Onion addresses for anything.

onionpipe

onionpipe forwards ports on the local host to remote Onion addresses as Tor hidden services and vice-versa.

Why would I want to use this?

onionpipe is a decentralized way to create virtually unstoppable global network tunnels.

For example, you might want to securely publish and access a personal service from anywhere in the world, across all sorts of network obstructions -- your ISP doesn't allow ingress traffic to your home lab, your clients might be in heavily firewalled environments (public WiFi, mobile tether), etc.

With onionpipe, that service doesn't need a public IPv4 or IPv6 ingress. You can publish services with a globally-unique persistent onion address, and share access securely and privately to your own allowlist of authorized keys.

You don't need to rely on, or share your personal data with, for-profit services (like Tailscale, ZeroTier, etc.) to get to it.

What can I do with it right now?

onionpipe sets up socket forwarding tunnels. It's like socat(1), for onions.

Export services on local networks to onion addresses

Export localhost port 8000 to a temporary, one-time remote onion address.

onionpipe 8000

Export localhost port 8000 to temporary remote onion port 80. ~ is shorthand for the forward between source~destination.

onionpipe 8000~80

Export localhost port 8000 to a persistent remote onion address nicknamed 'my-app'.

onionpipe [email protected]

Nicknames can be re-used in multiple forwarding expressions to reference the same onion address. Let's set up a little web forum for our Minecraft server.

All the forwards without nicknames use the same temporary address.

onionpipe 192.168.1.100:8000~80,8080,9000 9090

Export a UNIX socket to an onion address.

onionpipe /run/server.sock~80

Export to a non-anonymous remote onion service, trading network privacy for possibly reduced latency.

onionpipe --anonymous=false 8000

Import onion services to local network interfaces.

Import a remote onion's port 80 to localhost port 80.

onionpipe xxx.onion:80

Import remote onion port 80 to local port 80 on all interfaces. This can be used for creating an ingress to the onion on public networks.

onionpipe xxx.onion:80~0.0.0.0:80

Running with Docker is simple and easy. The only caveat is that it's the container doing the forwarding, so adjust local addresses accordingly.

Forward port 80 on Docker host.

docker run --rm ghcr.io/cmars/onionpipe:main host.docker.internal:80

If you're using Podman, exposing the local host network is another option.

podman run --network=host --rm ghcr.io/cmars/onionpipe:main 8000 

Because local forwarding addresses are DNS resolved, it's very easy to publish hidden services from within Docker Compose or K8s. Check out this nextcloud example (watch the log for the onion address)!

Client auth

Client auth is great for securing personal services over Tor. How to use it:

Alice creates a new client auth public key pair.

onionpipe client new alice
{
  "alice": {
    "identity": "p2pof7vumwsrqqavtovfwqqaw6cqzvtqqe7cjvxt754k6j7blufa"
  }
}

Alice shares this public key with Bob, who forwards an onion service that only Alice can use.

onionpipe --require-auth p2pof7vumwsrqqavtovfwqqaw6cqzvtqqe7cjvxt754k6j7blufa [email protected]
2022/02/13 21:25:46 starting tor...
127.0.0.1:8000 => sd6aq2r6jvuoeisrudq7jbqufjh6nck5buuzjmgalicgwrobgfj4lkqd.onion:80

Alice can use her client private key to connect to this onion and forward to a local port.

onionpipe --auth alice sd6aq2r6jvuoeisrudq7jbqufjh6nck5buuzjmgalicgwrobgfj4lkqd.onion:80~7000
2022/02/13 21:29:17 starting tor...
sd6aq2r6jvuoeisrudq7jbqufjh6nck5buuzjmgalicgwrobgfj4lkqd.onion:80 => 127.0.0.1:7000
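
The identity passed to --require-auth above is, per the project's description of that flag, a client x25519 public key in base32 with no padding, so a 32-byte key is 52 characters. The Go sketch below is an added example, not onionpipe's own code: it validates such an allowlist before it is handed to the tool and generates a fresh identity. The function names (EncodeKey, DecodeKey, ParseAllowlist, NewIdentity) are hypothetical.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"encoding/base32"
	"fmt"
	"strings"
)

// Unpadded base32: the encoding used for the client identities shown above.
var keyEncoding = base32.StdEncoding.WithPadding(base32.NoPadding)

// EncodeKey renders a raw 32-byte x25519 key as lowercase unpadded base32.
func EncodeKey(raw []byte) string {
	return strings.ToLower(keyEncoding.EncodeToString(raw))
}

// DecodeKey validates one identity string and returns the 32 raw key bytes.
func DecodeKey(s string) ([]byte, error) {
	raw, err := keyEncoding.DecodeString(strings.ToUpper(strings.TrimSpace(s)))
	if err != nil {
		return nil, fmt.Errorf("not unpadded base32: %w", err)
	}
	if len(raw) != 32 {
		return nil, fmt.Errorf("decoded to %d bytes, want 32", len(raw))
	}
	return raw, nil
}

// ParseAllowlist checks a comma-separated --require-auth value and returns the
// keys normalized and de-duplicated. One bad entry rejects the whole list, so a
// typo cannot silently change who is authorized.
func ParseAllowlist(value string) ([]string, error) {
	seen := map[string]bool{}
	var keys []string
	for i, field := range strings.Split(value, ",") {
		raw, err := DecodeKey(field)
		if err != nil {
			return nil, fmt.Errorf("entry %d: %w", i+1, err)
		}
		if k := EncodeKey(raw); !seen[k] {
			seen[k] = true
			keys = append(keys, k)
		}
	}
	return keys, nil
}

// NewIdentity generates a fresh x25519 pair (hypothetical helper; the page
// itself uses "onionpipe client new"). Only pub is meant to be shared.
func NewIdentity() (pub, priv string, err error) {
	key, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return "", "", err
	}
	return EncodeKey(key.PublicKey().Bytes()), EncodeKey(key.Bytes()), nil
}

func main() {
	// Identity printed by "onionpipe client new alice" on this page.
	keys, err := ParseAllowlist("p2pof7vumwsrqqavtovfwqqaw6cqzvtqqe7cjvxt754k6j7blufa")
	fmt.Println(keys, err)
	pub, _, err := NewIdentity()
	fmt.Println(pub, err)
}
```

A well-formed key only proves the encoding is right; confirming that the key really belongs to Alice still has to happen over a channel Bob trusts.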

How do I install it?

Each commit into main triggers an automated release, which publishes a Homebrew tap and Docker image.

Homebrew

brew tap cmars/onionpipe
brew install onionpipe

Docker

The provided Dockerfile builds a minimal image that can run onionpipe in a container with the latest Tor release from the Tor Project. Both build and runtime are Debian-based.

Local build

In a local clone of this project,

make onionpipe

The built binary onionpipe will require a tor daemon executable to be in your $PATH.

Static standalone binary with libtor

Should theoretically work on: Linux, Darwin, Android (gomobile) according to the berty.tech/go-libtor README. There are some quirks; see comments in tor/init_libtor.go for details.

In a local clone of this project,

make onionpipe_libtor

This will take a long time the first time you build, because it compiles CGO wrappers for Tor and its dependencies.

You'll need to have C library dependencies installed for the build to work:

  • tor
  • openssl
  • libevent
  • zlib

If you're on NixOS, you can run nix-shell in this directory to get these dependencies installed into your shell context.

What features are planned?

Declare forwards and operate from a yaml file rather than CLI arguments.

onionpipe --config config.yaml

Considering a fancy TUI.

Considering a control plane for onionpipe SDN orchestration.

Stay tuned.

How can I contribute?

Donate to the Tor project with your dollar, or by hosting honest proxies and exit nodes. If you like and use this project, support the public infrastructure that benefits us all and makes this wonderful magic possible.

Issues
  • SyncThing web GUI

    Great project, thanks.

    Doesn't work with WEB GUI Syncthing (8384) - "Host check error". However, python -m http.server works as it should.

    Client site - Win10 + TorBrowser. Second site - Ubuntu 20.04.

    opened by kibernaut 3
  • [Snyk] Security upgrade debian from bullseye to 11

    This PR was automatically created by Snyk using the credentials of a real user.


    Keeping your Docker base image up-to-date means you’ll benefit from security fixes in the latest version of your chosen image.

    Changes included in this PR

    • build/Dockerfile

    We recommend upgrading to debian:11, as this image has only 43 known vulnerabilities. To do this, merge this pull request, then verify your application still works as expected.

    Some of the most important vulnerabilities in your base image include:

    | Severity | Priority Score / 1000 | Issue | Exploit Maturity |
    | :------: | :-------------------- | :---- | :--------------- |
    | low severity | | CVE-2022-1664 SNYK-DEBIAN11-DPKG-2847942 | No Known Exploit |
    | critical severity | | OS Command Injection SNYK-DEBIAN11-OPENSSL-2807596 | No Known Exploit |
    | critical severity | 500 | Out-of-bounds Read SNYK-DEBIAN11-PCRE2-2808697 | No Known Exploit |
    | critical severity | 500 | Out-of-bounds Read SNYK-DEBIAN11-PCRE2-2808704 | No Known Exploit |
    | low severity | 150 | Information Exposure SNYK-DEBIAN11-UTILLINUX-2401081 | No Known Exploit |


    Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

    For more information: 🧐 View latest project report

    🛠 Adjust project settings


    Learn how to fix vulnerabilities with free interactive lessons:

    🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

    opened by cmars 0
  • [Snyk] Security upgrade debian from bullseye to 11

    This PR was automatically created by Snyk using the credentials of a real user.


    Keeping your Docker base image up-to-date means you’ll benefit from security fixes in the latest version of your chosen image.

    Changes included in this PR

    • Dockerfile

    We recommend upgrading to debian:11, as this image has only 43 known vulnerabilities. To do this, merge this pull request, then verify your application still works as expected.

    Some of the most important vulnerabilities in your base image include:

    | Severity | Priority Score / 1000 | Issue | Exploit Maturity |
    | :------: | :-------------------- | :---- | :--------------- |
    | low severity | 436 | CVE-2022-1664 SNYK-DEBIAN11-DPKG-2847942 | No Known Exploit |
    | critical severity | 500 | OS Command Injection SNYK-DEBIAN11-OPENSSL-2807596 | No Known Exploit |
    | critical severity | 500 | Out-of-bounds Read SNYK-DEBIAN11-PCRE2-2808697 | No Known Exploit |
    | critical severity | 500 | Out-of-bounds Read SNYK-DEBIAN11-PCRE2-2808704 | No Known Exploit |
    | low severity | 150 | Information Exposure SNYK-DEBIAN11-UTILLINUX-2401081 | No Known Exploit |



    opened by cmars 0
  • [Snyk] Security upgrade debian from bullseye to 11

    This PR was automatically created by Snyk using the credentials of a real user.


    Keeping your Docker base image up-to-date means you’ll benefit from security fixes in the latest version of your chosen image.

    Changes included in this PR

    • build/Dockerfile

    We recommend upgrading to debian:11, as this image has only 43 known vulnerabilities. To do this, merge this pull request, then verify your application still works as expected.

    Some of the most important vulnerabilities in your base image include:

    | Severity | Issue | Exploit Maturity |
    | :------: | :---- | :--------------- |
    | low severity | CVE-2022-1271 SNYK-DEBIAN11-GZIP-2444256 | No Known Exploit |
    | low severity | CVE-2022-1292 SNYK-DEBIAN11-OPENSSL-2807596 | No Known Exploit |
    | low severity | CVE-2022-1587 SNYK-DEBIAN11-PCRE2-2808697 | No Known Exploit |
    | low severity | CVE-2022-1586 SNYK-DEBIAN11-PCRE2-2808704 | No Known Exploit |
    | low severity | CVE-2022-1271 SNYK-DEBIAN11-XZUTILS-2444276 | No Known Exploit |



    opened by cmars 0
  • [Snyk] Security upgrade debian from bullseye to 11

    This PR was automatically created by Snyk using the credentials of a real user.


    Keeping your Docker base image up-to-date means you’ll benefit from security fixes in the latest version of your chosen image.

    Changes included in this PR

    • Dockerfile

    We recommend upgrading to debian:11, as this image has only 43 known vulnerabilities. To do this, merge this pull request, then verify your application still works as expected.

    Some of the most important vulnerabilities in your base image include:

    | Severity | Priority Score / 1000 | Issue | Exploit Maturity |
    | :------: | :-------------------- | :---- | :--------------- |
    | low severity | 364 | CVE-2022-1271 SNYK-DEBIAN11-GZIP-2444256 | No Known Exploit |
    | low severity | 221 | CVE-2022-1292 SNYK-DEBIAN11-OPENSSL-2807596 | No Known Exploit |
    | low severity | 221 | CVE-2022-1587 SNYK-DEBIAN11-PCRE2-2808697 | No Known Exploit |
    | low severity | 221 | CVE-2022-1586 SNYK-DEBIAN11-PCRE2-2808704 | No Known Exploit |
    | low severity | 150 | CVE-2022-1271 SNYK-DEBIAN11-XZUTILS-2444276 | No Known Exploit |



    opened by cmars 0
  • fix: improve embedded Tor static build

    Replace go-libtor with local static build of latest Tor stable release.

    Linux build uses Docker for distro-independence; other OSes will likely run directly on a $GOOS VM.

    opened by cmars 0
  • chore!: rebrand as onionpipe

    Trademark disputes can leave a project like this one vulnerable to seizure and takeover by well-funded parties.

    Even though "onion" is a vegetable and "grok" is jargon-speak, best to steer clear. Those who have the most gold will write the rules.

    So this project is rebranding as onionpipe. Which is probably a better name and brand for what this is anyway.

    BREAKING CHANGE: rename of all packages & artifacts.

    opened by cmars 0
  • feat: preliminary client auth and local identity management

    Add client subcommands for managing local client public key identities, and backend support for requiring and providing client authorization for secure, private onion access.

    New flags added to oniongrok [forward]:

    --require-auth <public key1>[,public key2,...] requires client public key authorization for remote onions being exported in a forward. The list is a list of client public x25519 keys, base32 encoded with no padding.

    --auth <private key or name> specifies the client authorization to use when importing remote onions to a local address.

    opened by cmars 0
  • Example docker-compose.yml

    Dunno if you'd find this useful anywhere in your documentation but this works for me.

    version: "3.7"
    services:
      oniongrok:
        image: ghcr.io/cmars/oniongrok:main
        ## You will need to consider changing the command.
        command: "--secrets /data/.local/share/oniongrok/secrets.json sign:[email protected]"
        volumes:
          - ./data/:/data/.local/share/oniongrok/
    
    ## Demo App, Could be anything.
      sign:
        image: 'eerotal/libresignage:latest'
        volumes:
          - ./data/sign:/var/www/html/data
    

    At some point, I think it might not be a horrible idea to potentially look at making one of these examples that use the Traefik reverse proxy for fun and research. Especially if that example just uses docker labels.

    opened by Leopere 2
Releases(v1.0.11)
Owner
Casey Marshall