Feature #5688
Tails Server: Self-hosted services behind Tails-powered onion services
29%
Description
team: segfault, anonym
Development repositories:
https://gitlab.com/segfault3/onionkit
https://gitlab.com/segfault3/onionservices
https://gitlab.com/segfault3/onionclient
Subtasks
Feature #11313: Design the GUI of Tails Server | Resolved | segfault | 100 |
Feature #11314: Implement a Tails Server prototype | Resolved | segfault | 100 |
Feature #11551: Install the mumble VoIP client | Confirmed | segfault | 0 |
Feature #12230: Release Tails Server Beta | In Progress | anonym | 70 |
Feature #12231: Write Tails Server Design Documentation | Confirmed | segfault | 60 |
Bug #12253: Use persistence.conf in Tails Server | Confirmed | segfault | 0 |
Feature #12255: Use polkit with Tails Server | Confirmed | segfault | 0 |
Bug #12297: Make Tails Server compatible with Wayland | Confirmed | segfault | 0 |
Feature #14456: Finish documenting Tails Server | Confirmed | spriver | 0 |
Feature #15034: Create apparmor rules for Tails Server services | Confirmed | segfault | 0 |
Feature #15299: Restrict access to onionkit via D-Bus | Confirmed | segfault | 0 |
Feature #15300: Redesign Tails Server GUI | Confirmed | | 80 |
Feature #15301: Run Tails Server services in containers | In Progress | segfault | 50 |
Feature #15343: Add schleuder list to Tails Server | Confirmed | segfault | 0 |
Feature #15348: Have an icon for the Tails Server GUI | Confirmed | | 0 |
Feature #15899: Rethink goals of Tails Server | Confirmed | segfault | 0 |
Related issues
Related to Tails - |
Rejected | 2014-09-07 | |
Related to Tails - Feature #12236: Add more services to Tails Server | Confirmed | 2018-01-16 | |
Related to Tails - Feature #15035: Use systemd security features for Tails Server services | Confirmed | 2017-12-10 | |
Related to Tails - Feature #15181: Help create Debian packages for Tails Server | Confirmed | 2018-01-17 | |
Related to Tails - Feature #6333: firewall exceptions for user-run local services | Confirmed | 2013-10-04 | |
Related to Tails - |
Resolved | 2016-03-15 |
History
#2 Updated by segfault 2015-03-19 17:48:59
I wrote a script to start a hidden web server on Tails. This is a very simple solution without any of the many features planned in the blueprint. It just installs apache (could be any other web server), binds the persistent hidden_service directory to /var/lib/tor, configures Tor to use the hidden service and adds a rule to iptables allowing Tor to access the webserver.
I can try to figure out how to integrate this into Tails if you think this is useful in any way.
#3 Updated by segfault 2015-03-19 17:52:39
Attaching the files doesn’t work, progress bar just states ‘error’, so I’ll just paste them here:
setup.sh:
#!/bin/bash
echo "Installing apache."
apt-get install apache2
echo "Configuring tor hidden service."
./configure_hidden_service.sh
echo "Adding iptables rules."
./add_iptables_rules.sh
configure_hidden_service.sh:
#!/bin/bash
# bind the persistent hidden service dir over Tor's data directory
sudo mount --bind ./hidden_service /var/lib/tor/hidden_service
# add hidden service to torrc
TORRC=/usr/share/tor/tor-service-defaults-torrc
echo "HiddenServiceDir /var/lib/tor/hidden_service" >> "$TORRC"
echo "HiddenServicePort 80 127.0.0.1:80" >> "$TORRC"
# restart tor so it picks up the new configuration
sudo service tor restart
add_iptables_rules.sh:
#!/bin/bash
### Allow access to web server on lo ###
# allow user tor (hidden service)
iptables -I OUTPUT -d 127.0.0.1/32 -o lo -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m owner --uid-owner debian-tor -j ACCEPT
# allow user root
#iptables -I OUTPUT -d 127.0.0.1/32 -o lo -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m owner --uid-owner root -j ACCEPT
# allow unsafe browser
#iptables -I OUTPUT -d 127.0.0.1/32 -o lo -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m owner --uid-owner clearnet -j ACCEPT
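Added example, not part of segfault's post: configure_hidden_service.sh above appends the same two torrc lines on every run, and nothing checks where a HiddenServicePort points. The sketch below makes the append idempotent and audits a torrc for onion-service targets that are not on loopback; the function names are hypothetical and the demo only touches a constructed temporary file.

```shell
#!/bin/bash
# Added example, not from the ticket. Function names are hypothetical.

# add_onion_service TORRC DIR VIRTPORT TARGET
# Append the HiddenServiceDir/HiddenServicePort pair only when DIR is not
# configured yet, so running the setup twice leaves a single entry.
add_onion_service() {
    local torrc=$1 dir=$2 virtport=$3 target=$4
    if awk -v d="$dir" 'tolower($1) == "hiddenservicedir" && $2 == d { f = 1 }
                        END { exit !f }' "$torrc" 2>/dev/null; then
        return 0
    fi
    printf 'HiddenServiceDir %s\nHiddenServicePort %s %s\n' \
        "$dir" "$virtport" "$target" >> "$torrc"
}

# audit_onion_targets TORRC
# Print each HiddenServicePort line whose target is not loopback, a bare
# port (tor then uses 127.0.0.1) or a unix socket. Returns 1 if any is found.
audit_onion_targets() {
    awk 'tolower($1) == "hiddenserviceport" {
             t = ($3 == "") ? $2 : $3
             if (t !~ /^(127\.[0-9]+\.[0-9]+\.[0-9]+|\[::1\])(:[0-9]+)?$/ &&
                 t !~ /^[0-9]+$/ && t !~ /^unix:/) { print NR ": " $0; bad = 1 }
         }
         END { exit bad + 0 }' "$1"
}

# Demo on a constructed torrc in a temporary file (never the live one).
demo() {
    local f; f=$(mktemp)
    add_onion_service "$f" /var/lib/tor/hidden_service 80 127.0.0.1:80
    add_onion_service "$f" /var/lib/tor/hidden_service 80 127.0.0.1:80
    echo 'HiddenServicePort 8080 192.168.1.10:8080' >> "$f"   # constructed bad line
    audit_onion_targets "$f" || echo "non-loopback target found"
    rm -f "$f"
}
demo
```
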
#4 Updated by intrigeri 2015-03-19 18:17:41
- related to Feature #7879: Document how to serve files over HTTP behind a Tor Hidden Service added
#5 Updated by intrigeri 2015-03-19 18:17:57
> I wrote a script to start a hidden web server on Tails.
Great! It’s work in progress on Feature #7879 => please report about your own version there.
#6 Updated by anonym 2016-06-29 03:23:30
- related to Feature #11551: Install the mumble VoIP client added
#7 Updated by anonym 2016-06-29 05:22:16
- related to deleted (Feature #11551: Install the mumble VoIP client)
#8 Updated by anonym 2016-06-29 05:22:28
- blocks Feature #11551: Install the mumble VoIP client added
#9 Updated by Dr_Whax 2016-08-20 12:36:01
- Description updated
- Assignee set to segfault
- Target version set to 2017
#10 Updated by segfault 2017-02-14 17:12:53
- Blueprint changed from https://tails.boum.org/blueprint/server_edition to https://tails.boum.org/blueprint/tails_server
#11 Updated by segfault 2017-02-14 17:47:28
- related to Feature #12237: Reduce apt update time during first start of Tails Server added
#12 Updated by segfault 2017-02-14 17:47:39
- related to Feature #12236: Add more services to Tails Server added
#13 Updated by segfault 2017-02-14 17:47:47
- related to Bug #12232: Base feature/5688-tails-server on feature/stretch added
#14 Updated by segfault 2017-02-14 17:47:52
- related to Feature #12231: Write Tails Server Design Documentation added
#15 Updated by segfault 2017-02-14 17:48:02
- related to Feature #12230: Release Tails Server Beta added
#16 Updated by segfault 2017-02-14 17:49:31
- Target version changed from 2017 to Tails_3.2
- Feature Branch set to feature/5688-tails-server
We plan to release Tails Server with the first point release after the release of the next-generation onion services (scheduled for August 2017). This will be Tails 3.2, scheduled for 10/03/2017.
#17 Updated by segfault 2017-02-14 17:51:30
- related to deleted (Bug #12232: Base feature/5688-tails-server on feature/stretch)
#18 Updated by segfault 2017-02-14 17:51:32
- blocked by Bug #12232: Base feature/5688-tails-server on feature/stretch added
#19 Updated by segfault 2017-02-14 17:51:44
- related to deleted (Feature #12231: Write Tails Server Design Documentation)
#20 Updated by segfault 2017-02-14 17:51:53
- blocked by Feature #12231: Write Tails Server Design Documentation added
#21 Updated by segfault 2017-02-14 17:52:07
- related to deleted (Feature #12230: Release Tails Server Beta)
#22 Updated by segfault 2017-02-14 17:52:19
- blocked by Feature #12230: Release Tails Server Beta added
#23 Updated by segfault 2017-03-08 18:51:47
- Affected tool set to Server
#24 Updated by segfault 2017-03-08 18:54:17
- Subject changed from Tails server: Self-hosted services behind Tails-powered Tor hidden services to Tails Server: Self-hosted services behind Tails-powered onion services
#25 Updated by segfault 2017-04-25 19:38:44
- blocks deleted (Feature #12230: Release Tails Server Beta)
#26 Updated by segfault 2017-04-25 19:40:07
- blocks deleted (Bug #12232: Base feature/5688-tails-server on feature/stretch)
#27 Updated by segfault 2017-04-25 19:41:23
- blocks deleted (Feature #12231: Write Tails Server Design Documentation)
#28 Updated by segfault 2017-04-25 19:44:10
- blocked by Feature #12230: Release Tails Server Beta added
#29 Updated by BitingBird 2017-08-28 18:56:17
- Description updated
#30 Updated by intrigeri 2017-09-15 18:06:00
- Target version changed from Tails_3.2 to Tails_3.5
It didn’t make it into 3.2 so best case it’ll be for 3.4, if your new job (VeraCrypt! :) leaves you enough spare time.
#31 Updated by segfault 2017-12-10 11:08:56
- related to Feature #15035: Use systemd security features for Tails Server services added
#32 Updated by segfault 2017-12-10 11:09:07
- related to Feature #15034: Create apparmor rules for Tails Server services added
#33 Updated by Anonymous 2018-01-15 15:22:45
What’s the current release plan? You said that you are waiting for next-generation onion services, and Torproject said they released a beta in November 2017: https://blog.torproject.org/tors-fall-harvest-next-generation-onion-services. Do we know more about their release schedule (just so that we can track this on this ticket / on our side)?
#34 Updated by segfault 2018-01-15 17:06:01
- Target version changed from Tails_3.5 to Tails_3.8
> What’s the current release plan?
Ok, a little overdue update: I worked a lot on this in the last months. I redesigned and rewrote a lot of code, and plan to make Debian packages with the names onionkit for the backend and onionservices (if I don’t find something better) for the GUI. It’s not finished yet, I still have quite some work to do, and I would also like to redesign the GUI to fit the new GNOME Settings design. But I have to focus on other projects with hard deadlines in the next weeks, so this will have to wait some more. I will set the target version 3.8 for now, as I don’t think 3.6 is realistic.
> You said that you are waiting for next-generation onion services, and Torproject said they released a beta in November 2017: https://blog.torproject.org/tors-fall-harvest-next-generation-onion-services. Do we know more about their release schedule (just so that we can track this on this ticket / on our side)?
The next-gen onions were the main blocker before the redesign, but they actually already got released in the latest stable release, so they are not a blocker anymore. And I hope that they will also be supported in Stem by the time I finished everything else.
#35 Updated by Anonymous 2018-01-17 13:49:07
- Target version changed from Tails_3.8 to Tails_3.9
I’m setting 3.9 as target as this will be the next major release (3.9~rc1 is planned for 2018-08-17).
#36 Updated by Anonymous 2018-01-17 13:53:00
segfault wrote:
> > What’s the current release plan?
>
> Ok, a little overdue update: I worked a lot on this in the last months. I redesigned and rewrote a lot of code, and plan to make Debian packages with the names onionkit for the backend and onionservices (if I don’t find something better) for the GUI.
Wow, that’s really awesome!
I’d like to help with debianizing these two pieces of code: Will add a ticket for this.
Concerning the names, I think you might want to send an email to tails-dev (?) and ask for comments. I’m unsure if these names correctly reflect what the software does.
Maybe: onionservices & onionservices-gui would be more appropriate? or onionservices-client or something.
#37 Updated by Anonymous 2018-01-17 13:55:34
- related to Feature #15181: Help create Debian packages for Tails Server added
#38 Updated by segfault 2018-02-10 09:32:57
- related to Bug #12297: Make Tails Server compatible with Wayland added
#39 Updated by segfault 2018-03-06 10:22:10
- Description updated
#40 Updated by bertagaz 2018-03-13 22:00:36
It would be great to update the FAQ once this is out
#41 Updated by segfault 2018-08-05 19:23:46
- Target version deleted (Tails_3.9)
It’s unclear when Tails Server will get its review, so I’m unsetting the target version.
#42 Updated by Anonymous 2018-08-19 08:30:12
- related to Feature #6333: firewall exceptions for user-run local services added
#43 Updated by syster 2020-05-06 13:30:53
- related to Feature #11241: Consider including mumble-server and mumble in Tails added