Creating Onion Services on OpenBSD

OpenBSD is a new beast for me. I’m still learning, experimenting, and trying out new things. Yesterday I was able to create 3 onion services on it quite easily but it takes time to learn the correct order of operations and to learn how to find out why things don’t work when you think they should.

A word about OpenBSD

OpenBSD isn’t friendly to newbies. The developers, users, and management work to make the best and most secure OS that they can. When you work with OpenBSD, it is assumed that you have at least a moderate to advanced amount of Linux or Unix knowledge and experience before starting and that you know how to read documentation, man pages, etc. Don’t bother asking for help unless you’ve done your homework first. Here’s an unedited quote from a recent mailing list post:

> I never read

Please stop wasting our time then.

Setting up Tor

It will become obvious in a minute, but it’s important to set up your Tor onion services first and your web server later. We will be setting up 3 onion services with 3 completely different addresses that have completely different websites associated with them.

First install Tor:

pkg_add tor

Enable the tor service:

rcctl enable tor

Here is my torrc file. It can be a little hard to see, but I enabled separate logging and debugging for Tor when I was working through this. If you don’t, it can be hard to see why something isn’t working. For example, mine kept failing but I couldn’t get a good error as to why until I did this. The reason was because I hand’t actually created the /var/tor/ directories nor set them to the correct permissions. I didn’t see that until I starting watching those logs.

Here is how I set up the configuration for each site. These are the directories that I forgot to create. They contain the public and private keys and the hostname for each onion service.

HiddenServiceDir /var/tor/site1
HiddenServicePort 80 127.0.0.1:8080

HiddenServiceDir /var/tor/site2
HiddenServicePort 80 127.0.0.1:8081

HiddenServiceDir /var/tor/site3
HiddenServicePort 80 127.0.0.1:8082

Each onion service is running internally on port 8080, 8081, or 8082, etc. This is the port that the actual OpenBSD OS will see running. However, tor will be expecting traffic to come in on the standard http port 80. You might be wondering how this works. Tor will be advertising my onion service on port 80. That traffic will come in via tor and get translated to the internal port that the OS will use.

Once I had this running correctly, I finally started tor.

rcctl start tor

Once tor is up an running, check each HiddenServiceDir for the hostname of each onion service. You will need them to test the web server.

Setting up httpd

OpenBSD has it’s own web server that comes with the standard installation called httpd. This is not the same as the Apache httpd that comes with Redhat or Ubuntu. This is a secure minimalist webserver which might actually be ideal for Onion services.

By default, you can’t just start the httpd service and have it running with a default configuration like you can with Apache or Nginx. You actually need to create an /etc/httpd.conf file first. Here is mine.

## Site 1

server "tpsh5cb4zl73pwymkkuopl4roibk4envf6k3ybdcdzuhuztrytsnxxqd.onion" {
listen on * port 8080
root "/htdocs/tpsh5cb4zl73pwymkkuopl4roibk4envf6k3ybdcdzuhuztrytsnxxqd.onion"
}

# Include additional MIME types
types {
include "/usr/share/misc/mime.types"
}

## Site 2

server "ueaireabdst7uqupz5dlrt5vhltgid3wyz4esgwd7buug7nc2absawyd.onion" {
listen on * port 8081
root "/htdocs/ueaireabdst7uqupz5dlrt5vhltgid3wyz4esgwd7buug7nc2absawyd.onion"
}

## Site 3

server "r6udfh5el5bigkpnh7twtsx3j6w6cxmyexlaa23vacqugq7jo6hxlryd.onion" {
listen on * port 8082
root "/htdocs/r6udfh5el5bigkpnh7twtsx3j6w6cxmyexlaa23vacqugq7jo6hxlryd.onion"
}

The first things is the define the name of the url that traffic will be coming in on. I got this from the onion hostname that was generated by tor. Secondly, that hostname needs to be matched with the internal port number that tor will be sending traffic to. Finally you need to tell the web server where to find the actual html that make up that website. I used the complete onion name for that directory. That’s not actually necessary but to me it is helpful. Be careful: although the line of code says “root” it is not the compete directory. htdocs is actually under /var/www/.

You can test your web server’s configuration without actually starting it by running:

httpd -n

Once you get a “configuration OK” status, you can enable and start it

rcctl enable httpd

rcctl start httpd

A really great resource for starting to work with this web server is here. I would suggest waiting 30 seconds or so after starting the web server to check the urls with the Tor Browser or you can check them directly using the internal ports with curl.

Final thoughts:

OpenBSD put security before performance.

OpenBSD believes in strong security. Our aspiration is to be NUMBER ONE in the industry for security (if we are not already there). Our open software development model permits us to take a more uncompromising view towards increased security than most vendors are able to. We can make changes the vendors would not make. Also, since OpenBSD is exported with cryptography, we are able to take cryptographic approaches towards fixing security problems.

Security is not privacy and it is certainly not anonymity and yet these things work well together. This focus makes OpenBSD the right match for those who want to use Tor and why I will always suggest that people avoid Windows or Macs for those who are serious about privacy because they put those platforms put user experience and sales before anything else on top of being closed source.

Posted in Tor

Let’s Talk About Anonymity Online

Let me show you what it looks like from the internet’s point of view when I go to a simple website using a normal Browser (Brave):

111.222.333.444 – – [18/Dec/2019:16:29:05 +0000] “GET / HTTP/1.1” 200 7094 “-” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36”

The 111.222.333.444 would be my IP address. With that, anyone can get a lot of information about. With just a simple google search, you can actually see in the general vicinity where an IP address originates from. For example, the public IP address for Google is 172.217.23.238. You can use services like https://whatismyipaddress.com/ to what company owns an IP and a map to where it is located. In this case, the IP for Google is probably in a datacenter in Kansas. When I look up my personal IP, the website shows a map of Prague and the company that I use for my internet provider.

What does this mean? To any website that I visit and I don’t say who I am, I am anonymous but I am trackable. My IP address and many other things about my computer and my browser give me an unique fingerprint. From the website that I run, if I wanted, I could see a list of every IP address that ever visited, where they come from, what kind of computer they use, what browser they use, what resolution their screen is, and a lot more. A law enforcement or legal organization can easily find out who I am personally by contacting my internet service provider and then I am no longer anonymous at all. Anonymity is a very tenuous concept online. It really isn’t difficult to find out who someone is in real life if you have the means to do so.

Now let’s change gears. You’re probably heard about Tor. I know I’ve written about it a lot here. Tor is a way to make yourself both anonymous and untrackable. Furthermore it makes your true IP address a secret so even law enforcement have a very hard time tracking down someone using it. Your ISP doesn’t know what you do online.

Let’s see what it looks like when visit my website using the Tor Browser:

45.66.35.35 – – [18/Dec/2019:16:49:41 +0000] “GET / HTTP/1.1” 200 7094 “-” “Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0”

The IP address is not mine. It belongs to an exit node which is run by a Tor volunteer. These IP addresses are publicly known and are often banned from many websites (we’ll talk about that later). Even though I am still running Linux, Tor Browser says that I am running Firefox on Windows 10. In fact every Tor Browser user appears to be running Windows 10 and they all have fake IP addresses.

If I do something that people don’t like, the best they could do it to contact and possibly ban the exit node but it is no simple feat to find someone using Tor. It takes a lot of big-government level money and resources to do so and even then it takes a lot of work.

Why is this important? Isn’t the amount of privacy that I have online enough? After all, if I log into Twitter or Reddit, I can create a new account and never tell anyone my real name. I am anonymous aren’t I?

To a point, you are anonymous but only on the most basic level. Again, it takes very little to pinpoint who you are in real life. Do one of these types of people sound like you? This list was written from a specific point of view. The thing that gets me most of all is that there are people in this world and perhaps in your country who are willing to use violence to keep opinions that they don’t like quiet. It is easy to keep quiet and hope not to get caught up. It is difficult to speak what you believe where the consequence could be loss of employment, injury, imprisonment, or even death. Anonymity isn’t cowardice. Sometimes it’s the only safe way to be heard.

Before I finish up, I have to talk about the negatives of anonymity. First and most obvious is that many online companies do not want you to be anonymous. They make money from giving you ads and tracking what you do. Do not be surprised if many website, including Google, stop working when using Tor. They have no reason to allow you to use their services if they can’t make money off of you and every reason to discourage it.

Secondly, bad people also use Tor. Not nearly as many as there are on the open internet, but they are there. Some are criminals. Some are merely trolls. A few do terrible things under the cover of anonymity online. Those are probably the stories that you have heard in the media and not about those who live under repressive regimes.

Not everyone agrees with me, but I believe that anonymity is important and it is crucial for safety online.

Posted in Tor

Onion Services in Windows 10

Notes:

The following is a proof of concept tutorial on how to create a Tor onion service on Windows 10 using Ubuntu in Windows Subsystem for Linux. This has not been security tested by anyone in the Tor project. It is also not exactly the same directions that I would give someone who wants create an onion service in Linux. Namely that WSfL doesn’t use systemd the way it is meant to be used natively. Instead you have to start system daemons using the old SysV method with /etc/init.d/ Also, services do not continue running after the window has been closed. If someone can find a workaround for that, I’ll gladly update this tutorial.

As for Apache and Tor, they seem to be working normally as long as the Ubuntu window is not closed. The default path for the Apache web server is: /var/www/html/index.html. More info on how to build a website with Apache can be found all over the web.

On with the tutorial!

First, open powershell 64-bit as administrator:

Enable Windows Subsystem for Linux and reboot:

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux

After rebooting, go to the Microsoft Store and search for Ubuntu 18.04 LTS

Install the App but beware that you will be forced to sign in with a Microsoft account.

Open the new app. You will be prompted to create a local Linux account. This will not be tied to anything else. It is only for your computer.

Update the packages in Ubuntu to the latest versions:

sudo apt update -y && sudo apt upgrade -y

Install Tor and Apache:

sudo apt install apache2 tor -y

Edit the tor configuration:

sudo nano /etc/tor/torrc

Remove the # signs from before the following lines:

DataDirectory /var/lib/tor
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80

The result should look something like this:

Save by hitting CTRL-x

Start apache and then tor:

sudo /etc/init.d/apache2 start && sudo /etc/init.d/tor start

Get your new .onion site url:

sudo cat /var/lib/tor/hidden_service/hostname

Try your new onion service in Tor Browser!

Posted in Tor

Installing The Tor Browser

We’ll do this in four parts for Windows, Linux, Mac, and Android users.

Windows

  1. Go to: https://www.torproject.org/projects/torbrowser.html.en
  2. Download the latest version for Windows
  3. Run the installer
  4. You will now see a new folder on your Desktop. Open that and run Tor Browser.
  5. Click Connect
  6. Congrats, you are on Tor!
  7. Go to https://check.torproject.org/ in the Tor Browser

Linux

  1. Go to: https://www.torproject.org/projects/torbrowser.html.en
  2. Download the latest version for Linux
  3. Open a command line
  4. Unzip the application. Replace xxxxxx with the current version that you downloaded

tar -xvJf tor-browser-linux64-xxxxxx.tar.xz

  1. You will now see a new folder. Open that and run Tor Browser.

cd tor-browser_en

  1. Run the application

./start-tor-browser.desktop

  1. Click Connect
  2. Congrats, you are on Tor!
  3. Go to https://check.torproject.org/ in the Tor Browser

Mac

  1. Go to: https://www.torproject.org/projects/torbrowser.html.en
  2. Download the latest version for Mac
  3. Run the installer
  4. You will now see a new folder on your Desktop. Open that and run Tor Browser.
  5. Click Connect
  6. Congrats, you are on Tor!
  7. Go to https://check.torproject.org/ in the Tor Browser

Android

  1. Go to the app store and download the following two apps: Orfox and Orbot. Both are from The Tor Project. Orbot is the Tor service. Orfox is the Android implementation of the Tor Browser. There are many “Dark Web” and “Onion” android apps and many of them are bogus and may steal your data or are just scams.
  2. Start Orbot and connect to the Tor network.
  3. Start Orfox
  4. Go to https://check.torproject.org/ in Orfox.

 

 

Posted in Tor

My SSH Trick

10 hours of jetlag and rainy afternoon naps don’t mix. It’s 2 minutes to 2AM here in Provo, UT and I can’t sleep so I’m blogging.

I want to ssh into a machine that doesn’t have any external IP. In the case of my situation at home, I get a 192.168… IP from my ISP because of a shared connection. In other cases, I have VM’s with natted IP’s that also have no direct way in.

I could pay for a VPN service and vpn into these machines, but instead I’m using a free way of doing it. I use Tor.

Here’s how it works, the Tor service reaches out to the Tor network and is listening on port 22 (or whatever port I choose for ssh) for incoming requests. I use “torsocks ssh zzzzzzzzz.onion” from my laptop and I am in. This bypasses the external internet and gives me a pretty secure route from my laptop to my home machine only via Tor.

Here’s how I set it up with OpenSUSE

On your remote or inaccessible server:

$ sudo zypper in tor

This installs the tor service and the torsocks proxy app.

$ sudo vim /etc/tor/torrc

Uncomment the following lines:

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 22 127.0.0.1:22
$sudo systemctl start tor

The service is now started and you should have a new .onion address

$ cat /var/lib/tor/hidden_service/hostname

On your local machine/laptop/etc:

$ sudo zypper in tor
$ sudo systemctl start tor
$ torsocks ssh xxxxxxxxx.onion

This is a cool trick. Of course you can use it on any server/VM/etc even if they do have accessible IP’s. In those cases, I suggest that you close the firewall on port 22 and allow it to be only accessible via Tor. There is no need to have extra ports open to the internet.

Using Tor is a great way to add security to your network communication. In addition to the SSH encryption, the packets have additional encryption due to the nature of how Tor works.

About privacy. You also benefit from the inherent privacy of the Tor network which you might not get if you believe that your ISP, etc is gathering data on it’s users. If they are monitoring packets are that interested, they can probably see that you are using Tor but they can’t see what you are doing or where you are connecting. Is it more or less private that using the Tor Browser? I don’t know. It’s worth looking into. My feeling is that since ssh is low-bandwidth, has no possible extra problems that browsers have such as javascript, vulnerabilities, etc. it probably is as safe or safer.

Anyway, I hope this helps people out if you’re like me and have to make do with an ISP that makes using the web just a little harder.

One last thing. Tor is more laggy than a straight connection. You’re not doing anything wrong, it’s just a side-effect of how this all works.