
Can NAT traversal be Tor's killer feature? (2014) - networked
https://gist.github.com/obvio171/73122ba490c864644792#file-can-nat-traversal-be-tor-s-killer-feature-md
======
atjamielittle
It's easier to setup a Tor hidden service than it is to set up a server with a
domain. You don't have to know anything about DNS or firewalls. I'm surprised
that they aren't more common.

~~~
thomasfoster96
Is it? I've never been able to find a 'how to' or tutorial on starting a
hidden service, but even with limited skills I could set up a domain and
server in my lunch hour.

~~~
iokanuon
It is.

[https://www.torproject.org/docs/tor-hidden-service.html.en](https://www.torproject.org/docs/tor-hidden-service.html.en)

In how-to style: [http://www.makeuseof.com/tag/create-hidden-service-tor-site-...](http://www.makeuseof.com/tag/create-hidden-service-tor-site-set-anonymous-website-server/)

------
j_s
NAT traversal requires a server accessible to both parties, correct?

It would be interesting if somehow Tor could be used only to _initiate_ the
NAT traversal, then the direct connection could be used with better
performance. (This article feels like it's talking about routing everything
through Tor.) If there was an open-source library that managed this well I
have a feeling it would be used everywhere.

~~~
Diederich
> This article feels like it's talking about routing everything through Tor.

That's correct. How would you use Tor to initiate the NAT traversal only, and
then go direct? Perhaps using it as a way to advertise ports bound upstream
from local NAT?

~~~
acveilleux
Yes.

------
d33
I like the idea! Nevertheless, one thing that I'd like to point out when
deploying this kind of scheme is that it might be putting too much stress on
the network that isn't necessarily in line with project goals.

Because of that, I suggest that if you build a project like this, DONATE
and/or encourage users to donate to Tor project. It's not like relay traffic
is an unlimited resource and Tor already does a lot to support various use
cases, but it takes money. Keep that in mind.

~~~
c22
Doesn't more traffic strengthen the network? (More noise.)

~~~
zrm
It's both. More traffic is better for anonymization but it also consumes
finite resources.

The solution of course being for more people to run relays.

~~~
d33
The thing is that IIRC not everyone can run a relay. Don't you need some
decent bandwidth to actually be useful?

~~~
micaksica
Virtually everyone can run a relay.

BitTorrent is effectively a "relay" when you seed. The anonymity network I2P
actually works in a way that you are both the relay and the client by default.

According to Tor, "decent" is 2Mb/sec symmetric, which most any broadband
connection can do. I suspect everyone has 2MB/sec lying around. From Tor [1]:

> The more people who run relays, the faster the Tor network will be. If you
> have at least 2 megabits/s for both upload and download, please help out Tor
> by configuring your Tor to be a relay too.

There are other ways to contribute to the project as well, such as running
bridge relays [2]. These are often less-used but are necessary for the network
to work well in places where it _needs_ to be used for censorship
circumvention.

You can also configure a browser to be a short-lived FlashProxy [3] bridge
relay.

Even still, throttling bandwidth in your `torrc` means you can easily run a
relay on a droplet or EC2 instance and not cost yourself a lot of money. There
is also torservers.net [4] for hosting; they accept donations as well.

[1] [https://www.torproject.org/docs/tor-doc-relay.html.en](https://www.torproject.org/docs/tor-doc-relay.html.en)
[2] [https://www.torproject.org/docs/bridges.html.en](https://www.torproject.org/docs/bridges.html.en)
[3] [https://crypto.stanford.edu/flashproxy/](https://crypto.stanford.edu/flashproxy/)
[4] [https://www.torservers.net/](https://www.torservers.net/)

~~~
vermilingua
Perhaps in Europe and the US, but here in Australia (and many other places I
suspect), 2MB/s is a luxury. We have the NBN (partially) rolling out at the
moment, but anything better than 12/1mbit will be largely inaccessible to the
majority.

------
Klasiaster
I always hoped IPv6 would kill the NAT but it seems providers stick to it… I
think the creation of Tor hidden services needs a nice UI. But also I am
doubtful because only TCP is supported, UDP not.

~~~
mbreedlove
Well, creating a hidden service is as simple as adding the following to your
torrc:

    HiddenServiceDir /usr/local/etc/tor/hidden_service/
    HiddenServicePort 80 127.0.0.1:8080

Then you just see /usr/local/etc/tor/hidden_service/hostname for your .onion
address.

The hardest part is setting up your web and application servers, which don't
care that they're behind a hidden service.

How would you expect a UI for that to function? I'm asking sincerely.
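A small checker for the misconfiguration that bites this setup most often, added here as an example (not from the thread or the Tor project): the backend that `HiddenServicePort` points at must itself listen only on loopback, otherwise the same daemon is also reachable on the host's real IP. The torrc text is constructed; its first stanza is the one quoted above.

```python
"""Flag HiddenServicePort targets that are not loopback: Tor only proxies the
.onion side, so a backend bound to a routable address is also reachable on the
host's real IP.  Added example, not Tor project code."""
import ipaddress
import re

# Constructed sample: stanza one is the snippet quoted above; stanza two binds
# one backend to every interface, which is the misconfiguration to catch.
SAMPLE_TORRC = """\
HiddenServiceDir /usr/local/etc/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8080

HiddenServiceDir /usr/local/etc/tor/other_service/
HiddenServicePort 22 0.0.0.0:22
HiddenServicePort 443 [::1]:8443
HiddenServicePort 8000 unix:/var/run/app.sock
"""
_TARGET_RE = re.compile(r"^\[?([^\]]+?)\]?:(\d+)$")  # host:port or [v6]:port

def parse_hidden_services(torrc_text):
    """Return [(HiddenServiceDir, [(virtual_port, target), ...]), ...]."""
    services = []
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        key, args = tokens[0], tokens[1:]
        if key == "HiddenServiceDir" and args:
            services.append((args[0], []))
        elif key == "HiddenServicePort" and args and services:
            virt = int(args[0])
            target = args[1] if len(args) > 1 else f"127.0.0.1:{virt}"  # Tor default
            services[-1][1].append((virt, target))
    return services

def target_is_local(target):
    """True when the backend can only be reached from the Tor host itself."""
    if target.startswith("unix:"):
        return True  # filesystem socket, never routable
    m = _TARGET_RE.match(target)
    if not m:
        return False  # unparseable: treat as suspect, not as safe
    try:
        return ipaddress.ip_address(m.group(1)).is_loopback
    except ValueError:
        return m.group(1) == "localhost"

def find_exposed_targets(torrc_text):
    """(dir, virtual_port, target) for every backend that is not loopback."""
    return [(d, v, t) for d, ports in parse_hidden_services(torrc_text)
            for v, t in ports if not target_is_local(t)]
```

Run `find_exposed_targets(open("/etc/tor/torrc").read())` against a real file; an empty list means every backend is loopback-only.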

------
api
We built ZeroTier initially for this use case, and though it's now maturing
into something more powerful (SDN type features) it's still very useful for
this and the WAN use case is not going away.

[https://www.zerotier.com/](https://www.zerotier.com/)

[https://github.com/zerotier/ZeroTierOne](https://github.com/zerotier/ZeroTierOne)

[https://github.com/zerotier/ZeroTierSDK](https://github.com/zerotier/ZeroTierSDK)

The difference between something like ZeroTier and Tor is a trade-off between
meta-data privacy and latency/speed. (Both encrypt the actual payload.)

Efficient connectivity and anonymity are antagonistic goals. You can't provide
both since optimization for one of these two goals implies violation of the
other.

Tor provides meta-data privacy, but it's impossible to do this without
sacrificing a lot of performance. If you allow low latency on a privacy
network, latency can be used to triangulate the endpoint. Rule of thumb:
latency can never be lower than about 1/2 the time it takes a photon to travel
the Earth's diameter. In practice it's higher since you must also account for
median router latency. Same goes for high throughput though in that case you
need much more detailed intel on the physical network. Rule of thumb here: if
throughput is higher than global mean it can be used to rule out and thus
narrow down paths in the graph.

ZeroTier provides fast efficient low-latency direct connectivity but to do
this requires that it introduce people directly, thus revealing peoples'
locations (IP-wise) to each other. This is a hard requirement since the most
efficient path is by definition the most direct and therefore de-anonymized
(again IP-wise) path. You can't go directly A<>B without A knowing where B is
and vice versa.

Edit: I speak a bit theoretically above. In _practice_ a weaker anonymity
system could be deployed closer to the last mile to hide people at e.g. city
resolution. But AFAIK this is not what Tor does, would probably require either
a huge critical mass or last-mile carrier participation or both, and would
still have a performance impact.

------
xena
It's been done: [https://www.onioncat.org/](https://www.onioncat.org/)

------
snnn
[http://cc.rtmfp.net/](http://cc.rtmfp.net/) A flash for NAT Traversal
Testing, made by Adobe.

------
TazeTSchnitzel
What does Tor have to offer versus Hamachi, which is specifically designed for
this?

I suppose it's open-source.

