Skip to content

WebTunnel Tor Pluggable Transport Integration, and HTTP Upgrade Transport

shelikhoo requested to merge shelikhoo/webtunnel:dev-init into main

This merge request contain the initial version of WebTunnel(HTTPT) Pluggable Transport, which includes HTTP Upgrade Transport and Tor Pluggable Transport Integration.

The client and server file below can be downloaded from here.

A temporary server was setup for easy trial. To connect to that server, use the following torrc file with tor:

UseBridges 1
DataDirectory datadir

ClientTransportPlugin webtunnel exec ./client

Bridge webtunnel tls=tls path=5m9yq0j4ghkz0fz7qmuw58cvbjon0ebnrsp0

SocksPort auto

Log info

Server setup

Install Tor

On a Debian system, first install tor normally with

apt install apt-transport-https
lsb_release -c
nano /etc/apt/sources.list.d/tor.list
wget -qO- | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null
apt update
apt install tor

Disable default instance

The default Tor configuration is not useful for this setup, so the next step will be disabling them.

systemctl stop tor@default.service
systemctl mask tor@default.service

Get Environment Ready

#copy server file to server
scp server root@$SERVER_ADDRESS:/var/lib/torwebtunnel/webtunnel

then create server torrc at /var/lib/torwebtunnel/torrc

BridgeRelay 1

ORPort 10000

ServerTransportPlugin webtunnel exec /var/lib/torwebtunnel/webtunnel

ServerTransportListenAddr webtunnel

ExtORPort auto

ContactInfo Shelikhoo email: ciissversion:2

Nickname WebTunnelTest

PublishServerDescriptor 1
BridgeDistribution none

DataDirectory /var/lib/torwebtunnel/tor-data
CacheDirectory /tmp/tor-tmp-torwebtunnel

SocksPort 0

Configure service unit file

Create a service unit file as follow

Description=Tor Web Tunnel



ExecStart=/usr/bin/tor -f /var/lib/torwebtunnel/torrc --RunAsDaemon 0


Obtain Certificate

WebTunnel Requires a valid TLS certificate, to obtain that

curl | sh -s
~/ --issue --standalone --domain $SERVER_ADDRESS

Install & Configure Nginx

To coexist with other content at a single port, it is necessary to install a reverse proxy like nginx:

apt install nginx

And then configure HTTP Upgrade forwarding at /etc/nginx/nginx.conf.

--- a/before.conf
+++ b/after.conf
@@ -60,6 +60,13 @@ http {
        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
+       #WebSocket Support
+       map $http_upgrade $connection_upgrade {
+                       default upgrade;
+                       ''      close;
+       }

Finally, add http forwarding setting to a new file at /etc/nginx/site-enabled .

server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name $SERVER_ADDRESS;
    #ssl on;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /etc/nginx/ssl/fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl/key.key;

    ssl_session_timeout 15m;

    ssl_protocols TLSv1.2 TLSv1.3;


    ssl_prefer_server_ciphers off;

    ssl_session_cache shared:MozSSL:50m;
    #ssl_ecdh_curve secp521r1,prime256v1,secp384r1;
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=63072000" always;
    location /$PATH {
        proxy_http_version 1.1;

        ###Set WebSocket headers ####
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        ### Set Proxy headers ####
        proxy_set_header        Accept-Encoding   "";
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        add_header              Front-End-Https   on;

        proxy_redirect     off;


Merge request reports