Tor Hidden Service Howto

Posted on 2020-01-29 by inj4n

Tor is software that establishes a proxy network through which communication is relayed in a manner that makes it difficult to trace. Effectively it hides the relation between client and server in a TCP connection. For example, it hides your computer from the web server you are connecting to and prevents anybody observing your communication on the local network from knowing which web page you are browsing. Another function is to provide “hidden services”, which allow a server endpoint to be offered in the so-called “darknet”, identified by an onion address and invisible in the normal internet.

The Tor-based “darknet” is mostly known for drug web shops and assassination services. Privacy advocates sometimes have a hard time explaining that all these dark machinations are a price to be paid for the really important anonymity needed by whistleblowers and dissidents in their fight for a just world. And in truth, that is the case. But there are also other benign reasons to use and support the Tor network. Here I explain how to be able to connect to your computers wherever they are, while being protected from port scanners.

I am a notorious user of Tor proxy services. Foremost, it protects my communication from nosy local network administrators. I could do that using a proxy service, but that would only exchange the local network for the proxy service and actually would make it even easier to spy on my local connection. I don’t think I have much to hide, but I also think that I don’t have to let strangers peek into a digital equivalent of my bedroom. I can at least make it slightly harder for them to do so while practically sitting beside me.

But there is another reason why a Tor proxy should be in every computer’s basic setup. If you only add two lines to your Tor configuration, you can acquire a “darknet” address and redirect it to an address and port of your choosing:

HiddenServiceDir /var/lib/tor/hidden_<service>/
HiddenServicePort <ext_port> <redirect_address>:<redirect_port>

What is happening here? Essentially you create a unique onion address locally, and your local Tor proxy registers this address anonymously through the Tor network with the Tor hidden-service directory system. Everything that now connects to your onion address on the configured ext_port will be forwarded by your computer to redirect_port on redirect_address, as if your computer itself were establishing the connection. If redirect_address happens to be your local computer, the connection is established with the service running locally on redirect_port; in the simplest setup that is the same port number as ext_port.
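To make the two lines above concrete, here is an added example (not from the original post) that renders the stanza for each local service, checks the port numbers before Tor ever sees them, and gives every service its own HiddenServiceDir, which is what yields a separate onion address per port, as discussed further down. The service names (ssh, sync), the port 8384, the use of 127.0.0.1 as redirect_address and the torrc path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Renders the two-line
# hidden-service stanza from the text for each local service and validates
# the port numbers first. Service names and ports below are assumptions.

# Return 0 if $1 is a TCP port number in 1..65535, 1 otherwise.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Emit one hidden-service stanza.
# $1 = service name (becomes hidden_<service>/ as in the post)
# $2 = ext_port        port clients use on the onion address
# $3 = redirect_address, $4 = redirect_port   where the real service listens
hs_stanza() {
    name=$1; ext=$2; addr=$3; redir=$4
    valid_port "$ext"   || { echo "bad ext_port for $name: $ext" >&2; return 1; }
    valid_port "$redir" || { echo "bad redirect_port for $name: $redir" >&2; return 1; }
    printf 'HiddenServiceDir /var/lib/tor/hidden_%s/\n' "$name"
    printf 'HiddenServicePort %s %s:%s\n' "$ext" "$addr" "$redir"
}

# Full torrc fragment. Each HiddenServiceDir gets its own onion address, so
# someone who finds the SSH address learns nothing about the sync service.
render_torrc() {
    hs_stanza ssh  22   127.0.0.1 22   || return 1
    hs_stanza sync 8384 127.0.0.1 8384 || return 1
}

# Usage (assumed paths): render_torrc >> /etc/tor/torrc, reload tor, then
# read the generated address from /var/lib/tor/hidden_<service>/hostname,
# a file Tor writes into each HiddenServiceDir (owned by the tor user).
render_torrc
```

Tor creates the directory and the key material itself on the next reload; the only inputs you control are the directory name and the port mapping, so validating those is the whole check.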

I use this very commonly to have a backup access to my computers, because one interesting attribute of an onion address is that it stays the same no matter where my computer is connected to the Internet. Thus I am always able to find my computers, whether I leave them in the office for the night, at home for the day or in a hotel room. As long as they are connected to the Internet, I have an address to find them, log in remotely and find out where they are.

One way I am using this is to deal with the dynamic addresses that you normally get with any consumer-grade, dial-up access to the Internet. We’ve all heard that the stock of free IPv4 addresses is running low. IPv6 is only slowly catching up, and at least some Internet providers still find it better to provide only dynamic addresses.

There is also an added bonus to using Tor hidden services. Because the proxy network adds substantial latency to the whole communication, and the onion address space is substantially larger than the IPv4 space, it is much less efficient to scan for open services. Thus far fewer people will find your open ports compared to using a normal static IPv4 address. You are actually somewhat hidden unless someone knows which onion address to look for. You can also use a different onion address for each open port, which means that even if someone finds one of your services, he is still not aware of the other services you might be running.

My basic setup is to run a secure shell server for remote access on my computers; from there I can start any other service remotely. But I have also configured a few other services on a dedicated server that I want to access frequently and which normally have little need for bandwidth or low latency. Most synchronisation tasks are structured that way.
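On the client side, the remote login described above goes through the local Tor SOCKS proxy rather than a direct TCP connection. The following added example (not from the original post) emits an ssh_config Host block that does this via OpenBSD netcat's SOCKS5 client mode, after checking that the target really is an onion address. The alias, the 56-character placeholder address and the default SOCKS port 127.0.0.1:9050 are assumptions; the real address is read from the hostname file in the service's HiddenServiceDir on the server.

```shell
#!/bin/sh
# Added example, not part of the original post: build an ssh_config entry
# that reaches a hidden-service SSH server through the local Tor SOCKS port.
# 127.0.0.1:9050 is Tor's default SocksPort; override with TOR_SOCKS if needed.
TOR_SOCKS=${TOR_SOCKS:-127.0.0.1:9050}

# Return 0 if $1 looks like an onion address: a lowercase base32 label of
# 16 (v2) or 56 (v3) characters followed by ".onion".
valid_onion() {
    label=${1%.onion}
    [ "$label" != "$1" ] || return 1            # ".onion" suffix missing
    case "$label" in
        ''|*[!abcdefghijklmnopqrstuvwxyz234567]*) return 1 ;;
    esac
    [ "${#label}" -eq 16 ] || [ "${#label}" -eq 56 ]
}

# Emit a Host block. $1 = alias, $2 = onion address, $3 = ext_port from torrc.
# The ProxyCommand uses OpenBSD netcat's SOCKS5 client (-X 5 -x proxy), which
# hands the .onion name to Tor for resolution instead of asking local DNS.
ssh_host_stanza() {
    host_alias=$1; onion=$2; port=$3
    valid_onion "$onion" || { echo "not an onion address: $onion" >&2; return 1; }
    printf 'Host %s\n' "$host_alias"
    printf '    HostName %s\n' "$onion"
    printf '    Port %s\n' "$port"
    printf '    ProxyCommand nc -X 5 -x %s %%h %%p\n' "$TOR_SOCKS"
    printf '    StrictHostKeyChecking yes\n'
}

# Constructed placeholder: 56 letters 'a' stand in for a real v3 address,
# which you would copy from /var/lib/tor/hidden_ssh/hostname on the server
# (assumed directory name, following the post's hidden_<service> pattern).
PLACEHOLDER_ONION="$(printf '%056d' 0 | tr '0' 'a').onion"

# Usage: append the output to ~/.ssh/config, then `ssh home` connects over Tor.
ssh_host_stanza home "$PLACEHOLDER_ONION" 22
```

The onion address authenticates the Tor endpoint, but not necessarily the process behind redirect_address, so the SSH host key check stays on: it is what tells you that the service answering on redirect_port is the one you configured.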