5528 OnionCat - Telecomix Crypto Munitions Bureau


From Telecomix Crypto Munitions Bureau

Jump to: navigation, search
Onioncat, VPN software for the ultra-paranoid.
OnionCat/GarliCat is a piece of software that can be used to create TUN interfaces on top of I2P/TOR. This means that you can send IPv6 traffic over I2P/TOR. There are really two programs, but they share almost all code. Garlicat is for I2P, OnionCat is for TOR.


[edit] SIMPLE explanation

Very short: OnionCat together with TOR or I2P will give you anonymous and secure VPN. It is very slow but you are able to send IPv6 packets to other people that also use OnionCat anonymously.

OnionCat lets you use TOR/I2P as a virtual network interface. You can send any type of traffic on top of these networks with the help of OnionCat :)

A TUN interface is a type of virtual network interface for unix boxes. It allows the most basic protocols to traverse the I2P/TOR networks. (It is possible to set up TAP interfaces too, in which case you can also send other types of packets, and pretend that you are on the same physical local network. Albeit, a very very slow network.)

With OnionCat on top of TOR/I2P you will see ping times between 2 to 30 seconds, default is perhaps 5-10 seconds. The delay is varies from second to second, even within the same tunnel. Interactive protocols (telnet/SSH) are much more painful than bulk sends (sending files).

[edit] TOR and OnionCat

Read the Onioncat-HOWTO.

0. Install ocat

  1. Download onioncat.
  2. Put it in a directory and untar it. (tar xvfz ./onioncat-X.X.X.rXXX.tar.gz)
  3. type ./configure
  4. type make
  5. type make install (make uninstall will remove it.)

1. Create a hidden service

  • Open /etc/tor/torrc and modify the script a bit:
HiddenServiceDir /etc/tor/ocat/
HiddenServicePort 8060

2. Create the directory /etc/tor/ocat

  1. mkdir /etc/tor/ocat
  2. chown the dir to the user that runs TOR (in debian it is debian-tor. (You can type ps aux | grep tor to find out which user is running TOR if you do not know.)

3. Find the hostname of your hidden service

  1. run or restart tor.
  2. cat /etc/tor/ocat/hostname
  3. For example: c4cryzqdjns2i3je.onion

4. Start ocat

  • ocat c4cryzqdjns2i3je.onion
  • replace c4cryzqdjns2i3je.onion with your own hidden service destination :p
  • ocat will now create a new TUN interface and let you send traffic via it. Ocat will drop its privileges after it has created the TUN interface, so there is little chance that an exploit will give it root access :)

5. Final nodes.

[edit] I2P and GarliCat

Read the Garlicat-HOWTO.

  1. Download onioncat.
  2. Put it in a directory and untar it. (tar xvfz ./onioncat-X.X.X.rXXX.tar.gz)
  3. type ./configure
  4. type make
  5. type make install (make uninstall will remove it.)
  6. Create an I2P server tunnel. See screenshot.
  7. Create an I2P client tunnel. See screenshot.
  8. Copy your b32 destination string, and truncate it.
    • Example: If it is mbtzuz7xirr6w5ai4irks7fopjyc5urkghk5ugl7mu37mplxuznq.b32.i2p then your truncated string is mbtzuz7xirr6w5ai.oc.b32.i2p. (just take the first 16 characters and add .oc.b32.i2p to it.)
  9. type gcat yourdestination.oc.b32.i2p. It will create a new interface at your computer. You need to do this as root. After it has set up the TUN interface, it will drop its privileges and become the user nobody.
  10. Configure your IPv6 firewall.
  11. Addresses to web pages inside this network will for example be: http://fd60:db4d:ddb5:6067:9a67:f744:63eb:7408


  • TORs control socket is on port 9051. You will either have to change that in the /etc/tor/torrc file, or change the port that GarliCat uses (use the -t option)
  • You need to know the destination strings of the people you want to connect to. this is a bit failed, but i guess i can accept it for a while. It needs to be changed :D

[edit] Finding others

  • gcat -i mbtzuz7xirr6w5ai.oc.b32.i2p --- returns fd60:db4d:ddb5:6067:9a67:f744:63eb:7408
  • gcat -i SOME_OC_B32_STRING --- returns the IPv6 address of SOME_OC_B32_STRING destination.
  • ask people in chat channels :)?
  • try man ocat

[edit] Networks

  • fd87:d87e:eb43::/48 is TOR
  • fd60:db4d:ddb5::/48 is I2P

(Linux does not have support for NAT with IPv6 so this is somewhat limiting, in case you wish to relay packets from TOR to I2P via OnionCat. This is what the Linux kernel/net developers say about adding this functionality --> Quote: "Only over my dead body. We will never implement ipv6-to-ipv6 network address translation..." If both the endpoints use their respective routers it will work though... meh.)

[edit] Web site

Personal tools