Setting up Tor Hidden Service

Tools Jul 31, 2019

Tor hidden services allow various types of services (web server, telnet server, chat server, etc) to be operated within the Tor network. This allows both users and service operators to conceal their identities and locations. Just about anything that can be run on the clearnet can be run within the Tor darknet.

Hidden services are called "hidden" because the IP address of your server is hidden inside Tor: visitors cannot see it, so they cannot track you. An onion service needs to advertise its existence in the Tor network before clients will be able to contact it. Therefore, the service randomly picks some relays, builds circuits to them, and asks them to act as introduction points by telling them its public key.

Setting up a hidden service on Tor is a simple process and depending on the level of detail, an operator can keep their service completely anonymous. Depending on your use-case, you may or may not choose to anonymise your service at all. For anonymous operation, it is recommended to bind services being offered to localhost and make sure that they do not leak information such as an IP address or hostname in any situation (such as with error messages).

Setting up the hidden service

Prerequisite

  1. A virtual machine to host the hidden service with Ubuntu or Debian installed and root access

Download Tor

Edit the /etc/apt/sources.list file and, based on your OS, add the relevant entries at the end of the file

Ubuntu Bionic Beaver (18.04 LTS)

deb https://deb.torproject.org/torproject.org bionic main
deb-src https://deb.torproject.org/torproject.org bionic main

Ubuntu Xenial Xerus (16.04 LTS)

deb https://deb.torproject.org/torproject.org xenial main
deb-src https://deb.torproject.org/torproject.org xenial main

Debian Jessie

deb https://deb.torproject.org/torproject.org jessie main
deb-src https://deb.torproject.org/torproject.org jessie main

Debian Stretch

deb https://deb.torproject.org/torproject.org stretch main
deb-src https://deb.torproject.org/torproject.org stretch main

Then add the gpg key used to sign the packages by running the following commands at your command prompt:

# curl https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --import
# gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -

Now to install Tor, run the following commands

# apt update
# apt install tor deb.torproject.org-keyring -y

Configure torrc file

Edit the torrc file

nano /etc/tor/torrc

Find the section where it says "This section is just for location-hidden services". Uncomment the two lines below:

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80

HiddenServiceDir is where you'll find the hostname and its private key. We will change this to /var/lib/tor/hideme/

HiddenServicePort tells Tor on which port it should listen and to which port it should forward requests. We will change it to 80 127.0.0.1:8000. Tor will listen on port 80 and forward to port 8000.

Save the file and exit. Now restart the Tor service.

sudo systemctl restart tor

Install and Setup NGINX

First, install the NGINX server

apt install nginx -y

We will delete the default configuration file of NGINX

rm /etc/nginx/sites-enabled/default

Now we will create a configuration file for our hidden service

nano /etc/nginx/sites-available/hideme.conf

In the editor, enter the following lines:

server {
  # Loopback only, on the port that HiddenServicePort forwards to in torrc
  listen 127.0.0.1:8000;
  server_name _;

  root /var/www/html;
  try_files $uri $uri/ /index.html;
}

Create a symbolic link to the configuration file in the sites-enabled directory

ln -s /etc/nginx/sites-available/hideme.conf /etc/nginx/sites-enabled/hideme.conf

Restart the NGINX server

service nginx restart

Now we will create an index file in the html directory to be served over the Tor hidden service

nano /var/www/html/index.html

Add the following lines in the editor window

<html>
    <head>
        <title>Tor test file</title>
    </head>
    <body>
        <p>This tor configuration is working as expected.</p>
    </body>
</html>

Save the file and exit.
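A mismatch between the HiddenServicePort target in torrc and the NGINX listen directive, or a listener bound to a public interface, is easy to miss. The check below is an added example, not part of the original tutorial: it compares the two files and reports both problems. The function names and sample strings are constructed for illustration, and it assumes TCP targets and listen directives that carry an explicit port.

```python
import ipaddress
import re

# Constructed samples using this tutorial's values; not read from a real host.
SAMPLE_TORRC = "HiddenServiceDir /var/lib/tor/hideme/\nHiddenServicePort 80 127.0.0.1:8000\n"
SAMPLE_NGINX = "server {\n  listen 127.0.0.1:8000;\n  server_name _;\n}\n"

def split_addr(addr, default_host):
    """Split 'host:port', '[v6]:port' or a bare 'port' into (host, port)."""
    host, _, port = addr.rpartition(":")
    return (host.strip("[]") or default_host, int(port))

def tor_targets(torrc):
    """(virtual_port, host, port) for each active HiddenServicePort line."""
    out = []
    for line in torrc.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0].lower() == "hiddenserviceport":
            # Without a target, Tor maps to the same port on 127.0.0.1.
            target = parts[2] if len(parts) > 2 else parts[1]
            out.append((int(parts[1]),) + split_addr(target, "127.0.0.1"))
    return out

def nginx_listeners(conf):
    """(host, port) per listen directive; a bare port binds every interface."""
    found = re.findall(r"^\s*listen\s+([^\s;]+)", conf, re.M)
    return [split_addr(a, "0.0.0.0") for a in found]

def is_loopback(host):
    try:
        return host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def audit(torrc, nginx_conf):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    listeners = nginx_listeners(nginx_conf)
    for virt, host, port in tor_targets(torrc):
        if not is_loopback(host):
            findings.append(f"onion port {virt} forwards to non-loopback {host}:{port}")
        if port not in [p for _, p in listeners]:
            findings.append(f"onion port {virt} forwards to {port}, but nginx does not listen there")
    for host, port in listeners:
        if not is_loopback(host):
            findings.append(f"nginx listens on {host}:{port}, reachable without Tor")
    return findings
```

To check a real host, pass the contents of /etc/tor/torrc and /etc/nginx/sites-enabled/hideme.conf to audit() instead of the samples.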

Get onion address

We will find the onion address of our service in the directory entered against HiddenServiceDir in the torrc file.

cd /var/lib/tor/hideme/

Run ls to ensure that both the hostname and private_key files are there. View the hostname by running

cat hostname

You will get a 56 character long onion address. Copy this address.
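The 56 characters are not random text: a v3 onion name is the base32 encoding of the service's 32-byte ed25519 public key, a 2-byte checksum and a version byte. The following added example (not part of the original tutorial) validates that structure, so a mistyped or altered address is caught before it is published. The function names are illustrative and SAMPLE_PUBKEY is a constructed byte string, not a real service key.

```python
import base64
import hashlib

# Constructed 32-byte value standing in for an ed25519 public key.
SAMPLE_PUBKEY = bytes(range(32))

def onion_checksum(pubkey, version=b"\x03"):
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]

def encode_v3(pubkey):
    """Build the 56-character name: base32(pubkey || checksum || version)."""
    raw = pubkey + onion_checksum(pubkey) + b"\x03"
    return base64.b32encode(raw).decode().lower() + ".onion"

def check_v3(address):
    """Return None for a well-formed v3 onion name, else the reason it fails."""
    host = address.strip().lower()
    if not host.endswith(".onion"):
        return "missing .onion suffix"
    label = host[:-len(".onion")].rsplit(".", 1)[-1]  # ignore any subdomain
    if len(label) != 56:
        return f"label is {len(label)} characters, expected 56"
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:
        return "label is not valid base32"
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != b"\x03":
        return "version byte is not 3"
    if checksum != onion_checksum(pubkey):
        return "checksum mismatch (typo or altered address)"
    return None
```

Pass the contents of the hostname file to check_v3(); a 16-character v2 name fails the length check.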

Test the configuration

Open the Tor browser and enter the hostname that we obtained in the previous step.

If you get a screen like this, you have successfully configured your Tor hidden service.

Onion address v3 vs v2

By default, the latest version of Tor gives you a v3 onion address that is 56 characters long. If you wish to use a 16-character v2 address, edit the torrc file and replace the previous configuration with the lines below

HiddenServiceDir /var/lib/tor/hideme/
HiddenServiceVersion 2
HiddenServicePort 80 127.0.0.1:8000

Restart Tor by running systemctl restart tor

Find your new hostname

cat /var/lib/tor/hideme/hostname


Tor is by no means illegal. Many search engines and even Facebook provide service over Tor for countries with heavy censorship.

Facebook has its onion service at facebookcorewwwi.onion and DuckDuckGo runs on 3g2upl4pq6kufc4m.onion. You can also view my website on rishabhlmlphvet2zw4jm4gnr5x2powd453n73kwsdcrdcqsluihmdqd.onion using Tor Browser.