Hidden Services


Tor Hidden Services - EASY

Introduction

Be sure to read and understand Tor: Hidden Service Protocol (general information) and Configuring Hidden Services for Tor (standard setup, no isolated proxy) first. Note that hidden services are only ever reachable using Tor or tunnel services such as tor2web (be careful).

You do not need SSL [1], because connections to Tor hidden services are end-to-end encrypted by default. [2][3] This is handy, as you do not have to bother with self-signed certificates or certificate authorities.

Another interesting property is that they can serve as a drop-in Global Server Load Balancing and Layer 3 DDoS-resistance solution.[4] This raises the bar for an attacker to the level of attack the entire Tor network can tolerate. The same holds for I2P Eepsites. Tor can also be considered a very simple to configure encrypted transport alternative to IPSec.[5]

An adversary can see whether the service (and presumably Tor) is up and running or not.

Below on this page is an example for a Hidden Webserver. On the Voip page is an example for a Hidden Voip Mumble Server.

Even if someone hacks your hidden server software (lighttpd, thttpd, apache, etc.), the attacker cannot steal your hidden service key or bypass Tor, see Attack on Whonix. The key is stored on the Whonix-Gateway. Once you have cleaned your Whonix-Workstation, no one can impersonate your hidden service anymore.

While using Whonix we're quite confident that there are no IP/DNS leaks, but hardening the server software is still left to the user. In the Security Guide and in the Advanced Security Guide you'll find pointers for hardening.

Beware of application level leaks. See Protocol-Leak-Protection and Fingerprinting-Protection for definitions. For example,

  • If you are using the Apache web server, it is advised to install libapache2-mod-removeip[6] as well. A combination of Apache and mediawiki without libapache2-mod-removeip installed would not be optimal, since mediawiki by default puts the IPs of anonymous editors in the publicly accessible editor logs. The IP would be 10.152.152.10. That could not be used to identify you, because it is not your real external IP address, but it would identify the server as a hidden service behind a Whonix-Gateway.[7]

Therefore, any instructions on how to hide the IP address for your specific server software should be applied. Other hardening instructions are recommended as well. For example,

  • If you are using the Apache web server, see the following footnotes. [8]

Hidden Webserver

Whonix-Gateway

On your Whonix-Gateway:

Step 1: open /etc/tor/torrc

Open /etc/tor/torrc.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> /etc/tor/torrc

If you are using a terminal-only Whonix-Gateway, complete the following steps:

sudo nano /etc/tor/torrc

Step 2: edit /etc/tor/torrc

(all Whonix platforms)

You need to add two settings to /etc/tor/torrc.

  • A HiddenServiceDir configuration directive declaring where hidden services files (hostname file and private key file) should be stored.
  • A HiddenServicePort configuration directive declaring,
    • the virtual port and
    • the IP and port of the Whonix-Workstation that will run the server software processing incoming hidden service connections.


To do that, add the following two lines.

Qubes-Whonix:

You need to replace IP-of-Qubes-Whonix-Workstation-AppVM with the actual IP. To find out the IP of the Qubes-Whonix-Workstation AppVM, you could run the following command within the Qubes-Whonix-Workstation AppVM: qubesdb-read /qubes-ip

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 IP-of-Qubes-Whonix-Workstation-AppVM:80

Non-Qubes-Whonix:

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 10.152.152.11:80

(all Whonix platforms)

Save.

Step 3: make changes to /etc/tor/torrc take effect

Reload Tor.

After editing /etc/tor/torrc you must reload Tor so your changes take effect. (Note: if after completing all these steps you are not able to connect to Tor, you have most likely done something wrong. Go back and check your /etc/tor/torrc and redo the steps outlined in the sections above. If you are able to connect to Tor, then you have completed your changes correctly.)

For Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named 'sys-whonix') -> Reload Tor

For graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> Reload Tor

For terminal-only Whonix-Gateway, complete the following steps:

Reload Tor.

sudo service tor@default reload

Check Tor's daemon status.

sudo service tor@default status

It should include a message saying:

Active: active (running) since ...

In case of issues, try the following debugging steps.

Check Tor's config.

sudo -u debian-tor tor --verify-config

Should show something like the following.

Sep 17 17:40:41.416 [notice] Read configuration file "/etc/tor/torrc".
Configuration was valid

Step 4: get your onion hostname

To get your Tor hidden service URL, run:

sudo cat /var/lib/tor/hidden_service/hostname

Step 5: backup your Tor hidden service private key

Reminder: Back up your hidden service key in case you want to be able to restore it later, for example on another machine, on a newer Whonix-Gateway, or after HDD failure. It is stored at the following path and you require root to access it.

/var/lib/tor/hidden_service/private_key

Qubes-Whonix:

You can use the usual Qubes tools. The following example shows how to copy /var/lib/tor/hidden_service/private_key from your sys-whonix VM to your vault VM (should be started beforehand) using qvm-copy-to-vm.

sudo qvm-copy-to-vm vault /var/lib/tor/hidden_service/private_key

Using that exact example, you would then find the Tor hidden service private key in your vault VM in the following file:

/home/user/QubesIncoming/sys-whonix/private_key

Consider moving the file from QubesIncoming folder to a location of your choice.

You can then use the usual Qubes capabilities to back up your vault (and/or other) VMs. This can be conveniently done using QubesManager. Please refer to the Qubes documentation about backups on how to do that.

Non-Qubes-Whonix:

TODO document
See also, File Transfer.

Whonix-Workstation

On your Whonix-Workstation:

Step 1: Install Server Software

Run the following commands to install lighttpd.

sudo apt-get update
sudo apt-get install lighttpd

Step 2: Open Whonix-Workstation Firewall Port

Non-Qubes-Whonix: You can skip this step.

Qubes-Whonix users need an additional firewall exception, described in the following steps.

Open firewall port access for your app between Whonix-Gateway and Whonix-Workstation.

sudo iptables -I INPUT 5 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

If not setting up a web server, change the port number from 80 to whatever your app requires.

To make the firewall rule persistent, add the rule to the rc.local file and make it executable.

Open /rw/config/rc.local:

kdesudo kwrite /rw/config/rc.local

Add the following in the rc.local file:

#!/bin/sh
sudo iptables -I INPUT 5 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

Make the rc.local file executable.

sudo chmod +x /rw/config/rc.local

TODO: Update for Whonix 14 (not yet released) EXTERNAL_OPEN_PORTS.

Step 3: Final Notes

Done.

Note that it may take up to 30 minutes or so until a fresh .onion domain becomes reachable.

Note that accessing 127.0.0.1 is no longer possible due to a change in Tor Browser by The Tor Project. Check Tor Browser, Local Connections for more information and a workaround.

Debugging

On Whonix-Gateway.

Check permissions.

sudo ls -la /var/lib/tor/hidden_service/

In case you manually restored your hidden_service keys as root, Tor will fail to start. The folder must be owned by debian-tor. In that case, fix the permissions.

sudo chown debian-tor:debian-tor /var/lib/tor/hidden_service/

In Whonix-Workstation.

Check if the service is available on 127.0.0.1:80.

## Circumventing Whonix curl stream isolation wrapper.
UWT_DEV_PASSTHROUGH=1 curl 127.0.0.1:80

Qubes-Whonix: In Qubes-Whonix-Workstation, check if the service is available on Qubes-Whonix-Workstation IP, port 80.

## Circumventing Whonix curl stream isolation wrapper.
UWT_DEV_PASSTHROUGH=1 curl $(qubesdb-read /qubes-ip):80

Non-Qubes-Whonix: In Whonix-Workstation, check if the service is available on 10.152.152.11:80.

## Circumventing Whonix curl stream isolation wrapper.
UWT_DEV_PASSTHROUGH=1 curl 10.152.152.11:80

Note: Tor Browser will allow connections to 127.0.0.1:80 but not to 10.152.152.11:80.

Tips for setting up any hidden service

Please test the example Hidden Webserver above first. It helps with understanding this in general and will ease debugging.

Quoted from the Tor manual[9]:

HiddenServiceDir DIRECTORY

Store data files for a hidden service in DIRECTORY. Every hidden service must have a separate
directory. You may use this option multiple times to specify multiple services. DIRECTORY
must be an existing directory.

Quoted from the Tor manual[10]:

HiddenServicePort VIRTPORT [TARGET]

Configure a virtual port VIRTPORT for a hidden service. You may use this option multiple
times; each time applies to the service using the most recent hiddenservicedir. By default,
this option maps the virtual port to the same port on 127.0.0.1 over TCP. You may override
the target port, address, or both by specifying a target of addr, port, or addr:port. You
may also have multiple lines with the same VIRTPORT: when a user connects to that VIRTPORT,
one of the TARGETs from those lines will be chosen at random.
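As an added example (not from the Whonix wiki or from Tor itself), the following script applies the target rules quoted above to the HiddenServiceDir/HiddenServicePort lines of a torrc and prints each mapping as an explicit "dir virtport addr:port" triple, so a misread target is visible before Tor is reloaded. It reads a constructed torrc fragment; the function and sample names are this example's own.

```shell
#!/bin/sh
# Added example: normalize HiddenServicePort targets according to the
# Tor manual rules: no target -> same port on 127.0.0.1, a bare port ->
# that port on 127.0.0.1, a bare address -> the virtual port on that
# address, addr:port -> taken as is. A HiddenServicePort that appears
# before any HiddenServiceDir is reported as an error on stderr.

# Constructed torrc fragment exercising all four target forms.
SAMPLE_TORRC='HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 10.152.152.11:80
HiddenServicePort 22
HiddenServicePort 443 10.152.152.11
HiddenServicePort 5900 5901
HiddenServiceDir /var/lib/tor/second_service/
HiddenServicePort 80 10.152.152.12:8080'

# hs_mappings: reads torrc text on stdin, prints "dir virtport addr:port"
# for every HiddenServicePort, attributed to the most recent HiddenServiceDir.
hs_mappings() {
    awk '
        # Tor option names are case-insensitive, so compare lowercased.
        tolower($1) == "hiddenservicedir" { dir = $2; next }
        tolower($1) == "hiddenserviceport" {
            if (dir == "") {
                printf "error: HiddenServicePort %s before any HiddenServiceDir\n", $2 > "/dev/stderr"
                next
            }
            vport = $2; target = $3
            if (target == "")             target = "127.0.0.1:" vport   # default
            else if (target ~ /^[0-9]+$/) target = "127.0.0.1:" target  # port only
            else if (target !~ /:/)       target = target ":" vport     # address only
            printf "%s %s %s\n", dir, vport, target
        }
    '
}

# Convenience wrapper that runs the check over the constructed sample.
demo_hs_mappings() {
    printf '%s\n' "$SAMPLE_TORRC" | hs_mappings
}
```

On a real Whonix-Gateway you would feed it the live file with `sudo cat /etc/tor/torrc | hs_mappings`.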

Read the Security Guide.

Important Upstream Bugs

Connectivity bugs:

Tor Hidden Services - ADVANCED

Hidden Services Security

Not Whonix specific! Talking about Tor in general.

How safe are Tor Hidden Services?

This is a difficult question. Therefore state relevant facts, quotes and links here.

Hidden Service Authentication

Introduction

By default, hidden service names are known to the public, because they are published to the hidden service directories. This information ends up collected by search crawlers, allowing anyone to try to connect to and probe your hidden server even if this was not your intention.

To set up a hidden service in a private mode, accessible only by you or additionally by your trusted associates, there is a little-known Tor feature called Hidden Services Authentication. [12][13] When activated, no one (not even the hidden service directories) can derive your .onion address from the descriptors, nor can they learn the introduction points to your server, and consequently they will not be able to connect to you.

This feature allows the HS operator to generate multiple shared secrets, giving access to different parties, and that access is revocable. It is configured with the "stealth" auth type of HiddenServiceAuthorizeClient. Clients whose access has been revoked no longer learn the HS's introduction points.

Tor manual

Server Setup

On Whonix-Gateway.

Open /etc/tor/torrc.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> /etc/tor/torrc

If you are using a terminal-only Whonix-Gateway, complete the following steps:

sudo nano /etc/tor/torrc

See the following example. Adjust it for your purposes and add it.

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 22 127.0.0.1:22
HiddenServicePort 5900 127.0.0.1:5900
## syntax:
## HiddenServiceAuthorizeClient auth-type client-name,client-name,…
## The auth-type can either be 'basic' for a general-purpose authorization protocol or 'stealth' for a less scalable protocol that also hides service activity from unauthorized clients.
## Valid client names are 1 to 16 characters long and only use characters in A-Za-z0-9+-_ (no spaces). 
HiddenServiceAuthorizeClient stealth 1234567890123456

Save.

Reload Tor.

After editing /etc/tor/torrc you must reload Tor so your changes take effect. (Note: if after completing all these steps you are not able to connect to Tor, you have most likely done something wrong. Go back and check your /etc/tor/torrc and redo the steps outlined in the sections above. If you are able to connect to Tor, then you have completed your changes correctly.)

For Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named 'sys-whonix') -> Reload Tor

For graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> Reload Tor

For terminal-only Whonix-Gateway, complete the following steps:

Reload Tor.

sudo service tor@default reload

Check Tor's daemon status.

sudo service tor@default status

It should include a message saying:

Active: active (running) since ...

In case of issues, try the following debugging steps.

Check Tor's config.

sudo -u debian-tor tor --verify-config

Should show something like the following.

Sep 17 17:40:41.416 [notice] Read configuration file "/etc/tor/torrc".
Configuration was valid

To get your Tor hidden service URL and password, run:

sudo cat /var/lib/tor/hidden_service/hostname

It should show something like this:

xxxxxxxxxxxxxxxx.onion 0123456789012345678901 # client: 1234567890123456

This is the authentication cookie generated by Tor. It should be shared with whoever is supposed to be allowed to connect,

  • preferably face-to-face, or
  • via OpenPGP encrypted e-mail or OTR encrypted chat over Tor involving both parties.

Note that you can generate a unique authentication cookie for every individual or group you grant access to. This gives you the ability to revoke access if the need arises. Access to a hidden service is granted on an all-or-nothing basis. If you want to limit it at a subdomain level, you are advised to implement that by compartmentalizing your services under different hidden service addresses running on a Multiple Workstation setup.

Client Setup

Open /etc/tor/torrc.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> /etc/tor/torrc

If you are using a terminal-only Whonix-Gateway, complete the following steps:

sudo nano /etc/tor/torrc

Add the following line, replacing the placeholders with the onion address and the authentication cookie the service operator shared with you:

HidServAuth <onion-address> <auth-cookie>
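As an added example (not from the Whonix wiki or from Tor), the following script turns the lines Tor writes to the server's hostname file (the "<onion> <cookie> # client: <name>" format shown in Server Setup) into the HidServAuth line each client needs here, optionally filtered to a single client name so that an operator hands every party only its own cookie. The hostname file content is a constructed sample; the function and sample names are this example's own.

```shell
#!/bin/sh
# Added example: derive client-side HidServAuth lines from a hidden
# service hostname file. Lines that do not match the expected layout
# are reported on stderr rather than silently passed through.

# Constructed sample of a hostname file with two authorized clients
# plus one line that is not a hostname entry.
SAMPLE_HOSTNAME_FILE='xxxxxxxxxxxxxxxx.onion 0123456789012345678901 # client: 1234567890123456
xxxxxxxxxxxxxxxx.onion abcdefghijklmnopqrstuv # client: alice
this line is not a hostname entry'

# hidservauth_lines [client-name]
# Reads hostname-file content on stdin and prints one HidServAuth line
# per entry. With a client name, only that client's line is printed.
hidservauth_lines() {
    awk -v want="${1:-}" '
        # Field layout: $1 onion address (16 chars + ".onion"),
        # $2 22-character auth cookie, $3 "#", $4 "client:", $5 name
        NF == 5 && $3 == "#" && $4 == "client:" &&
        length($1) == 22 && $1 ~ /\.onion$/ && length($2) == 22 {
            if (want == "" || $5 == want)
                printf "HidServAuth %s %s\n", $1, $2
            next
        }
        { printf "skipped unrecognized line: %s\n", $0 > "/dev/stderr" }
    '
}

# Convenience wrapper that runs the conversion over the constructed sample.
demo_hidservauth() {
    printf '%s\n' "$SAMPLE_HOSTNAME_FILE" | hidservauth_lines "$@"
}
```

On the server you would run `sudo cat /var/lib/tor/hidden_service/hostname | hidservauth_lines alice` and pass the single resulting line to that client over one of the secure channels listed above.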

Reload Tor.

After editing /etc/tor/torrc you must reload Tor so your changes take effect. (Note: if after completing all these steps you are not able to connect to Tor, you have most likely done something wrong. Go back and check your /etc/tor/torrc and redo the steps outlined in the sections above. If you are able to connect to Tor, then you have completed your changes correctly.)

For Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named 'sys-whonix') -> Reload Tor

For graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> Reload Tor

For terminal-only Whonix-Gateway, complete the following steps:

Reload Tor.

sudo service tor@default reload

Check Tor's daemon status.

sudo service tor@default status

It should include a message saying:

Active: active (running) since ...

In case of issues, try the following debugging steps.

Check Tor's config.

sudo -u debian-tor tor --verify-config

Should show something like the following.

Sep 17 17:40:41.416 [notice] Read configuration file "/etc/tor/torrc".
Configuration was valid

Done.

Notes about End-to-end security of Hidden Services

Hidden services are not really "end-to-end" encrypted; they are encrypted only Tor-to-end (or "Tor to Tor"). The communication between the browser or server and Tor is sent in clear text. This does not really constitute a security issue, as localhost (or Workstation to Gateway on an isolated network) is supposed to be secure. But it has some security implications:

With hidden services alone, without TLS enabled, the adversary only needs to compromise Whonix-Gateway to gain knowledge of the content of the connection and the client's identity/location. To compromise the content of the connection, the adversary only needs to compromise either the gateway or the workstation.

With hidden services and TLS enabled, an adversary needs to compromise Whonix-Workstation to gain knowledge of the content of the connection. The adversary would have to compromise Whonix-Gateway as well to gain knowledge of the client's identity/location.

It is possible to use hidden services and TLS at the same time, i.e. https://****************.onion. There are only very few hidden services reachable over TLS. For example https://pad.riseup.net/ can be reached over https://5jp7xtmox6jyoqd5.onion/. But since this only offers benefits to users of Whonix (and other Tor gateway implementations), there is no demand. It would provide some nice defense in depth, as it eliminates a single point of failure.

This raises the question of how the certificate would be verified.

That is simple for private sites, where server and clients know each other. They simply verify it over a pre-shared secure channel, for example at a meeting.

And public hidden services? It is unlikely that certificate authorities will give out certificates for .onion sites. Startssl.com declined, because .onion is not a gTLD, see Bug #6116: apply for .onion gTLD at IANA. Although you could try asking other certificate authorities whether they offer SSL certificates to people who can prove that they own a .onion domain. You can prove that you have control over the domain by editing its contents on their request.

But CAs should not be relied on anyway. See chapter SSL.

Hidden Services with Whonix are still safer than running Tor and the server software on the same host, because even when misconfigured, there can be, by design, no IP or DNS leaks.

See Also

References

  1. https://en.wikipedia.org/wiki/Secure_Sockets_Layer
  2. To be exact, only tor-to-tor, see Notes about End-to-end security of Hidden Services.
  3. http://www.quora.com/Is-there-an-SSL-equivalent-for-Tor-Hidden-Services
  4. https://archive.is/Aaqsz
  5. https://lists.torproject.org/pipermail/tor-talk/2016-October/042360.html
  6. sudo apt-get install libapache2-mod-removeip
  7. Since it's easy to know that the internal LAN IP 10.152.152.10 is usually used by Whonix-Gateway.
  8. (Source: old forum) Stop Apache. In ports.conf:
    NameVirtualHost 127.0.0.1:80
    Listen 127.0.0.1:80
    ServerName localhost
    

    In sites-available/default:

    
    

    Start Apache.

    Now Apache is not listening on 10.152.152.10, but only on 127.0.0.1. So now we somehow need to redirect 10.152.152.10:80 to 127.0.0.1:80.

    It can be done with a firewall rule or netcat:

    sudo ncat -l 10.152.152.10 80 -c 'ncat 127.0.0.1 80'

  9. https://www.torproject.org/docs/tor-manual.html.en
  10. https://www.torproject.org/docs/tor-manual.html.en
  11. https://www.torproject.org/about/corepeople.html.en
  12. http://tor.stackexchange.com/questions/219/how-to-use-hidden-service-authentication How to use Hidden Service Authentication?
  13. https://gitweb.torproject.org/torspec.git/tree/proposals/121-hidden-service-authentication.txt
