While watching a very interesting talk about Onion services from 32C3, I got the urge to access my home server via the Tor network. The service I want to access is ssh (listening at home on port 22) but you can also access a web server by choosing port 80 (or similar) instead of 22.
On the one hand, I get high security (authentication, encryption, untraceable connection) to access a computer behind my firewall without even having to expose ports on my internet router. On the other hand, I get the neat bonus of having a unique address despite the fact that my home IP is constantly changing (by DHCP). Therefore, independent of my IP address, my home server can be accessed via Tor by an address which looks like 1y8oybr42aun85pw.onion. So by gaining additional security, I don't have to pay a service like http://dyn.com/dns/ to get a fixed address. This sounds neat, doesn't it?
First, you have to get Tor on your home computer. Just visit https://www.torproject.org/ and click on the big green download button.
If you're running a decent GNU/Linux distribution, Tor might be installed via your package manager like:
sudo apt-get install tor torbrowser-launcher
After the installation, start the Tor browser and check whether everything is working fine. If you can access The Hidden Wiki within Tor browser, you are fine.
When you're accessing your home server from the internet via Tor, you are running a so-called "Hidden Service". That is the old name for "something which can be reached only within the Tor network". This is nothing fishy: even Facebook can be reached via a "Hidden Service" in Tor.
I followed this description on configuring a Hidden Service.
As root, I created the directory /var/lib/tor/hidden_ssh_service and changed its user/group to the same user my Debian system is using for running Tor.
In /etc/tor/torrc I added the following lines:
HiddenServiceDir /var/lib/tor/hidden_ssh_service/
HiddenServicePort 22 127.0.0.1:22
This tells your Tor client to provide your port 22 (ssh) as a hidden service.
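As an added example (not from the original post), the shell function below audits the HiddenServiceDir/HiddenServicePort lines of a torrc and flags any mapping whose target is not loopback, because such a target carries the traffic across the LAN after it leaves Tor. The function names and the sample torrc are constructed for illustration; the default target (127.0.0.1 on the virtual port) follows the Tor manual.

```shell
#!/bin/sh
# Added example: audit hidden-service lines in a torrc (file argument or stdin).
# Prints one line per mapping or finding; returns 1 if anything was flagged.
audit_torrc() {
    awk '
    { sub(/#.*/, "") }                       # drop comments
    NF == 0 { next }                         # skip blank lines
    tolower($1) == "hiddenservicedir" { dir = $2; next }
    tolower($1) == "hiddenserviceport" {
        if (dir == "") {
            print "WARN line " NR ": HiddenServicePort without a preceding HiddenServiceDir"
            bad = 1; next
        }
        # TARGET omitted: Tor maps to 127.0.0.1:VIRTPORT.
        # TARGET given as a bare port: address is still 127.0.0.1.
        target = $3
        if (target == "")             target = "127.0.0.1:" $2
        else if (target ~ /^[0-9]+$/) target = "127.0.0.1:" target
        if (target ~ /^(127\.[0-9.]+|\[::1\])(:[0-9]+)?$/ || target ~ /^unix:/) {
            print "OK   " dir " port " $2 " -> " target
        } else {
            print "WARN line " NR ": target " target " is not loopback"
            bad = 1
        }
    }
    END { exit bad + 0 }
    ' "$@"
}

# Constructed sample: the SSH mapping from this post plus one LAN target
# that the audit should flag.
sample_torrc() {
    cat <<'EOF'
HiddenServiceDir /var/lib/tor/hidden_ssh_service/
HiddenServicePort 22 127.0.0.1:22
HiddenServicePort 80 192.168.1.10:8080
EOF
}

# Demo on the constructed sample; use "audit_torrc /etc/tor/torrc" on a real host.
sample_torrc | audit_torrc || echo "findings above need review"
```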
After restarting your Tor daemon, you will find two files in the folder: hostname and private_key. If not, check the log files for error messages.
In hostname you'll find your public onion address, which you have to use to access your service.
Congrats, your Tor service is up and running.
If you are providing access to your local home web server, you just have to enter your onion address into any Tor browser.
However, if you are connecting to ssh (like me), you have to get your ssh client to use the Tor proxy instead of a direct connection.
With a standard ssh command-line client (I was using Cygwin/zsh), you can use the following command to access (any) ssh server over Tor:
ssh -o ProxyCommand='nc -x localhost:9150 %h %p' example.com
If you replace example.com with your onion address, you will end up at your home server. From anywhere, over Tor, as long as your Tor client is running at home and on the client computer in front of you.