shadow / tornettools

A tool to generate realistic private Tor network models, run them in Shadow, and analyze the results.

Ability to configure servers as hiddenservices

marcosimioni opened this issue

Servers generated by tornettools are currently cleartext servers, but I think that an option that generates them as hidden services instead would be a nice to have for testing purposes.

I have implemented a simple switch --hidden that should do the job.

I'm currently testing it, but I'd love to have your review and see if I have missed anything obvious.

Gonna submit a PR soon.

Done. @robgjansen any thoughts?

Ok, there's still something missing. The simulation using the --hidden flag takes forever, probably stuck after 6+ hours, and if I enable pcap files I don't see any traffic on the hiddenservice nodes. I see pcap files being created, but 0 bytes after 6+ hours of execution.

Running it without the --hidden flag works fine, simulation ends in a few hours, and pcap files populated correctly.

If you have any pointer on how to understand what's happening it's much appreciated. I'll keep digging, I'm not very familiar with shadow's logging yet.

Sorry for the delay! This would be a great feature, thanks for contributing.

Not sure that we want to change the existing cleartext servers into onion service servers, but maybe the existing hosts that are running the cleartext servers could also make them available as onion service servers too.

I'll take a look at #5 now.

Thanks for your comments @robgjansen!

There were actually two issues:

  • command arguments like --HiddenServicePort 80 127.0.0.1:8080 needed to be quoted! (and actually encoded, because we're in an XML attribute, but that's already taken care of by the XML libraries we use).
  • permissions of the hs dir must be set to 700 in order to make Tor happy

I've fixed both, but the first issue actually highlighted another issue in shadow because of the way we handle process arguments: shadow/shadow#1265

I've pushed a PR there too that should fix the issue.

Now that I think of it, I could have probably put the --HiddenServicePort param into the torrc file, given that it's common across all hidden services. I would have avoided encountering this issue. Only the --HiddenServiceDir really needs to be customized per each hidden service because it contains the node name.

Thoughts?

Also, I've seen all your other comments, they all make sense to me and I'll work on them when I have some spare time.

Thanks!

> Now that I think of it, I could have probably put the --HiddenServicePort param into the torrc file, given that it's common across all hidden services. I would have avoided encountering this issue. Only the --HiddenServiceDir really needs to be customized per each hidden service because it contains the node name.
>
> Thoughts?

Yeah, this sounds good! This way we stay consistent with the way we set up the other nodes too; i.e., we would use the --defaults-torrc tor.common.torrc and then -f tor.onionservice.torrc which contains

ORPort 0
DirPort 0
ClientOnly 1
SocksPort 9000
SocksListenAddress 127.0.0.1
HiddenServicePort 8080 127.0.0.1:80

And then only specify HiddenServiceDir shadow.data/hosts/XXX/hs in the arguments string in the shadow config file.
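
The two fixes discussed in this thread (quoting a multi-word option value inside an XML attribute, and creating the hs directory with mode 700), sketched as an added example that is not code from tornettools or Shadow. The element name "process", the attribute names, the helper names and shell-style splitting of the arguments string are assumptions made for illustration.

```python
import os
import shlex
import stat
import xml.etree.ElementTree as ET


def make_hs_dir(path):
    """Create the onion service directory with owner-only access (700)."""
    os.makedirs(path, mode=0o700, exist_ok=True)
    # makedirs is subject to the umask and leaves an existing directory
    # untouched, so set the final mode explicitly.
    os.chmod(path, 0o700)
    return stat.S_IMODE(os.stat(path).st_mode)


def tor_arguments(options):
    """Join (option, value) pairs into a single argument string.

    A value containing spaces is quoted so that a shell-style splitter
    (assumed here) hands it back as one argv entry.
    """
    parts = []
    for name, value in options:
        parts.append("--" + name)
        parts.append(shlex.quote(value))
    return " ".join(parts)


def process_element(hs_dir):
    """Build a config element carrying the arguments as an XML attribute."""
    args = tor_arguments([
        ("HiddenServiceDir", hs_dir),
        ("HiddenServicePort", "80 127.0.0.1:8080"),
    ])
    # Hypothetical element layout; ElementTree escapes the attribute value.
    elem = ET.Element("process", {"plugin": "tor", "arguments": args})
    return args, ET.tostring(elem, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample path, following the shadow.data/hosts/XXX/hs pattern.
    hs = os.path.join("shadow.data", "hosts", "server1", "hs")
    print(oct(make_hs_dir(hs)))
    args, xml = process_element(hs)
    print(xml)
    # Unquoted, the port mapping would split into two separate arguments.
    print(shlex.split("--HiddenServicePort 80 127.0.0.1:8080"))
    print(shlex.split(args))
```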