By default, circuit servers and clients communicate over plaintext TCP. An HMAC-based symmetric authentication, followed by an asymmetric RC4 stream cipher, is supported.
To enable encryption, use the -hmac command-line option to point the circuit executable to a file containing the private key for your circuit.
For instance:
circuit start -a 10.0.0.1 -hmac .hmac
Or, if you are invoking the tool:
circuit ls -hmac .hmac /...
Alternatively, you can set the environment variable CIRCUIT_HMAC to point to the private key file.
To generate a new private key for your circuit, use the command:
circuit keygen
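A preflight check for the key file that -hmac or CIRCUIT_HMAC points to, as an added example that is not part of circuit or of the original page. The function name circuit_use_key and the owner-only permission policy are assumptions made for this example; the script does not invoke circuit itself.

```shell
#!/bin/sh
# Added example: validate the circuit key file before exporting CIRCUIT_HMAC.
# The function name and the owner-only policy are assumptions made here,
# not behaviour of circuit.

# circuit_use_key FILE
# Returns 0 and exports CIRCUIT_HMAC when FILE is a usable, private key file.
# Returns 1 (missing or not a regular file), 2 (empty),
# 3 (accessible to group or others).
circuit_use_key() {
    key=$1
    # -f follows symlinks, so a link to a regular file is accepted.
    if [ ! -f "$key" ]; then
        echo "circuit key: $key is not a regular file" >&2
        return 1
    fi
    if [ ! -s "$key" ]; then
        echo "circuit key: $key is empty" >&2
        return 2
    fi
    # Characters 5-10 of the ls mode string are the group and other bits;
    # -L reports the link target's mode rather than the symlink's.
    perms=$(ls -ldL -- "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "circuit key: $key is accessible to group/others; chmod 600 it" >&2
        return 3
    fi
    # Export an absolute path so the setting survives a later cd.
    dir=$(cd "$(dirname -- "$key")" && pwd) || return 1
    CIRCUIT_HMAC="$dir/$(basename -- "$key")"
    export CIRCUIT_HMAC
}

# Usage (commented out so the script runs without circuit installed):
#   circuit_use_key .hmac && circuit ls /...
```

Every server and client of one circuit reads the same key, so the check applies on each host that holds a copy of the file.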
From a networking and protocol standpoint, circuit servers and clients are peers: all communications (server-server and server-client) use a common RPC framework, which often entails a server being able to reverse-dial into a client.
For this reason, circuit clients (the circuit tool or your apps) CANNOT be behind a firewall with respect to the servers they are dialing into.