Currently doing some testing with tor v3 client authorization.
I have it working (which took a bit of research) and it looks like a reasonable way to manage peering over tor, but nowhere near as versatile and informative as i2p.
While we already do peer over tor, this step may make it easier and safer to manage.
More to come later in the week, when I have some time.
Posted on Rocksolid Light
On Fri, 28 Jun 2019 22:43:36+0000
trw <email@example.com> wrote:
I haven't been doing that with tor clients, just using another
method that I won't mention here to avoid unauthorized clients. I
still need to write up instructions on how to use it.
Well post them when you are done. Such stuff is always interesting...
Posted on def4
Matt Traudt has written nice instructions here:
Creating Private V3 Onion Services
Posted on 19 Jan 2019 by Matt Traudt
Last updated 08 Feb 2019 at 9:29 am
This post is about v3 onion services with 56 characters in their name.
For the old post for creating private v2 onion services, see here.
In that old post I talked about some of the great features of Tor onion
services. The features still apply with the new onion services: they
are still end-to-end encrypted, they still assure you that it is
impossible for anyone to modify your traffic, etc.
Regular v3 onions fix the issue that v2 onions had where a malicious
HSDir could snoop and learn about onion services that the owner
literally never advertised. This is great, you no longer have to make
your onion service regular authorization in order to avoid malicious
HSDirs. If you never tell anyone your v3 onion address, no one will
ever know it exists.
Regardless of whether you're okay with people knowing your v3 onion
address or not, what if you still wanted to require people to know a
secret key in order to be allowed to connect to your v3 onion service?
You can do that now.
Here's how you set this up.
0. Know how to set up an onion service
1. Generate a key for Alice
2. Bob tells his Tor about the public key for Alice
3. Alice tells her Tor about her private key
Alice is the client. Bob runs an onion service and wants to allow Alice
to connect to it. Everyone has Tor 0.3.5.7 or newer.
0. Know how to set up an onion service
If you don't know how to set up a regular onion service, go figure that
out now. Don't come back until you can connect to it successfully.
Note that all the file and directory paths used here make sense for me,
but may not make sense for you on your computer. Only copy/paste things
I will assume the onion address is
1. Generate a key for Alice
Someone needs to generate a key for Alice to use. I don't think it
really matters if Bob generates it for her instead. I will assume it is
Alice. I would like to see Tor produce something themselves (perhaps
inside little-t tor, perhaps a script shipped with its source code,
etc.) but for now you have to figure out how to do it yourself.
I wrote a simple python3 script to generate an x25519 key pair. It
Record the base32-encoded key pair somewhere. You'll need it soon.
Here's some example output.
2. Bob tells his Tor about the public key for Alice
Assume Bob already has this torrc snippet.
He should have an authorized_clients directory inside foo_v3_onion/. If
it doesn't already exist, he should figure out what is wrong because
Tor should have made it for him.
Inside authorized_clients/, Bob should make a file ending in .auth; for
example, alice.auth. Inside that file, he should put the following
Using an example public key ...
Bob should then restart his Tor.
If Bob wants to add more users, he can repeat this process with
additional files in this directory.
3. Alice tells her Tor about her private key
First she should check that her torrc has a ClientOnionAuthDir option
set. These paths will be significantly different based on if she is
configuring her system's background Tor daemon or if she is configuring
Tor Browser. (T) means an example system Tor daemon path and (TB) means
an example Tor Browser path. Remember, yours may still be different.
(TB) [Tor Browser folder]/Browser/TorBrowser/Data/Tor/torrc
# In case this path ends up not making sense on your system ...
# The directory I'm aiming for onion_auth to be in is the same
# directory that contains the torrc
After restarting Tor, if this directory doesn't exist, Alice should
make it with 0700 permissions.
Inside this directory, she then should add a file ending
in .auth_private; for example, bob.auth_private. Inside that file, she
should add the following content.
Using an example onion address and private key ...
(TB) [Tor Browser
Alice should then restart her Tor.
If Alice needs keys for more onion addresses, she can repeat this
process with additional files in this directory.
The .onion suffix in the address is removed in those .auth_private
files. I haven't actually tried this on Tor Browser, I'm merely
relaying what a brave Redditor managed to figure out. Tor Browser
doesn't expect you to edit its torrc, so if you change Tor settings
graphically in Tor Browser, you may find it has generated a new
torrc without your changes.
If everyone's Tor processes are running without error, then setup
should be complete. Alice should be able to connect, but no one else
should be able to.
Bob can authorize up to about 350 clients per onion service.
Posted via novabbs