Jump to menu and information about this site.


Backup over Tor with BackupPC //at 04:37 //by abe

I have a Raspberry Pi at my parents home. They have internet access via some ISP using Carrier Grade NAT (CGN). Hence their home router is not reachable via IPv4 from the outside, they do have IPv6 and the devices can also be made accessible via IPv6 via the local router.

Did that, was able to access my Raspberry Pi over IPv6 and SSH from the outside. So doing backup of that Raspberry Pi with BackupPC from the outside was a walk in the park.

Unfortunately the IPv6 prefix seems to change occasionally and the router only allows to configure explicit IPv6 addresses in firewall rules — so after a prefix change the configured rules no more match the devices IPv6 addresses. Meh.

So there were multiple possibilities to work around these restrictions and access a devices behind the router:

  • Using a permanent VPN connection, e.g. OpenVPN.
  • Using a software defined network (SDN), e.g. ZeroTier.
  • Enabling a Tor Hidden Service to access the device via SSH and Tor.

Enabling a Tor Hidden Service for port 22 is a no-brainer and was done most quickly (actually it already was in place as I already suspected that an IPv6 prefix change might happen) and I so far was too lazy to replace it with something more proper.

But my backup was relying on direct SSH access via IPv6. So I needed to get that working over Tor, too.

Here’s what was needed for the host named “sherpa” (named after the Fiberfab Sherpa) to be backed up via Tor:

  • Make sure the folloing packages are installed on the BackupPC server:
    • netcat-openbsd (netcat-traditional might work, too, but then needs different commandline options)
    • ssh-tools for ssh-ping
    • tor (of course :-)
  • Add these lines to ~backuppc/.ssh/config:
    Host sherpa_via_tor
            Hostname abcdefghijklmnop.onion
            ProxyCommand /bin/nc.openbsd -X 5 -x localhost:9050 %h %p
    These lines basically configure an alias hostname for ssh which then connects via SOCKS5 to the Tor daemon instead of doing DNS lookup and connection itself. It also configures the actual hostname (a Tor “.onion” hostname) to connect to.
  • Add the following lines to /etc/backuppc/sherpa.pl:
    $Conf{ClientNameAlias} = 'sherpa_via_tor';
    $Conf{PingCmd} = '/usr/bin/ssh-ping -c 1 $host';
    $Conf{NmbLookupFindHostCmd} = "";
    These lines configure a few things in BackupPC:
    • Use the hostname alias declared in .ssh/config.
    • Use ssh-ping instead of standard ping as command to test connectivity. (ICMP neither works over SOCKS5 nor over Tor. And we configured the connection only for SSH anyways.)
    • Don’t try to do any DNS lookups on the given hostnames. (Otherwise you’ll get error messages like “Can’t find host sherpa_via_tor via netbios” in BackupPC’s per-host log files.)

That’s it basically.

Of course you also need to have the SSH public host key in the .ssh/known_hosts file also for the .onion hostname. And the Tor Hidden Service needs to be configured on the target device.

But that’s left as exercise for the reader. There’s a lot of documentation about that on the internet, including slides and video recordings of talks and live demos I gave about this topic in German.

Ah, and in case you might think that’s unfair and misuse of the resources of the Tor Project: No, I explicitly asked and they said more or less any additional traffic helps to make it more difficult to analyse Tor traffic or to track Tor users — and is hence welcome.

Addendum: The last direct full backup of that Raspberry Pi (5.5 GB) took around 32 minutes. The first full backup over Tor (8.7 GB) took 341 minutes. Seems much slower, but there might be other factors as well: Most backups which ran last night were running at only 0.85 MB/s to 1 MB/s, probably because too many backups were running in parallel after a recent backup server downtime with file system check — the backup server was probably the bottleneck. The backup of the Raspberry Pi over Tor ran at 0.42 MB/s, so about half the speed of the other backups. (Will probably add some more notes if I have more statistics over time.)

Tag Cloud

2CV, aha, Apache, APT, aptitude, ASUS, Automobiles, autossh, Berlin, bijou, Blogging, Blosxom, Blosxom Plugin, Browser, BSD, CDU, Chemnitz, Citroën, CLI, CLT, Conkeror, CSS, CX, deb, Debian, Doofe Parteien, E-Mail, eBay, EeePC, Emacs, Epiphany, Etch, ETH Zürich, Events, Experimental, Firefox, Fläsch, FreeBSD, Freitagstexter, FVWM, Galeon, Gecko, git, GitHub, GNOME, GNU, GNU Coreutils, GNU Screen, Google, GPL, grep, grml, gzip, Hackerfunk, Hacks, Hardware, Heise, HTML, identi.ca, IRC, irssi, Jabber, JavaShit, Kazehakase, Lenny, Liferea, Linux, LinuxTag, LUGS, Lynx, maol, Meme, Microsoft, Mozilla, Music, mutt, Myon, München, nemo, Nokia, nuggets, Open Source, OpenSSH, Opera, packaging, Pentium I, Perl, Planet Debian, Planet Symlink, Quiz, Rant, ratpoison, Religion, RIP, Sarcasm, Sarge, Schweiz, screen, Shell, Sid, Spam, Squeeze, SSH, Stoeckchen, Stöckchen, SuSE, Symlink, Symlink-Artikel, Tagging, Talk, taz, Text Mode, ThinkPad, Ubuntu, USA, USB, UUUCO, UUUT, VCFe, Ventilator, Vintage, Wahlen, WAP, Wheezy, Wikipedia, Windows, WML, Woody, WTF, X, Xen, zsh, Zürich, ÖPNV


← 2020 
← March 
Mo Tu We Th Fr Sa Su

Tattletale Statistics

Blog postings by posting time
Blog posting times this month


Advanced Search


Recent Postings

0 most recent of 0 postings total shown.

Recent Comments

Hackergotchi of Axel Beckert


This is the blog or weblog of Axel Stefan Beckert (aka abe or XTaran) who thought, he would never start blogging... (He also once thought, that there is no reason to switch to this new ugly Netscape thing because Mosaïc works fine. That was about 1996.) Well, times change...

He was born 1975 at Villingen-Schwenningen, made his Abitur at Schwäbisch Hall, studied Computer Science with minor Biology at University of Saarland at Saarbrücken (Germany) and now lives in Zürich (Switzerland), working at the Network Security Group (NSG) of the Central IT Services (Informatikdienste) at ETH Zurich.

Links to internal pages are orange, links to related pages are blue, links to external resources are green and links to Wikipedia articles, Internet Movie Database (IMDb) entries or similar resources are bordeaux. Times are CET respective CEST (which means GMT +0100 respective +0200).

RSS Feeds

Identity Archipelago

Picture Gallery

Button Futility

Valid XHTML Valid CSS
Valid RSS Any Browser
This content is licensed under a Creative Commons License (SA 3.0 DE). Some rights reserved. Hacker Emblem
Get Mozilla Firefox! Powered by Linux!
Typed with GNU Emacs Listed at Tux Mobil
XFN Friendly Button Maker


People I know personally

Other blogs I like or read

Independent News

Interesting Planets

Web comics I like and read

Stalled Web comics I liked

Blogging Software

Blosxom Plugins I use

Bedside Reading

Just read

  • Bastian Sick: Der Dativ ist dem Genitiv sein Tod (Teile 1-3)
  • Neil Gaiman and Terry Pratchett: Good Omens (borrowed from Ermel)

Currently Reading

  • Douglas R. Hofstadter: Gödel, Escher, Bach
  • Neil Gaiman: Keine Panik (borrowed from Ermel)

Yet to read

  • Neil Stephenson: Cryptonomicon (borrowed from Ermel)

Always a good snack

  • Wolfgang Stoffels: Lokomotivbau und Dampftechnik (borrowed from Ermel)
  • Beverly Cole: Trains — The Early Years (getty images)