Learn how to host Tor hidden services using .onion addresses

As part of the "dark web," onion services are popular in many different areas outside of crime. The US Naval Research Laboratory developed the Onion Routing Protocol in the mid-1990s to protect online intelligence communications in the United States. Over the years, it has been further developed and received substantial funding from DARPA, the Internet Freedom Initiative of the U.S. State Department, EFF, and other organizations. The Tor project was established as a non-profit organization in 2006. In a world of increasing censorship, tracking, privacy intrusion, and surveillance, Tor provides a way to remain anonymous, access potentially restricted or sensitive content, and provide quality educational materials.

Tor network

The Tor network is built by clients and servers. Tor Browser enables clients to access the Internet and browse the open and dark web anonymously. Hidden services are sites with end-to-end encryption and privacy that you visit on the Tor network, where the owner of the service is also anonymous. Many currently available services are very unstable, and most services will not stay for long (see Lindy effect ). Few onion services are widely known, and often for the wrong reasons. This article is used as learning materials and technical notes on how to set up Tor v3 hidden services on the OpenBSD server . Please do not use it for illegal purposes.

Please note that onion services provide enough security to defend against most real-life opponents who will try to make you anonymous. If there is a wealthy opponent like the government pursuing the service, you will need to add more anonymity layers, buy servers and bandwidth with encrypted currency for hosting, and even be careful when you ssh into your machine to hide you The entrance IP.

Generate Vanity v3 hidden service onion address

The onion address is the encoding of the hash value of the public key of the onion service. Please note that completely random addresses and generated names can be easily spoofed, because visitors who click on a link somewhere may be spoofed by the seemingly correct .onion prefix without having to check the entire address. We generate a custom .onion address just to have an easier to identify address in the address list. Tor Onion v3 hidden service address follows torspec/224 .

We are using the tool mkp224o , which allows the use of brute force methods to generate a (partial) customized vanity .onion address. We can clone the source code from github and build it:

git clone https://github.com/cathugger/mkp224o.git
./autogen.sh
./configure
make

Then, we use the prefix noxim to brute force the calculation of the address, which should take a few seconds, given that it has only 5 characters.

mkdir -p keys
./mkp224o -d ./keys noxim

noximfcmcizkdxdaryrf56sypldotfz3b2pqdenjkc4zk4t6nmoghwid.onion
noximfusrfrcr75ry57pkv2uzqrkvxseluzl54zi2andktjlcoxhxaqd.onion
noximugpgjva2sjfsulos3bidudnku2tmiofzsobfzvlt4ffizspqjad.onion
noximwc5zsk6jh5jzkiljjtik3tkuue7w7byobvjz6is7tdu4dousfyd.onion
noximuifbmzya75bljh2nvu57pbf76bjbwtnrp3ilto753bnbjvgbgyd.onion
noximhkcqevri46e2kuthman5o6emplfcevppx3hvsvu55qcygj5elyd.onion
...

Of these I used the last one and copied it to the server:

scp -r keys/noximhkcqevri46e2kuthman5o6emplfcevppx3hvsvu55qcygj5elyd.onion [email protected]:~

Effective documents:

hs_ed25519_public_key
hs_ed25519_secret_key
hostname

On the server, we copy the private key and host name to its location for use in the next steps:

doas mkdir -p /var/tor/hidden_service
doas chown -R _tor:_tor /var/tor/
doas cp hostname /var/tor/hidden_service
doas cp hs_ed25519_secret_key /var/tor/hidden_service/
doas cp hs_ed25519_public_key /var/tor/hidden_service/

Please note that if we plan to keep this service, we will want to back up this key.

Set up Tor and hidden services

Install tor service:

doas pkg_add tor

Edit /etc/tor/torrc, grep -v -E '^#|^$' /etc/tor/torrcthe output shown here , all uncommented and non-blank lines:

Log notice file /var/log/tor/notices.log
RunAsDaemon 1
DataDirectory /var/tor
HiddenServiceDir /var/tor/hidden_service/
HiddenServiceVersion 3
HiddenServicePort 80 127.0.0.1:8080
User _tor

We have bound httpd to port 80 and redirected the onion address to port 8080 to connect properly. Start and enable the tor service:

rcctl start tor
rcctl enable tor

If it is due to permission problems or other reasons not start, you can try to run it for possible errors from the command line prompt:  doas -u _tor /usr/local/bin/tor.

Use httpd to provide content on the .onion address

Then we use another server part to configure httpd for our hidden service v3 .onion address:

server "noximhkcqevri46e2kuthman5o6emplfcevppx3hvsvu55qcygj5elyd.onion" {
    listen on * port 8080
    root "/htdocs/nox.im"
}

Test whether the configuration is available doas httpd -n, and then restart httpd:

doas rcctl restart httpd

Now we can access through the tor browser. In our access.log, we will see that the virtual server is requested from localhost:

noximhkcqevri46e2kuthman5o6emplfcevppx3hvsvu55qcygj5elyd.onion 127.0.0.1 - - [24/Jul/2021:13:56:49 +0000] "GET / HTTP/1.1" 200 4350