Tor Hidden Service

You can enable a remote access tunnel to your device over the Tor network and use it for SSH or to serve a web site. This is often used not only for privacy but also simply as a method of NAT traversal to a device that doesn't have a static IP. You can create your own .onion domain for free, but it will be accessible only with the Tor Browser or via a Tor SOCKS proxy.

Introduction

- How do Onion Services work
- How to set up an onion service
- Tor Support Portal

Tor HS configurator

The tor-hs package provides a Tor hidden service configurator that simplifies creating hidden services on OpenWrt routers.

Installation

To install the package with LuCI: in the main menu select System / Software, press Update lists... and then type tor-hs into the Filter field.

Or run in a terminal:

```sh
opkg update
opkg install tor-hs
```

Hidden service configuration

The UCI configuration is located in /etc/config/tor-hs. Edit and adjust it from the terminal with vi /etc/config/tor-hs. To create a new hidden service, add a hidden-service section; every hidden service needs its own hidden-service section.

Example of a hidden-service section for an SSH server:

```
config hidden-service
	option Name 'sshd'
	option Description "Hidden service for ssh"
	option Enabled 'false'
	option IPv4 '127.0.0.1'
	#public port=2222, local port=22
	list PublicLocalPort '2222;22'
```

| Name | Example value | Description |
|---|---|---|
| Name | sshd | Name of the hidden service. It is used as the directory name in HSDir. |
| Description | Hidden service for ssh | Description shown by the rpcd service. |
| Enabled | false | Enable the hidden service after running the tor-hs init script. |
| IPv4 | 127.0.0.1 | Local IPv4 address of the service. The service may run on another device; in that case OpenWrt will redirect the communication. |
| PublicLocalPort | 2222;22 | List of public ports accessible via the Tor network. The local port is the normal port of the service. |
| HookScript | /etc/tor/nextcloud-update.php | Path to a script which is executed after starting tor-hs. The script is executed with the parameters --update-onion hostname, where hostname is replaced with the onion v3 address of the given hidden service. |

Required section of configuration

There is one required section, common. Example:

```
config tor-hs common
	option GenConf "/etc/tor/torrc_hs"
	option HSDir "/etc/tor/hidden_service"
	option RestartTor "true"
	option UpdateTorConf "true"
```

Options description

| Name | Default | Description |
|---|---|---|
| GenConf | /etc/tor/torrc_generated | Config generated by tor-hs. |
| HSDir | /etc/tor/hidden_service | Directory with the metadata for hidden services (hostname, keys, etc.). |
| RestartTor | true | Restart tor after running /etc/init.d/tor-hs start. |
| UpdateTorConf | true | Update /etc/config/tor with the config from the GenConf option. |

Running service

To enable the tor-hs service run:

```sh
/etc/init.d/tor-hs enable
/etc/init.d/tor-hs start
```

If you enabled the options RestartTor and UpdateTorConf, the hidden service should now be running. Otherwise, you also have to restart the tor daemon:

```sh
/etc/init.d/tor restart
```

After that you should also restart the rpcd daemon, so that you can use the tor-hs RPCD service:

```sh
/etc/init.d/rpcd restart
```

RPCD

The RPCD service helps users access basic information about the hidden services on the router. After the hidden service is running, it contains the onion URL of each hidden service in the hostname value. Execute the command ubus call tor-hs-rpc list-hs and it will return:

```json
{
	"hs-list": [
		{
			"name": "sshd",
			"description": "Hidden service for ssh",
			"enabled": "1",
			"ipv4": "127.0.0.1",
			"hostname": "****hidden-service-hostname****.onion",
			"ports": [
				"22;22"
			]
		}
	]
}
```

Client authorization

Secure access with client authorization. Generate a public-private key pair using the instructions from Tor client authorization.
Place the generated public key in <HSDir>/<hidden-service.Name>/authorized_clients/<client-name>.auth. For the example above (SSH server) and a client named someone, that will be /etc/tor/hidden_service/sshd/authorized_clients/someone.auth. Use the private key in your browser when visiting the hidden service.

Client authorization (old)

Secure access with client authorization.

```sh
# Install packages
opkg update
opkg install openssl-util coreutils-base32

# Enable Tor onion service
cat << EOF >> /etc/tor/custom
HiddenServiceDir /etc/tor/onion_service
HiddenServicePort 22 127.0.0.1:22
EOF
umask go=
mkdir -p /etc/tor/onion_service
chown -R tor:tor /etc/tor/onion_service
/etc/init.d/tor restart

# Enable client authorization
openssl genpkey -algorithm x25519 -out /etc/tor/onion_service.pem
# Tor expects the raw 32-byte x25519 keys as unpadded base32
TOR_KEY="$(openssl pkey \
-in /etc/tor/onion_service.pem -outform der \
| tail -c 32 \
| base32 \
| sed -e "s/=//g")"
TOR_PUB="$(openssl pkey \
-in /etc/tor/onion_service.pem -outform der -pubout \
| tail -c 32 \
| base32 \
| sed -e "s/=//g")"
TOR_HOST="$(cat /etc/tor/onion_service/hostname)"
# Private half goes to the client, without the .onion suffix in the first field
cat << EOF > client.auth_private
${TOR_HOST%.onion}:descriptor:x25519:${TOR_KEY}
EOF
# Public half stays on the router next to the service keys
cat << EOF > /etc/tor/onion_service/authorized_clients/client.auth
descriptor:x25519:${TOR_PUB}
EOF
chown -R tor:tor /etc/tor/onion_service
/etc/init.d/tor restart

# Fetch onion service hostname
echo ${TOR_HOST}
```

Configure authorization on the client using the private key.

```sh
# Configure client authorization
cat << EOF >> /etc/tor/custom
ClientOnionAuthDir /etc/tor/onion_auth
EOF
umask go=
mkdir -p /etc/tor/onion_auth
TOR_AUTH="$(cat client.auth_private)"
cat << EOF > /etc/tor/onion_auth/client.auth_private
${TOR_AUTH}
EOF
chown -R tor:tor /etc/tor/onion_auth
/etc/init.d/tor restart

# Access onion service (the onion name is the first field of the auth line)
ssh ${TOR_AUTH%%:*}.onion
```
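Both client authorization sections above depend on two Tor file formats: the v3 onion hostname (56 base32 characters encoding the service key, a 2-byte SHA3-256 checksum and a version byte) and the descriptor:x25519: lines written to .auth and .auth_private. The following Python is an added example, not part of this wiki page or the tor-hs package, that validates those formats before a hostname or auth line is copied between router and client; it assumes v3 addresses and uses only the standard library.

```python
import base64
import hashlib

ONION_VERSION = b"\x03"  # v3 is the only onion address format current Tor serves

def b32_decode(text: str) -> bytes:
    # Tor writes base32 without '=' padding (the old section strips it with sed);
    # b32decode insists on it, so put it back and accept either case
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))

def onion_checksum(pubkey: bytes) -> bytes:
    # CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
    return hashlib.sha3_256(b".onion checksum" + pubkey + ONION_VERSION).digest()[:2]

def onion_address(pubkey: bytes) -> str:
    # address = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"; 35 bytes give 56 chars
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION
    return base64.b32encode(raw).decode().lower() + ".onion"

def onion_pubkey(address: str) -> bytes:
    # Validate an address (e.g. the hostname rpcd reports) and return its key
    name = address.lower().removesuffix(".onion")
    if len(name) != 56:
        raise ValueError("v3 onion address must be 56 base32 characters")
    raw = b32_decode(name)
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch: address was mistyped or tampered")
    return pubkey

def parse_auth_line(line: str) -> dict:
    # .auth on the router:     descriptor:x25519:<base32 public key>
    # .auth_private on client: <onion name>:descriptor:x25519:<base32 private key>
    parts = line.strip().split(":")
    if len(parts) == 3:
        parts.insert(0, None)  # server-side .auth carries no onion name
    if len(parts) != 4 or parts[1:3] != ["descriptor", "x25519"]:
        raise ValueError("only [onion:]descriptor:x25519:<key> lines are valid")
    onion, key = parts[0], b32_decode(parts[3])
    if onion is not None:
        onion_pubkey(onion)  # reject a mistyped or tampered onion name early
    if len(key) != 32:
        raise ValueError("x25519 key must decode to 32 bytes")
    return {"onion": onion, "key": key}
```

A mistyped onion name in .auth_private does not produce an error from Tor, the client simply never authenticates, so checking the checksum before installing the file saves a confusing debugging session.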
Last modified: 2023/03/03 07:12 by vgaetera