21 Nov 2022 [CT] [guides]

CT-006: Setting up a public Onion Service

This is the 6th report in the new Cypherpunk Transmission series.

Motivation

Onion Services offer solid privacy and security benefits to Tor users: the traffic is E2E encrypted and TLS is unnecessary, IP addresses are irrelevant, open ports are not required, and impersonation is impossible.

Despite the stigma associated with their previous name, Hidden Services can indeed be used for publically offered services, which are not intended to be hidden.

This guide shows how easy it actually is to, permissionlessly, set up an Onion Service for a website.

Assumptions

you have ssh access to a secured¹ VPS (Debian/-based) from a GNU/Linux machine
basic terminal knowledge
~20 mins free time

1. Install Tor

SSH into your server and updgrade the packages first:

sudo apt update && sudo apt upgrade -y

Verify the CPU architecture with:

sudo dpkg --print-architecture

If the ouptut is amd64, arm64, or i386, proceed. Otherwise, you probably need to build Tor from source².

Install apt-transport-https:

sudo apt install apt-transport-https

Create a new file tor.list in /etc/apt/sources.list.d/ by running:

sudo nano /etc/apt/sources.list.d/tor.list

Check your OS codename:

lsb_release -c

Paste these two lines inside the new file to add the most stable packages:

deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org <DISTRIBUTION> main
deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org <DISTRIBUTION> main

Replace <DISTRIBUTION> with your OS codename (ie. bullseye).

Add the GPG key that was used to sign the packages:

wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | sudo tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null

It is time to install tor and the tor Debian keyring package:

sudo apt update && sudo apt install tor deb.torproject.org-keyring

Note: if you don’t have nano or wget, install them with sudo apt install nano wget.

Finally, make sure tor is up and running correctly:

sudo systemctl status tor

If the tor.service status is active, we are good to go.

2. Install a web server

You can choose any web server, but I will use Nginx:

sudo apt install nginx -y

Check the status with sudo systemctl status nginx and point a browser to your VPS IP address.

If the Welcome to Nginx page doesn’t load, try checking your firewall settings and allow the default 80 port (ie. sudo ufw allow 80).

By default, Nginx should serve the website from /var/www/html. Feel free to edit the index.html or index.nginx-debian.html.

You can restart the web server with:

sudo sytemctl restart nginx

3. Configure the Onion Service

Open the torrc config file:

sudo nano /etc/tor/torrc

Uncomment the following two lines under the This section is just for location-hidden services by removing the # sign:

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80

Replace hidden_service with your hidden service name (ie. my-onion-blog) and restart Tor:

sudo systemctl restart tor.service

4. Access and backup the Onion Service

Display your onion v3 service hostname with:

cat /var/lib/tor/hidden_service/hostname

You should now be able to access the .onion with the Tor browser.

Make a backup of the /var/lib/tor/hidden_service directory containing hostname and private_key. That’s all you need to move the Onion Service to a new server.

Observations

keep your private_key private and set properly restrictive user permissions for that file
keep Tor up-to-date so that critical security flaws are fixed
it is possible to create custom vanity onion addresses³ (ie. mysitenameyx4fi3l6x2gyzmtmgxjyqyorj9qsb5r543izcwymle.onion)
advertise your onion site using the Onion-Location Header⁴
for advanced threat models, look into the Vanguards Add-On⁵
to learn how the hidden service protocol works, read the Tor v3 rendezvous spec⁶

Done. You are now in full control of your own domain, which is invulnerable to malicious takeovers from any authority.

Feedback

Let me know if you find this helpful and, depending on interest, I will do my best to post a new Cypherpunk Transmission report every (other?) Monday.

Questions, edits and suggestions are always appreciated @ /about/.

-3RA

Credit goes to gnuteardrops from monero.graphics for the amazing xkcd graphic. Work and xkcd Script font licensed under CC BY-NC 3.0.

/cypherpunk-transmission-003-basic-server-security/ ↩
https://community.torproject.org/onion-services/setup/install/#installing-tor-from-source/ ↩
https://community.torproject.org/onion-services/advanced/vanity-addresses/ ↩
https://community.torproject.org/onion-services/advanced/onion-location/ ↩
https://github.com/mikeperry-tor/vanguards/ ↩
https://gitweb.torproject.org/torspec.git/tree/rend-spec-v3.txt/ ↩