This is basically an onion service crash course and vanity site guide. If you just want a simple site and don't run into problems very often (or you think I talk too much idk) reference the official guide
Note: My server runs off a raspberry pi 5 (with raspbian) so the installation commands in this guide are best suited for debian based distros!
Vanilla Setup:
1) First install tor and your webserver of choice (usually apache2 or nginx). I decided to go with nginx
sudo apt install tor
sudo apt install nginx
2) Nginx starts the webserver on install by default, so I check to make sure everything looks right with
sudo systemctl status nginx and nmap -sV -p80 localhost (nmap is optional, but its faster to type than systemctl
and I already have it installed sooooo)
3) To set up a (normal) hostname, edit /etc/tor/torrc to contain the following, replacing my_website with whatever you want
HiddenServiceDir /var/lib/tor/my_website/
HiddenServicePort 80 127.0.0.1:80
4) Save the file and restart tor (or start if it's not yet running)
sudo systemctl restart tor
5) At this point your hostname is in the /var/lib/tor/name_u_chose/hostname file (you need to be root to view it, DO NOT chown for convenience it MUST
be owned by debian-tor (on debian based distros) to work correctly. If you literally ignore everything I just said and get a hostring error later on that's why)
Note: There are other files in this directory including your public and private keys. Your private key must be kept secret, because an onion site can easily be stolen if you know the private
key and hostname
6) You can use the Tor Browser to navigate to your site and make sure everything's running
Note: I recommend Pi-Apps to install the Tor Browser on a raspberry pi since the architecture in unsupported normally
Vanity Site:
Vanity sites are onion hostnames that contain some readable text at the beginning like mangosfljsklfjdfjkgdkjfgksddfjkl.onion instead of sfjlksjldkdfhkahfskjfhjkjdjkfhgksljfl.onion
Note: One of the main concerns is that people will only look at the first section to identify the site and may end up getting phished or worse
by an imposter site as a result. I personally say #1 skill issue (jk kinda) #2 pgp keys exist keep track of them and #3 don't enter personal info into any onion site and this won't be an issue tbh
1) First we need to install the tool mkp224o. Here's the github repo with specifics and the option to run it from
a docker container if you don't want to/ can't install it
2) After cloning the repo, install the dependencies and CD into the repo dir for the rest of the steps
sudo apt install gcc libc6-dev libsodium-dev make autoconf
./autogen.sh
./configure
make
3) Create a new hostname and public/ private key pair (-d is for directory to store generated hostnames, replace vanitynamehere with your chosen string)
./mkp224o -d dir vanitynamehere
4) Let this run until you see a hostname that you like (every time it lists a name in output that is a generated directory)
5) Switch to root and copy the hostname, private, and public keys to the hidden directory you created before
6) These keys are generated based on the hostname, which is why you can't just modify the hostname file and hope it works
7) Restart the tor service with sudo systemctl restart tor (though I usually stop and start) and navigate to your new hostname to make sure it resolves correctly
Troubleshooting:
If your site won't connect correctly or you get offline errors these checks solve it about 94% of the time
1) Run sudo systemctl status on both tor and nginx. Error messages? Now you know wher the problem is. None? Step 2
2) sudo systemctl stop nginx and sudo systemctl start nginx then sudo systemctl stop tor and sudo systemctl start tor. For
some reason this works more consistently than just restarting. Still problems? Step 3
3) If there are no status errors, no nginx errors, no config errors, and you restarted both services it's probably a permission error
-> I've found that the tor service doesn't throw an error when the site directory is owned by the wrong user
-> In debian's case, the hidden site dir must be owned by debian-tor or else the tor service doesn't have the right perms to access the directory at all and just throws a 0xFsmth error when you try to access the site
If none of these solve the problem double-check your configs and check nginx + tor browser error logs
Questions/ concerns/ objections/ wtv? contact me!
july 2024