Tor V3 Authentication
I decided to write about Tor V3 Authentication because I think it is always critical to know the best way to protect our personal servers, especially those that have #bitcoin or other cryptocurrencies, or any personal information.
Security-wise, hosting an onion service is much like hosting a website on the clearnet: anyone who learns the address can reach it, and the application behind it is exposed to the same attacks. This is where Tor v3 authentication (client authorization, in the Tor documentation's terms) makes a difference.
It lets you reach your own onion service from anywhere while making it unusable for anyone who does not hold an authorized key: without one, a client cannot even decrypt the service descriptor that tells it where to connect.
I’m going to be showing how I set up Tor Auth for my personal websites and services hosted on my Raspberry Pi in the next steps.
1 — If you haven’t already, install and configure Tor. Below is a link showing how I installed and configured Tor.
2 — Create a private key
SSH into your Raspberry Pi and generate an X25519 private key with OpenSSL:
$ openssl genpkey -algorithm x25519 -out /tmp/k1.prv.pem
The next commands use base64pem, which comes from the basez package. If you don't already have it installed:
$ sudo apt install basez
Extract the raw 32-byte key from the PEM file (for X25519 it is the last 32 bytes of the decoded DER) and encode it as unpadded base32, the form Tor expects in its auth files and one that is easy to copy around:
$ cat /tmp/k1.prv.pem | grep -v " PRIVATE KEY" | base64pem -d | tail --bytes=32 | base32 | sed 's/=//g' > /tmp/k1.prv.key
Print the private key and store it somewhere safe; Tor Browser will prompt for it when you open the onion service. Treat this string like a password: anyone who has it can reach the service. Delete the files in /tmp once you have stored the keys.
$ cat /tmp/k1.prv.key
3 — Create the public key
The public key is derived from the private key and is the part that goes on the server, inside the configuration directory of your onion service. (An onion service is a website or service on your server that is reachable through the Tor network.)
$ openssl pkey -in /tmp/k1.prv.pem -pubout | grep -v " PUBLIC KEY" | base64pem -d | tail --bytes=32 | base32 | sed 's/=//g' > /tmp/k1.pub.key
Print it and copy it; it goes into the auth file in step 5:
$ cat /tmp/k1.pub.key
4 — If you haven’t configured your website to be accessible through the Tor network follow these steps.
5 — Open /etc/tor/torrc, find the HiddenServiceDir of the service you want to protect, and create a new client.auth file in its authorized_clients subdirectory. The file must be owned by the user Tor runs as (debian-tor on Debian-based systems such as Raspberry Pi OS) and readable only by it, which is why the command runs as that user:
$ sudo -u debian-tor vi /path/to/hidden/service/authorized_clients/client.auth
Name the file after the client it belongs to (for example laptop.auth) so you can tell the clients apart later, always keeping the .auth extension.
Now paste the public key into the file using the format below, replacing PUBLIC_KEY_HERE with the public key copied above:
descriptor:x25519:PUBLIC_KEY_HERE
Tor loads every .auth file in authorized_clients, so you can add one file per client; each file contains exactly one line.
Now restart your tor service:
$ sudo systemctl restart tor
Your service now requires Tor V3 Authentication: without one of the authorized private keys a client cannot decrypt the service descriptor, so it cannot learn the service's introduction points, let alone connect.
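The whole key pipeline from steps 2 to 5 as one worked example. This is code added to these notes, not code from the original post or from the Tor project: a standard-library-only Python script that does what the openssl and basez commands above do, so you can see what the strings in client.auth actually are. It re-implements X25519 from RFC 7748 instead of calling OpenSSL, uses the RFC's published test keys as constructed sample input (wrapped in the same PKCS#8 PEM layout openssl writes), and, going beyond the Tor Browser prompt described later in the post, also emits the .auth_private line a command-line tor client needs when ClientOnionAuthDir is set. The onion address in the demo is a placeholder, not a real service.

```python
"""Tor v3 client-authorization keys, end to end, using only the standard library.

Added example (not code from the post or from the Tor project). It mirrors the
post's openssl/basez pipeline: raw 32-byte key = last 32 bytes of the DER,
public key = X25519(priv, 9), auth files carry the keys as unpadded base32.
Python big-int arithmetic is not constant-time, so the X25519 here is for
understanding the format, not for generating production keys.
"""
import base64
import re

P = 2**255 - 19   # Curve25519 field prime
A24 = 121665      # (A - 2) / 4 with A = 486662


def _clamp(scalar: bytes) -> int:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 section 5 Montgomery ladder with mask-based conditional swap."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        m = -swap                      # 0 or all-ones mask
        diff = m & (x2 ^ x3); x2 ^= diff; x3 ^= diff
        diff = m & (z2 ^ z3); z2 ^= diff; z3 ^= diff
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    m = -swap
    diff = m & (x2 ^ x3); x2 ^= diff; x3 ^= diff
    diff = m & (z2 ^ z3); z2 ^= diff; z3 ^= diff
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def x25519_public(private_key: bytes) -> bytes:
    return x25519(private_key, (9).to_bytes(32, "little"))


def raw_key_from_pem(pem: str) -> bytes:
    """Equivalent of `grep -v KEY | base64pem -d | tail --bytes=32`: for X25519 the raw
    key is the trailing 32 bytes of both the PKCS#8 and the SubjectPublicKeyInfo DER."""
    body = "".join(l for l in pem.splitlines() if l and "-----" not in l)
    der = base64.b64decode(body)
    if len(der) < 32:
        raise ValueError("not an X25519 key PEM")
    return der[-32:]


def tor_base32(raw: bytes) -> str:
    """Unpadded upper-case base32 (the `base32 | sed 's/=//g'` step): 32 bytes -> 52 chars."""
    return base64.b32encode(raw).decode().rstrip("=")


def tor_base32_decode(text: str) -> bytes:
    return base64.b32decode(text + "=" * (-len(text) % 8))


AUTH_LINE = re.compile(r"^descriptor:x25519:([A-Z2-7]{52})$")


def client_auth_line(public_key: bytes) -> str:
    """The single line of <HiddenServiceDir>/authorized_clients/<client>.auth."""
    return "descriptor:x25519:" + tor_base32(public_key)


def parse_client_auth(line: str) -> bytes:
    """Validate a .auth line (one line, unpadded 52-char upper-case base32) and return the key."""
    m = AUTH_LINE.match(line.rstrip("\n"))
    if not m:
        raise ValueError("malformed client.auth line: " + repr(line))
    return tor_base32_decode(m.group(1))


def is_valid_client_auth(line: str) -> bool:
    try:
        return len(parse_client_auth(line)) == 32
    except ValueError:
        return False


def client_auth_private_line(onion_address: str, private_key: bytes) -> str:
    """The single line of <ClientOnionAuthDir>/<name>.auth_private for a command-line
    tor client; the 56-character address goes in WITHOUT the .onion suffix."""
    addr = onion_address[:-6] if onion_address.endswith(".onion") else onion_address
    return addr + ":descriptor:x25519:" + tor_base32(private_key)


# Constructed sample input: the RFC 7748 section 6.1 "Alice"/"Bob" keys, with Alice's
# wrapped in the PKCS#8 PEM that `openssl genpkey -algorithm x25519` writes
# (fixed 16-byte DER header followed by the raw key).
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
PKCS8_X25519_HEADER = bytes.fromhex("302e020100300506032b656e04220420")
PLACEHOLDER_ONION = "a" * 56 + ".onion"   # placeholder, not a real address


def sample_pem() -> str:
    b64 = base64.b64encode(PKCS8_X25519_HEADER + ALICE_PRIV).decode()
    return "-----BEGIN PRIVATE KEY-----\n%s\n-----END PRIVATE KEY-----\n" % b64


if __name__ == "__main__":
    priv = raw_key_from_pem(sample_pem())
    pub = x25519_public(priv)
    print("authorized_clients/alice.auth :", client_auth_line(pub))
    print("alice.auth_private            :", client_auth_private_line(PLACEHOLDER_ONION, priv))
```

Two things worth noticing when you run it. First, the "public key" Tor wants is nothing more than X25519 applied to the raw private key and the base point 9, which is why the openssl/basez pipeline can just chop the last 32 bytes off both PEM files. Second, the parser is deliberately strict: a line with the base32 padding left in, or in lower case, is rejected, which is exactly the kind of file Tor will ignore at startup and leave you wondering why the client is not authorized.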
6 — When accessing the website from a desktop computer using the official Tor Browser you will see something like the following image
The picture above shows a username, but when I tried it, it only asked for the private key. Once you enter the private key copied in the steps above, the website loads successfully.
7 — On iPhone I use Onion Browser, which requires Orbot to work. I use these apps because they are recommended by Tor; there is an official app for Android as well.
When you navigate to an onion service with authentication from Onion Browser on the iPhone, it throws an error and offers to add the private key to Orbot; it is pretty straightforward.
And that’s it, happy and safe surfing!
Disclaimer
I copied the majority of the commands above from websites listed in the reference below, this post serves as personal notes.
References