From e46e443adc7ca7681639406a5fcb5815caad2e11 Mon Sep 17 00:00:00 2001 From: MDLeom <2809763-curben@users.noreply.gitlab.com> Date: Mon, 16 Mar 2020 07:41:38 +0000 Subject: [PATCH] post(tor-nixos): mention nat traversal --- source/_posts/tor-hidden-onion-nixos.md | 1 + 1 file changed, 1 insertion(+) diff --git a/source/_posts/tor-hidden-onion-nixos.md b/source/_posts/tor-hidden-onion-nixos.md index fda39a6..d4775e1 100644 --- a/source/_posts/tor-hidden-onion-nixos.md +++ b/source/_posts/tor-hidden-onion-nixos.md @@ -60,6 +60,7 @@ The first step is to bring up a Tor hidden service to get an onion address. Add 3. Set the `version` to 3, which is a [more secure](https://trac.torproject.org/projects/tor/wiki/doc/NextGenOnions#Howtoconnecttothetesthubfornextgenonionservices) version. The most noticable difference is that the generated onion address will be 56-character long, which is much longer than v2's 16-character. Tor already defaults to v3 since 0.3.5, but I set it just to make sure. 4. `port` is to set the port number that the hidden service binds to. Recommend to set it to port **80**. * If you set it to "1234", visitor needs to specify the port number to browse your site, e.g. http://foobar.onion:1234 + * There is no need to grant CAP_NET_BIND_SERVICE capability nor open port 80. Tor has NAT traversal capability and can function without opening any inbound port. 5. `toHost` is location of your web server. In my case, it is the IPv6 loopback **[::1]**. If your server supports IPv4 (mine doesn't), you can set it to "127.0.0.1" or "localhost". If it's an IPv6 address, you need to wrap the address with square brackets **[]**. 6. `toPort` is the port number of your web server listens to. The [next section](#caddyTor.nix) shows how to set up the web server yet. 7. `extraConfig` is optional. The options I use here are only applicable if the server is IPv6 only.
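Review bot: the added bullet under item 4 gives "NAT traversal capability" as the reason for both claims, which is imprecise for each. The `port` value is a virtual port that Tor maps to `toHost`/`toPort`. Tor never binds a local socket on it, which is why CAP_NET_BIND_SERVICE is not needed. The daemon reaches the Tor network through outbound connections only, which is why no inbound port has to be opened. Suggest rewording along the lines of "Tor does not listen on this port locally and only makes outbound connections, so neither CAP_NET_BIND_SERVICE nor an open inbound port 80 is required". The unchanged item 4 line still says the hidden service "binds to" the port, which now contradicts the new bullet and should be adjusted in the same change. The bullet should also make clear that it covers `port` only: the web server behind `toPort` still needs the capability if it is set to listen on a port below 1024.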