> Set Up Stealth Hidden Services on Tor

So Cats Eat Onions
Allows one to connect to onion services on local unit as though they are hosted locally.

Onion addresses can be used for non-nefarious purposes, such as having indirect access to your machine across any network topology connected to the Internet regardless of network configurations such as NAT/Firewalls, provided they don't block access to tor. It is eqivalent to having a DNS entry that works practically anywhere without needing to know an IP or perform a DNS lookup.

The privacy / anonymity features of tor hidden services are inherited, provided there are proper configurations for server and client software.

Tor hidden services do encounter a bit of network latency due to being routed over pseudorandom pathways. Nevertheless one can use them to operate VNC, execute commands via ssh, run and connect to IRC networks, sshfs mounts, and more.

Requires screen, socat, sudo, tor, psmisc
i.e. on Debian/Ubuntu
sudo apt-get install screen socat sudo tor psmisc
Example uses ssh port. You can direct any service through this means
Have to be root while editing all these things.
i.e. sudo su root

You will have to configure unit for hosting and unit for connecting to tor hidden services. There are two parts to this.


Now to configure the onion:
Add lines to /etc/tor/torrc in area where hidden services are specified:
#replace [/var/lib/tor/hidden_site] with wherever you want to store hostname/private key for your .onion address
#i.e. HiddenServiceDir /var/lib/tor/hidden_site/
#replace [port] with the port we specified in earlier configurations
#i.e. HiddenServicePort 4321
#the 22 will be the standard port for external ssh via the onion and the
#is the ssh port
HiddenServiceDir [/var/lib/tor/hidden_site/]
HiddenServicePort [onionport][port]

Now to restart tor

/etc/init.d/tor stop
/etc/init.d/tor start

After having completed editing /etc/tor/torrc + starting and stopping tor, we will need to get the onion site's newly generated hostname

#cat [/var/lib/tor/hidden_site/hostname]
#i.e. cat /var/lib/tor/hidden_site/hostname

You will need this onion address in the configuration of the unit connecting to the tor hidden service.

There may be issues with restarting tor via /etc/init.d/tor restart that causes it to fail.
We create a script to fix this issue so that you can have a successful connect after restarting tor.
screen -d -m /etc/init.d/tor stop;
screen -d -m /etc/init.d/tor start;

chmod +x /root/

In order to have access to the hidden service this command needs to be executed on the client machine:

The following command prevents outside people on WAN from connecting to your hidden service with the range directive. If you want to direct your hidden service to be connected to over WAN on the client machine, remove the fork,range= from the command.

sudo screen -d -m sudo socat TCP-LISTEN:[localport],fork,range= SOCKS4A:localhost:oniononiononiono.onion:[onionport],socksport=[tor port, typically 9050]

So if you have an ssh server running on onionport 12345 and want to connect on local machine via port 54321

sudo screen -d -m sudo socat TCP-LISTEN:54321,fork,range= SOCKS4A:localhost:oniononiononiono.onion:12345,socksport=9050

ssh -l username -p 54321 localhost

You can make it so the onion is not public except if a key is entered into a setting in client torrc file, and also keep it off of the hidden service directory listings.

This option will create a totally new onion, so back up if you have an onion you want to save by moving the directory.

You will enter it after HiddenServicedir and HiddenServicePort directives in the torrc for the hidden service server.

#HiddenServiceAuthorizeClient auth-type client-name,client-name,…
#    If configured, the hidden service is accessible for authorized clients only. The auth-type can #either be 'basic' for a general-purpose authorization protocol or 'stealth' for a less scalable #protocol that also hides service activity from unauthorized clients. Only clients that are listed #here are authorized to access the hidden service. Valid client names are 1 to 16 characters long #and only use characters in A-Za-z0-9+-_ (no spaces). If this option is set, the hidden service is #not accessible for clients without authorization any more. Generated authorization data can be #found in the hostname file. Clients need to put this authorization data in their configuration #file using HidServAuth.

#i.e. HiddenServiceAuthorizeClient stealth aaaaaaaaaaaaaaaa
#Place this line after your HiddenServiceDir and HiddenService Port
#Replace aaaaaaaaaaaaaaaa with any string of letters/capital letters/digits/+ or - sign random as possible

/etc/init.d/tor start
/etc/init.d/tor stop
cat [/var/lib/tor/hidden_site/hostname #your hidden service dir without brackets
oniononiononiono.onion zzzzzzzzzzzzzzzzzzzzzz # client: aaaaaaaaaaaaaaaa
Copy and paste the first two strings after an HidServAuth directive on the client machine's /etc/tor/torrc.

HidServAuth oniononiononiono.onion zzzzzzzzzzzzzzzzzzzzzz

Continued in client configurations.



Make sure you have added the line
HidServAuth oniononiononiono.onion zzzzzzzzzzzzzzzzzzzzzz
(with the oniononiononiono.onion and zzzzzzzzzzzzzzzzzzzzzz being the tokens that were produced as output in the hostname file for the service on the server when tor was restarted)
to the /etc/tor/torrc file on the client that will be connecting to the hidden service on the server computer that we just configured.

The following will allow continual connection to the hidden service from only the client machine at boot time via the client's local ports.

#This script's stop functionality will kill ALL socat connections.
# Provides:          tcon
# Required-Start:   
# Required-Stop:    
# Default-Start:     3 4 5
# Default-Stop:     
# Short-Description: Start daemon at boot time
# Description:       Enable service provided by daemon.

#! /bin/sh


     su root -c /root/
     killall socat

case "$1" in
    echo "Starting $DESC $NAME"
        echo "Stopping $DESC $NAME"
        #echo "Stopping $DESC $NAME"
        #echo "Starting $DESC $NAME"
        echo "Usage: $SCRIPTNAME {start|stop|restart}"

As root:
chmod +x /etc/init.d/tcon
update-rc.d tcon defaults

sudo screen -d -m sudo socat TCP-LISTEN:[localport],fork,range= SOCKS4A:localhost:oniononiononiono.onion:[onionport],socksport=[tor port, typically 9050]
(the range= acts as a firewall to protect from connections other than the local client computer to the hidden service)
(you can add as many lines as you like to the sh file to create local only ports to connect to your onion site services.)
chmod +x /root/

/etc/init.d/tcon start

Somtimes tcon will not start on some distributions even after being put into the init system, it will not load.

The solution is to run the command in rc.local at boot. This way it guarantees the load. Even after loading the script twice, it will not create any problems or run any more socat commands than if run once. Better to be safe than 'sorry' if you depend on this to load at boot.
#put before exit statements in rc.local

If you are running ssh over onion, try this:

/etc/init.d/tcon stop
/etc/init.d/tcon start
ssh -l [user of tor hidden service server] -p[localport] localhost

Should connect you to the unit you configured to work over tor stealth hidden services.