Expose server behind NAT with Tor (hplar.ch)
85 points by marcodiego 7 days ago | hide | past | favorite | 41 comments

Another option is a VPN as a service solution like tailscale. Tailscale does a lot of work to get around NAT and has some great articles on their blog about it. https://tailscale.com/blog/how-nat-traversal-works/

Oh I love tailscale, it is so performant and just works (mostly). However, I have used Tor for many years for this use case and still have it around as a fallback for machines that can be hard to reach spatially.

Wireguard is performant, tailscale makes it convenient

Is there a way of doing NAT hole-punching with Wireguard?

There are essentially 3 ways proxy tunneling like this is done:

1. The Tor method mentioned in this article - Will probably be the worst performance but it's free and offers some privacy features.

2. VPN - WireGuard (Tailscale is popular), OpenVPN, IPsec etc. Best performance, but requires some low-level configuration on both the client and server. You'll probably need admin privileges on the client to configure network interfaces. This is usually automated in practice. If you're on a network that blocks UDP, that can also be an issue. You also need a server with a public IP, which generally you'll have to pay for.

3. User-space tunnels - Solutions like SSH remote port forwarding, ngrok, etc. Convenient because on the client you don't need elevated privileges. Performance will likely be somewhere between Tor and VPN. Although note that unless you have very fast internet upload speeds, tunnel performance isn't likely to be your bottleneck. Many solutions multiplex over a single TCP connection, which can cause issues in lossy network conditions due to head-of-line blocking. You need a server with a public IP just like with a VPN.

I maintain a list of proxy tunneling solutions here:

https://github.com/anderspitman/awesome-tunneling


Nice collection of resources. Thanks for creating it.

The main downside to this is that performance will generally be quite bad. Tor trades performance for anonymity. Unless you specifically need anonymity — which is highly unlikely when you are just trying to reach back to a host of your own behind a NAT — there probably isn't any benefit in using Tor.

Suppose I've got an RPI and I want to ssh into it from anywhere in the world.

If I ssh into it through a hidden service then the hidden service address IS its canonical address, regardless of whether I'm sitting in the living room or on the international space station.

As it turns out I don't need to log in to my RPI from the ISS. But if I did need that, good luck explaining to me how to do that with impunity using a pile of brittle Linux configurations. Tell me how to do it and I bet I'll fuck it up.


That use-case is exactly what I use https://www.zerotier.com/ for — SSHing into my NAS from anywhere in the world. And there's less configuration involved than setting up a Tor hidden service.

> And there's less configuration involved than setting up a Tor hidden service.

Is there really? IIRC zerotier saves you having to fiddle around with keys, which is a pain, but you still need to set up the daemon, and zerotier requires you to go make an account instead of just generating keys and copying them to your client, which feels like rather more friction.


$ ssh 123.45.67.8

Assuming there's internet on the ISS


I didn't write it explicitly, but I was describing ssh'ing to an RPI behind a NAT as most residential U.S. internet is. In that case 123.45.67.8 won't help you.

In fact, I think the comment I was responding to understood my meaning and retroactively edited their comment to include the part between the dashes about accessing a compy behind a NAT. GP-- did you do that or am I imagining things?

Anyway, I agree with that comment as written-- if you don't ever need to care about breaking through NATs, Tor isn't a big benefit. (But there are, however, a large number of situations where users do care about NATs. GP only mentioned the one I had in mind. So I don't agree with the greater upshot of anonymity being the determining factor in Tor use.)


And IPv6?

You may underestimate how many US ISPs are behind NAT and don't give out IPv6

There is. They look like they're coming from a ground station to geoip.

I guess it would be a hassle updating geoip databases every few seconds with a new location :D

You can't say there "isn't any benefit" in using Tor without saying what you're comparing against.

OP had a problem, and solved it using Tor. Suggesting there isn't any benefit in using Tor, without offering an alternative, is to suggest that you just shouldn't solve the problem.

Of course there's a benefit in using Tor: it gets you through NAT for free! It also gets you end-to-end encryption for free.


I am not saying you shouldn't solve the problem. I am saying that Tor is probably not the best tool available for the task if you don't specifically care about anonymity and there are more efficient tools available.

Zerotier is one example, Cloudflare Argo is another, tinc is another, Yggdrasil is another, Tailscale is another. Some VPN providers (like Mullvad) will happily forward ports to you from their VPN servers. As the author linked to at the very beginning of their post, you could even set up something similar by hand with a VPS (free-tier would suffice) and off-the-shelf VPN software like Wireguard.


I'd still recommend trying it - performance is good enough for my needs.

Is there still an onion service config option to use 3 hops instead of 6? I can't find the documentation on the current tor project website.

edit: found it in the manpage: HiddenServiceSingleHopMode


Disable the SocksPort, then set two options to really convince tor that you know what you're doing, then configure your onion service as usual.

    # tor refuses single-hop mode while a client SOCKS listener is enabled
    SocksPort 0
    # these two must be set together; the service's location is then not hidden
    HiddenServiceSingleHopMode 1
    HiddenServiceNonAnonymousMode 1
    HiddenServiceDir /var/lib/tor/ssh_service
    # virtual port only: tor forwards to the same port on 127.0.0.1
    HiddenServicePort 22
    HiddenServiceDir /var/lib/tor/http_service
    HiddenServicePort 80
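
As an added example, not from the thread or from the Tor project: a small shell helper that renders a torrc like the one above for a given service, checks the constraints tor enforces on single-hop mode (both options set together, SocksPort 0), and prints the client-side ssh config stanza for reaching the service over the local SOCKS proxy. Paths, ports and the .onion name are constructed; the nc flags assume an OpenBSD-style netcat.

```shell
#!/bin/sh
# Added example, not from the thread: render a torrc for an onion-exposed SSH
# daemon and check the invariant tor enforces for single-hop mode. Paths and
# ports are constructed sample values.

# render_torrc MODE HSDIR PORT: MODE is "anon" (6-hop default) or "singlehop".
render_torrc() {
    mode=$1; hsdir=$2; port=$3
    if [ "$mode" = "singlehop" ]; then
        # tor refuses single-hop mode while a client SOCKS listener is enabled
        printf 'SocksPort 0\n'
        # these two must be set together; the service location is then not hidden
        printf 'HiddenServiceSingleHopMode 1\n'
        printf 'HiddenServiceNonAnonymousMode 1\n'
    fi
    printf 'HiddenServiceDir %s\n' "$hsdir"
    # virtual port only: tor forwards to the same port on 127.0.0.1
    printf 'HiddenServicePort %s\n' "$port"
}

# check_torrc FILE: return 0 if the single-hop options are consistent, 1 if tor
# would reject them; prints the reason (comment lines in FILE are ignored).
check_torrc() {
    f=$1
    opt() { awk -v k="$1" '$1 == k { v = $2 } END { print v }' "$f"; }
    single=$(opt HiddenServiceSingleHopMode)
    nonanon=$(opt HiddenServiceNonAnonymousMode)
    socks=$(opt SocksPort)
    if [ "${single:-0}" != "${nonanon:-0}" ]; then
        echo "HiddenServiceSingleHopMode and HiddenServiceNonAnonymousMode must match"
        return 1
    fi
    if [ "${single:-0}" = "1" ] && [ "${socks:-9050}" != "0" ]; then
        echo "single-hop mode requires SocksPort 0 (default is 9050)"
        return 1
    fi
    [ "${single:-0}" = "1" ] && echo "note: single hop, the service's location is exposed"
    return 0
}

# ssh_stanza ONION: client-side ~/.ssh/config entry reaching the service over the
# local SOCKS proxy (assumes OpenBSD-style nc with -x/-X, as on many Linux distros)
ssh_stanza() {
    printf 'Host %s\n    ProxyCommand nc -x 127.0.0.1:9050 -X 5 %%h %%p\n' "$1"
}

# stand-alone demo: render, check, and print the matching client stanza
tmp=$(mktemp); render_torrc singlehop /var/lib/tor/ssh_service 22 > "$tmp"
check_torrc "$tmp"; ssh_stanza example.onion; rm -f "$tmp"
```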

why disable SocksPort?

By default it is six hops for a complete circuit between client and hidden service. Three hops from client to rendezvous point, then three hops from rendezvous point to the hidden service. If you go below that you might as well host on the public internet.

If the main goal is not anonymity this should not be a problem?

Hasn't Tor performance improved over the years? I mean, it still doesn't make sense to use torrents over it, but for ssh and maybe some light file transfer it should be enough, no?

Tor performance is really not that bad. Hidden services are worse because they effectively go through the network twice, but even then it's generally acceptable. People have the impression that it's like going back to a modem, but it's more like going to a laggy DSL connection.

I use Tor and it's fast.

For some reason I'm under the impression that onion services were discoverable, or partially discoverable by relay operators, or some such. It's been quite a while though and I think there was some talk of changing that.

Does anyone know if that has changed? Last time someone suggested it to me, which was several years ago, it didn't seem to have the security properties the person suggesting the approach thought it had, specifically that tor was adding security via the onion service.

Anyone have up to date information?


I think for v2 onions (removed from Tor since this past Fall) HSDir operators could enumerate them, but v3 onions (ones in use now) should be resistant to that. I'm not sure how strongly resistant though.


The non anonymous / single hop mode makes the onion service faster:

https://blog.torproject.org/whats-new-tor-0298/


Awesome! Thank you, I needed this!

Every single tor .onion URL in this article no longer works in Tor clients. Why? Because the tor project decided to throw away 15 years of communities and interlinking and search indices just to make sure people don't accidentally use tor v2 (which is still more secure than the clear web) and force them to use the far more secure tor v3 (an entirely new network). They did this in Oct/Nov 2021 after a couple years of warning of deprecation (not deletion).

Another benefit is that Tor has built-in load balancing and failover.

You can use it with onionbalance.


How about ngrok? Works great.

If you use Tor, you should stop. I believe that it is mostly used by criminals and that it is largely run by law enforcement agencies. I cannot prove this but I believe it is true. Simply using it makes you suspect.

Also, if you have a need to use Tor for work purposes, get written permission from your senior management and describe exactly what you will do while using Tor (scan our hosts externally, test our firewall rules, find exposed services or mis-configured systems, etc.).

If your goal is to be anonymous while surfing the Internet, find some other way, but stop using Tor for that.


If you don't use tor, you should start. I believe that it is mostly used by oppressed populations and that it is largely run by parties that get utility from anonymity (activists, spies, law enforcement). I cannot prove this but I believe it is true. Simply using tor increases all of our security.

Also, if you have the option to use it for work purposes, get your organization to consider contributing to tor. If you find utility in it, consider running additional nodes.

If your goal is for anonymity to be possible on the internet, start using tor wherever you can.

There, I fixed it for you ;)


If you use Tor, and you're not a criminal, you increase the deniability of anyone else who uses Tor. Thus, ever so slightly, you help everyone else to have an easy way to be anonymous.

Of course, for any serious anonymity (against western LEAs, not against corporations or 3rd world governments), you're most likely correct.


Guns are mostly used by criminals. You should stop.

/s


Remember, US dollars are used by criminals too. /s

Criminals drink water. You should stop drinking water right now if you don't want to turn into a criminal!

/s


Unfortunately the Tor Project agrees with you. They value privacy and security far more than a stable address. The destruction of the entire tor .onion web in Oct/Nov 2021 was pretty much the last straw. The Tor Project only cares about shady people. Anyone wanting to use it for a stable .onion address for their non-private communities should stop using tor.


