Non Anonymous Onion Encryption and NAT Traversal
From Whonix
Introduction
It is possible to run Tor on a server with a single Tor hop (one Tor relay instead of three) by using the Tor configuration options HiddenServiceNonAnonymousMode 1 and HiddenServiceSingleHopMode 1. This is non-anonymous but faster. The server should use Onion Services Authentication. The advantage is a server which is:
- reachable (for users having access to Tor) for NAT traversal, i.e. it works behind common NAT routers.
- capable of securing inherently insecure protocols (such as VNC) by using the encryption / authentication provided by Tor Onion Services
Independently, if clients prefer speed over anonymity, they can configure Tor in Tor2Web mode, which means outgoing Tor circuits will have a length of one rather than three.
These two options combined reduce a 6 hop Tor connection to a 2 hop Tor connection. It is not anonymous, but it still provides NAT traversal as well as onion encryption / authentication.
https://forums.whonix.org/t/should-we-use-hiddenservicesinglehopmode-for-whonix-org-server
Server Side
Open /usr/local/etc/torrc.d/50_user.conf.
If you are using Qubes-Whonix ™, complete the following steps.
Qubes App Launcher (blue/grey "Q")
→ Whonix-Gateway ™ ProxyVM (commonly named sys-whonix)
→ Tor User Config (Torrc)
If you are using a graphical Whonix-Gateway ™, complete the following steps.
Start Menu
→ Applications
→ Settings
→ /usr/local/etc/torrc.d/50_user.conf
If you are using a terminal-only Whonix-Gateway ™, complete the following steps.
sudo nano /usr/local/etc/torrc.d/50_user.conf
Add.
HiddenServiceNonAnonymousMode 1
HiddenServiceSingleHopMode 1
SocksPort 0
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 22 127.0.0.1:22
HiddenServicePort 5900 127.0.0.1:5900
HiddenServiceVersion 3
## syntax:
## HiddenServiceAuthorizeClient auth-type client-name,client-name,…
## The auth-type can either be 'basic' for a general-purpose authorization protocol or 'stealth' for a less scalable protocol that also hides service activity from unauthorized clients.
## Valid client names are 1 to 16 characters long and only use characters in A-Za-z0-9+-_ (no spaces).
## Note: HiddenServiceAuthorizeClient is a version 2 onion service option; version 3 services configure client authorization through key files in the authorized_clients subdirectory of HiddenServiceDir instead.
HiddenServiceAuthorizeClient stealth 1234567890123456
Save and exit.
Client Side
Update the package lists.
sudo apt-get update
Install Tor's build dependencies.
sudo apt-get build-dep tor
Create directory ~/tor-src.
mkdir ~/tor-src
Change directory to ~/tor-src.
cd ~/tor-src
Download the Tor source package.
apt-get source tor
Change directory to Tor source directory.
cd tor-*/
Open debian/rules in an editor as a regular, non-root user.
If you are using a graphical environment, run.
mousepad debian/rules
If you are using a terminal, run.
nano debian/rules
Change:
	dh_auto_configure \
		$(confflags) \
		--prefix=/usr \
		--mandir=\$${prefix}/share/man \
		--infodir=\$${prefix}/share/info \
		--localstatedir=/var \
		--sysconfdir=/etc \
		--disable-silent-rules \
		--enable-gcc-warnings-advisory
To:
	dh_auto_configure \
		$(confflags) \
		--prefix=/usr \
		--mandir=\$${prefix}/share/man \
		--infodir=\$${prefix}/share/info \
		--localstatedir=/var \
		--sysconfdir=/etc \
		--disable-silent-rules \
		--enable-gcc-warnings-advisory \
		--enable-tor2web-mode
Open src/or/config.c in an editor as a regular, non-root user.
If you are using a graphical environment, run.
mousepad src/or/config.c
If you are using a terminal, run.
nano src/or/config.c
Change
V(Tor2webMode, BOOL, "0"),
To
V(Tor2webMode, BOOL, "1"),
Build the Tor package.
debuild
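As an added example (not from the Whonix page or the Tor project), the client-side steps above as one POSIX shell script: the two source edits are applied with awk instead of an editor, checked before the build starts, and are safe to rerun. The function names, the verify step and the --run guard are assumptions.

```shell
#!/bin/sh
# Added example: automates the Tor2Web client rebuild described above.
# Function names, the verify step and the --run guard are assumptions.
set -eu

SRC_ROOT="${HOME:-.}/tor-src"   # same directory the page uses

# Add --enable-tor2web-mode after --enable-gcc-warnings-advisory in the
# dh_auto_configure block of debian/rules. Idempotent: a second run is a no-op.
patch_rules() {
    rules="$1"
    grep -q -- '--enable-tor2web-mode' "$rules" && return 0
    awk '/--enable-gcc-warnings-advisory[ \t]*$/ {
             print $0 " \\"; print "\t\t--enable-tor2web-mode"; next }
         { print }' "$rules" > "$rules.tmp" && mv "$rules.tmp" "$rules"
}

# Flip the compiled-in default of Tor2webMode from "0" to "1" in src/or/config.c.
patch_config_c() {
    cfg="$1"
    awk '/V\(Tor2webMode, BOOL, "0"\),/ { sub(/"0"/, "\"1\"") } { print }' \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Returns 0 only when both edits are present, so debuild never runs
# against an unpatched tree (which would silently build a normal Tor).
verify_patched() {
    grep -q -- '--enable-tor2web-mode' "$1" &&
    grep -q 'V(Tor2webMode, BOOL, "1"),' "$2"
}

# The full procedure from the page: fetch source, patch, verify, build.
build_tor2web_client() {
    sudo apt-get update
    sudo apt-get build-dep tor
    mkdir -p "$SRC_ROOT" && cd "$SRC_ROOT"
    apt-get source tor
    cd tor-*/
    patch_rules debian/rules
    patch_config_c src/or/config.c
    verify_patched debian/rules src/or/config.c
    debuild
}

# Only start the build when invoked with --run, so the functions above can be
# sourced and tested on their own.
if [ "${1:-}" = "--run" ]; then
    build_tor2web_client
fi
```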
Footnotes
Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself.