AhFei

Concise writing takes courage

Late night... Building an onion website

.onion is a special-use domain suffix for the Tor network. Such a domain lets visitors reach your onion site through the Tor Browser; in effect, Tor proxies a web server that listens on a local port.

Applicable systems: Debian-based distributions, including Ubuntu and Armbian; other distributions can generally follow the process with slight command modifications.

Estimated time to complete: 25 minutes

I might have made some mistakes, please let me know if I’ve gotten anything wrong!



Registering a .onion domain involves no purchase from a domain registrar or management organization; the name is derived by computation and comes out as a random-looking string. The v3 addresses in use today are 56 characters long, each a lowercase letter or a digit from 2 to 7. Obtaining a specific string therefore takes a great deal of computation: for example, Facebook's very nice .onion v2 domain, facebookcorewwwi.onion, would take an estimated 2.6 million years to brute-force on a 1.5 GHz processor.

AhFei computed the first domain matching the vfly2com*.onion pattern on a single-threaded VDS with a 5950X processor, running continuously for 43 hours; the exact method is described below.

The primary purpose of onion sites is to maintain the anonymity of the server, avoiding the disclosure of source server information, such as IP addresses. This characteristic can be used to protect whistleblowers revealing dark truths, but it can also be exploited to hide nefarious activities.


Quietly entering the village, don't shoot

The late-night atmosphere is quite immersive.

If you want to maintain the anonymity of the server as much as possible, here are some precautions:

  • Do not run any other services on this server.
  • Do not run a Tor relay on this server, since the IP address of a Tor relay is public.
  • Do not give the VPS provider any identity information; pay with cryptocurrency where possible.
  • Reinstall the server from scratch and keep none of the services the VPS provider preinstalled.
  • Make sure the web software is secure and free of backdoors and uses strong passwords; review its code and avoid loading resources from any external service.
  • Make sure the onion site leaks no error messages or identifying information.
  • Apply VPS security updates promptly.

Official security recommendations:


The process of setting up an onion site is straightforward: install Tor, run a web software, and configure Tor to proxy the web software.

Official tutorial: Tor Project | Set up Your Onion Service

Install Tor#

Official tutorial: Tor Project | How to install Tor

Note: Execute commands as root

apt update && apt upgrade && apt install apt-transport-https

Currently, the official repository only supports amd64, arm64, and i386 architectures. You can check with dpkg --print-architecture.

Create a new file in /etc/apt/sources.list.d/, named tor.list

cd /etc/apt/sources.list.d/ && vim tor.list

Add the following content:

Replace <DISTRIBUTION> with the name of your system distribution, which can be checked by running lsb_release -c or cat /etc/debian_version.

   deb     [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org <DISTRIBUTION> main
   deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org <DISTRIBUTION> main

For example, for Debian 11, which is codenamed bullseye, you would enter the following.

deb     [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bullseye main
deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bullseye main

If you want to try the experimental version, use this format tor-experimental-<DISTRIBUTION>, or nightly builds tor-nightly-main-<DISTRIBUTION>.

Execute the following command to add the GPG key, which is used for package signing.

wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null

Install Tor and the Tor Debian keyring (which helps keep our signing key current):

apt update && apt install tor deb.torproject.org-keyring

Run a web server#

It can be Nginx, Apache, or any other. Here, we will use Python3 for a simple demonstration:

mkdir ~/tor_service && cd ~/tor_service && \
echo '<html><body>Vfly2.com!</body></html>' > index.html

Run the web server

python3 -m http.server --bind 127.0.0.1 8080

You can use curl to check if it is running successfully

curl 127.0.0.1:8080

Use systemd to keep it running persistently; the site directory is /root/tor_service

Add a configuration file

sudo vim /etc/systemd/system/tor_service.service

No changes are needed; just copy it

[Unit]
Description=Python HTTP Server
After=network.target

[Service]
Type=simple
WorkingDirectory=/root/tor_service
ExecStart=/usr/bin/python3 -m http.server --bind 127.0.0.1 8080

[Install]
WantedBy=multi-user.target

Reload

sudo systemctl daemon-reload

Set it to start on boot and run immediately

sudo systemctl enable --now tor_service

For reader convenience 👇

sudo systemctl status tor_service
sudo systemctl stop tor_service
sudo systemctl start tor_service
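The stock python3 -m http.server used above announces itself as Server: SimpleHTTP/0.6 Python/3.x.y on every response, answers errors with an HTML page that names the Python version, and generates a directory listing for any folder without an index.html, which is exactly the kind of error-message and identity leakage the precautions at the top of this post warn against. The following is an added example, not code from the original post, of a drop-in replacement using only the standard library; the banner string "onion", the script and file names, and the sample site it builds for testing are assumptions made for the demonstration.

```python
"""Static file server for an onion site without the identity leaks of the
stock `python3 -m http.server`: a fixed Server banner (no Python version),
plain-text error pages (no Python version, no HTML echo of the request) and
no auto-generated directory listings. Added example, standard library only."""
import functools
import http.server
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    # The stock handler answers "Server: SimpleHTTP/0.6 Python/3.x.y"
    server_version = "onion"                           # assumed banner string
    error_message_format = "%(code)d %(message)s\n"    # no HTML page naming Python
    error_content_type = "text/plain; charset=utf-8"

    def version_string(self):
        return self.server_version                     # drop the "Python/3.x.y" suffix

    def list_directory(self, path):
        # A directory without index.html is reported as missing, never listed
        self.send_error(404, "Not Found")
        return None


def make_server(directory, bind="127.0.0.1", port=8080):
    """Server that only serves files below `directory`, bound to loopback so
    that only Tor (HiddenServicePort 80 127.0.0.1:8080) can reach it."""
    handler = functools.partial(QuietHandler, directory=directory)
    return http.server.ThreadingHTTPServer((bind, port), handler)


def serve_in_background(directory, port=0):
    """Run the server on a daemon thread; returns (server, bound port).
    port=0 asks the OS for a free port."""
    srv = make_server(directory, port=port)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def fetch(port, path):
    """GET a path from the local server; returns (status, headers, body)."""
    try:
        with urllib.request.urlopen(f"http://127.0.0.1:{port}{path}", timeout=5) as r:
            return r.status, dict(r.headers), r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read().decode()


def serve_sample_site():
    """Constructed test site: an index.html plus a subdirectory without one,
    like a deployment that forgot an index. Returns (server, port)."""
    root = Path(tempfile.mkdtemp(prefix="onion_site_"))
    (root / "index.html").write_text("<html><body>Vfly2.com!</body></html>")
    (root / "files").mkdir()
    (root / "files" / "notes.txt").write_text("should never be listed")
    return serve_in_background(str(root))


if __name__ == "__main__":
    import sys
    # Usage: python3 quiet_server.py /root/tor_service
    make_server(sys.argv[1] if len(sys.argv) > 1 else ".").serve_forever()
```

Point the unit's ExecStart at this script (for example /usr/bin/python3 /root/tor_service/quiet_server.py /root/tor_service, a hypothetical path) and the rest of the setup stays the same; curl -I 127.0.0.1:8080 should then show Server: onion and nothing about Python.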

Configure Tor Onion Service#

The configuration file for Tor is named torrc, and its location may vary depending on the system. Find it and edit:

whereis tor
# tor: /usr/bin/tor /usr/sbin/tor /etc/tor /usr/share/tor /usr/share/man/man1/tor.1.gz
cd /etc/tor && vim torrc

Add the following two lines (adjust them first)

 HiddenServiceDir /var/lib/tor/my_website/
 HiddenServicePort 80 127.0.0.1:80

  • HiddenServiceDir. The directory where Tor stores the "Onion Service information and cryptographic keys." Tor creates it automatically when it starts.
  • HiddenServicePort. Takes two ports: the first 80 is the virtual port the site exposes inside the Tor network; the second (127.0.0.1:80) is the address and port on the server where the web server actually listens. Tor forwards whatever arrives on port 80 of the onion address to port 80 on the server. Change the second port to match the web server you actually run.

For example:

 HiddenServiceDir /var/lib/tor/hidden_service/
 HiddenServicePort 80 127.0.0.1:8080

Save and exit


Using a Unix socket instead of a TCP socket keeps the web server off the local TCP network entirely, so it cannot be reached from the network even by mistake; that is slightly safer and looks like this:

HiddenServiceDir /var/lib/tor/my-website/
HiddenServicePort 80 unix:/var/run/tor-my-website.sock

However, this is just supplementary; general users do not need to consider this.

Restart Tor and verify it is working#

sudo systemctl restart tor

If it restarts successfully, then the configuration file is error-free, and you are generally done.

If it fails, you can check the logs for reasons:

journalctl -f -e -u tor@default

Access your onion site#

Go to the HiddenServiceDir directory and find the file named hostname, which contains your onion v3 address.

cat /var/lib/tor/hidden_service/hostname
# A random-looking string; the first line below is an auto-generated address, the second is the one AhFei computed
# bq7yvamkogvqidw6qgeyzo4bnqvxd6ed246evk3rfu6xplzdkwak2aid.onion
# vfly2com5ogzrtpfpnsdfqwt6p2eclebjuxi24ps2jeujnikuypvfeqd.onion

The other files are the Onion Service keys; keeping them secret is essential, so take it seriously. If the keys leak, someone else can impersonate your Onion Service.

You can then use the Tor Browser to access your onion site using the above onion v3 address: http://vfly2com5ogzrtpfpnsdfqwt6p2eclebjuxi24ps2jeujnikuypvfeqd.onion/.

However, a site configured this way can be reached by anyone, meaning anyone can see the website content directly. If you want to add an authentication step so that only clients holding credentials can connect to the service, see Tor Project | Client Authorization; this is the most hidden part of the network. (Email and WeChat are also included)

Brute-force calculation to obtain Onion V3 domain name#

The generation of .onion domains is private key > (rsa) > public key > (sha1) > hash value > (base32 encoding) > resulting in the final .onion.
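The pipeline just described (private key > RSA > SHA1 > base32) is the retired v2 scheme. The 56-character v3 addresses that mkp224o produces and that Tor uses today are derived differently: the address is base32(PUBKEY || CHECKSUM || VERSION) where PUBKEY is the 32-byte ed25519 public key, VERSION is the byte 0x03, and CHECKSUM is the first two bytes of SHA3-256(".onion checksum" || PUBKEY || VERSION). 35 bytes encode to exactly 56 base32 characters, which is why every v3 address is 56 characters long and ends in "d". The following is an added example, not code from the original post, mkp224o or the Tor project, that derives an address from a public key, validates an address by recomputing its checksum, and reads the key out of the hs_ed25519_public_key file that Tor and mkp224o write (a 32-byte header followed by the key); the key bytes used in the test are constructed, not a real key.

```python
"""Onion v3 address construction and validation (added example)."""
import base64
import hashlib

VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"
# 32-byte header Tor and mkp224o write at the start of hs_ed25519_public_key
PUBKEY_FILE_HEADER = b"== ed25519v1-public: type0 ==\x00\x00\x00"
BASE32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def onion_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || PUBKEY || VERSION)."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + VERSION).digest()[:2]


def onion_address(pubkey: bytes) -> str:
    """Derive the v3 address for a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + VERSION          # 35 bytes
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_address(addr: str) -> bytes:
    """Return the public key embedded in a v3 address; raise ValueError if the
    address is malformed, carries the wrong version byte or a bad checksum."""
    label = addr.strip().lower()
    if label.endswith(".onion"):
        label = label[:-len(".onion")]
    if len(label) != 56 or any(c not in BASE32_ALPHABET for c in label):
        raise ValueError("v3 addresses are 56 base32 characters")
    raw = base64.b32decode(label.upper())                    # 56 chars -> 35 bytes
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION:
        raise ValueError(f"unsupported version byte {version.hex()}")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch: address was mistyped or forged")
    return pubkey


def is_valid_onion_address(addr: str) -> bool:
    """True for a well-formed v3 address with a matching checksum."""
    try:
        parse_onion_address(addr)
        return True
    except ValueError:
        return False


def pubkey_from_key_file(data: bytes) -> bytes:
    """Extract the key from the raw bytes of hs_ed25519_public_key."""
    if len(data) != 64 or not data.startswith(PUBKEY_FILE_HEADER):
        raise ValueError("not an hs_ed25519_public_key file")
    return data[32:]


if __name__ == "__main__":
    import sys
    # Usage: python3 onion_v3.py /var/lib/tor/hidden_service/hs_ed25519_public_key
    with open(sys.argv[1], "rb") as f:
        print(onion_address(pubkey_from_key_file(f.read())))
```

Run against the hs_ed25519_public_key in a HiddenServiceDir, the printed address must equal the contents of the hostname file next to it; the checksum is also what lets Tor Browser reject a mistyped address before it ever hits the network.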

A tool for CPU-based computation: Releases · cathugger/mkp224o (github.com)

Prerequisites

sudo apt install gcc libc6-dev libsodium-dev make autoconf

Compile the brute-force calculation tool#

Download the project

git clone https://github.com/cathugger/mkp224o.git

Enter the project directory

cd mkp224o

Generate the configure script (a git clone does not include it; the release archive does)

./autogen.sh

Generate the makefile

./configure   # Defaults, for maximum compatibility
# ./configure --enable-amd64-51-30k   # The right options can speed it up; see below

Start building

make

Once the build is complete, you will see the compiled mkp224o in the directory.

The --enable-amd64-51-30k option passed to the configure script speeds up key generation; which option is best differs from CPU to CPU. Run ./configure --help to list all available options. For details see: https://github.com/cathugger/mkp224o/blob/master/OPTIMISATION.txt

--enable-amd64-51-30k enables the amd64-51-30k SUPERCOP ed25519 implementation. This implementation uses the AMD64 architecture and employs a specific optimization method suitable for environments with lower performance requirements. --enable-amd64-64-24k enables the amd64-64-24k SUPERCOP ed25519 implementation, which uses a different optimization strategy suitable for higher performance requirements.

Using mkp224o#

Start the calculation

./mkp224o -d vkeys vfly2com

  • vkeys is the directory in which the keys are saved,
  • vfly2com is the filter: generated addresses must start with vfly2com; see the project homepage for the exact filter rules.

You can run mkp224o using tmux or screen, so it can continue running even if disconnected. Do not run it on a VPS for extended periods, as it will occupy 100% of CPU.

How to make Tor use the generated keys?#

Copy the key folder (although technically only hs_ed25519_secret_key is needed) to a certain location:

sudo cp -r vfly2com...onion /var/lib/tor/vfly2_service
# Previously, our key folder was /var/lib/tor/hidden_service/, so choose this location

Adjust ownership and permissions:

sudo chown -R debian-tor: /var/lib/tor/vfly2_service
sudo chmod -R 700 /var/lib/tor/vfly2_service

Then edit torrc to change the key folder to the new one:

sudo vim /etc/tor/torrc
 HiddenServiceDir /var/lib/tor/vfly2_service
 HiddenServicePort 80 127.0.0.1:8080

After reloading, Tor should pick it up.

sudo systemctl reload tor
sudo systemctl status tor
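Two things go wrong most often in the configuration above: a HiddenServicePort whose target is not loopback or a unix socket, so the web server is reachable from the network as well as through Tor, and a HiddenServiceDir (holding the keys that must stay secret) that was copied as root and left world-readable, which the chown and chmod steps exist to fix. The following is an added example, not code from the original post or the Tor project, that parses the HiddenService* lines of a torrc and audits each key directory on disk. It assumes the Debian package's user name debian-tor (as in the chown above); the sample torrc and the directory it builds are constructed for the test and contain no real keys.

```python
"""Audit torrc onion-service lines and each HiddenServiceDir on disk (added example)."""
import os
import pwd
import re
import tempfile
from pathlib import Path

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
TOR_USER = "debian-tor"   # user of the Debian/Ubuntu tor package; other distros differ

def parse_hidden_services(torrc_text):
    """One dict per service, the way Tor reads torrc: each HiddenServicePort
    line belongs to the HiddenServiceDir line above it."""
    services, current = [], None
    for raw in torrc_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)      # strip comment, split key/value
        if not parts:
            continue
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "hiddenservicedir":
            current = {"dir": value, "ports": []}
            services.append(current)
        elif key == "hiddenserviceport":
            if current is None:
                raise ValueError("HiddenServicePort before any HiddenServiceDir")
            current["ports"].append(value)
    return services

def port_findings(spec):
    """Findings for one HiddenServicePort value ('VIRTPORT [TARGET]'): a target
    that is neither loopback nor a unix socket is reachable from the network too."""
    parts = spec.split()
    if len(parts) < 2 or parts[1].isdigit():
        return []                                # no target, or port only: Tor uses 127.0.0.1
    target = parts[1]
    if target.startswith("unix:"):
        return []                                # unix socket: no TCP listener at all
    # "host:port" or bare "host"; IPv6 must be written "[::1]:port"
    host = target.rsplit(":", 1)[0] if re.search(r":\d+$", target) else target
    if host.strip("[]") in LOOPBACK:
        return []
    return [f"port {parts[0]} forwards to {target}, which is not loopback"]

def user_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:                             # uid without a passwd entry (containers)
        return str(uid)

def current_user():
    return user_name(os.getuid())

def dir_findings(hs_dir, tor_user=TOR_USER):
    """The key directory and everything in it must belong to the Tor user and carry
    no group/other bits; Tor rejects a looser directory unless HiddenServiceDirGroupReadable is set."""
    p = Path(hs_dir)
    if not p.is_dir():
        return [f"{hs_dir}: missing (Tor creates it on first start)"]
    findings = []
    for path in [p, *p.iterdir()]:
        st = path.lstat()
        if user_name(st.st_uid) != tor_user:
            findings.append(f"{path}: owned by {user_name(st.st_uid)}, expected {tor_user}")
        if st.st_mode & 0o077:
            findings.append(f"{path}: mode {st.st_mode & 0o777:04o} grants group/other access")
    return findings

def fix_permissions(hs_dir):
    """The chmod step above: 0700 on directories, 0600 on files (chown still needs root)."""
    p = Path(hs_dir)
    os.chmod(p, 0o700)
    for child in p.iterdir():
        os.chmod(child, 0o700 if child.is_dir() else 0o600)

def audit(torrc_text, tor_user=TOR_USER):
    """Every finding for a torrc: port targets plus the on-disk state of each dir."""
    findings = []
    for svc in parse_hidden_services(torrc_text):
        findings += [f"{svc['dir']}: {f}" for spec in svc["ports"] for f in port_findings(spec)]
        findings += dir_findings(svc["dir"], tor_user)
    return findings

def make_sample_dir():
    """Constructed stand-in for keys copied with cp -r and never chmod'ed:
    directory 0755, dummy key file 0644 (zero bytes, not a real key)."""
    d = Path(tempfile.mkdtemp(prefix="hs_audit_"))
    (d / "hs_ed25519_secret_key").write_bytes(b"\x00" * 96)
    os.chmod(d / "hs_ed25519_secret_key", 0o644)
    os.chmod(d, 0o755)
    return str(d)

SAMPLE_TORRC = """\
# constructed sample, not a real configuration
HiddenServiceDir /var/lib/tor/vfly2_service
HiddenServicePort 80 127.0.0.1:8080
HiddenServiceDir /var/lib/tor/leaky/
HiddenServicePort 80 203.0.113.5:8080
HiddenServicePort 22 unix:/var/run/tor-ssh.sock
"""

if __name__ == "__main__":
    with open("/etc/tor/torrc") as f:
        print("\n".join(audit(f.read()) or ["no findings"]))
```

Run as root after editing torrc, an empty result means every forwarding target is loopback or a unix socket and every key directory is owned by debian-tor with mode 0700, which is the state the chown and chmod commands above are meant to produce.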

At this point, check your new beautiful .onion address in the Tor Browser!


Original link: https://blog.vfly2.com/2023/10/building-an-onion-website/

Copyright statement: All articles on this blog are original works by AhFei unless otherwise stated, licensed under CC BY-NC-SA 4.0. Please indicate the source when reprinting 承飞之咎 (blog.vfly2.com).

Stay updated ٩(•̤̀ᵕ•̤́๑)ᵒᵏᵎᵎᵎᵎ with clear and practical skills, feel free to subscribe using RSS or follow @[email protected] on platforms supporting ActivityPub to receive new article notifications. It would be even better if you could leave comments and interact.

You can discuss any issues encountered during the article steps in the Telegram group https://t.me/vfly2.
