v13.0.13] and Android [v13.0.12]) gets an error:

[WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with x.x.x.x:443 ID=<none> RSA_ID=aaaaaaaaa ("general SOCKS server failure")

The webtunnel instance starts without error:

Tor[19669]: Registered server transport 'webtunnel' at '[2001:db8:6573:96ba:5fc4:7757:f425:d7dd]:443'

and is listening on port 15000:

tcp          0      0  127.0.0.1.15000        *.*                    LISTEN

Contents of torrc:

RunAsDaemon 1
BridgeRelay 1
ORPort 127.0.0.1:auto
AssumeReachable 1
ServerTransportPlugin webtunnel exec /usr/local/bin/webtunnel
ServerTransportListenAddr webtunnel 127.0.0.1:15000
ServerTransportOptions webtunnel url=https://example.com/xxxxxx
ExtORPort auto
ContactInfo  xxxxxx
Nickname xxxxx 
SocksPort 0
Log notice syslog

nginx error log (enabled for test) shows:

[error] 71247#0: *125 upstream prematurely closed connection while reading response header from upstream, client: x.x.x.x, server: a.a.a, request: "GET /xxxxx HTTP/2.0", upstream: "http://127.0.0.1:15000/xxxxx", host: "example.com"

I’d appreciate any feedback or ideas

TIA

Just noticed that bridges.torproject.org reports it as dysfunctional

  • webtunnel: dysfunctional
    Error: timed out waiting for bridge descriptor
    Last tested: 2024-04-10 23:14:50.275597505 +0000 UTC (3m54.439758802s ago)

Hi, you are compiling WebTunnel from source, right?

Could you check your system logs to see if OpenBSD is stopping the webtunnel binary from executing, or for anything related to users and permissions?

Yes compiled from source (no errors).

/var/log/daemon shows webtunnel being started without error

328-Apr 11 04:30:52 www5 Tor[57740]: connection_handle_listener_read: New metrics connection opened from 127.0.0.1.
329:Apr 11 04:30:52 www5 Tor[57740]: handle_proxy_line: Got a line from managed proxy '/usr/local/bin/webtunnel': (VERSION 1)
330:Apr 11 04:30:52 www5 Tor[57740]: Managed proxy "/usr/local/bin/webtunnel" changed state: Launched -> Accepting methods
331:Apr 11 04:30:52 www5 Tor[57740]: handle_proxy_line: Got a line from managed proxy '/usr/local/bin/webtunnel': (SMETHOD webtunnel [2001:db8:6573:96ba:5fc4:7757:f425:d7dd]:443 ARGS:url=https://example.com/xxxxxxxxxx,ver=0.0.1)
332:Apr 11 04:30:52 www5 Tor[57740]: parse_method_line_helper: Server transport webtunnel at [2001:db8:6573:96ba:5fc4:7757:f425:d7dd]:443.
333:Apr 11 04:30:52 www5 Tor[57740]: handle_proxy_line: Got a line from managed proxy '/usr/local/bin/webtunnel': (SMETHODS DONE)
334:Apr 11 04:30:52 www5 Tor[57740]: handle_methods_done: Server managed proxy '/usr/local/bin/webtunnel' configuration completed!
335:Apr 11 04:30:52 www5 Tor[57740]: Managed proxy "/usr/local/bin/webtunnel" changed state: Accepting methods -> Configured
336-Apr 11 04:30:52 www5 Tor[57740]: save_transport_to_state: Transport seems to have spawned on its usual address:port.
337:Apr 11 04:30:52 www5 Tor[57740]: Registered server transport 'webtunnel' at '[2001:db8:6573:96ba:5fc4:7757:f425:d7dd]:443'
338:Apr 11 04:30:52 www5 Tor[57740]: Managed proxy "/usr/local/bin/webtunnel" changed state: Configured -> Completed
339-Apr 11 04:30:52 www5 Tor[57740]: metrics_connection_reached_eof: Metrics connection reached EOF. Closing.

and there is a process listening on 127.0.0.1:15000

 netstat -an | grep 15000
tcp          0      0  127.0.0.1.15000        *.*                    LISTEN

webtunnel running

$ ps -xlAU _tor
  UID   PID  PPID CPU PRI  NI   VSZ   RSS WCHAN   STAT   TT       TIME COMMAND
  566 57740     1   0   2   0 114328 188320 kqread  S      ??    0:11.40 /usr/local/bin/tor
  566   339 57740   3  10   0 44428  3584 thrslee I      ??    0:00.00 /usr/local/bin/webtunnel

RESOLVED: Config error in nginx.

Using Let's Encrypt as CA and acme.sh to issue. Specified ssl_certificate in Nginx as ca.cer; needed to set ssl_certificate to fullchain.cer.

Noticed following error in Nginx error log

[info] 30142#0: *154 SSL_do_handshake() failed (SSL: error:1403F412:SSL routines:ACCEPT_SR_FINISHED:sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking, client: x.x.x.x, server: 0.0.0.0:443

Used curl to connect. Curl wasn’t able to verify the server certificate unless I specified the --ca-cert as fullchain.cer (rather than ca.cer).

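The resolution above turns on which acme.sh output file nginx is given as ssl_certificate. As an added example (not part of the original thread), this script classifies a PEM file by whether it starts with a server certificate and carries its chain. The function names are hypothetical, the throwaway CA and certificates are constructed for the demo using the thread's file names, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: classify a PEM file before using it as nginx's ssl_certificate.
# Function names are hypothetical; requires the openssl command-line tool.

# Number of certificates in a PEM file.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# True when the FIRST certificate in the file is a CA certificate.
# "openssl x509" only ever reads the first PEM block.
first_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Prints ca-only, leaf-only or fullchain.
classify_bundle() {
    n=$(count_certs "$1")
    if first_is_ca "$1"; then
        echo "ca-only"      # issuer certificate(s) only, no server certificate
    elif [ "$n" -ge 2 ]; then
        echo "fullchain"    # server certificate first, then its issuer(s)
    else
        echo "leaf-only"    # server certificate without the chain
    fi
}

# Constructed sample data: a throwaway CA and a certificate it signs, laid out
# with the file names from the thread (ca.cer, fullchain.cer).
make_demo() {
    d=$1
    printf '[req]\ndistinguished_name=req\nx509_extensions=v3\n[v3]\nbasicConstraints=critical,CA:TRUE\n' > "$d/demo.cnf"
    openssl req -x509 -config "$d/demo.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo CA" -keyout "$d/ca.key" -out "$d/ca.cer" 2>/dev/null
    openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=example.com" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.cer" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/example.com.cer" 2>/dev/null
    cat "$d/example.com.cer" "$d/ca.cer" > "$d/fullchain.cer"
}

tmp=$(mktemp -d)
make_demo "$tmp"
for f in ca.cer example.com.cer fullchain.cer; do
    printf '%-16s %s\n' "$f" "$(classify_bundle "$tmp/$f")"
done
rm -rf "$tmp"
```

Run against the real acme.sh output directory, the file that classifies as fullchain is the one to reference from ssl_certificate.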
