SSH with Tor Proxy Fails to Connect

heroinmonk · March 2, 2023, 4:14pm

I’ve been trying to establish an SSH connection between two devices on my local network, using Tor as a proxy. One of these fedora machines is a VM with a bridged network adapter, and ssh works fine in both directions. Well, mostly.

Tor also seems to work fine as an added proxy for things like curl and the lynx browser.

So then, how would you yourself use SSH over tor, or whatever proxy perhaps, say from a fresh install, in this situation?

I’ve tried a few netcat proxycommand thingies, a proxyjump method, and I have tried simply using

‘torsocks ssh -p somePort user@someIP’

…which gives me the following error:

ERROR torsocks[6849]: General SOCKS server failure (in socks5_recv_connect_reply() at socks5.c:527)
ssh: connect to host [IP-ADDRESS] port 22: Connection refused

while using netcat with the following stuff in the config file:

Host whatever
Hostname [IP-ADDRESS]
User user
Proxycommand socat - SOCKS4A:localhost:%h:%p,socksport=9050

brings me this error:

socat[6932] E socks: connect request rejected or failed
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535

Far as I recall at this very moment, the error messages have been the same in both directions. I’ve tried aiming at the ssh server as per usual, but also at the onion service I had set up on the one machine.

Anyway, I’m so green in the boots with regards to everything about this, and I’ve been trying so many different little methods, that I’ll leave it there for now. Might be a real easy solution anyhow, of course.

But any old tip would be much appreciated, any question welcome.

ilikelinux · March 2, 2023, 4:44pm

This error I gett when the sshd not is started on the machine I want to connect to or the default port 22 is not used. Second you would need to connect while adding the port number.

Checking the port number you can do with the app nmap IPNUMBER

vgaetera · March 2, 2023, 4:50pm

sudo dnf install tor torsocks
sudo systemctl enable tor.service 
sudo systemctl restart tor.service
torsocks ssh user@host -p port

heroinmonk · March 2, 2023, 6:01pm

I’ve made sure ssh works in both directions with sshd listening to port 22, as per default, the last few times I’ve tried, as well as with it listening to a custom port where I’ve added ‘-p portNumber’. Simply OpenSSH works fine either way.

I haven’t a clue except the VM might be causing trouble. The VM is on a Windows machine.

Sorry, I forgot to add that I’m not sure what you meant by the advice that I check the port number with ‘nmap IPNUMBER’.

heroinmonk · March 2, 2023, 6:03pm

I’ve been using this to no avail. Do you mean I should remove ‘tor’, install only ‘torsocks’, and then try again?

vgaetera · March 2, 2023, 6:31pm

Is this a typo, or did you miss the ssh command here?

Also note:

If the SSH server has no public IP, you need to configure SSH as a Tor onion service.
The firewall on the SSH server must allow incoming connections on the SSH port worldwide.
Tor exit nodes can block connections due to their own local or regional restrictions, so you may need to change the exit node to access a specific resource.

heroinmonk · March 2, 2023, 7:23pm

Typo, and thank you.

ilikelinux · March 2, 2023, 7:28pm

If you want to find out the port number of a network-service in your network you can install

sudo dnf install nmap
and after use nmap 192.168.1.1 in terminal (example IP-Address = IPNUMBER above) to see the open ports on this address.

heroinmonk · March 2, 2023, 7:50pm

Just to be clear, should I know at this point that connecting over SSH over Tor requires aiming the connection at an Onion/Hidden Service?

It has seemed to me there should be the case of simply routing a connection over Tor, and then the case of aiming the connection at an Onion/Hidden service.

I’ll be back after having tried the latest advice as given by this thread.

vgaetera · March 2, 2023, 8:33pm

Setting up SSH as a Tor onion service is not required if the server is globally reachable:

> torsocks ssh github.com
The authenticity of host 'github.com (140.82.114.4)' can't be established.
ED25519 key fingerprint is SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])?

This assumes you are running Tor on the client side:

> systemctl status tor.service 
● tor.service - Anonymizing overlay network for TCP
     Loaded: loaded (/usr/lib/systemd/system/tor.service; enabled; preset: disabled)
     Active: active (running) since Thu 2023-03-02 21:04:07 GMT; 52s ago
    Process: 21350 ExecStartPre=/usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/torrc --verify-config (code=exited, status=0/SUCCESS)
   Main PID: 21352 (tor)
      Tasks: 1 (limit: 4627)
     Memory: 28.8M
        CPU: 920ms
     CGroup: /system.slice/tor.service
             └─21352 /usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/torrc

Mar 02 21:04:08 fedora Tor[21352]: Bootstrapped 5% (conn): Connecting to a relay
Mar 02 21:04:08 fedora Tor[21352]: Opening Control listener on /run/tor/control
Mar 02 21:04:08 fedora Tor[21352]: Opened Control listener connection (ready) on /run/tor/control
Mar 02 21:04:09 fedora Tor[21352]: Bootstrapped 10% (conn_done): Connected to a relay
Mar 02 21:04:09 fedora Tor[21352]: Bootstrapped 14% (handshake): Handshaking with a relay
Mar 02 21:04:09 fedora Tor[21352]: Bootstrapped 15% (handshake_done): Handshake with a relay done
Mar 02 21:04:09 fedora Tor[21352]: Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits
Mar 02 21:04:09 fedora Tor[21352]: Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits
Mar 02 21:04:09 fedora Tor[21352]: Bootstrapped 95% (circuit_create): Establishing a Tor circuit
Mar 02 21:04:11 fedora Tor[21352]: Bootstrapped 100% (done): Done

ilikelinux · March 2, 2023, 9:30pm

Does this really make sense (using tor network) in between a local network?
Are the ssh connections also just in the local netowork?

With a bridged adapter you work on a switch level. Why would you route your traffic thru the onion network? Use a 192.168.x.x address range to communicate in between your network. This not get routed in to the internet. Or did I miss something ?

heroinmonk · March 3, 2023, 5:11am

Does this really make sense (using tor network) in between a local network?

It does not. I had been working under the impression that even the local network IP addresses would bounce off my ISP and then get back inside.

So, now my question is all changed. I’ve also added previously thought unneeded information to it.

How do I reach my VM machine, what is online through a phone Internet Hotspot, from another device somewhere in the world, but over Tor?

vgaetera · March 3, 2023, 10:54am

Setting up SSH as a Tor onion service:

# Server
sudo dnf -y install tor openssl openssh-server
sudo tee -a /etc/tor/torrc << EOF > /dev/null
HiddenServiceDir /var/lib/tor/onion_service
HiddenServicePort 22 127.0.0.1:22
EOF
sudo systemctl enable tor.service sshd.service
sudo systemctl restart tor.service sshd.service
sudo cat /var/lib/tor/onion_service/hostname

# Client
sudo dnf -y install tor torsocks openssh-clients
sudo systemctl enable tor.service
sudo systemctl restart tor.service
torsocks ssh hostname.onion

However, be aware that SSH over Tor is quite slow.
VPN or IPv6 are much better solutions to access personal services remotely.

heroinmonk · March 4, 2023, 12:07pm

So, I was just able to connect to my onion service using ‘torsocks ssh user@.onion’.

It only works sometimes though, so why might that be? Some exit nodes being blocked by the ISP before the other end?

I went from the connection getting established successfully to it failing with

No route to host

after simply having restarted the tor and sshd services.

Update:
It seems that the one device being a VM has something to do with these issues. I will often get

No route to host

from trying to connect to the VM from somewhere else outside, only for the exact same command to work the next time I use it. Usually this problem occurs in the direction of the VM, but not in the direction out of the VM.

vgaetera · March 4, 2023, 12:54pm

That’s possible.
Exit nodes can also be configured to allow only HTTP/HTTPS connections.
In addition, the country of the exit node can subject traffic to DPI and regional restrictions.

This should only work for globally routed IPs, otherwise you need to use an onion address.

heroinmonk · March 4, 2023, 1:02pm

Right, I did mean ‘.onion’, rather than IPAddress.

So, I guess that simply restarting the tor service until I get a ‘good’ exit node might be a way of resolving the issue.

vgaetera · March 4, 2023, 1:22pm

You can actually filter problematic exit nodes by node name or country code:

heroinmonk · March 5, 2023, 5:47pm

It is slow indeed, but now it works at least. Only, often I have to retry a few times in order to not get the ‘No route to host’ error.

Next I’ll be looking at using unix sockets with regards to all this, but that’d be a different thread, I suppose, and thank you for your other tips.