Nextcloud client app on Windows doesn't work with Start9 .onion addresses

My Nextcloud server on StartOS appears to be working fine locally. I can access files and do the normal things either through a Tor/onion browser window or through the Windows Nextcloud client with the Windows File Manager. I created an account for a friend and asked him to try things out on his end.

He can upload files to the server over Tor/.onion with the server address that I gave him. But he cannot use the Nextcloud Windows client app because it does not want to accept the .onion address of my server.

Does that all make sense to you? I recall someone saying that StartOS only works with onion addresses at the moment and will work with clearnet URLs sometime next year. Will my friend be able to use the NC Windows client and the Windows file manager to access my NC server next year? Thank you.

Were you following the guide (under the Tor section) for the Windows setup? The client needs to use the Windows Tor daemon as a proxy (which must be set up as well).

Keep in mind that you probably want to set your friend up with a separate user, rather than giving him your login credentials. You can then share directories, files, etc. amongst each other on the server.

Hi Dave, you are correct. I apologize. I did not read that far down the page (I was using the .local address), and I did not tell my friend how to set up the Tor daemon on his Windows machine. That might be what he needs. I will start that process and report back here.

And yes, I did create a separate account for him on the server. I only shared the onion address of the server with him and would never share my login credentials. For example, I just spent two months (sigh) hardening up my hundreds of passwords, adding 2FA everywhere I could, and setting up YubiKeys. And sharing my credentials with an offsite friend would not be much of a test of the utility of a StartOS server. I’m feeling these days that I have a much better understanding of the current limitations of a sovereign server that runs over Tor vs the normal clear net. Thank you for replying to my posts.

PS. As I was thinking last night, I realized that I could try using the server onion address on my own Nextcloud client. I was using Bonjour and a .local address per the documentation, but I never thought of trying a Tor server and an onion address on my local net. I will look into that to see what happens. If I can get it to work, then my friend should be able to do the same thing.

I also realized that I should be able to set up a clear net Nextcloud instance that my friend could test out. And maybe we could test out DDNS at the same time, too, if we didn’t want to type in the dynamic ISP address of my public router.

Several clearnet options (and other arbitrary networking types) will be available with StartOS v040 (no ETA at this time). You can check out / post in the DIY/Hacking section here in regard to using DDNS, but be aware that we do not officially support this, and you are likely to need to do serious surgery to accomplish what you want. Let me know how your testing goes.

I did more research on Nextcloud and am posting here in case other newbies can use the info. Hopefully, I will get the technicals correct.

Nextcloud servers do not run on Windows, so forget that idea. Nextcloud can run on StartOS because StartOS is Linux under the hood. The Nextcloud client can run on Windows. Its job is to act as a middleman between Windows and the NC server on Linux. The NC client associates a folder on the server with a local folder visible in the Windows file manager. The folder is typically called “Nextcloud” like OneDrive or Dropbox.

The NC client requires a normal (non-onion, non-Tor) https://NC-server address to connect to the server. Here is where things diverge into different scenarios because StartOS is Linux and runs on Tor using onion addresses.

StartOS on the Local Network

If your StartOS box is on your local network (mine is), then you can give the NC client a .local Tor address like “https://gibberish.local.” But that works ONLY if you have installed on your Windows machine the ancient Bonjour printer address software from Apple. The NC client passes the .local address to the system, the system calls the Bonjour server to resolve the gibberish.local address into an IP address on the local net, and the system hands the local IP address (like 192.168.1.25) back to the NC client. The NC client then contacts the StartOS NC server and starts synchronizing files.

StartOS on a Remote Network (with my friend’s Windows machine and NC client calling)

When my non-local friend tries to contact the NC server on my StartOS box, he configures his web browser to use Tor onion addresses. Then the browser runs over Tor, contacts my NC server, and logs in. No problem. He is using Tor, and my StartOS box is using Tor. But my friend must use the web interface to NC, which is clunky.

If my friend tries to use the NC client on his Windows machine, what address can he give to the client for the http address of the server? If he gives the client “https://gibberish.onion,” the NC client hands .onion to his Windows OS, and Windows cannot resolve the onion address. Failure. If he gives “https://gibberish.local” to the client, that fails too. My friend does not have Bonjour installed on his machine and does not have my NC server on his local network. So, there would be no point in having Bonjour installed on his machine unless he had his own NC server running on a StartOS box on his home network.

If the Nextcloud Client was smart about Tor

The NC client on my friend’s machine needs some way to convert my server’s onion address into an IP address that resolves to the NC server on my StartOS box. The nearest thing (which does not work) would be if the NC client allowed a software proxy to be used in its network settings. Then perhaps the NC client could use a Tor proxy Windows service (available in the expert package from TorProject.org) to connect to my onion StartOS box.

The Tor service is an application-level proxy for socket connections, and socket proxies are used by specific applications. They are not systems-level interfaces used for all socket communications from the computer. That is why you can (must) set up each one of your individual browsers to use Tor proxies instead of setting up your whole computer to use only Tor connections (which would be a bad thing, obviously - you want the flexibility at the application level to use Tor or not).

In the case of the Nextcloud client, it is not yet smart enough to offer configuration options to use Tor for some folder-server associations. It might never be that smart.

The bottom line is that non-local Windows users will probably never be able to use a Nextcloud client to integrate with the Windows file manager. They will always be forced to use the web interface to reach a Nextcloud server running on a Tor-only StartOS machine until StartOS offers clearnet (non-Tor) support (maybe sometime next year).

I do not know enough to opine on whether it would be possible to run some software servers on StartOS over Tor (onion addresses) while running other services using normal .com URLs. Maybe the whole StartOS machine must run Tor or clearnet addresses. Maybe someone else can comment on this issue.

I think I got the technicals correct here, but if I did not, I can fix the errors if someone points them out.

Your Windows friend will need to both trust your root CA, which you’ll need to provide him, AND be running the tor daemon. Then they must proxy the NC client via the tor daemon as shown in the guide.

Onion addresses are not converted to IPs, they are public keys that are only accessible via tor. You absolutely DO want to set up the system-level tor daemon, which then routes ONLY onion traffic that is proxied through it. Yes, the NC client DOES allow socks proxy config, as described in our guide. These guides are heavily tested and absolutely do work.

It sounds like you are way overthinking this. StartOS is designed to be generally point and click, or follow these “x” exact directions. If following the guide did not work for the Windows setup, then either a step was missed/done incorrectly, or we have an error in the guide. Either way, the troubleshooting needs to begin with slowly following the guide to the letter, and then reporting on exactly what step a problem occurs, in order for me to help diagnose.
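Added example, not part of the original posts or the Start9 guide: a sketch of why no DNS or IP lookup is involved when a client is proxied through the Tor daemon. It shows that a v3 onion hostname is an encoded public key with a checksum, and that a SOCKS5 CONNECT request carries that hostname as text (address type 0x03) for the proxy to handle. The function names, the sample key and port 443 are assumptions made for illustration.

```python
import base64
import hashlib
import struct

ONION_SUFFIX = ".onion"

def _checksum(pubkey: bytes, version: bytes) -> bytes:
    # v3 onion checksum: first 2 bytes of SHA3-256(".onion checksum" | key | version)
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]

def onion_from_pubkey(pubkey: bytes) -> str:
    """Encode a 32-byte ed25519 public key as a v3 onion hostname."""
    version = b"\x03"
    raw = pubkey + _checksum(pubkey, version) + version
    return base64.b32encode(raw).decode("ascii").lower() + ONION_SUFFIX

def pubkey_from_onion(host: str) -> bytes:
    """Recover the public key from a v3 onion hostname, verifying its checksum."""
    if not host.endswith(ONION_SUFFIX):
        raise ValueError("not an onion hostname")
    raw = base64.b32decode(host[: -len(ONION_SUFFIX)].upper())
    if len(raw) != 35 or raw[34:] != b"\x03":
        raise ValueError("not a v3 onion address")
    pubkey, checksum = raw[:32], raw[32:34]
    if checksum != _checksum(pubkey, raw[34:]):
        raise ValueError("checksum mismatch")
    return pubkey

def socks5_connect_request(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT (RFC 1928) with ATYP=0x03: the hostname travels as text."""
    name = host.encode("ascii")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack(">H", port)

def parse_socks5_connect(req: bytes):
    """What the proxy side reads back: (address type, hostname, port)."""
    atyp, n = req[3], req[4]
    return atyp, req[5 : 5 + n].decode("ascii"), struct.unpack(">H", req[5 + n :])[0]

if __name__ == "__main__":
    key = bytes(range(32))  # constructed sample key, not a real service
    host = onion_from_pubkey(key)
    print(host, parse_socks5_connect(socks5_connect_request(host, 443)))
```
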

Hi Dave, thank you for the clarity provided in your last couple of posts. I had no idea that my friend should trust my root cert. When I read the doc, I thought it was only required if I wanted to encrypt traffic between my local hosts and the server over the LAN.

I will go back to the doc to find out how to proxy the NC client. My comments were based on installing the NC client on a fresh machine and looking for a place to define a proxy connection to a server. On the first startup of the client, there was nothing obvious on the login dialog where it asked for the server address.

I apologize if you are thinking I should RTFM. I did, but obviously not enough times. I want to believe that at some point I can transition away from reading the doc and see configuration options in the software UI. But I guess not in this case. It is definitely possible that I am overthinking things.

No worries, Kevin. Our docs are living documents, and if they are not as clear as they can be, we would sincerely appreciate any suggestions. The best place to do this is on the documentation git repository. That said, if you don’t want to make a GitHub account, feel free to post the portion of the guide that may need improving and we can take a look at it.