This creates a tailscale-tor-proxy through which you can access the tor network.
cp .env.example .env
nano .env # add an auth-key from tailscale
docker compose up -dAfter the first start you will see your tor-proxy in tailnet under https://login.tailscale.com/admin/machines.
Copy the tailscale-internal-IP of your tor-proxy and add it as TAILSCALE_IP to the .env file and do a docker compose up -d again so the dns service will resolve domains to the new IP.
nano .env # add the tailscale ip of your new tor-proxy
docker compose up -dOverride your DNS server in tailscale to use your newly created node as a dns server for the carrot-domain https://tailscale.com/kb/1054/dns#override-dns-servers.
https://login.tailscale.com/admin/dns
Now you can use your new tor-proxy!
Browser actively block you from accessing .onion sites, to get around this we use .carrot. This should be totally transparent to the .onion site.
You can test it by accessing my blog http://simonja4fdp3lxdjeis5qjuugqe3wtbstlr2w7gmzsrnhhkpctmbgead.carrot/blog
Your browser might warn you that the connection is insecure because it is using http but do not worry, tor does not use https but everything is still encrypted and secure https://en.wikipedia.org/wiki/Onion_routing!
There are 4 services:
- tor - provides the access to the tor network
- tailscale - provides the access to your tailnet
- dns - resolves all .carrot domains to the IP of your tailscale tor-proxy node hosting a nginx reverse proxy
- nginx - the reverse proxy that replaces .carrot with .onion in the header and sends the request to tor, in the response from tor occurrences of .onion get replaced with .carrot
Some hidden service do use https, like
- internet archive https://archivep75mbjunhxc6x4j5mwjmomyxb573v42baldlqu56ruil2oiad.onion/
- reddit https://www.reddittorjg6rue252oqsxryoxengawnmo46qy4kyii5wtqnwfj4ooad.onion/
For this nginx also listens to port 443 with a self signed wildcard certificate for *.carrot.
TODO does not work yet, HTTP 307 Temporary Redirect loop
openssl req -x509 -nodes -days 365 \
-newkey rsa:2048 \
-keyout carrot.key \
-out carrot.crt \
-config carrot.cnf \
-extensions extcredits to https://www.reddit.com/user/StatisticianMinute18/ for posting https://www.reddit.com/r/Tailscale/comments/1mm2mwd/access_to_tor_via_tailscale_exit_node_working_100/