radio24/TorBox

[v.0.5.3] Domain exclusion (CLEARNET/VPN) in the Expert sub-menu called "Danger Zone"

radio24 opened this issue · 0 comments

Discussed in #215

Originally posted by radio24 April 9, 2023
We have on our to-do list several requests from TorBox users, which are reasonable for experts who precisely know what they are doing and the potential risks of these options. However, because these settings could lead to security and anonymity issues, we hesitated to include them in TorBox. With the introduction of a new sub-menu, "Danger-Zone", we will add and centralize some of these requests.

One interesting request we received was the exclusion of specific domains from routing through tor. There are use cases for such an exclusion:

  • Someone in an authoritarian country wants to use tor in general but not for connections to servers located in the country itself, for example, a government site. Of course, it would be preferable that in such a case, two separate computers would be used, but that's not always possible.
  • Someone will use streaming services (which may not work with tor), which, depending on the individual threat model, do not need to be secured and/or anonymized.
  • Someone with a local VPN connection on the TorBox generally uses tor but sends domains that are not accessible through tor through the VPN connection.

There is no doubt that with the exclusion of domains from tor, the user has to be aware of a higher risk. He has to know his threat model and what he is doing.

The first test version of the domain exclusion feature can be tested. The following steps are necessary to install it:

  • Choose entry 5 in the Maintenance and Update sub-menu. Choose "Expert" and answer "Which TorBox menu branch do you like to install?" with Danger-Zone. With the question "Which TorBox menu fork do you like to install?" press only the enter key to take the default.
  • Install ipset with sudo apt-get install ipset
  • Add an additional run-parameter in the run-file: cd; cd torbox; sudo printf "\n# Using an exclusion list for unprotected domains\nUNPROTECTED_DOMAIN=0\n" | sudo tee -a run/torbox.run
  • Update the rc.local file: sudo sed -i 's/^exit 0/\nif grep "\^UNPROTECTED_DOMAIN=1" \/home\/torbox\/torbox\/run\/torbox.run ; then \/home\/torbox\/torbox\/set_interfaces_3 1 ; fi\n\nexit 0/g' /etc/rc.local
  • Start the TorBox menu with cd; cd torbox; ./menu. Go to the Danger-Zone sub-menu and activate the Domain Exclusion feature.

Important

  • Domains/IPs on the VPN list will only be excluded from tor routing if a local VPN connection on the TorBox is up and running (tor over VPN using main menu entry 10). However, the domains/IPs on the CLEARNET list will also be routed without protection.
  • Please remember that domains/IPs on the exclusion lists are not protected by tor. It would be best to assume that everyone will see that you connect to these IP addresses. If not correctly encrypted (for example, by using HTTP), everyone can see the content of the communication to/from these IP addresses!
  • Currently, the exclusion feature still has to be better integrated into the other TorBox functionalities. Your feedback could help with that.

Please give feedback
Please help us to make TorBox better. We would appreciate feedback, ideas, bug reports, pull requests, etc.
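
A check for the state the install steps above leave behind, as an added example that is not part of the original post or of TorBox: it reports whether the exclusion hook will fire at boot and flags the cases that arise when the non-idempotent `tee -a` and `sed` steps are run more than once. The function names are hypothetical; the default paths and the hook line are assumed to be exactly those written by the steps.

```shell
#!/bin/sh
# Added example (not TorBox code): audit the boot-time state left by the steps.

# count_lines FILE REGEX -> number of matching lines, 0 if none or unreadable
count_lines() {
    n=$(grep -c -- "$2" "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# exclusion_state [RUN_FILE] [RC_FILE]
# Prints: boot=<active|inactive> flag_lines=N hook_lines=N warn=<list|none>
exclusion_state() {
    run_file=${1:-/home/torbox/torbox/run/torbox.run}
    rc_file=${2:-/etc/rc.local}
    on=$(count_lines "$run_file" '^UNPROTECTED_DOMAIN=1')
    total=$(count_lines "$run_file" '^UNPROTECTED_DOMAIN=')
    hook=$(count_lines "$rc_file" 'UNPROTECTED_DOMAIN=1.*set_interfaces_3 1')
    warn=""

    # rc.local greps for ANY line starting with UNPROTECTED_DOMAIN=1, so a
    # stale "=0" line elsewhere in the file does not switch the feature off.
    if [ "$on" -ge 1 ] && [ "$hook" -ge 1 ]; then boot=active; else boot=inactive; fi

    # "tee -a" appends on every run, so repeating the run-file step duplicates the flag.
    [ "$total" -gt 1 ] && warn="$warn,duplicate-flag"
    [ "$on" -ge 1 ] && [ "$total" -gt "$on" ] && warn="$warn,conflicting-flags"
    # The sed on rc.local inserts the hook again each time it is run.
    [ "$hook" -gt 1 ] && warn="$warn,duplicate-hook"
    # Flag set, but nothing in rc.local acts on it at boot.
    [ "$on" -ge 1 ] && [ "$hook" -eq 0 ] && warn="$warn,flag-without-hook"

    warn=${warn:-,none}
    echo "boot=$boot flag_lines=$total hook_lines=$hook warn=${warn#,}"
}

# Stand-alone use: audit the default paths, or the two paths given as arguments.
exclusion_state "$@"
```

A result of `boot=active` means traffic to the listed domains/IPs will bypass tor after the next reboot, which is the state to confirm against the intended threat model.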