How to set up an onion service?

I have tried following the tor tutorial and I’ve tried a few other tutorials on Digital Ocean, including how to set up nginx, though most of them are focused on making clearnet sites.

However, I can never connect to my onion site, the connection always times out and I can’t figure out why. Is there something I need to expose or do? A minimum connection speed perhaps? A tweak to torrc or the nginx config?

Torrc
$ sudo cat /etc/tor/torrc
## Configuration file for a typical Tor user
## Last updated 9 October 2013 for Tor 0.2.5.2-alpha.
## (may or may not work for much older or much newer versions of Tor.)
##
## Lines that begin with "## " try to explain what's going on. Lines
## that begin with just "#" are disabled commands: you can enable them
## by removing the "#" symbol.
##
## See 'man tor', or https://www.torproject.org/docs/tor-manual.html,
## for more options you can use in this file.
##
## Tor will look for this file in various places based on your platform:
## https://www.torproject.org/docs/faq#torrc

## Tor opens a socks proxy on port 9050 by default -- even if you don't
## configure one below. Set "SocksPort 0" if you plan to run Tor only
## as a relay, and not make any local application connections yourself.
#SocksPort 9050 # Default: Bind to localhost:9050 for local connections.
#SocksPort 192.168.0.1:9100 # Bind to this address:port too.

## Entry policies to allow/deny SOCKS requests based on IP address.
## First entry that matches wins. If no SocksPolicy is set, we accept
## all (and only) requests that reach a SocksPort. Untrusted users who
## can access your SocksPort may be able to learn about the connections
## you make.
#SocksPolicy accept 192.168.0.0/16
#SocksPolicy reject *

## Logs go to stdout at level "notice" unless redirected by something
## else, like one of the below lines. You can have as many Log lines as
## you want.
##
## We advise using "notice" in most cases, since anything more verbose
## may provide sensitive information to an attacker who obtains the logs.
##
## Send all messages of level 'notice' or higher to /var/log/tor/notices.log
# Log notice file /var/log/tor/notices.log
## Send every possible message to /var/log/tor/debug.log
Log debug file /var/log/tor/debug.log
## Use the system log instead of Tor's logfiles
#Log notice syslog
## To send all messages to stderr:
#Log debug stderr

## Uncomment this to start the process in the background... or use
## --runasdaemon 1 on the command line. This is ignored on Windows;
## see the FAQ entry if you want Tor to run as an NT service.
#RunAsDaemon 1

## The directory for keeping all the keys/etc. By default, we store
## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
#DataDirectory /var/lib/tor

## The port on which Tor will listen for local connections from Tor
## controller applications, as documented in control-spec.txt.
#ControlPort 9051
## If you enable the controlport, be sure to enable one of these
## authentication methods, to prevent attackers from accessing it.
#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C
#CookieAuthentication 1

############### This section is just for location-hidden services ###

## Once you have configured a hidden service, you can look at the
## contents of the file ".../hidden_service/hostname" for the address
## to tell people.
##
## HiddenServicePort x y:z says to redirect requests on port x to the
## address y:z.

#HiddenServiceDir /var/lib/tor/hidden_service/
#HiddenServicePort 80 127.0.0.1:80

#HiddenServiceDir /var/lib/tor/other_hidden_service/
#HiddenServicePort 80 127.0.0.1:80
#HiddenServicePort 22 127.0.0.1:22

HiddenServiceDir /var/lib/tor/test_onion
HiddenServicePort 80 unix:/var/run/tor/test_onion.sock
#HiddenServicePort 80 127.0.0.1:80

################ This section is just for relays #####################
#
## See https://www.torproject.org/docs/tor-doc-relay for details.

## Required: what port to advertise for incoming Tor connections.
#ORPort 9001
## If you want to listen on a port other than the one advertised in
## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as
## follows.  You'll need to do ipchains or other port forwarding
## yourself to make this work.
#ORPort 443 NoListen
#ORPort 127.0.0.1:9090 NoAdvertise

## The IP address or full DNS name for incoming connections to your
## relay. Leave commented out and Tor will guess.
#Address noname.example.com

## If you have multiple network interfaces, you can specify one for
## outgoing traffic to use.
# OutboundBindAddress 10.0.0.5

## A handle for your relay, so people don't have to refer to it by key.
#Nickname ididnteditheconfig

## Define these to limit how much relayed traffic you will allow. Your
## own traffic is still unthrottled. Note that RelayBandwidthRate must
## be at least 20 KB.
## Note that units for these config options are bytes per second, not bits
## per second, and that prefixes are binary prefixes, i.e. 2^10, 2^20, etc.
#RelayBandwidthRate 100 KB  # Throttle traffic to 100KB/s (800Kbps)
#RelayBandwidthBurst 200 KB # But allow bursts up to 200KB/s (1600Kbps)

## Use these to restrict the maximum traffic per day, week, or month.
## Note that this threshold applies separately to sent and received bytes,
## not to their sum: setting "4 GB" may allow up to 8 GB total before
## hibernating.
##
## Set a maximum of 4 gigabytes each way per period.
#AccountingMax 4 GB
## Each period starts daily at midnight (AccountingMax is per day)
#AccountingStart day 00:00
## Each period starts on the 3rd of the month at 15:00 (AccountingMax
## is per month)
#AccountingStart month 3 15:00

## Administrative contact information for this relay or bridge. This line
## can be used to contact you if your relay or bridge is misconfigured or
## something else goes wrong. Note that we archive and publish all
## descriptors containing these lines and that Google indexes them, so
## spammers might also collect them. You may want to obscure the fact that
## it's an email address and/or generate a new address for this purpose.
#ContactInfo Random Person <nobody AT example dot com>
## You might also include your PGP or GPG fingerprint if you have one:
#ContactInfo 0xFFFFFFFF Random Person <nobody AT example dot com>

## Uncomment this to mirror directory information for others. Please do
## if you have enough bandwidth.
#DirPort 9030 # what port to advertise for directory connections
## If you want to listen on a port other than the one advertised in
## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as
## follows.  below too. You'll need to do ipchains or other port
## forwarding yourself to make this work.
#DirPort 80 NoListen
#DirPort 127.0.0.1:9091 NoAdvertise
## Uncomment to return an arbitrary blob of html on your DirPort. Now you
## can explain what Tor is if anybody wonders why your IP address is
## contacting them. See contrib/tor-exit-notice.html in Tor's source
## distribution for a sample.
#DirPortFrontPage /etc/tor/tor-exit-notice.html

## Uncomment this if you run more than one Tor relay, and add the identity
## key fingerprint of each Tor relay you control, even if they're on
## different networks. You declare it here so Tor clients can avoid
## using more than one of your relays in a single circuit. See
## https://www.torproject.org/docs/faq#MultipleRelays
## However, you should never include a bridge's fingerprint here, as it would
## break its concealability and potentionally reveal its IP/TCP address.
#MyFamily $keyid,$keyid,...

## A comma-separated list of exit policies. They're considered first
## to last, and the first match wins. If you want to _replace_
## the default exit policy, end this with either a reject *:* or an
## accept *:*. Otherwise, you're _augmenting_ (prepending to) the
## default exit policy. Leave commented to just use the default, which is
## described in the man page or at
## https://www.torproject.org/documentation.html
##
## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses
## for issues you might encounter if you use the default exit policy.
##
## If certain IPs and ports are blocked externally, e.g. by your firewall,
## you should update your exit policy to reflect this -- otherwise Tor
## users will be told that those destinations are down.
##
## For security, by default Tor rejects connections to private (local)
## networks, including to your public IP address. See the man page entry
## for ExitPolicyRejectPrivate if you want to allow "exit enclaving".
##
#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more
#ExitPolicy accept *:119 # accept nntp as well as default exit policy
#ExitPolicy reject *:* # no exits allowed

## Bridge relays (or "bridges") are Tor relays that aren't listed in the
## main directory. Since there is no complete public list of them, even an
## ISP that filters connections to all the known Tor relays probably
## won't be able to block all the bridges. Also, websites won't treat you
## differently because they won't know you're running Tor. If you can
## be a real relay, please do; but if not, be a bridge!
#BridgeRelay 1
## By default, Tor will advertise your bridge to users through various
## mechanisms like https://bridges.torproject.org/. If you want to run
## a private bridge, for example because you'll give out your bridge
## address manually to your friends, uncomment this line:
#PublishServerDescriptor 0

2 Likes

If your torrc file is missing anything, sharing it will help your problem.

If you still can’t figure out what the issue is, you can try to set it up using software like OnionShare, it’s third-party software, but trusted. They offer GUI and CLI.

1 Like

I’ve added my torrc.

For slightly further detail this server is hosted at home and it is behind a router. It’s on an ancient netbook circa 2013.

1 Like

Could you also add your nginx config?

1 Like

You don’t need to expose ports, onion services use NAT punching, so no need to worry about that.

Regarding your problem… I reproduced the setup guide and got the same issue, I haven’t made an effort to fix it but if I had to guess, it would be on file permissions, since unix domain sockets rely on them.

I noticed the website.sock isn’t created on /var/run/tor/

If I use a TCP socket, it works straight away.

I did all of this on a rootless podman container, so I didn’t have systemd available at the moment and had to start the service with SysV, not ideal but should work. I also had to fix some permissions when creating the website folder under /var/lib/tor/

1 Like

It seems like the symlink from /var/run to /run is causing problems. If I change the socket’s path from /var/run/tor/my-website.sock to /run/tor/my-website.sock everything works.

2 Likes

You can easily set up a Tor onion service using OnionShare.

1 Like

I can… but it’s as per install.

Tor Project | Set up Your Onion Service gives no guidance of what I might need to change.

Edit.

I’m pretty sure the Tor instruction set needs to be updated, I seem to have managed to get ‘something’ working after reconfiguring some nginx stuff. Those who need to use tor onions, are unlikely to be those who have sophisticated technical knowledge. So some additional support or at least links to reputable tutorials would be helpful.

1 Like

It might be useful for others that face the same issue as you if you post those tweaks you’ve made to nginx. Also, sharing that part of your experience can help the community to contribute to the setup guide.

Thanks in advance,
C.

1 Like

I’ve got this working -ish. Struggling with SSHing via the v3 address at the moment.

The biggest problem with the Onion Service tutorial is a very minimal focus on security. Notably the need to split the SSH and the HTTP, firewalls, public keys and client authorization. Given how important tor is there should always be a completely hardened set-up guide from start to finish.

Now this is how I have set up my Torrc for hidden services

HiddenServiceDir /var/lib/tor/hidden_ssh
HiddenServicePort 22 unix:/var/run/tor/hidden_ssh.sock

HiddenServiceDir /var/lib/tor/hidden_http/
HiddenServicePort 80 unix:/var/run/tor/hidden_http.sock

This is my .ssh/config

Host *
    IdentitiesOnly yes

Host myonion
    HostName onion.onion
    Port 22
    User user
    IdentityFile ~/.ssh/onion_key
    ProxyCommand nc -X 5 -x localhost:9050 %h %p

and my server block is

server {
    listen unix:/var/run/tor/onion.sock;
    server_name onionaddr.onion;
    access_log /dev/null;
    index index.html;
    root /var/www/hidden_http;
}

My struggle appeared to be a mistake on my part differentiating between two parts of the tutorial I was following and hadn’t properly set up the hidden service itself.

It’s worth noting that you should have a hidden service addr for SSH and another for http. Another was confusion with how and where to use unix socks. I still don’t quite understand what is required and where but I think I’ve got it working appropriately.

1 Like
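The socket-path and permission problems worked out in the replies above, and a misspelled directive such as HiddenSrevicePort (which makes tor refuse to start at all), can be caught before restarting tor. This is an added example, not from the thread or the Tor Project: a POSIX sh/awk lint over the HiddenService lines of a torrc plus a mode check on a HiddenServiceDir; the paths in it are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU or BSD awk/ls and a torrc
# whose HiddenService lines follow the layout shown in the post above.

# lint_torrc FILE: prints one finding per line; exit status 1 if any were found.
lint_torrc() {
    awk '
    /^[[:space:]]*#/ { next }                 # comment
    /^[[:space:]]*$/ { next }                 # blank line
    # Anything starting with "Hidden" that is not "HiddenService..." is a typo;
    # tor rejects unknown directives and refuses to start.
    $1 ~ /^Hidden/ && $1 !~ /^HiddenService/ {
        print "line " NR ": unknown directive " $1 " (typo?)"; found = 1; next
    }
    $1 == "HiddenServiceDir" { have_dir = 1; next }
    $1 == "HiddenServicePort" {
        # A port line belongs to the most recent HiddenServiceDir above it.
        if (!have_dir) {
            print "line " NR ": HiddenServicePort before any HiddenServiceDir"; found = 1
        }
        # The thread found unix sockets under /var/run were never created,
        # while the same path under /run worked.
        if ($3 ~ /^unix:\/var\/run\//) {
            print "line " NR ": socket under /var/run, use /run/... instead"; found = 1
        } else if ($3 != "" && $3 !~ /^unix:/ && $3 !~ /^127\./ && $3 !~ /^[0-9]+$/) {
            print "line " NR ": target " $3 " is not loopback"; found = 1
        }
    }
    END { exit found ? 1 : 0 }
    ' "$1"
}

# check_hs_dir DIR: tor refuses a HiddenServiceDir that group or others can
# access (unless HiddenServiceDirGroupReadable is set), so verify mode 0700
# before pointing torrc at it.
check_hs_dir() {
    [ -d "$1" ] || { echo "$1: not a directory"; return 1; }
    bits=$(ls -ld "$1" | cut -c5-10)          # group and other permission bits
    [ "$bits" = "------" ] || { echo "$1: must be mode 0700 (group/other: $bits)"; return 1; }
    return 0
}

# Usage: lint_torrc /etc/tor/torrc; check_hs_dir /var/lib/tor/hidden_http
```

Run it as the user that edits torrc; the permission check only applies to the HiddenServiceDir itself, not to the directory holding the sockets, which nginx or sshd must also be able to reach.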

Further… since I can’t edit my post while it’s being approved…

I had to completely purge my installs of SSH, Nginx and Tor a few times (making sure to completely remove them from /etc/, /var/ and /home/). Otherwise stray bits would stay behind and cause conflicts.

This reminds me that tutorials should often have checks to make sure that things are working and highlight when something is not going to work immediately without following the rest of the process. For example, there are some SSH changes that are required to be done immediately before restarting the server, else you may lock yourself out (like moving the public key across, or resetting tor/nginx before resetting tor), which has caught me out once or twice by breaking the connection. For example, for me, when I switched from clearnet to tor processing, something clearly broke the SSH and I can’t figure out what at present.

1 Like

Actually, there’s some OpSec tips here. We, as relay ops, can’t expect to have technical guides about any service we may want to set up, the matter is just too wide. It is expected for us to have some knowledge, and if setting up any additional service, to know what we are doing. Remember, Tor can’t help you if you use it wrong!

The most important thing for me is to use the Vanguards addon and check for any information leaking by using OnionScan. OnionScan is deprecated since it still uses v2 onion links, but there are forks that have updated it and a PR pending. The project is abandoned.

Thanks for sharing your tweaks, it will help others that may come by. If you consider some tweaks a must, you can contribute to the documentation on the dedicated GitLab.

2 Likes

I had to swap out the unix socks because they refuse to work with the set and went back to 127.0.0.1:port. After that the SSH etc magically started working again.

They worked fine initially, but at some point through the hardening process, they became the weak link. Some work needs to be done around how unix sockets can be used for each part of the onion service such as SSH, SFTP etcetera.

2 Likes

I believe the problem could be caused by AppArmor. Do these commands show something about tor?

dmesg | grep DENIED

or

journalctl -k | grep DENIED

1 Like