How is a hidden service in a LAN reachable from the outside WAN?

I imagine web-traffic as packages routed to IP addresses which are openly available…or lets say at least discoverable. To be honest, I lack the understanding of how traffic “finds” my physical cable running into my home. But anyways, in my mental model my modem/firewall/router are the guards which shield the machines in my LAN from the outside. If properly managed, only traffic I requested comes in.

Now I see there is some magic named hidden services which allows me to reach my machines in the LAN without port forwarding or other stuff.

How is this done? I mean, it seems there is no dependence on IP addresses. There isn’t a central list in which clients can look up and see where to send packages so they reach “my home”. My modem/firewall/router somehow just lets the traffic pass into the LAN without “guarding”.

Can someone give me a high level explanation of how hidden services manage to achieve this? And maybe point me to more technical explanations where I can dig deeper?


1 Like

Hi @smuggler,
I can understand your question very well.I felt the same way many years ago.

There is only one crucial fact missing from your thoughts. Your Tor client connects to other servers on the network and shares information with them. If you run a hidden service, then the information about it will be passed on as well. And it is necessary to remember that there are also so-called direcoty services.

If someone on the network asks for your hidden service, the answer will be found out via the circuit.
Unlike, for example, via DNS, no information is transmitted that enables a direct connection to you.

The connection to your home is then established via the node to which you are currently connected.

Now this is a very, very simplified representation that still needs a lot of explanation, but it should help to explain the logic behind it.

Or, that’s how I once explained it to my wife:

Do you know the game Chinese whispers?
The one who sits next to you is a relay which is connected to you. And you hold hands, so you are connected to each other. You can exchange information in both directions.
And the one sitting next to you does the same to someone with his other hand.
When someone wants to tell you something, they don’t know where you are, but they tell whoever they know knows where you are.

The german Wikipedia has, I think, also a nice explanation.
I also like this blogpost for a bit more detailed info. After reading that you can look at the technical papers.

Thanks for your answer and the links @martln.

The picture of a chain is indeed helpful. I’m still not entirely sure if I understand the mechanisms behind though.

Is it fair to say, that my onion service establishes a permanent “listening connection” to the introductory nodes? In layman terms, my onion service punches a pipe through my modem/firewall/router, so if someone else requests e.g. a web side from my service, the introductory node is able to route this request (or more specifically the message with the secret and rendezvous point) to me, into my LAN because it looks just like a “normal” answer to a request I made from within my LAN outwards?

If that is the case the data still comes in and leaves through the fiber connection of my home. But this connection is identified by an IP address, right? So does the node directly after/before me see this IP?

And how are the data packages physically routed? I mean how is the abstract layer of “I will pass this data to this public key” translated into the physical routing and switching through cables back to my home connection?

In principle, this is true, if you put it in layman’s terms.

It’s like a VPN. Two daemons have a connection, user and server. These two daemons send data back and forth. And with Tor, the next one in the chain always knows the IP of the previous one. So that this can not be traced, there is the onion circuit that ensures that a website that you call, only knows the exit, but the exit does not know your address, and so on.

I remembered a great talk that may help you. It is about the deanonymization of tor. The nice thing about it, if you look at it from the point of view, I think it’s easier to see how everything interlocks and works together.
Tor: Hidden Services and Deanonymisation (31. Chaos Communication Congress)

From the author, Gareth Owen, there is also an easy to understand paper.
GCIG Paper No. 20

1 Like

This topic was automatically closed 2 hours after the last reply. New replies are no longer allowed.

This is a fantastic video which clarified a lot of things, thanks. I will now dig into the paper now and also see if I can find more information about the issue raised in the talk re: the seemingly high abuse content of hidden services. But will mark the question as answered here!