stopgap for onion v2 to v3 migration

I use Tor onion services (location-hidden services) to manage a lot of my servers, since some are behind NAT or have dynamic IP addresses and onion services do excellent NAT traversal and allow access without knowing IP addresses. Alas, for security reasons the older v2-style onion addresses will deprecate in 11 days. I thought it would be trivial to generate v3 addresses for all my servers, and for most it was, but I ran into some grief.

I have a remote server running on a distant site for maintaining a dynamic DNS address and allowing me to traverse NAT to keep port forwarding and other configurations current. Alas, it’s a Raspberry Pi Zero W (0w) and the Debian Tor repos are so out-of-date that they don’t support Tor versions new enough to allow for v3 onions. Building from source on a 0w is too much for the little machine over long, fragile connections so I need — before July 15th — to allow an alternate method of NAT traversal or I’ll lose access to the server completely.

Looks like a reverse SSH proxy is in order.

First, I need to define an address for a server with a static IP address. I’ll use zara.sacdoc.org, since it’s already a router, but I’ll create a specific domain name for it, tunnel.sacdoc.org, so that it will be independent of the router name. So I create an appropriate A record so that tunnel.sacdoc.org points to the IP address for zara.sacdoc.org. I could use a cname, but I don’t like them.

Next, I need to be able to shell into tunnel.sacdoc.org from the 0w. I’ll create a user on tunnel which I’ll confusingly name tunnel. It needs a login shell and directory but can (should) have very limited privileges. Give it a good password, even though it’s only temporary.

Create an ssh key pair on the 0w and copy the public key to tunnel using the password to get access.
ssh-keygen
ssh-copy-id tunnel@tunnel.sacdoc.org

Install autossh to open a reverse tunnel and keep it open
sudo apt install autossh

Put the autossh command in /etc/rc.local using 2222 as the remote port and 2223 as the monitoring port. You might need to change the location of your private key file as well as the device names and port numbers.
autossh -M 2223 -fN -o "PubkeyAuthentication=yes" -o "StrictHostKeyChecking=false" -o "PasswordAuthentication=no" -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" -o "IdentityFile=/home/pi/.ssh/id_rsa" -R tunnel.sacdoc.org:2222:localhost:22 tunnel@tunnel.sacdoc.org

Cool! At least now I have access to the server until I can either build a modern Tor for Raspbian from source or somebody updates the Debian repositories.

EDIT 20210705@15:54

The real source of the problem here is that the 0w is running Raspbian Stretch. Were I to upgrade to Raspbian Buster, it would install a still-outdated but new enough version of Tor to support v3 onions. I’m not sure I want to do a full OS distribution update on a device that’s hundreds of miles away, on a slow and unreliable net connection. I might wait and do that when I’m better able to afford to travel or ship packages around.