OnionCat and IPv4

Obviously, there may be demand for IPv4 packet transport. OnionCat forwards IPv6 but there are two solution to also transport IPv4.

  1. Using IPv4-in-IPv6 tunnels (which is recommended)
  2. Native IPv4 tranport of OnionCat

IPv4-in-IPv6 Tunneling

Most operating systems should support IP-IP6 tunneling. IPv6 supports encapsulation of IPv4 or IPv6, hence, tunneling is not a big deal. An IP-IP6 tunnel is a point-to-point tunnel between two IPv6 nodes. The tunnel endpoints are virtual network interfaces. IP addresses are assigned to them and routing has to be set up as usual (as if those interfaces where ethernets). Before configuring a tunnel you need to know the two IPv6 addresses of the IPv6 nodes. Those will be the IPv6 OnionCat addresses. There are a few steps necessary on Linux. First insert the IPv6 tunneling kernel module, then setup the tunnel interface by connecting it to the two IPv6 addresses. Next configure the IPv4 addresses to the tunnel endpoints, bring them up and add the necessary routes (... and don't forget to update your firewall rules).

# modprobe ip6_tunnel
# ip -6 tunnel add iptun0 mode ipip6 
   local fd87:d87e:eb43:1f53:c75:3b27:7adc:c9a5 \
   remote fd87:d87e:eb43:8733:3338:21f6:a2b8:eebf
# ifconfig iptun0 up
# route add -net dev iptun0

On the other end do the same thing except that you have to swap the two IPv6 addresses and use another IP address on the tunnel endpoint, e.g. If Tor, OnionCat, and the tunnel is up on both ends you should be able to ping the remote end.

OnionCat's Native IPv4 Forwarding

Since version 0.1.9 OnionCat also supports IPv4 but there are some additional configuration tasks necessary and it has some restrictions. On startup OnionCat additionally assigns an IP address to the tunnel interface. The IP address currently is automatically generated. It takes the private class A network and assigns the least signifficant 24 bits of the IPv6 address to the host part. E.g. the OnionCat IPv6 address fd87:d87e:eb43:1e53:c75:2a27:72 dc:c9a8 is converted to Obviously, these IP addresses are not unique any more like their IPv6 counter-parts. This leads to two problems: first, it could happen that different hidden services resolv to the same IP address and it's not possible to convert such an IP address back to an IPv6 address or an .onion URL. That's why OnionCat now needs a glue between an IP address and the corresponding hidden service. OnionCat accomplishes this by lookups in a routing table. You have to set up this routing table before. Currently, there's no kind of auto-configuration but we think about it.

Let's assume two hidden services which should be connected via OnionCat. Service A has .onion URL dzjqy5jkeaznzsni.onion and Service B has 4rbgabc56388sihe.onion. Now figure out the IP and the IPv6 address by starting OnionCat with options -4i.

serviceA% ocat -4 -i dzjqy5jke5znzsni.onion
serviceB% ocat -4i 4rbgabc563assihe.onion

Now start OnionCat on both hosts with the additional option -4. Connect to the local controller interface and add the route. On service A you have to enter the destination and gateway of service B and vice versa.

serviceA% telnet :: 8066
Trying ::...
Connected to ::.
Escape character is '^]'.
dzjqy5jke5znzsni> route fd87:d87e:eb43:e442:6004:5df6:c129:20e4
dzjqy5jke5znzsni> exit
Good bye!
Connection closed by foreign host.

Now everything is ready. try to ping the other host.

Last modified 6 years ago Last modified on Jun 23, 2014, 1:22:22 PM