You might have heard of the Dark web or the Deep web; the first is just a small part of the latter. The Dark web is made up of darknets: overlay networks within the Internet that can only be accessed with specific software, configurations, or authorization.

These darknets can be small peer-to-peer networks or as large as the I2P Anonymous Network, Freenet and the most popular one, the Tor Project. Here we will focus on the Tor network and how to use it to connect to your home network for remote control.

Why Tor and not a safer choice: WireGuard

If you have a public IP on your router (and you are able to set up port forwarding), I highly encourage the use of WireGuard, a fast, modern and secure VPN tunnel to connect to your home network. It encrypts all traffic and is much faster than what we will experience with the Tor network (it is even faster than alternatives such as OpenVPN and IPsec, without compromising security). With the help of a Dynamic DNS (DDNS) service you can easily connect to your home network even if your IP is dynamic.

On the other hand, you could rent a Virtual Private Server (VPS), connect both your home network and your client devices (e.g. your phone) to the VPS and forward, within the VPS, all the traffic from the client devices to your home network. However, this means paying a monthly fee for the server. If you can afford it, go for it; if not, keep reading.

Tor network

The main reasons to use Tor are user privacy and circumventing censorship and surveillance, achieved by routing every connection through several encrypted layers and relays. For the same reason it is not recommended for uses such as streaming or file sharing: every hop adds latency and the relays are run by volunteers, so throughput is low.

The Tor network is a free, worldwide, volunteer-run overlay network consisting of more than six thousand relays. It can be accessed through the tor software and, most easily, with the Tor Browser. On Android, Orbot is also available from the Play Store or F-Droid.

Tor websites, better known as onion services (formerly hidden services), can only be reached while connected to the Tor network and do not use the usual .com names; they look more like duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion, which is the onion site of DuckDuckGo. You can create your own onion service, which will be reachable only through the Tor network. This is the equivalent of creating a website and exposing it to the normal Internet (by means of a VPS, DDNS, etc.), with the difference that the onion address is derived from the service's own key, so no public IP or port forwarding is needed.

With this in mind, we will create our own onion service and use it to reach our home network via SSH as securely as possible.

OpenWrt and Tor

In this case we will create the onion service on an OpenWrt router. Since OpenWrt is Linux, and Tor is free and open source software, installing it is one of the simplest tasks. I am following the official OpenWrt guide for this.

  1. Update the list of packages: opkg update
  2. Install the needed packages: opkg install tor-hs openssl-util coreutils-base32. This installs Tor together with the OpenSSL and base32 tools needed to create the client authorization keys that secure access to your service.

Create the Onion service in OpenWrt

On the OpenWrt router, edit /etc/config/tor-hs and add the following (or uncomment it):

config hidden-service
    option Name 'sshd'
    option Description "Hidden service for ssh"
    option Enabled 'false'
    option IPv4 '127.0.0.1'
    #public port=2222, local port=22
    list PublicLocalPort '2222;22'

Edit /etc/tor/torrc and add the following (this configuration is enough for what we want to do; you can delete other existing lines):

Log notice syslog
RunAsDaemon 1
User tor
DataDirectory /etc/tor/data/
HiddenServiceDir /etc/tor/hidden_service/
HiddenServicePort 22 127.0.0.1:22

This will set up:

  • Tor log messages at notice level in the OpenWrt system log (readable with logread).
  • RunAsDaemon runs Tor in the background, and User tor drops privileges to the tor user (not root).
  • DataDirectory is where Tor stores its state (consensus, circuit keys, etc.).
  • HiddenServiceDir is the folder of our onion service, where Tor keeps the service keys, the hostname file and the authorized_clients folder. It is named hidden_service here, but you can name it as you please.
  • HiddenServicePort tells Tor which virtual port to expose on the Tor network and where to forward connections arriving on it (syntax: VirtualPort TargetIP:TargetPort). Here we use port 22, the SSH port. Keep the target on 127.0.0.1 so the onion service only ever reaches the router itself; pointing it at a LAN address would expose that host to anyone who can reach the service.

Alternatively, you can have Tor forward to a Unix socket instead of a TCP port on the loopback interface. To do this install socat on the OpenWrt router, create the socket (socat stays in the foreground, so run it in the background or from a startup script) and change its ownership to the tor user:

socat UNIX-LISTEN:/etc/tor/hidden.sock,fork TCP4:127.0.0.1:22 &
sleep 1   # give socat a moment to create the socket file
chown tor /etc/tor/hidden.sock

Then change the HiddenServicePort line in the torrc to:

HiddenServicePort 22 unix:/etc/tor/hidden.sock

Create the folders and hand them to the tor user (Tor refuses to start if the service directory is readable by other users, so restrict it to mode 700):

mkdir -p /etc/tor/data
mkdir -p /etc/tor/hidden_service
chmod 700 /etc/tor/data /etc/tor/hidden_service
chown -R tor:tor /etc/tor

And restart Tor with

/etc/init.d/tor restart

On the first start Tor generates the service keys and writes the address to /etc/tor/hidden_service/hostname. Run /etc/init.d/tor enable as well so the service comes back after a reboot.

Enabling Client Authorization

Since the onion service is reachable by anyone on the Tor network who learns its address, it is convenient to enable client authorization: the service then requires clients to present a credential in order to connect. Concretely, each client holds an x25519 private key and the router stores the matching public key; Tor encrypts the service descriptor so that only holders of an authorized key can decrypt it and build a connection, so a client without a valid key cannot even learn how to reach the service. No valid key, no access.

SSH to the OpenWrt router and create the x25519 key pair that will authorize the client:

openssl genpkey -algorithm x25519 -out /etc/tor/hidden_service.pem

Derive the private key (this one is for the client):

TOR_KEY="$(openssl pkey \
-in /etc/tor/hidden_service.pem -outform der \
| tail -c 32 \
| base32 \
| sed -e "s/=//g")"

Derive the public key (this one will be stored on our router):

TOR_PUB="$(openssl pkey \
-in /etc/tor/hidden_service.pem -outform der -pubout \
| tail -c 32 \
| base32 \
| sed -e "s/=//g")"

Show your onion service address (the address reachable through the Tor network; Tor wrote it to the hostname file when the service first started) and assign it to a variable:

cat /etc/tor/hidden_service/hostname
TOR_HOST="$(cat /etc/tor/hidden_service/hostname)"

Create the private key file (to be stored on your client; it is written to the current directory, so copy it off the router afterwards):

cat << EOF > client.auth_private
${TOR_HOST%.onion}:descriptor:x25519:${TOR_KEY}
EOF

Create the public key file in the authorized_clients folder of the service (on the router). Tor should already have created this folder when the service first started; if not, create it as the tor user. Afterwards restart Tor again (/etc/init.d/tor restart) so it re-reads the folder and publishes a descriptor encrypted to this client:

cat << EOF > /etc/tor/hidden_service/authorized_clients/client.auth
descriptor:x25519:${TOR_PUB}
EOF
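The same key steps collected into reusable functions, as an added example that is not part of the original post: it generates the x25519 pair, derives the two base32 strings the way the commands above do, writes client.auth_private (for the client) and client.auth (for the router), and checks the format Tor expects in both files. It assumes openssl and base32 are installed as on the router; the output directory and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the client-authorization key
# recipe above as functions, plus a format check of the resulting files.
# Assumes openssl (openssl-util) and base32 (coreutils-base32) are installed,
# as on the router. Output directory and file names are assumptions.

# Encode the raw 32-byte x25519 key from a PEM file as unpadded base32,
# which is the encoding Tor expects in the auth files.
# $1 = PEM file, $2 = "private" or "public"
tor_x25519_b32() {
    if [ "$2" = "public" ]; then
        openssl pkey -in "$1" -outform der -pubout
    else
        openssl pkey -in "$1" -outform der
    fi | tail -c 32 | base32 | tr -d '='
}

# Generate a fresh key pair and write both auth files into $2.
# $1 = onion hostname, with or without the .onion suffix
tor_make_client_auth() {
    host=${1%.onion}
    out="$2"
    mkdir -p "$out"
    openssl genpkey -algorithm x25519 -out "$out/client.pem"
    priv=$(tor_x25519_b32 "$out/client.pem" private)
    pub=$(tor_x25519_b32 "$out/client.pem" public)
    # client.auth_private goes to the CLIENT (ClientOnionAuthDir or Orbot)
    printf '%s:descriptor:x25519:%s\n' "$host" "$priv" > "$out/client.auth_private"
    # client.auth goes to the ROUTER: <HiddenServiceDir>/authorized_clients/
    printf 'descriptor:x25519:%s\n' "$pub" > "$out/client.auth"
    chmod 600 "$out/client.pem" "$out/client.auth_private"
}

# Format checks. A v3 onion address is 56 base32 chars (a-z, 2-7) and a raw
# x25519 key is 32 bytes, i.e. 52 base32 chars once padding is stripped.
tor_check_auth_private() {
    grep -Eq '^[a-z2-7]{56}:descriptor:x25519:[A-Z2-7]{52}$' "$1"
}
tor_check_auth_public() {
    grep -Eq '^descriptor:x25519:[A-Z2-7]{52}$' "$1"
}
```

On the router, tor_make_client_auth "$(cat /etc/tor/hidden_service/hostname)" /tmp/auth produces the two files; move /tmp/auth/client.auth into the authorized_clients folder, copy client.auth_private to the client, and delete /tmp/auth from the router. Run the two check functions on any file before installing it: a wrong length usually means the base32 step was run on the PEM text instead of the DER bytes.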

Configure access key on Client

Here we have three options:

  1. Tor software on a Linux machine
    You might need to be root. Add the following to the Tor configuration file /etc/tor/torrc; it points to the directory where you will store your private authentication keys:

    ClientOnionAuthDir /etc/tor/onion_auth

    Create the folder:

    mkdir /etc/tor/onion_auth

    Then simply copy the client.auth_private file into /etc/tor/onion_auth, make sure the user Tor runs as can read the directory and the file (on Debian-based systems that user is debian-tor), and restart Tor so it loads the credential.

  2. Tor Browser
    When trying to connect to the site, the browser will ask you for the key. Just paste it: if you open client.auth_private you will see the key at the end, which is our TOR_KEY; it looks something like BBBEAUAO3PIFAH7SBGBI6A2QFAZBXG2NVN7HMBXFCZENJVF6C5AQ
  3. Orbot
    Tor Browser on Android is not able to connect to an onion service with client authorization, but Orbot can. Enable this in the app by going to ⋮ -> Onion Services -> Client Authorization -> + and adding the onion service address and the TOR_KEY

At this point you will be able to reach the onion service, but you cannot do anything useful with it from a browser yet: the service only exposes port 22, which is the SSH port, so Tor Browser will report a refused connection.

OpenWrt and SSH

By this point you are probably familiar with how to SSH into your OpenWrt router and have already set a password. We could SSH to the onion service using password authentication, but for more security we will disable that and allow only key authentication.

Create the SSH Key on client

Since I am planning to access it from my Android phone, these are the steps I performed. They are reproducible on a Linux machine by skipping the Termux install.

On Android install Termux from F-Droid, open it and install OpenSSH:

pkg upgrade
pkg install openssh

Create the SSH key with the following command (we use the Ed25519 algorithm, which gives small keys without compromising security, and add a comment with the -C "..." option). Setting a passphrase when prompted is optional but recommended, since the private key lives on the phone:

ssh-keygen -t ed25519 -C "$(whoami)@$(uname -n)-$(date -I)"

A file ~/.ssh/id_ed25519.pub will be created on the phone. Send this key to the OpenWrt router and append it to Dropbear's authorized_keys file so it persists:

ssh-copy-id -i ~/.ssh/id_ed25519.pub root@192.168.1.1   # 192.168.1.1 is the gateway of your OpenWrt router, change it if yours is different
ssh root@192.168.1.1 "tee -a /etc/dropbear/authorized_keys" < ~/.ssh/id_ed25519.pub

Or print the key on screen, copy it, paste it into LuCI under System -> Administration -> SSH-Keys and click Add key:

cat ~/.ssh/id_ed25519.pub

Disable SSH password authentication on OpenWrt

This is as simple as logging in to LuCI, going to System -> Administration -> SSH Access, selecting Unspecified under Interface and unchecking Password authentication and Allow root logins with password. Do this only after you have verified that key-based login already works from your phone; otherwise you lock yourself out of SSH.

Or from a terminal, ssh to the router (you will still be asked for the password if one is set) and run

uci set dropbear.@dropbear[0].PasswordAuth="0"
uci set dropbear.@dropbear[0].RootPasswordAuth="0"
uci commit dropbear
/etc/init.d/dropbear restart

et voilà, test it by connecting to the router from Termux on your phone by running

ssh root@192.168.1.1

This time you will not be asked for a password but will be logged in automatically, and if you or anyone else attempts to log in without the authorized key (e.g. from another PC or phone), the connection will be refused.

SSH to router from the Tor network

Finally, we have Tor running on our router and it is serving our onion service. We just need to connect to the Tor network from our phone and then ssh to the onion service.
Again, check that you have already added the client private key (the TOR_KEY value) to Orbot, or you will not be able to reach the service. Then start Orbot in VPN mode, open Termux and run

ssh root@your-onion-address.onion   # the address from /etc/tor/hidden_service/hostname

You should now be logged into the OpenWrt router and can control the services running on it or ssh to another server inside your home network.

Tunnel ports

You may want to reach services running on specific ports of the router (like the LuCI web interface). Forward them through the SSH connection:

ssh root@your-onion-address.onion -L 99:127.0.0.1:80

This tunnels the router's port 80 (the LuCI web interface) to 127.0.0.1:99 on the phone, which you can open in a browser. You can tunnel as many ports as you want: -L 99:127.0.0.1:80 -L 100:127.0.0.1:81 ... Open Firefox, go to http://127.0.0.1:99 and see the result. If ssh reports "bind: Permission denied" for the local port, pick one above 1023: ports below 1024 require root on Linux and Android.

I use this to remotely access the WebUI-Aria2 interface to load torrents from my phone, so they are downloaded while I am not at home and available when I arrive. I also use it to wake-on-LAN my Plex server, etc.

Final thoughts

  1. Jesus f*kin' Christ, it took me a week to figure out how to set up the Onion service with client authentication correctly, and once I had set it up I was like "Dude, it's not even that hard". But I was struggling because I was reading tutorials for setting up a v2 Onion service and mixing information with the new v3 Onion service.
  2. Once you have set everything up you have two independent key-based authentication layers:

    1. Tor client authorization (x25519 keys) and
    2. SSH public key authentication (ed25519 keys)

    This security level should be enough

  3. Expect response delays; the Tor network is a bit slow.
  4. Again, if you have a public IP and/or are able to set up port forwarding, I encourage you to set up a WireGuard connection (+ a free DDNS). It will be faster than this Tor solution and just as secure.
  5. I don't think you should be afraid of using Tor, despite the bad reputation the media gave it after the Silk Road scandal. Tor is a great tool to circumvent censorship and stay anonymous, but as happens with many great developments, some people will use it for bad purposes. The Tor network is not bad; people are bad.
  6. You are more likely to be hacked by a phishing attack during normal Internet usage than through the Tor network.
  7. Also, you might take a look at the OnionShare tool. It is very nice.
  8. The onion service will use around 600-700 MB per month to keep the necessary circuits open while idle. Keep this in mind if you have a metered connection.