Date: Mon, 14 Mar 2016 16:52:57 +0000
Message-ID: <CABMkiz70BZV8Oq1O+SGon4iDwQE7p2-E2Q3n9JfJXA9ghAesGA@mail.gmail.com>
From: Ben Tasker <ben@bentasker.co.uk>
To: tor-talk@lists.torproject.org
Subject: Re: [tor-talk] Torsocks plus ssh plus command line browser - does
 this idea make sense?

Hi,

> So am I running torsocks ssh to the VPS and then ssh -D to 8080 at the
> same time?

As before you're using Tsocks to route your SSH connection out over Tor.
Alternatively, if you've got TransPort running (in the example on 9050) you
can pass the following to SSH to achieve the same

    -o ProxyCommand="nc -X 5 -x localhost:9050 %h %p"

You'll also want to disable verification of the Host Key via DNS (to help
prevent leakage)

    -o VerifyHostKeyDNS=no -o CheckHostIP=no

I have this set up in my ssh config file (~/.ssh/config) for various hosts
that run SSH as a hidden service, e.g.

    Host myOnion
      # This should be your .onion
      Hostname domain
      # Whatever username you connect with
      User user
      IdentityFile ~/.ssh/sshhs1.rsa
      ProxyCommand nc -X 5 -x localhost:9050 %h %p
      VerifyHostKeyDNS no
      CheckHostIP no
      IdentitiesOnly yes


As a slightly shameless plug, more here -
https://www.bentasker.co.uk/documentation/linux/307-building-a-tor-hidden-service-from-scratch-part-1
- including a few bits you might want to look at setting on the VPS itself

> Why would the local SOCKS run on 8080? Tor runs, I think, on 9150?

The -D flag tells SSH to enable Dynamic port forwarding. SSH will then
create its own SOCKS proxy, and then torsocks will divert SSH out over
Tor's connection (personally I prefer the transparent mode I mentioned
above).

If you wanted to forward a specific port to a specific host, you could
instead use -L, for example

    ssh -L 8080:example.com:443 myvps

Then when you visit https://localhost:8080 you'd get example.com (though
obviously the certificate validation would fail). I used 8080 there as 443
is a privileged port so you'd need to run your SSH command as root to bind
to it.

Incidentally, if you do decide to use Firefox, be aware that by default it
*doesn't* honour the Proxy configuration for DNS, so you'd get some
leakage. To resolve that, do the following

    about:config
    Create a new boolean called *network.proxy.socks_remote_dns* and set it to True

Depending on what you're accessing and why, you'll want to keep your
"forwarded" browser separate from your day-to-day clearnet browser.

Ben


On Mon, Mar 14, 2016 at 4:33 PM, <blobby@openmailbox.org> wrote:

> The reason, simply, is that I have never used the -D of ssh before!
>
> So am I running torsocks ssh to the VPS and then ssh -D to 8080 at the
> same time?
>
> Why would the local SOCKS run on 8080? Tor runs, I think, on 9150?
>
> I'm sure you're right but could you please spell it out for me. Thanks!
>
>
> On 2016-03-14 13:16, Ben Tasker wrote:
>
>>> c) download a browser that allows access from the command line e.g. Lynx
>>> (not TBB).
>>
>> There are potentially valid reasons for doing it this way, but is there a
>> reason you're not thinking of doing
>>
>> ssh -D 8080 myvps
>>
>> And then pointing (say) Firefox at the local socks port on 8080. (i.e. all
>> steps the same except C - so still routing to the VPS via Tor).
>>
>> You'd want to make sure you could acquire the VPS anonymously, there's
>> little point in having Tor in between if the connection appears to
>> originate from a VPS registered in your name, with your card as the billing
>> details.
>>
>> On Mon, Mar 14, 2016 at 1:11 PM, <blobby@openmailbox.org> wrote:
>>
>>> Let's say I want to access a website and appear to be from country X. I
>>> can't use Tor because there are no exit nodes for Country X.
>>>
>>> Can I:
>>>
>>> a) buy a VPS from a hosting company that provides an IP that is from
>>> Country X?
>>>
>>> b) use torsocks to login to my VPS via ssh.
>>>
>>> c) download a browser that allows access from the command line e.g. Lynx
>>> (not TBB).
>>>
>>> d) access the destination website.
>>>
>>> AIUI, my VPS sees the tor exit node IP but the destination site sees the
>>> VPS IP in Country X.
>>>
>>>
>>> Does this sound viable? Is there an easier way than ssh? If this idea is
>>> sensible, then the command line means I have to use a very basic browser
>>> like Lynx. Correct?
>>>
>>> All ideas / opinions / criticisms / suggestions welcomed.
>>> --
>>> tor-talk mailing list - tor-talk@lists.torproject.org
>>> To unsubscribe or change other settings go to
>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>>>
>>>
>>
>>
>> --
>> Ben Tasker
>> https://www.bentasker.co.uk
>>



-- 
Ben Tasker
https://www.bentasker.co.uk
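
The check below is an added example, not part of Ben's message: it reads the effective settings that `ssh -G <host>` prints and flags any that differ from the Host block in the message (SOCKS ProxyCommand, VerifyHostKeyDNS, CheckHostIP, IdentitiesOnly). The function names, the sample output and the hostname `placeholder.onion` are constructed for illustration.

```shell
#!/bin/sh
# audit_ssh_tor [proxy]: reads `ssh -G <host>` output on stdin, prints one FAIL
# line per setting that differs from the Host block in the message, and returns
# 0 only when every check passes. The default proxy is localhost:9050.
audit_ssh_tor() {
    awk -v proxy="${1:-localhost:9050}" '
        # ssh -G prints one "keyword value" pair per line, keywords in lowercase.
        { key = tolower($1); $1 = ""; val[key] = substr($0, 2) }
        function want_off(k) {
            # Accept "false" as well as "no" for a disabled option.
            if (val[k] != "no" && val[k] != "false") {
                printf "FAIL %s is \"%s\", expected no\n", k, val[k]; bad++
            }
        }
        END {
            # The connection has to leave through the SOCKS proxy.
            if (index(val["proxycommand"], "-x " proxy) == 0) {
                printf "FAIL proxycommand does not use %s\n", proxy; bad++
            }
            want_off("verifyhostkeydns")  # no DNS lookup of host key fingerprints
            want_off("checkhostip")       # no host IP check against known_hosts
            if (val["identitiesonly"] != "yes") {
                print "FAIL identitiesonly is not yes"; bad++
            }
            exit (bad > 0)
        }'
}

# Constructed sample: settings for a host configured as in the message.
sample_good() {
    cat <<'EOF'
hostname placeholder.onion
proxycommand nc -X 5 -x localhost:9050 %h %p
verifyhostkeydns false
checkhostip no
identitiesonly yes
EOF
}
# Constructed sample: the same host with none of those options set.
sample_default() {
    cat <<'EOF'
hostname placeholder.onion
verifyhostkeydns false
checkhostip yes
identitiesonly no
EOF
}
sample_default | audit_ssh_tor || true   # prints three FAIL lines
```

Against a real configuration the call is `ssh -G myOnion | audit_ssh_tor`, which checks the settings ssh would actually use, defaults included, without opening a connection.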

