@dustyfresh
Last active January 9, 2019 15:45
tunnel remote services to localhost with SSH & Tor

Architecture

Sometimes you need to access a service that is behind a firewall that you do not have permissions to influence. You can get around your inability to modify the firewall policies by tunneling your service over a Tor hidden service with SSH.

Requirements

  • Tor must be installed on both the firewalled host and the client server the tunnel will be initiated from.
  • Ncat is used to proxy SSH over SOCKS to Tor. The ncat binary ships with the nmap package.
  • The client must have a public key in the authorized_keys SSH file for the hidden service.

Setup hidden service

Create a torrc configuration file with the following configuration on the server you will be tunneling to.

HiddenServiceDir /opt/hidden_service/
HiddenServicePort 22 127.0.0.1:22
HiddenServiceAuthorizeClient stealth clientname
  • You should change clientname to the name you would like to use to identify the client in the logs on the hidden service.

Start Tor on the hidden service host

$ tor -f ./torrc

Once Tor startup is complete you should be able to view the auth details for our hidden service in the hostname file.

$ cat /opt/hidden_service/hostname
changeme.onion descriptor-cookie-secret # client: clientname

You will need to put this information in the torrc file on the clientname server so that it can authenticate to the Tor hidden service.

Setup the client to connect to hidden service

Add this to the bottom of the torrc file for the client that will be tunneling through the hidden service.

HidServAuth changeme.onion descriptor-cookie-secret
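
When several clients are authorized, the hostname file carries one line per client name, and the wrong line is easy to copy by hand. The shell functions below are an added example, not part of the original gist: they pick the line for one client and append the matching HidServAuth entry to a torrc. The function names and the sample addresses and cookies are constructed, and the line format is assumed to be the one shown in the hostname file above.

```shell
#!/bin/sh
# Added example, not from the original gist. Assumed hostname line format:
#   <address>.onion <descriptor-cookie> # client: <clientname>

# hidservauth_line FILE CLIENT
# Print "HidServAuth <address> <cookie>" for CLIENT.
# Status: 0 ok, 1 CLIENT not listed, 2 address field is not an .onion name.
hidservauth_line() {
    awk -v want="$2" '
        $3 == "#" && $4 == "client:" && $5 == want {
            found = 1
            if (NF != 5 || $1 !~ /^[a-z2-7]+\.onion$/) { bad = 1; exit }
            print "HidServAuth", $1, $2
            exit
        }
        END { if (bad) exit 2; if (!found) exit 1 }
    ' "$1"
}

# install_hidservauth TORRC FILE CLIENT
# Append the entry to TORRC unless it is already there. The cookie is a
# credential, so a newly created TORRC is made readable by its owner only.
install_hidservauth() {
    line=$(hidservauth_line "$2" "$3") || return $?
    if [ -f "$1" ] && grep -qxF -- "$line" "$1"; then
        return 0
    fi
    ( umask 077; printf '%s\n' "$line" >> "$1" )
}

# Constructed sample (placeholder values): one line per authorized client.
sample=$(mktemp)
cat > "$sample" <<'EOF'
aaaabbbbccccdddd.onion COOKIEone # client: laptop
eeeeffffgggghhhh.onion COOKIEtwo # client: buildbox
EOF
hidservauth_line "$sample" buildbox
rm -f "$sample"
```

Running `install_hidservauth` twice for the same client leaves a single entry in the torrc, so it is safe to call from a provisioning script.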

Configure client ssh

  • Add the client's SSH public key to the hidden service's authorized_keys file
  • Add the following to the ~/.ssh/config file for the client
$ cat ~/.ssh/config
 Host *.onion
   proxyCommand ncat --proxy 127.0.0.1:9050 --proxy-type socks5 %h %p

This will tell our SSH client to connect to all .onion domains over our Tor SOCKS proxy.

Start tunnel

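We start a tunnel to our service that forwards port 3306 to localhost on our client. This starts the tunnel as a background process so that we do not need to keep a shell session open. The -o StrictHostKeyChecking=no option makes ssh add the host key to known_hosts without prompting for confirmation.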

$ ssh -f -N -i id_rsa -o StrictHostKeyChecking=no -L 3306:127.0.0.1:3306 user@changeme.onion