Non Anonymous Onion Encryption and NAT Traversal
Using Tor for Onion Encryption / Authentication and NAT Traversal Only - Without Anonymity!
Introduction[edit]
It is possible to make Tor on a server using a single Tor hop (only one Tor relay instead of three) by using Tor configuration options HiddenServiceNonAnonymousMode 1
, HiddenServiceSingleHopMode 1
. This is non-anonymous but faster. Server should use Onions Services Authentication. The advantage of this is to have a server which is:
- reachable (for users having access to Tor) for NAT traversal, i.e. it works behind common NAT routers.
- capable to secure inherently insecure protocols (such as VNC) by using the encryption / authentication provided by Tor Onion Services
Independently, if clients prefer speed over anonymity, they can configure Tor in Tor2Web mode, which means outgoing Tor circuits will have a length of one rather than three.
These two options combined reduce a 6 hop Tor connection to a 2 hop Tor connection. It's not anonymous, but providing NAT traversal as well as onion encryption / authentication.
https://forums.whonix.org/t/should-we-use-hiddenservicesinglehopmode-for-whonix-org-server
Server Side[edit]
Open /usr/local/etc/torrc.d/50_user.conf
.
If you are using Kicksecure inside Qubes, complete the following steps.
Qubes App Launcher (blue/grey "Q")
→ Kicksecure ProxyVM (commonly named kicksecure)
→ Tor User Config (Torrc)
If you are using a graphical Kicksecure, complete the following steps.
Start Menu
→ Applications
→ Settings
→ /usr/local/etc/torrc.d/50_user.conf
If you are using a terminal-only Kicksecure, complete the following steps. sudo nano /usr/local/etc/torrc.d/50_user.conf
Add.
HiddenServiceNonAnonymousMode 1 HiddenServiceSingleHopMode 1 SocksPort 0 HiddenServiceDir /var/lib/tor/hidden_service/ HiddenServicePort 22 127.0.0.1:22 HiddenServicePort 5900 127.0.0.1:5900 HiddenServiceVersion 3 ## syntax: ## HiddenServiceAuthorizeClient auth-type client-name,client-name,… ## The auth-type can either be 'basic' for a general-purpose authorization protocol or 'stealth' for a less scalable protocol that also hides service activity from unauthorized clients. ## Valid client names are 1 to 16 characters long and only use characters in A-Za-z0-9+-_ (no spaces). HiddenServiceAuthorizeClient stealth 1234567890123456
Save and exit.
Client Side[edit]
Update the package lists.
sudo apt update
Install Tor's build dependencies.
sudo apt build-dep tor
Create directory ~/tor-src
.
mkdir ~/tor-src
Change directory to ~/tor-src
.
cd tor-src
Download the Tor source package.
apt source tor
Change directory to Tor source directory.
cd tor-*/
Open file debian/rules
in a text editor of your choice as a regular, non-root user.
If you are using a graphical environment, run. mousepad debian/rules
If you are using a terminal, run. nano debian/rules
Change:
dh_auto_configure \ $(confflags) \ --prefix=/usr \ --mandir=\$${prefix}/share/man \ --infodir=\$${prefix}/share/info \ --localstatedir=/var \ --sysconfdir=/etc \ --disable-silent-rules \ --enable-gcc-warnings-advisory
To:
dh_auto_configure \ $(confflags) \ --prefix=/usr \ --mandir=\$${prefix}/share/man \ --infodir=\$${prefix}/share/info \ --localstatedir=/var \ --sysconfdir=/etc \ --disable-silent-rules \ --enable-gcc-warnings-advisory \ --enable-tor2web-mode
Open file src/or/config.c
in a text editor of your choice as a regular, non-root user.
If you are using a graphical environment, run. mousepad src/or/config.c
If you are using a terminal, run. nano src/or/config.c
Change
V(Tor2webMode, BOOL, "0"),
To
V(Tor2webMode, BOOL, "1"),
Build the Tor package.
debuild
Footnotes[edit]
We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!