
Non Anonymous Onion Encryption and NAT Traversal

From Whonix


Warning: Not anonymous!

Documentation for this entry is incomplete. Contributions are happily considered!

Introduction

It is possible to run an onion service on a server with a single Tor hop (one Tor relay instead of three) by setting the Tor configuration options HiddenServiceNonAnonymousMode 1 and HiddenServiceSingleHopMode 1. This is not anonymous, but it is faster. The server should use Onion Services Authentication. The advantage of this is a server which is:

  • reachable (for users having access to Tor) behind common NAT routers, i.e. it provides NAT traversal.
  • capable of securing inherently insecure protocols (such as VNC) with the encryption and authentication provided by Tor Onion Services.

Independently, if clients prefer speed over anonymity, they can configure Tor in Tor2web mode, which means outgoing Tor circuits will have a length of one hop rather than three.

These two options combined reduce a 6 hop Tor connection to a 2 hop Tor connection. It is not anonymous, but it still provides NAT traversal as well as onion encryption and authentication.

Forum discussion: https://forums.whonix.org/t/should-we-use-hiddenservicesinglehopmode-for-whonix-org-server

Server Side

Open /usr/local/etc/torrc.d/50_user.conf.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Gateway ™ ProxyVM (commonly named sys-whonix) → Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start Menu → Applications → Settings → /usr/local/etc/torrc.d/50_user.conf

If you are using a terminal-only Whonix-Gateway ™, complete the following steps.

sudo nano /usr/local/etc/torrc.d/50_user.conf

Add the following.

HiddenServiceNonAnonymousMode 1
HiddenServiceSingleHopMode 1
## A non-anonymous Tor must not also be used as a client: Tor refuses to start
## if a client port (SocksPort, TransPort, NATDPort, DNSPort) is left open.
SocksPort 0

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 22 127.0.0.1:22
HiddenServicePort 5900 127.0.0.1:5900
HiddenServiceVersion 3
## syntax:
## HiddenServiceAuthorizeClient auth-type client-name,client-name,…
## The auth-type can either be 'basic' for a general-purpose authorization protocol or 'stealth' for a less scalable protocol that also hides service activity from unauthorized clients.
## Valid client names are 1 to 16 characters long and only use characters in A-Za-z0-9+-_ (no spaces).
## Note: HiddenServiceAuthorizeClient is a version 2 option and does not apply to a
## HiddenServiceVersion 3 service; version 3 client authorization is configured with
## key files in <HiddenServiceDir>/authorized_clients/ instead.
HiddenServiceAuthorizeClient stealth 1234567890123456

Save and exit.
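The constraints this configuration relies on can be checked mechanically before Tor is restarted. The following Python script is an added example, not code from the Whonix page or from the Tor project: `check_torrc` parses a torrc fragment and reports the mistakes that would stop Tor from starting (the single-hop and non-anonymous options set without each other, a client port left open) or leave the service without client authorization, including the mismatch between HiddenServiceAuthorizeClient and a version 3 service. The embedded sample is the configuration above; the option names are real Tor options, the findings text and the function names are this script's own.

```python
"""Consistency check for a torrc that sets up a non-anonymous single-hop onion service.

Added example, not code from the Whonix page or from the Tor project. It encodes
the constraints the configuration above depends on and reports the mistakes that
would stop Tor from starting or leave the service open to anyone who learns its
address. Tor option names are real; the findings text is this script's own.
"""
import re

# These two look like per-service options but apply to the whole daemon.
GLOBAL_HS_OPTIONS = {"HiddenServiceNonAnonymousMode", "HiddenServiceSingleHopMode"}
# Client listeners; a non-anonymous Tor must not double as a client (SocksPort defaults to 9050).
CLIENT_PORTS = ("SocksPort", "TransPort", "NATDPort", "DNSPort", "HTTPTunnelPort")
# Client-name rule from the torrc comment above: 1-16 characters of A-Za-z0-9+-_ and no spaces.
CLIENT_NAME = re.compile(r"^[A-Za-z0-9+_-]{1,16}$")

# Constructed sample: the server-side fragment from this page.
EXAMPLE_TORRC = """\
HiddenServiceNonAnonymousMode 1
HiddenServiceSingleHopMode 1
SocksPort 0

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 22 127.0.0.1:22
HiddenServicePort 5900 127.0.0.1:5900
HiddenServiceVersion 3
HiddenServiceAuthorizeClient stealth 1234567890123456
"""


def parse_torrc(text):
    """Yield (option, value) pairs; blank lines and lines starting with '#' are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1].strip() if len(parts) > 1 else "")


def split_sections(pairs):
    """Group HiddenService* options under the most recent HiddenServiceDir (order matters there)."""
    global_opts, services, orphans = {}, [], []
    for option, value in pairs:
        if option == "HiddenServiceDir":
            services.append({"HiddenServiceDir": value})
        elif option.startswith("HiddenService") and option not in GLOBAL_HS_OPTIONS:
            if services:
                services[-1].setdefault(option, []).append(value)
            else:
                orphans.append(option)
        else:
            global_opts[option] = value
    return global_opts, services, orphans


def check_torrc(text):
    """Return a list of findings; an empty list means the fragment is consistent."""
    global_opts, services, orphans = split_sections(parse_torrc(text))
    findings = []

    non_anon = global_opts.get("HiddenServiceNonAnonymousMode") == "1"
    single_hop = global_opts.get("HiddenServiceSingleHopMode") == "1"
    if non_anon != single_hop:
        findings.append("HiddenServiceNonAnonymousMode and HiddenServiceSingleHopMode must both be 1; "
                        "Tor rejects either one on its own")
    if non_anon:
        for port in CLIENT_PORTS:
            value = global_opts.get(port, "9050" if port == "SocksPort" else "0")
            if (value.split() or [""])[0] != "0":
                findings.append(f"{port} is {value!r}: a non-anonymous Tor must not act as a client, set {port} 0")
    for option in orphans:
        findings.append(f"{option} appears before any HiddenServiceDir and applies to no service")

    for svc in services:
        hs_dir = svc["HiddenServiceDir"]
        version = svc.get("HiddenServiceVersion", ["3"])[-1]   # v3 is the default in current Tor
        auth_lines = svc.get("HiddenServiceAuthorizeClient", [])
        if "HiddenServicePort" not in svc:
            findings.append(f"{hs_dir}: no HiddenServicePort, the service exposes nothing")
        if auth_lines and version == "3":
            findings.append(f"{hs_dir}: HiddenServiceAuthorizeClient is a v2-only option; a version 3 "
                            f"service is authorized via key files in {hs_dir.rstrip('/')}/authorized_clients/")
        if not auth_lines and version == "2":
            findings.append(f"{hs_dir}: v2 service without HiddenServiceAuthorizeClient is reachable "
                            "by anyone who learns its address")
        for spec in auth_lines:
            auth_type, _, names = spec.partition(" ")
            if auth_type not in ("basic", "stealth"):
                findings.append(f"{hs_dir}: unknown auth-type {auth_type!r}, expected basic or stealth")
            for name in filter(None, names.split(",")):
                if not CLIENT_NAME.match(name.strip()):
                    findings.append(f"{hs_dir}: invalid client name {name.strip()!r}")
    return findings


if __name__ == "__main__":
    for finding in check_torrc(EXAMPLE_TORRC) or ["no findings"]:
        print(finding)
```

Run against the fragment above it reports exactly one finding, the version 2 authorization option on a version 3 service; switch the service to HiddenServiceVersion 2 and the fragment is consistent, drop SocksPort 0 or HiddenServiceSingleHopMode 1 and the corresponding refusal is reported.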

Client Side

Update the package lists.

sudo apt update

Install Tor's build dependencies.

sudo apt build-dep tor

[1]

Create directory ~/tor-src.

mkdir ~/tor-src

Change directory to ~/tor-src.

cd ~/tor-src

Download the Tor source package.

apt source tor

Change directory to the Tor source directory.

cd tor-*/

Open file debian/rules in a text editor of your choice as a regular, non-root user.

If you are using a graphical environment, run.

mousepad debian/rules

If you are using a terminal, run.

nano debian/rules

Change:

dh_auto_configure \
        $(confflags) \
        --prefix=/usr \
        --mandir=\$${prefix}/share/man \
        --infodir=\$${prefix}/share/info \
        --localstatedir=/var \
        --sysconfdir=/etc \
        --disable-silent-rules \
        --enable-gcc-warnings-advisory

To:

dh_auto_configure \
        $(confflags) \
        --prefix=/usr \
        --mandir=\$${prefix}/share/man \
        --infodir=\$${prefix}/share/info \
        --localstatedir=/var \
        --sysconfdir=/etc \
        --disable-silent-rules \
        --enable-gcc-warnings-advisory \
        --enable-tor2web-mode

Open file src/or/config.c in a text editor of your choice as a regular, non-root user.

If you are using a graphical environment, run.

mousepad src/or/config.c

If you are using a terminal, run.

nano src/or/config.c

Change:

V(Tor2webMode,                 BOOL,     "0"),

To:

V(Tor2webMode,                 BOOL,     "1"),

Build the Tor package.

debuild

[2]
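The two source edits above can also be applied by a script that stops rather than guesses when the expected lines are missing, for instance because the Tor release you downloaded has moved or dropped them. The following Python helper is an added example, not part of the Whonix page or of the Tor project; `patch_tor_source` and the other function names are hypothetical, the regular expressions match the debian/rules and src/or/config.c lines quoted in the steps above, and the sample text in the script is copied from those steps.

```python
"""Apply the two Tor source edits that turn on Tor2web mode, refusing to guess.

Added example, not code from the Whonix page or from the Tor project. It performs
the debian/rules and src/or/config.c changes described in the steps above and
raises instead of silently doing nothing when the expected lines are not found.
"""
import re
from pathlib import Path

# Last configure flag of the dh_auto_configure block: a line with no trailing
# backslash, so a new flag must be chained after it with a backslash.
RULES_ANCHOR = re.compile(r"^(?P<indent>[ \t]*)--enable-gcc-warnings-advisory[ \t]*$", re.MULTILINE)
# Default value of the Tor2webMode option in src/or/config.c.
TOR2WEB_DEFAULT = re.compile(r'(V\(Tor2webMode,\s*BOOL,\s*)"0"(\s*\),)')

# Constructed samples: the "before" lines quoted in the steps above.
SAMPLE_RULES = ("dh_auto_configure \\\n"
                "        $(confflags) \\\n"
                "        --disable-silent-rules \\\n"
                "        --enable-gcc-warnings-advisory\n")
SAMPLE_CONFIG_C = 'V(Tor2webMode,                 BOOL,     "0"),\n'


def enable_tor2web_in_rules(rules_text):
    """Return debian/rules with --enable-tor2web-mode appended to the configure call."""
    if "--enable-tor2web-mode" in rules_text:
        raise ValueError("debian/rules already passes --enable-tor2web-mode")
    new_text, count = RULES_ANCHOR.subn(
        lambda m: (f"{m['indent']}--enable-gcc-warnings-advisory \\\n"
                   f"{m['indent']}--enable-tor2web-mode"),
        rules_text)
    if count != 1:
        raise ValueError(f"expected one --enable-gcc-warnings-advisory line, found {count}")
    return new_text


def default_tor2web_on(config_c_text):
    """Return src/or/config.c with the Tor2webMode default changed from "0" to "1"."""
    new_text, count = TOR2WEB_DEFAULT.subn(r'\g<1>"1"\g<2>', config_c_text)
    if count != 1:
        raise ValueError(f'expected one V(Tor2webMode, BOOL, "0") entry, found {count}')
    return new_text


def patch_tor_source(source_root):
    """Rewrite both files under the unpacked Tor source tree; returns the paths changed."""
    root = Path(source_root)
    edits = {"debian/rules": enable_tor2web_in_rules, "src/or/config.c": default_tor2web_on}
    changed = []
    for relative, transform in edits.items():
        path = root / relative
        path.write_text(transform(path.read_text()))   # transform raises before anything is written
        changed.append(str(path))
    return changed


if __name__ == "__main__":
    import sys
    for changed_path in patch_tor_source(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("patched", changed_path)
```

Run it from inside the tor-*/ directory (or pass that directory as the argument) before the debuild step; a second run raises because the rules file already carries the flag, which keeps the edit idempotent.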

Footnotes

  1. sudo apt install zlib1g-dev libevent-dev asciidoc xmlto libsystemd-dev