Whenever possible, I typically send much of my traffic through the Tor network, including traffic to some services which I operate for myself, such as a secure shell server. When I am traveling or otherwise not on my home network, I use one of Tor’s more fun features: Onion Services (formerly known as Hidden Services). Onion Services can be identified by the *.onion top-level domain and allow the server’s location to be anonymous/concealed just like the client.

SSHing into an Onion Service is easily accomplished by adding the following line to ~/.ssh/config.

Host *.onion
    ProxyCommand /bin/nc -X 5 -T lowdelay -x %h %p

Assuming the machine is running a Tor client, configured to run its local SOCKS5 proxy on port 9050, this ProxyCommand runs SSH through nc (netcat) without the user even needing to think about any additional Tor-specific configuration.

Some applications such as Git save a hostname in their own configuration files for SSH-based connections. With my usage, saving hostnames presents a problem since I do not always want to run my traffic over Tor, especially when I’m on the local network with a gigabit of throughput between my laptop and the target machine.

To solve this, I’ve written the following tiny script which bounces traffic through Tor, or just routes it over the local network using netcat.

Since I’m using NetworkManager on Linux, the script relies on finding an active connection which appears to be on my local network. While not fool-proof, since other networks might share the same address space, it’s good enough for now:

# Positional parameters are:
#  * hostname
#  * port
#  * hidden service name if we must fall back to tor

CONNECTED_DEVICES=$(nmcli --fields=device --terse connection show --active)

for device in ${CONNECTED_DEVICES}; do
    ip addr show dev ${device} | grep "inet 192.168.42." 2>&1 > /dev/null
    if [ $? -eq 0 ]; then
        echo ">> Using the local network.."
        exec /bin/nc $1 $2

echo ">> Using Tor"
set -xe

exec /bin/nc -X 5 -T lowdelay -x ${3} ${2}

With this script, my ~/.ssh/config is slightly modified to define the local hostname and also pass the Onion Service name through to the ProxyCommand:

Host myserver
    ProxyCommand $HOME/bin/local-or-tor %h %p 0xdeadbeef.onion

With this change, all the Git remotes which reference myserver will work mostly the same regardless of whether I am on the local network, or off floating around the internet via Tor.