Using Tor with Home Assistant for extra secure+private remote access

Hi everyone. Just wanted to check in here and open the discussion on some of the recent work I have been leading, trying to see how Tor (aka the Onion Router, aka a security and privacy tool and network) could be integrated with Home Assistant.

We have a cookbook example up here: https://home-assistant.io/cookbook/tor_configuration/ that I hope is self-explanatory.

We were fortunate this week to have Wired write up a story on this, thanks to their interest in IoT security:
https://www.wired.com/2016/07/now-can-hide-smart-home-darknet/

Happy to answer any questions, or hear your ideas or suggestions about what we can do next. I am actually working on both making the client access setup easier through a HA component and QR code generation system.

I am also working to access the OBD2 port in my car through a CHIP computer connected to it no matter where it happens to be, by also running Tor Hidden Services. This will show how Tor can be used to safely connect remote devices into your HA hub, be it your car, another house, remote farm equipment, and so on. Stay tuned for that!

Look forward to talking with everyone more.

10 Likes

:slight_smile:

Hi there!

I probably shouldn’t be asking for help regarding this, but here I am :blush:
I’ve really tried to get tor working on my Raspberry Pi 2 but with no luck… Installation went well, modifying the torrc file also.
Next command > sudo /etc/init.d/tor restart, failed to execute (then I restarted the Pi manually…).
Next one > $ sudo more /var/lib/tor/homeassistant/hostname showing the folder doesn’t exist…
Tried it many times, clean install (Raspbian Jessie), update/upgrade, sudo pip3 install homeassistant or all-in-one script, same…

Can you please link some more “self explanatory” manuals for us (me) total noobs?

Thanks in advance.

Happy to help here!

When you do a vanilla install of tor without modifying torrc, does it start up?

Also can you share or paste here your torrc content?

There shouldn’t be anything sensitive in it.

Otherwise, here is the official Tor documentation on setting up hidden services:
https://www.torproject.org/docs/tor-hidden-service.html.en

Hey, thanks for quick response!

I think I know now what the problem was…

This >


####This section is just for location-hidden services ###

Once you have configured a hidden service, you can look at the
contents of the file “…/hidden_service/hostname” for the address
to tell people.
…
HiddenServiceDir /var/lib/tor/homeassistant/
HiddenServicePort 80 127.0.0.1:8123
HiddenServiceAuthorizeClient stealth haremote1
…


This is the content of the text box in the cookbook example.
When you copy it as is, you are also copying dots in front of and at the end of the command…
So, delete the dots :blush:
That was the problem. There, maybe this can help someone else.

Thanks one more time! :vulcan:

3 Likes
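The copy-paste problem described above can be caught before restarting Tor. The following is an added example, not part of the original thread or the cookbook: a small Python check (function name and sample input are constructed for illustration) that flags stray lines such as the pasted "…" and parses the hidden-service block in the `VIRTPORT ADDR:PORT` form used in this thread.

```python
import re

# Directives that appear in the hidden-service blocks quoted in this thread.
HS_DIRECTIVES = {"HiddenServiceDir", "HiddenServicePort", "HiddenServiceAuthorizeClient"}
PORT_RE = re.compile(r"^(\d{1,5})\s+(\S+):(\d{1,5})$")

# Constructed sample: the cookbook block pasted together with its ellipsis lines.
SAMPLE = """\
\u2026
HiddenServiceDir /var/lib/tor/homeassistant/
HiddenServicePort 80 127.0.0.1:8123
HiddenServiceAuthorizeClient stealth haremote1
\u2026
"""


def lint_hidden_services(text):
    """Return (services, problems) for the hidden-service part of a torrc."""
    services, problems, current = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Ellipsis characters, smart quotes or bare dots are paste debris.
        if not line.isascii() or set(line) <= set("."):
            problems.append((lineno, "stray non-directive text: %r" % line))
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key not in HS_DIRECTIVES:
            continue  # other torrc options are out of scope for this check
        if key == "HiddenServiceDir":
            current = {"dir": value, "ports": [], "auth": None}
            services.append(current)
        elif current is None:
            problems.append((lineno, key + " before any HiddenServiceDir"))
        elif key == "HiddenServicePort":
            m = PORT_RE.match(value)
            if m and all(0 < int(p) < 65536 for p in (m.group(1), m.group(3))):
                current["ports"].append((int(m.group(1)), m.group(2), int(m.group(3))))
            else:
                problems.append((lineno, "not in 'VIRTPORT ADDR:PORT' form: %r" % value))
        else:
            current["auth"] = value
    for svc in services:
        if not svc["ports"]:
            problems.append((0, "no HiddenServicePort for " + svc["dir"]))
    return services, problems
```

Tor can also check a file itself with `tor --verify-config -f <path to torrc>`.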

I have managed to get this working on my laptop, but cannot seem to get it running on my Android phone. I followed the directions in the blog but when I connect to my HASS through OrFox, the screen shows the HASS logo, but doesn’t show where I type in my passcode. Ideas?

edit: Site works fine in Chrome when I connect directly without going through Tor.

You need to enable Javascript in Orfox. Check the menu->noscript option.

3 Likes

I mentioned that we are also working on integrating car logging data using a CHIP (or a Pi3) with an OBD2 port device. I am discussing this with the CHIP community over here:
https://bbs.nextthing.co/t/car-nerds-and-nix-afficianados/5655

We also almost have this working using the Torque application on Android tunneled over Tor using the Orbot VPN, but there is currently an issue with the data being parsed as it is posted:
https://github.com/home-assistant/home-assistant/issues/1515

I hope we can solve this soon, so that we can more formally add the “onion car” to the mix.

1 Like

Perfect!! That solved it!

I’m hoping that someone here can weigh in on running Owntracks through Orbot. I’d like to use Owntracks for presence detection, and I’ve set up Tor to host the broker as a hidden service. The problem is that I can’t seem to route Owntracks through Orbot and get it to connect to the hidden service. The guide for setting up Tor mentions using Orbot’s VPN mode to do this, but I can’t find a guide which covers the configuration. I checked the Owntracks forum and there doesn’t seem to be an answer there either.

https://community.owntracks.org/topic/237/android-app-private-mqtt-question-connection-through-tor

Can someone please offer some guidance on this?

Sorry to bring up an old thread. With Javascript enabled in the Windows Tor browser I get through the login, but when it tries to load states, it just shows a blank page. Are there any other configuration options to try?

Hey there. I am excited to get Owntracks+Orbot working for you. Which version of Android OS are you using?

There is a new beta of Orbot out that you should try:
https://lists.mayfirst.org/pipermail/guardian-dev/2016-October/004941.html

You need to enable the “Apps VPN Mode” from the left sidebar, then choose the Owntracks app.

Then you should be able to enter the onion server address into Owntracks.

Hmm, can you check the NoScript add-on menu to make sure all the scripts are being allowed?

Thanks for the quick response. After some further trial and error, I got it to work by changing the security level slider from High->Medium High. The security slider was introduced in version 4.5

I’m running Android 6.0.1 and Orbot 15.1.2. For security, I’d like to stay away from apps which are not available in the Play store.

I did come across the following link which shows one way of doing this:

but it requires a rooted phone, which mine isn’t. Is it possible to do this with the current version of Orbot without a rooted phone?

The new Orbot release will be out shortly.

Otherwise, is your HA running with the authenticated mode on? You will need to add that cookie data to the Orbot->Settings torrc custom section. This is the same as adding it to the Tor Browser’s Tor RC file.

Otherwise, you don’t need the transparent proxy and root feature outlined in that post. Instead, you should use the Orbot Apps VPN feature which routes any app through Tor.

Where you would put the server in Owntracks is where you would enter the .onion address that your HA is running on.

I have an HTTP password and am using the default settings for Mosquitto until I get everything up and running. I’ve followed the instructions to set up a tor hidden service. The line in the torrc file is:

HiddenServiceDir /var/lib/tor/mosquitto/
HiddenServicePort 1883 127.0.0.1:1883
HiddenServiceAuthorizeClient stealth haremote1

I checked the cookie and entered it on my torrc file in Orbot. I went into the select apps menu in Orbot and checked the box for Owntracks. Restarted everything, and started Orbot with VPN mode on. Orbot seems to be fine, but I get an error in Owntracks saying that it’s got an Unknown Host Exception.

I used the .onion address in the host field and kept the port as 1883. For authentication details, I’ve used the same details as I have when I’m on the network. I double checked and if I connect to my wifi network and point owntracks at the server directly, it works.

So I’m not sure where the error is coming from.

Is 1883 the port that you access the HA web interface from as well?

If so, can you try installing Orfox browser, and see if you can access the web interface via the onion address?

1883 is not the port used for the web interface, it’s only used for MQTT. HTTP traffic is on port 80; my hidden service for that is a direct copy from the instructions, so the total entry for hidden services is:

HiddenServiceDir /var/lib/tor/homeassistant/
HiddenServicePort 80 127.0.0.1:8123
HiddenServiceAuthorizeClient stealth haremote1

HiddenServiceDir /var/lib/tor/mosquitto/
HiddenServicePort 1883 127.0.0.1:1883
HiddenServiceAuthorizeClient stealth haremote1

I have both cookies saved in Orbot. I checked the web interface with Orfox and it connects regardless of whether I’m connected over VPN.

Yes, Orfox directly connects to Orbot via the SOCKS proxy. It is developed to work that way.

Owntracks must connect through the Orbot VPN connection. I am wondering if the Orbot VPN has a problem resolving dot-onion addresses for some reason. I will do some testing here on the new build and let you know what I see.

Also, since Owntracks is open-source, we could submit a pull request to it to add the direct SOCKS proxying like Orfox.
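What "direct SOCKS proxying" means on the wire, as an added example that is not part of the original thread and not Orbot, Orfox or Owntracks code: a SOCKS5 client hands the .onion name to the proxy unresolved (address type 0x03), so the application never performs a DNS lookup for it. The onion name below is a constructed placeholder, and the proxy address passed to `connect_via_socks` is an assumption (Tor's default SocksPort is 9050).

```python
import socket
import struct

VER, CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x05, 0x01, 0x01, 0x03, 0x04
REPLIES = {0x00: "succeeded", 0x01: "general failure",
           0x04: "host unreachable", 0x05: "connection refused"}
EXAMPLE_ONION = "exampleonionaddress.onion"  # constructed placeholder, not a real service


def build_connect(hostname, port):
    """SOCKS5 CONNECT carrying the name itself (ATYP 0x03): no local DNS lookup."""
    name = hostname.encode("ascii")
    if not 0 < len(name) < 256:
        raise ValueError("hostname must be 1..255 bytes")
    return bytes([VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)]) + name + struct.pack(">H", port)


def reply_status(header):
    """Map the first two bytes of a SOCKS5 reply to a readable status."""
    if len(header) < 2 or header[0] != VER:
        raise ValueError("not a SOCKS5 reply")
    return REPLIES.get(header[1], "error 0x%02x" % header[1])


def _read(sock, n):
    """Read exactly n bytes or fail if the proxy hangs up."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("proxy closed the connection")
        buf += chunk
    return buf


def connect_via_socks(proxy, hostname, port, timeout=60):
    """Open a TCP stream to hostname:port through a SOCKS5 proxy such as Tor's."""
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        sock.sendall(bytes([VER, 1, 0x00]))  # offer only "no authentication"
        if _read(sock, 2) != bytes([VER, 0x00]):
            raise OSError("proxy refused the no-auth method")
        sock.sendall(build_connect(hostname, port))
        head = _read(sock, 4)
        if reply_status(head) != "succeeded":
            raise OSError("SOCKS5 connect failed: " + reply_status(head))
        # Drain the bound address so the stream starts at application data.
        alen = {ATYP_IPV4: 4, ATYP_IPV6: 16}.get(head[3]) or _read(sock, 1)[0]
        _read(sock, alen + 2)
        return sock
    except Exception:
        sock.close()
        raise
```

With a local Tor SOCKS listener, `connect_via_socks(("127.0.0.1", 9050), "<your .onion address>", 1883)` would return a socket connected to the MQTT hidden service from this thread.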