#! /bin/bash
# ANSI colour escape sequences for diagnostics. The backslash escapes are
# stored literally and only expanded when the message is printed.
CR='\e[1;31m' # red
# CG='\e[1;32m' # green (unused)
CN='\e[0m'    # none: reset attributes
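#######################################
# Print an error message to stderr and terminate the script.
# Globals:   CR, CN (read) - colour codes for the "ERROR:" prefix
# Arguments: $1 - exit code (optional, pass "" to skip)
#            $2.. - message (optional)
# Returns:   never. Exits with $1 when given; otherwise with the non-zero
#            status of the command that invoked us (`cmd || ERREXIT "msg"`);
#            otherwise with 99.
#######################################
ERREXIT()
{
  # Must be the very first statement: any command executed before it, even
  # `local` or an assignment, resets $? and loses the caller's status.
  local code="$?"

  if [[ -n "$1" ]]; then
    code="$1"
  elif [[ "${code}" -eq 0 ]]; then
    # No explicit code and the caller did not fail: generic failure.
    code=99
  fi
  [[ $# -gt 0 ]] && shift

  # %b expands the escape sequences in the colour codes; the message itself is
  # passed as an argument and never used as a format string.
  [[ -n "$1" ]] && printf '%b\n' "${CR}ERROR:${CN} $*" >&2

  exit "${code}"
}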
# add [PORT]
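#######################################
# Publish the onion hostname of hidden service PORT to the guest config dir.
# Arguments: $1 - port number of the hidden service
# Returns:   0; exits via ERREXIT when the hostname cannot be copied
#######################################
xadd()
{
  local port="$1"
  local src="/var/lib/tor/hidden/service-${port}/hostname"
  local dst="/config/guest/onion_hostname-${port}"

  # The onion hostname is public by design, hence 0644; only the key files in
  # the service directory stay private (0600, enforced by genkey_hidden).
  cp -- "${src}" "${dst}" || ERREXIT "Cannot copy ${src} to ${dst}"
  chmod 644 "${dst}" || ERREXIT "Cannot chmod ${dst}"
}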
# Tor has no easy way to generate keys in a script and then derive the onion address
# from the public key. This is a nightmare.
# (We need the onion address before we start TOR.)
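#######################################
# Derive the v3 onion address from a tor "hs_ed25519_public_key" file
# (32-byte header followed by the raw 32-byte ed25519 public key).
#   address  = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
#   CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[0:2]
#   VERSION  = 0x03
# The key and checksum bytes are kept in pipes only: $(...) and shell
# variables drop NUL bytes, so an address computed from a variable would be
# silently wrong for any key that contains a 0x00 byte.
# Arguments: $1 - path of the public key file
# Outputs:   the lowercase "<56 chars>.onion" address on stdout
# Returns:   0 on success, 1 if the file is unreadable or a tool failed
#######################################
onion_address()
{
  local pubfile="$1"
  local b32

  [[ -r "${pubfile}" ]] || return 1
  b32=$(
    set -o pipefail
    {
      tail -c 32 <"${pubfile}"
      {
        printf '.onion checksum'
        tail -c 32 <"${pubfile}"
        printf '\003'
      } | openssl sha3-256 -binary | head -c 2
      printf '\003'
    } | base32
  ) || return 1
  # 35 input bytes encode to exactly 56 base32 characters without padding;
  # anything else means a stage of the pipeline produced short output.
  [[ ${#b32} -eq 56 && "${b32}" != *=* ]] || return 1
  printf '%s.onion\n' "${b32,,}"
}

#######################################
# Create the hidden-service directory for PORT, generate its ed25519 key pair
# if missing, write ./hostname from the public key and tighten permissions.
# Arguments: $1 - port number of the hidden service
# Outputs:   "Port <port>: <addr>.onion" on stdout when a hostname is created
# Returns:   0; exits via ERREXIT on failure
# Callers set umask 0077 first so newly created files are private; the
# chmod at the end enforces 0700/0600 for pre-existing files as well.
#######################################
genkey_hidden()
{
  local port="$1"
  local dir="/var/lib/tor/hidden/service-${port}"
  local tmp
  local addr

  # Create the (possibly empty) authorized_clients directory alongside the keys.
  mkdir -p "${dir}/authorized_clients" || ERREXIT "Cannot create ${dir}"

  if [[ ! -f "${dir}/hs_ed25519_secret_key" ]]; then
    # tor --keygen runs as the tor user and needs a writable DataDirectory;
    # use an unpredictable temp dir rather than a fixed /tmp/tor.
    tmp=$(mktemp -d) || ERREXIT "mktemp failed"
    chown tor "${tmp}" "${dir}" || ERREXIT "Cannot chown ${tmp} / ${dir}"
    # keygen presumably wants a tty and a passphrase prompt answered: `script`
    # supplies the pty and the two CRs leave the passphrase empty.
    (sleep 1; echo -en "\r\r") | su -s /bin/ash - tor -c "script -q -c \"tor --keygen --DataDirectory ${tmp}\" /dev/null" >/dev/null
    # cp fails when keygen produced nothing; do not continue with a half
    # initialised service directory.
    if ! cp "${tmp}/keys/ed25519_master_id_secret_key" "${dir}/hs_ed25519_secret_key" \
      || ! cp "${tmp}/keys/ed25519_master_id_public_key" "${dir}/hs_ed25519_public_key"; then
      rm -rf -- "${tmp}"
      ERREXIT "tor --keygen did not produce a key pair for port ${port}"
    fi
    rm -rf -- "${tmp}"
    # A leftover hostname would belong to the previous key.
    rm -f "${dir}/hostname"
  fi

  if [[ ! -f "${dir}/hostname" ]]; then
    # Create ./hostname from the public key
    addr=$(onion_address "${dir}/hs_ed25519_public_key") || ERREXIT "Cannot derive onion address for port ${port}"
    printf '%s\n' "${addr}" >"${dir}/hostname" || ERREXIT "Cannot write ${dir}/hostname"
    printf 'Port %s: %s\n' "${port}" "${addr}"
  fi

  # Always fix permissions (also when the files already existed): the secret
  # key must be readable by the tor user only (the caller chowns the tree).
  find "${dir}" -type d -exec chmod 700 {} \; || ERREXIT
  find "${dir}" -type f -exec chmod 600 {} \; || ERREXIT
}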
# Route all traffic that comes to this instance through TOR.
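# Redirect every incoming TCP connection (except those addressed to sf-tor
# itself, presumably the daemon's own ports) to tor's port 9040. If this
# rule cannot be installed nothing is forwarded to tor, so fail loudly.
iptables -t nat -A PREROUTING -p tcp ! -d sf-tor --syn -j REDIRECT --to-ports 9040 || ERREXIT "Cannot install REDIRECT rule"

if [[ -n $SF_TOR_VIA_VPN ]]; then
  # Route TOR via VPN (del may fail when there is no default route yet).
  ip route del default
  ip route add default via 172.20.0.2 || ERREXIT "Cannot set default route via VPN"
else
  # Route TOR directly to Internet but incoming
  # onion connections to these two (via sf-router)
  ip route add 172.22.0.22/32 via 172.20.0.2 || ERREXIT "Cannot add route for 172.22.0.22"
  ip route add 172.20.1.80/32 via 172.20.0.2 || ERREXIT "Cannot add route for 172.20.1.80"
fi

# Generate keys with a restrictive umask so the secret key is never created
# world-readable; the hostname copied to the guest is public and uses 0644.
umask 0077
genkey_hidden 22
genkey_hidden 80
umask 0022
xadd 22
xadd 80

chmod 700 /var/lib/tor || ERREXIT "Cannot chmod /var/lib/tor"
chown -R tor /var/lib/tor/hidden || ERREXIT

# Hand over to tor as the unprivileged tor user; a host-provided torrc
# takes precedence over tor's built-in defaults.
torrc=/config/host/etc/tor/torrc
if [[ -f "${torrc}" ]]; then
  exec su -s /bin/ash - tor -c "tor --hush -f ${torrc}"
else
  exec su -s /bin/ash - tor -c "tor --hush"
fi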
# NOT REACHED