lol I would open every port on my router and route them all to wireguard before I would ever consider doing this

@Findmysec@infosec.pub · 1 · 1M

Why not port knocking over TOR?

This is stupid. You’re still “connecting directly” to the instance. Your concern is about logging and traffic from your ISP being logged. This is the dumbest way to achieve this though, and reads as overly paranoid.

Just because you’re hanging one side out on Tor, does not mean your traffic isn’t logged. I don’t want to devolve into basic network operations, but this is stupid.

adr1an · 0 · 1M

Plus, just connecting to Tor is very much a huge exposure imho. I’d use a VPN. Now, if I have a VPN, probably wireguard, why would I need Tor? Some providers grant you the ability to interconnect devices under your account. So, just run the VPN on the server. This is why I love NordLynx. It’s just like tailscale.

@deafboy@lemmy.world · 1 · 1M

> just connecting to Tor is very much a huge exposure imho

Exposure of what, to whom?

adr1an · 2 · 1M

Using Tor is enough metadata if you were to use it to safeguard from some actors (e.g. state). I’m just saying from the perspective of some of the hypothetical personas as defined by the Tor project itself. If I were to boil this down to myself, I would rather live without the correlation attacks (e.g. ISP giving me seemingly random disconnects) and just do my casual reading on cracking on the clear-net.

@deafboy@lemmy.world · 3 · 1M

This is not a guide to hide from the government or ISP. Just a way to tunnel to your home server without publishing the sshd for random strangers. Personally, I’d just publish the ssh and be done with it.

> I would rather live without the correlation attacks

The more people using Tor, the less useful targeted disconnects become.

@Moonrise2473@feddit.it · 3 · 1M

Isn’t it super slow to access via Tor?

@neidu2@feddit.nl · 3 · 1M

Not necessarily. It can be, but it all depends on which nodes you get when you connect. If I end up on slow nodes I usually just reconnect, and it’s fine.

You’re skipping the exit nodes, which speeds things up fairly

@ramielrowe@lemmy.world · 34 · edit-2 · 1M

If I understand this correctly, you’re still forwarding a port from one network to another. It’s just that in this case, instead of a port on the internet, it’s a port on the TOR network. Which is still just as open, but also a massive calling card for anyone trolling around the TOR network for things to hack.

@deafboy@lemmy.world · 4 · 1M

> Which is still just as open, but also a massive calling card for anyone trolling around the TOR network

Luckily, it is no longer possible to easily sniff the new v3 addresses by deploying a malicious relay. Any attack to even reveal the existence of a hidden service would require a very specialized setup. And we’re just talking discovery, not the ability to connect and attack the actual service running there.

@ramielrowe@lemmy.world · 5 · edit-2 · 1M

Yeah, I don’t think this is necessarily a horrible idea. It’s just that this doesn’t really provide any extra security, but even the first line of this blog is talking about security. This will absolutely provide privacy via pretty good traffic obfuscation, but you still need good security configuration of the exposed service.

@deafboy@lemmy.world · 2 · 1M

> you still need good security configuration of the exposed service.

In the sense that security comes in layers, yes. But in practice, this setup will prevent 100% of bots scanning the internet for exposed services, and the absolute majority of possible targeted attacks as well. It’s like using any other 3rd-party VPN, except there’s not a central point for the traffic to flow through.

From the attacker’s point of view, nothing is listening there.

I’ve used a similar setup in the past to access a device behind a NAT (possibly multiple NATs) and a dynamic IPv4. Looking back, that ISP was a pure nightmare.
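For readers who want to see what deafboy's "tunnel to your home server without publishing the sshd" setup looks like concretely, and what the "layers" answer above can mean in practice, here is an added example; it is not code from the linked blog or from anyone in this thread. It generates the key pair for v3 onion-service client authorization (the server-side `authorized_clients/<name>.auth` file and the client-side `ClientOnionAuthDir/<name>.auth_private` file, in the formats the tor manual documents), and renders the matching torrc and ssh_config stanzas. With client authorization in place, tor will not even serve the service descriptor to a client that lacks the private key, which is the mitigation for the "calling card" concern raised earlier. X25519 is implemented in pure Python (RFC 7748) so the script runs with no extra packages; the 56-character onion address, the `/var/lib/tor/...` paths and the `home-ssh` alias are placeholders you replace with your own.

```python
import base64
import secrets

# --- X25519 (RFC 7748) in pure Python, so this runs without extra packages ---
P = 2**255 - 19   # field prime
A24 = 121665      # (486662 - 2) / 4, the Montgomery ladder constant


def _clamp(k: bytes) -> int:
    kb = bytearray(k)
    kb[0] &= 248
    kb[31] &= 127
    kb[31] |= 64
    return int.from_bytes(kb, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder scalar multiplication on Curve25519 (RFC 7748, section 5)."""
    k = _clamp(scalar)
    ub = bytearray(u)
    ub[31] &= 127                       # the top bit of u is ignored
    x1 = int.from_bytes(ub, "little") % P
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


BASEPOINT = b"\x09" + b"\x00" * 31


def public_key(secret: bytes) -> bytes:
    return x25519(secret, BASEPOINT)


def b32(raw: bytes) -> str:
    # tor's examples use unpadded upper-case base32 for these keys
    return base64.b32encode(raw).decode().rstrip("=")


def unb32(s: str) -> bytes:
    return base64.b32decode(s.upper() + "=" * (-len(s) % 8))


def client_auth_files(onion: str, secret: bytes = b"") -> dict:
    """Return the two files tor needs for v3 onion-service client authorization."""
    onion = onion.lower()
    if onion.endswith(".onion"):
        onion = onion[: -len(".onion")]
    if len(onion) != 56:
        raise ValueError("v3 onion address must be 56 base32 characters")
    secret = secret or secrets.token_bytes(32)
    pub = public_key(secret)
    return {
        # server side: <HiddenServiceDir>/authorized_clients/<name>.auth
        "server_auth": f"descriptor:x25519:{b32(pub)}",
        # client side: <ClientOnionAuthDir>/<name>.auth_private (tor on the SSH client)
        "client_auth_private": f"{onion}:descriptor:x25519:{b32(secret)}",
    }


def torrc_server(hs_dir: str, sshd_port: int = 22) -> str:
    # sshd keeps listening on loopback only; tor forwards onion port 22 to it
    return f"HiddenServiceDir {hs_dir}\nHiddenServicePort 22 127.0.0.1:{sshd_port}\n"


def ssh_config_client(alias: str, onion: str, socks_port: int = 9050) -> str:
    # OpenBSD netcat speaks SOCKS5 and hands the .onion name to tor unresolved
    return (f"Host {alias}\n    HostName {onion}\n"
            f"    ProxyCommand nc -X 5 -x 127.0.0.1:{socks_port} %h %p\n")


if __name__ == "__main__":
    onion = "a" * 56 + ".onion"          # placeholder; use your real v3 address
    files = client_auth_files(onion)
    print("# server: /var/lib/tor/ssh_onion/authorized_clients/laptop.auth")
    print(files["server_auth"])
    print("# client: ClientOnionAuthDir entry laptop.auth_private")
    print(files["client_auth_private"])
    print(torrc_server("/var/lib/tor/ssh_onion/"))
    print(ssh_config_client("home-ssh", onion))
```

The server's torrc needs the two `HiddenService*` lines; the client's torrc needs `ClientOnionAuthDir` pointing at the directory holding the `.auth_private` file, and `ssh home-ssh` then goes through the local SOCKS port. `torsocks ssh` works in place of the `ProxyCommand` line if you prefer it. The `.auth_private` file is a credential, so give it the same file permissions you give an SSH private key.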

Didn’t see your comment until after I responded, but yes. This is what is happening. It’s stupid.

Take a look at netbird or tailscale
