Tor-to-IP tunnel service for HTTPS

Use the public IP address of a Virtual Private Server (VPS) to make Tor Hidden Services reachable on the clearnet.

Advantages:

• hides the IP of the host from the public and from the VPS
• no port forwarding needed on the LAN of the host
• additional encryption by Tor between the host and the VPS

Requirements:

• SSH access to a Virtual Private Server (VPS) - eg. a minimal package on Lunanode for ~3.5$/month
  • Example Lightning Payable VPS services:
    • host4coins.net
    • bitclouds.sh or lntxbot /bitclouds
• Note that only the root user can forward to ports below 1000.
• Tor should not be the only encryption layer of the service as the traffic exposed on the VPS is meant to be for the localhost
• Always check the terms and rules of the VPS provider to avoid bans and don’t do anything causing them trouble to keep these services going.

On the VPS

• Login with ssh to the root user
  ssh root@VPS_IP_ADDRESS
• Install tor (leave on default settings) and socat
# apt install tor socat

Set up a systemd service

• make a separate process for every connected Hidden Service to avoid restarting every connection when a service added or removed.
  Suggestion for naming the service is to put the VPS_PORT used on the VPS into the name: tor2ip<VPS_PORT>

• create the service file:
  # nano /etc/systemd/system/tor2ip443.service
  • Paste the following and fill in:
    • the VPS_PORT you want to use (facing the public) - in this example: 443.
    • the TOR_HIDDEN_SERVICE_ADDRESS.onion
      • generate the address with:
        • config.scripts/internet.hidden.service.sh HTTPS 443 443
        • this will expose the local port 443 on the .onion:443
    • The TOR_PORT the Hidden Service is using - in this example: 443

    [Unit]
    Description=Tor2IP Tunnel Service
    After=network.target
  
    [Service]
    User=root
    Group=root
    ExecStart=/usr/bin/socat TCP4-LISTEN:443,bind=0.0.0.0,fork SOCKS4A:localhost:TOR_HIDDEN_SERVICE_ADDRESS.onion:443,socksport=9050
    StandardOutput=journal
  
    [Install]
    WantedBy=multi-user.target
  

• Enable and start the service:
  # systemctl enable tor2ip443
# systemctl start tor2ip443

Setting up this Tor-to-IP tunnel service is now complete. You can carry on adding other services using different ports on the VPS.
You should be able access the ports/services of the host computer through: VPS_IP_ADDRESS:VPS_PORT. To connect to the HTTPS website served from the node in the example:
https://VPS_IP_ADDRESS

Monitoring on the VPS

• To check if tunnel is active on the VPS:
  # netstat -tulpn

  • Look for the lines: ``` Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name

  tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 13684/socat
  ```

• Monitor the service with:
  # systemctl status tor2ip443 ``` ● tor2ip443.service - Tor2IP Tunnel Service Loaded: loaded (/etc/systemd/system/tor2ip443.service; enabled; vendor preset: enabled) Active: active (running) since Sun 2020-04-05 14:58:43 BST; 2min 23s ago Main PID: 13684 (socat) Tasks: 1 (limit: 1078) Memory: 540.0K CGroup: /system.slice/tor2ip443.service └─13684 /usr/bin/socat TCP4-LISTEN:443,bind=0.0.0.0,fork SOCKS4A:localhost:TOR_HIDDEN_SERVICE_ADDRESS.onion:443,socksport=9050

Apr 05 14:58:43 VPS_hostname systemd[1]: Started Tor2IP Tunnel Service. ```

Resources

• socat manpage: https://linux.die.net/man/1/socat
• Thanks to @emzy for the original socat syntax.
• Produced at the #LightningHackSprint.