How to run hidden onion server? Step-by-step guide.


3 years ago
1) Buy any cheap VPS.
You can find good deals on http://www.lowendbox.com/ and also check out http://www.lowendtalk.com/wiki/ with examples of some common VPS installations, such as web-server.

2) Install nginx, mysql, php or anything your website needs to run.

3) Configure your web-server to listen ONLY to 127.0.0.1:4986

Apache:

Listen 127.0.0.1:4986

lighttpd:

server.port = 4986
server.bind = "127.0.0.1"

nginx:

listen 127.0.0.1:4986;


Now restart your webserver.


4) Install Tor.

Debian:

apt-get install tor   # run as root

CentOS:

sudo yum install tor

or you can find instructions here https://www.torproject.org/docs/debian.html.en (not only for Debian)


5) Configure Tor:

/etc/tor/torrc

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:4986



Now restart Tor:

/etc/init.d/tor restart


And your tor hidden service is now up and running.
Its *.onion address is written to this file:

/var/lib/tor/hidden_service/hostname


Type it in your browser & go check it out!

!!! Take care:

1) Since your website is running on a VPS, admins of the host system could probably have access to all of your files & data. By simply reading that data they can easily match you and your hidden service. Using TrueCrypt or EncFS greatly reduces this possibility, but it is still possible to read the passphrase or unencrypted data from the VPS's memory image.

A good choice is to buy a physical server & use encryption on it.
An even better choice: stay anonymous to your VPS provider.
Google "bitcoin vps", or use some gift card, anonymous coupon, ask for a test period or whatever. Then, never show your real IP to the hoster (create the account, pay and later connect to your VPS only via Tor), use only secure protocols for that (https, ssh) and always verify signatures to avoid MITM attacks by Tor exit nodes, which are popular.

2) Beware of web-based attacks. This is true for any website, not only hidden ones, but I'll repeat it here once again: never trust users' data.

3) Limit access to your VPS from outside Tor. Configure iptables, or at least make sure you don't have Memcached listening to the whole world.

3 years ago
Thanks for this tutorial. I followed one just like this earlier, and it worked out great, except that I could not find out how to launch the browser.

3 years ago
Browser? This tutorial is about server-side hosting; there is no such thing as a browser there. A browser is for other people to access your server from their computers; it should not be installed on the server.

To access your hidden service you should do whatever you usually do to access other .onion sites, for example install Tor Browser Bundle.

2 years ago
Sorry to dig up a (relevantly) old post but I cannot stop my hidden service from being displayed in clearnet.

When I go to the onion site - the webpage loads
When I access 192.168.0.114:8008 (from another PC on this LAN) I can access the website.

I would have thought localhost is only for that PC and not from another within the same LAN, although I'm not fluent in this area...

I have added to torrc:

HiddenServiceDir /home/pi/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8008


and also added to /etc/nginx/sites-available/default:

server {
listen 8008; ## listen for ipv4; this line is default and implied


And also restarted both, still can access it. Any advice for a noob?

2 years ago
In nginx.conf

listen 8008;

should change to

listen 127.0.0.1:8008;


or, if you run Tor and nginx on different servers, put the IP of the Tor box there.
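
A check for the misconfiguration discussed in the two posts above, as an added example that is not part of the thread: it reads a torrc plus `ss -ltn` output and reports any HiddenServicePort backend port that also has a listener on a non-loopback address. The function name, the sample torrc and the sample socket listings are constructed for illustration.

```shell
# Added example (not from the thread); all sample data is constructed.
# exposed_backends TORRC   (reads `ss -ltn` output on stdin)
# Prints "PORT ADDRESS" for every HiddenServicePort backend port that also
# has a listener on a non-loopback address.
exposed_backends() {
    awk '
        mode == "torrc" && tolower($1) == "hiddenserviceport" {
            target = (NF >= 3) ? $3 : $2      # no target: 127.0.0.1:VIRTPORT
            if (target ~ /^unix:/) next       # unix sockets have no TCP port
            n = split(target, part, ":")
            backend[part[n]] = 1
        }
        mode == "ss" && $1 == "LISTEN" {
            addr = $4; port = $4              # field 4 is Local Address:Port
            sub(/.*:/, "", port)
            sub(/:[0-9]+$/, "", addr)
            if (!(port in backend)) next      # not a hidden-service backend
            if (addr ~ /^127\./ || addr == "[::1]") next
            print port, addr
        }
    ' mode=torrc "$1" mode=ss -
}

# Constructed torrc, using the values from the Raspberry Pi post above.
sample_torrc() {
    cat <<'EOF'
HiddenServiceDir /home/pi/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8008
EOF
}

# Constructed `ss -ltn` output: "listen 8008;" binds the wildcard address,
# "listen 127.0.0.1:8008;" binds loopback only.
sample_ss_before() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511          0.0.0.0:8008      0.0.0.0:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
EOF
}
sample_ss_after() {
    cat <<'EOF'
LISTEN 0      511        127.0.0.1:8008      0.0.0.0:*
EOF
}

tmp=$(mktemp) && sample_torrc > "$tmp"
sample_ss_before | exposed_backends "$tmp"    # prints: 8008 0.0.0.0
rm -f "$tmp"
```

On a live host, run `ss -ltn | exposed_backends /etc/tor/torrc`; no output means every backend port is bound to loopback only.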

2 years ago
Thanks for this - your assistance worked.
