wiki:doc/NextGenOnions

Intro to Next Gen Onion Services (aka prop224)

Welcome to the next level in overlay networks: Tor's Next Generation Onion Services!

Tor as of version 0.3.2.1-alpha supports the next-gen onion services protocol for clients and services! As part of this release, the core of proposal 224 has been implemented and is available for experimentation and testing by our users. This newer version of onion services ("v3") features many improvements over the legacy system, including:

  1. Better crypto (replaced SHA1/DH/RSA1024 with SHA3/ed25519/curve25519)
  2. Improved directory protocol, leaking much less information to directory servers.
  3. Improved directory protocol, with smaller surface for targeted attacks.
  4. Better onion address security against impersonation.
  5. More extensible introduction/rendezvous protocol.
  6. A cleaner and more modular codebase.

You can identify a next-generation onion address by its length: they are 56 characters long, as in 4acth47i6kxnvkewtm6q7ib2s3ufpo5sqbsnzjpbi7utijcltosqemad.onion.

The specification for next gen onion services can be found here: https://gitweb.torproject.org/torspec.git/tree/rend-spec-v3.txt

[This page will remain read-only for the next few days. Please contact asn for any additions.]

Current state

Initial client/service support introduced in tor-0.3.2.1-alpha. Project currently in testing and bugfixing phase.

See this blog post for a Tor Browser alpha release with v3 onion support!

In the future, we plan to release more features for v3 onion services, but we first need a testing period for the current codebase to mature and become more robust. Planned features include: offline keys, advanced client authorization, improved guard algorithms, and statistics. For full details, see rend-spec-v3.txt.

Example prop224 services

You will need a Tor browser running at least tor-0.3.2.1-alpha (e.g. Tor Browser 7.5a5) to visit these:

(Also NEVER trust onions you read on a wiki :) )

How to connect to the test hub for next gen onion services

We've setup a small test hub in a friendly IRC network which you are welcome to join if you want us to help test next gen onion services. The address is gff4ixq3takworeuhkubzz4xh2ulytoct4xrpazkiykhupalqlo53ryd.onion:6697. You will need an IRC client and socat to follow this guide:

1) Compile Tor from source:

Let's start by cloning the upstream git repository:

$ git clone https://git.torproject.org/tor.git

and then build tor using $ ./autogen.sh && ./configure --disable-asciidoc && make.

2) Setup a basic torrc for your Tor client

Try this torrc for your Tor client (adapt it to your filesystem):

SocksPort 9008
RunAsDaemon 0
SafeLogging 0
DataDirectory /home/user/tmp/tor
Log notice stdout
Log notice file /home/user/tmp/hsclient/tor.log
Log info file  /home/user/tmp/hsclient/torinfo.log

3) Setup a socat tunnel to the prop224 testing hub

I use the socat tool to setup a tor tunnel between my computer and the onion service:

$ socat TCP4-LISTEN:4250,bind=localhost,fork,reuseaddr SOCKS4A:localhost:gff4ixq3takworeuhkubzz4xh2ulytoct4xrpazkiykhupalqlo53ryd.onion:6697,socksport=9008

4) Connect to the testing hub IRC channel

We are almost done. Now start your IRC client and point it to the tunnel we opened above. Here are instructions for irssi:

/server -4 -ssl localhost 4250

/join #prop224

5) Sit back and enjoy!

If you made it this far the next step is to relax and enjoy this new Internet experience. Also monitor your log files to see if any warnings or bugs appeared. If we see your client misbehaving we might ask you to give us some logs etc. If any other tests are required we will notify you through the IRC testing hub.

How to setup your own prop224 service

It's easy! Just use your regular onion service torrc and add HiddenServiceVersion 3 in your hidden service torrc block.

Here is an example torrc designed for testing:

SocksPort auto

HiddenServiceDir /home/user/tmp/hsv3
HiddenServiceVersion 3
HiddenServicePort 6667 127.0.0.1:6667

SafeLogging 0
Log notice stdout
Log notice file /home/user/tmp/hs/hs.log
Log info file /home/user/tmp/hs/hsinfo.log

You can then find your onion address at /home/user/tmp/hsv3/hostname.

You can also host both a v2 and a v3 service using two hidden service torrc blocks:

HiddenServiceDir /home/user/tmp/hsv2
HiddenServicePort 6667 127.0.0.1:6667

HiddenServiceDir /home/user/tmp/hsv3
HiddenServiceVersion 3
HiddenServicePort 6668 127.0.0.1:6667

Please let us know if you find any bugs!!!

How to help the next-gen onion development

We are still in testing & development stage so things are very liquid and in active development.

if you want to help with development, check out the list of open prop224 bugs.

Otherwise, if you are more of the bug hunting type, please check our code and spec for errors and inaccuracies. We would be thrilled to know about them :)

Last modified 2 weeks ago Last modified on Oct 5, 2017, 3:48:17 AM

Attachments (3)

Download all attachments as: .zip