Hi!
This is a post with the steps I needed to be able to access my TrueNAS interface from outside of my local area network without exposing any ports through the firewall, using the TOR network. The service will only expose the TrueNAS interface to those with the onion address and will not act as a tor relay.

Exposing a service to the internet is not secure: all sorts of hackers and bots move around looking for vulnerable services to grow their attack networks. Because of this, and thanks to the feedback provided, I've edited this runbook to include a second step to require client authentication to access the server.
These steps can be used to expose any kind of service through onion, not just the TrueNAS interface. For example, you could expose your media gallery or a backup service.
First Step: Set up the onion service
What do you need to follow these instructions?
- To be comfortable with the command line
- SSH access to your TrueNAS server.
- Smart phone with 4g access and a TOR browser, to do the testing.
Instructions
Install the service:
- Create a jail with the usual defaults.
- Open an SSH session to the TrueNAS server.
- jexec into the new jail
- Install the editor of choice (mine is vim) and tor
  pkg install vim tor
- Edit the tor config file /usr/local/etc/tor/torrc. I recommend reviewing the whole file, it's quite interesting and well written, but if you want to go to the point, here's what I changed:
  - Change logs to save to file: remove # before Log notice syslog
  - Run as daemon: remove # before RunAsDaemon 1
  - Save certificates and addresses under /var/db/tor. This can allow us to save that information in our main pools if you mount that folder using the TrueNAS interface. Remove # before DataDirectory /var/db/tor
  - In the section for location-hidden services, leave the default values and add the following lines. Replace <IP_ADDR> with the IP of the TrueNAS web interface inside of the local area network
    Code:
    HiddenServiceDir /var/db/tor/hidden_truenas/
    HiddenServicePort 80 <IP_ADDR>:80
  - Save
- Manually start the service
  service tor onestart
- Now, search the onion address automatically generated:
  Code:
  cat /var/db/tor/hidden_truenas/hostname
  ONION_SERVICE_URL
Test the service:
- Open the tor browser inside the phone. It's important that you disable the wifi so you really test that you can access from outside the local network.
- Go to ONION_SERVICE_URL
- Get the home or login page
- Voilà!
Disable the service:
- Now, go back to the terminal and stop the service until it's secured:
service tor onestop
Second Step: Secure the onion service with Client Authorization
What do you need to follow these instructions?
- Smart phone with 4g access and a TOR browser that supports client authentication. I have android, and unfortunately the default Tor Browser doesn't implement client authentication yet, so I use Orbot and the DuckDuckGo browser (I tested with Firefox and couldn't manage to make it work with Orbot in VPN mode).
- A python installation to generate the client authentication. I opted to run the commands in my local machine instead of the container, but you could probably do it as well, I just haven't tested that.
Instructions
Generate the client authentication. These steps will generate a public and a private token for one customer. The public token will be saved in the server; the private token will be used by the client to authenticate and shouldn't be shared with any other client. You'll need to repeat these steps for every client you want to connect to the service:
- In a system with python, download the python snippet https://github.com/pastly/python-snippits/blob/master/src/tor/x25519-gen.py provided in the tor documentation regarding client authorization
- Install the required library PyNaCl:
  pip install PyNaCl
- Run the script, it will print a public and a private token
  Code:
  $ python3 x25519-gen.py
  public: PUBLIC_TOKEN
  private: PRIVATE_TOKEN
- Save these values for later
Add client authorization to the onion service:
- In the jail with tor, go to HiddenServiceDir:
  cd /var/db/tor/hidden_truenas/
- There should be a folder called authorized_clients. If it doesn't exist, create it and assign it to the _tor user and group. Go to that folder:
  cd authorized_clients/
- Create a text file with the auth line of the first customer.
  - The auth line is built from 3 fields separated by ":".
  - The first two fields are fixed: descriptor and x25519.
  - The third one is the public token.
  - It should look like descriptor:x25519:PUBLIC_TOKEN
- Save the file with a name that identifies the client and the auth extension. In my case, juanman80.auth
- Manually start the service
  service tor onestart
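As an added example (not code from the post, nor from the x25519-gen.py snippet it links), the script below produces the same kind of x25519 client-authorization tokens with only the Python standard library: X25519 is implemented from RFC 7748 instead of calling PyNaCl, so it runs offline with no extra package. It writes the server-side descriptor:x25519:PUBLIC_TOKEN line exactly as this section describes, checks such a line before it is installed, and builds the client-side line for a .auth_private file in the format the Tor manual's ClientOnionAuthDir option uses (the same ONION_SERVICE_URL and PRIVATE_TOKEN values Orbot asks for). Because the client line needs the 56-character address without its .onion suffix, it also verifies that an address copied from /var/db/tor/hidden_truenas/hostname in the first step is a well-formed v3 onion address (length, version byte and SHA3-256 checksum as specified in Tor's rend-spec-v3). The function names, and the all-zero service key used only to build a reproducible sample address, are my own constructions.

```python
"""Added example, not from the forum post: Tor v3 client-authorization tokens
with the Python standard library only (X25519 per RFC 7748 instead of PyNaCl)."""
import base64
import hashlib
import os
from typing import Optional, Tuple

P = 2 ** 255 - 19                       # Curve25519 field prime
A24 = 121665                            # (486662 - 2) / 4, RFC 7748 constant
BASEPOINT = (9).to_bytes(32, "little")  # the u = 9 generator


def _clamp(scalar: bytes) -> int:
    """Decode a 32-byte scalar exactly as RFC 7748 section 5 prescribes."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(bytes(k), "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery-ladder scalar multiplication from RFC 7748 section 5."""
    k = _clamp(scalar)
    ub = bytearray(u)
    ub[31] &= 127                       # ignore the unused top bit of u
    x1 = int.from_bytes(bytes(ub), "little")
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def b32(raw: bytes) -> str:
    """Tor writes keys and addresses as unpadded base32."""
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def generate_keypair(private: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Fresh (private, public) x25519 pair; a fixed private key may be passed for tests."""
    private = private if private is not None else os.urandom(32)
    return private, x25519(private, BASEPOINT)


def server_auth_line(public: bytes) -> str:
    """Line for <HiddenServiceDir>/authorized_clients/<client>.auth (format from the post)."""
    return f"descriptor:x25519:{b32(public)}"


def parse_server_auth_line(line: str) -> bytes:
    """Check an .auth line before installing it and return the raw 32-byte public key."""
    fields = line.strip().split(":")
    if len(fields) != 3 or fields[0] != "descriptor" or fields[1] != "x25519":
        raise ValueError("auth line must be descriptor:x25519:PUBLIC_TOKEN")
    if len(fields[2]) != 52:
        raise ValueError("public token must be 52 base32 characters (32 bytes)")
    return base64.b32decode(fields[2].upper() + "====")


def onion_address_from_pubkey(ed25519_pub: bytes) -> str:
    """v3 address = base32(pubkey || sha3_256('.onion checksum' || pubkey || 3)[:2] || 3)."""
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + ed25519_pub + version).digest()[:2]
    return b32(ed25519_pub + checksum + version).lower() + ".onion"


def is_valid_onion_address(addr: str) -> bool:
    """True only for a syntactically correct v3 address whose checksum matches."""
    name = addr[:-6] if addr.endswith(".onion") else addr
    if len(name) != 56:
        return False
    try:
        raw = base64.b32decode(name.upper())
    except ValueError:                  # binascii.Error is a ValueError
        return False
    pub, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != b"\x03":
        return False
    return checksum == hashlib.sha3_256(b".onion checksum" + pub + version).digest()[:2]


def client_auth_private_line(onion: str, private: bytes) -> str:
    """Line for the client's <ClientOnionAuthDir>/<name>.auth_private (Tor manual
    format): the address without its .onion suffix, then the private token."""
    if not is_valid_onion_address(onion):
        raise ValueError("not a valid v3 onion address: " + onion)
    name = onion[:-6] if onion.endswith(".onion") else onion
    return f"{name}:descriptor:x25519:{b32(private)}"


if __name__ == "__main__":
    # Constructed sample: an all-zero service key only makes the address reproducible.
    service = onion_address_from_pubkey(b"\x00" * 32)
    priv, pub = generate_keypair()
    print("server .auth         :", server_auth_line(pub))
    print("client .auth_private :", client_auth_private_line(service, priv))
```

The private token printed by the client line is the secret that the post says must not be shared between clients; the server-side line carries only the public half, so a leaked .auth file does not let anyone else in. Validating the address checksum before writing the client line catches the most common copy mistake (a truncated or mistyped hostname), which otherwise only shows up as a silent connection failure in Orbot.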
Test the service:
- In the android smartphone, open Orbot
- In the three dot menu, go to Onion services -> Client Authorization -> Add
  - .onion Domain: ONION_SERVICE_URL
  - x25519 Private Key in Base32: PRIVATE_TOKEN
  - Save
- Now, Orbot prompts to restart the application, but that wasn't enough for me, or I didn't manage to do it properly. It worked after restarting the whole phone.
- Connect Orbot to the Tor network and enable VPN mode (it should work also in SOCKS mode, I didn't try that)
- Set the browser as a tor-enabled app and open the browser
- Go to ONION_SERVICE_URL
- Get the home or login page
- Voilà!
As an additional test, I repeated the test with the Tor browser (from the first part) and it shouldn't be able to access anymore.
Finally, enable the service:
- Set the tor service to start when the jail starts:
sysrc tor_enable="YES"