SSH into your Raspberry Pi using TOR

2019/02/14

The dilemma

So you set up a Raspberry Pi at home, hooked up some sensors and created a beautiful dashboard. You marvel at all the useful information that is now available for you, ~especially when you’re not at home~ but sadly only from your safe network at home.

What should you do now? Was all that time spent for nothing?

There are a number of free/paid services available to solve this dilemma. But you don’t want to install some Java blob from provider xyz. You could rent a cheap VPS and create a delicate network of tunnels, reverse tunnels, ssh connections, tmux sessions (please stop using screen), …. Just the thought might give you a headache.

What if I told you there’s a solution that is worthy of your Hacker™ attitude but won’t leave you puzzling over which tunnel points where?

The Onion

The use of Tor allows you to make your Raspberry Pi available behind a static URL, provides security and doesn’t require you to forward any ports in your home router.

The only downside is that you will need some sort of tor client to connect to your Raspberry Pi. Luckily, there are a number of clients available:

(To learn more about mobile apps for the Tor network, visit the Guardian Project website)

Let’s play!

You start by creating a so-called Hidden Service on your Raspberry Pi.

Installing packages

The main package on Raspbian is called tor and can be installed like any other package via apt:

sudo apt install tor

After a successful installation you want to configure the service to autostart on every boot:

sudo systemctl enable tor

And we want to use tor right away, right?

sudo systemctl start tor

Configure the Hidden Service

Now let’s configure Tor to make your Raspberry Pi available via ssh. For that we have to add a few lines to the configuration file /etc/tor/torrc:

  1. We’re going to open the file:

    sudoedit /etc/tor/torrc
    
  2. Add the following lines to it [1]:

    HiddenServiceDir /var/lib/tor/sshd/
    HiddenServicePort 22 127.0.0.1:22
    
  3. Now you can read your .onion URL from the file /var/lib/tor/sshd/hostname:

    $ cat /var/lib/tor/sshd/hostname
    iehaunae9Eex4Hio.onion
    

(If the file doesn’t exist, try restarting the tor service: sudo systemctl restart tor)
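A quick check of where each hidden service actually forwards traffic, as an added example that is not part of the original post. The function names and the second (dashboard) service in the sample are constructed for illustration; the first service is the one configured above.

```shell
#!/bin/sh
# Constructed sample torrc. The sshd service is the one from this page;
# the dashboard service is made up to show a target that leaves the Pi.
sample_torrc() {
cat <<'EOF'
## This section is just for location-hidden services ##
HiddenServiceDir /var/lib/tor/sshd/
HiddenServicePort 22 127.0.0.1:22
HiddenServiceDir /var/lib/tor/dashboard/
HiddenServicePort 80 192.168.1.20:8080
EOF
}

# Read a torrc on stdin and print one line per HiddenServicePort:
#   <status> <HiddenServiceDir> <virtual port> <target>
# status is OK when the target stays on the local machine, NON_LOOPBACK
# when Tor would forward the decrypted traffic over the LAN, and NO_DIR
# when the port line is not preceded by a HiddenServiceDir line.
audit_hidden_services() {
  awk '
    /^[ \t]*#/ { next }                      # skip comment lines
    tolower($1) == "hiddenservicedir" { dir = $2; next }
    tolower($1) == "hiddenserviceport" {
      # With no explicit target, Tor forwards to 127.0.0.1:<virtual port>.
      target = (NF >= 3) ? $3 : "127.0.0.1:" $2
      if (dir == "")
        status = "NO_DIR"
      else if (target ~ /^(127\.|localhost:|\[::1\]:|unix:)/ || target ~ /^[0-9]+$/)
        status = "OK"
      else
        status = "NON_LOOPBACK"
      print status, (dir == "" ? "-" : dir), $2, target
    }
  '
}

# Stand-alone run on the constructed sample.
sample_torrc | audit_hidden_services
```

On the Pi itself, feed it the real file with `sudo cat /etc/tor/torrc | audit_hidden_services`.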

If you already have Tor running on your client, you can now connect to your Raspberry Pi like this:

ssh pi@iehaunae9Eex4Hio.onion

If this doesn’t work, then read on.

Configure SSH on your client

There are just a few steps left before your Raspberry Pi is available for you from anywhere in the world.

PC/Mac

  1. Install Tor, either from the package manager of your choice or from the Tor Project’s tutorials. Since you don’t want to expose any services on your client, you just have to start the tor service with the default configuration. Either run systemctl start tor (on your Linux OS) or start the Tor daemon from your Mac/Windows installation manually.

  2. Either configure ssh on your client to use your running tor service by adding the following lines to your $HOME/.ssh/config (create the file if it doesn’t exist):

    # file: $HOME/.ssh/config
    Host raspi
      HostName iehaunae9Eex4Hio.onion
      User pi
      ProxyCommand /usr/bin/nc -xlocalhost:9050 -X5 %h %p
      # or, if you want to use socat, use the next line instead
      # (socat expects SOCKS4A:<proxy>:<host>:<port>, so %h and %p are separated by a colon)
      # ProxyCommand /usr/bin/socat STDIO SOCKS4A:localhost:%h:%p,socksport=9050
    

or use torsocks (install via package manager, e.g. apt, yum, pacman, …):

torsocks ssh pi@iehaunae9Eex4Hio.onion

Android

If you want to use ssh from your Android device, you need an ssh client and/or terminal. My personal preference is Termux, but YMMV.

Install Orbot and start it. You want to enable the VPN Mode setting and allow your ssh/terminal application to use the Tor proxy.

Now you can directly connect to your Raspberry Pi:

ssh pi@iehaunae9Eex4Hio.onion

For additional convenience you can add an entry to your .ssh/config as well [2]:

Host raspi
  HostName iehaunae9Eex4Hio.onion
  User pi

Hidden Hidden Service

If you want to keep your service hidden, even from within the Tor network, add the following line to the torrc on your Raspberry Pi, below the HiddenServicePort line:

HiddenServiceAuthorizeClient stealth clientname1,clientname2

There’s no restriction on the number of clients you can specify. Each client will have its own .onion address and password to connect to.

In this case you now have one line per specified client in your /var/lib/tor/sshd/hostname file, e.g.:

oH7ANgeigu4roobi.onion phovoH3nuChe3ohx9oo # client: clientname1
ahrohnahushie4nu.onion Hobuv7TieFoh7niezei # client: clientname2

The first field is the address of your service, the second one is the authorization string (read: password) for this URL.

Now all that’s left is to add one line to the torrc on the respective client. On clientname1 that would be:

HidServAuth oH7ANgeigu4roobi.onion phovoH3nuChe3ohx9oo

Restart your tor service afterwards.

If you’re using Orbot, go to Settings->Torrc Custom Config and add the line there.
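Since every client has its own address and authorization string, each device should receive only its own line, never the whole hostname file. The helper below, an added example that is not part of the original post, reads the hostname file format shown above and prints the HidServAuth line for one named client; the function names are made up for illustration and the sample data repeats the page's placeholder values.

```shell
#!/bin/sh
# Constructed copy of /var/lib/tor/sshd/hostname, using the sample
# values from this page (they are placeholders, not real credentials).
sample_hostname_file() {
cat <<'EOF'
oH7ANgeigu4roobi.onion phovoH3nuChe3ohx9oo # client: clientname1
ahrohnahushie4nu.onion Hobuv7TieFoh7niezei # client: clientname2
EOF
}

# client_torrc_line <clientname>
# Reads hostname-file lines on stdin and prints the single torrc line
# that belongs on that client. Exits non-zero when the client is not
# listed, so a typo never produces an empty configuration snippet.
client_torrc_line() {
  awk -v want="$1" '
    # Expected fields: <address> <auth string> # client: <name>
    $3 == "#" && $4 == "client:" && $5 == want {
      print "HidServAuth", $1, $2
      found = 1
    }
    END { exit !found }
  '
}

# Stand-alone run on the constructed sample.
sample_hostname_file | client_torrc_line clientname1
```

On the Pi the real file is only readable with elevated privileges, so run it as `sudo cat /var/lib/tor/sshd/hostname | client_torrc_line clientname1`. HiddenServiceAuthorizeClient and HidServAuth apply to the 16-character (version 2) addresses used on this page; Tor releases from 0.4.6 on no longer support version 2 services, and version 3 services handle client authorization through an authorized_clients directory instead.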

Congratulations, you’re now using Tor to connect to your Raspberry Pi via SSH, and you don’t have to worry about firewalls, NATs, port forwarding or any of that stuff anymore.


  1. For better readability you might want to add them in the section for location-hidden services. Just scroll down a bit, that section should start around line 63.
  2. As you are using Orbot for the Tor connection, you don’t have to specify a proxycommand here.