[tor-dev] Using Tor Stealth HS with a home automation server

Nathan Freitas nathan at freitas.net
Fri Jul 8 22:11:02 UTC 2016

Now published here:

On Fri, Jul 8, 2016, at 12:53 PM, Nathan Freitas wrote:
> I've been working on some ideas about using Tor to secure "internet of
> things", smart devices other than phones, and other home / industrial
> automation infrastructure. Specifically, I think this could be a huge
> application for Tor Hidden Services and Onion sites configured with
> Hidden Service Authentication and "stealth" mode. 
> Earlier this year, I published some ideas on the subject here
> https://github.com/n8fr8/talks/blob/master/onion_things/Internet%20of%20Onion%20Things.pdf
> showing how you could use Orbot and IP Camera apps to build a cloud-free
> Tor-secured "Dropcam" style setup.
> Now, I've taken the first step to setup my own instance of Home
> Assistant "an open-source home automation platform running on Python 3.
> Track and control all devices at home and automate control. Installation
> in less than a minute."
> Instructions on this are below. It all seems to be working well, but I
> would love any feedback, comments, thoughts that you might have. I would
> also like to ensure that any work on next-gen HS designs includes these
> kinds of use-cases.
> ***
> Pull request for the new "Tor cookbook" example for Home Assistant:
> https://github.com/home-assistant/home-assistant.io/pull/627
> ***
> Tor Onion Service Configuration
> This is an example about how you can configure Tor to provide secure
> remote access to your home assistance instance as an Onion site, through
> Tor’s Hidden Service feature. With this enabled, you do not need to open
> your firewall ports or set up HTTPS to enable secure remote access.
> This is useful if you want to have:
> - Access your HA instance remotely without opening a firewall port or
>   setting up a VPN
> - Don’t want to or know how to get an SSL/TLS certificate and HTTPS
>   configuration setup
> - Want to block attackers from even being able to access/scan your port
>   and server at all
> - Want to block anyone from knowing your home IP address and seeing your
>   traffic to your HA
> Background and Contact
> This configuration is part of an effort to apply strong cryptography
> technologies (like Onion Routing and End-to-End Encryption) to
> technology we increasingly depend on in our day to day lives. Just like
> when WhatsApp enabled end-to-end encryption messaging for everyone,
> every home automation and IoT platform should do the same, because A)
> the technology is all there, freely licensed and open-source and B) up
> to this point, all the commercial manufacturers have been doing a
> horrific job with security.
> You can learn more about how Tor can be used to secure home automation
> and IoT platforms through this short set of slides on the Internet of
> Onion Things
> This configuration was provided by @n8fr8 (github, twitter) of Guardian
> Project and Tor Project. You can send questions, feedback and ideas to
> support at guardianproject.info.
> Hidden Services and Onion Sites
> Tor allows clients and relays to offer hidden services. That is, you can
> offer a web server, SSH server, etc., without revealing your IP address
> to its users. In fact, because you don’t use any public address, you can
> run a hidden service from behind your firewall. Learn more about Hidden
> Services on the Tor Project website.
> Onion sites are websites that run on a Tor Hidden Service node. “dot
> onion” sites are an IETF-recognized special-use domain name.
> Setting up Tor on your Home Assistant
> First, install Tor. On a Debian-based system, you can install the
> package easily:
> > sudo apt-get install tor
> You can find more instructions for downloading and installing Tor on
> other platforms on the Tor Project Download Page.
> Next, modify Tor’s main configuration file /etc/tor/torrc to include the
> following lines:
> ...
> HiddenServiceDir /var/lib/tor/homeassistant/
> HiddenServicePort 80
> HiddenServiceAuthorizeClient stealth haremote1
> ...
> The “stealth” entry above ensures traffic to and from your HA instance
> over Tor is hidden even from other nodes on the Tor network. The
> “haremote1” value is a generic client name entry that you can modify as
> you please.
> Then, restart Tor:
> > /etc/init.d/tor restart
> Then read the new generated authentication cookie from the Tor-generated
> hostname file:
> > sudo more /var/lib/tor/homeassistant/hostname
> The output of that command should look something like this, but with
> your own unique “dot onion” domain and authentication cookie:
> abcdef1234567890.onion ABCDEF1122334455667789 # client: haremote1
> You are now done with the HA Tor server configuration. Make sure your HA
> instance is running, and now you can move to client configuration.
> Tor Client Access Setup
> Using this setup, you can access your HA instance over Tor from your
> laptop or mobile device, using Tor Browser and other software.
> Add the authentication cookie to your torrc client configuration on your
> laptop or mobile device. Using the sample values from above, it would
> look like this:
> HidServAuth abcdef1234567890.onion ABCDEF1122334455667789
> For Tor Browser on Windows, Mac or Linux, you can find the torrc file
> here:
> <tor browser install directory>/Browser/TorBrowser/Data/Tor/torrc-defaults
> Once you have added the entry, restart the browser, and then browse to
> the “dot onion” site address to connect to your HA instance.
> For Orbot: Tor on Android, add it in Orbot->Menu->Settings to the “Torrc
> Custom Config” entry. Restart Orbot, and then use the Orfox browser app,
> and browse to the “dot onion” site name to access your HA instance. You
> can also use Orbot’s VPN mode, to enable Tor access from any application
> on your device, such as Tasker or Owntracks.
> On iOS, we have not fully tested this yet, but you should be able to add
> custom torrc entries on Onion Browser, Red Onion or TOBY browsers, all
> available in the iTunes App Store.
> Some More Advanced Ideas
> With this configuration, only you can access your HA instance Onion site
> through Tor, and no one else. You can share the authentication cookie
> with multiple devices and users, or you can generate a unique one for
> each - up to you! If you have multiple, say for an industrial, business
> or corporate configuration, this would provide an easy way to revoke
> access to a specific user or device.
> If you always access your HA instance via Tor, you can easily run this
> on an isolated “IoT” network segment at your install site, keeping your
> internal home network traffic separate from any potentially compromised
> devices (like cheap “smart” lightbulbs with backdoors!).
> You could also use Tor as a means to connect your HA instance to a
> remote device, sensor or other service that you do not want to provide a
> direct, open IP connection to. Again, Tor provides authenticated and
> confidential routing (aka “privacy and encryption”) by default, without
> having to set up TLS/SSL or a VPN. It is just as important to secure IoT
> nodes within your network as it is to secure remote access!
> As mentioned, with Orbot on Android, you can enable a “full device” VPN
> mode, that allows any app you have to tunnel through Tor, even if it is
> not Tor or proxy aware. This means you should be able to enter your “dot
> onion” Onion site address into any app you want to access to your HA
> instance, and it should work.
> _______________________________________________
> tor-dev mailing list
> tor-dev at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
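The post hands out the stealth cookie, the client-side HidServAuth line and the per-client revocation idea by hand. The script below is an added example (not code from the post, the Home Assistant cookbook PR, or Tor itself) that automates the defender's side of that workflow: it parses a Tor-generated stealth hostname file, emits the matching HidServAuth lines for a client torrc, audits a server torrc for onion services that were configured without HiddenServiceAuthorizeClient, and rewrites the client list to revoke one device. It assumes the v2 stealth file format the post shows (`<onion> <cookie> # client: <name>`, one line per client, 16 base32 characters for the address and 22 base64 characters for the cookie) and that Tor rebuilds the client key and hostname files from the HiddenServiceAuthorizeClient list at restart. All sample values, including the 127.0.0.1:8123 target port, are constructed here, not taken from the post.

```python
"""Helpers for a stealth-authenticated onion service (added example, not from the post).

Assumed file formats (Tor v2 onion services, as described in the post):
  hostname file : <16 base32 chars>.onion <22 base64 chars> # client: <name>
  client torrc  : HidServAuth <onion> <cookie>
"""
import re

# Constructed sample hostname file for two stealth clients (values are made up;
# in stealth mode each client gets its own .onion address and cookie).
SAMPLE_HOSTNAME_FILE = """\
x2qz7lq3sdbi4rmy.onion AbCdEfGhIjKlMnOpQrStUv # client: haremote1
u5n3ww2ajlkhdn7e.onion ZyXwVuTsRqPoNmLkJiHgFQ # client: hatablet
"""

# Constructed sample server torrc: one authenticated service (as in the post)
# and one that forgot the HiddenServiceAuthorizeClient line. The 8123 target
# port is an assumption, not something the post states.
SAMPLE_TORRC = """\
SocksPort 9050
HiddenServiceDir /var/lib/tor/homeassistant/
HiddenServicePort 80 127.0.0.1:8123
HiddenServiceAuthorizeClient stealth haremote1,hatablet

HiddenServiceDir /var/lib/tor/camera/
HiddenServicePort 80 127.0.0.1:8080
"""

# Strict shape of one hostname-file line; real v2 addresses are base32 (a-z, 2-7).
HOSTNAME_LINE = re.compile(
    r"^(?P<onion>[a-z2-7]{16}\.onion)\s+"
    r"(?P<cookie>[A-Za-z0-9+/]{22})\s+#\s*client:\s*(?P<client>\S+)\s*$"
)


def parse_hostname_file(text):
    """Return {client_name: (onion, cookie)}; reject malformed lines early so a
    bad copy-paste does not silently produce a useless HidServAuth entry."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = HOSTNAME_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a stealth hostname entry: {raw!r}")
        entries[m["client"]] = (m["onion"], m["cookie"])
    return entries


def hidservauth_lines(entries, clients=None):
    """HidServAuth lines for the client torrc; hand each device only its own line."""
    names = sorted(entries) if clients is None else list(clients)
    return [f"HidServAuth {entries[n][0]} {entries[n][1]}" for n in names]


def parse_hs_blocks(torrc_text):
    """Group HiddenService* options under the HiddenServiceDir that precedes them."""
    blocks = []
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key == "HiddenServiceDir":
            blocks.append({"dir": value.strip(), "options": {}})
        elif key.startswith("HiddenService") and blocks:
            blocks[-1]["options"][key] = value.strip()
    return blocks


def unauthenticated_services(torrc_text):
    """Directories of onion services anyone who learns the address can reach."""
    return [b["dir"] for b in parse_hs_blocks(torrc_text)
            if "HiddenServiceAuthorizeClient" not in b["options"]]


def revoke_client(torrc_text, client):
    """Drop `client` from every HiddenServiceAuthorizeClient line. Refuses to
    remove the last client, since that would turn the service into an open one."""
    out = []
    for raw in torrc_text.splitlines():
        parts = raw.strip().split(None, 2)  # key, auth mode, comma-separated names
        if len(parts) == 3 and parts[0] == "HiddenServiceAuthorizeClient":
            keep = [n for n in parts[2].split(",") if n and n != client]
            if not keep:
                raise ValueError("refusing to remove the last authorized client")
            out.append(f"HiddenServiceAuthorizeClient {parts[1]} {','.join(keep)}")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    entries = parse_hostname_file(SAMPLE_HOSTNAME_FILE)
    print("\n".join(hidservauth_lines(entries, ["haremote1"])))
    print("open services:", unauthenticated_services(SAMPLE_TORRC))
    print(revoke_client(SAMPLE_TORRC, "hatablet"))
```

Run it against the real files by replacing the two constructed samples with the contents of /var/lib/tor/homeassistant/hostname and /etc/tor/torrc; after editing the torrc with the revoked list, restart Tor as the post describes so the change takes effect.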
