Repository files navigation

MASQ Node combines the benefits of VPN and Tor technology, to create superior next-generation privacy software, whereusers are rewarded for supporting an uncensored, global Web. Users gain privacy and anonymity, while helping promoteInternet Freedom.

MASQ Node forms the foundation of the MASQ Network.

The MASQ Network is an open-source decentralized mesh-network (dMN) that allows any user to allocate spare computing resources to make the Interneta free and fair place for the entire world. It is a worldwide collection of Nodes that securely delivers content withoutthe need of a VPN or Tor.

Because there's no single authority delivering or monitoring content, censorship and geo-restricted sites won't be anissue on the MASQ Network. It doesn't matter where you live or what content you're accessing, everyone in the worldsees the exact same content.

MASQ Node software is what the average user runs to earn $MASQ utility tokens and dedicate some of their computers'resources toward the Network - users can be rewarded with $MASQ for each time they serve content.

MASQ Nodes work together through the mesh network to relay digital content.When a user requests a site, Nodes use a routing algorithm to find the most expedient and secure way to get theinformation to that user. Multiple Nodes work together to route a single request in order to maintain a necessary level ofanonymity.

Important Note: Please remember that at the moment the MASQ Node is in development and is not clandestine. Yourtraffic can't be decrypted, and it is difficult to trace to you; but it is currently very easy for someone sniffingyour Internet connection to tell that you're using some form of Peer networking. Please don't use it for any kind of sensitive traffic at thisstage - MASQ Network and it's developers are not responsible for any activity, or loss incurred, while using this beta software.

The MASQ project was forked from Substratum's Node project in order to carry on development after Substratum ceasedoperations in October of 2019. In 2021, Substratum's Node repositories were removed from GitHub, so the fork linkwith MASQ was broken, but all credit for the original idea and the original design belongs to Substratum (and properly attributed through GPLv3 license)

AKnowledge Base and testing resources are being refined for users with variouslevels of technical ability.

There you can find further information, guides and configuration examples for running MASQ Node from:

• MASQ Browser
• CLI
• Docker image

If you are interested in testing stages, speak to the team in the officialDiscord channel

To help navigate the codebase, here are the README.md links for all documented components

• Blockchain-Service-URL
• sub_lib
• proxy_server
• test_utils
• ui_gateway
• accountant
• proxy_client
• entry_dns
• hopper
• neighborhood
• multinode_integration_tests

Releases will appear on our GitHub page - click on the badge above for the latest stable beta build, or go to ourReleases page

If you want to try out the latest build, go toour GitHub Actions continuous integration page to see a list of builds.Look for the latest (uppermost) successful build: it'll have a white checkmark in a green circle next to it.

Click on that link and scroll to the end of the page. You'll see a set of three artifact packages, one for each platformMASQ supports.

Click the one that matches your platform; your browser will download a.zip file. Inside the.zip file are manythings useful to developers, but you'll be interested in the executable binaries in/generated/bin.

Make a directory somewhere on your system from which you'll run MASQ. You'll want to extract one or more files from/generated/bin in the.zip file into that directory.

The most important file isMASQNode, orMASQNode.exe if you're using Windows. Definitely extract that one. Itcontains the code for both the MASQ Node and the MASQ Daemon.

If you're using a graphical user interface for MASQ, that's all you'll need. If you're not, you'll probably also wantmasq, which is a command-line user interface.

If the regular network-proxy setup doesn't work for you, you might wantdns_utility as well to make it easy tosubvert your system's DNS configuration.

Finally,automap is a test utility used to check MASQ's automatic firewall penetration functionality against yourparticular router. Unless you've volunteered to help the MASQ dev team run tests, you won't need this.

These instructions assume you have the MASQ Node executable but not the MASQ GUI. (If you do, consult the GUIdocumentation about starting the Node on ourTesting Guides) You'll want to run the MASQ programs from wherever you expanded the/generated/bin path from the.zip file you downloaded.

There are a number of ways to run the Node, but the way you'll probably want to use is to make sure the MASQ Daemonis started first. If the Daemon is not running in the background already, open a terminal window and start it by typing

$ sudo nohup ./MASQNode --initialization &

if you're working in Linux or macOS, or

$ start /b MASQNode --initialization

if you're using Windows.

The Daemon's responsibility is to configure and start the Node. When it comes up, it sets up an initialization areathat contains configuration data for the Node: some of it defaulted, some of it loaded from the environment, someloaded from a configuration file, if present, and the rest of it uninitialized. Before the Node is started, theconfiguration data in the Daemon's initialization area should be adjusted so that the Node has what it needs when itcomes up.

If you have no GUI, the simplest way to do this is with themasq command-line user interface. Once you have theDaemon running, type

$ masq

at a handy command prompt. To learn how to usemasq to set up and start the Node, typehelp at themasq> prompt,and pay special attention to thesetup andstart commands.

If this is the first time you're starting the Node, you may also be interested inset-password,create-wallets, andgenerate-wallets.

There are four ways to get configuration information into the initialization area of the MASQ Daemon on startup.In decreasing level of priority, these are:

1. masq
2. the Daemon's shell environment
3. a configuration file
4. defaults

Any piece of configuration information can be provided through any of these channels, with one exception: the path tothe configuration file cannot be taken from the configuration file. (It can be provided there, but it will never betaken from there.) Configuration information provided in the configuration file will supersede defaults, informationprovided in the environment will supersede conflicting information provided in the configuration file, and informationprovided via the UI will supersede conflicting information from all the other sources.

This is the easiest. In this file, our documentation of the configuration options shows you how to provide them tomasq on the command line, either in interactive mode or in noninteractive mode. Keep in mind, though, that commandlines tend to be preserved by the operating system for display to users who want to see process lists. Therefore, thecommand line may not be the best place to specify sensitive or secret configuration information. (Nothing prevents youfrom doing this, though, so be careful.)

If you see that the UI accepts a command such assetup --clandestine-port 1234, then you can supply that sameparameter in the environment by setting theMASQ_CLANDESTINE_PORT environment variable to1234. Note that you needto remove the initial-- prefix, convert the name to all uppercase, change hyphens to underscores, and add aMASQ_prefix to namespace the parameter against other applications that might look for a similar variable.

The configuration file, by default, resides in the data directory (see the--data-directory parameter for furtherinformation) and is namedconfig.toml. If you leave the configuration file unspecified, this is where MASQ Nodewill look for it. If it's found, it will be used; if it's not, MASQ Node will act as though it had been found but empty.But if you want to use a different file, specify it either as--config-file in the Daemon setup or asMASQ_CONFIG_FILEin the environment. If you specify a relative filename, MASQ Node will look for the configuration file in the datadirectory; if you specify an absolute filename, MASQ Node will not use the data directory to find the configurationfile.

The configuration file should be in TOML format. TOML is a competitor to other formats like JSON and YAML, but theMASQ Node uses only scalar settings, not arrays or tables. If you see that Daemon setup accepts a command suchassetup --clandestine-port 1234, then you can supply that same parameter in the configuration file by adding thefollowing line to it:

clandestine-port = "1234"

Note that you need to remove the initial-- prefix. All the configuration parameters will work if you supply theirvalues as double-quoted strings, but if they're numeric values, you can supply them numerically as well--for example,

clandestine-port = 1234

Keep in mind that a configuration file is persistent information: anyone who has or can gain read access to the filecan read whatever's in it, whether MASQ Node is running or not. Therefore, the configuration file may not be thebest place to specify sensitive or secret configuration information. (Nothing prevents you from doing this, though, sobe careful.)

In order to run decentralized, MASQ Node needs at least an earning wallet (an Ethereum wallet into which other Nodeswill make payments for the services your Node provides). If you plan to use your Node to consume data with a browseror other network application, it will also need to be configured with a funded consuming wallet (an Ethereum walletfrom which it will make payments for the services other Nodes provide). If you want, you can use the same wallet forboth earning and consuming, although this will allow an attacker to connect your network-forming Gossip traffic with yourdata traffic, if he wants.

MASQ only ever has to put money into your earning wallet, which means the Node only has to know its address. However,MASQ needs to pay money out of your consuming wallet; therefore the Node needs to know more about that one. Currently,we use the mnemonic seed, an optional "25th word" that serves the purpose of a password, and the derivation path.

If you route other people's traffic without having an earning wallet set up, a default earning wallet will beused, in which case the funds you earn will go to MASQ instead of to you: so unless you're in a philanthropic mood,you should be sure to set up or specify your earning wallet before you route data.

The Node keeps a database on disk where it stores various things, like persistent configuration data and accountinginformation. In some cases, this information is sensitive, and if an attacker confiscated your computer and foundthe sensitive data, you or others could be put at risk. Therefore, all the security-sensitive data in the database isencrypted with a symmetric key. We call that key a password, and you're required to set it before you store anysensitive data in the database. There are no rules for how long the password must be or what it must contain--securityof your data is your responsibility, not ours--but it needs to be present so that the database can be properly encryptedwith it.

MASQ never stores the password anywhere on disk, only in memory; so A) you'll need to supply the password every timethe Node starts, B) no one can tell you the password if you forget it, and C) forgetting it will mean that yourdatabase is useless, and you'll have to start it over.

Themasq command-line interface can run two ways. If you just type

$ ./masq

at a command prompt, you'll be shown amasq> prompt, and the system will await a series ofmasq commands from you.But if you type something like

$ ./masq setup --log-level debug --clandestine-port 1234

thenmasq will start up, execute the command you gave it, and immediately terminate.

This way, you can use interactivemasq to give an impromptu series of commands to the Daemon and/or the Node, or youcan write shell scripts to control the Daemon and/or the Node for special purposes, with those scripts containingnoninteractivemasq commands.

The MASQ Daemon and the MASQ Node are two different programs that share the same binary. If you start that binary withthe--initialization parameter, it will become the Daemon; if you start it without the--initialization parameter,it will become the Node.

MASQ is designed to be very difficult to hack, but it's intended to go up against government-level attackers, so there'salways the possibility that they could have the funding to do something we didn't anticipate. If an attacker figures outhow to hack into a computer running MASQ, we think it's very important that at least he doesn't find himself hackedinto a process running with administrative privilege.

Also, it's important that the user interface, whether command-line or graphical, be able to direct the Node to startwithout having administrative privilege. However, because of the network ports the Node has to initialize, it must atleast start up with administrative privilege. It drops all special privileges before it reads any data from the network,though, so any attacker who manages to hack it over the network won't see those special privileges.

These two requirements led to the development of the MASQ Daemon. The Daemon should start up with administrativeprivilege at system-boot time, and keep running--with that privilege--until the computer shuts down. In return forbeing a long-running privileged process, the Daemon is forbidden from A) accessing the network in any way, and B)communicating with the Node in any way other than starting its process. As long as these limitations are respected,even someone who successfully hacks into the Node will not be able to hack into the privileged Daemon.

When the user interface (whether command-line or graphical) starts up, it connects first to the Daemon. There is aset of commands the UI can use to communicate with the Daemon, but this set is comparatively small. As long as theUI issues commands from that set, it will stay connected to the Daemon. At some point, the UI will probably issuea command the Daemon doesn't understand - if the Node is running then the Daemon will instruct the UI todrop its Daemon connection, create a new connection to the Node instead, and re-issue the unrecognized command so thatthe Node can execute it.

Thereafter, the UI will be connected to the Node. It will not connect again to the Daemon unless the Node shuts downor crashes; then the UI will fall back to the Daemon (if it's still running) or exit (if it's not).

masq has quite a few subcommands that you can use, both interactively and noninteractively. The best way to findout about these subcommands is to type

$ ./masq --help

noninteractively at a shell-command prompt, or

masq> help

interactively at amasq prompt.

If you're starting the very first MASQ Node in a MASQ network, then you don't have to tell your Node aboutany preexisting network; instead, other people who want to join that MASQ Network will have to tell their Nodesabout your Node, which means you'll need to give them your Node descriptor.

Otherwise, you'll need to specify--neighbors as part of yourmasq setup so that your Node will know how to jointhe network that is already in place.

However, if your machine has already recently been on the MASQ Network, and you're starting the Node up again, there'sa chance that at least some of the Nodes that were recently your neighbors are still up and can be recontacted; in thatcase, the Daemon will read the Node descriptors of your former neighbors out of the database and pre-populate the--neighbors setup with them, and you might not have to enter anything manually.

In order to run decentralized, the MASQ Nodemust know the IP address others can use to contact it. Therefore,you must supply--ip.

Your home network is behind your internet provider's router and a public IP address. Other Nodes in the MASQ Networkwill contact your Node through your public IP address, requiring at least one port to be forwarded on your router. TheMASQ Node Gossip protocol "gossips" to other Nodes the clandestine port you are listening on, and it is that portyou will need to open. When your Node is started it will write its descriptor to the console and the log, giving the clandestineport it is using; you will need to forward that port from your router to your computer's IP address.

Forwarding ports on your router is somewhat technical. At a minimum, you should know how to log in to your router inorder to make changes to its configuration. The process is interchangeably called forwarding a port, opening a port,or mapping a port, and may be labeled as such in the router's interface. Assigning a static IP address for your computerwill make this process easier, as otherwise your IP address can change each time your computer restarts or you restartthe network interface. There are many guides that you can find on the Internet by searching for "Port Forwarding" or"How to Port Forwarding". Here is an example:PortForward.com

More information on the operation, care, and feeding of the Neighborhood is availablein the neighborhood_subproject.

Terminating a MASQ Node may be more of a process than you expect. There are three things to consider.

The most obvious is the MASQ Node itself. Terminating that is easy: just send it a shutdown message, with the GUI ifyou have it, or withmasq like this:

$ ./masq shutdown

noninteractively, or if you're interactive,

masq> shutdown

However, if you were using your Node to access the Internet--that is, to consume--your computer's network stack is nowmissing an important component, and it won't work anymore until you reconfigure it to operate without the Node.If you configured your proxy settings to use the Node as an HTTP proxy, you'll want to disable them, or revert themback to what they were before you started the Node. If you're using DNS subversion, you'll want to revert that:

$ sudo ./dns_utility revert

Third, you'll probably want to close the hole or holes in your router's firewall. Don't leave them open against thenext time you run: it's dangerous to leave open holes in your firewall to ports you're not actively using on purpose.

MASQ Node, like any other piece of software, can encounter obstacles it cannot overcome in the process of tryingto do what you ask it to do. It needs to be able to tell you about these insurmountable obstacles, but it lives in aplace that makes this difficult. If it were a Web browser, it would have a window on which to display error messages.If it were a Web server it could send data describing the errors to your browser to display. But it's neither of thesethings; instead, it's crowded into a place in the protocol stack where neither the browser nor the server expects itto exist.

Therefore, certain error messages are a bit awkward to display in the browser, especially if they involve TLSconnections. Let's look at how MASQ Node deals with certain kinds of errors.

An insecure HTTP connection is one that is based on a URL that begins withhttp:// (as opposed tohttps://). Thefact that it is insecure means that MASQ Node (and every other process that handles the data) can intrude on thedata stream and make your browser display whatever they want it to, which may or may not be related to what the serveron the other end of the connection intended.

When errors occur, this is very useful for MASQ Node. If you request something from an HTTP server (and for somereason MASQ Node cannot relay your request to that server) or cannot relay the response from the server back toyou, MASQ Node will instead impersonate the server and create a counterfeit response describing the error. This will be displayedto you instead of the server response it can't give you. (Don't worry: MASQ Node's impersonation of the serveris deliberately very bad, so you can easily tell that the error is not coming from the server. You won't be misled).The error message will describe the problem and suggest ways it might be alleviated.

TLS (spoken over connections based on URLs that begin withhttps://) is a much more difficult beast. Once a TLSconnection is set up between your browser and a server, MASQ Node cannot understand a single bit of the dataflow,and it cannot modify a single bit of it without your browser throwing red alerts and refusing to show you the modifieddata. This is good for you and your privacy, but it doesn't make it easy for MASQ Node to communicate with youvia the browser.

There is a small exception.

Once a TLS connection is set up, it's completely secure. Butwhile it's being set up, before the encrypted tunnel hasbeen established, there's a little MASQ Node can do. Specifically, it can inject what's called a TLS Alert into thestream of data, as long as it is injected very early. This TLS Alert has a single byte that MASQ Node can use to tellyou about problems it has relaying your data. There are a number of predefined values this byte can take on, andMASQ Node has to pick one of these values: it can't make up its own.

If your browser is trying to load a page when the error occurs, you'll see a cryptic message in its window telling youthat you're not going to get what you're after. The exact wording of the error depends on the exact type of the TLSAlert. If your browser is trying to communicate in the background when the error occurs, you probably won't see it onthe screen; but if the browser stops responding, you can open its developer tools and check the JavaScript console; ifMASQ Node sent a TLS Alert, you'll see it there.

Since the concerns of the MASQ Node aren't precisely the same as the concerns of a TLS endpoint, the correspondencecan't always be made exact, so here are some specific TLS Alert values that MASQ Node produces in specificsituations.

• Routing Failure -internal_error: If your Node is not yet "warmed up" enough in the MASQ Network to see alarge enough neighborhood to be able to create a clandestine route that meets your specifications, it will raise aTLSinternal_error Alert. This will probably be displayed by your browser as some sort of protocol error--which,strictly speaking, it is. If this happens, just wait awhile for your Node and the MASQ Network to Gossip witheach other and spread around the necessary information. Then try reloading the page.

• DNS Resolution Failure -unrecognized_name: Even though you contact websites at names likegoogle.com andtwitter.com, the real Internet operates on the basis of IP addresses (like172.217.6.14 and31.13.66.35).Before it's useful for retrieving data, your server name has to be translated into an IP address. This is the job of aDNS server. Much of Internet censorship consists of crippling the DNS servers you have available to you so that theycan't give you the correct IP address for the server name you're seeking. MASQ Node captures the DNS queries yourbrowser makes and forwards them across the MASQ Network to some other Node that hopefully has access to anon-censored DNS server thatdoes know the IP address you want. But this is a complex task and it may fail. Forexample, perhaps you typed the server name wrong, andnobody knows an IP address it matches. Or perhaps yourMASQ Node guessed wrong, and the exit Node to which it forwarded your DNS query is also handicapped by a censored DNSand can't find it either. In either case, MASQ Node will send your browser a TLSunrecognized_name alert, whichyour browser will probably present to you as some form of can't-find-host error. If you reload the page, MASQ Nodewill try to select a different exit Node, if available--one that hasn't failed to resolve a DNS query--for the nextattempt, which might bring you better fortune. Of course, if youhave typed the name wrong, just reloading the pagewill take another innocent exit Node out of circulation and make it even harder for you to get where you want to go.

We run tests on every push tomaster on these platforms:

• Ubuntu 20.04 LTS Desktop 64-bit
• MacOS High Sierra (currently testing on Big Sur)
• Windows 10 64-bit

MASQ Node doesn't reliably build on 32-bit Windows due to issues with the build tools for that platform. Werecommend using a 64-bit version to build.

We do plan to release binaries that will run on 32-bit Windows, but they will likely be built on 64-bit Windows.

Copyright (c) 2019-2024, MASQ Network