From 31eb4376ebbdfe231161755e68321df2b6469d7e Mon Sep 17 00:00:00 2001 From: openoms Date: Mon, 8 Mar 2021 11:50:39 +0000 Subject: [PATCH] add Tor-to-IP tunnel service for HTTP --- tor2IP_tunnel_80.md | 96 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 96 insertions(+) create mode 100644 tor2IP_tunnel_80.md diff --git a/tor2IP_tunnel_80.md b/tor2IP_tunnel_80.md new file mode 100644 index 0000000..b484a63 --- /dev/null +++ b/tor2IP_tunnel_80.md @@ -0,0 +1,96 @@ +# Tor-to-IP tunnel service for HTTP + +Use the public IP address of a Virtual Private Server (VPS) to make Tor Hidden Services reachable on the clearnet. + +## Advantages: +* hides the IP of the host from the public and from the VPS +* no port forwarding needed on the LAN of the host +* additional encryption by Tor between the host and the VPS + +## Requirements: +* SSH access to a Virtual Private Server (VPS) - eg. a minimal package on Lunanode for ~3.5$/month + * Example Lightning Payable VPS services: + * [host4coins.net](https://host4coins.net) + * [bitclouds.sh](https://bitclouds.sh/) or [lntxbot](https://t.me/lntxbot) `/bitclouds` +* Note that only the root user can forward to ports below 1000. +* Tor should not be the only encryption layer of the service as the traffic exposed on the VPS is meant to be for the `localhost` +* Always check the terms and rules of the VPS provider to avoid bans and don't do anything causing them trouble to keep these services going. + +## On the VPS + +* Login with ssh to the `root` user + `ssh root@VPS_IP_ADDRESS` +* Install `tor` (leave on default settings) and `socat` +`# apt install tor socat` + +### Set up a systemd service + +* make a separate process for every connected Hidden Service to avoid restarting every connection when a service added or removed. +Suggestion for naming the service is to put the VPS_PORT used on the VPS into the name: `tor2ip` + +* create the service file: +`# nano /etc/systemd/system/tor2ip80.service` + * Paste the following and fill in: + * the `VPS_PORT` you want to use (facing the public) - in this example: 80. + * the `TOR_HIDDEN_SERVICE_ADDRESS.onion` + * generate the address with: + * `config.scripts/internet.hidden.service.sh HTTPS 80 80` + * this will expose the local port `80` on the `.onion:80` + * The `TOR_PORT` the Hidden Service is using - in this example: 80 + + ``` + [Unit] + Description=Tor2IP Tunnel Service + After=network.target + + [Service] + User=root + Group=root + ExecStart=/usr/bin/socat TCP4-LISTEN:80,bind=0.0.0.0,fork SOCKS4A:localhost:TOR_HIDDEN_SERVICE_ADDRESS.onion:80,socksport=9050 + StandardOutput=journal + + [Install] + WantedBy=multi-user.target + ``` +* Enable and start the service: +`# systemctl enable tor2ip80` +`# systemctl start tor2ip80` + +Setting up this Tor-to-IP tunnel service is now complete. You can carry on adding other services using different ports on the VPS. +You should be able access the ports/services of the host computer through: VPS_IP_ADDRESS:VPS_PORT. +To connect to the HTTP website served from the node in the example: + `http://VPS_IP_ADDRESS` + +## Monitoring on the VPS + +* To check if tunnel is active on the VPS: +`# netstat -tulpn` + + * Look for the lines: + ``` + Active Internet connections (only servers) + Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name + + tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 13684/socat + ``` + +* Monitor the service with: +`# systemctl status tor2ip80` +``` +● tor2ip80.service - Tor2IP Tunnel Service + Loaded: loaded (/etc/systemd/system/tor2ip80.service; enabled; vendor preset: enabled) + Active: active (running) since Sun 2020-04-05 14:58:43 BST; 2min 23s ago + Main PID: 13684 (socat) + Tasks: 1 (limit: 1078) + Memory: 540.0K + CGroup: /system.slice/tor2ip80.service + └─13684 /usr/bin/socat TCP4-LISTEN:80,bind=0.0.0.0,fork SOCKS4A:localhost:TOR_HIDDEN_SERVICE_ADDRESS.onion:80,socksport=9050 + +Apr 05 14:58:43 VPS_hostname systemd[1]: Started Tor2IP Tunnel Service. +``` + +## Resources + +* `socat` manpage: +* Thanks to [@emzy](https://twitter.com/emzy) for the original `socat` syntax. +* Produced at the [#LightningHackSprint](https://wiki.fulmo.org/index.php?title=Lightning_HackSprint).