Tor Hidden Service Integration

Overview

This guide provides comprehensive instructions for integrating INN2 with Tor hidden services, enabling anonymous Usenet access with network-layer privacy protection.

Architecture: The Tor daemon creates a hidden service that forwards connections to INN on localhost:119, providing end-to-end anonymity for clients without exposing the server's IP address.
Tor User → Tor Network → Hidden Service → Tor Daemon → 127.0.0.1:119 → INN2 (encrypted) (3 hops) (.onion) (localhost) (NNTP)

Benefits of Tor Integration

Prerequisites

# Verify INN is running and listening
sudo systemctl status innd
sudo netstat -tulpn | grep :119

# Check INN accepts localhost connections
telnet 127.0.0.1 119

If INN responds with 200 InterNetNews server INN ready, proceed to Tor installation.

Step 1: Install Tor

sudo apt update
sudo apt install tor -y

Verify Tor installation:

tor --version
sudo systemctl status tor

Step 2: Configure Tor Hidden Service

Edit Tor configuration file:

sudo nano /etc/tor/torrc

Basic Hidden Service Configuration

# INN2 Hidden Service
HiddenServiceDir /var/lib/tor/inn_hidden_service/
HiddenServicePort 119 127.0.0.1:119

Configuration Explained:
  • HiddenServiceDir: Directory where Tor stores hidden service keys and hostname
  • HiddenServicePort: External port 119 (NNTP) maps to localhost:119 (INN)

Advanced Security Configuration

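Add these hardening options to torrc. The HiddenService* lines are per-service and must come after the HiddenServiceDir line they apply to: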

# Security hardening
HiddenServiceVersion 3
HiddenServiceMaxStreams 100
HiddenServiceMaxStreamsCloseCircuit 1

# Performance tuning
NumCPUs 2
MaxMemInQueues 4096 MB

# Logging (minimal for privacy)
Log notice file /var/log/tor/notices.log
SafeLogging 1

Step 3: Restart Tor and Get Onion Address

sudo systemctl restart tor
sudo systemctl status tor

Retrieve your hidden service address:

sudo cat /var/lib/tor/inn_hidden_service/hostname

Your Onion Address: Save this address (e.g., abc123...xyz.onion). This is your server's anonymous NNTP address.

Step 4: Configure INN for Localhost Access

Ensure INN accepts connections from localhost (Tor daemon):

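sudo nano /etc/news/inn.conf

# Critical: bind to all interfaces including localhost
# Note: 0.0.0.0 also listens on public interfaces; for a Tor-only server,
# apply the firewall rule under "Disable Clearnet Access" below.
bindaddress: 0.0.0.0
port: 119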

Configure readers.conf

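sudo nano /etc/news/readers.conf

# Localhost access (for Tor hidden service)
# Every hidden service client reaches INN from 127.0.0.1, so these blocks
# apply to all Tor users.
auth "localhost" {
    hosts: "localhost, 127.0.0.1, ::1"
    default: "<localhost>"
}

access "localhost" {
    users: "<localhost>"
    newsgroups: "*"
    # R = read, P = post, A = post articles carrying an Approved: header
    access: RPA
}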

Reload INN configuration:

sudo systemctl reload innd

Step 5: Test Hidden Service

Test from Server (Using torsocks)

# Install torsocks
sudo apt install torsocks -y

# Test connection through Tor
torsocks telnet YOUR_ONION_ADDRESS.onion 119

Test from External Client

Configure newsreader with Tor SOCKS5 proxy:

Server: YOUR_ONION_ADDRESS.onion
Port: 119
Proxy: SOCKS5
Proxy Host: 127.0.0.1
Proxy Port: 9050

First Connection: Initial connection may take 30-60 seconds as Tor establishes circuits. Subsequent connections are faster.

Troubleshooting Common Issues

Issue: Hidden Service Not Reachable

# Check Tor is running
sudo systemctl status tor

# Verify hidden service directory exists
ls -la /var/lib/tor/inn_hidden_service/

# Check Tor logs
sudo tail -f /var/log/tor/notices.log

# Verify INN listens on localhost
sudo netstat -tulpn | grep 127.0.0.1:119

Issue: Tor Can't Connect to INN

# Test INN directly on localhost
telnet 127.0.0.1 119

# Check INN configuration
sudo /usr/lib/news/bin/inncheck

# Verify bindaddress in inn.conf
grep bindaddress /etc/news/inn.conf

# Check firewall allows localhost
sudo iptables -L INPUT -v -n | grep lo

Issue: Permission Denied

# Fix Tor hidden service permissions
sudo chown -R debian-tor:debian-tor /var/lib/tor/inn_hidden_service/
sudo chmod 700 /var/lib/tor/inn_hidden_service/

Security Hardening

Disable Clearnet Access (Tor-Only Server)

If you want ONLY Tor access, block external port 119:

# Block external NNTP, allow only localhost
sudo iptables -A INPUT -p tcp --dport 119 ! -s 127.0.0.1 -j DROP
sudo netfilter-persistent save

Result: INN is accessible only via the Tor hidden service; direct clearnet connections are blocked completely.
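
Added example (not part of the original guide): with bindaddress 0.0.0.0 from Step 4, the DROP rule above is the only thing keeping port 119 off the clearnet, so it is worth checking what INN is actually bound to. The function names and the sample listener lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original guide): flag NNTP listeners bound to
# anything other than loopback. Reads `ss -Hltn` or `netstat -tln` output on
# stdin; both put the local address:port in column 4.

nntp_exposed_listeners() {
    port="${1:-119}"
    awk -v port="$port" '
        {
            # Split on the last colon so 0.0.0.0:119, [::]:119 and :::119 all parse.
            pos = match($4, /:[0-9]+$/)
            if (pos == 0) next                 # header or unrelated line
            host = substr($4, 1, pos - 1)
            if (substr($4, pos + 1) != port) next
            # Loopback binds are what the hidden service needs; skip them.
            if (host ~ /^127\./ || host == "[::1]" || host == "::1") next
            print host
        }'
}

# Constructed sample: INN bound with "bindaddress: 0.0.0.0", Tor SOCKS on loopback.
sample_listeners() {
    cat <<'EOF'
LISTEN 0 128  0.0.0.0:119    0.0.0.0:*
LISTEN 0 4096 127.0.0.1:9050 0.0.0.0:*
LISTEN 0 128  [::]:22        [::]:*
EOF
}

exposed=$(sample_listeners | nntp_exposed_listeners 119)
if [ -n "$exposed" ]; then
    echo "port 119 is bound on non-loopback address(es): $exposed"
    echo "clearnet reachability now depends entirely on the firewall rule"
fi
```

On a live server, feed it real data with: sudo ss -Hltn | nntp_exposed_listeners 119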

Rate Limiting for Hidden Service

Prevent abuse via Tor:

sudo nano /etc/tor/torrc

# Add rate limiting
HiddenServiceMaxStreams 50
HiddenServiceMaxStreamsCloseCircuit 1

# Connection throttling
HiddenServiceNumIntroductionPoints 3

Monitoring Hidden Service

Check Tor Circuit Status

# View Tor status
sudo systemctl status tor

# Monitor Tor logs
sudo journalctl -u tor -f

# Check hidden service hostname and key files
sudo cat /var/lib/tor/inn_hidden_service/hostname
sudo ls -la /var/lib/tor/inn_hidden_service/

Monitor INN Connections

# View active NNTP connections
sudo netstat -an | grep :119

# Check INN logs for localhost connections
sudo tail -f /var/log/news/news.notice | grep 127.0.0.1

Multi-Layer Anonymity Architecture

Layer 1: Tor User → Tor Entry Guard
Layer 2: Entry Guard → Middle Relay
Layer 3: Middle Relay → Exit/RP (Rendezvous Point)
Layer 4: RP → Hidden Service (Your Server)
Layer 5: Tor Daemon → INN2 (localhost)

Architecture Benefits

Performance Optimization

Increase Tor Circuit Capacity

sudo nano /etc/tor/torrc

# Performance tuning
NumEntryGuards 8
NumCPUs 4
MaxMemInQueues 8192 MB
CircuitBuildTimeout 60

# Hidden service optimization
HiddenServiceNumIntroductionPoints 5

INN Optimization for Tor

sudo nano /etc/news/inn.conf

# Increase connection timeout for Tor latency
peertimeout: 1800
readtimeout: 600

# Optimize for slower Tor connections
maxconnections: 100

Backup and Recovery

Backup Hidden Service Keys

# Backup hidden service directory (CRITICAL)
sudo tar -czf inn_hs_backup_$(date +%Y%m%d).tar.gz -C /var/lib/tor inn_hidden_service/

# Store backup securely (encrypted)
gpg -c inn_hs_backup_*.tar.gz

Important: Losing the hidden service keys means permanently losing the .onion address. Always back up /var/lib/tor/inn_hidden_service/.

Restore Hidden Service

# Stop Tor
sudo systemctl stop tor

# Restore backup
sudo tar -xzf inn_hs_backup_*.tar.gz -C /var/lib/tor/

# Fix permissions
sudo chown -R debian-tor:debian-tor /var/lib/tor/inn_hidden_service/
sudo chmod 700 /var/lib/tor/inn_hidden_service/

# Restart Tor
sudo systemctl start tor
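
Added example (not part of the original guide): a check to run after the restore steps above, before relying on the service. The function names and the sample directory are constructed for illustration; the key file names are the ones Tor uses for v3 onion services, and GNU stat is assumed.

```sh
#!/bin/sh
# Added example (not from the original guide): sanity-check a v3 onion service
# directory after a restore. Assumes GNU stat. Prints one line per problem and
# returns non-zero if any were found.

check_hs_dir() {
    dir="${1%/}"
    status=0
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }

    mode=$(stat -c '%a' "$dir")
    [ "$mode" = "700" ] || { echo "directory mode is $mode, expected 700"; status=1; }

    # Files Tor keeps for a v3 service; losing the secret key loses the address.
    for f in hostname hs_ed25519_public_key hs_ed25519_secret_key; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $f"; status=1; }
    done

    if [ -f "$dir/hs_ed25519_secret_key" ]; then
        kmode=$(stat -c '%a' "$dir/hs_ed25519_secret_key")
        case "$kmode" in
            600|400) ;;
            *) echo "secret key mode is $kmode, expected 600"; status=1 ;;
        esac
    fi

    # A v3 address is 56 base32 characters followed by .onion.
    if [ -s "$dir/hostname" ] && ! grep -Eq '^[a-z2-7]{56}\.onion$' "$dir/hostname"; then
        echo "hostname is not a v3 onion address"; status=1
    fi
    return "$status"
}

# Constructed stand-in for a restored directory (placeholder contents, not real keys).
make_sample_hs_dir() {
    d=$(mktemp -d) && chmod 700 "$d"
    echo "abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion" > "$d/hostname"
    echo "placeholder" > "$d/hs_ed25519_public_key"
    echo "placeholder" > "$d/hs_ed25519_secret_key"
    chmod 600 "$d/hs_ed25519_secret_key"
    echo "$d"
}

sample=$(make_sample_hs_dir)
check_hs_dir "$sample" && echo "ok: $sample"
rm -rf "$sample"
```

On the server, run it as root against the real path: check_hs_dir /var/lib/tor/inn_hidden_service/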

Client Configuration Guide

Using torsocks with telnet

torsocks telnet YOUR_ONION.onion 119

Using Newsreader (tin example)

torsocks tin -r -g YOUR_ONION.onion

Using slrn with Tor

# Add to ~/.slrnrc
server YOUR_ONION.onion
port 119

# Use torsocks
torsocks slrn

Security Best Practices

Advanced: Multiple Hidden Services

Run multiple hidden services on the same server:

sudo nano /etc/tor/torrc

# INN Hidden Service
HiddenServiceDir /var/lib/tor/inn_hidden_service/
HiddenServicePort 119 127.0.0.1:119

# Web Interface Hidden Service
HiddenServiceDir /var/lib/tor/web_hidden_service/
HiddenServicePort 80 127.0.0.1:80
HiddenServicePort 443 127.0.0.1:443
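
Added example (not part of the original guide): Tor attaches every HiddenServicePort and other per-service HiddenService* line to the nearest HiddenServiceDir above it, so ordering matters once a torrc holds several services. This audit lists each mapping and flags misplaced options and backends that are not on loopback; the function names and the sample torrc are constructed.

```sh
#!/bin/sh
# Added example (not from the original guide): audit the onion service
# sections of a torrc read from stdin. Prints one finding per line.

audit_torrc() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
        { key = tolower($1) }                        # option names are case-insensitive
        key == "hiddenservicedir" { dir = $2; next }
        key ~ /^hiddenservice/ && dir == "" {
            # Per-service options bind to the HiddenServiceDir above them.
            print "ORPHAN line " NR ": " $1 " has no preceding HiddenServiceDir"
            next
        }
        key == "hiddenserviceport" {
            # With no target, Tor forwards to the same port on 127.0.0.1.
            target = (NF >= 3) ? $3 : "127.0.0.1:" $2
            is_local = (target ~ /^127\./ || target ~ /^\[::1\]/ ||
                        target ~ /^localhost:/ || target ~ /^unix:/ ||
                        target ~ /^[0-9]+$/)
            if (is_local)
                print "OK " dir " port " $2 " -> " target
            else
                print "REMOTE line " NR ": " dir " port " $2 " -> " target
        }'
}

# Constructed torrc: one misplaced option, one backend that is not on loopback.
sample_torrc() {
    cat <<'EOF'
HiddenServiceMaxStreams 100
HiddenServiceDir /var/lib/tor/inn_hidden_service/
HiddenServicePort 119 127.0.0.1:119
HiddenServiceDir /var/lib/tor/web_hidden_service/
HiddenServicePort 80 192.0.2.10:80
EOF
}

sample_torrc | audit_torrc
```

Run it against the live file with audit_torrc < /etc/tor/torrc; tor --verify-config remains the authoritative syntax check.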

Next Steps