Create a Hidden Tor Service with VestaCP in 10 MINUTES! ULTIMATE ONION SITE GUIDE! Ubuntu/Debian/CentOS!

Disclaimer: this guide was written for research purposes only because the Author wanted an .onion version of a normal website.
The Author does not host any hidden services, only .onion addresses for already existing .com websites so that they can be accessed by .onion addresses too.
This guide requires almost NO technical knowledge to start a tor hidden service.

UPDATE 2019: This guide was written in late 2016. It may be updated eventually! We don’t touch TOR so it would be cool to see if anything has changed since this guide was first written.

If you follow this guide but don’t harden your service beyond what is described here, your hidden service is pretty much guaranteed to be un-hidden.

You have been sternly warned. I am not a TOR expert and this is not rocket science but if you are familiar with all of the software below already, you will have an even better idea than the Author on hosting through tor.

This website was offline for 7 months earlier this year and in that time another cool post was added for Debian version of this guide. I may write another Debian guide soon as it is always interesting to see what changes version-to-version.

Law Enforcement: this guide is for research purposes only. If you would like this post taken down, please leave an anonymous comment stating so and the post will be promptly removed.

Comes already out-of-the box with:

  • nginx
  • iptables & fail2ban
  • MySQL

This setup does NOT use apache (uses php-fpm instead!).

We recommend NOT using a mail server or allowing ftp access with your VestaCP installation.

Get a VPS on ANY of the following:
# RHEL / CentOS 5,6,7
# Debian 6,7,8
# Ubuntu 12.04-15.10

We highly recommend CentOS and the commands in this guide are based on CentOS only.

Disclaimer: this guide was written because I wanted an .onion version of a normal website.

VestaCP is a free server & hosting control panel. See more at vestacp.com.

Log into your server via SSH.

Download installation script

curl -O http://vestacp.com/pub/vst-install.sh

Next, visit vestacp.com and scroll down to generate some Advanced Install Settings.
Choose the following options: nginx + php-fpm, NO ftp, NO mail, NO DNS.

VestaCP advanced install settings

Our generated install command is below, paste this into your terminal.

bash vst-install.sh --nginx yes --phpfpm yes --apache no --vsftpd no --proftpd no --exim no --dovecot no --spamassassin no --clamav no --named no --iptables yes --fail2ban yes --mysql yes --postgresql no --remi yes --quota no

Press y and enter to install VestaCP.

VestaCP installation generic

Press enter when it asks for an email (no email).

For the hostname, you can enter anything. I suggest something very generic, so just type hostname and hit enter.

When it’s finished installing, note down the password.

Open a browser (TOR browser) and visit the URL supplied; it will be your server IP with https:// at the start and :8083 at the end.

Tor browser will give you an insecure certificate warning. Click Advanced, allow the exception, and confirm the security exception.

Click on the IP tab at the very top and then click on the green (+) symbol to add an additional IP.

Vestacp ip settings tab

The IP address we want to add is 127.0.0.1. This is the localhost machine IP, but tor will listen on this address on port 80.
This means that your website will only be accessible by the TOR browsers and never by clear-net browsers.

Set Netmask as 255.255.255.255 and change the Interface to venet0.

VestaCP add 127.0.0.1 new ip address

In a new tab on the Tor Browser, type the IP of your server to see the demo page and make sure the web server is working.

So instead of: https://xx.xx.xx.xx:8083/

Visit http://xx.xx.xx.xx/

You should see a demo page:

VestaCP Demo Page

Next, go to the WEB tab and delete the example website. To delete the site, you may need to turn javascript on temporarily. Hover over the site, click delete and confirm delete.

VestaCP Tor delete example website

Refresh the other tab with the demo website. It should now give an error.

VestaCP Tor Error

Go back to your terminal and install tor.

yum install tor -y

Add tor to startup too.

chkconfig tor on

Remove the default tor settings file and replace it with your own as follows.

rm -f /etc/tor/torrc
echo "HiddenServiceDir /var/lib/tor/hidden_service/" >> /etc/tor/torrc
echo "HiddenServicePort 80 127.0.0.1:80" >> /etc/tor/torrc

Start tor.

service tor start

This will generate a new onion address for you.

cat /var/lib/tor/hidden_service/hostname

This is your .onion address.
Now we need to add it to the VestaCP WEB panel and make sure the IP is set to 127.0.0.1.
Make sure DNS and Mail are turned OFF.

Add onion website to VestaCP

Done!

Now visit your URL in a Tor browser.

It may take 5 minutes to show up.

Your service will ONLY be accessible by TOR!

TOR SITE UNAVAILABLE OR TURNING OFF AFTER REBOOT?

service tor start
service nginx reload

ADDITIONAL SECURITY MEASURES

Go to UPDATES tab and disable autoupdates for vestacp.

Head to the FIREWALL tab and suspend everything except for 22 and 8083.

You can open 25 again later if you need to send emails.

HARDEN YOUR WEB SERVER

This guide is currently for research purposes and does NOT include any hardening tips and is provided as is.

Please see more information here: https://www.reddit.com/r/onions/wiki/hidden_services

You may want to disable phpmyadmin.

HOST MULTIPLE HIDDEN SERVICES ON ONE SERVER

You’ll want to open /etc/tor/torrc for editing and add as many services as you want!

Make a new /hidden_service/ directory for each new service:

HiddenServiceDir /var/lib/tor/hidden_service2/
HiddenServicePort 80 127.0.0.1:80

HiddenServiceDir /var/lib/tor/hidden_service3/
HiddenServicePort 80 127.0.0.1:80

Restart tor to generate these new service .onion addresses.

service tor stop
service tor start

Find out the new .onion addresses

cat /var/lib/tor/hidden_service2/hostname
cat /var/lib/tor/hidden_service3/hostname

Add each new .onion address into the WEB tab in the VestaCP admin area!
These are example .onions generated and are not live addresses:

Host Multiple Tor Websites on One Server CentOS 7

HOSTING A .ONION VERSION OF A CLEARNET WEBSITE

I have no idea if this is secure or not.
Instead of putting 127.0.0.1 in the torrc file as the HiddenServicePort, change it to the server IP.
Add a new website to your WEB area in the VestaCP admin panel.
This will make your service accessible at both the IP address of your server and at the .onion address.

echo "HiddenServiceDir /var/lib/tor/hidden_service/" >> /etc/tor/torrc
echo "HiddenServicePort 80 xx.xx.xx.xx:80" >> /etc/tor/torrc

Depending on the URL and linking structure of your clearnet website and if there are any htaccess redirects, you may find your .onion service just works for only the homepage and then uses the normal URL because of how your website works.

This guide is, again, for research purposes only, and therefore does not offer any advice on that.
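
The torrc layouts from the last two sections (several services in one file, and the clearnet variant) can be checked before restarting tor. The function below is an added example, not part of the original guide or of Tor or VestaCP: it flags a HiddenServicePort whose target is not loopback (the case the guide says makes the site reachable at the server IP as well), a repeated HiddenServiceDir, and a directory with no port line. The finding labels are made up for this example and the sample input is constructed, with 203.0.113.10 standing in for the server IP.

```shell
#!/bin/sh
# Added example, not from the original guide.
# audit_torrc [FILE]: print one finding per line for the hidden-service
# lines of a torrc (reads stdin when no FILE is given); silent when clean.
audit_torrc() {
    awk '
    { sub(/#.*/, ""); key = tolower($1) }   # drop comments; option names are case-insensitive
    key == "hiddenservicedir" {
        if (dir != "" && !ports) print "NO_PORT " dir
        dir = $2; ports = 0
        if (seen[dir]++) print "DUPLICATE_DIR " dir
        next
    }
    key == "hiddenserviceport" {
        if (dir == "") { print "PORT_BEFORE_DIR line " NR; next }
        ports++
        # Target may be omitted or a bare port; both mean 127.0.0.1.
        target = (NF >= 3) ? $3 : ("127.0.0.1:" $2)
        if (target ~ /^[0-9]+$/) target = "127.0.0.1:" target
        if (target !~ /^(127\.|localhost:|\[::1\]:|unix:)/)
            print "NON_LOOPBACK " dir " -> " target
    }
    END { if (dir != "" && !ports) print "NO_PORT " dir }
    ' "$@"
}

# Constructed sample: the multi-service layout plus the clearnet variant.
sample_torrc() {
    cat <<'EOF'
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 203.0.113.10:80
HiddenServiceDir /var/lib/tor/hidden_service2/
HiddenServicePort 80 127.0.0.1:80
HiddenServiceDir /var/lib/tor/hidden_service3/
EOF
}

sample_torrc | audit_torrc
```

Run it as audit_torrc /etc/tor/torrc after editing the file; no output means none of the three conditions was found.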

5 thoughts on “Create a Hidden Tor Service with VestaCP in 10 MINUTES! ULTIMATE ONION SITE GUIDE! Ubuntu/Debian/CentOS!”

  1. After successfully creating my hidden service, I can see the default page with the onion name… but where are the html/php files?

    1. The websites are in /home/admin/web/
      And the website files are in public_html inside each of these folders.
      This tutorial does not have any security measures whatsoever, and any users might be able to see other websites by navigating this folder.
      To fix this, create a new user account in VestaCP for each user. Each user will have /home/USER/web/

      To truly prevent snooping, you’ll need the VestaCP SFTP chroot plugin http://vestacp.com/features/#sftpchroot

      The most secure way of hosting multiple hidden services would be to have multiple servers.
      One server/vps for one website.
