A Guide to running Onion Services on a Raspberry Pi 4

Hello!

Table of contents

  1. Shopping List
  2. Download List
  3. Get the Raspberry Pi running
  4. Install Tor
  5. Onion Webservice
  6. Onion IRCservice

Shopping List

  1. Raspberry Pi 4 Model B - 4GB RAM
  2. Raspberry Pi USB-C - 3A
  3. Sandisk Ultra Micro-SD - 32GB
  4. Ethernet cable

Download List

  1. Raspbian Lite
  2. Etcher
  3. Angry IP Scanner

Get the Raspberry Pi running

  1. Flash the Raspbian image to the Micro-SD using Etcher
  2. Add an empty file named "ssh" to the boot partition of the Micro-SD
  3. Insert the Micro-SD into the Raspberry Pi
  4. Connect an Ethernet cable and the power supply
  5. Use Angry IP Scanner to find it on the network

Connect via SSH

On a separate computer connected to the network:

$ ssh pi@<IP-address>

Default password is "raspberry"

Change the default password for pi:

$ passwd

Change the default password for root:

$ sudo su
$ passwd
$ exit

Update the Raspberry Pi

$ sudo apt-get update
$ sudo apt-get dist-upgrade
$ sudo apt-get install rpi-update
$ sudo rpi-update
$ sudo reboot

Bonus step: SSH using keys

On a separate computer connected to the network:

$ ssh-keygen
$ echo -e "Host pi\n HostName <IP-address>\n User pi" >> ~/.ssh/config
$ scp ~/.ssh/id_rsa.pub pi@<IP-address>:~/id_rsa.pub

On the Raspberry Pi:

$ ssh-keygen
$ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
$ rm ~/id_rsa.pub
$ sudo vim /etc/ssh/sshd_config

Add the following line:

PasswordAuthentication no

Restart SSH

$ sudo systemctl restart ssh
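
An added check, not part of the original guide: sshd uses the first value it reads for each keyword, and a line placed after a Match block only applies inside that block, so an appended "PasswordAuthentication no" can be silently ignored. The helper name effective_sshd_option and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. effective_sshd_option is a
# hypothetical helper name; the sample configs below are constructed.

# effective_sshd_option FILE KEYWORD
# Print the value sshd takes from FILE's global section: the first
# uncommented occurrence of KEYWORD before any "Match" line, or "unset".
# Files pulled in with "Include" are not followed; `sudo sshd -T` prints
# the fully resolved configuration on the Pi itself.
effective_sshd_option() {
  awk -v want="$2" '
    BEGIN { want = tolower(want); val = "unset" }
    NF == 0 || $1 ~ /^#/ { next }          # skip blanks and comments
    tolower($1) == "match" { exit }        # global section ends here
    tolower($1) == want { val = $2; exit } # first occurrence wins
    END { print val }
  ' "$1"
}

demo_dir=$(mktemp -d)

# Constructed: the new line was appended after an earlier "yes" and a Match block.
cat > "$demo_dir/appended" <<'EOF'
PasswordAuthentication yes
Match User backup
  X11Forwarding no
PasswordAuthentication no
EOF

# Constructed: the existing line was edited in place.
cat > "$demo_dir/edited" <<'EOF'
#PasswordAuthentication yes
PasswordAuthentication no
EOF

for f in appended edited; do
  printf '%s: PasswordAuthentication %s\n' "$f" \
    "$(effective_sshd_option "$demo_dir/$f" PasswordAuthentication)"
done
rm -rf "$demo_dir"
```

If the keyword is reported as "unset", sshd falls back to its default, which allows password logins.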

Install Tor and enable on startup

$ sudo apt-get update
$ sudo apt-get install tor
$ sudo systemctl enable tor

Install a webserver (nginx)

Installation

$ sudo apt-get update
$ sudo apt-get install nginx

Create a webserver:

(Additional websites: repeat process with new <website_name> and <port>)

$ sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/<website_name>
$ sudo ln -s /etc/nginx/sites-available/<website_name> /etc/nginx/sites-enabled/<website_name>
$ sudo vim /etc/nginx/sites-available/<website_name>

Change the content to:

server {
  listen 127.0.0.1:<port>;
  server_name <website_name>;
  root /usr/share/nginx/html/<website_name>;
  index index.html index.htm;
  location / {
    allow 127.0.0.1;
    deny all;
  }
}

Restart nginx

$ sudo systemctl restart nginx

Location of the index.html file:

/usr/share/nginx/html/<website_name>/index.html

Enable the onion service

$ sudo vim /etc/tor/torrc

Uncomment and change the following lines:

HiddenServiceDir /var/lib/tor/<service_name>/
HiddenServicePort 80 127.0.0.1:<port>

Restart Tor and get the URL:

$ sudo /etc/init.d/tor restart
$ cat /var/lib/tor/<service_name>/hostname

The address should consist of 56 characters followed by the suffix .onion

Install IRC server (InspIRCd)

$ sudo apt-get update
$ sudo apt-get install inspircd
$ sudo vim /etc/inspircd/inspircd.conf

Edit the following, ignore the rest:

<admin name="admin"
nick="admin"
email="root@localhost">

<bind address="127.0.0.1"
port="6667"
type="clients">

<power diepass="<password>"
restartpass="<password>">

<oper name="root"
password="<password>"
host="*@localhost"
type="NetAdmin">

<files motd="/etc/inspircd/inspircd.motd"
rules="/etc/inspircd/inspircd.rules">

Edit the motd and rules:

$ sudo vim /etc/inspircd/inspircd.motd
$ sudo vim /etc/inspircd/inspircd.rules

Restart InspIRCd

$ sudo systemctl restart inspircd

Enable the onion service

$ sudo vim /etc/tor/torrc

Add the following two lines

HiddenServiceDir /var/lib/tor/<service_name>/
HiddenServicePort 6667 127.0.0.1:6667

Restart Tor and get the URL

$ sudo /etc/init.d/tor restart
$ cat /var/lib/tor/<service_name>/hostname

The address should consist of 56 characters followed by the suffix .onion
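
An added audit, not part of the original guide, covering both the web and the IRC onion service above: it confirms that every HiddenServicePort forwards to a loopback address or a unix socket, so the backend is reachable only through Tor, and that a hostname has the 56-character v3 form. The function names and the sample torrc are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names and the sample
# torrc are constructed for illustration.

# audit_torrc FILE
# Print one line per HiddenServicePort: "OK" when the backend is loopback or
# a unix socket, "EXPOSED" otherwise. Returns 1 if anything is EXPOSED.
audit_torrc() {
  awk '
    function local_only(t,   host) {
      # No target or a bare port: tor forwards to 127.0.0.1.
      if (t == "" || t ~ /^[0-9]+$/ || t ~ /^unix:/) return 1
      host = t; sub(/:[0-9]+$/, "", host)
      return (host ~ /^127\./ || host == "[::1]")
    }
    NF == 0 || $1 ~ /^#/ { next }
    tolower($1) == "hiddenservicedir"  { dir = $2; next }
    tolower($1) == "hiddenserviceport" {
      ok = local_only($3)
      if (!ok) bad = 1
      printf "%s %s %s -> %s\n", (ok ? "OK" : "EXPOSED"), dir, $2,
             ($3 == "" ? "127.0.0.1:" $2 : $3)
    }
    END { exit (bad ? 1 : 0) }
  ' "$1"
}

# valid_v3_hostname NAME
# A v3 onion name is base32 of 35 bytes (key, checksum, version 0x03), i.e.
# 56 characters of [a-z2-7]; the trailing version byte makes the last one "d".
valid_v3_hostname() {
  printf '%s\n' "$1" | grep -Eq '^[a-z2-7]{55}d\.onion$'
}

sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed torrc fragment
HiddenServiceDir /var/lib/tor/web/
HiddenServicePort 80 127.0.0.1:8080
HiddenServiceDir /var/lib/tor/irc/
HiddenServicePort 6667 192.168.1.20:6667
EOF
audit_torrc "$sample" || echo "review the EXPOSED lines above"
rm -f "$sample"
```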

Install and configure IRC client (Weechat)

$ sudo apt-get update
$ sudo apt-get install tor
$ sudo apt-get install weechat-curses
$ weechat-curses

Privacy configurations

/set irc.server_default.nicks "user"
/set irc.server_default.msg_part ""
/set irc.server_default.msg_quit ""
/set irc.ctcp.clientinfo ""
/set irc.ctcp.source ""
/set irc.ctcp.time ""
/set irc.ctcp.userinfo ""
/set irc.ctcp.version ""
/set irc.ctcp.ping ""
/plugin unload xfer
/set weechat.plugin.autoload "*,!xfer"

Connect to the Tor IRC service

/proxy add tor socks5 127.0.0.1 9050
/server add <server_name> <onion-address>/6667
/set irc.server.<server_name>.proxy "tor"
/connect <server_name>

https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WeeChat

Client Authentication in Tor

TODO

https://gist.github.com/mtigas/9c2386adf65345be34045dace134140b

Public-key destination on the Raspberry Pi:

/var/lib/tor/<service_name>/authorized_clients/<key_name>.auth
$ sudo /etc/init.d/tor restart

Private-key destination on Client:

tor-browser_en-US/Browser/TorBrowser/Data/Tor/auth/<key_name>.auth_private
$ sudo vim tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc

Add the following line:

ClientOnionAuthDir TorBrowser/Data/Tor/auth
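
An added sketch, not part of the original guide, of producing the two key files named above: an x25519 key pair is generated on the client, the public half goes into <key_name>.auth on the Pi and the private half into <key_name>.auth_private on the client. The function names are hypothetical, and the key-extraction pipeline assumes OpenSSL 1.1 or later and GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names are hypothetical;
# the key-extraction pipeline assumes OpenSSL 1.1+ and GNU coreutils.

# pem_to_b32: read a PEM x25519 key on stdin, print the raw 32-byte key as
# unpadded base32 (the encoding tor expects in both files).
pem_to_b32() {
  grep -v ' KEY-----' | base64 -d | tail -c 32 | base32 | tr -d '=\n'
}

# gen_client_keypair: print "PRIVATE PUBLIC" for one new client.
gen_client_keypair() {
  pem=$(openssl genpkey -algorithm x25519) || return 1
  printf '%s %s\n' "$(printf '%s\n' "$pem" | pem_to_b32)" \
    "$(printf '%s\n' "$pem" | openssl pkey -pubout | pem_to_b32)"
}

# write_server_auth DIR KEY_NAME PUBLIC
# Creates DIR/KEY_NAME.auth for the service's authorized_clients directory.
write_server_auth() {
  ( umask 077; printf 'descriptor:x25519:%s\n' "$3" > "$1/$2.auth" )
}

# write_client_auth DIR KEY_NAME ONION_ADDRESS PRIVATE
# Creates DIR/KEY_NAME.auth_private; the address is stored without ".onion".
write_client_auth() {
  ( umask 077
    printf '%s:descriptor:x25519:%s\n' "${3%.onion}" "$4" \
      > "$1/$2.auth_private" )
}

# Demo into a scratch directory, with a placeholder onion address.
if command -v openssl >/dev/null 2>&1; then
  scratch=$(mktemp -d)
  set -- $(gen_client_keypair)          # $1 = private, $2 = public
  write_server_auth "$scratch" laptop "$2"
  write_client_auth "$scratch" laptop "<onion-address>.onion" "$1"
  cat "$scratch/laptop.auth"            # only the public half is shown
  rm -rf "$scratch"
fi
```

On the Pi the .auth file has to be readable by the user tor runs as (debian-tor in Debian's tor package), and only the public key should ever leave the client.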

To be done