{{Header}} {{Title| title=Connecting to SSH before Tor }} {{#seo: |description=Instructions on how to connect to SSH before Tor. (User → SSH → Tor → Internet) |image=Norman-79860640.jpg }} [[File:Norman-79860640.jpg|thumb]] {{intro| Instructions on how to connect to SSH before Tor. '''<code>User</code> → <code>SSH</code> → <code>Tor</code> → <code>Internet</code>''' }} = Introduction = {{Tunnels_Introduction}} Connecting to SSH before Tor might enhance privacy and security in certain use cases. This setup is particularly useful for bypassing restrictive firewalls or for situations where Tor is blocked but SSH is allowed. The SSH tunnel can be configured on the host {{os}} (outside any {{VM}}) or inside {{project_name_gateway_long}}. = Prerequisites = * <u>SSH server:</u> The user needs an already existing SSH server where the user is able to successfully login using <code>ssh</code> on the command line. * <u>Prerequisite knowledge:</u> ** <u>How to setup a SSH server:</u> Setting up an SSH server is currently out-of-scope for this wiki page. The process of setting up an SSH server is [[unspecific|unspecific to {{project_name_short}}]]. The SSH server can be set up as usual as if {{project_name_short}} is not involved. [[Please Use Search Engines And See Documentation First|Please use search engines first.]] ** <u>How to bypass Tor</u>: [[Dev/Test#The_clearnet_User|The clearnet User]] * <u>Platform specific:</u> ** Non-Qubes-Whonix: No special notice. ** Qubes-Whonix: It is required to know about how to apply [[Qubes#Qubes_Template_Modifications|Qubes Template Modifications]]. = Install SSH Client = {{Install Package|package= openssh-client }} = Make Clearnet home persistent = There is no persistent home for the <code>clearnet</code> user by default. Therefore make it persistent so SSH user data (keys, known_hosts file) can be saved there. Follow instructions to [[Dev/Test#Make_Clearnet_home_persistent|make the clearnet home persistent]]. This will most likely be simplified in a future {{project_name_short}} version, where user <code>clearnet</code> will have a persistent home folder by default. = DNS Setup = There are two options for accessing the SSH server. Choose one. {{Tab |type=controller |content= {{Tab |type=section |linkid=os-nonqubes |active=true |addToClass=info-box |title= {{Headline|h=2|content=By IP Address}} |content= Recommended. Connecting to your SSH server by IP address is easier. In this case, no DNS setup is required. Most SSH servers have static IP addresses. Static here means that these do not change. Do you already know the IP address of your SSH server? * '''A)''' <u>Yes, known:</u> Great. No further action required. * '''B)''' <u>No, unknown:</u> Resolve the SSH server domain name to IP address. This command can be run on any Linux system such as on your SSH server. {{CodeSelect2|code= dig +short example.com }} }} <!-- end tab --> {{Tab |type=section |linkid=ip-vs-dns |addToClass=info-box |title= {{Headline|h=2|content=By Domain Name}} |content= Connecting to your SSH server by domain name is possible but a bit more difficult. DNS setup is required. Allow user <code>clearnet</code> on {{project_name_gateway_short}} to use clearnet DNS. '''1.''' DNS setup. See [[Whonix-Gateway_System_DNS#Whonix-Gateway_System_DNS_Configuration|Whonix-Gateway System DNS over Clearnet]]. '''2.''' Test. Check if the <code>clearnet</code> user can resolve DNS: {{CodeSelect2|code= sudo -u clearnet curl.anondist-orig --tlsv1.3 --proto =https https://check.torproject.org/api/ip }} Expected output: <u>Note:</u> The following output would not contain <code>YOUR_SSH_SERVER_PUBLIC_IP</code> but the actual public IP address of your SSH server. <pre> {"IsTor":false,"IP":"YOUR_SSH_SERVER_PUBLIC_IP"} </pre> '''3.''' Done. Whonix-Gateway System DNS over Clearnet setup is complete. }} <!-- end tab --> }} <!-- End Tab Controller --> = Configure Remote SSH Server = <u>Note:</u> Every key generation and installation must be made with the <code>clearnet</code> user. '''1.''' Notice. {{mbox | type = critical | image = [[File:Ambox_warning_pn.svg.png|40px]] | text = Be cautious: When using the <code>clearnet</code> user account on {{project_name_gateway_short}}, traffic will bypass Tor and use the standard internet, compromising anonymity! In the context of setting up <code>User</code> → <code>SSH</code> → <code>Tor</code> → <code>Internet</code> this is OK. }} '''2.''' Start a shell as user <code>clearnet</code>. {{CodeSelect2|code= sudo -u clearnet bash }} '''3.''' SSH key setup. Folder <code>/home/clearnet/.ssh</code> needs to be populated. In practice, this means that the following files (or similar) need to exist: * <code>/home/clearnet/.ssh/id_ed25519</code> * <code>/home/clearnet/.ssh/id_ed25519.pub</code> * <code>/home/clearnet/.ssh/known_hosts</code> How to get these files? There are two options. Choose one. * '''A)''' <u>Use existing files:</u> The user could copy these files over from an existing SSH client setup. <u>Or,</u> * '''B)''' <u>Create a new SSH keypair:</u> See also {{kicksecure_wiki |wikipage=SSH#Key_Generation |text=Generate SSH keys }} and {{kicksecure_wiki |wikipage=SSH#Key_Installation |text=Install keys to the SSH server }}. '''4.''' Test login to the SSH server: Notes: * <u>User name:</u> Replace <code>ssh-user</code> with the actual SSH user name. * <u>IP:</u> Replace <code>example.com</code> with the actual IP address or hostname of your server. {{CodeSelect2|code= ssh.anondist-orig ssh-user@example.com }} '''5.''' SSH server configuration. * '''A)''' <u>SSH default configuration:</u> SSH daemon defaults to <code>AllowTcpForwarding yes</code> in <code>/etc/ssh/sshd_config</code>. * '''B)''' <u>User hardened SSH configuration:</u> If the user has configured <code>AllowTcpForwarding no</code> in <code>/etc/ssh/sshd_config</code>, then see footnote. <ref> You can change it on a per-user basis. For example, to allow TCP forwarding only for user <code>ssh-user</code>, append to the following file: {{CodeSelect2|code= Match User ssh-user AllowTcpForwarding yes }} </ref> '''6.''' Restart the <code>ssh</code> daemon service in case you have modified its settings in the item above: {{CodeSelect2|code= sudo systemctl restart sshd }} '''7.''' Exit the SSH session after the connection has succeeded: {{CodeSelect2|code= exit }} '''8.''' Exit from the <code>clearnet</code> user back to the <code>user</code> user: {{CodeSelect2|code= exit }} '''9.''' Done. = Test SSH Socks Proxy = '''1.''' Create a local SOCKS proxy. Open a localhost SOCKS proxy listening on port <code>1080</code> connected to your SSH server. Notes: * <u>User name:</u> Replace <code>ssh-user</code> with the actual SSH user name. * <u>IP:</u> Replace <code>example.com</code> with the actual IP address or hostname of your server. * <u>Port:</u> Replace <code>22</code> with the actual SSH server port. If you have not changed the SSH server port, it will be the default <code>22</code> and no port change will be required. {{CodeSelect2|code= sudo -u clearnet ssh.anondist-orig -N -D 127.0.0.1:1080 ssh://ssh-user@example.com:22 }} Expected output: None. '''2.''' Test. Check if the <code>clearnet</code> user can use the SOCKS5 proxy created by the SSH connection. Open another terminal tab. {{CodeSelect2|code= sudo -u clearnet curl.anondist-orig --proxy socks5h://127.0.0.1:1080 --tlsv1.3 --proto =https https://check.torproject.org/api/ip }} Expected output: <u>Note:</u> The following output would not contain <code>YOUR_SSH_SERVER_PUBLIC_IP</code> but the actual public IP address of your SSH server. <pre> {"IsTor":false,"IP":"YOUR_SSH_SERVER_PUBLIC_IP"} </pre> '''3.''' Close SSH proxy. Terminate the local SSH proxy created in step 1 by using the keyboard and entering CTRL + C or by closing the terminal tab. This is required because for automating the above command, the port must not be in use. To ensure the port is closed, the SSH client needs to be terminated. '''4.''' Done. The SSH SOCKS proxy test has been completed. = Configure Proxy Autostart = After all of the above tests have been completed successfully, you should configure the SSH connection to start on boot. '''1.''' Apply the following changes to {{project_name_gateway_long}} or the host. * [[Non-Qubes-Whonix]]: On {{project_name_gateway_short}}. * [[Qubes-Whonix]]: On <code>{{project_name_gateway_vm}}</code> App Qube. {{Open with root rights |filename=/usr/lib/systemd/system/socks-before-tor.service }} '''2.''' Add the following to the file: Notes: * <u>User name:</u> Replace <code>ssh-user</code> with the actual SSH user name. * <u>IP:</u> Replace <code>example.com</code> with the actual IP address or hostname of your server. * <u>Port:</u> Replace <code>22</code> with the actual SSH server port. If you have not changed the SSH server port, it will be the default <code>22</code> and no change is required. {{CodeSelect2|code= [Unit] Description=SOCKS5 Proxy for Tor OR connections After=network-online.target nss-lookup.target qubes-sysinit.service Before=tor.service ConditionPathExists=!/var/run/qubes/this-is-templatevm [Service] ExecStart=ssh.anondist-orig -vv -N -D 127.0.0.1:1080 ssh://ssh-user@example.com:22 Restart=on-failure RestartSec=5 User=clearnet Group=clearnet [Install] WantedBy=multi-user.target }} '''3.''' Reload the systemd system daemon: {{CodeSelect2|code= sudo systemctl daemon-reload }} '''4.''' Enable the systemd system service <code>socks-before-tor</code>: {{CodeSelect2|code= sudo systemctl enable socks-before-tor }} '''5.''' Platform specific. {{Tab |type=controller |content= {{Tab |type=section |linkid=os-nonqubes |active=true |addToClass=info-box |image=[[File:Kicksecure-icon-logo.svg]] |title= {{Headline|h=2|content={{non_q_project_name_short}}}} |content= '''1.''' Start the service <code>socks-before-tor</code>: {{CodeSelect2|code= sudo systemctl restart socks-before-tor }} '''2.''' Watch the journal of <code>socks-before-tor</code> service: {{CodeSelect2|code= sudo journalctl -fu socks-before-tor }} }} <!-- end tab --> {{Tab |type=section |linkid=os-qubes-template |addToClass=info-box |image=[[File:Qubes-logo-blue.png]] |title= {{Headline|h=2|content={{q_project_name_short}}}} |content= '''1.''' Shut down <code>{{project_name_gateway_template}}</code> Template. '''2.''' Restart <code>{{project_name_gateway_vm}}</code> App Qube. '''3.''' Watch the journal of <code>socks-before-tor</code> service: On <code>{{project_name_gateway_vm}}</code> App Qube. {{CodeSelect2|code= sudo journalctl -fu socks-before-tor }} }} <!-- end tab --> }} <!-- End Tab Controller --> = Configure Tor = Tor needs to be configured to make use of the locally running SOCKS interface. Use either Option 1 <u>or</u> Option 2. ==== Option 1: Use {{Code2|Anon Connection Wizard}} ==== <div class="toccolours mw-collapsible mw-collapsed"> A proxy can be configured easily using [[Anon_Connection_Wizard|Anon Connection Wizard]]. <div class="mw-collapsible-content"> ===== Step 1: Start Anon Connection Wizard ===== {{Start_Anon_Connection_Wizard}} ===== Step 2: Use Proxy Configuration Page ===== {{box|text= * '''<u>Proxy type:</u>''' <code>SOCKS5</code> * '''<u>IP:</u>''' <code>127.0.0.1</code> * '''<u>Port:</u>''' <code>1080</code> }} {{Anon_Connection_Wizard_Use_Proxy}} </div> </div> ==== Option 2: Manually Configure Proxy ==== <div class="toccolours mw-collapsible mw-collapsed"> Manual Tor configuration is an alternative. <div class="mw-collapsible-content"> '''1.''' {{Open /usr/local/etc/torrc.d/50_user.conf}} '''2.''' Paste. <u>Note:</u> Change <code>IP:PORT</code> as needed. * '''A)''' If SSH tunnel was set up from {{project_name_gateway_short}}: {{CodeSelect2|inline=true|code= Socks5Proxy 127.0.0.1:1080 }} * '''B)''' If SSH tunnel was set up from host operating system: {{CodeSelect2|inline=true|code= Socks5Proxy IP:PORT }} '''3.''' {{Reload_Tor}} '''4.''' Done. </div> </div> = Footnotes = {{reflist|close=1}} {{Footer}} [[Category:Documentation]]