Hosting Over Tor Via Nginx

Enki
3 Jan 2021

Quick overview of Tor and some history


One way of accessing your self hosted services from outside your home network is via Tor. Tor is a privacy network; the name stands for The Onion Router. Onion routing was developed in the mid-'90s at the U.S. Naval Research Laboratory (part of the DoD) by mathematician Paul Syverson and computer scientists Michael G. Reed and David Goldschlag, and the Tor code was released under a free license in 2004. Around that point the EFF took over funding the project, paying Roger Dingledine and Nick Mathewson to continue it.

Tor lets users browse, chat and send files anonymously by wrapping their traffic in layers of encryption, hence the "onion" name. The first relay you connect to, known as the guard relay, peels off the outermost layer and passes the traffic to the next relay. The guard is the only relay that sees your IP address; it learns nothing else about you, not even which site you are visiting. The middle relay knows neither your IP address nor the destination: all it does is peel off one more layer and pass the traffic on. The last relay, called the exit node, removes the final layer and forwards the request to its destination, so the website you request only ever sees the IP address of the exit node. The response travels back to you along the same path. Onion services work differently, and that is exactly why they suit self hosting: when you visit a .onion address there is no exit node at all. Your client and the service each build a circuit to a rendezvous point inside the Tor network, the connection is encrypted end to end, and neither side learns the other's IP address, so you can reach a service at home without opening a single inbound port on your router.

A few notes

If you are using Tor Browser, it is generally not recommended to change much about it, such as installing plugins. Every change makes your browser fingerprint more unique, which can lead to deanonymization. Luckily most self hosted services have a web UI, so you should not need a browser plugin at all.

On Android and iOS there is an app called Orbot that routes app traffic through the Tor network, which lets you reach your services from ordinary apps. There is also a Tor browser for iOS (Onion Browser), but because Apple requires every iOS browser to use WebKit, it cannot offer the same protections as Tor Browser, so it is not the best option.

Installing Tor

On most modern systems you can get away with just running:

sudo apt install tor -y

If that does not work, or you want the current release straight from the Tor Project rather than your distribution's (often older) package, run this set of commands to add the Tor repository and install from it. Replace bullseye with your own release codename (lsb_release -sc prints it); the repository carries builds for current Debian and Ubuntu releases.

#Install the apt-transport-https package if it's not already installed
sudo apt install apt-transport-https

#Import the Tor Project's archive signing key into its own keyring
curl https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | sudo tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null

sudo nano /etc/apt/sources.list.d/tor.list

#Copy and paste this into the new file, then hit Ctrl+S and Ctrl+X to save and exit (Ctrl+O, Enter, Ctrl+X on older nano).
deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bullseye main

sudo apt update

sudo apt install tor -y

The signed-by option pins that repository to the Tor key alone, so no other key in your apt trust store can be used to push you a Tor package. Check that the fingerprint in the URL matches the one published on the Tor Project's site before you trust the keyring.

Nginx

I'm only going to cover Nginx, as this is what I know best. This guide is for Debian based Linux such as Ubuntu. It is also recommended that you install a new, separate web server for your onion service: if one Nginx instance answers for both your clearnet hostname and your .onion address, a misconfiguration on either side can link the two. If you need a hand getting a server up and going check out this post.

If you haven’t already installed Nginx, do so now:

sudo apt install nginx -y

By default the web server listens on port 80. Test the install by browsing to your device's IP address; if there were no errors during install you should see the "Welcome to nginx!" page, and you can move on to configuration.

The next step is editing Tor's configuration file, known as the torrc. The path varies between distributions, but on Debian based Linux this opens it:

sudo nano /etc/tor/torrc

If you don't find the torrc file, check for a directory named torrc.d in /etc/tor/; you can create a new configuration file there. Scroll down to around line 70 and you'll see two commented lines like so:

HiddenServiceDir /var/lib/tor/hidden_service/

HiddenServicePort 80 127.0.0.1:80


Uncomment these lines and edit as needed. HiddenServiceDir names the directory where Tor keeps the service's state and cryptographic keys. Change it to a directory that the user Tor runs as (debian-tor on Debian and Ubuntu) can read and write. Tor also refuses to start if that directory is accessible to any other user, so its mode must be 0700.

HiddenServicePort takes two values. The first is the virtual port, the port visitors to your onion service will use; keep it at 80 so the address works without a port suffix. The second is the address:port that Tor connects to on your web server; if your web server is on a different IP or port, change only this part. Keep the target on 127.0.0.1 (or a unix socket, shown later): the hop from Tor to the target is a plain TCP connection, so a target on another machine would cross your network unencrypted. Save the file with Ctrl+S and exit with Ctrl+X, then restart Tor with:

sudo systemctl restart tor


If Tor starts up again, move on to the next step. Otherwise something is wrong: check Tor's log (the systemd journal on Debian based systems) for hints. Typically the cause is a typo in the torrc or wrong directory permissions. On this restart Tor creates the HiddenServiceDir and generates your keys. Assuming you kept the default directory, you can now see your new address with the command below (the directory is only readable by the tor user, so sudo is needed):

sudo cat /var/lib/tor/hidden_service/hostname


The hostname file in your HiddenServiceDir contains the address of your new v3 onion service. The other files, hs_ed25519_secret_key and hs_ed25519_public_key, are the service's keys, so it is imperative that they are kept private. If the secret key leaks, anyone holding it can impersonate your onion service, which makes the address compromised, useless and dangerous to visit.

Web server Configuration

If your web server just serves all connections on port 80, you’re already done. You should be able to access your website using the .onion address shown in your HiddenServiceDir. If, however, you use something like Nginx virtual hosts then you have a little more work to do.

You'll need to edit the config file for your site (/etc/nginx/sites-available/your_site_name) and add the new hostname to the server block's server_name line:

server {
    listen 80;
    server_name becomesovran.com youronionsitehere.onion;
    index index.html;
    root /var/www/becomesovran.com;
}

With this layout the same Nginx answers for both names, which is fine for a site that is public anyway. If the onion site is meant to stay unlinked from your clearnet identity, give it its own server block bound to 127.0.0.1 or a unix socket (see the next section) instead of sharing one.


Enable it with: 

sudo ln -s /etc/nginx/sites-available/your_site_name /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx

Running more than one service on Nginx


If you want to forward multiple virtual ports for a single onion service, just add more HiddenServicePort lines. If you want to run multiple onion services from the same Tor client, add another HiddenServiceDir line. Every HiddenServicePort line belongs to the most recent HiddenServiceDir above it, until the next HiddenServiceDir line starts a new service. It ends up looking something like this:

HiddenServiceDir /var/lib/tor/onion_service/
HiddenServicePort 80 127.0.0.1:80

HiddenServiceDir /var/lib/tor/other_onion_service/
HiddenServicePort 6667 127.0.0.1:6667
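To make that grouping rule concrete, here is a small torrc checker, added as an example for this section and not part of the original post or of Tor itself. It parses the HiddenService* lines into services using exactly that rule (each HiddenServicePort attaches to the most recent HiddenServiceDir), expands the shorthand targets Tor accepts, and flags two things worth catching before a restart: a directory with no ports, and a target that is neither loopback nor a unix socket, since the connection from Tor to the target is plain TCP. The sample torrc inside it is constructed for the example, and the class, function and message wording are mine; bracketed IPv6 targets are assumed not to be in use.

```python
"""Parse and sanity-check the HiddenService* lines of a torrc.

Added example for this post (not Tor's code). Rule implemented: every
HiddenServicePort belongs to the most recent HiddenServiceDir above it.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample: the two-service layout from the post plus two deliberate
# variations, a port with no explicit target and a target on another host.
SAMPLE_TORRC = """\
HiddenServiceDir /var/lib/tor/onion_service/
HiddenServicePort 80 127.0.0.1:80
HiddenServiceDir /var/lib/tor/other_onion_service/
HiddenServicePort 6667 127.0.0.1:6667
HiddenServicePort 22                     # no target: Tor uses 127.0.0.1:22
HiddenServiceDir /var/lib/tor/lan_service/
HiddenServicePort 80 192.168.1.10:80     # Tor-to-target hop leaves the host
"""

LOOPBACK_HOSTS = ("127.0.0.1", "localhost")


@dataclass
class HiddenService:
    directory: str
    ports: List[Tuple[int, str]] = field(default_factory=list)  # (virtual port, target)


def normalise_target(target: str, virtual_port: int) -> str:
    """Expand the target forms Tor accepts: 'port', 'addr', 'addr:port', 'unix:path'.
    Bracketed IPv6 targets are not handled (assumption: IPv4 or unix sockets only)."""
    if target.startswith("unix:"):
        return target
    if target.isdigit():                 # bare port -> default host 127.0.0.1
        return f"127.0.0.1:{target}"
    if ":" not in target:                # bare address -> same port as the virtual port
        return f"{target}:{virtual_port}"
    return target


def parse_hidden_services(torrc: str) -> List[HiddenService]:
    """Group HiddenServicePort lines under the HiddenServiceDir that precedes them."""
    services: List[HiddenService] = []
    for lineno, raw in enumerate(torrc.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # torrc comments start with '#'
        if not line:
            continue
        parts = line.split()
        key = parts[0].lower()                        # torrc keywords are case-insensitive
        if key == "hiddenservicedir":
            services.append(HiddenService(directory=parts[1]))
        elif key == "hiddenserviceport":
            if not services:
                raise ValueError(f"line {lineno}: HiddenServicePort before any HiddenServiceDir")
            virtual_port = int(parts[1])
            target = parts[2] if len(parts) > 2 else str(virtual_port)
            services[-1].ports.append((virtual_port, normalise_target(target, virtual_port)))
    return services


def lint_hidden_services(services: List[HiddenService]) -> List[str]:
    """Return human-readable problems; an empty list means the layout looks sane."""
    problems: List[str] = []
    seen = set()
    for svc in services:
        if svc.directory in seen:
            problems.append(f"{svc.directory}: HiddenServiceDir listed twice")
        seen.add(svc.directory)
        if not svc.ports:
            problems.append(f"{svc.directory}: no HiddenServicePort, nothing would be served")
        for virtual_port, target in svc.ports:
            if target.startswith("unix:"):
                continue                              # stays on this host
            host = target.rsplit(":", 1)[0]
            if host not in LOOPBACK_HOSTS:
                problems.append(
                    f"{svc.directory}: virtual port {virtual_port} forwards to {target}; "
                    "Tor's encryption ends at the target, so this hop crosses the network in plaintext"
                )
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TORRC
    for svc in parse_hidden_services(text):
        print(svc.directory, svc.ports)
    for problem in lint_hidden_services(parse_hidden_services(text)):
        print("WARNING:", problem)
```

Run it with the path to your torrc as the only argument; with no argument it checks the constructed sample, which prints one warning for the 192.168.1.10 target and none for the loopback ones.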


If you're running multiple onion sites on the same web server, remember to edit your web server's virtual host file and add the onion address for each website. A cleaner way to keep an onion vhost off every TCP port is to have Tor hand connections to Nginx over a unix socket: the onion site is then reachable only through Tor, and nobody probing your public IP with the .onion name in the Host header can link it to your clearnet site. On the Tor side the HiddenServicePort target becomes the socket path:

HiddenServicePort 80 unix:/var/run/tor-my-website.sock

and the matching Nginx server block looks like this:

server {
    listen unix:/var/run/tor-my-website.sock;
    server_name youronionsitehere.onion;
    access_log /var/log/nginx/my-website.log;
    index index.html;
    root /path/to/htdocs;
}

Nginx creates the socket when it starts, and the user Tor runs as (debian-tor) must be able to connect to it; if Tor logs a failure connecting to the socket, check the socket's ownership and mode. Also think about whether you want an access log at all: it records every request to the onion site, which is exactly the kind of data you do not want lying around if the box is ever seized or compromised.

Tor site security


This is a complex topic and I'm not an expert on Tor. Here are some links from the official Tor site that will help you dive deeper into safely running your site. One thing I will say is that if you plan on running your site for a long time, it's a good idea to back up the key files in your HiddenServiceDir (hs_ed25519_secret_key and hs_ed25519_public_key; "private_key" was the v2 file name) somewhere safe, since the address cannot be recovered without them.

Opsec : https://community.torproject.org/onion-services/advanced/opsec/

General best practices : https://riseup.net/en/security/network-security/tor/onionservices-best-practices

Onion scan helps with site opsec : https://onionscan.org

The host itself needs hardening too. If SSH is reachable on the box at all, the usual sshd_config baseline applies: key-only logins and no root login.

PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
PermitRootLogin no

Confirm that key-based login still works from a second session before closing the one you are in; UsePAM no also disables PAM's session handling on Debian based systems, so test before you rely on it.

A custom domain


Ok, on to something I find super fun: mining a custom (vanity) address. If you have any experience making a vanity Bitcoin address, you'll find this is pretty much the same. All it really takes is time, and how much time depends on the computing power at your disposal. For the old v2 (16 character) addresses the derivation went like this:

1. Generate a 1024-bit RSA key pair
2. Take the SHA-1 of the DER-encoded public key
3. Base32 encode the first 80 bits (10 bytes) of the hash...

... and you have your .onion address. The v3 (56 character) addresses that Tor generates today, and that mkp224o below produces, work differently: the address is the base32 encoding of the ed25519 public key itself, followed by a two byte SHA3-256 checksum and a version byte. Because the address is the key, finding a vanity prefix means generating ed25519 keys until one starts with the right bits, and each extra character multiplies the expected work by 32.

There are a few programs out there designed to churn through keys, but I'm using mkp224o. First install mkp224o and its dependencies (it needs the libsodium headers, which build-essential does not include):

sudo apt install git build-essential autoconf libsodium-dev

git clone https://github.com/cathugger/mkp224o.git

cd mkp224o
./autogen.sh
./configure
make


Now you can use mkp224o to generate a custom address. Here's the basic syntax:

./mkp224o [options] prefix1 [prefix2] ...


For example, to generate an address starting with "test":

./mkp224o -v test


The -v flag enables verbose output. You can also use multiple CPU threads with the -t option:

./mkp224o -v -t 4 test

Keep in mind that generating a custom address can take a very long time, especially for longer prefixes: the longer the prefix, the exponentially longer it takes, roughly 32 times more work per extra character. The prefix can only contain characters that a v3 address can contain, lowercase a to z and the digits 2 to 7, so something like "tor1" can never match.

Installing the Key


Once mkp224o finds a matching address, it creates a directory named after that address containing the same three files Tor would have generated: hs_ed25519_secret_key, hs_ed25519_public_key and hostname. To use the custom address, stop the Tor service:

sudo systemctl stop tor

Copy the generated key files into your HiddenServiceDir (the directory named in your torrc; /var/lib/tor/hidden_service/ in the example above), replacing the keys Tor generated earlier:

sudo cp /path/to/generated/keys/* /var/lib/tor/hidden_service/

Ensure the correct ownership and permissions, otherwise Tor will refuse to load the directory:

sudo chown -R debian-tor:debian-tor /var/lib/tor/hidden_service/
sudo chmod 700 /var/lib/tor/hidden_service/

Restart the Tor service:

sudo systemctl restart tor

You should be able to visit the site at the custom address now; the hostname file in the directory should show the same address mkp224o printed.
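The derivation described under "A custom domain" and the key-installation steps above can both be checked with the following script, an added example that is not from the original post, from Tor or from mkp224o. It computes a v3 address from a raw ed25519 public key the way Tor does (base32 of key, two byte SHA3-256 checksum, version byte 3), verifies an address's checksum, shows the retired v2 computation for comparison, reads the 64-byte hs_ed25519_public_key file layout (a 29-byte header NUL-padded to 32 bytes, then the key), and confirms that a generated directory's hostname matches its public key before you copy it into HiddenServiceDir. It also gives the expected search cost for a prefix. The 32-byte key used in the check is a constructed stand-in, not a real ed25519 point, and the function and constant names are mine.

```python
"""v3 onion address derivation and key-directory check.

Added example (not from the post, Tor or mkp224o); standard library only.
"""
import base64
import hashlib
import hmac
import sys
from pathlib import Path

ONION_VERSION = b"\x03"                       # version byte ending every v3 address
CHECKSUM_PREFIX = b".onion checksum"          # domain separation string from rend-spec-v3
# hs_ed25519_public_key: this 29-byte header NUL-padded to 32 bytes, then the 32-byte key
PUBKEY_FILE_HEADER = b"== ed25519v1-public: type0 =="
BASE32_ALPHABET = frozenset("abcdefghijklmnopqrstuvwxyz234567")


def onion_v3_address(pubkey: bytes) -> str:
    """base32(PUBKEY || CHECKSUM || VERSION) + '.onion', as Tor computes it."""
    if len(pubkey) != 32:
        raise ValueError("an ed25519 public key is 32 bytes")
    checksum = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]
    raw = pubkey + checksum + ONION_VERSION       # 35 bytes -> exactly 56 base32 characters
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def verify_onion_v3_address(address: str) -> bool:
    """Check length, alphabet, version and checksum of an address (not that a key exists)."""
    name = address.strip().lower()
    if name.endswith(".onion"):
        name = name[:-len(".onion")]
    if len(name) != 56 or not set(name) <= BASE32_ALPHABET:
        return False
    raw = base64.b32decode(name.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        return False
    expected = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + version).digest()[:2]
    return hmac.compare_digest(checksum, expected)


def onion_v2_address(der_rsa_pubkey: bytes) -> str:
    """The retired v2 scheme: base32 of the first 80 bits (10 bytes) of SHA-1(DER public key)."""
    digest = hashlib.sha1(der_rsa_pubkey).digest()[:10]
    return base64.b32encode(digest).decode("ascii").lower() + ".onion"


def pubkey_from_keyfile(data: bytes) -> bytes:
    """Pull the raw key out of the 64-byte hs_ed25519_public_key file."""
    if len(data) != 64 or not data.startswith(PUBKEY_FILE_HEADER):
        raise ValueError("not an hs_ed25519_public_key file")
    return data[32:]


def key_dir_is_consistent(pubkey_file: bytes, hostname_file: bytes) -> bool:
    """True when 'hostname' is a valid v3 address and matches the public key file."""
    derived = onion_v3_address(pubkey_from_keyfile(pubkey_file))
    claimed = hostname_file.decode("ascii").strip().lower()
    return verify_onion_v3_address(claimed) and hmac.compare_digest(derived, claimed)


def vanity_search_cost(prefix: str) -> int:
    """Expected keys to try: each base32 character pins 5 bits of the key, so 32**len."""
    if not prefix or not set(prefix) <= BASE32_ALPHABET:
        raise ValueError("a v3 prefix may only use a-z and 2-7")
    return 32 ** len(prefix)


if __name__ == "__main__":
    # Usage: python3 onioncheck.py /path/to/mkp224o/output/<address>.onion
    key_dir = Path(sys.argv[1])
    ok = key_dir_is_consistent((key_dir / "hs_ed25519_public_key").read_bytes(),
                               (key_dir / "hostname").read_bytes())
    print("consistent, safe to install" if ok else "MISMATCH, do not install these keys")
    sys.exit(0 if ok else 1)
```

Point the script at the directory mkp224o produced before you copy it anywhere; a mismatch means the files were mixed up or truncated and Tor would either refuse them or serve a different address than the one you mined. Note that the secret key file is never read, so the check is safe to run on a copy that lives outside the 0700 directory.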

In conclusion


I hope this helps you on your self hosting and privacy journey. Stay safe out there and, as always, feel free to reach out if something doesn't work. Until next time.
