AhFei

Concise writing takes courage

Late night... Building the Onion website

.onion is a special-use domain suffix that is only reachable through the Tor network. An onion site is essentially a web server listening on a local port that Tor proxies for you, so visitors using the Tor Browser can reach it through the address without learning where the server is.

Applicable systems: Debian-based distributions, including Ubuntu and Armbian; other distributions can generally follow the process with slight command modifications.

Estimated time to complete: 25 minutes

I might have made some mistakes, please let me know if I’ve gotten anything wrong!


image

Registering a .onion domain requires no registrar or domain management organization: the name is derived by computation and is effectively a random string. The v3 addresses in use today are 56 characters long, each a lowercase letter or a digit from 2 to 7. Obtaining a specific string therefore takes a great deal of computation. For example, Facebook's very nice .onion v2 address, facebookcorewwwi.onion, would take an estimated 2.6 million years to brute-force on a 1.5 GHz processor.

AhFei computed the first address matching the vfly2com*.onion pattern on a single-threaded VDS with a 5950X processor, running continuously for 43 hours; the method is described below.

Onion sites were originally meant to keep the server anonymous, so that information about the origin server, such as its IP address, is not leaked. That property can protect people who expose dark truths, but it can equally be exploited to hide dark realities.


Sneak into the village quietly, don’t shoot

The late-night atmosphere is quite nice.

If you want to keep the server as anonymous as possible, take these precautions:

  • Do not run any other services on this server.
  • Do not run a Tor relay on this server; the IP address of a Tor relay is public.
  • Do not give the VPS provider any identity information; pay with cryptocurrency where possible.
  • Reinstall the server from scratch and keep none of the services preinstalled by the VPS provider.
  • Make sure the web software is secure and free of backdoors, and use strong passwords. Review its code and do not load resources from any external service.
  • Make sure the onion site leaks no error messages or identity information.
  • Keep the VPS up to date with security updates.

Official security recommendations:


Setting up an onion site is simple: install Tor, run some web server software, and configure Tor to proxy that web server.

Official tutorial: Tor Project | Set up Your Onion Service

Install Tor

Official tutorial: Tor Project | How to install Tor

Note: Execute commands as root

apt update && apt upgrade && apt install apt-transport-https

Currently, the official repository only supports the amd64, arm64 and i386 architectures; check yours with dpkg --print-architecture.

Create a new file named tor.list in /etc/apt/sources.list.d/:

cd /etc/apt/sources.list.d/ && vim tor.list

Add the following content, replacing <DISTRIBUTION> with the codename of your distribution (check it with lsb_release -c or cat /etc/debian_version):

deb     [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org <DISTRIBUTION> main
deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org <DISTRIBUTION> main

For example, Debian 11 is codenamed bullseye, so you would enter the following:

deb     [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bullseye main
deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bullseye main

To try the experimental version, use tor-experimental-<DISTRIBUTION> in place of <DISTRIBUTION>; for nightly builds, use tor-nightly-main-<DISTRIBUTION>.

Run the following command to add the GPG key used to sign the packages:

wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null

Install Tor and the Tor Debian keyring (which helps keep our signing key current):

apt update && apt install tor deb.torproject.org-keyring

Run a web server

It can be Nginx, Apache or anything else; here we use Python 3 for a simple demonstration:

mkdir ~/tor_service && cd ~/tor_service && \
echo '<html><body>Vfly2.com!</body></html>' > index.html

Run the web server:

python3 -m http.server --bind 127.0.0.1 8080

You can use curl to check that it is running:

curl 127.0.0.1:8080

Use systemd to keep it running persistently in the directory /root/tor_service.

Add a unit file:

sudo vim /etc/systemd/system/tor_service.service

No changes are needed; just copy the following:

[Unit]
Description=Python HTTP Server
After=network.target

[Service]
Type=simple
WorkingDirectory=/root/tor_service
ExecStart=/usr/bin/python3 -m http.server --bind 127.0.0.1 8080

[Install]
WantedBy=multi-user.target

Reload systemd:

sudo systemctl daemon-reload

Enable it at boot and start it immediately:

sudo systemctl enable --now tor_service

For the reader's convenience 👇

sudo systemctl status tor_service
sudo systemctl stop tor_service
sudo systemctl start tor_service

Configure the Tor onion service

Tor's configuration file is named torrc; its location varies between systems. Find it and edit it:

whereis tor
# tor: /usr/bin/tor /usr/sbin/tor /etc/tor /usr/share/tor /usr/share/man/man1/tor.1.gz
cd /etc/tor && vim torrc

Add the following two lines (customize them first):

 HiddenServiceDir /var/lib/tor/my_website/
 HiddenServicePort 80 127.0.0.1:80

  • HiddenServiceDir specifies the directory where the onion service's information and cryptographic keys are stored; Tor creates it automatically when it runs.
  • HiddenServicePort takes two ports: the first (80) is the virtual port the site exposes on the Tor network, and the second (80) is the port on the server where the web server listens. Tor forwards everything it receives on port 80 from the Tor network to port 80 on the server; change the second one to match the web server you actually run.

For example:

 HiddenServiceDir /var/lib/tor/hidden_service/
 HiddenServicePort 80 127.0.0.1:8080

Save and exit.

Using a Unix socket instead of a TCP socket means the web server never listens on a network port, which avoids exposing it to the local network and is therefore more secure. It looks like this:

HiddenServiceDir /var/lib/tor/my-website/
HiddenServicePort 80 unix:/var/run/tor-my-website.sock

However, this is only supplementary; most users do not need to consider it.

Restart Tor and verify that it works

sudo systemctl restart tor

If it restarts successfully, the configuration file has no errors and you are essentially done.

If it fails, check the logs for the reason:

journalctl -f -e -u tor@default

Access your onion site

Go to the HiddenServiceDir directory and open the file named hostname, which contains your onion v3 address:

cat /var/lib/tor/hidden_service/hostname
# The output looks like a random string, e.g. the first address below;
# the second one is the address AhFei computed (see below)
# bq7yvamkogvqidw6qgeyzo4bnqvxd6ed246evk3rfu6xplzdkwak2aid.onion
# vfly2com5ogzrtpfpnsdfqwt6p2eclebjuxi24ps2jeujnikuypvfeqd.onion

The other files are the onion service's keys. Keeping them secret is important and urgent, so take it seriously: if the keys leak, someone else can impersonate your onion service.

You can then open your onion site in the Tor Browser using the onion v3 address above: http://vfly2com5ogzrtpfpnsdfqwt6p2eclebjuxi24ps2jeujnikuypvfeqd.onion/.

However, a site configured this way is reachable by anyone, so anyone can read its content directly. If you want to add authorization so that only people holding a credential can connect to the service, see Tor Project | Client Authorization, the most hidden corner of the network. (Emails and WeChat are also included.)

Brute-force computation of an onion v3 address

A .onion address is generated as: private key > (RSA) > public key > (SHA-1) > hash value > (base32 encoding) > the final .onion name. That is the v2 scheme; v3 addresses, which mkp224o generates, replace RSA with ed25519 and SHA-1 with SHA3-256, but the idea is the same: the name is an encoding of the public key.
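As an added example (not code from the original post or from mkp224o), here is the v3 derivation in Python: the address is base32(pubkey || checksum || 0x03), where checksum is the first two bytes of SHA3-256(".onion checksum" || pubkey || 0x03). The 32-byte key is a constructed stand-in, since producing a real ed25519 key needs a library outside the standard library; the parser is also run over one of the addresses shown later in the post.

```python
import base64
import hashlib

VERSION = b"\x03"               # v3 address version byte
PREFIX = b".onion checksum"     # constant string fixed by the Tor v3 spec
B32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256 over PREFIX || PUBKEY || VERSION."""
    return hashlib.sha3_256(PREFIX + pubkey + VERSION).digest()[:2]


def onion_address(pubkey: bytes) -> str:
    """Encode a 32-byte ed25519 public key as a 56-character v3 .onion hostname."""
    if len(pubkey) != 32:
        raise ValueError("an ed25519 public key is 32 bytes")
    raw = pubkey + checksum(pubkey) + VERSION      # 35 bytes = 280 bits = 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_address(address: str):
    """Split a v3 address into (pubkey, checksum_ok, version); reject malformed input."""
    label = address.strip().lower()
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    if len(label) != 56 or any(c not in B32_ALPHABET for c in label):
        raise ValueError("a v3 onion address is 56 characters from a-z and 2-7")
    raw = base64.b32decode(label.upper())
    pubkey, stored, version = raw[:32], raw[32:34], raw[34]
    return pubkey, stored == checksum(pubkey), version


# Constructed stand-in for a public key (NOT a real ed25519 key): any 32 bytes work
# for the encoding, because the address only wraps the raw key bytes.
DEMO_PUBKEY = hashlib.sha256(b"constructed demo key, not a real ed25519 key").digest()

# Address printed later in the post, used here only as parser input.
PAGE_ADDRESS = "vfly2com5ogzrtpfpnsdfqwt6p2eclebjuxi24ps2jeujnikuypvfeqd.onion"

if __name__ == "__main__":
    derived = onion_address(DEMO_PUBKEY)
    print("derived:", derived)
    key, ok, ver = parse_onion_address(PAGE_ADDRESS)
    print("page address: version", ver, "checksum ok:", ok)
```

Because the checksum covers the key bytes, a single mistyped character in a pasted address is detected rather than silently pointing at a different service.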

A tool that does the computation on the CPU: Releases · cathugger/mkp224o (github.com)

Prerequisites:

sudo apt install gcc libc6-dev libsodium-dev make autoconf

Compile the brute-force tool

Download the project:

git clone https://github.com/cathugger/mkp224o.git

Enter the project directory:

cd mkp224o

Generate the configure script (a git clone does not ship it; the downloaded release archive already includes it):

./autogen.sh

Generate the makefile:

./configure   # defaults, for maximum compatibility
# ./configure --enable-amd64-51-30k   # adding suitable options can speed things up

Start the build:

make

After the build completes, you will find the compiled mkp224o binary in the directory.

The --enable-amd64-51-30k option passed to the configure script above speeds up key generation; different CPUs benefit from different options. Run ./configure --help to see all available options. Details: https://github.com/cathugger/mkp224o/blob/master/OPTIMISATION.txt

--enable-amd64-51-30k enables the amd64-51-30k SUPERCOP ed25519 implementation. This implementation uses the AMD64 architecture and employs a specific optimization method suitable for environments with lower performance requirements. --enable-amd64-64-24k enables the amd64-64-24k SUPERCOP ed25519 implementation, which uses a different optimization strategy suitable for environments with higher performance requirements.

Using mkp224o

Start the computation:

./mkp224o -d vkeys vfly2com

  • vkeys is the directory where the keys are saved.
  • vfly2com is the filter: generated addresses must start with vfly2com. See the project homepage for the exact filter rules.

Run mkp224o inside tmux or screen so it keeps running after you disconnect. Do not run it on a VPS for long periods, as it uses 100% of the CPU.

How to make Tor use the generated keys?

Copy the key folder (strictly, only hs_ed25519_secret_key is needed) to a new location:

sudo cp -r vfly2com...onion /var/lib/tor/vfly2_service
# Earlier our key folder was /var/lib/tor/hidden_service/, so we pick a new directory next to it

Adjust ownership and permissions:

sudo chown -R debian-tor: /var/lib/tor/vfly2_service
sudo chmod -R 700 /var/lib/tor/vfly2_service

Then edit torrc to point the key folder at the new directory:

sudo vim /etc/tor/torrc

 HiddenServiceDir /var/lib/tor/vfly2_service
 HiddenServicePort 80 127.0.0.1:8080

After a reload, Tor should pick it up:

sudo systemctl reload tor
sudo systemctl status tor

Now open your beautiful new .onion address in the Tor Browser!


Original link: https://blog.vfly2.com/2023/10/building-an-onion-website/

Copyright statement: All articles on this blog are original works by AhFei, licensed under CC BY-NC-SA 4.0. Please indicate the source when reprinting 承飞之咎 (blog.vfly2.com).

Stay updated ٩(•̤̀ᵕ•̤́๑)ᵒᵏᵎᵎᵎᵎ with clear and practical skills, feel free to use RSS to subscribe, or follow @[email protected] on platforms supporting ActivityPub to receive new article notifications. It would be even better if you could leave comments and interact.

You can join the Telegram group https://t.me/vfly2 to discuss any issues encountered during the article's steps.
