As I am in a double-NATed environment at both my locations, I’m using the HS for SSH access into a few machines, so I can avoid basically any configuration with the FW, VPS, WireGuard and VPN of any kind.
Just to check the state of some services from logs, so it’s mostly about reading in the terminal session.
Very convenient even with the lag induced by the routing.
Up until now I’ve been using it with client auth and occasional scp into the ssh xyz.onion alias.
This way it works.
But when I’m on the machine, how can a file be transferred back to my actual machine?
Normally it’s the user@ip:/path part doing the job, but here I don’t know how to do this.
Should an HS also be started on the machine I’m connecting from?
But why if there is already a tunnel established?
If anyone can point me to the right documentation or guide, that would be great.
A Tor HiddenService configuration is not necessary for the client side. Assuming you have authentication configured correctly on both the HiddenService side and the client side, the client side simply operates as a Tor client.
It has been a few years since I played with this configuration, and I did not use “scp”, but perhaps the following “sftp” command will help:
Have an alias invoking ssh using Tor (or LAN, depending on where the device is).
This will log me in to the machine, using the HS and client authorization key pair (and the same for ssh itself).
I can send in and out if both are, for example, on the same LAN (no difference between a LAN or Tor session, because the target for scp is a LAN IP, such as client@192.168.x.y:/path/to/file).
But this doesn’t work with the remote machine, as Tor does not use an IP. I could (if possible) use the normal IP, but that is what is to be avoided.
I don’t know how to tell scp where on the network to copy the files, as it’s possibly some onion living only for the period of the connection (the client I’m connecting from does not exist as an HS).
Tor is started with systemctl tor start/restart, only for the period it’s needed.
When watching logs with journalctl -u tor@default.service I can see, for example:
Our IP address has changed. Rotating keys… – yes because different network
and Opening Socks listener on 127.0.0.1:9050 – well this is where my traffic goes in/out.
Maybe I should somehow reference this SOCKS listener.
What it does is allow me to log in via SSH (from my machine with Tor to the HS on the machine); that is what is already working now.
(.pub in authorized_clients, that is what -C -i does).
I have it for both directions (from and into the machine). So this is already done.
Looking at the scp attempt with the -v flag, under the hood it invokes sftp (Executing: program /usr/bin/ssh host x.y.z.w, user X, command sftp), but that is just a detail.
If you are asking how to SFTP/SCP across Tor from the computer running the Tor Hidden Service to the computer running the Tor client, I am not aware of a way.
Obviously, the opposite direction works: SFTP/SCP across Tor from the computer running the Tor client to the computer running the Tor Hidden Service.
It sounds like you are attempting to SFTP ‘put’ from the server side to the client side. Maybe there is a better way, but maybe both computers could be configured as Hidden Services and clients of each other.
I have never tried this, but I have read that it is popular to route browser traffic from Tor client → Tor exit → commercial VPN allowing the user to hide from an ISP the fact that a VPN is being used.
I am just brainstorming, but perhaps you could combine a Tor HiddenService with a self-hosted VPN. WireGuard is popular.
Maybe something like the following:
WireGuard client → Tor client → Tor HiddenService → WireGuard server
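Putting the thread's working direction into one script, as an added example that is not from any poster: the ssh_config stanza sends every *.onion host through the SOCKS listener the journalctl line shows (127.0.0.1:9050), and scp is always issued on the Tor client side, which copies in both directions, so pulling a file back from the HS needs no hidden service on the client. The onion address, user name, paths and OpenBSD-style nc are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: Tor's SOCKS listener is
# 127.0.0.1:9050 (the "Opening Socks listener" log line), OpenBSD-style nc is
# installed, and xyz.onion / admin / the paths are placeholders.
SOCKS=127.0.0.1:9050
ONION=xyz.onion            # placeholder: the HS address (client auth already set up)

# ssh_config stanza: every *.onion host goes through the Tor SOCKS proxy.
# CheckHostIP is meaningless for an onion name, so it is turned off.
ssh_config_stanza() {
    cat <<EOF
Host *.onion
    ProxyCommand nc -x ${SOCKS} -X 5 %h %p
    CheckHostIP no
EOF
}

# Build the scp command that is always run on the Tor CLIENT machine.
#   get: pull a file from the HS back to the client
#   put: push a local file to the HS
# The HS never has to address the client, so no second HS is needed.
scp_cmd() {
    direction=$1 user=$2 remote_path=$3 local_path=$4
    case "$direction" in
        get) printf 'scp %s@%s:%s %s\n' "$user" "$ONION" "$remote_path" "$local_path" ;;
        put) printf 'scp %s %s@%s:%s\n' "$local_path" "$user" "$ONION" "$remote_path" ;;
        *)   echo "scp_cmd: direction must be get or put" >&2; return 1 ;;
    esac
}

# True when the local Tor SOCKS listener is up (needs a running tor daemon).
socks_listener_up() {
    nc -z "${SOCKS%:*}" "${SOCKS#*:}" 2>/dev/null
}

# Usage: install the stanza once, then copy logs back from the HS.
#   ssh_config_stanza >> ~/.ssh/config
#   $(scp_cmd get admin /var/log/syslog ./syslog-from-hs)
```

Run `socks_listener_up` first; if it fails, tor is not started on the client, which is the usual reason the onion alias hangs.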