How to Set Up a Tor Hidden Service on Linux Whonix in VirtualBox

How to Set Up a Tor Hidden Service on Linux Whonix in VirtualBox with Nginx, PHP, MySQL, and Uploading a Website

Whonix is a security-focused operating system that provides strong anonymity by routing all traffic through the Tor network. When hosting a Tor hidden service, Whonix offers an additional layer of security by separating the Tor client (Gateway) from the application server (Workstation). This guide explains how to configure a Tor hidden service on Whonix Workstation, with Tor running on Whonix Gateway. We will also set up a LEMP stack (Linux, Nginx, MySQL, PHP), upload a website, and configure database connectivity—all within VirtualBox.


Step 1: Prerequisites

What You Need

  1. VirtualBox Installed: Install VirtualBox on your computer.
  2. Whonix Gateway and Workstation VMs: Download and set up Whonix Gateway and Whonix Workstation from Whonix.org.
  3. Basic Knowledge: Familiarity with Linux commands and SSH.
  4. Resources: A laptop/PC with at least 8 GB RAM for smooth operation (allocate 2 GB for Gateway and 4 GB for Workstation).

Step 2: Configure Whonix Gateway

Start Whonix Gateway

  1. Open VirtualBox and start the Whonix Gateway.
  2. Ensure it is connected to the internet and the Tor network is functioning.

Edit Tor Configuration

  1. Open the Tor configuration file on the Gateway:

     sudo nano /etc/tor/torrc

  2. Add the hidden service configuration:

     HiddenServiceDir /var/lib/tor/hidden_service/
     HiddenServicePort 80 10.152.152.11:80

    • HiddenServiceDir: Directory where Tor stores the hidden service keys and hostname.
    • HiddenServicePort: Maps port 80 of the .onion address to the Workstation’s Nginx server at 10.152.152.11:80.
  3. Save and exit the file.

When configuring multiple Onion services (hidden services) on the same server, you must use a unique internal port for each service, while you can use the same external port. Here’s how it works:

  1. Internal Port: This is the port your local server (e.g., Apache or Nginx) listens on. Each Onion service must have a unique internal port so that Tor can correctly route traffic to the appropriate service.
  2. External Port: This is the port that Tor network users see and use when accessing your Onion service. You can use the same external port for all Onion services because each service has its unique .onion address.

Example:

HiddenServiceDir /var/lib/tor/hidden_service1/
HiddenServicePort 80 127.0.0.1:8081

HiddenServiceDir /var/lib/tor/hidden_service2/
HiddenServicePort 80 127.0.0.1:8082

In this case, service1 forwards to port 8081 and service2 forwards to port 8082 on localhost.

Nginx Configuration

In the Nginx configuration, you need to ensure that Nginx listens on these internal ports and routes the traffic to the appropriate services. For example:

server {
    listen 8081;
    server_name hidden1.onion;

    location / {
        proxy_pass http://127.0.0.1:3000;
    }
}

server {
    listen 8082;
    server_name hidden2.onion;

    location / {
        proxy_pass http://127.0.0.1:4000;
    }
}

Here, Nginx listens on ports 8081 and 8082 for the hidden services hidden1.onion and hidden2.onion respectively, and forwards requests to the respective backend applications running on ports 3000 and 4000.

Why Different Internal Ports?

  • Tor cannot forward traffic from multiple hidden services to the same port on localhost, as it would create a conflict.
  • Each hidden service needs a dedicated internal port to uniquely route the traffic to the appropriate application.

Notes

  • The external port for the hidden service (e.g., 80 or 443) can be the same for all services, as this is what clients see when connecting through Tor.
  • The internal port (defined in torrc and used by Nginx or the backend service) must be unique for each hidden service.
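To check the two rules above mechanically, here is an added Python example (not part of the original guide, and not Tor's or Nginx's own tooling) that parses the torrc and Nginx snippets shown earlier, reports any two services that target the same internal port, and confirms every target port has a matching Nginx listen directive. The sample configs are constructed from the guide's example; the unix: socket form of HiddenServicePort is not handled.

```python
import re
from collections import defaultdict

# Constructed sample: the two-service torrc from this guide.
TORRC = """
HiddenServiceDir /var/lib/tor/hidden_service1/
HiddenServicePort 80 127.0.0.1:8081
HiddenServiceDir /var/lib/tor/hidden_service2/
HiddenServicePort 80 127.0.0.1:8082
"""
# Constructed sample: the guide's matching Nginx server blocks, one per line.
NGINX_CONF = """
server { listen 8081; server_name hidden1.onion; location / { proxy_pass http://127.0.0.1:3000; } }
server { listen 8082; server_name hidden2.onion; location / { proxy_pass http://127.0.0.1:4000; } }
"""

def parse_torrc(text):
    """Return (HiddenServiceDir, virtual_port, target) for each HiddenServicePort line."""
    services, current = [], None
    for raw in text.splitlines():
        # Drop comments, then split the directive name from its value (blank lines give "").
        key, value = (raw.split("#", 1)[0].strip().split(None, 1) + ["", ""])[:2]
        if key == "HiddenServiceDir":
            current = value
        elif key == "HiddenServicePort" and current:
            virt, target = (value.split(None, 1) + [""])[:2]
            # Tor defaults: no target -> 127.0.0.1:VIRTPORT; bare port -> 127.0.0.1:PORT;
            # bare address -> ADDRESS:VIRTPORT (unix: socket targets are not handled here).
            if not target:
                target = f"127.0.0.1:{virt}"
            elif ":" not in target:
                target = f"127.0.0.1:{target}" if target.isdigit() else f"{target}:{virt}"
            services.append((current, int(virt), target))
    return services

def nginx_listen_ports(text):
    """Collect the TCP ports from every `listen` directive, with or without an address."""
    return {int(m.group(1)) for m in re.finditer(r"\blisten\s+(?:[\w.:\[\]]+:)?(\d+)", text)}

def check_mapping(torrc_text, nginx_text):
    """Return a list of problems; an empty list means torrc and Nginx agree."""
    problems, by_target = [], defaultdict(list)
    for hs_dir, _virt, target in parse_torrc(torrc_text):
        by_target[target].append(hs_dir)
    listening = nginx_listen_ports(nginx_text)
    for target, dirs in by_target.items():
        if len(dirs) > 1:  # two services on one internal port: the conflict the guide warns about
            problems.append(f"{target} is the target of more than one service: {', '.join(dirs)}")
        port = int(target.rsplit(":", 1)[1])
        if port not in listening:
            problems.append(f"no Nginx listen directive for internal port {port} ({target})")
    return problems
```

Run check_mapping on the real /etc/tor/torrc (Gateway) and the Nginx site file (Workstation) contents after every change; an empty list means each service has its own internal port and Nginx is listening on it.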

Restart Tor

Restart Tor to apply the changes:

sudo systemctl restart tor

Retrieve the Onion Address

Check the .onion address:

sudo cat /var/lib/tor/hidden_service/hostname

Save this address—it will be your Tor hidden service URL.


Step 3: Configure Whonix Workstation

Network Setup

  1. Ensure that the Workstation is connected to the Gateway by using VirtualBox’s internal network configuration.
  2. Verify connectivity with:

     ping 10.152.152.10

     This checks communication with the Gateway.

Step 4: Update and Secure the Workstation

  1. Update System: sudo apt update && sudo apt upgrade -y
  2. Install Essential Tools: sudo apt install curl wget ufw unzip -y

Step 5: Install Nginx

  1. Install Nginx: sudo apt install nginx -y
  2. Start and Enable Nginx:

     sudo systemctl start nginx
     sudo systemctl enable nginx
  3. Verify Installation: Confirm Nginx is running locally: curl http://127.0.0.1

Step 6: Install PHP

  1. Install PHP and Modules: sudo apt install php-fpm php-mysql -y
  2. Configure Nginx for PHP: Edit the Nginx configuration:

     sudo nano /etc/nginx/sites-available/default

     Add this block inside the existing server { } block:

     location ~ \.php$ {
         include snippets/fastcgi-php.conf;
         fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
     }
  3. Restart Nginx: sudo systemctl restart nginx

Step 7: Install MySQL

  1. Install MySQL: sudo apt install mysql-server -y
  2. Secure MySQL:

     sudo mysql_secure_installation

     Follow the prompts to set a root password and disable test databases.
  3. Create Database and User: Log in to MySQL:

     sudo mysql -u root -p

     Create a database and user:

     CREATE DATABASE my_website;
     CREATE USER 'my_user'@'localhost' IDENTIFIED BY 'strong_password';
     GRANT ALL PRIVILEGES ON my_website.* TO 'my_user'@'localhost';
     FLUSH PRIVILEGES;
     EXIT;

Step 8: Upload and Configure Your Website

  1. Prepare Files: Organize your website files, including PHP scripts.
  2. Transfer Files: Use scp or an SFTP client to upload files: scp -r /path/to/website/* user@workstation:/var/www/html/
  3. Set Permissions: sudo chown -R www-data:www-data /var/www/html/
  4. Connect Website to Database: Update your website’s configuration file:

     <?php
     // Credentials for the database user created in Step 7
     $host = "127.0.0.1";
     $user = "my_user";
     $password = "strong_password";
     $database = "my_website";

     // Open the connection and stop with an error if it fails
     $connection = new mysqli($host, $user, $password, $database);
     if ($connection->connect_error) {
         die("Connection failed: " . $connection->connect_error);
     }
     ?>

Step 9: Security Hardening

  1. Restrict Access to Hidden Service Directory: sudo chmod -R 700 /var/lib/tor/hidden_service/
  2. Enable Firewall:

     sudo ufw allow 80
     sudo ufw enable
  3. Install Fail2Ban: Protect against brute force: sudo apt install fail2ban -y
  4. Monitor Logs: Regularly check Nginx and Tor logs: sudo tail -f /var/log/nginx/access.log /var/log/nginx/error.log
  5. Disable Root SSH Access: Edit /etc/ssh/sshd_config and set:

     PermitRootLogin no

Step 10: Test Your Setup

  1. Open the Tor Browser on another machine.
  2. Navigate to your .onion address.
  3. Verify that your website is accessible and functional.

Benefits of Using Whonix for Tor Hidden Services

  1. Anonymity by Design: Whonix separates networking (Gateway) and applications (Workstation), ensuring no direct connection between your server and the internet.
  2. Reduced Attack Surface: The Gateway handles all Tor-related operations, limiting exposure of sensitive applications.

By carefully configuring your Whonix Workstation and Gateway, this setup ensures a robust and anonymous environment for your Tor hidden service.
