[[TOC(noheading)]]

'''WARNING: The intent of this guide is to show users how to run Mumble over the Tor network; we are not vouching for the security of Mumble itself.'''

For chat, some type of XMPP client supporting OTR would likely be a more secure solution, because OTR offers many properties that Mumble does not (end-to-end encryption, deniability, forward secrecy, etc.).

= Mumble =

Mumble is an open source, low-latency VoIP (Voice over IP) chat application primarily intended for use while gaming. It is distributed under the New BSD License. Users can use Mumble to connect to the public server or set up their own server with Murmur, allowing one to communicate with multiple parties at once by voice chat.

Mumble connects to a server via a TLS/TCP control channel. While it normally uses a UDP audio channel, using Mumble over Tor forces traffic entirely over the control channel, and uses the ciphers that it supports. This is due to Tor's inability to handle UDP packets.

Mumble is end-to-server encrypted with AES in OCB mode to increase user privacy. OCB is used to provide both secrecy and authentication while maintaining low latency.

In 1.2.0 Mumble implemented [https://wiki.mumble.info/wiki/Features#Authentication certificate authentication], eliminating the need for passwords and providing a significantly more secure form of verification. Many servers now require such certificate authentication to connect. As of [http://blog.mumble.info/mumble-1-2-9/ 1.2.9], Mumble also supports forward secrecy.

== Acquiring Mumble ==

 * Linux: Mumble is available via standard PPA (Personal Package Archive) installation.
 * FreeBSD: Mumble is available in the FreeBSD ports collection.
 * Windows: Download Mumble from https://mumble.info/
 * OSX: Download Mumble from https://mumble.info/
 * iOS: Download Mumble from iTunes.

There are other third-party clients available for Mumble:

 * Plumble (Android): Download from Google Play Store.
 * Mumblefy (iOS): Download from iTunes.

== Torifying Mumble ==

=== Mumble's Proxy Settings ===

The easiest way to use Mumble via Tor is using the internal proxy settings. This method was previously discouraged due to DNS leaks: QHostAddress resolved addresses ahead of time in a few processes, so the DNS request did not go through the configured proxy. However, as of [https://github.com/unascribed/mumble/commit/e7762b58804e9bfbf8af314454c626da2e447d96 this patch], that issue has been officially resolved and the internal settings have become the recommended choice for Torifying Mumble. The patch also implemented support for {{{.onion}}} addresses. Please read the commit note for a detailed outline of all the features implemented.

=== Torsocks Method ===

Mumble can be used with [https://trac.torproject.org/projects/tor/wiki/doc/torsocks Torsocks] by starting it from the command line with the command {{{torsocks mumble}}}.

By default, Mumble uses UDP for its voice channel and TCP for its control channel. Since Tor doesn't transport UDP, you will need to tick the 'Force TCP mode' box in the network settings so that voice and chat are both sent over Mumble's TCP control channel. Alternatively, if you are running your own Murmur server, you can block UDP at the server with iptables (see below).

There are a number of other settings here you may also want to enable or disable, based on your preference. It's advised to go through the settings in their entirety to see which ones are useful for your purposes.

If you use Mumble on Tails, you must start Mumble with the command `torify mumble` or the Tails firewall will prevent you from connecting. Mumble does not ship with Tails by default. To use it you will need to install it using

{{{
sudo apt-get update && sudo apt-get -y install mumble
}}}

[[br]]

= Murmur =

Murmur is the server software for Mumble. It is packaged as '''mumble-server''' in Debian, Ubuntu, and their derivatives.

== Murmur configuration ==

'''Note:''' The instructions below were written for use with the official Murmur implementation. For further details regarding Murmur setup/configuration, please see the official Murmur setup guide on the [https://wiki.mumble.info/wiki/Murmurguide Mumble Wiki].

=== Firewall rules ===

"64738" is currently the default port for Murmur. If you have changed the port that Murmur uses, please adjust the rules below to reflect your changes.

Iptables rules:

{{{
-A INPUT -p tcp -m tcp --dport 64738 -j ACCEPT
-A INPUT -p udp -m udp --dport 64738 -j ACCEPT
-A INPUT -j DROP
}}}

pf rules:

{{{
pass in quick inet proto tcp from any to $ext_if port 64738 keep state
pass in quick inet proto udp from any to $ext_if port 64738 keep state
}}}

If you want to force TCP at the server, drop the iptables/pf rule for UDP.

=== Hidden Service configuration ===

It is possible to set up a Murmur server as a hidden service. To do this you need to edit /etc/mumble-server.ini, which is the default Murmur configuration file. Add (or uncomment and edit) this line:

{{{
host=127.0.0.1
}}}

You may also want to set a password for your server or change the port your server listens on; to do so, edit these lines as well:

{{{
serverpassword=neitherwordsnorsilence
port=64738
}}}

You will need to restart mumble-server/murmurd for the changes to take effect.

You also need to edit your [https://www.torproject.org/docs/faq.html.en#torrc torrc file]. Add (or uncomment and edit) these lines:

{{{
HiddenServiceDir /var/lib/tor/hidden_service
HiddenServicePort 64738 127.0.0.1:64738 # Adjust port to match Murmur configuration
}}}

Restart Tor to get your hidden service address from /var/lib/tor/hidden_service/hostname.

=== Latency ===

Latency for Tor-server connections seems to be mostly between 200 and 600 ms. Latency for Tor hidden service connections seems to be mostly between 900 and 1300 ms.
You can check your latency by right-clicking on your profile name in the chat window and clicking 'Information'. Look for 'Average ping' and 'Ping deviation'. If your connection is especially slow, get a new circuit from Tor and reconnect.
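
The following is an added example, not part of the original guide or of the Mumble or Tor projects: a shell check for the "Hidden Service configuration" section that confirms Murmur is bound to 127.0.0.1 only and that torrc forwards a HiddenServicePort to the same port. The function names ({{{ini_get}}}, {{{torrc_targets}}}, {{{check_onion_murmur}}}, {{{make_samples}}}) are hypothetical and the sample files are constructed; on a real host, pass /etc/mumble-server.ini and your torrc path instead.

```shell
#!/bin/sh
# Added example: cross-check Murmur's ini against torrc for an onion-only server.

# Print the last uncommented value of KEY in an ini file (empty if unset).
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Print "VIRTPORT TARGET" per HiddenServicePort line; Tor maps a missing
# target to 127.0.0.1:VIRTPORT and a bare port to 127.0.0.1:PORT.
torrc_targets() {
    awk '{ sub(/#.*/, "") }
         tolower($1) == "hiddenserviceport" {
             t = ($3 == "") ? $2 : $3
             if (t !~ /:/) t = "127.0.0.1:" t
             print $2, t
         }' "$1"
}

# Print findings; return 0 only if Murmur is loopback-only and torrc forwards to it.
check_onion_murmur() {
    rc=0
    host=$(ini_get "$1" host)
    port=$(ini_get "$1" port)
    port=${port:-64738}                      # Murmur's default port
    if [ -z "$host" ]; then
        echo "FAIL: host unset, Murmur binds to every interface"; rc=1
    elif [ "$host" != "127.0.0.1" ]; then
        echo "FAIL: host=$host is not 127.0.0.1"; rc=1
    fi
    if ! torrc_targets "$2" | grep -q " 127\.0\.0\.1:$port\$"; then
        echo "FAIL: no HiddenServicePort targets 127.0.0.1:$port"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: loopback-only Murmur behind onion port $port"
    return "$rc"
}

# Constructed sample files (not from a real host).
make_samples() {
    printf 'host=127.0.0.1\nport=64738\n' > "$1/good.ini"
    printf '#host=127.0.0.1\nport=64738\n' > "$1/bad.ini"
    printf 'HiddenServiceDir /var/lib/tor/hidden_service\nHiddenServicePort 64738 127.0.0.1:64738 # Murmur\n' > "$1/torrc"
}

tmp=$(mktemp -d)
make_samples "$tmp"
check_onion_murmur "$tmp/good.ini" "$tmp/torrc"
check_onion_murmur "$tmp/bad.ini" "$tmp/torrc" || echo "(exit status $?)"
rm -rf "$tmp"
```

The second sample leaves {{{host}}} commented out, which is the case to catch: Murmur would then also listen on the machine's public interfaces, making the server reachable outside Tor.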