Allows configuring unworkable combination of outbound port filtering + obfsproxy
Yesterday I tried to use Tails for the first time, running Tails 0.23 in a VM on an unrestricted network connection (i.e. not restricted by outbound firewalls or general censorship). I still went for a “complex” setup to get an idea of what it would look/feel like for someone impacted by censorship.
I went for a combination of outbound firewall rules, allowing me to access ports 80 and 443 (the defaults) only, and a requirement to use an obfuscated transport. It was much later, after much repeated manual fingerprint entry, and a lengthy chat with two very supportive developers / community members that I learnt that this combination is not workable. However, the UI neither warns nor prevents such configurations at all. There is also no error message. When you enter any obfs* bridge addresses (a requirement in this scenario) and submit them, the “connect” window just sits there. However, because bridges.torproject.org does not know about the outbound filtering (ports 80,443 only) in this scenario and since the bridges it provides will never connect to ports 80 or 443, none of the bridge addresses you are given will ever work in this scenario.
To reproduce:
After boot, set the keyboard layout on the bottom right corner, but keep the rest on the locale bar as is. Respond “yes” to the “welcome to tails - more options?” prompt and click on “forward” to proceed to the next window.
On this so-called “boot screen”, set the password to “password” twice, keep “Windows camouflage” disabled, disable MAC address spoofing (to prevent the network connectivity issues reported elsewhere), select “This computers’ Internet connection is censored, filtered, or proxied. You need to configure bridge, firewall, or proxy settings” (the alternative option would be “Internet clear of obstacles”).
Click on “login” and the session starts and it does log you in. A warning about virtual machine detection pops up, which can be closed.
When the “Tor network settings” window pops up, click on “configure”, then choose to not require a proxy, but have a restrictive firewall with ports 80 and 443 outbound only. Also choose the option that the ISP blocks or otherwise censors the Tor network. You then reach the step where you need to enter bridge addresses.
Enter any valid obfs* bridge addresses and try to connect. The “Connecting” window will sit in the first stage (progress bar at 0%) and not make any progress, even after 10 minutes. There is no warning about an error, a misconfiguration or impossible choices. There is also no hint on what else to try.
Expected behavior / how to fix:
Do not allow configurations which cannot work. If incompatible combinations of configuration options cannot be prevented at this time, please make sure that warnings with references to additional information are displayed both while these are configured and by the time the connection fails. Make the connection fail after a couple of minutes programmatically if this is the only way to catch the error, and provide additional information then.
Feature Branch: feature/tor-launcher-0.2.7.2
Related issues
- Related to #5479 (closed)
- Related to #8381
- Blocked by #8964 (closed)
Original created by @alster on 6985 (Redmine)
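
One way to implement the pre-flight check requested under "Expected behavior", as an added example that is not Tor Launcher or Tails code: it parses the entered bridge lines and reports those whose port the configured firewall would block. The function names, the assumed bridge-line shape (`[transport] ADDRESS:PORT [fingerprint]`) and the sample bridges are assumptions constructed for illustration.

```javascript
// Added example: check entered bridge lines against the firewall's allowed ports.
// Assumed bridge line shape: "[transport] ADDRESS:PORT [fingerprint] [k=v ...]".
const ADDR_RE = /^(\[[0-9a-fA-F:.]+\]|\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$/;

// Extract transport, address and port from one line; null if unparseable.
function parseBridgeLine(line) {
  const tokens = line.trim().split(/\s+/).filter(Boolean);
  if (tokens.length === 0) return null;
  let transport = null;
  let addrToken = tokens[0];
  // The first token is a transport name unless it already looks like an address.
  if (!ADDR_RE.test(addrToken)) {
    transport = tokens[0];
    addrToken = tokens[1] || "";
  }
  const m = ADDR_RE.exec(addrToken);
  if (!m) return null;
  const port = Number(m[2]);
  if (port < 1 || port > 65535) return null;
  return { transport, address: m[1], port };
}

// Sort every entered bridge into usable / blocked / invalid.
function checkBridges(bridgeText, allowedPorts) {
  const allowed = new Set(allowedPorts);
  const result = { usable: [], blocked: [], invalid: [] };
  for (const raw of bridgeText.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line) continue;
    const parsed = parseBridgeLine(line);
    if (!parsed) result.invalid.push(line);
    else if (allowed.has(parsed.port)) result.usable.push(parsed);
    else result.blocked.push(parsed);
  }
  // Unworkable when not a single bridge listens on an allowed port.
  result.workable = result.usable.length > 0;
  return result;
}

// Constructed sample: documentation address ranges, fake fingerprints.
const SAMPLE_BRIDGES = [
  "obfs3 192.0.2.10:40172 " + "A".repeat(40),
  "obfs2 198.51.100.7:52311 " + "B".repeat(40),
  "obfs3 not-an-address",
].join("\n");

const report = checkBridges(SAMPLE_BRIDGES, [80, 443]);
if (!report.workable) {
  console.log("No entered bridge uses an allowed port (80, 443); connecting cannot succeed.");
  for (const b of report.blocked) console.log(`  blocked: ${b.transport} ${b.address}:${b.port}`);
}
```

Running such a check when the bridges are submitted lets the UI show the warning immediately instead of leaving the progress bar at 0%.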