This tutorial will show you how to set up TOR as a daemon and host hidden services. Hidden services are only available on the TOR darknet and allow you to host services without revealing your IP. Tor hidden services can be accessed via a special .onion
domain. Although it hides your IP address, Tor isn't completely untracable. If using Tor for illegal activity, you CAN and WILL get tracked down and held accountable.
Table of contents
- Introduction to Tor
- Setting up and testing Tor
- Setting up a Hidden Service
- Redirect user traffic through Tor
- Conclusion
Introduction to TOR
Tor is a tool used to enhance privacy on the internet. Tor is based on onion routing. When using Tor for web browsing, your traffic passes through the Tor network terminating at an exit node. An exit node functions as a conventional web proxy. To others on the internet, your apparent origin is the IP address of the exit node. The addresses of these exit nodes are public knowledge, so many sites will notice that you're browsing from Tor and possibly restrict access. This can be solved using a Tor bridge but that's outside of the scope of this tutorial
How hidden services work
Tor hidden services are simply servers hosted by Tor users. When connecting to a hidden service, your traffic passes through onion routers that 'peel' off a layer of encryption revealing the next hop. This obfuscates the true source of the client, and the true destination of the server.Hidden services allow services on your machine to be made available to other Tor users through a special proxy. Your hidden service has a unique identity based on your public key identified by a unique .onion domain When clients connect to your hidden service over tor, they appear to your server application to be originating from 127.0.0.1
Setting up Tor and Trying It Out
The installation begins with clean install of Debian 9.First, I need to add the Tor repositories and GPG keys. This is done by following the instructions here. In my case, I used the following commands (as root)
$ echo deb 'http://deb.torproject.org/torproject.org jessie main' >>/etc/apt/sources.list;
$ gpg --keyserver keys.gnupg.net --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89;
$ gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -;
$ apt-get update; apt-get install -y tor torsocks deb.torproject.org-keyring;
Following installation, place the following in /etc/tor/torrc
SocksPort 9050
DNSPort 9053
TransPort 9040
AutomapHostsOnResolve 1
To demonstrate TOR connectivity, curl will be used with a SOCKS5 proxy to connect to the TORcheck site. A message should appear saying "Congratulations. This browser is configured to use Tor"
$ grep -m1 Congratulations < <( curl -s https://check.torproject.org --socks5 127.0.0.1:9050)
Next, let's test DNS
$ dig propub3r6espa33w.onion @127.0.0.1 -p 9053 +short
127.236.146.171
Setting Up a Hidden Service
We have an instance of Nginx listening on
127.0.0.2:8080
, we will publish it as a hidden service on port 80.
First, we create a directory in /var/lib/tor
for the hidden service.
In our case /var/lib/nginx
.
HiddenServiceDir /var/lib/tor/nginx
HiddenServicePort 80 127.0.0.2:8080
$ curl -s --socks5 127.0.0.1:9050 $(cat /var/lib/tor/nginx/hostname) --head
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 01 Feb 2018 14:39:44 GMT
Content-Type: text/html
Content-Length: 1636
Last-Modified: Thu, 01 Feb 2018 14:34:02 GMT
Connection: keep-alive
ETag: "5a73255a-664"
Accept-Ranges: bytes
Websites running as TOR hidden services can also be accessed over the clearnet via the TOR2Web
proxy. Simply substitute .onion
with tor2web.io
and connect via HTTPS
. Warning: This does not provide anonymity for the client.
Redirect all traffic to TOR
Let's look at how to transparently redirect all traffic through TOR on a per-user basis. We create the user
tor-test
which we will use to test this.
We need two iptables rules. The first redirects any of the users DNS (udp/53) queries to localhost:5353
. The second iptables redirects any of the user's outbound tcp traffic that isn't destined to localhost into the TOR transport (localhost:9040)
We can test these are working by comparing the output of running curl https:// check.torproject.org
as the user root
or test
iptables -t nat -A OUTPUT -p udp --dport 53 \
-m owner --uid-owner test -j REDIRECT --to-ports 5353;
iptables -t nat -A OUTPUT ! --dst 127.0.0.0/8 -p tcp \
-m owner --uid-owner test --syn -j REDIRECT --to-ports 9040;
# curl -s https://check.torproject.org | grep -m1 "Tor."
Sorry. You are not using Tor
# sudo -u test curl -s https://check.torproject.org | grep -m1 "Tor."
Congratulations. This browser is configured to use Tor
Conclusion
In this tutorial we covered how to the following with the TOR client
- Access TOR via SOCKS5 Proxy
- Using the TOR DNS Resolver
- Host our very first TOR hidden service
- Transparently Proxy All TCP connections through TOR for a particular user
Hope this was helpful and thank you for reading.