sábado, 16 de maio de 2026RSS

MetropoaNews

Porto Alegre · Região Metropolitana · Rio Grande do Sul

Sponsored by Anubiz HostAnonymous VPS for Tor · from $17.90/mo
EN · tecnologia

Self-Hosted Tor Hidden Service Tutorial 2026

Step-by-step 2026 tutorial to launch your own Tor v3 onion service. Setup, OPSEC, real-world use cases for journalists, whistleblowers and censored users.

MetropoaNews Tech Desk··5 min read
Tor Project homepage in Tor Browser, the platform for hosting onion hidden services
Tor Project / Wikimedia Commons · source · CC BY 3.0 us

A Tor onion service (formerly "hidden service") lets you publish a website, drop box, chat room, or any TCP service so that visitors reach it through the Tor network without ever learning its physical location. The service binds to a .onion address generated from a cryptographic key, and that address only resolves inside Tor.

In 2026, the version that matters is v3. The old v2 addresses were deprecated in 2021 and stopped working entirely shortly after. If anything you read uses 16-character addresses, it is out of date. Modern onion addresses are 56 characters, look like long random strings, and use stronger cryptography.

This tutorial walks through bringing up a v3 onion service on a Debian or Ubuntu VPS. The same approach works on most Linux distributions with minor changes.

Step 1: Rent a VPS

The hosting choice is part of the OPSEC, not separate from it. The server's real IP will technically not be exposed by the onion service itself, but any leak in the application layer (wrong configuration, server-side script printing the IP, error pages, misbehaving plugins) can reveal it. Pick a provider that does not require KYC, accepts cryptocurrency, and operates in a jurisdiction with strong free-speech protections.

For a basic onion site, even the cheapest VPS tier works. Modern Tor is not CPU-heavy for low-traffic sites.

Step 2: Update and Install Tor

Connect to the server over SSH and bring everything up to date:

apt update && apt upgrade -y
apt install -y tor

The Tor package in the default Debian and Ubuntu repositories is usually a release or two behind. For a serious deployment, follow the Tor Project's instructions to add their official repository and install the latest stable version.

After install, verify the service is running:

systemctl status tor

Step 3: Configure the Hidden Service

Edit the Tor configuration file:

nano /etc/tor/torrc

Add the following two lines (uncomment them if they already exist):

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8080

The first line tells Tor where to store the keys for this service. The second line says: when a Tor user connects to port 80 of this onion address, forward the traffic to a local web server listening on port 8080.

Save and exit.

Step 4: Restart Tor

systemctl restart tor

If everything is correct, Tor will create the hidden_service directory and generate a new keypair on first start.

Step 5: Get Your .onion Address

cat /var/lib/tor/hidden_service/hostname

This is your public onion address. Anyone with this string can visit your service through Tor Browser. The contents of this directory, especially hs_ed25519_secret_key, are the cryptographic root of your service. If that file leaks, anyone can impersonate your address. Back it up to encrypted storage. Set strict permissions:

chmod 700 /var/lib/tor/hidden_service
chmod 600 /var/lib/tor/hidden_service/*
chown -R debian-tor:debian-tor /var/lib/tor/hidden_service

Step 6: Run an Actual Service

The Tor configuration above forwards traffic to 127.0.0.1:8080. You need something listening there. The simplest option is a static-content web server like nginx:

apt install -y nginx

Edit /etc/nginx/sites-available/onion to bind only to localhost:

server {
    listen 127.0.0.1:8080;
    server_name _;
    root /var/www/onion;
    index index.html;
}

Enable the site, create the content directory, place an index.html, and reload nginx. Visit your onion address in Tor Browser. You should see your page.

OPSEC Rules

Standing up the service is the easy part. Keeping it safe takes more discipline.

Do not bind anything to the public interface. Every service that should be reachable only over Tor must listen on 127.0.0.1, never 0.0.0.0. A WordPress install that helpfully starts an admin panel on the public IP can leak your real location.

Disable JavaScript on the served pages when possible. A misbehaving script or a vulnerable client-side library can be used to deanonymize visitors. Static HTML is safer than any framework.

Do not include PII in the content. Names, dates, locations, internal photos with embedded EXIF data - any of these can correlate with public sources.

Use a dedicated VPS. Do not run the onion service on a box that also hosts your real-name blog. Cross-contamination is how people get traced.

Keep logs minimal. Configure nginx to not log IP addresses. The visitors reaching you via Tor present 127.0.0.1 anyway, but minimize the log surface.

Patch fast. Tor itself, the operating system, and any application stack must be kept current. The Tor Project's security advisories are worth subscribing to.

Legitimate Use Cases

Onion services are not a synonym for illegal markets. The legitimate use cases vastly outnumber the criminal ones.

  • Journalism: many major newsrooms run SecureDrop instances as onion services. Sources can submit documents without leaving an IP trail. The New York Times, The Guardian, ProPublica and others have used SecureDrop for years.
  • Whistleblower drops: similar to journalism, but for activist and watchdog organizations.
  • Secure messaging: instant messengers like Briar and Cwtch use onion services as their transport layer.
  • Censorship bypass: when a site is blocked in a country, mirroring it as an onion service provides a route in.
  • Personal hardening: running your own infrastructure (Nextcloud, Matrix, RSS reader) behind an onion address means even your home IP cannot be probed.

For the journalism case, SecureDrop is the canonical tool. The Tails distribution is what most sources are advised to use to access it. Privacy Guides has a longer list of vetted services.

Closing Thoughts

The .onion you generate today is one of millions of onion addresses on the network. Most are mundane: personal Matrix homeservers, code repositories, mirror sites, IRC bouncers. The technology is widely used and well understood.

What separates a successful deployment from a leaked one is not the Tor configuration. It is the OPSEC discipline around it.

The Hosting Layer Most People Forget

Online anonymity isn't just about Tor Browser or VPN. If you run any service yourself (email server, Matrix homeserver, blog, Tor relay), where you host it matters. Anonymous hosting requires no KYC, crypto payment, and offshore jurisdiction. Anubiz Host offers offshore VPS from $17.90/mo, Monero/Bitcoin accepted, no KYC, with DMCA-ignored locations in Iceland, Romania and Finland - useful baseline for self-hosted privacy infrastructure.

tags:privacyanonymity2026
// Sponsored by Anubiz Host

Run Tor relays, hidden services and onion sites on hardware that respects you.

01Anonymous VPS for Torfrom $17.90/mo024 CPU offshore VPS03Pay with Bitcoin or Monero
Visit anubizhost.com
from $17.90/moGet VPS →