20240831 - A Gemini Tor Hidden Service (GTHS) Experiment...

Home

Sw4mp_Sl0th's Random Thoughts

Why?

For family, for friends, for freedom, for fun, for grins and giggles or just because. Whatever the reason, you just want to own and operate a Gemini server, but after reading the beautiful Project Gemini FAQ page(s) and diving into the various capsules, which are chock full of information, you discover that you will have to spend money (argent, деньги, dinero, Geld, penger, rahaa, soldi, ... you get the point). You are on a super tight budget and are barely able to afford your home's internet connection (maybe you're a student in middle school, high school or college), so paying for a domain name's registration fee is out of the question (for some people it's not much, but for a poor college student that registration fee can buy a few boxes of fake Pop-Tarts). "Sl0th, is there any hope?" Perhaps there is. You and those who will use your server will have to break with tradition, walk on the wild side and endure a bit of "hackyness" though.

Note: I did a quick search and could not find information about hosting a Gemini capsule from an Onion hidden service, so I figured what the hey, let's give it a go. If this has already been done, then I apologize for the redundancy. In my mind I'm thinking this is like finding a wormhole that traverses Onion space and drops you into a newly discovered pocket/sector of Gemini space. 😁

Get to the point Sl0th!

Two words, you exuberantly motivated capsuleer... onion address. Yes, I am talking about acquiring a free .onion domain for your Gemini capsule. That ancient laptop that has been sitting under your bed for the last decade will serve you well (after some IT "necromancing" of course... 'Arise! Arise from the beyond ye old laptop'). Just install a lightweight GNU/Linux server on it (search "normal space," there are loads of tutorials out there on how to do it). Then install a Gemini server and set up a Tor Onion Service (hidden service). Those who wish to access your Gemini capsule will have to install the Tor service (not the Tor Browser) and then route the Gemini client through the Tor service.

Note: I have only tested client connection under GNU/Linux and Android, but it could also work under Windows by using Proxychains or Resistal along with Tor Expert Bundle. Also, this worked with Orbot and the deedum client on Android (by far the easiest way to connect to your .onion Gemini capsule).

My GTHS Experiment Setup (not a detailed guide)

For the server hardware I used an old Z83-F mini computer and for the OS I installed Ubuntu Server 22.04.4 LTS. The Gemini server is Agate version 3.3.8 (Hoek has a nice guide that can help you install Agate [link below]) and the Tor version is 0.4.8.12 (available on the Ubuntu repository at the time of the experiment).

For the clients I used the Lagrange-1.17.6-x86_64.AppImage and the Kristall-nightly-linux-x86_64.AppImage running on a Linux Mint 22 virtual machine (VirtualBox) with Tor version 0.4.8.10 and Torsocks 2.3.0 (Tor and Torsocks were available on the Mint 22 repository). I also used Orbot 17.2.1-RC-1-tor-0.4.8.7 and deedum 2022.0406.0502 client on Android 8.1.0.

"Hoek's Agate Tutorial" (link below) helps you set up a Gemini server for your capsule using a registered domain (we substitute this with the .onion domain), while the "Set up Your Onion Service" guide (link below), written by the lovely people at the Tor Project, helps you set up a "normal space" (HTTP[S]) web server (we replace this with Agate) as a hidden Tor service. I took both Hoek's guide and the Onion Service guide and mashed them together (hence the "hackyness").

First, I started on the Ubuntu server with Hoek's guide and followed it until I reached the "Certificate" section, where I stopped. I then switched to the Onion Service guide and followed Step 0, skipped Step 1 and continued with Step 2 (use port 1965 instead of 80 for HiddenServicePort and your public/LAN IP instead of localhost), Steps 3 and 4 (don't do the testing yet in 4). Now that I had my ".onion" address (from Step 4) I went back to Hoek's guide and continued with the "Certificate" section (use the .onion address instead of "capsule.example.com"), skipped the "Nginx configuration" section and followed the "Firewall" section (don't forget about the firewall on your router) and the "Service" section (use the .onion address here as well). I went back to Step 4 of the Onion guide and instead of using the Tor Browser I used the Lagrange client with torsocks to perform the test by typing in "torsocks ./Lagrange-1.17.6-x86_64.AppImage" in the Linux Mint 22 terminal and using the .onion address (you can use Kristall AppImage instead if you prefer). After a few seconds (the Tor network can be very slow at times)... voila! There was my Gemini capsule index page, being hosted by my humble mini computer (using my home internet connection), with the address "gemini://goszj4uq73inr7wopq6zgcjgmjcudakmq3ac24yyfv25tqcqkkhextad.onion/" being displayed by the Lagrange client.

Home IP obfuscation could be another possible benefit

When using the Tor service, not only do you get a free .onion address, but you also get to obfuscate/hide your home server's IP address, as well as the IP address of the clients connecting to it. Granted, I am not a penetration testing expert, so I am not entirely sure if this experimental setup is leaking like an old faucet or not. At least the Agate logs show the server's IP when a client makes a connection and not the client's IP (like it does when not using the Tor service). Maybe a pen-testing enthusiast can take a closer look and determine if this experimental method can truly add "anonymity" to Gemini servers.
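The two pieces the mash-up above hinges on are the HiddenServicePort line in torrc and the Agate command line that serves the capsule under the .onion name, and the leak question in this section comes down to where that HiddenServicePort forwards to. The helpers below are an added example, not code from this post, Hoek's guide or the Tor Project; they assume Agate 3.x flags (--content, --addr, --hostname, --lang) and a constructed torrc fragment that forwards to loopback instead of the LAN IP the post used, so that the only way to reach the capsule is through Tor.

```shell
#!/bin/sh
# Constructed torrc fragment (example only). The post forwarded the virtual
# port to the server's LAN IP; here the target is loopback so Agate is not
# directly reachable from the LAN and every visitor arrives via Tor.
TORRC_EXAMPLE='HiddenServiceDir /var/lib/tor/gemini_capsule/
HiddenServiceVersion 3
HiddenServicePort 1965 127.0.0.1:1965'

# Print the local target (host:port or unix:/path) that Tor forwards the
# given virtual port to, reading a torrc from stdin. Empty if not configured.
hs_target() {  # $1 = virtual port, e.g. 1965
    awk -v vport="$1" '$1 == "HiddenServicePort" && $2 == vport { print $3; exit }'
}

# Classify the forward target. Loopback or a unix socket means the Gemini
# listener is reachable only through Tor; anything else means the server is
# also reachable directly, so the .onion name hides nothing from that side.
target_exposure() {  # $1 = target as printed by hs_target
    case "$1" in
        unix:*|127.*|localhost:*|"[::1]:"*) echo "tor-only" ;;
        *) echo "direct-reachable" ;;
    esac
}

# A v3 onion address is 56 base32 characters followed by .onion; Agate's
# --hostname must get exactly this string, otherwise the TLS cert it
# generates will not match what the client typed in.
is_v3_onion() {  # $1 = hostname
    printf '%s\n' "$1" | grep -Eq '^[a-z2-7]{56}\.onion$'
}

# Assemble the Agate invocation: bind to loopback (matching the torrc target)
# and advertise the .onion name. Assumed flags are Agate 3.x's.
agate_cmd() {  # $1 = onion hostname, $2 = content directory
    is_v3_onion "$1" || { echo "not a v3 onion address: $1" >&2; return 1; }
    printf 'agate --content %s --addr 127.0.0.1:1965 --hostname %s --lang en-US\n' "$2" "$1"
}

# Demonstration run with the constructed fragment and the address from the post.
ONION=goszj4uq73inr7wopq6zgcjgmjcudakmq3ac24yyfv25tqcqkkhextad.onion
TARGET=$(printf '%s\n' "$TORRC_EXAMPLE" | hs_target 1965)
echo "Tor forwards port 1965 to: $TARGET ($(target_exposure "$TARGET"))"
agate_cmd "$ONION" /srv/gemini/content
```

Because Tor hands the connection to Agate from the local machine, Agate's log will show the loopback address rather than the visitor's IP, which is the behaviour noted above.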

You need a girlfriend Sl0th

I tried that and discovered I was NOT very good at it, so no thanks. I'd rather keep what's left of my sanity. 😅

More importantly, you now (hopefully) have a less expensive way to host your very own Gemini capsule from your very own hardware using your home's internet connection, while maybe (great emphasis on maybe) keeping your home IP address hidden from potential bad actors roaming Gemini space.

Hoek's Agate Tutorial

Agate server for the Gemini network protocol

Set up Your Onion Service

Lagrange Client (browser)

Creator's (xq) Kristall GUI Client/Browser Website

deedum Client/Browser for Smartphones

Orbot - Tor for Smartphones

Tor Expert Bundle

Discussion about using unix sockets instead of localhost for Tor Hidden Services

How does Tor resolve .onion domains?

Question re: tor/torify/torsocks and Windows OS

Proxychains is a proxifier for Windows

Resistal allows Windows to connect to Tor's Socks5 proxy