It's easier to set up a Tor hidden service than it is to set up a server with a domain. You don't have to know anything about DNS or firewalls. I'm surprised that they aren't more common.
Yes, that's what I like about it, too. All of my machines got their own .onion address, so I have a static name I can connect to whether I am at home or at Starbucks connected to their Wi-Fi.
(And since I set HiddenServiceAuthorizeClient, random people just knowing the address won't be able to connect.)
It works great and I stopped port forwarding my home network a while ago...
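For readers who want to see what the setup in this comment looks like in practice, here is an illustrative torrc for the directives mentioned above. It is an added example, not the commenter's configuration; the directory path, service port and client labels are placeholders, and the onion address and cookie are never typed by hand (tor generates them).

```conf
# ---- server side (/etc/tor/torrc on the machine you want to reach) ----
# Expose local sshd as an onion service. Placeholder path and port.
HiddenServiceDir /var/lib/tor/ssh_onion/
HiddenServicePort 22 127.0.0.1:22
# Client authorization: only clients holding a cookie can even fetch the
# descriptor, so knowing the .onion address alone is not enough.
# "stealth" gives each named client its own address + cookie; "basic"
# shares one address and hands out per-client cookies.
HiddenServiceAuthorizeClient stealth laptop,phone

# After a restart tor writes one line per client into
#   /var/lib/tor/ssh_onion/hostname
# of the form:  <address>.onion <cookie> # client: laptop

# ---- client side (torrc on the laptop) ----
# Paste the line for this client; placeholders shown, not real values.
HidServAuth <address>.onion <cookie>
# then e.g.  ssh -o ProxyCommand='nc -x 127.0.0.1:9050 %h %p' user@<address>.onion
```

Caveat: HiddenServiceAuthorizeClient and HidServAuth belong to the v2 onion services of that era, which tor has since removed (v2 support ended with tor 0.4.6). On current tor the equivalent is v3 client authorization: drop `*.auth` files under `<HiddenServiceDir>/authorized_clients/` on the server and point `ClientOnionAuthDir` at the matching private keys on the client. The security property the commenter relies on, that the address alone does not grant access, is the same.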
Is it? I've never been able to find a 'how to' or tutorial on starting a hidden service, but even with limited skills I could set up a domain and server in my lunch hour.
NAT traversal requires a server accessible to both parties, correct?
It would be interesting if somehow Tor could be used only to initiate the NAT traversal, then the direct connection could be used with better performance. (This article feels like it's talking about routing everything through Tor.) If there was an open-source library that managed this well I have a feeling it would be used everywhere.
> NAT traversal requires a server accessible to both parties, correct?
If both parties are behind a NAT, you need a STUN server to help set up UDP hole punching. STUN servers are cheap to run, as it is a stateless UDP protocol. I imagine a single server could handle tens of millions of concurrent users, or more if the STUN client is not aggressive.
There are enough public STUN servers that I think an open source project could ship with a big list of them and it'd be functional. (The two peers don't need to be using the same STUN server.)
There is also pwnat, which uses a neat trick to connect two parties behind a NAT without a third server necessary.
> If there was an open-source library that managed this well I have a feeling it would be used everywhere.
Check out telehash.org for one attempt to make a p2p overlay of the regular Internet as an open source library.
ZeroTier, as mentioned in the link, has all the code necessary to also provide a p2p library. (It's p2p VPN software right now, but I imagine someone could separate out the guts if that hasn't been done already.)
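To make the "STUN is cheap and stateless" point concrete, here is an added example (not code from this thread, from Tor, or from any STUN library) that builds a Binding Request and decodes the XOR-MAPPED-ADDRESS in the Success Response per RFC 5389, and also constructs the server's reply so the whole exchange can be run offline. The IP addresses and ports in `demo()` are constructed sample values from the documentation ranges. It goes slightly beyond the IPv4 case the comment has in mind by handling IPv6 too.

```python
"""Minimal STUN (RFC 5389) Binding Request / Success Response codec.

Added illustration for the NAT-traversal discussion; not from the thread,
Tor, or any STUN library. Sample addresses are constructed values.
"""
import os
import socket
import struct
from typing import Optional, Tuple

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
FAMILY_IPV4, FAMILY_IPV6 = 0x01, 0x02


def build_binding_request(txid: Optional[bytes] = None) -> bytes:
    """Client side: 20-byte header (type, length, cookie, txid), no attributes."""
    txid = txid if txid is not None else os.urandom(12)
    if len(txid) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def _xor_address(family: int, ip: str, port: int, txid: bytes) -> bytes:
    """XOR-MAPPED-ADDRESS value: port ^ top 16 bits of cookie, addr ^ (cookie || txid)."""
    af = socket.AF_INET if family == FAMILY_IPV4 else socket.AF_INET6
    raw = socket.inet_pton(af, ip)
    key = struct.pack("!I", MAGIC_COOKIE) + txid          # 16 bytes; IPv4 uses first 4
    xaddr = bytes(a ^ b for a, b in zip(raw, key))
    return struct.pack("!BBH", 0, family, port ^ (MAGIC_COOKIE >> 16)) + xaddr


def build_binding_response(txid: bytes, src_ip: str, src_port: int) -> bytes:
    """Server side: reflect the source address the request arrived from.

    Everything the server needs is in the one datagram it just received
    (txid from the request, address/port from the UDP header), which is
    why a STUN server keeps no per-client state.
    """
    family = FAMILY_IPV6 if ":" in src_ip else FAMILY_IPV4
    value = _xor_address(family, src_ip, src_port, txid)
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr


def parse_binding_response(data: bytes, expected_txid: bytes) -> Tuple[str, int]:
    """Client side: check header and txid, then decode XOR-MAPPED-ADDRESS."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    txid = data[8:20]
    if cookie != MAGIC_COOKIE or msg_type != BINDING_SUCCESS:
        raise ValueError("not a STUN binding success response")
    if txid != expected_txid:
        # Reject stale or spoofed replies: anyone can send UDP to our port.
        raise ValueError("transaction id mismatch")
    body = data[20:20 + length]
    if len(body) != length:
        raise ValueError("truncated attributes")
    pos = 0
    while pos + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + alen]
        pos += 4 + ((alen + 3) & ~3)       # attribute values are padded to 4 bytes
        if atype != ATTR_XOR_MAPPED_ADDRESS:
            continue
        family, xport = struct.unpack("!xBH", value[:4])
        port = xport ^ (MAGIC_COOKIE >> 16)
        key = struct.pack("!I", MAGIC_COOKIE) + txid
        raw = bytes(a ^ b for a, b in zip(value[4:], key))
        af = socket.AF_INET if family == FAMILY_IPV4 else socket.AF_INET6
        return socket.inet_ntop(af, raw), port
    raise ValueError("no XOR-MAPPED-ADDRESS attribute")


def demo(nat_ip: str = "203.0.113.7", nat_port: int = 40000) -> Tuple[str, int]:
    """Offline round trip; nat_ip:nat_port is the constructed NAT-side address
    the 'server' would see on the incoming datagram."""
    txid = os.urandom(12)
    request = build_binding_request(txid)
    assert struct.unpack("!H", request[:2])[0] == BINDING_REQUEST
    response = build_binding_response(txid, nat_ip, nat_port)
    return parse_binding_response(response, txid)


if __name__ == "__main__":
    print(demo())            # the client learns its public (NAT-mapped) address:port
```

The reflected address is what a peer needs for hole punching; the transaction-id check matters because the reply arrives on an open UDP port that anything on the Internet can write to. Note that the comment's "don't need the same STUN server" holds because nothing in the exchange is server-specific.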
> This article feels like it's talking about routing everything through Tor.
That's correct. How would you use Tor to initiate the NAT traversal only, and then go direct? Perhaps using it as a way to advertise ports bound upstream from local NAT?
He acknowledges this implicitly in "Demand vs. Capacity". This is not just about a library, it is about resources: a proportional number of nodes would need to participate in the Tor network as proxies. (And it's a constant factor of nodes depending on how many bounces you want).
I like the idea! Nevertheless, one thing that I'd like to point out when deploying this kind of scheme is that it might be putting too much stress on the network that isn't necessarily in line with project goals.
Because of that, I suggest that if you build a project like this, DONATE and/or encourage users to donate to Tor project. It's not like relay traffic is an unlimited resource and Tor already does a lot to support various use cases, but it takes money. Keep that in mind.
BitTorrent is effectively a "relay" when you seed. The anonymity network I2P actually works in a way that you are both the relay and the client by default.
According to Tor, "decent" is 2Mb/sec symmetric, which most any broadband connection can do. I suspect everyone has 2MB/sec lying around. From Tor [1]:
The more people who run relays, the faster the Tor network will be. If you have at least 2 megabits/s for both upload and download, please help out Tor by configuring your Tor to be a relay too.
There are other ways to contribute to the project as well, such as running bridge relays [2]. These are often less-used but are necessary for the network to work well in places where it needs to be used for censorship circumvention.
You can also configure a browser to be a short-lived FlashProxy [3] bridge relay.
Even still, throttling bandwidth in your `torrc` means you can easily run a relay on a droplet or EC2 instance and not cost yourself a lot of money. There is also torservers.net [4] for hosting; they accept donations as well.
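As an added illustration of the throttled-relay setup suggested above (not the commenter's own torrc), here is a torrc for a non-exit relay on a small VPS, with the bridge variant noted. Nickname and contact details are placeholders; the rate figures are just examples.

```conf
# Non-exit relay, throttled so a small VPS does not run up a bandwidth bill.
Nickname     <placeholder>
ContactInfo  <placeholder contact>
ORPort       9001
ExitRelay    0                  # relay traffic only, no exit policy exposure

# Long-term average and short burst allowance for relayed traffic.
# (Tor also accepts byte units such as KBytes/MBytes here.)
RelayBandwidthRate   2 MBits
RelayBandwidthBurst  4 MBits

# Monthly cap: tor hibernates once this much has been relayed.
AccountingMax   500 GBytes
AccountingStart month 1 00:00

# To run a bridge instead of a public relay, add:
#   BridgeRelay 1
# which keeps the relay out of the public consensus so censors cannot
# trivially enumerate and block it.
```

Two practitioner notes: RelayBandwidthRate applies to relayed traffic only, so it does not cap your own client use of that tor instance, and AccountingMax is the setting that actually protects you from a metered-bandwidth bill, since bursty demand can otherwise add up over a month.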
Perhaps in Europe and the US, but here in Australia (and many other places I suspect), 2MB/s is a luxury. We have the NBN (partially) rolling out at the moment, but anything better than 12/1mbit will be largely inaccessible to the majority.
I always hoped IPv6 would kill the NAT but it seems providers stick to it… I think the creation of Tor hidden services needs a nice UI. But also I am doubtful because only TCP is supported, UDP not.
We built ZeroTier initially for this use case, and though it's now maturing into something more powerful (SDN type features) it's still very useful for this and the WAN use case is not going away.
The difference between something like ZeroTier and Tor is a trade-off between meta-data privacy and latency/speed. (Both encrypt the actual payload.)
Efficient connectivity and anonymity are antagonistic goals. You can't provide both since optimization for one of these two goals implies violation of the other.
Tor provides meta-data privacy, but it's impossible to do this without sacrificing a lot of performance. If you allow low latency on a privacy network, latency can be used to triangulate the endpoint. Rule of thumb: latency can never be lower than about 1/2 the time it takes a photon to travel the Earth's diameter. In practice it's higher since you must also account for median router latency. Same goes for high throughput though in that case you need much more detailed intel on the physical network. Rule of thumb here: if throughput is higher than global mean it can be used to rule out and thus narrow down paths in the graph.
ZeroTier provides fast efficient low-latency direct connectivity but to do this requires that it introduce people directly, thus revealing peoples' locations (IP-wise) to each other. This is a hard requirement since the most efficient path is by definition the most direct and therefore de-anonymized (again IP-wise) path. You can't go directly A<>B without A knowing where B is and vice versa.
Edit: I speak a bit theoretically above. In practice a weaker anonymity system could be deployed closer to the last mile to hide people at e.g. city resolution. But AFAIK this is not what Tor does, would probably require either a huge critical mass or last-mile carrier participation or both, and would still have a performance impact.