So you set up a Raspberry Pi at home, hooked up some sensors and created a beautiful dashboard. You marvel at all the useful information that is now available for you, ~especially when you’re not at home~ but sadly only from your safe network at home.
What should you do now? Was all that time spent for nothing?
There are a number of free/paid services available to solve this dilemma.
But you don’t want to install some Java blob from provider xyz. You could rent a cheap VPS and create a delicate network of tunnels, reverse tunnels, ssh connections, tmux sessions (please stop using screen), … Just the thought might give you a headache.
What if I told you there’s a solution that is worthy of your Hacker™ attitude but won’t leave you puzzling over which tunnel points where?
The use of Tor allows you to make your Raspberry Pi available behind a static URL, provides security and doesn’t require you to forward any ports in your home router.
The only downside is that you will need some sort of tor client to connect to your Raspberry Pi. Luckily, there are a number of clients available:
- Tor Browser: This should be the browser of your choice if you want to surf via Tor on your PC/Mac.
- Orbot: Tor for Android: This app can act as a VPN on your Android smartphone to allow all your apps to access the internet via Tor.
- OrFox: Browser for Orbot: Use this browser in combination with Orbot to surf via Tor on your Android smartphone.
(To learn more about mobile apps for the Tor network, visit the Guardian Project website)
You start by creating a so-called Hidden Service on your Raspberry Pi.
The main package on Raspbian is called tor and can be installed like any other package via
sudo apt install tor
After a successful installation you want to configure the service to autostart on every boot:
sudo systemctl enable tor
And we want to use tor right away, right?
sudo systemctl start tor
Configure the Hidden Service
Now let’s configure Tor to make your Raspberry Pi available via ssh. For that we have to add a few lines to the configuration file.
We’re going to open the file:
Add the following lines to it:
HiddenServiceDir /var/lib/tor/sshd/
HiddenServicePort 22 127.0.0.1:22
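A small check for the lines above, as an added example that is not part of the original post: it parses torrc text, groups each HiddenServicePort under its HiddenServiceDir, and flags ports with no service directory, service directories with no port, and targets that are not loopback. The sample torrc and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample torrc: the first service repeats the article's two lines.
SAMPLE_TORRC = """\
HiddenServiceDir /var/lib/tor/sshd/
HiddenServicePort 22 127.0.0.1:22
HiddenServiceDir /var/lib/tor/dashboard/
HiddenServicePort 80 192.168.1.20:8080   # forwards to another LAN host
HiddenServiceDir /var/lib/tor/empty/
"""

def parse_onion_services(torrc_text):
    """Group each HiddenServicePort under the HiddenServiceDir preceding it."""
    services, orphans = [], []
    for raw in torrc_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "hiddenservicedir":
            services.append({"dir": args[0], "ports": []})
        elif key == "hiddenserviceport":
            # With no target given, Tor forwards to 127.0.0.1:<virtual port>.
            target = args[1] if len(args) > 1 else "127.0.0.1:" + args[0]
            bucket = services[-1]["ports"] if services else orphans
            bucket.append((args[0], target))
    return services, orphans

def is_local_target(target):
    """True for unix sockets, bare ports and loopback IP addresses."""
    if target.startswith("unix:") or target.isdigit():
        return True
    if target.startswith("["):                      # bracketed IPv6
        host = target[1:target.find("]")]
    else:
        host = target.rpartition(":")[0] or target  # strip optional :port
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # not an IP literal: flag for manual review

def audit(torrc_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    services, orphans = parse_onion_services(torrc_text)
    findings = [f"HiddenServicePort {v} has no preceding HiddenServiceDir" for v, _ in orphans]
    for svc in services:
        if not svc["ports"]:
            findings.append(f"{svc['dir']}: no HiddenServicePort configured")
        findings += [f"{svc['dir']}: port {v} forwards to non-loopback {t}"
                     for v, t in svc["ports"] if not is_local_target(t)]
    return findings
```

Calling `audit()` on the contents of your own torrc before restarting tor returns an empty list when every service is bound to the local machine.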
Now you can read your .onion URL from the file
$ cat /var/lib/tor/sshd/hostname
iehaunae9Eex4Hio.onion
(If the file doesn’t exist, try restarting the tor service: sudo systemctl restart tor)
If you already have Tor running on your client, you can now connect to your Raspberry Pi like this:
If this doesn’t work, then read on.
Configure SSH on your client
There are just a few steps left before your Raspberry Pi is available for you from anywhere in the world.
Install Tor, either from the package manager of your choice or from the Tor Project’s tutorials. Since you don’t want to expose any services on your client, you just have to start the tor service with the default configuration. Either run systemctl start tor (on your Linux OS) or start the Tor daemon from your Mac/Windows installation manually.
Configure ssh on your client to use your running tor service by adding the following lines to your $HOME/.ssh/config (create the file if it doesn’t exist):
# file: $HOME/.ssh/config
Host raspi
    HostName iehaunae9Eex4Hio.onion
    User pi
    # nc must be the OpenBSD variant (-x/-X are its proxy options)
    ProxyCommand /usr/bin/nc -xlocalhost:9050 -X5 %h %p
    #
    # or if you want to use socat, use the next line
    # ProxyCommand /usr/bin/socat STDIO SOCKS4A:localhost:%h:%p,socksport=9050
torsocks (install via package manager, e.g.
torsocks ssh pi@iehaunae9Eex4Hio.onion
If you want to use ssh from your Android device, you need an ssh client and/or terminal. My personal preference is Termux, but YMMV.
Install Orbot and start it.
You want to enable the VPN Mode setting and allow your ssh/terminal application to use the Tor proxy.
Now you can directly connect to your Raspberry Pi:
For additional convenience you can add an entry to your .ssh/config as well:
Host raspi
    HostName iehaunae9Eex4Hio.onion
    User pi
Hidden Hidden Service
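If you want to keep your service hidden, even from within the Tor network, add the following line. This option and the matching HidServAuth client setting exist only for version 2 onion services (16-character addresses like the ones shown here), which Tor dropped in the 0.4.6 release series.
HiddenServiceAuthorizeClient stealth clientname1,clientname2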
There’s no restriction on the number of clients you can specify. Each client will have its own .onion address and password to connect to.
In this case you now have one line per specified client in your /var/lib/tor/sshd/hostname file, e.g.:
oH7ANgeigu4roobi.onion phovoH3nuChe3ohx9oo # client: clientname1
ahrohnahushie4nu.onion Hobuv7TieFoh7niezei # client: clientname2
The first field is the address of your service, the second one is the authorization string (read: password) for this URL.
Now all that’s left is to add one line to the torrc on the respective client. On clientname1 that would be:
HidServAuth oH7ANgeigu4roobi.onion phovoH3nuChe3ohx9oo
Restart the tor service afterwards.
If you’re using Orbot, go to Settings->Torrc Custom Config and add the line there.
Congratulations, you’re now using Tor to connect to your Raspberry Pi via SSH, and you don’t have to worry about firewalls, NATs, port forwarding or any of that stuff anymore.