{{Header}}
{{Title|
title=Connecting to SSH before Tor
}}
{{#seo:
|description=Instructions on how to connect to SSH before Tor. (User → SSH → Tor → Internet)
|image=Norman-79860640.jpg
}}
[[File:Norman-79860640.jpg|thumb]]
{{intro|
Instructions on how to connect to SSH before Tor.
'''User
→ SSH
→ Tor
→ Internet
'''
}}
= Introduction =
{{Tunnels_Introduction}}
Connecting to SSH before Tor might enhance privacy and security in certain use cases. This setup is particularly useful for bypassing restrictive firewalls or for situations where Tor is blocked but SSH is allowed.
The SSH tunnel can be configured on the host {{os}} (outside any {{VM}}) or inside {{project_name_gateway_long}}.
= Prerequisites =
* SSH server: The user needs an already existing SSH server where the user is able to successfully log in using ssh on the command line.
* Prerequisite knowledge:
** How to set up an SSH server: Setting up an SSH server is currently out of scope for this wiki page. The process is [[unspecific|unspecific to {{project_name_short}}]]. The SSH server can be set up as usual, as if {{project_name_short}} were not involved. [[Please Use Search Engines And See Documentation First|Please use search engines first.]]
** How to bypass Tor: [[Dev/Test#The_clearnet_User|The clearnet User]]
* Platform specific:
** Non-Qubes-Whonix: No special notice.
** Qubes-Whonix: Knowledge of how to apply [[Qubes#Qubes_Template_Modifications|Qubes Template Modifications]] is required.
= Install SSH Client =
{{Install Package|package=
openssh-client
}}
= Make Clearnet home persistent =
There is no persistent home for the clearnet user by default. Therefore, make it persistent so that SSH user data (keys, known_hosts file) can be saved there.
Follow the instructions to [[Dev/Test#Make_Clearnet_home_persistent|make the clearnet home persistent]].
This will most likely be simplified in a future {{project_name_short}} version, where user clearnet will have a persistent home folder by default.
= DNS Setup =
There are two options for accessing the SSH server. Choose one.
{{Tab
|type=controller
|content=
{{Tab
|type=section
|linkid=os-nonqubes
|active=true
|addToClass=info-box
|title= {{Headline|h=2|content=By IP Address}}
|content=
Recommended. Connecting to your SSH server by IP address is easier. In this case, no DNS setup is required.
Most SSH servers have static IP addresses. Static here means that these do not change.
Do you already know the IP address of your SSH server?
* '''A)''' Yes, known: Great. No further action required.
* '''B)''' No, unknown: Resolve the SSH server domain name to an IP address. This command can be run on any Linux system, for example on your SSH server itself.
{{CodeSelect2|code=
dig +short example.com
}}
}}
{{Tab
|type=section
|linkid=ip-vs-dns
|addToClass=info-box
|title= {{Headline|h=2|content=By Domain Name}}
|content=
Connecting to your SSH server by domain name is possible but a bit more difficult. DNS setup is required.
Allow user clearnet on {{project_name_gateway_short}} to use clearnet DNS.
'''1.''' DNS setup.
See [[Whonix-Gateway_System_DNS#Whonix-Gateway_System_DNS_Configuration|Whonix-Gateway System DNS over Clearnet]].
'''2.''' Test.
Check if the clearnet user can resolve DNS:
{{CodeSelect2|code=
sudo -u clearnet curl.anondist-orig --tlsv1.3 --proto =https https://check.torproject.org/api/ip
}}
Expected output:
Note: The following output would not contain YOUR_SSH_SERVER_PUBLIC_IP but the actual public IP address of your SSH server.
{"IsTor":false,"IP":"YOUR_SSH_SERVER_PUBLIC_IP"}
'''3.''' Done. Whonix-Gateway System DNS over Clearnet setup is complete.
}}
}}
= Configure Remote SSH Server =
Note: Every key generation and installation must be made with the clearnet user.
'''1.''' Notice.
{{mbox
| type = critical
| image = [[File:Ambox_warning_pn.svg.png|40px]]
| text = Be cautious: When using the clearnet user account on {{project_name_gateway_short}}, traffic will bypass Tor and use the standard internet, compromising anonymity! In the context of setting up User → SSH → Tor → Internet this is OK.
}}
'''2.''' Start a shell as user clearnet.
{{CodeSelect2|code=
sudo -u clearnet bash
}}
'''3.''' SSH key setup.
Folder /home/clearnet/.ssh needs to be populated. In practice, this means that the following files (or similar) need to exist:
* /home/clearnet/.ssh/id_ed25519
* /home/clearnet/.ssh/id_ed25519.pub
* /home/clearnet/.ssh/known_hosts
How to get these files? There are two options. Choose one.
* '''A)''' Use existing files: The user could copy these files over from an existing SSH client setup. Or,
* '''B)''' Create a new SSH keypair: See also {{kicksecure_wiki
|wikipage=SSH#Key_Generation
|text=Generate SSH keys
}} and {{kicksecure_wiki
|wikipage=SSH#Key_Installation
|text=Install keys to the SSH server
}}.
'''4.''' Test login to the SSH server:
Notes:
* User name: Replace ssh-user with the actual SSH user name.
* IP: Replace example.com with the actual IP address or hostname of your server.
{{CodeSelect2|code=
ssh.anondist-orig ssh-user@example.com
}}
'''5.''' SSH server configuration.
* '''A)''' SSH default configuration: The SSH daemon defaults to AllowTcpForwarding yes in /etc/ssh/sshd_config. No change is required.
* '''B)''' User hardened SSH configuration: If the user has configured AllowTcpForwarding no in /etc/ssh/sshd_config, see the note below.
Note: TCP forwarding can be re-enabled on a per-user basis. For example, to allow TCP forwarding only for user ssh-user, append the following to /etc/ssh/sshd_config (Match blocks must come at the end of the file, because every line after a Match line applies only to matching connections):
{{CodeSelect2|code=
Match User ssh-user
AllowTcpForwarding yes
}}
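To check how sshd will resolve the setting before restarting it, here is an added example (not part of this wiki page or the Whonix project) that models sshd's lookup rules for AllowTcpForwarding; the sample configuration is constructed and only Match User criteria are modelled:

```python
import fnmatch
import shlex
# Added example, not part of the wiki page: models how sshd resolves
# AllowTcpForwarding for one user. The first value in the global section
# wins, a matching "Match User" block overrides it, and every line after a
# Match line belongs to that block, which is why the override is appended
# at the end of sshd_config.


def _user_matches(patterns, user):
    # Match User takes a comma-separated list of glob patterns.
    return any(fnmatch.fnmatchcase(user, p) for p in patterns.split(","))


def effective_allow_tcp_forwarding(config_text, user):
    """Return the AllowTcpForwarding value ("yes", "no", ...) applying to user."""
    global_value = match_value = None
    in_match = None  # None: global section; True/False: inside a Match block
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        keyword = parts[0].lower()
        if keyword == "match":
            # Only "Match User ..." is modelled; other criteria never match.
            in_match = (len(parts) >= 3 and parts[1].lower() == "user"
                        and _user_matches(parts[2], user))
            continue
        if keyword != "allowtcpforwarding" or len(parts) < 2:
            continue
        value = parts[1].lower()
        if in_match is None and global_value is None:
            global_value = value  # first global occurrence wins
        elif in_match and match_value is None:
            match_value = value  # first matching Match block wins
    if match_value is not None:
        return match_value
    return global_value if global_value is not None else "yes"  # sshd default


# Constructed sample: hardened global setting plus the per-user override.
SAMPLE_SSHD_CONFIG = """
AllowTcpForwarding no

Match User ssh-user
    AllowTcpForwarding yes
"""
```

With the sample, ssh-user gets "yes" while any other user keeps the hardened "no"; a global line placed after the Match block would wrongly apply to that block only.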
'''6.''' Restart the ssh daemon service in case you have modified its settings in the item above:
{{CodeSelect2|code=
sudo systemctl restart sshd
}}
'''7.''' Exit the SSH session after the connection has succeeded:
{{CodeSelect2|code=
exit
}}
'''8.''' Exit from the clearnet user back to the regular user account (user):
{{CodeSelect2|code=
exit
}}
'''9.''' Done.
= Test SSH Socks Proxy =
'''1.''' Create a local SOCKS proxy.
Open a localhost SOCKS proxy listening on port 1080 connected to your SSH server.
Notes:
* User name: Replace ssh-user with the actual SSH user name.
* IP: Replace example.com with the actual IP address or hostname of your server.
* Port: Replace 22 with the actual SSH server port. If you have not changed the SSH server port, it will be the default 22 and no port change will be required.
{{CodeSelect2|code=
sudo -u clearnet ssh.anondist-orig -N -D 127.0.0.1:1080 ssh://ssh-user@example.com:22
}}
Expected output: None.
'''2.''' Test.
Check if the clearnet user can use the SOCKS5 proxy created by the SSH connection.
Open another terminal tab.
{{CodeSelect2|code=
sudo -u clearnet curl.anondist-orig --proxy socks5h://127.0.0.1:1080 --tlsv1.3 --proto =https https://check.torproject.org/api/ip
}}
Expected output:
Note: The following output would not contain YOUR_SSH_SERVER_PUBLIC_IP but the actual public IP address of your SSH server.
{"IsTor":false,"IP":"YOUR_SSH_SERVER_PUBLIC_IP"}
'''3.''' Close SSH proxy. Terminate the local SSH proxy created in step 1 by pressing CTRL + C or by closing the terminal tab. This is required because the automated service configured below needs the port to be free, and the port is only released once the SSH client has been terminated.
'''4.''' Done. The SSH SOCKS proxy test has been completed.
= Configure Proxy Autostart =
After all of the above tests have been completed successfully, configure the SSH connection to start on boot.
'''1.''' Apply the following changes to {{project_name_gateway_long}} or the host.
* [[Non-Qubes-Whonix]]: On {{project_name_gateway_short}}.
* [[Qubes-Whonix]]: On {{project_name_gateway_vm}} App Qube.
{{Open with root rights
|filename=/usr/lib/systemd/system/socks-before-tor.service
}}
'''2.''' Add the following to the file:
Notes:
* User name: Replace ssh-user with the actual SSH user name.
* IP: Replace example.com with the actual IP address or hostname of your server.
* Port: Replace 22 with the actual SSH server port. If you have not changed the SSH server port, it will be the default 22 and no change is required.
{{CodeSelect2|code=
[Unit]
Description=SOCKS5 Proxy for Tor OR connections
After=network-online.target nss-lookup.target qubes-sysinit.service
Before=tor.service
ConditionPathExists=!/var/run/qubes/this-is-templatevm
[Service]
ExecStart=ssh.anondist-orig -vv -N -D 127.0.0.1:1080 ssh://ssh-user@example.com:22
Restart=on-failure
RestartSec=5
User=clearnet
Group=clearnet
[Install]
WantedBy=multi-user.target
}}
'''3.''' Reload the systemd system daemon:
{{CodeSelect2|code=
sudo systemctl daemon-reload
}}
'''4.''' Enable the systemd system service socks-before-tor:
{{CodeSelect2|code=
sudo systemctl enable socks-before-tor
}}
'''5.''' Platform specific.
{{Tab
|type=controller
|content=
{{Tab
|type=section
|linkid=os-nonqubes
|active=true
|addToClass=info-box
|image=[[File:Kicksecure-icon-logo.svg]]
|title= {{Headline|h=2|content={{non_q_project_name_short}}}}
|content=
'''1.''' Start the service socks-before-tor:
{{CodeSelect2|code=
sudo systemctl restart socks-before-tor
}}
'''2.''' Watch the journal of the socks-before-tor service:
{{CodeSelect2|code=
sudo journalctl -fu socks-before-tor
}}
}}
{{Tab
|type=section
|linkid=os-qubes-template
|addToClass=info-box
|image=[[File:Qubes-logo-blue.png]]
|title= {{Headline|h=2|content={{q_project_name_short}}}}
|content=
'''1.''' Shut down the {{project_name_gateway_template}} Template.
'''2.''' Restart the {{project_name_gateway_vm}} App Qube.
'''3.''' Watch the journal of the socks-before-tor service on the {{project_name_gateway_vm}} App Qube:
{{CodeSelect2|code=
sudo journalctl -fu socks-before-tor
}}
}}
}}
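To evaluate the SOCKS proxy test result mechanically, for instance from a script run once the service is up, here is an added example (not part of this wiki page or the Whonix project) that interprets the check.torproject.org response from the curl commands above; it assumes the SSH server's public IP is known and uses a constructed documentation address as a stand-in:

```python
import ipaddress
import json

# Added example, not part of the wiki page: interprets the JSON body that
# check.torproject.org/api/ip returns in the SOCKS proxy test. For
# User -> SSH -> Tor -> Internet the request through the clearnet user's
# SOCKS proxy must exit at the SSH server, so a pass is IsTor false and IP
# equal to the SSH server's public address; anything else is a misconfiguration.


def classify_tunnel_check(output, ssh_server_ip):
    """Map the curl output to a verdict for the SSH SOCKS proxy test."""
    try:
        data = json.loads(output)
        is_tor = bool(data["IsTor"])
        seen_ip = ipaddress.ip_address(data["IP"])
    except (ValueError, KeyError, TypeError):
        # A truncated body, an HTML block page or a non-JSON reply is no pass.
        return "invalid-response"
    if is_tor:
        # The request exited through a Tor relay, not through the SSH server.
        return "went-through-tor"
    if seen_ip != ipaddress.ip_address(ssh_server_ip):
        # The exit address is not the SSH server: the proxy was not used.
        return "unexpected-exit-ip"
    return "ok"


# Constructed sample bodies; 203.0.113.10 is a documentation address standing
# in for YOUR_SSH_SERVER_PUBLIC_IP, the others stand for unrelated hosts.
SSH_SERVER_IP = "203.0.113.10"
SAMPLES = {
    "good": '{"IsTor":false,"IP":"203.0.113.10"}',
    "tor": '{"IsTor":true,"IP":"198.51.100.7"}',
    "leak": '{"IsTor":false,"IP":"192.0.2.44"}',
    "truncated": '{"IsTor":false,"IP":',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, classify_tunnel_check(body, SSH_SERVER_IP))
```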
= Configure Tor =
Tor needs to be configured to make use of the locally running SOCKS interface.
Use either Option 1 or Option 2.
==== Option 1: Use {{Code2|Anon Connection Wizard}} ====
SOCKS5
* '''IP:''' 127.0.0.1
* '''Port:''' 1080
}}
{{Anon_Connection_Wizard_Use_Proxy}}
IP:PORT
as needed.
* '''A)''' If SSH tunnel was set up from {{project_name_gateway_short}}:
{{CodeSelect2|inline=true|code=
Socks5Proxy 127.0.0.1:1080
}}
* '''B)''' If SSH tunnel was set up from host operating system:
{{CodeSelect2|inline=true|code=
Socks5Proxy IP:PORT
}}
'''3.''' {{Reload_Tor}}
'''4.''' Done.