If for some reason you need to share a file anonymously, this can be done
through Tor using the port net/onionshare. Onionshare will start a web server
displaying a unique page with a list of shared files and a Download Files
button leading to a zip file.
While waiting for a download, onionshare will display HTTP logs. By default,
onionshare will exit upon successful download of the files, but this can be
changed with the flag --stay-open.
Its usage is very simple: execute onionshare with the list of files to
share, as in the following example:
solene@computer ~ $ onionshare Epictetus-The_Enchiridion.txt
Onionshare 1.3 | https://onionshare.org/
Connecting to the Tor network: 100% - Done
Configuring onion service on port 17616.
Starting ephemeral Tor onion service and awaiting publication
Settings saved to /home/solene/.config/onionshare/onionshare.json
Preparing files to share.
* Running on http://127.0.0.1:17616/ (Press CTRL+C to quit)
Give this address to the person you're sending the file to:
http://3ngjewzijwb4znjf.onion/hybrid-marbled
Press Ctrl-C to stop server
Now, I need to give the address http://3ngjewzijwb4znjf.onion/hybrid-marbled
to the receiver who will need a web browser with Tor to download it.
This article is about a software named onioncat, which is available as a
package on most Unix and Linux systems. It allows creating an IPv6 VPN over
Tor, with no restrictions on network usage.
First, we need to install onioncat, on OpenBSD:
$ doas pkg_add onioncat
Run a tor hidden service, as explained in one of my previous articles, and get
the hostname value. If you run multiple hidden services, pick one hostname.
# cat /var/tor/ssh_hidden_service/hostname
g6adq2w15j1eakzr.onion
Now that we have the hostname, we just need to run ocat.
# ocat g6adq2w15j1eakzr.onion
If everything works as expected, a tun interface will be created, with a
fe80:: IPv6 address and a fd87:: address assigned to it.
Your system is now reachable, via Tor, through its IPv6 address starting with
fd87::. It supports every IP protocol. Instead of using the torsocks wrapper
and the .onion hostname, you can use the IPv6 address with any software.
In this fourth Tor article, I will quickly cover how to run a Tor relay; the
Tor project already has a very nice and up-to-date guide for setting up a relay.
Those relays are what make Tor usable: with more relays, Tor gets more bandwidth
and it makes you harder to trace, because that means more traffic to
analyze.
A relay server can be an exit node, which will relay Tor traffic to the
outside. This implies a lot of legal issues; the Tor project foundation offers
to help you if your exit node gets you in trouble.
Remember that being an exit node is optional. Most relays are not exit
nodes. They will either relay traffic between relays, or become a guard,
which is an entry point to the Tor network. The guard gets the request over
the non-Tor network and sends it to the next relay of the user's circuit.
Running a relay requires a lot of CPU (capable of some crypto) and a huge
amount of bandwidth. Running a relay requires at least a bandwidth of 10Mb/s;
this is a minimal requirement. If you have less, you can still run a bridge
with obfs4, but I won't cover it here.
When running a relay, you will be able to set a daily/weekly/monthly traffic
limit, so your relay will stop relaying when it reaches the quota. It's quite
useful if you don't have unmetered bandwidth; you can also limit the bandwidth
allowed to Tor.
To get real-time information about your relay, the software Nyx (net/nyx) is a
top-like front end for Tor which shows Tor CPU usage, bandwidth, connections
and logs in real time.
The awesome Official Tor guide
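As an added example (not from the article or the Tor project), a small sh script that emits a torrc fragment for a non-exit relay with the bandwidth cap and monthly quota described above. The option names are real tor configuration options; the nickname, contact address and numbers are placeholders to replace, and the 1250 KBytes/s minimum is the article's 10Mb/s figure converted.

```shell
#!/bin/sh
# Added example, not from the original article: print a torrc fragment for a
# non-exit (middle/guard) relay with a bandwidth limit and a monthly quota.
# All option names are real torrc options; nickname, contact and the numbers
# passed on the command line are placeholders.

# The article's stated minimum for a relay is 10 Mb/s, i.e. 1250 KBytes/s.
MIN_RATE_KB=1250

# rate_is_sufficient RATE_KB: 0 when RATE_KB meets the minimum, 1 otherwise.
rate_is_sufficient() {
    [ "$1" -ge "$MIN_RATE_KB" ]
}

# relay_torrc NICKNAME CONTACT RATE_KB BURST_KB MONTHLY_GB
# Prints the fragment on stdout; refuses rates below the minimum so that
# an under-provisioned host is pointed at an obfs4 bridge instead.
relay_torrc() {
    rate_is_sufficient "$3" || {
        echo "rate $3 KBytes/s is below the $MIN_RATE_KB KBytes/s (10 Mb/s) minimum; consider an obfs4 bridge" >&2
        return 1
    }
    cat <<EOF
# Relay identity shown in the consensus
Nickname $1
ContactInfo $2
# Accept connections from other relays; do not act as a local SOCKS proxy
ORPort 9001
SocksPort 0
# Never relay traffic to the outside: not an exit node
ExitRelay 0
ExitPolicy reject *:*
# Cap the bandwidth Tor may use (sustained and burst)
RelayBandwidthRate $3 KBytes
RelayBandwidthBurst $4 KBytes
# Hibernate once the monthly quota is reached; the period starts on day 1
AccountingMax $5 GBytes
AccountingStart month 1 00:00
EOF
}

# Usage: sh relay_torrc.sh MyRelay 'admin@example.org' 2000 4000 500 \
#   | doas tee -a /etc/tor/torrc && doas rcctl reload tor
# Nothing is printed when the five arguments are missing, so the functions
# can be sourced on their own.
if [ "$#" -eq 5 ]; then
    relay_torrc "$@"
fi
```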
In this third Tor article, we will discover the web browser Tor
Browser.
The Tor Browser is an official Tor project. It is a modified
Firefox, including some default settings changes and some extensions.
The default changes are all related to privacy and anonymity. It has
been made to be easy to browse the Internet through Tor without
leaving behind any information which could help identify you, because
there is much more information than your public IP address which
could be used against you.
It requires the tor daemon to be installed and running, as I covered in my
first Tor article.
Using it is really straightforward.
How to install tor-browser
$ pkg_add tor-browser
How to start tor-browser
$ tor-browser
It will create a ~/TorBrowser-Data folder at launch. You can remove it
as you want, it doesn’t contain anything sensitive but is required for
it to work.
In this second Tor article, I will present an interesting Tor feature
named hidden service. The principle of a hidden service is to
make a network service available from anywhere, with the only
prerequisites that the computer must be powered on, tor must not be
blocked and it has network access.
This service will be available through an address not disclosing
anything about the server's internet provider or its IP; instead, a
hostname ending in .onion will be provided by tor for
connecting. This hidden service will only be accessible through Tor.
There are a few advantages of using hidden services:
- privacy, hostname doesn’t contain any hint
- security, secure access to a remote service not using SSL/TLS
- no need for running some kind of dynamic dns updater
The drawback is that it's quite slow and it only works for TCP
services.
From here, we assume that Tor is installed and working.
Running a hidden service requires modifying the Tor daemon
configuration file, located in /etc/tor/torrc on OpenBSD.
Add the following lines in the configuration file to enable a hidden
service for SSH:
HiddenServiceDir /var/tor/ssh_service
HiddenServicePort 22 127.0.0.1:22
The directory /var/tor/ssh_service will be created. The
directory /var/tor is owned by user _tor and not readable by
other users. The hidden service directory can be named as you want,
but it should be owned by user _tor with restricted
permissions. The Tor daemon will take care of creating the directory with
correct permissions once you reload it.
Now you can reload the tor daemon to make the hidden service
available.
$ doas rcctl reload tor
In the /var/tor/ssh_service directory, two files are created. What
we want is the content of the file hostname which contains the
hostname to reach our hidden service.
$ doas cat /var/tor/ssh_service/hostname
piosdnzecmbijclc.onion
Now, we can use the following command to connect to the hidden service
from anywhere.
$ torsocks ssh piosdnzecmbijclc.onion
In the Tor network, this feature doesn't use an exit node. Hidden services
can be used for various services like http, imap, ssh, gopher etc.
Using a hidden service isn't illegal, nor does it make the computer relay
tor network traffic; as previously, just check if you can use Tor on your
network.
Note: it is possible to have a version 3 .onion address which will
prevent hostname collisions, but this produces very long
hostnames. This can be done like in the following example:
HiddenServiceDir /var/tor/ssh_service
HiddenServicePort 22 127.0.0.1:22
HiddenServiceVersion 3
This will produce a really long hostname like
tgoyfyp023zikceql5njds65ryzvwei5xvzyeubu2i6am5r5uzxfscad.onion
If you want to have both the short and long hostnames, you need to specify
the hidden service twice, with different folders.
Take care: if you run an ssh service on your website and use this
same ssh daemon for the hidden service, the host keys will be the same,
implying that someone could theoretically associate both and know that
this public IP runs this hidden service, breaking anonymity.
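To check your own setup for the host-key overlap described above, here is an added sh script (not part of the article) that scans the public hostname directly and the .onion hostname through torsocks, then reports whether any host key fingerprint is shared. It assumes tor is listening on 127.0.0.1:9050 as set up in the first article, that ssh-keyscan and ssh-keygen are installed, and that torsocks can wrap ssh-keyscan; the hostnames on the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: detect whether the sshd behind
# a hidden service presents the same host key as the sshd on the public
# hostname, which would let an observer link the .onion address to the public IP.
# Assumes tor on 127.0.0.1:9050 and that torsocks can wrap ssh-keyscan.

# fingerprints HOST [WRAPPER]: SHA256 fingerprints of every host key HOST
# offers, one per line and sorted. WRAPPER (e.g. torsocks) is prepended to
# ssh-keyscan so that the .onion hostname is reached through Tor.
fingerprints() {
    $2 ssh-keyscan -T 15 "$1" 2>/dev/null | ssh-keygen -lf - | awk '{print $2}' | sort
}

# shared_fingerprint LIST_A LIST_B: returns 0 when any fingerprint appears in
# both newline-separated lists, 1 when they are disjoint, and 2 when a list is
# empty (the scan failed, so nothing can be concluded).
shared_fingerprint() {
    [ -n "$1" ] && [ -n "$2" ] || return 2
    for _f in $1; do
        if printf '%s\n' "$2" | grep -qxF -- "$_f"; then
            return 0
        fi
    done
    return 1
}

# Usage: sh check_hostkeys.sh ssh.example.org piosdnzecmbijclc.onion
# Nothing runs when the two hostnames are not given, so the functions can be
# sourced on their own.
if [ "$#" -eq 2 ]; then
    pub=$(fingerprints "$1")
    onion=$(fingerprints "$2" torsocks)
    shared_fingerprint "$pub" "$onion"
    case $? in
        0) echo "LINKABLE: $1 and $2 present the same host key; give the hidden service its own sshd with its own host keys" ;;
        1) echo "OK: host keys differ" ;;
        *) echo "scan failed for one of the hosts" >&2; exit 2 ;;
    esac
fi
```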
Tor is a network service that hides your traffic. People
sniffing your network will not be able to know what server you reach,
and people on the remote side (like the administrator of a web
service) will not know where you are from. Tor helps keeping your
anonymity and privacy.
To make it quick, tor makes use of an entry point that you reach
directly, then servers acting as relays not able to decrypt the data
relayed, and up to an exit node which will do the real request for
you; the network response follows the opposite way.
You can find more details on the Tor project homepage.
Installing tor is really easy on OpenBSD. We need to install it
and start its daemon. The daemon will listen by default on localhost
on port 9050. On other systems, it may be quite similar: install the
tor package and enable the daemon if not enabled by default.
# pkg_add tor
# rcctl enable tor
# rcctl start tor
Now, you can use your favorite program, look at the proxy settings and
choose "SOCKS" proxy, v5 if possible (it handles the DNS queries), and
use the default address 127.0.0.1 with port 9050.
If you need to use tor with a program that doesn't support setting a
SOCKS proxy, it's still possible to use torsocks to wrap it, which
will work with most programs. It is very easy to use.
# pkg_add torsocks
$ torsocks ssh remoteserver
This will make ssh go through the tor network.
Using tor won't make you relay anything, and is legal in most
countries. Tor is like a VPN; some countries have laws about VPNs, so check
your country's laws if you plan to use tor. Also, note that using
tor may be forbidden on some networks (companies, schools etc.)
because it allows escaping filtering, which may be against some kind
of usage agreement of the network.
I will cover later the relaying part, which can lead to legal
uncertainty.
Note: as torsocks is a bit of a hack, because it uses LD_PRELOAD to
wrap network system calls, there is a cleaner way to do it with
ssh (or any program supporting a custom command to initialize the
connection) using netcat.
ssh -o ProxyCommand='/usr/bin/nc -X 5 -x 127.0.0.1:9050 %h %p' address.onion
This can be simplified by adding the following lines to your
~/.ssh/config file, in order to automatically use the proxy
command when you connect to a .onion hostname:
Host *.onion
    ProxyCommand /usr/bin/nc -X 5 -x 127.0.0.1:9050 %h %p
This netcat command is tested under OpenBSD; there are different
netcat implementations, and the flags may be different or may not even
exist.