HMLHML - Half Moore's Law, Half Murphey's Law

exposing my pi as a tor hidden service

Written by Grant Powell on 2020-12-26

Accessing my Pi When I’m on the Go

I travel a good bit (or at least used to). I’d like to be able to admin my home network wherever I am. This is a little tough because I don’t have a static IP address at my apartment. At any point the external address of my router relative to the internet could change.

One option available to me is to use something like DYN DNS. DYN DNS allows for your network to dynamically configure it’s DNS address. The issue is that Dyn DNS is $55 a year, which is like a ¼ of a Pinebook.

Cryptography to the Rescue

One approach to providing a way to route to my server without having an static IP is to use one of the volunteer run cryptographic overlay networks.

Here are two,

  1. Tor
  2. I2P

When exposing a server to inbound connections via something like Tor, all connections from your server are outgoing to the Tor network. This means that you can make a server routable on any network that can reach the Tor network.

Overlay networks like I2P and Tor use cryptographic signatures to route within the network. Addresses look like http://bbcnewsv2vjtpsuy.onion. Addresses look weird because they’re the public keys (or just the hash in the case of the old ones) of the servers. Since routing is done with cryptographically, you don’t need something like a lease on the limited IPv4 address space.

On my Pi (I’ve named it io after Jupiter’s moon) I can expose the ssh server via Tor by using the following configuration. We tell the Tor process to forward incoming connections on port 22 to port 22 on the loopback (localhost)

After installing tor (apt install tor), I added this to my /etc/tor/torrc file

RunAsDaemon 1
DataDirectory /var/lib/tor
HiddenServiceDir /var/lib/tor/ssh_hs/
HiddenServicePort 22

IO Tor Hidden Service

Connecting my Laptop to Tor

There’s a special version of Firefox that ships configured with all the necessary software to connect to the Tor network. When you run the Tor browser, it also runs a SOCKS5 proxy on port 9150 that any other software can use.

On my laptop I can tell ssh to proxy commands through the Socks5 Proxy by editing my ~/.ssh/config like so

Host io
  Hostname <your-onion-address>.onion
  User pi
  IdentityFile ~/.ssh/id_rsa
  ProxyCommand nc -X 5 -x localhost:9150 %h %p
  VerifyHostKeyDNS no
  CheckHostIP no
  IdentitiesOnly yes

Note: I found out the hard way, currently only the BSD edition of netcat supports SOCKS5, and the GNU version does not

Most commands that deal with connecting to a server read the ~/ssh/config file. So ssh and scp work out of the box.

IO Tor ssh


One of my big use cases for is being able to fix the our router for my roomates when I’m on the go. Now that we have a way to do ssh connections over Tor, we can use ssh to tunnel to other places behind my firewall.

ssh -N -L io

This will forward all connections to port 4000 on your local machines through Io to port 80 on (relative to Io). This means I can use chrome to access my router anywhere I go.

IO Tor ssh tunnel