A collection of Onion Services features implemented for Unix-like systems following the Portable Operating System Interface standard.
WARNING: do not trust this repo yet, back up your hs keys in another location. This project has not been released and should be considered for development only.
Quick link to this repository: <https://git.io/onionservice>
Onion Services are the Hidden Services of Tor, which use onion routing as their base for establishing private connections. They offer:
For a deeper understanding, read the Rendezvous Specification and Tor design.
Onion Routing tries to solve most of these problems, but it is still centralized by the Directory Authorities and, referencing Matt Traudt's blog post, replacing it with something more distributed is not a trivial task.
In the Tor ecosystem, from TPO metrics, comparing only Free and Open Source Operating Systems, Linux dominates over BSD on relays by platform and on Tor Browser downloads by platform. Data regarding which operating system onion service operators run cannot be easily acquired, for obvious reasons. That was on the network level; now on the user's system, even if one chooses a Free and Open Source Operating System, GNU/Linux holds a big share over *BSD, having a huge impact on the main software used for the kernel (Linux), shell (bash) and service manager (systemd).
The goal of this project is:

- Decentralization from a single point of failure:
  - Linux to also BSD.
  - bash to also any POSIX shell such as ksh, (y,d)ash and zsh (emulating sh).
  - systemd to also OpenRC.
- Editing the tor configuration file (torrc) is not difficult, but automation solves the problem of misconfiguration and having:
  - `<HiddenServiceDir>/authorized_clients/<client>.auth`. If any client is configured, the service will not be accessible without authentication.
  - `<ClientOnionAuthDir>/<SOME_ONION>.auth_private`.
- Backup: `torrc` lines containing hidden service configuration, all of your directories of HiddenServiceDir and ClientOnionAuthDir. Guide to export the backup to a remote host with scp.
- Restore: `torrc` and the directories HiddenServiceDir and ClientOnionAuthDir to your current system. This option should be used after creating a backup and importing it to the current host. Guide to import the backup to the current host with scp.
- Dialog boxes with `dialog` and `whiptail`.
- `all-clients`, `all-services`, `[SERV1,SERV2,...]` and `[CLIENT1,CLIENT2,...]`: the command will loop over the variables and apply every combination.
- `<>` (e.g. `<VIRTPORT2>`)
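As an added example (not onionservice's own code), a POSIX sh/awk routine that does the first half of the backup described above: it picks out the hidden service lines from a torrc and lists the HiddenServiceDir and ClientOnionAuthDir paths a backup must archive. The torrc text is constructed for the example.

```shell
#!/bin/sh
## Added example, not part of onionservice: pull the hidden service
## configuration out of a torrc, the first half of the backup step.
## Pure POSIX sh + awk, so it runs on dash, ksh, ash and bash alike.

## Sample torrc text, constructed for this example.
SAMPLE_TORRC="$(cat <<'EOF'
## constructed torrc
SocksPort 9050
Log notice file /var/log/tor/notices.log
HiddenServiceDir /var/lib/tor/services/web
HiddenServicePort 80 127.0.0.1:8080
HiddenServiceVersion 3

HiddenServiceDir /var/lib/tor/services/ssh
HiddenServicePort 22 127.0.0.1:22
ClientOnionAuthDir /var/lib/tor/onion_auth
ControlPort 9051
EOF
)"

## hs_config_lines TORRC_TEXT
## Print the torrc lines that belong to hidden service configuration:
## every HiddenService* option plus ClientOnionAuthDir. Comments and blank
## lines are dropped so the result can be appended to another torrc as-is.
hs_config_lines() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    $1 ~ /^HiddenService/ || $1 == "ClientOnionAuthDir" { print }
  '
}

## backup_dirs TORRC_TEXT
## Print one directory per line: each HiddenServiceDir (holds the hs keys)
## and the ClientOnionAuthDir (holds the .auth_private files).
backup_dirs() {
  printf '%s\n' "$1" | awk '
    $1 == "HiddenServiceDir" || $1 == "ClientOnionAuthDir" { print $2 }
  '
}

## hs_count TORRC_TEXT -> number of hidden services configured
hs_count() {
  printf '%s\n' "$1" | awk '$1 == "HiddenServiceDir" { n++ } END { print n + 0 }'
}

## When run directly: show what a backup would have to carry over.
hs_config_lines "$SAMPLE_TORRC"
backup_dirs "$SAMPLE_TORRC"
```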
Three easy steps to fully set up this project:
```sh
git clone https://github.com/nyxnor/onionservice.git
cd onionservice
```
Edit the required variables to fit your system inside `.onionrc`, following the same format as the already defined variables. Note that no variable that refers to a folder ends with a trailing "/". Keep it that way, or it will break. The packages can have different names depending on the operating system; modify accordingly.
Set the default editor of your choice, or it will always fall back to Vi. This example uses `nano`, but it could be any other editor:

```sh
printf "\nexport EDITOR=\"nano\"\n" >> ~/."${SHELL##*/}"rc && . ~/."${SHELL##*/}"rc
```
Open the mentioned configuration file:

```sh
"${EDITOR:-vi}" .onionrc
```
```sh
## [ EDIT REQUIRED ] (IF NOT DEBIAN)
tor_user="debian-tor" ## [debian-tor|tor]
tor_service="tor@default.service" ## [tor@default.service|tor.service]
pkg_mngr_install="sudo apt install -y" ## always use the 'yes' flag to be non interactive
web_server="nginx" ## [nginx|apache2]
dialog_box="dialog" ## [dialog|whiptail]
requirements="tor grep sed openssl basez git qrencode pandoc lynx gzip tar python3-stem ${dialog_box} ${web_server}" ## search pkg name for your OS
```
Or edit it with sed (add the in-place option `-i''` to write the change to the file; without it the result is only printed):

```sh
sed "s|tor_user=.*|tor_user=\"tor\"|" .onionrc
```
Determine the environment variable `${ONIONSERVICE_PWD}` and add the directory to `${PATH}`.
For this, you have two options:

Easy: run from inside the cloned repository and it will use the same path as in `${PWD}`:

```sh
./setup/setup.sh
```

Development: set the variable manually using the absolute path without a trailing "/" at the end. Favorable for integrating into other projects. Run from any directory (the path needs to be specified):

```sh
./setup/setup.sh -s -p /PATH/TO/ONIONSERVICE/REPO && . ~/."${SHELL##*/}"rc
```
The repo is now in your `$PATH`, if you have set up the environment as described above. This means you can call the scripts as if they were any other command.
There are some ways to call the scripts, evaluate the advantages and disadvantages:
| | Command | Specifying shell |
|---|---|---|
| Advantages | follows the shebang, can be used from any directory | can choose the shell |
| Disadvantages | the scripts must be executable | ignores the shebang, needs to specify the path if not in the same directory |
| Syntax | `onionservice-cli` | `sh onionservice-cli` |
Take a look at the documentation inside the `docs` folder. Read:

any markdown file, formatted on the shell:

```sh
ls docs/*.md
pandoc "${ONIONSERVICE_PWD}"/docs/CONTRIBUTING.md | lynx -stdin
```

the CLI manual:

```sh
man onionservice-cli
```
Full compatibility with any POSIX compliant shell: dash, bash, ksh, mksh, yash, ash.
The default POSIX shell of your unix-like operating system may vary (FreeBSD and NetBSD use ash, OpenBSD uses ksh, Debian uses dash), but there is a symbolic link leading to it at `/usr/bin/sh` and/or `/bin/sh`.
Tweak to be compatible with non-POSIX compliant shells:

```sh
zsh --emulate sh -c onionservice-tui
```
Works on unix-like operating systems; tested by the maintainer mostly on GNU/Linux Debian 11. Work is being done for *BSD systems, sed is using this trick.
Currently only systemd is available, planning on implementing SysV, Runit, OpenRC.
- General: dash 0.5.4+, bash 2.03+, ksh 88+, mksh R28+, zsh 3.1.9+, yash 2.29+, busybox ash 1.1.3+ etc.
- `DataDir/services`.
- `.onionrc` (Incorrect: `~/onionservice/`, Correct: `~/onionservice`).
- Packages: the packages are downloaded when setting up the environment with setup.sh; the required packages are specified in .onionrc. The absolute minimum you can go to is `tor grep sed`, and you will then be limited to enabling, disabling and renewing services.
These are projects that inspire OnionService development, each with their own unique characteristics.
OnionShare CLI makes possible ephemeral onion services that never touch the disk and can be run on Tails or Whonix easily. It provides onion authentication, focusing on running servers to send and receive files, chat and host a static website. OnionService evolved by watching the sharing capabilities of OnionShare and converting them to shell script.
RaspiBlitz provides a ton of bitcoin related services that can be run over tor, so onion services are the choice to access your node from outside the LAN. OnionService started by forking the Blitz script to remove hardcoded paths.
TorBox is an easy to use, anonymizing router that creates a separate WiFi that routes the encrypted network data over the Tor network. It also helps configuring bridges and other countermeasures to bypass censorship. OnionService aims to help people in countries under surveillance to communicate privately.
github.com/mikeperry-tor/vanguards
github.com/nyxnor/onionservice
github.com/nyxnor/onionservice/blob/main/.onionrc
github.com/nyxnor/onionservice/blob/main/docs/ONIONSERVICE-CLI.md
github.com/nyxnor/onionservice/blob/main/setup/setup.sh
github.com/onionshare/onionshare/tree/develop/cli
github.com/radio24/TorBox
github.com/rootzoll/raspiblitz/blob/v1.7/home.admin/config.scripts/internet.hiddenservice.sh