Say for example you have a website that you feel comfortable having online via a public domain name, but you do not feel comfortable having it hosted on the location of its clearnet IP because $reason (for example you are The Pirate Bay). Or you want to store all your e-mail in an undisclosed location. This configuration enables the transferring machine to know as little as possible about the actual hosting machine (because it's really a .onion) while using very little resources (i.e. a VPS with 128MB RAM for little $currency/$timeframe) on the transparent proxy machine and even less time to set it up.
tor2tcp attempts to:
- Have arbitrary internet facing services that actually connect you to a hidden service
- Enable TLS handshakes with a hidden service from the regular internet, enabling safe transport
- Handle connections via tiny VPS (128MB RAM) proxy machine with no access to information at all, except for configuration files and public ssh keys
I presented this project at 30c3, a recording of it is available from CCC (skip to 1:41:05) with a mirror on Youtube. Feel free to take a look at my slides as well.
See the vps folder for sample configuration files. They have inline
documentation. It's that simple, if you only want to run HTTP for example.
Say we want to receive and send e-mail, then we need more than just incoming
connections. Since we don't want to be **** SPAM ****, we need to send
all our mail via the incoming transparent proxy machine (vps). We don't want
to turn our proxy into a mail relay as we want to avoid having any data on that
machine (like a mail queue or logs).
So outgoing connections are a little more complicated and depend on torsocks,
redsocks as well as
DNS SOCKS Proxy (see
my fork to avoid automatic
writing to /etc/resolv.conf). Also, have a password-less ssh-key available
(that enables login on the vps machine), which we need for the following:
tmux new-session -d 'torsocks autossh -D 1080 mzeltner@46.246.28.219'
autossh backgrounding was broken for me for some reason, so I use tmux (or
screen) to keep our torified SOCKS tunnel on 127.0.0.1:1080 open.
Thanks to transparent proxying via redsocks and iptables, this torified
SOCKS tunnel is used for our outgoing connections with postfix. See the
onion folder for sample configuration files.
Keep in mind, this is an experimental setup, don't use this for anything important.
https://poum.niij.org/ is both proof of concept and more documentation.
Abel Luck for inspiration, ra_ for testing incoming connections, MacLemon for brain bounces.