Bypass NAT without UPnP or Port Forwarding using Tor

Have you ever needed to get applications running on a computer at home, available over the internet? I have several times, an SVN server, Chat Server, FTP server, testing HTTPd, SSH for my Raspberry Pi, just to name a few. The problem I have always face was configuring the router (or routers in most cases) to forward requests appropriately. And if I forgot to create an IP reservation for each device, come reboot time none of the configuration worked. It was a headache. Tor can actually fix this for us. While normally used for anonymity, it has some other cool features. Tor Hidden Service to be exact.

Tor Hidden Services, bypass IP Addressing Schemes

So, on the Tor network, (not the clear-net, public addressing with IP and DNS) devices are discoverable via their *.onion hostname directly. Regardless of IP Address, and NAT configurations on their LAN. The Tor service or daemon creates a SOCKS5 proxy into the Tor network, with your unique *.onion hostname, allowing any other device on the Tor Network to communicate directly to your device via this connection. While not a VPN, it sort of acts like one.

How this connection looks

Basically to make this work, you will need to install Tor on the device at home, and on the computer you want to access the service from. This is normally not a problem, however some workplaces don't like Tor on their networks. (You don't have to be a relay, you can simply just use the Proxy, to join the network)

With both devices connected you should be able to communicate easily between the two. With a little configuration you can expose services on your devices to the Tor network (remember it isn't exactly a VPN)

Step One. (RaspberryPi+Tor)

Let's install tor on the RaspberryPi (RPi), to make it part of the wonderful Tor Network.

 
sudo apt-get update
sudo apt-get install tor

Step Two. (Configure Tor)

Now that Tor is installed, we should configure it, exposing the specific service or service to Tor. Tor by default does not allow Tor Traffic to access services on your device. This is in the configuration file, mapping ports on Tor to local ports or even IP:Port of other devices on your LAN :)

Lets open up SSH on our RPi to the Tor network.

sudo nano /etc/tor/torrc

# Add the following lines
HiddenServiceDir /var/lib/tor/sshd/
HiddenServicePort 22 127.0.0.1:22

# Save and exit file
# [CTRL]+X, Y, [ENTER]

# Make the directory
sudo mkdir /var/lib/tor/sshd
sudo chmod 700 /var/lib/tor/sshd
sudo chown debian-tor.debian-tor /var/lib/tor/sshd

Step 3. (Enable and Start Tor)

With all of the configuration out of the way, we can now enable tor on boot, and start it up.

sudo systemctl enable tor
sudo systemctl start tor

Now we should be able to get the tor hostname of our device (specifically for this service?)

sudo cat /var/lib/tor/sshd/hostname

# Should output something like
# kpvz7ki2v5oujt35.onion

This is the address of your device, it can be treated as a Domain Name or IP Addess, while on the Tor Network.

Step Four. (Setup windows Desktop)

Most people using Tor for this sort of connection, I assume use linux both at work and home. I however have multiple machines running windows, and frequently SSH into my linux machines (mostly servers and RPi's). So, lets get our windows machine on Tor. There are two ways to go about this. I am choosing the easiest way for now. But it does have one limitation. To make and keep the connection open you must be running the Tor Browser (not using it, it just needs to be running).

Go download the Tor Browser: https://www.torproject.org/download/download

Just Install it following the Install Wizard, then launch it the first time. Again just follow the on-screen directions. Then Leave the browser running now, and any time you want to connect to a service on the Tor Network. This is because the Tor browser launches the needed Tor SOCKS5 Proxy in the background, but will end it as soon as you close the browser.

Step Five. (Configure Putty)

Now it is time to configure putty. This is actually super easy. Once putty is loaded, find the Connection > Proxy in the left options tree. Make the following changes:

Proxy type: SOCKS5
Proxy hostname: localhost
Proxy port: 9150

# most tutorials say 9050, but I was only able
# to get it to work on 9150.

# Maybe the Tor browser start the proxy on a
# different port than the stand alone proxy

Step Six. (Connect)

That is it, now go back to the start session tab in putty, and enter your hostname, and connect.

It is not very responsive once you are connected, but that is due to the packets routing around the globe. This should be end to end secure, you are not using any "Exit Nodes". So you shouldn't need to worry about any fake SSL certs or other known issues relating to Exit Nodes.

Conclusion.

While not the fasted setup, I have started using this for my services running on machines at home. It is laggy most of the time, but usable and really stable. Fast switching IPs from my ISP have not effected the services availability at all.

This raises a couple questions in my mind:

  • Is it feasible to use this as a real solution in applications?
    • ChatServers
    • Usage statistics gathering
    • or more?
  • Should we bundle the Tor proxy with our applications? Especially for use like this, SVN, Git, FTP availability easily.