ocat(1) - OnionCat creates a transparent IPv6 layer on top of Tor's or I2P hidden services.

ocat, 2023-10-25

<a name="synopsis"></a>

Synopsis

ocat -i onion_id                      (1st form)
ocat -o IPv6_address                  (2nd form)
ocat [OPTION] onion_id                (3rd form)
ocat -R [OPTION]                      (4th form)
ocat -I [OPTION] i2p_id               (5th form)

<a name="description"></a>

Description

OnionCat creates a transparent IPv6 layer on top of Tor's hidden services or I2P's tunnels. It transmits any kind of IP-based data transparently through the Tor/I2P network on a location hidden basis. You can think of it as a peer-to-peer VPN between hidden services.

OnionCat is a stand-alone application which runs in userland and is a connector between Tor/I2P and the local OS. Any protocol which is based on IP can be transmitted. Of course, UDP and TCP (and probably ICMP) are the most important ones but all other protocols can also be forwarded through it.

OnionCat opens a TUN device and assigns an IPv6 address to it. All packets forwarded to the TUN device by the kernel are forwarded by OnionCat to other OnionCats listening on Tor's hidden service ports or I2P's server tunnels. The IPv6 address depends on the onion_id or the i2p_id, respectively. The onion_id is the hostname of the locally configured hidden service (see tor(8)). Depending on the configuration of Tor the onion_id usually can be found at /var/lib/tor/hidden_service/hostname or similar location. The i2p_id is the 80 bit long Base32 encoded hostname of the I2P server tunnel.

OnionCat implements two loopback responders for easier network debugging. Ping responses from the loopback address fd87:d87e:eb43::dead:beef indicate a correct network setup between the kernel and OnionCat. Ping responses from fd87:d87e:eb43::feed:beef indicate that the connection between OnionCat and Tor itself works and that the hidden service is correctly configured and enabled.

<a name="options"></a>

Options

The following is a description of all options. Typically you won't need any of them except specifying your OnionCat's .onion hostname. Depending on your setup you may use options -g and -A.

<a name="tap-device"></a>

TAP Device

Usually OnionCat opens a TUN device which is a layer 3 interface. With option -p OnionCat opens a TAP device instead which is a virtual ethernet (layer 2) interface.

<a name="examples"></a>

Examples

A typical ifup script for OnionCat for a modern Linux distribution using the `ip` command for configuring network related stuff could look like the following:

    #!/bin/sh
    # Assign the OnionCat IPv6 address to the interface, then bring it up.
    ip address add "$OCAT_ADDRESS/$OCAT_PREFIXLEN" dev "$OCAT_IFNAME"
    ip link set "$OCAT_IFNAME" up

<a name="onioncat-and-v3-hidden-services"></a>

Onioncat and V3 Hidden Services

For a detailed explanation of the interaction between OnionCat4 and HSv3, have a look at the document doc/INTRO_TO_ONIONCAT4.txt found in the source folder or on GitHub at https://github.com/rahra/onioncat/blob/master/doc/INTRO_TO_ONIONCAT4.txt .

Originally Tor's v2 hidden service addresses had a binary length of 80 bits. This made it possible to let OnionCat map hidden service addresses to IPv6 addresses and vice versa. The development of OnionCat started in 2008, and this held for a very long time until recently Tor came up with version 3 of hidden services. To comply with ongoing development in the field of cryptography, the new hidden service addresses of Tor (since version 0.3.2) are much bigger, meaning 336 bits. This obviously does not fit into an IPv6 address; hence, OnionCat is no longer able to translate back and forth between IPv6 and v3 onion addresses.

As a solution, OnionCat offers the possibility to do an external hostname lookup within /etc/hosts instead. Please note that for security reasons OnionCat does not use the system resolver; it definitely just reads the local hosts file. The big drawback is that with v3 hidden services OnionCat does not work out of the box any more. It requires that the destinations are configured manually beforehand.

To connect to a v3 hidden service, on the client side add a line to your /etc/hosts with the IPv6 address and the v3 hostname and run OnionCat with the additional option -H. The hosts entry could look like this (in one line!):

fd87:d87e:eb43:45g6:3bbb:9fxf:5877:4319 tulqpcvf7Oeuxzjod6odrpO77ryujc7o0g7kw6c76q9cbnbi7rqskxid.onion

If this client also has a v3 hidden service, you have to enter its IPv6/hostname pair into the hosts file on the opposite side as well, unless you use the -U option.

Please note that you could pick any IPv6 address in this case, although I suggest truncating the long hostname to just its last 16 characters for use with OnionCat, e.g. truncate "tulqpcvf7Oeuxzjod6odrpO77ryujc7o0g7kw6c76q9cbnbi7rqskxid.onion" to "6q9cbnbi7rqskxid.onion" and use it as the parameter for OnionCat.
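The 80-bit mapping described at the start of this section and the truncation suggested above can be written out in Python; this is an added example, not code from the OnionCat project. It assumes the mapping is the Base32-decoded 10 bytes placed in the low 80 bits of the fd87:d87e:eb43::/48 prefix seen in the addresses on this page; the function names are hypothetical and any hostnames passed to it in a test are constructed.

```python
import base64
import ipaddress

# Prefix taken from the addresses shown on this page; treating it as the
# fixed /48 for the mapping is an assumption of this example.
OCAT_PREFIX = ipaddress.IPv6Network("fd87:d87e:eb43::/48")


def _label(hostname: str) -> str:
    """Lower-case the hostname and drop a trailing .onion, if present."""
    name = hostname.strip().lower()
    return name[:-6] if name.endswith(".onion") else name


def onion_to_ipv6(onion_id: str) -> ipaddress.IPv6Address:
    """Map a 16-character (80-bit) Base32 onion_id into the /48 prefix."""
    label = _label(onion_id)
    if len(label) != 16:
        raise ValueError("expected 16 Base32 characters (80 bits)")
    # b32decode raises a ValueError subclass on characters outside a-z2-7.
    host_bits = base64.b32decode(label.upper())
    return OCAT_PREFIX[int.from_bytes(host_bits, "big")]


def ipv6_to_onion(address: str) -> str:
    """Reverse mapping: Base32-encode the low 80 bits of the address."""
    addr = ipaddress.IPv6Address(address)
    if addr not in OCAT_PREFIX:
        raise ValueError("address is outside fd87:d87e:eb43::/48")
    host_bits = (int(addr) & ((1 << 80) - 1)).to_bytes(10, "big")
    return base64.b32encode(host_bits).decode().lower() + ".onion"


def hosts_line_for_v3(v3_hostname: str) -> str:
    """Build an /etc/hosts line whose address comes from the last 16 chars."""
    label = _label(v3_hostname)
    if len(label) != 56:
        raise ValueError("expected a 56-character v3 onion hostname")
    base64.b32decode(label.upper())  # reject a mistyped hostname early
    return f"{onion_to_ipv6(label[-16:])} {label}.onion"
```

Because OnionCat reads only the local hosts file for v3 peers, rejecting a malformed hostname before the line is written keeps a typo from silently mapping an address to the wrong destination.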

<a name="notes"></a>

Notes

In the versions of OnionCat up to 0.3.7 a symlink named gcat was created. OnionCat internally handled this as GarliCat which is equal to running ocat with the option -I. The symlink was removed due to a name conflict with a different binary (see BSD coreutils).

The default settings changed since OnionCat4 (versions >= 0.4.0). Actually hosts-lookup is now on by default and the meaning of option -H was inverted. This is because OnionCat4 is specifically configured to better match the necessities for Tor's hidden services V3.

<a name="files"></a>

Files

$HOME/.ocat/connect_log

<a name="author"></a>

Author

Concepts, software, and man page written by Bernhard R. Fischer <bf@abenteuerland.at>.

<a name="credits"></a>

Credits

Credits go to Ferdinand Haselbacher, Daniel Haslinger, Wim Gaethofs, Marshalbanana, all package maintainers of several Linux and BSD distros, and many others who have contributed and reported bugs.

<a name="see-also"></a>

See Also

Onioncat source code https://github.com/rahra/onioncat

Further docs and howtos are found at https://github.com/rahra/onioncat/tree/master/doc

OnionCat source packages are also found at https://www.abenteuerland.at/ocat/download/Source/

Tor project homepage https://www.torproject.org/

I2P project homepage https://geti2p.net/

<a name="copyright"></a>

Copyright

Copyright 2008-2023 Bernhard R. Fischer.

This file is part of OnionCat.

OnionCat is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.

OnionCat is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with OnionCat. If not, see <http://www.gnu.org/licenses/>.