CT-006: Setting up a public Onion Service
This is the 6th report in the new Cypherpunk Transmission series.
Onion Services offer solid privacy and security benefits to Tor users: the traffic is E2E encrypted and TLS is unnecessary, IP addresses are irrelevant, open ports are not required, and impersonation is impossible.
Despite the stigma associated with their previous name, Hidden Services can indeed be used for publically offered services, which are not intended to be hidden.
This guide shows how easy it actually is to, permissionlessly, set up an Onion Service for a website.
- you have ssh access to a secured1 VPS (Debian/-based) from a GNU/Linux machine
- basic terminal knowledge
- ~20 mins free time
1. Install Tor
SSH into your server and updgrade the packages first:
sudo apt update && sudo apt upgrade -y
Verify the CPU architecture with:
sudo dpkg --print-architecture
If the ouptut is amd64, arm64, or i386, proceed. Otherwise, you probably need to build Tor from source2.
sudo apt install apt-transport-https
Create a new file tor.list in
/etc/apt/sources.list.d/ by running:
sudo nano /etc/apt/sources.list.d/tor.list
Check your OS codename:
Paste these two lines inside the new file to add the most stable packages:
deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org <DISTRIBUTION> main deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org <DISTRIBUTION> main
<DISTRIBUTION> with your OS codename (ie. bullseye).
Add the GPG key that was used to sign the packages:
wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | sudo tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null
It is time to install tor and the tor Debian keyring package:
sudo apt update && sudo apt install tor deb.torproject.org-keyring
Note: if you don’t have nano or wget, install them with
sudo apt install nano wget.
Finally, make sure tor is up and running correctly:
sudo systemctl status tor
If the tor.service status is active, we are good to go.
2. Install a web server
You can choose any web server, but I will use Nginx:
sudo apt install nginx -y
Check the status with
sudo systemctl status nginx and point a browser to your VPS IP address.
If the Welcome to Nginx page doesn’t load, try checking your firewall settings and allow the default 80 port (ie.
sudo ufw allow 80).
By default, Nginx should serve the website from
/var/www/html. Feel free to edit the index.html or index.nginx-debian.html.
You can restart the web server with:
sudo sytemctl restart nginx
3. Configure the Onion Service
Open the torrc config file:
sudo nano /etc/tor/torrc
Uncomment the following two lines under the This section is just for location-hidden services by removing the
HiddenServiceDir /var/lib/tor/hidden_service/ HiddenServicePort 80 127.0.0.1:80
Replace hidden_service with your hidden service name (ie. my-onion-blog) and restart Tor:
sudo systemctl restart tor.service
4. Access and backup the Onion Service
Display your onion v3 service hostname with:
You should now be able to access the .onion with the Tor browser.
Make a backup of the
/var/lib/tor/hidden_service directory containing
private_key. That’s all you need to move the Onion Service to a new server.
- keep your
private_keyprivate and set properly restrictive user permissions for that file
- keep Tor up-to-date so that critical security flaws are fixed
- it is possible to create custom vanity onion addresses3 (ie. mysitenameyx4fi3l6x2gyzmtmgxjyqyorj9qsb5r543izcwymle.onion)
- advertise your onion site using the Onion-Location Header4
- for advanced threat models, look into the Vanguards Add-On5
- to learn how the hidden service protocol works, read the Tor v3 rendezvous spec6
Done. You are now in full control of your own domain, which is invulnerable to malicious takeovers from any authority.
Let me know if you find this helpful and, depending on interest, I will do my best to post a new Cypherpunk Transmission report every (other?) Monday.
Questions, edits and suggestions are always appreciated @ /about/.