Updated instructions for TOR and SSL (Debian based distros) #630

Merged
merged 3 commits into from
Aug 14, 2022
24 changes: 14 additions & 10 deletions docs/RTL_SSL_setup.md
@@ -1,23 +1,25 @@
### Setup https access for RTL

Forward the ports 80 and 3002 on the router to the device running RTL.
Forward the ports 80 and 3002 on the router to the device running RTL.
Allow the ports through the firewall of the device.

Install Nginx:
https://www.nginx.com/resources/wiki/start/topics/tutorials/install/
On Debian based distros:
$> sudo apt install nginx

Install certbot to acquire the ssl certificate:
https://certbot.eff.org
nginx default config file is at /etc/nginx/nginx.conf. You will need it.

Install, if needed, openssl
On Debian based distros:
$> sudo apt install openssl

Add the following line at the very top of nginx.conf:
load_module /usr/lib/nginx/modules/ngx_stream_module.so;
Create a self certificate with openssl
$> openssl req -newkey rsa:4096 -x509 -sha512 -days 365 -nodes -out /path/to/some/folder/rtl-cert.crt -keyout /path/to/some/folder/rtl-cert.key


Sample configuration to be inserted in the nginx.conf (adjust the path and filename of your certificate and key):



stream {
upstream RTL {
server 127.0.0.1:3000;
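Review bot: The `openssl req ... -nodes` command writes `rtl-cert.key` without a passphrase, and the instructions say nothing about where the key should live or who may read it. Add a step that keeps the key in a root-owned directory and restricts it, for example `sudo chmod 600 /path/to/some/folder/rtl-cert.key`, and mention that a self-signed certificate triggers a browser warning, so users should compare the certificate fingerprint on first connect rather than clicking through. The first line still asks for port 80 to be forwarded; if nothing in the self-signed flow listens on it, drop it from the instructions so it is not left open on the router.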
Expand All @@ -27,13 +29,15 @@ Sample configuration to be inserted in the nginx.conf (adjust the path and filen
listen 3002 ssl;
proxy_pass RTL;

ssl_certificate /etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem;
ssl_certificate /path/to/some/folder/rtl-cert.crt;
ssl_certificate_key /path/to/some/folder/rtl-cert.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 4h;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # this line works for me with only TLSv1.2
ssl_prefer_server_ciphers on;
}
}

Restart Nginx with the new configuration and connect to RTL over https on the port 3002.
On Debian based distros:
$> sudo systemctl restart nginx
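Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still enables TLS 1.0 and 1.1, which RFC 8996 deprecates, and the new inline comment only hints that TLSv1.2 alone works. Change the directive itself to `ssl_protocols TLSv1.2;` (adding `TLSv1.3` where the installed nginx and OpenSSL support it) instead of documenting the safer value in a comment. It would also help to put `sudo nginx -t` before `sudo systemctl restart nginx` so a typo in the pasted `stream` block does not take the proxy down.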
43 changes: 18 additions & 25 deletions docs/RTL_TOR_setup.md
Expand Up @@ -4,39 +4,34 @@ This guide will allow you to remotely connect to RTL over Tor. This can work on

#### Server Setup
Install Tor on the same local machine as RTL. see the tor project wiki [here](https://trac.torproject.org/projects/tor/wiki)
On Debian based distros:
$> sudo apt install tor

Edit the `torrc` configuration file, and add the following lines:
Edit `/etc/tor/torrc` (Debian based distro) configuration file, and add the following lines:
```
HiddenServiceDir /var/db/tor/rtl/
HiddenServiceVersion 2
HiddenServiceAuthorizeClient stealth mydevice
HiddenServiceDir /var/lib/tor/rtl-service-v3/
HiddenServiceVersion 3
HiddenServicePort 3000 127.0.0.1:3000
```
Change `/var/db/tor/rtl/` to any directory you want to store the hidden service credentials.
Change `mydevice` to anything you want.
Change `/var/lib/tor/rtl-service-v3/` to any directory you want to store the hidden service credentials.

Save the changes to the `torrc` file and restart tor.

View the contents of the file `/var/db/tor/rtl/hostname`. It will show an onion address, an authentication password(cookie), and the associated `mydevice` label.

$> sudo systemctl restart tor
or sometimes:
$> sudo systemctl daemon-reload

View the contents of the file `/var/lib/tor/rtl-service-v3/hostname`. You need to be root. It will show an onion address. This is your address.
On Debian based distro:
$> su -c "cat /var/lib/tor/rtl-service-v3/hostname"

#### Client setup: Android

Download Orbot for android (add their repos to F-Droid here: https://guardianproject.info/fdroid/

Open orbot. Click the `⋮`, select `hidden services ˃`, select `Client cookies`.

Press the + button on the lower right. Type in the the onion address and secret cookie you revealed in file `/var/lnd/tor/rtl/hostname`.
Install Tor browser (or any other compatible browser) for Android from the app store

Go back to orbot's main screen, and select the gear icon under `tor enabled apps`.
Add your favorite tor compatible browser (I use brave) `Brave`, then press back.
Click `stop` on the big onion logo. Exit orbot and reopen it.
Turn on `VPN Mode`. Start your connection to the tor network by clicking on the big onion (if it has not automatically connected already)
Open the tor enabled browser and type in the onion address (example `z1234567890abc.onion:3000`)
Only you have access to this website! All traffic in the tor enabled browser will go over Tor (which is slower than clearnet).

Now open the tor enabled browser and type in the onion address (example `z1234567890abc.onion:3000`)
Only you have access to this website! All traffic in the brave browser will go over Tor (which is slower than clearnet).
To go back to clearnet browsing, turn off VPN mode in Orbot.

#### Client setup: Windows Tor Browser
#### Client setup: Windows Tor Browser (not updated)

Download and install Tor Browser for windows: https://www.torproject.org/download/

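Review bot: The v3 `torrc` block drops `HiddenServiceAuthorizeClient stealth mydevice` without a replacement, yet the Android section still says "Only you have access to this website!". With the three lines shown, anyone who learns the onion address can reach the RTL login on port 3000. Either document v3 client authorization (a `<name>.auth` file under `/var/lib/tor/rtl-service-v3/authorized_clients/`) or reword the claim. Also, `sudo systemctl daemon-reload` reloads unit files and does not restart tor, so it should not be offered as an alternative to `sudo systemctl restart tor`, and the example `z1234567890abc.onion:3000` should become a v3-length placeholder.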
Expand All @@ -50,5 +45,3 @@ HidServAuth 1234567890abcdefg.onion abcdef01234567890+/K mydevice
Save and exit.

Now open Tor Browser, type in the `1234567890abcdefg.onion:3000` address!
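Review bot: The Windows steps still rely on `HidServAuth 1234567890abcdefg.onion abcdef01234567890+/K mydevice`, a v2 client option that does not apply to the `HiddenServiceVersion 3` service this PR configures, and the "(not updated)" heading leaves readers with instructions that will not connect. Remove the `HidServAuth` step or replace it with the v3 equivalent (`ClientOnionAuthDir` pointing at a directory with an `.auth_private` file), and update `1234567890abcdefg.onion:3000` to a v3-style placeholder address.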