Forwarding ports with a private IP using Tor / onion
My ISP CGNATed me
My ISP is called Bredband2. I didn't pick it, my homeowner association did. Recently they decided to migrate all their customers to private IPs using CGNAT (i.e. putting us behind the carrier's NAT, so the public address is shared with other customers). That explains why I've suddenly been getting warnings about suspicious traffic from my IP when I hadn't seen anything like it since I first began using Bredband2. The major issue is that I VPN to my home connection on the regular to get sensitive files, code and in general manage things. That suddenly became impossible since I can no longer forward ports of any kind due to my router's public IP now being a private one. Well, at least not in the usual way.
Tor / onion network
The Tor / onion network operates on a different layer than regular internet traffic and fundamentally reverses the logic. Instead of having your server simply open a port and wait for connections, your Tor daemon actively opens outbound connections to the Tor network through relays that are already online, and connections to your hidden service arrive back over those outbound circuits. Thus you do not need to forward a port to accept incoming connections: you simply run the Tor router, it connects to the Tor network and boom, you're online with the ability to open ports despite no ports being open on your physical router.
Setup
In my case I don't actually need a VPN, I only used it so I could easily access the SSH service. So what we're going to do is open a so-called hidden service on the Tor network that points to the SSH service on the same computer running the Tor router.

First install the Tor router, be that through "zypper install tor", "apt-get install tor" or whichever is appropriate for your distribution. Then edit /etc/tor/torrc. Specifically you want the following two lines:

HiddenServiceDir /var/lib/tor/hiddenservice/
HiddenServicePort 22 127.0.0.1:22

The first line is where tor keeps the service's key material and hostname; the second maps port 22 on the onion address to the SSH daemon listening on the loopback interface, so nothing needs to listen on an interface reachable from outside the box. Then:

chown tor:tor /var/lib/tor/hiddenservice/
chmod 700 /var/lib/tor/hiddenservice/
systemctl restart tor

(On Debian-based distributions the tor user is called debian-tor rather than tor.) This will generate the key material and the hostname / onion address for your hidden service in the specified directory:

cat /var/lib/tor/hiddenservice/hostname
jdfikdfkmdjfk3k34mfdknjmdkmffdm.onion (not an actual address)

systemctl enable tor (to have the tor router start at boot)

Believe it or not, that's it. Your service is now accessible to everyone on the Tor network despite not a single port being forwarded from your router. You can of course change this to open a port for a WireGuard VPN, HTTP server or whatever you require by simply changing the port number above.
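As an added example (not from the original post), the following script does the two checks I'd want after the setup above and prints the matching client-side command: it verifies the torrc has both directives and that every HiddenServicePort target is on loopback (a target such as 0.0.0.0:22 would additionally expose the service to the LAN), checks that the generated hostname looks like a current v3 onion address (56 base32 characters), and builds the ssh invocation that reaches it through tor. It assumes tor's SOCKS listener is on its default 127.0.0.1:9050 and that the client has OpenBSD netcat, whose -x option speaks SOCKS to that port; the file paths are the ones from the setup above.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes tor's SOCKS port is
# 127.0.0.1:9050 (tor's default) and that "nc -x" (OpenBSD netcat) is available
# on the client. Paths are the ones used in the setup above.

# A v3 onion address is 56 base32 characters (a-z, 2-7) followed by ".onion".
is_v3_onion() {
    printf '%s\n' "$1" | grep -Eq '^[a-z2-7]{56}\.onion$'
}

# Given one "HiddenServicePort <virtport> [<target>]" line, succeed only if the
# target host is loopback. Tor defaults the host to 127.0.0.1 when the target
# is omitted or is a bare port, so those forms count as loopback too.
hs_target_is_loopback() {
    target=$(printf '%s\n' "$1" | awk '$1 == "HiddenServicePort" { print $3 }')
    case "$target" in
        *:*) host=${target%:*} ;;
        *)   host=127.0.0.1 ;;
    esac
    case "$host" in
        127.0.0.1|localhost|\[::1\]) return 0 ;;
        *) return 1 ;;
    esac
}

# Check a torrc: both directives present, every HiddenServicePort on loopback.
check_torrc() {
    file=$1
    grep -Eq '^[[:space:]]*HiddenServiceDir[[:space:]]' "$file" || return 1
    grep -Eq '^[[:space:]]*HiddenServicePort[[:space:]]' "$file" || return 1
    # The while loop runs in a subshell; "exit 1" there becomes the
    # pipeline's (and thus this function's) return status.
    grep -E '^[[:space:]]*HiddenServicePort[[:space:]]' "$file" | while IFS= read -r line; do
        hs_target_is_loopback "$line" || exit 1
    done
}

# The ssh command a client runs: ssh hands the connection to nc, which talks
# SOCKS to the local tor daemon, which resolves the .onion name inside tor.
ssh_via_tor_cmd() {
    addr=$1
    user=$2
    printf "ssh -o ProxyCommand='nc -x 127.0.0.1:9050 %%h %%p' %s@%s\n" "$user" "$addr"
}

# Usage (as root, since the hidden service directory is mode 700):
#   sh hs-check.sh check
if [ "${1:-}" = "check" ]; then
    check_torrc /etc/tor/torrc || { echo "torrc: missing directive or non-loopback target" >&2; exit 1; }
    addr=$(cat /var/lib/tor/hiddenservice/hostname)
    is_v3_onion "$addr" || { echo "unexpected hostname: $addr" >&2; exit 1; }
    ssh_via_tor_cmd "$addr" "${SUDO_USER:-$USER}"
fi
```

If torsocks is installed on the client, `torsocks ssh user@address.onion` does the same job as the ProxyCommand form. The loopback check is the one that matters most: the hidden service only needs the SSH daemon reachable from the tor process on the same machine, so there is no reason for the target to be anything other than 127.0.0.1.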
Android
Connecting with an Android client is completely seamless. Install the application "Orbot". It can either function as a generic VPN client on Android, shuttling all your traffic through the Tor network, or you can use split tunneling. In my case I'm only using Tor for connecting to my SSH server, so I click "more" -> "choose apps" and select the excellent ConnectBot SSH client. Then whenever I connect with Orbot only that application's traffic is routed through Tor. In ConnectBot I only change the address of my SSH server to my newly generated 3kl34kl3kl34kl3lk34.onion address. Orbot will handle the rest.
Benefits
There are several benefits that ought to be mentioned. You know all those port scans hitting you from American, Russian and Chinese IPs? Yeah, those will stop immediately. There's no sequential address scanning on Tor since every onion address is derived from the service's own key and so is wildly different from the rest. If you ever do get a random connection, or post your address somewhere by accident, simply delete the hiddenservice directory and restart tor to generate a new one (and update the address on your clients). Boom, you're gone. Your connections are now under an additional layer of encryption, making eavesdropping even less feasible. Whoever is routing your packets will have no idea what server, port or service you're actually connecting to. Besides the minimal amount of additional latency that is added, there's really no drawback to using the Tor network. The only reason I haven't is that I've been darn lazy, I mean, if I could just forward a port on my router.. why wouldn't I? Lazy lazy.