Tor a hidden friend to SSH your home network

If you have a public IP on your router (and you are able to set Port forwarding), I highly encourage the use of WireGuard which is a fast, modern and secure VPN tunnel to connect to your home network. It encrypts all data and is faster than we will experience with the Tor network (and it is even faster than other alternatives such as OpenVPN and IPSec, without compromising security). And with the help of a Dynamic DNS (DDNS) you could easily connect to your home network even if you have a dynamic IP.

On the other hand, you could rent a Virtual private server (VPS), connect both your home network and client devices (e.g. your phone) to the VPS and forward, within the VPS, all the traffic from the client devices to your home network. However, this implies that you have to pay monthly fee for the rent. If you can afford it, go for it, if not keep reading.

The main reason to use of tor is user privacy, circumvent censorship and surveillance by means of encryption and layers. Therefore, it is not recommended to be implemented for other uses such as streaming, file sharing and more, due to slow speed performance (because the relays, multiple ips, blah blah).

The Tor network is a free, worldwide, volunteer overlay network, consisting of more than six thousand relays and can be accessed through the tor software and easily with the Tor browser. On android it is also available Orbot from the playstore or F-droid.

Tor websites, better known as: onion services or hidden services, can only be accessed when connected to the tor network and are not the usual .com sites, but more like duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion which is the onion site for DuckDuckGo. You can create your own onion/hidden service which will be available only through the tor network. This can be the equivalent as creating a website and then expose it to the normal internet (by the means of a VPS, DDNS, etc).

With this in mind, we will create our own onion service and we will use it to access our home network via SSH as secure as possible.

In this case we will create the onion service in a OpenWrt router and since OpenWrt is Linux, and Linux is free and open source, installing a free software like Tor is one of the simplest task. I am using the OpenWrt official guide for this matter.

1. Update the list of packages: opkg update
2. Install the needed packages: opkg install tor-hs openssl-util coreutils-base32. This will install tor and required libraries with ssl to create the authorization keys to secure access to your site.

In the OpenWrt router edit the /etc/config/tor-hs file and add the following (or uncomment it):

config hidden-service
    option Name 'sshd'
    option Description "Hidden service for ssh"
    option Enabled 'false'
    option IPv4 '127.0.0.1'
    #public port=2222, local port=22
    list PublicLocalPort '2222;22'

Edit the /etc/tor/torrc and add the following (this configuration is enough for what we want to do, you can delete other existing configurations):

Log notice syslog
RunAsDaemon 1
User tor
DataDirectory /etc/tor/data/
HiddenServiceDir /etc/tor/hidden_service/
HiddenServicePort 22 127.0.0.1:22

This will enable:

• Tor notifications on the system log of OpenWrt
• User tor tells that tor user is in charge of tor related tasks (and not the root user).
• DataDirectory will store Tor required data.
• HiddenServiceDir is the folder of our Onion service. Named here as hidden_service, but you can name the folder as you please.
• HiddenServicePort will the Tor which port to expose to the Tor network and will redirect traffic to the internal port of the router (syntax: ExposedPort LocalIP:InternalPort). We are using here port 22 which is used for SSH connections.

Alternatively you could use a socket to avoid exposing things on your server that are restricted to the local machine. To do this you need to install socat in the OpenWrt router, create the socket and change ownership to tor user

1
2

socat UNIX-LISTEN:/etc/tor/hidden.sock,fork TCP4:127.0.0.1:22
chown tor /etc/tor/hidden.sock

Then change the HiddenServicePort line to HiddenServicePort 22 unix:/etc/tor/hidden.sock in the torrc

Create the folders and change user permissions

1
2
3
4

mkdir /etc/tor/data/
mkdir /etc/tor/hidden_service
chown -R tor:tor /etc/tor/hidden_service
chown -R tor /etc/tor

And restart tor with

1

/etc/init.d/tor restart

1

openssl genpkey -algorithm x25519 -out /etc/tor/hidden_service.pem

1
2
3
4
5

TOR_KEY="$(openssl pkey \
-in /etc/tor/hidden_service.pem -outform der \
| tail -c 32 \
| base32 \
| sed -e "s/=//g")"

1
2
3
4
5

TOR_PUB="$(openssl pkey \
-in /etc/tor/hidden_service.pem -outform der -pubout \
| tail -c 32 \
| base32 \
| sed -e "s/=//g")"

1
2

cat /etc/tor/hidden_service/hostname
TOR_HOST="$(cat /etc/tor/hidden_service/hostname)"

1
2
3

cat << EOF > client.auth_private
${TOR_HOST%.onion}:descriptor:x25519:${TOR_KEY}
EOF

1
2
3

cat << EOF > /etc/tor/hidden_service/authorized_clients/client.auth
descriptor:x25519:${TOR_PUB}
EOF

By this point you might be familiar with how to SSH to your OpenWrt router and have already set a password to access. We could easily SSH connect to the Onion service using password authentication, but for more security we will disable this and configure it to just allow key authentication.

1
2

pkg upgrade
pkg install openssh

1

ssh-keygen -t ed25519 -C "$(whoami)@$(uname -n)-$(date -I)"

1
2

ssh-copy-id -i .ssh/id_ed25519.pub root@192.168.1.1 #192.168.1.1 is the gateway of yout OpenWrt router, change it if yours is different
ssh root@192.168.1.1 "tee -a /etc/dropbear/authorized_keys" < ~/.ssh/id_rsa.pub

1

cat .ssh/id_ed25519.pub

1
2
3
4

uci set dropbear.@dropbear[0].PasswordAuth="0"
uci set dropbear.@dropbear[0].RootPasswordAuth="0"
uci commit dropbear
/etc/init.d/dropbear restart

1

ssh root@192.168.1.1

Finally, we have Tor running in our router and it is running our Onion service. We just need to connect to the Tor network with our phone and then ssh to the Onion service.
Again, check that you have already set the Client Public Key in Orbot or you will not be able to reach the site. Then just run Orbot in VPN mode, open Termux and from Termux run

1

ssh root@"Your onion service/host.onion"

You should now be logged into the OpenWrt router and now you can control the services running on the router or ssh to another server inside your home network.

1

ssh root@"Your onion service/host.onion" -L 99:127.0.0.1:80

1. Jesus f*kin' Christ, it took me a week to figure out how to set correctly the Onion service with Client authentication and once I set it I was like "Dude, it's not even that hard". But I was struggling due to I was reading tutorials for setting a v2 Onion service and mixing information with the new v3 Onion service.

2. Once you set everything you have two key authentication factors:

   1. From Tor service with Client authentication (with x25519 algorithm) and
   2. From the SSH public key authentication (with ed25519 algorithm)

   This security level should be enough

3. Expect response delays, you should be aware that Tor network is a bit slow.
4. Again, if you have a public IP and/or are able to perform port forwarding, I encourage you to set a WireGuard connection (+ a free DDNS). This will be faster and secure than this Tor solution.
5. I don't think you should be afraid of using Tor, despite the bad reputation that media gave it after the Silk Road scandal. Tor is a great implementation to circumvent censorship and stay anonymous, but as it happens with many great developments, people will use it for bad practices. Tor network is not bad, people is bad.
6. You are most likely to be hacked by a phishing attack on normal internet usage than in the Tor network.
7. Also, you might take a look to OnionShare tool. It is very nice.
8. The Onion service will use around 600-700 MB per month to keep the necessary circuits open on idle. Keep in mind this if you have a metered connection.

If you found this content useful, please support me:
BTC: 1E2YjL6ysiPxRF4AEdXChpzpesRuyzgE1y