
Ask HN: Would you use Tor to connect to your distributed servers? - merqurio
We are looking for solutions to be able to connect to our servers that will be distributed to our customers (software is the product, not the hardware). As we don't know where they will end up, looking for possible alternatives to VPN I found out[1] that using the Tor network could be a way to connect into the machines.

What should we consider before going with Tor? Would you do it?
Thanks!

[1]: http://gk2.sk/running-ssh-on-a-raspberry-pi-as-a-hidden-service-with-tor/
======
tshtf
* Tor will cause IDS and firewall alerts. This could lead to traffic being blocked.

* Tor HS are not particularly resilient and have relatively high latency.

* The addresses of Tor hidden services can be determined by an attacker (Malicious HSDir operators).

* The Tor network is already over capacity, and isn't intended or ready for commercial use. Carefully consider using a free community service for a commercial product.

* If you do ultimately use Tor, consider running Tor relays or donating to the foundation.

~~~
merqurio
Great feedback! A couple of questions as we are new to

* What are the risks of unmasking a hidden Tor

* Would planning a schedule to turn Tor on be a good solution for the resiliency problem?

Thanks!

~~~
tshtf
With the hidden service address, an attacker can access whichever ports are
exposed by the hidden service.

Turning Tor off and on is a relatively expensive operation for the Tor
network. It wouldn't particularly help resilience.

~~~
merqurio
Thanks tshtf! I will keep learning on Tor before making any decision.

Personally I think it can be great to go with Tor, having a great excuse to
support it too.

------
rendx
Yes, perfectly possible. With onion services, you get static identifiers to
connect to the machine, and Tor is pretty good at working its way through
NAT/firewalls. Bonus: You can seal that device off, and portscanning or
similar won't give away anything.

~~~
merqurio
Great! That's a really nice bonus! Is there any security concern we should take
into account about having Tor running continuously?

We tested with the instructions in the link above and it worked really smoothly.
The idea is to orchestrate all the servers with Ansible or Salt via SSH over Tor.

