Unable to Connect to Tor via a Proxy at 127.0.0.0/8
During initial startup, Tor Browser allows users to connect via a bridge or a proxy to bypass restrictive firewalls. However, if the proxy server listens on an address in 127.0.0.0/8, it is not possible to establish a connection to the Tor network, which renders Tor Browser useless.
It is known to affect every version of Tor Browser Bundle; TBB on Tails OS is also affected. Proxies on other local ranges, such as 192.168.0.0/16, are not affected. Because a SOCKS proxy on 127.0.0.1 is exactly what common tools provide (e.g. OpenSSH's -D dynamic forwarding) and is very useful for bypassing Internet censorship, this issue greatly affects the usability of Tor Browser Bundle, especially in places where the Internet is censored and anonymity is urgently needed. The bug is therefore classified as "major" and should be fixed as soon as possible.
Currently, users who need a proxy in the 127.0.0.0/8 range can work around the issue by configuring a bridge and the local proxy at the same time. Once connected, it is even possible to turn the bridge off afterwards via Tor Button and use the local proxy alone.
The reporter inspected the "torrc" files produced by Tor Browser Bundle and found a suspicious difference that is believed to be the cause of the bug.
== Reproduce
- Start a "SOCKS 5" proxy at 127.0.0.1, e.g. "ssh user@server -D 8080".
- Start Tor Browser Bundle.
- Choose "This computer's Internet connection is censored or proxied".
- "Does your ISP block or otherwise censor connections?" Answer "No".
- "Does this computer need to use a local proxy?" Answer "Yes".
- Enter the "SOCKS 5" proxy at 127.0.0.1 and its port, e.g. 127.0.0.1, port 8080.
- Tor Status shows Tor trying to establish a connection, but it waits there indefinitely.
- Tor fails to establish a connection to the Tor network.
See Appendix 1 and Appendix 2 for connection logs and generated "torrc" file.
== Workaround
One can work around this issue by using a bridge and a local proxy at the same time.
- Repeat Step 1, 2, 3 in "Reproduce".
- "Does your ISP block or otherwise censor connections?" Answer "Yes".
- "Does this computer need to use a local proxy?" Answer "Yes".
- Select a built-in obfs4 transport.
- Enter the "SOCKS 5" proxy at 127.0.0.1 and its port, e.g. 127.0.0.1, port 8080.
- Tor connected to the network.
See Appendix 3 for generated "torrc" file.
== Further Workaround
After connecting to the Tor network, it is even possible to remove the bridge; Tor continues to work via the proxy server alone.
- Repeat all steps in "Workaround".
- Click Tor Button.
- Disable "My ISP blocks connections to the Tor network".
- Ensure "This computer goes through a firewall that only allows connections to certain ports" is not selected (the default).
See Appendix 4 for generated "torrc" file.
== Further Reproduce
- Repeat Steps 1 and 2 of "Further Workaround".
- Enable "This computer goes through a firewall that only allows connections to certain ports".
- Leave "Allowed ports" at the default "80,443".
Tor Browser stops working, and the generated "torrc" is identical to the initial broken one in "Reproduce" (Appendix 2).
== Identifying the Issue
Comparing the "torrc" files generated in each case, these three lines appear only in the broken configuration from "Reproduce":
ReachableAddresses *:80,*:443
ReachableAddresses reject *:*
ReachableAddresses reject *:*
These are the lines Tor Launcher writes for the "fascist firewall" case (only certain ports allowed); in ReachableAddresses syntax an entry is accepted unless "reject" is given, so together they mean "any host on port 80 or 443, reject everything else". It looks like, for some reason, these options cannot be used together with Socks5Proxy, at least when the proxy listens on 127.0.0.1.
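To make the comparison in this section mechanical, the following Python script (an added example, not code from Tor or the Tor Browser project) parses generated torrc files, diffs them while preserving duplicate lines, and flags the combination this report points to: a Socks5Proxy (or other *Proxy) host in 127.0.0.0/8 together with any ReachableAddresses line. The embedded torrc texts are constructed stand-ins for Appendices 2 to 4; their paths, port and bridge line are placeholders for the redacted values. It goes slightly beyond the report's 127.0.0.0/8 case by also treating ::1 and "localhost" as loopback.

```python
"""Diff Tor Browser torrc files and flag loopback proxy + ReachableAddresses.
Added example for this bug report; not Tor or Tor Browser code."""
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

Entry = Tuple[str, str]

# Constructed stand-ins for the report's redacted torrc files (Appendices 2-4).
# Paths, the proxy port and the bridge line are placeholders, not real values.
TORRC_REPRODUCE = """\
# This file was generated by Tor; if you edit it, comments will not be preserved
DataDirectory /tmp/tbb/Data/Tor
GeoIPFile /tmp/tbb/Data/Tor/geoip
GeoIPv6File /tmp/tbb/Data/Tor/geoip6
Socks5Proxy 127.0.0.1:8080
ReachableAddresses *:80,*:443
ReachableAddresses reject *:*
ReachableAddresses reject *:*
"""

TORRC_WORKAROUND = """\
Bridge obfs4 192.0.2.10:443 PLACEHOLDER_FINGERPRINT cert=PLACEHOLDER iat-mode=0
DataDirectory /tmp/tbb/Data/Tor
GeoIPFile /tmp/tbb/Data/Tor/geoip
GeoIPv6File /tmp/tbb/Data/Tor/geoip6
Socks5Proxy 127.0.0.1:8080
UseBridges 1
"""

TORRC_FURTHER_WORKAROUND = """\
DataDirectory /tmp/tbb/Data/Tor
GeoIPFile /tmp/tbb/Data/Tor/geoip
GeoIPv6File /tmp/tbb/Data/Tor/geoip6
Socks5Proxy 127.0.0.1:8080
"""

PROXY_OPTIONS = {"socks4proxy", "socks5proxy", "httpsproxy"}


def parse_torrc(text: str) -> List[Entry]:
    """Return (option, value) pairs in file order, skipping blanks and comments.
    torrc option names are case-insensitive, so callers compare keys lowercased."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        entries.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return entries


def proxy_host(value: str) -> str:
    """Host part of a *Proxy value: host:port, [v6]:port, or a bare host."""
    value = value.strip()
    if value.startswith("[") and "]" in value:
        return value[1:value.index("]")]
    if value.count(":") == 1:
        return value.rsplit(":", 1)[0]
    return value


def is_loopback_proxy(value: str) -> bool:
    """True if the proxy host is in 127.0.0.0/8, is ::1, or is 'localhost'."""
    host = proxy_host(value)
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def check_torrc(text: str) -> Dict[str, object]:
    """Flag the combination this report identifies as broken: a proxy on a
    loopback address together with any ReachableAddresses line."""
    entries = parse_torrc(text)
    loopback = [f"{k} {v}" for k, v in entries
                if k.lower() in PROXY_OPTIONS and is_loopback_proxy(v)]
    reachable = [v for k, v in entries if k.lower() == "reachableaddresses"]
    uses_bridges = any(k.lower() == "usebridges" and v == "1" for k, v in entries)
    return {
        "loopback_proxies": loopback,
        "reachable_addresses": reachable,
        "uses_bridges": uses_bridges,
        "affected": bool(loopback) and bool(reachable),
    }


def torrc_diff(a: str, b: str) -> Tuple[List[str], List[str]]:
    """Lines only in a and only in b, keeping file order and duplicates, so both
    repeated 'ReachableAddresses reject *:*' lines are reported."""
    def only_in(x: List[Entry], y: List[Entry]) -> List[str]:
        remaining = Counter(x) - Counter(y)   # multiset difference
        out: List[str] = []
        for e in x:
            if remaining[e] > 0:
                out.append(f"{e[0]} {e[1]}")
                remaining[e] -= 1
        return out
    ea, eb = parse_torrc(a), parse_torrc(b)
    return only_in(ea, eb), only_in(eb, ea)


if __name__ == "__main__":
    for name, text in [("Reproduce", TORRC_REPRODUCE),
                       ("Workaround", TORRC_WORKAROUND),
                       ("Further Workaround", TORRC_FURTHER_WORKAROUND)]:
        print(name, check_torrc(text))
    print(torrc_diff(TORRC_REPRODUCE, TORRC_FURTHER_WORKAROUND))
```

Run against real files, the diff of the broken torrc against the working "Further Workaround" one should come back as exactly the three ReachableAddresses lines and nothing in the other direction; anything else in the output means the two runs differed in more than the firewall setting.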
== Appendix 1: Logs for "Reproduce".
[NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
[NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
[NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
[NOTICE] Opening Socks listener on 127.0.0.1:9150
[NOTICE] Bootstrapped 5%: Connecting to directory server
[NOTICE] Bootstrapped 10%: Finishing handshake with directory server
[NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
[NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
[NOTICE] Closing old Socks listener on 127.0.0.1:9150
[WARN] Problem bootstrapping. Stuck at 10%: Finishing handshake with directory server. (DONE; DONE; count 10; recommendation warn; host [REDACTED] at [REDACTED]:80)
[WARN] 10 connections have failed:
[WARN] 10 connections died in state handshaking (TLS) with SSL state SSLv2/v3 read server hello A in HANDSHAKE
[WARN] Problem bootstrapping. Stuck at 10%: Finishing handshake with directory server. (DONE; DONE; count 11; recommendation warn; host [REDACTED] at [REDACTED]:80)
[WARN] 11 connections have failed:
[WARN] 11 connections died in state handshaking (TLS) with SSL state SSLv2/v3 read server hello A in HANDSHAKE
[NOTICE] Delaying directory fetches: DisableNetwork is set.
== Appendix 2: Generated "torrc" for "Reproduce".
# This file was generated by Tor; if you edit it, comments will not be preserved
# The old torrc file was renamed to torrc.orig.1 or similar, and Tor will ignore it
DataDirectory [REDACTED]
GeoIPFile [REDACTED]
GeoIPv6File [REDACTED]
Socks5Proxy 127.0.0.1:[REDACTED]
ReachableAddresses *:80,*:443
ReachableAddresses reject *:*
ReachableAddresses reject *:*
== Appendix 3: Generated "torrc" for "Workaround".
# This file was generated by Tor; if you edit it, comments will not be preserved
# The old torrc file was renamed to torrc.orig.1 or similar, and Tor will ignore it
Bridge obfs4 [REDACTED]
Bridge obfs4 [REDACTED]
Bridge obfs4 [REDACTED]
Bridge obfs4 [REDACTED]
Bridge obfs4 [REDACTED]
[REDACTED ADDITIONAL LINE OF OBFS4 BRIDGES]
DataDirectory [REDACTED]
GeoIPFile [REDACTED]
GeoIPv6File [REDACTED]
Socks5Proxy 127.0.0.1:[REDACTED]
UseBridges 1
== Appendix 4: Generated "torrc" for "Further Workaround".
# This file was generated by Tor; if you edit it, comments will not be preserved
# The old torrc file was renamed to torrc.orig.1 or similar, and Tor will ignore it
DataDirectory [REDACTED]
GeoIPFile [REDACTED]
GeoIPv6File [REDACTED]
Socks5Proxy 127.0.0.1:[REDACTED]