Garlic and onion hosting: how to stand up a web resource whose domain cannot be taken away





Disclaimer: the tools described here are completely legal. A tool is like a knife: one person slices cabbage for a salad, another uses it in an attack. This post is therefore devoted exclusively to tools that can be used for good or for ill.



Global DNS is a wonderful thing that has survived for decades. But it has a fundamental problem: your domain can simply be seized if someone decides you have violated something, or if someone with money and connections holds a grudge against you. Everyone remembers what happened to torrents.ru. If for some reason you want to remove that risk, look towards overlay networks that simply have no regulator able to take a name away. So we will stand up onion and i2p web resources.



Onion rings



Let's start with the classic. I think almost everyone on Habr has used Tor in the form of the Tor Browser Bundle. It helped me a lot when, during the hunt for Telegram, connectivity to the largest hosters suddenly started breaking in the most unexpected places. In this mode Tor uses classic onion routing: data is wrapped layer by layer in encryption so that no single relay can link the source and destination of a packet. Nevertheless, the end of the route is still the regular Internet, which we reach through exit nodes.



This solution has several problems:



  1. Exit- , , . , , , .
  2. tor , .





Therefore we will stand up the onion resource directly inside the network, with no dependence on the regular Internet, for example as an additional backup entry point to your site. Let's assume you already have a web server with some content served by nginx. First, if you do not want it reachable from the public Internet, take the trouble to open iptables and configure your firewall: the web server must be blocked from everywhere except localhost, and better still, make nginx listen on 127.0.0.1 only rather than on all interfaces. As a result you have a site reachable locally at localhost:8080/. Adding https on top would be redundant here, since the tor transport takes care of that: the connection to a .onion is encrypted end to end and the address itself authenticates the service.



Expanding TOR



I will walk through the installation on Ubuntu, but there are no fundamental differences on other distributions. First, let's set up the repository. The official documentation does not recommend using the packages maintained by the distribution itself, since they may lag behind upstream and contain critical vulnerabilities that the developers have already patched. Moreover, the developers recommend the unattended-upgrades mechanism for automatic updates so that fixes arrive promptly.



Create a file for an additional repository:



# nano /etc/apt/sources.list.d/tor.list


And add the necessary lines to it (bionic is the codename of Ubuntu 18.04; substitute the codename of your release):



deb https://deb.torproject.org/torproject.org bionic main
deb-src https://deb.torproject.org/torproject.org bionic main


Now we need to import the gpg signing key, without which apt will rightly refuse to trust the new packages. Before adding it, check that the fingerprint matches the one published in the official Tor documentation:



# curl https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --import
# gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -


Now you can install the main package from upstream together with the keyring package, which keeps the repository signing key current. (apt-key is deprecated on current releases; the Tor project's present instructions instead store the key under /usr/share/keyrings and reference it with a signed-by= option in the sources line.)



# apt update
# apt install tor deb.torproject.org-keyring


Configuring proxying



The daemon's configuration file is /etc/tor/torrc. After changing it, do not forget to restart the daemon.

A word of warning for the especially curious: do not enable relay mode on your home machine, and especially not exit mode. You may get a visit from the police. On a VPS I would not configure the node as a relay either, since it creates a fairly significant load on both CPU and traffic: on a wide channel you can easily reach 2-3 terabytes per month.



Find a section in torrc that looks like this:



############### This section is just for location-hidden services ###


Here you register your localhost web resource, roughly like this (the Ubuntu package keeps its state under /var/lib/tor; the directory must belong to the user tor runs as, debian-tor, with mode 0700, or tor will refuse to start):



HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8080


Or you can use a unix socket (nginx must then listen on that socket, and it must be writable by the user tor runs as):



HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 unix:/path/to/socket


We get the address



That's it: now restart the tor daemon through systemctl and look in HiddenServiceDir. It will contain several files: the service keys (hs_ed25519_secret_key and hs_ed25519_public_key for a v3 service) and a hostname file with your onion address. In the original v2 scheme this was a random 16-character identifier; for example, gjobqjj7wyczbqie.onion was the address of the Candle search engine. Since Tor 0.3.5 the default is HiddenServiceVersion 3, which gives a 56-character address always ending in 'd' (an Ed25519 public key followed by a checksum and a version byte), and v2 addresses were retired from the network in 2021, so the 16-character examples here no longer resolve. The address is entirely random, but with a long enough search you can generate a human-readable pair of address and private key. Of course, not all of the characters: that would take billions of years. For example, the well-known Flibusta book catalogue had the mirror flibustahezeous3.onion, and Facebook spent a lot of resources picking the most euphonious of the generated options: facebookcorewwwi.onion.
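The v3 address format behind that hostname file, as an added example (my own code, not from the post or the Tor project): it reads the raw public key out of hs_ed25519_public_key, derives the .onion name by the rend-spec-v3 checksum rule, validates an address the way a client does before connecting, and computes how many key pairs a vanity prefix of a given length costs on average. The key file bytes below are constructed for the example, not a real service key.

```python
import base64
import hashlib

# Layout of the hs_ed25519_public_key file that tor writes for a v3 service:
# a 32-byte tag ("== ed25519v1-public: type0 ==" zero-padded) followed by the
# raw 32-byte Ed25519 public key.
PUBKEY_FILE_TAG = b"== ed25519v1-public: type0 ==".ljust(32, b"\x00")
VERSION = b"\x03"
B32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"

# Constructed sample (not a real service key): the tag plus 32 stand-in bytes.
SAMPLE_KEY_FILE = PUBKEY_FILE_TAG + bytes(range(32))


def _label(address):
    """Strip an optional .onion suffix and normalise case."""
    address = address.strip().lower()
    return address[:-6] if address.endswith(".onion") else address


def pubkey_from_key_file(data):
    """Return the raw 32-byte public key from hs_ed25519_public_key contents."""
    if len(data) != 64 or data[:32] != PUBKEY_FILE_TAG:
        raise ValueError("not a tor hs_ed25519_public_key file")
    return data[32:]


def onion_v3_address(pubkey):
    """rend-spec-v3: base32(pubkey || checksum || version) + '.onion', where
    checksum = SHA3-256('.onion checksum' || pubkey || version)[:2]."""
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]
    label = base64.b32encode(pubkey + checksum + VERSION).decode("ascii").lower()
    return label + ".onion"  # 56 characters, always ending in 'd' (version 3)


def onion_version(address):
    """2 for the retired 16-character v2 format, 3 for 56-character v3, else 0."""
    return {16: 2, 56: 3}.get(len(_label(address)), 0)


def parse_onion_v3(address):
    """Validate length, version byte and checksum; return the embedded public key.
    Raises ValueError for a mistyped, truncated or forged address."""
    label = _label(address)
    if len(label) != 56 or any(c not in B32_ALPHABET for c in label):
        raise ValueError("v3 onion label must be 56 base32 characters")
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION:
        raise ValueError("unexpected version byte")
    if checksum != hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]:
        raise ValueError("checksum mismatch")
    return pubkey


def expected_vanity_attempts(prefix):
    """Average number of key pairs to try for a chosen prefix: 32 ** len(prefix).
    Only the first 51 characters are determined by the key alone; the tail carries
    checksum and version bits, so a fully chosen 56-character address is impossible."""
    if not 1 <= len(prefix) <= 51 or any(c not in B32_ALPHABET for c in prefix):
        raise ValueError("prefix must be 1-51 base32 characters")
    return 32 ** len(prefix)


if __name__ == "__main__":
    key = pubkey_from_key_file(SAMPLE_KEY_FILE)
    addr = onion_v3_address(key)
    print(addr, onion_version(addr), parse_onion_v3(addr) == key)
    print("an 8-character prefix costs about %d keys on average" % expected_vanity_attempts("facebook"))
```

The checksum is what makes a mistyped address fail cleanly instead of routing you to a different service, and the same function is the check a client does before contacting the directory; tools such as mkp224o grind through candidate key pairs with exactly this derivation until the prefix matches.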



That's it: after a short while your service descriptor will be published and the resource becomes reachable from anywhere on the Tor network. Note that you can forward not only http but any TCP service this way.



Garlic




The second option is, by design, even more paranoid. The i2p project was never conceived as a means of proxying traffic to the regular Internet; architecturally it is a completely closed overlay network. Separate gateways in both directions exist, but they are the exception, and they are potentially unsafe.




Red i2p reference logo and magenta i2pd implementation



I2p has several implementations of the router software. The official one is written in Java, and it monstrously devours every available resource, both RAM and CPU. Nevertheless, it is the one considered the reference, and it is audited regularly. I would recommend the much lighter i2pd, written in C++. It has its nuances, which may cause some i2p applications to misbehave, but overall it is an excellent alternative implementation, and it is under active development.



Installing the daemon



The best part is that the authors provide many deployment options, including docker and snap. You can take the classic repository route:



sudo add-apt-repository ppa:purplei2p/i2pd
sudo apt-get update
sudo apt-get install i2pd


But I would advise using snap. It not only deploys the daemon quickly and conveniently, but also delivers automatic updates straight from upstream, depending on the channel you pick.



no_face@i2pd:~$ snap info i2pd
name:      i2pd
summary:   Distributed anonymous networking framework
publisher: Darknet Villain (supervillain)
store-url: https://snapcraft.io/i2pd
license:   BSD-3-Clause
description: |
  i2pd (I2P Daemon) is a full-featured C++ implementation of I2P client.
  I2P (Invisible Internet Protocol) is a universal anonymous network layer.
  All communications over I2P are anonymous and end-to-end encrypted,
  participants don't reveal their real IP addresses.
snap-id: clap1qoxuw4OdjJHVqEeHEqBBgIvwOTv
channels:
  latest/stable:    2.32.1 2020-06-02 (62) 16MB -
  latest/candidate: ↑
  latest/beta:      ↑
  latest/edge:      2.32.1 2020-06-02 (62) 16MB -


Install snapd if you haven't already, then install i2pd from the default stable channel:



apt install snapd
snap install i2pd


Configuring



Unlike the Java version with its web GUI, i2pd does not have so many settings, knobs and tabs: only the essentials, to the point of asceticism. In any case, the easiest way is to configure it directly in the config file.



To make your web resource reachable in i2p you proxy it the same way as with onion. Open tunnels.conf (~/.i2pd/tunnels.conf when i2pd runs under your own user, /etc/i2pd/tunnels.conf for the package install) and add your backend:



[anon-website]
type = http
host = 127.0.0.1
port = 8080
keys = anon-website.dat


After restarting the daemon you will get a random .b32.i2p address: 52 base32 characters, which are the SHA-256 hash of your destination (the public keys generated into anon-website.dat). You can see it in the web console, available by default at 127.0.0.1:7070/?page=i2p_tunnels. By default it listens only on the local interface; if necessary, allow access to it from your own IP address. It will look something scary like ukeu3k5oycgaauneqgtnvselmt4yemvoilkln7jpvamvfx7dnkdq.b32.i2p.
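How that .b32.i2p name is derived, as an added example (my own code, not i2pd's): it locates the Destination at the head of a tunnel keys file such as anon-website.dat by reading the certificate length rather than assuming a fixed size, hashes it to the b32 name, and converts between the raw destination and the base64 form (I2P's alphabet uses - and ~ in place of + and /) that the console shows and that hosts.txt-style addressbook entries carry. The keys file bytes are constructed for the example; the layout follows I2P's common structures spec.

```python
import base64
import hashlib

# I2P Destination layout (common structures spec): a 256-byte public key, a
# 128-byte signing-key field, then a Certificate: 1 type byte, 2-byte big-endian
# length, payload.  A KeyCertificate (type 5) carries sigtype(2) + cryptotype(2);
# for Ed25519 (sigtype 7) the 32-byte key is right-aligned in the 128-byte field
# with padding in front of it, so the certificate payload is just those 4 bytes.
PUBKEY_LEN, SIGKEY_FIELD_LEN, CERT_HDR_LEN = 256, 128, 3
_STD, _I2P = b"+/", b"-~"  # I2P's base64 alphabet swaps these two characters

# Constructed sample keys file (not real keys): a stand-in crypto key, a 32-byte
# stand-in signing key right-aligned in its field, a KeyCertificate of length 4
# (sigtype 7 = Ed25519, cryptotype 0 = ElGamal), then 96 bytes standing in for
# the private keys that follow the destination in a real anon-website.dat.
SAMPLE_KEYS_FILE = (
    bytes([0xA5]) * PUBKEY_LEN
    + bytes(range(32)).rjust(SIGKEY_FIELD_LEN, b"\x00")
    + b"\x05" + (4).to_bytes(2, "big") + (7).to_bytes(2, "big") + (0).to_bytes(2, "big")
    + bytes([0x5A]) * 96
)


def destination_length(data):
    """Length of the Destination at the head of `data`, found by reading the
    certificate length field rather than assuming the classic 387 bytes."""
    hdr = PUBKEY_LEN + SIGKEY_FIELD_LEN
    if len(data) < hdr + CERT_HDR_LEN:
        raise ValueError("too short for a Destination")
    cert_len = int.from_bytes(data[hdr + 1:hdr + CERT_HDR_LEN], "big")
    total = hdr + CERT_HDR_LEN + cert_len
    if len(data) < total:
        raise ValueError("truncated certificate")
    return total


def destination_from_keys_file(data):
    """The destination (all public material) is the prefix of the keys file."""
    return data[:destination_length(data)]


def b32_address(dest):
    """.b32.i2p name: base32(SHA-256(destination)) with '=' padding dropped,
    which is always 52 characters."""
    digest = hashlib.sha256(dest).digest()
    return base64.b32encode(digest).decode("ascii").lower().rstrip("=") + ".b32.i2p"


def i2p_b64encode(dest):
    """Destination in the base64 form shown by the console and used in hosts.txt."""
    return base64.b64encode(dest).translate(bytes.maketrans(_STD, _I2P)).decode("ascii")


def i2p_b64decode(text):
    """Inverse of i2p_b64encode: map I2P's alphabet back before decoding."""
    return base64.b64decode(text.encode("ascii").translate(bytes.maketrans(_I2P, _STD)))


def hosts_line(name, dest):
    """An addressbook entry of the form name=destination, as in a hosts.txt feed."""
    return "%s=%s" % (name, i2p_b64encode(dest))


def b32_from_hosts_line(line):
    """Resolve an addressbook line to the .b32.i2p name its destination hashes to,
    which is how you check that a subscription really points at your own keys."""
    name, b64 = line.strip().split("=", 1)
    return name, b32_address(i2p_b64decode(b64))


if __name__ == "__main__":
    dest = destination_from_keys_file(SAMPLE_KEYS_FILE)
    print(len(dest), b32_address(dest))
    print(b32_from_hosts_line(hosts_line("anon-website.i2p", dest)))
```

Because the b32 name is a hash of the public keys alone, anyone who holds your keys file can reproduce it, and a readable name from an addressbook subscription is only as trustworthy as the feed that published it; comparing the feed's destination hash against your own b32 is the check worth doing.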



The i2p network has a semblance of DNS, but it is more like a distributed /etc/hosts. In the console you subscribe to specific sources that tell you how to reach the notional flibusta.i2p. So for a large resource it makes sense to register a more or less readable name with a registry such as inr.i2p.



Can i2p and onion be deployed on our servers?



A warning up front: RuVDS is not bulletproof hosting. In the event of a substantiated complaint against our client we can terminate the contract and shut down the virtual machine, and most hosters will do the same. However, because of the tor architecture, and even more so i2p's, it is very difficult, and often simply impossible, to determine exactly where a site is hosted.



Nevertheless, there is nothing illegal in using such tools as such. So we will not object if you open a mirror of your legal web resource in the overlay networks. In any case, I once again strongly recommend against blind experiments with tor on your home machine: either your IP ends up blacklisted, or the police turn up. Better to rent a VPS; it is inexpensive.





