This repository has been archived by the owner on Jun 24, 2021. It is now read-only.

Linking over Tor/I2P/<darknet> #266

Open
Mikaela opened this issue Oct 4, 2018 · 1 comment
Comments

@Mikaela
Contributor

Mikaela commented Oct 4, 2018

I am not sure how much sense it would make compared to something like cjdns (which is already supported), but Tor hidden/.onion services and .b32.i2p addresses would take care of verifying authenticity and end to end encryption.

I think it would require at least allowing socks proxy in connect {} and not resolving/confirming that the .onion/.i2p/similar has matching reverse DNS as the address wouldn't get resolved.

@ccxcz

ccxcz commented Oct 5, 2018

Yes, this is an issue of networks using pseudo-hostnames that don't resolve to IPs for addressing.

SOCKS is a popular interface for those because it works on non-Unix platforms too, but if that is not a constraint then there is the more flexible option of using an arbitrary command as a subprocess, the way OpenSSH does it with ProxyCommand. You will get a wider range of tools:

  • anything conforming to UCSPI
  • tools designed for OpenSSH ProxyCommand (Corkscrew, Monkeysphere, …)
  • using SSH directly instead of having to maintain a port forward
  • use a TLS client that offers some further verification options
  • and you can use e.g. socat to connect to SOCKS4a server such as the ones provided by Tor or I2P.

All the necessary checks can be done within such a command, so the server doesn't have to concern itself with reverse DNS at all.

That said, if you have a fairly static list of hosts to connect to and no untrusted users on the server that could abuse the loopback interface, then you can achieve this already by wrapping any of the above-mentioned tools with tcpserver or inetd bound to 127.0.0.1 and directing the connection there. (some alternative implementations)

edit: there was some confusion around TLS fingerprint handling, removed misleading comment
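The ProxyCommand-style wrapper described in the comment above, as an added example (not code from this issue or from the project): a small POSIX sh script that takes the destination host and port, validates the pseudo-hostname itself (a v3 .onion address is 56 base32 characters, a .b32.i2p address is 52), picks the matching local SOCKS4a endpoint and hands the connection to socat. The script name, the default proxy addresses (Tor on 127.0.0.1:9050, I2P on 127.0.0.1:4447) and the function names are assumptions for the example; because SOCKS4a lets the proxy resolve the name, nothing in the wrapper touches DNS or reverse DNS.

```shell
#!/bin/sh
# darknet-proxy.sh (hypothetical name): a ProxyCommand-style wrapper that
# hands an .onion or .b32.i2p destination to the matching local SOCKS4a
# proxy via socat, after validating the pseudo-hostname itself.
# Added example; not code from the issue or the project.
# Assumed defaults: Tor SOCKS on 127.0.0.1:9050, I2P SOCKS on 127.0.0.1:4447.
TOR_SOCKS="${TOR_SOCKS:-127.0.0.1:9050}"
I2P_SOCKS="${I2P_SOCKS:-127.0.0.1:4447}"

# darknet_kind HOST: prints "tor" or "i2p"; returns 1 for anything else,
# including malformed names that merely end in the right suffix.
darknet_kind() {
    case "$1" in
        *.onion)
            # v3 onion service address: 56 base32 chars (a-z, 2-7) + .onion
            printf '%s\n' "$1" | grep -Eq '^[a-z2-7]{56}\.onion$' || return 1
            echo tor ;;
        *.b32.i2p)
            # I2P base32 address: 52 base32 chars + .b32.i2p
            printf '%s\n' "$1" | grep -Eq '^[a-z2-7]{52}\.b32\.i2p$' || return 1
            echo i2p ;;
        *) return 1 ;;
    esac
}

# darknet_proxy_cmd HOST PORT: prints the socat invocation for the pair.
# SOCKS4a passes the hostname to the proxy unresolved, so the wrapper never
# performs a DNS lookup; the proxy side does the .onion/.i2p resolution.
darknet_proxy_cmd() {
    host=$1; port=$2
    case "$port" in
        ''|*[!0-9]*) return 1 ;;   # port must be purely numeric
    esac
    kind=$(darknet_kind "$host") || return 1
    case "$kind" in
        tor) socks=$TOR_SOCKS ;;
        i2p) socks=$I2P_SOCKS ;;
    esac
    # socat address syntax: SOCKS4A:<socks-host>:<target-host>:<target-port>
    printf 'socat STDIO SOCKS4A:%s:%s:%s,socksport=%s\n' \
        "${socks%:*}" "$host" "$port" "${socks##*:}"
}

# When invoked as a ProxyCommand ("darknet-proxy.sh %h %p"), run the
# connection; with any other argument count the script only defines the
# functions above. Anything that fails validation is refused, not forwarded.
if [ $# -eq 2 ]; then
    cmd=$(darknet_proxy_cmd "$1" "$2") || { echo "refusing $1:$2" >&2; exit 1; }
    # word splitting of $cmd is intentional: the host was validated as base32
    exec $cmd
fi
```

For the loopback variant from the same comment, the identical script can sit behind tcpserver (e.g. `tcpserver 127.0.0.1 6697 ./darknet-proxy.sh <host>.onion 6697`, an assumed invocation) so that the server simply connects to 127.0.0.1:6697; the caveat in the comment still applies, since any local user able to reach that loopback port inherits the tunnel.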
