Tor Bastion Hosts

Use a Tor bastion host to reach those hard-to-get places on your network!

As I've mentioned many times in the past, networking is not only a passion, it's my day job. As such, I spend a lot of time hopping around from system to system, whether it's to diagnose problems, review configuration changes, or for spot checking system health. Yeah, I'm also my household IT guy, so there's that too.

Because I bounce around quite a bit between my home network, my network at the office, and a few various lab setups, I've gotten pretty adept at maneuvering through the "SSH stepping stones" – logging into one system, from there logging into another, etc., until I reach my target machine. Bastion hosts are the blazes on the trail, of course, and having a mental map of the interconnectivity between them is growing increasingly difficult as my technodomain expands.

Recently I hit a bit of an inconvenience with a project I'm working on. There are a few systems I needed to access behind a network that's only reachable via VPN. For reasons beyond the scope of this blog post, when I'm at my desk at work, logging into a VPN is a very frustrating exercise; to connect to this particular VPN means severing the connection(s) to most of my local network resources, so I find myself constantly flipping back and forth between VPN/non-VPN.

To have more ubiquitous access to one of these cordoned off systems, I decided to do some experimentation with Tor onion services. Onion services are usually used to provide privacy/anonymity to someone that is hosting a service (typically a web site), but for me that's not the primary goal. For me, the goal is persistent access. Because the Tor network is an overlay to the public internet, if I can publish a service on a system that has outbound connectivity to the internet, I can connect to it over the Tor network – without VPN.

Step one is to get a Tor onion service running. That part is surprisingly easy. Virtually all of the systems I access are CentOS systems, so a quick dnf install tor is all that's required to get Tor onto my target machine. The only configuration required to publish an onion service is the following:

HiddenServiceDir /var/lib/tor/ssh_service
HiddenServicePort 22 127.0.0.1:22

(There are a few sample onion services – formerly called Hidden Services – commented out in the /etc/tor/torrc file that comes with Tor. Add these two lines there.)

(Re)start Tor with systemctl restart tor and it should be live. The generated hostname for your onion service will be (for CentOS) in /var/lib/tor/ssh_service/hostname, and depending on which version of Tor you're using it'll either be 16 or 56 random characters followed by .onion. Cool, it's live! But now how do you access it?

I've got Tor installed on the CentOS system that is my home router. From its shell, I can SSH to this onion service by running torify ssh qazwsxedcrfvtgby.onion, which really just serves to push my request through a Tor SOCKS proxy local to that system and onto the Tor overlay network. This simplifies my stone-stepping process for getting to target systems: I can SSH to my home router, and use it as a bastion host/gateway to the Tor network to reach otherwise difficult-to-reach systems. (I could install Tor on my laptop, of course, but I haven't found an elegant way to do it on my trusty MacBook Air quite yet.)

Now that the hosts I'm interested in are anonymously advertising SSH onto the Tor network, I can use some SSH configuration to make the hop through the bastion host more convenient:

Host                microuter
    User            ptimmons
    HostName        qazwsxedcrfvtgby.onion
    ProxyCommand    ssh ptimmons@labsystem1 nc --proxy-type socks5 --proxy 127.0.0.1:9050 %h %p

This bit of SSH configuration allows me to type ssh microuter in my shell, and that gets proxied through my Tor bastion host (labsystem1), where it's sent through the SOCKS5 proxy locally on port 9050 on that machine to the crazy, incapable-of-being-remembered onion service hostname.
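The whole procedure above, from the two torrc lines to the ssh_config stanza, as an added shell example (not code from the original post). The alias, user, bastion and SOCKS port are the ones used in the post; the function names, the argument order and the hostname validation are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the ssh_config
# stanza for an SSH onion service from the hostname Tor generated, and
# adds the two torrc lines idempotently. Function names and argument
# order are assumptions; "microuter", "ptimmons", "labsystem1" and
# port 9050 come from the post.

# Accept only what Tor would write to the hostname file: a 16-character
# (v2) or 56-character (v3) base32 label followed by ".onion".
valid_onion() {
    label=${1%.onion}
    [ "$label" != "$1" ] || return 1                 # must end in .onion
    case $label in
        ''|*[!abcdefghijklmnopqrstuvwxyz234567]*) return 1 ;;   # base32 only
    esac
    case ${#label} in
        16|56) return 0 ;;
        *) return 1 ;;
    esac
}

# Read the service hostname (CentOS path from the post), trimming whitespace.
onion_hostname() {
    tr -d '[:space:]' < "${1:-/var/lib/tor/ssh_service/hostname}"
}

# Print the Host stanza: alias user onion_hostname bastion [socks_port].
# The hop goes through the bastion, which hands the TCP stream to its
# local Tor SOCKS5 listener; %h and %p are expanded later by ssh itself.
onion_ssh_stanza() {
    alias_=$1 user=$2 onion=$3 bastion=$4 port=${5:-9050}
    valid_onion "$onion" || { echo "not an onion hostname: $onion" >&2; return 1; }
    printf 'Host %s\n' "$alias_"
    printf '    User            %s\n' "$user"
    printf '    HostName        %s\n' "$onion"
    printf '    ProxyCommand    ssh %s@%s nc --proxy-type socks5 --proxy 127.0.0.1:%s %%h %%p\n' \
        "$user" "$bastion" "$port"
}

# Append the onion-service lines to a torrc unless they are already there,
# so re-running the setup never publishes the service twice.
enable_ssh_onion() {
    torrc=${1:-/etc/tor/torrc}
    grep -q '^HiddenServiceDir /var/lib/tor/ssh_service$' "$torrc" 2>/dev/null && return 0
    printf 'HiddenServiceDir /var/lib/tor/ssh_service\nHiddenServicePort 22 127.0.0.1:22\n' >> "$torrc"
}

# Usage on the bastion, e.g.:  onion_ssh_stanza microuter ptimmons \
#   "$(ssh ptimmons@target cat /var/lib/tor/ssh_service/hostname)" labsystem1 >> ~/.ssh/config
```

Rejecting anything that is not a plausible onion hostname keeps a typo or a stray line in the hostname file from silently producing a ProxyCommand that connects somewhere else.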

There you have it! Anonymously connecting systems to the internet via Tor onion services, and having a public bastion host that's capable of reaching that Tor overlay network means I seldom have to VPN-hop to reach what I need to reach.

Now if only Tor weren't so slow...