raspberry pi + ubuntu + tor onions guide


Performed on Ubuntu 20.04 LTS on a Raspberry Pi 4. https://ubuntu.com/download/raspberry-pi

This guide ignores the default torrc and sets up two new onions, each dedicated to its own purpose. Do this so you’re not exposing the SSH daemon or your public SSH key via your public onion address. Duplicate the web instance steps if you’re going to use Onionbalance, and duplicate the ssh instance steps if you want backup circuits to get back into your Pi.

This guide also presumes certain things. This Pi is behind NAT and does not have a public IP. While you could use this guide to set up a remote VM, which I never advise unless you own the hardware, I set up this Pi with a USB keyboard.

The first step is to block everything inbound. Be careful with this if you are setting up a remote system. If and when I have a public IP, I like to deny everything inbound first so that bots run by Eve cannot grab my public SSH key as soon as I make a cleartext request to install Tor.

Imagine a passive or active adversary with network visibility. This includes your ISP, maybe your government, or maybe well-funded global passive adversaries. They might create an automatic system to track the activity and behavior of any IP that initiates a clear-text install of Tor (plaintext, or TLS-encrypted with cleartext metadata). Imagine that system adding your IP to a surveillance list that then automates monitoring the uptime of your system and juxtaposes that behavior with a separate system that tracks the behavior of known onion sites in attempts to identify the physical location of onion sites and services. Metadata privacy matters.

Another presumption is that you do not need PHP, SQL, or other stupidly heavy and vulnerable code, which is why I use nginx-light. Further, I do not bother with TLS, which would add another potentially vulnerable dependency like OpenSSL.

block everything inbound

sudo ufw enable

delete that cloud shit

sudo dpkg-reconfigure cloud-init

…deselect all but “none”, click ok

sudo apt purge cloud-init

sudo rm -rf /etc/cloud/

sudo rm -rf /var/lib/cloud/

install tor

…only use current stable releases: https://support.torproject.org/apt/tor-deb-repo/

sudo apt update

sudo apt dist-upgrade

sudo apt install tor

sudo shutdown -r now

create onion site

sudo tor-instance-create web1

sudo vim /etc/tor/instances/web1/torrc

…delete everything and use:

HiddenServiceDir /var/lib/tor-instances/web1/hidden_service/

HiddenServicePort 80 127.0.0.1:80

sudo service tor@web1 restart

sudo cat /var/lib/tor-instances/web1/hidden_service/hostname

abcdefghijklmnopqrstuvwxyz.onion

create ssh onion

sudo tor-instance-create ssh1

sudo vim /etc/tor/instances/ssh1/torrc

…delete everything and use:

HiddenServiceDir /var/lib/tor-instances/ssh1/hidden_service/

HiddenServicePort 22 127.0.0.1:22

sudo service tor@ssh1 restart

sudo cat /var/lib/tor-instances/ssh1/hidden_service/hostname

zyxwvutsrqponmlkjihgfedcba.onion

install web server

sudo apt install nginx-light

sudo vim /etc/nginx/sites-available/default

listen 127.0.0.1:80 default_server;

sudo service nginx restart
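A check for the Pi-side setup above, as an added example that is not part of the original guide: it flags any HiddenServicePort target that leaves loopback and any TCP listener not bound to loopback. The function names and the sample torrc and ss output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. All sample data is constructed.

# List HiddenServicePort targets that leave the loopback interface.
# tor accepts: VIRTPORT [port | addr | addr:port | unix:path]; a missing
# target or a bare port means 127.0.0.1. Reads a torrc file or stdin.
nonlocal_onion_targets() {
    awk 'tolower($1) == "hiddenserviceport" {
        t = $3
        if (t == "" || t ~ /^[0-9]+$/ || t ~ /^127\./ ||
            t ~ /^\[::1\]/ || t ~ /^unix:/) next
        print $2 " -> " t
    }' "$@"
}

# Read `ss -tln` output on stdin and list TCP listeners bound to anything
# other than loopback. Column 4 is Local Address:Port.
nonloopback_listeners() {
    awk '$1 == "LISTEN" && $4 !~ /^127\./ && $4 !~ /^\[::1\]/ { print $4 }'
}

# Constructed torrc: the web1 lines from the guide plus one bad mapping.
sample_torrc() {
    cat <<'EOF'
HiddenServiceDir /var/lib/tor-instances/web1/hidden_service/
HiddenServicePort 80 127.0.0.1:80
HiddenServicePort 8080 192.168.1.20:8080
EOF
}

# Constructed `ss -tln` output: nginx and tor on loopback, sshd on all interfaces.
sample_ss() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       511     127.0.0.1:80        0.0.0.0:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
LISTEN  0       4096    127.0.0.1:9050      0.0.0.0:*
EOF
}

# Demo on the constructed samples. On the Pi, run instead:
#   sudo sh -c 'cat /etc/tor/instances/*/torrc' | nonlocal_onion_targets
#   sudo ss -tln | nonloopback_listeners
sample_torrc | nonlocal_onion_targets
sample_ss | nonloopback_listeners
```

Any listener this prints is kept off the network only by the ufw inbound deny, so it stays protected only while the firewall stays enabled.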

ssh and scp from macOS client via tor

brew install tor torsocks

sudo vim /etc/ssh/ssh_config

…and add:

UseRoaming no

ProxyCommand nc -x 127.0.0.1:9050 %h %p

ssh-copy-id user@zyxwvutsrqponmlkjihgfedcba.onion

ssh user@zyxwvutsrqponmlkjihgfedcba.onion

scp -r ./_site/* user@zyxwvutsrqponmlkjihgfedcba.onion:/var/www/html/.

yawnbox

copyleft 2004-2023