Use the public IP address of a Virtual Private Server (VPS) to make Tor Hidden Services reachable on the clearnet.
- hides the IP of the host from the public and from the VPS
- no port forwarding needed on the LAN of the host
- additional encryption by Tor between the host and the VPS
- SSH access to a Virtual Private Server (VPS) - eg. a minimal package on Lunanode for ~3.5$/month
- Example Lightning Payable VPS services:
- host4coins.net
- bitclouds.sh or lntxbot
/bitclouds
- Example Lightning Payable VPS services:
- Note that only the root user can forward to ports below 1000.
- Tor should not be the only encryption layer of the service as the traffic exposed on the VPS is meant to be for the
localhost
- Always check the terms and rules of the VPS provider to avoid bans and don't do anything causing them trouble to keep these services going.
- Login with ssh to the
root
user
ssh root@VPS_IP_ADDRESS
- Install
tor
(leave on default settings) andsocat
# apt install tor socat
-
make a separate process for every connected Hidden Service to avoid restarting every connection when a service added or removed.
Suggestion for naming the service is to put the VPS_PORT used on the VPS into the name:tor2ip<VPS_PORT>
-
create the service file:
# nano /etc/systemd/system/tor2ip80.service
- Paste the following and fill in:
- the
VPS_PORT
you want to use (facing the public) - in this example: 80. - the
TOR_HIDDEN_SERVICE_ADDRESS.onion
- generate the address with:
config.scripts/internet.hidden.service.sh HTTPS 80 80
- this will expose the local port
80
on the.onion:80
- generate the address with:
- The
TOR_PORT
the Hidden Service is using - in this example: 80
- the
[Unit] Description=Tor2IP Tunnel Service After=network.target [Service] User=root Group=root ExecStart=/usr/bin/socat TCP4-LISTEN:80,bind=0.0.0.0,fork SOCKS4A:localhost:TOR_HIDDEN_SERVICE_ADDRESS.onion:80,socksport=9050 StandardOutput=journal [Install] WantedBy=multi-user.target
- Paste the following and fill in:
-
Enable and start the service:
# systemctl enable tor2ip80
# systemctl start tor2ip80
Setting up this Tor-to-IP tunnel service is now complete. You can carry on adding other services using different ports on the VPS.
You should be able access the ports/services of the host computer through: VPS_IP_ADDRESS:VPS_PORT.
To connect to the HTTP website served from the node in the example:
http://VPS_IP_ADDRESS
-
To check if tunnel is active on the VPS:
# netstat -tulpn
- Look for the lines:
Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 13684/socat
-
Monitor the service with:
# systemctl status tor2ip80
● tor2ip80.service - Tor2IP Tunnel Service
Loaded: loaded (/etc/systemd/system/tor2ip80.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2020-04-05 14:58:43 BST; 2min 23s ago
Main PID: 13684 (socat)
Tasks: 1 (limit: 1078)
Memory: 540.0K
CGroup: /system.slice/tor2ip80.service
└─13684 /usr/bin/socat TCP4-LISTEN:80,bind=0.0.0.0,fork SOCKS4A:localhost:TOR_HIDDEN_SERVICE_ADDRESS.onion:80,socksport=9050
Apr 05 14:58:43 VPS_hostname systemd[1]: Started Tor2IP Tunnel Service.
socat
manpage: https://linux.die.net/man/1/socat- Thanks to @emzy for the original
socat
syntax. - Produced at the #LightningHackSprint.