The dilemma
So you set up a Raspberry Pi at home, hooked up some sensors and created a beautiful dashboard. You marvel at all the useful information that is now available for you, ~especially when you’re not at home~ but sadly only from your safe network at home.
What should you do now? Was all that time spent for nothing?
The search
There are a number of free/paid services available to solve this dilemma.
But you don’t want to install some Java blob from provider xyz. You could rent a cheap VPS and create a delicate network of tunnels, reverse tunnels, ssh connections, tmux sessions (please stop using screen), …. Just the thought might give you a headache.
What if I told you there’s a solution that is worthy of your Hacker™ attitude but won’t leave you puzzling over which tunnel points where?
The Onion
The use of Tor allows you to make your Raspberry Pi available behind a static URL, provides security and doesn’t require you to forward any ports in your home router.
The only downside is that you will need some sort of tor client to connect to your Raspberry Pi. Luckily, there are a number of clients available:
- Tor Browser: This should be the browser of your choice if you want to surf via Tor on your PC/Mac.
- Orbot: Tor for Android: This app can act as a VPN on your Android smartphone to allow all your apps to access the internet via Tor.
- OrFox: Browser for Orbot: Use this browser in combination with Orbot to surf via Tor on your Android smartphone.
(To learn more about mobile apps for the Tor network, visit the Guardian Project website)
Let’s play!
You start by creating a so-called Hidden Service on your Raspberry Pi.
Installing packages
The main package on Raspbian is called tor and can be installed like any other package via apt:
sudo apt install tor
After a successful installation you want to configure the service to autostart on every boot:
sudo systemctl enable tor
And we want to use tor right away, right?
sudo systemctl start tor
Configure the Hidden Service
Now let’s configure Tor to make your Raspberry Pi available via ssh. For that we have to add a few lines to the configuration file /etc/tor/torrc:
We’re going to open the file:
sudoedit /etc/tor/torrc
Add the following lines to it:
HiddenServiceDir /var/lib/tor/sshd/
HiddenServicePort 22 127.0.0.1:22
Now you can read your .onion URL from the file /var/lib/tor/sshd/hostname:
$ cat /var/lib/tor/sshd/hostname
iehaunae9Eex4Hio.onion
(If the file doesn’t exist, try restarting the tor service: sudo systemctl restart tor)
If you already have Tor running on your client, you can now connect to your Raspberry Pi like this:
ssh pi@iehaunae9Eex4Hio.onion
If this doesn’t work, then read on.
Configure SSH on your client
There are just a few steps left before your Raspberry Pi is available for you from anywhere in the world.
PC/Mac
Install Tor, either from the package manager of your choice or from the Tor Project’s Tutorials. Since you don’t want to expose any services on your client, you just have to start the tor service with the default configuration. Either run systemctl start tor (on your Linux OS) or start the Tor daemon from your Mac/Windows installation manually.
Either configure ssh on your client to use your running tor service by adding the following lines to your $HOME/.ssh/config (create the file if it doesn’t exist):
# file: $HOME/.ssh/config
Host raspi
    HostName iehaunae9Eex4Hio.onion
    User pi
    ProxyCommand /usr/bin/nc -xlocalhost:9050 -X5 %h %p
    #
    # or if you want to use socat, use the next line
    # ProxyCommand /usr/bin/socat STDIO SOCKS4A:localhost:%h:%p,socksport=9050
or use torsocks (install via package manager, e.g. apt, yum, pacman, …):
torsocks ssh pi@iehaunae9Eex4Hio.onion
Android
If you want to use ssh from your Android device, you need an ssh client and/or terminal. My personal preference is Termux, but YMMV.
Install Orbot and start it.
You want to enable the VPN Mode setting and allow your ssh/terminal application to use the Tor proxy.
Now you can directly connect to your Raspberry Pi:
ssh pi@iehaunae9Eex4Hio.onion
For additional convenience you can add an entry to your .ssh/config as well:
Host raspi
    HostName iehaunae9Eex4Hio.onion
    User pi
Hidden Hidden Service
If you want to keep your service hidden, even from within the Tor network, add the following line:
HiddenServiceAuthorizeClient stealth clientname1,clientname2
There’s no restriction on the number of clients you can specify. Each client will have its own .onion address and password to connect to.
In this case you now have one line per specified client in your /var/lib/tor/sshd/hostname file, e.g.:
oH7ANgeigu4roobi.onion phovoH3nuChe3ohx9oo # client: clientname1
ahrohnahushie4nu.onion Hobuv7TieFoh7niezei # client: clientname2
The first field is the address of your service, the second one is the authorization string (read: password) for this URL.
Now all that’s left is to add one line to the torrc on the respective client. On clientname1 that would be:
HidServAuth oH7ANgeigu4roobi.onion phovoH3nuChe3ohx9oo
Restart your tor service afterwards.
If you’re using Orbot, go to Settings->Torrc Custom Config and add the line there.
Congratulations, you’re now using Tor to connect to your Raspberry Pi via SSH, and you don’t have to worry about firewalls, NATs, port forwarding or any of that stuff anymore.
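An added example, not part of the original post: a shell function that audits the torrc lines from "Configure the Hidden Service" and "Hidden Hidden Service", listing every forwarded port with its target and authorization type and flagging targets that leave the loopback interface. The function names and the sshd-private and dashboard services in the constructed sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the onion services declared in a torrc (file or stdin).
# Output per forwarded port: <HiddenServiceDir> <virtport> <target> auth=<type> <status>
audit_torrc() {
    awk '
    function emit(   i, status) {
        for (i = 1; i <= n; i++) {
            status = "ok"
            if (target[i] !~ /^(127\.[0-9]+\.[0-9]+\.[0-9]+|localhost|\[::1\]):[0-9]+$/ &&
                target[i] !~ /^unix:/)
                status = "NON-LOOPBACK-TARGET"
            print dir, vport[i], target[i], "auth=" auth, status
        }
        n = 0; auth = "none"
    }
    BEGIN { n = 0; auth = "none" }
    { sub(/#.*/, "") }                    # drop comments
    NF == 0 { next }                      # skip blank lines
    { key = tolower($1) }                 # option names are case-insensitive
    key == "hiddenservicedir" { emit(); dir = $2; next }
    key == "hiddenserviceport" {
        n++; vport[n] = $2
        t = (NF >= 3) ? $3 : $2           # no target given: same port on loopback
        if (t ~ /^[0-9]+$/) { t = "127.0.0.1:" t }
        else if (t !~ /:[0-9]+$/ && t !~ /^unix:/) { t = t ":" $2 }
        target[n] = t; next
    }
    key == "hiddenserviceauthorizeclient" { auth = $2; next }
    END { emit() }
    ' "$@"
}

# Constructed sample torrc: the sshd service from this post plus two
# hypothetical services (one with stealth authorization, one LAN target).
sample_torrc() {
    cat <<'EOF'
# constructed sample, not a real configuration
HiddenServiceDir /var/lib/tor/sshd/
HiddenServicePort 22 127.0.0.1:22
HiddenServiceDir /var/lib/tor/sshd-private/
HiddenServicePort 22
HiddenServiceAuthorizeClient stealth clientname1,clientname2
HiddenServiceDir /var/lib/tor/dashboard/
HiddenServicePort 80 192.168.1.20:8080
EOF
}

sample_torrc | audit_torrc
```

Run it against the real file with audit_torrc /etc/tor/torrc. For v3 onion services the auth column always reads none, because v3 client authorization is configured through files in the service directory rather than a torrc option.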