Hosting a tor location hidden service on the Beaglebone

This guide will explain the initial steps I took to create a tor location-hidden service (more commonly just called “hidden service”) on the Beaglebone Black, running Debian. Hidden services are recognizable by their .onion domain address and can only be accessed in the tor network–a regular browser won’t be able to access those sites. One word of caution, my goal with this project is NOT to keep myself anonymous (after all, I’m just rehosting my own blog, with my name all over it!) so if you’re concerned about keeping anonymity there may be security issues I’ve overlooked since I’m a web-hosting newbie. Please keep that in mind.

My motivation to create a hidden service was inspired by Facebook’s own decision to host a version of their site inside the tor network so that people in countries which censor or block internet access could still get to it. Considering the recent attacks against GitHub and against open-source organizations by repressive countries, and considering the limitations that countries like Turkey, Iran, China, England and Egypt have placed on social media access, I want this blog to remain accessible to anyone around the world.

The default Debian image on the BBB comes with a webpage already running with apache2 that lets a user program in bonescript and find documentation easily. The files that are loaded by the apache service out-of-the-box are located in /var/lib/cloud9, but we’re going to switch to hosting from /var/www.

First install tor on the beaglebone by typing

and make sure the tor service is working by typing

and looking for a line that says “[ + ] tor”.

To create a custom .onion domain, I used Scallion, a program which uses brute force to generate many encryption keys while looking for ones with a given prefix. In my case I was looking for a key that would have the prefix “knektek”. Once I found a hostname that I liked, I edited the torrc file as explained on the torproject’s website to have tor create a directory with a private_key and corresponding hostname that it chose. I then stopped tor by typing:

removed the hostname file, edited the private key file to replace the randomly generated one with the one generated earlier by Scallion, and restarted tor. Sure enough, the hostname file generated by tor from the new private key matched the one Scallion gave so everything checked out.

Next, edit your apache2 .conf settings located in /etc/apache2 so that the apache2 service is loading the website from /var/www. I’ll defer to the official documentation and other sites that have covered it much better than I can.

Check to make sure the index.html file (or other website files) that you put under /var/www are being loaded by going to your Beaglebone’s IP address on your local network using a web browser. When you type the IP address into your browser’s address bar, it goes to port 80 by default, which is also what the apache2 service should be using by default. If you see your website, congratulations! You’re now hosting a page on the Beaglebone.

Now to get tor back up and running type

and let it re-load tor. Double check your hidden service directory to make sure the hostname file is what you expect it to be, and if it is, load that .onion address into the tor browser’s address bar. (Remember that normal web browsers that aren’t using tor’s network can’t resolve .onion addresses.) Your website should load, the same one you saw on your local network being hosted by the BB. If it doesn’t, you may need to double check some things:

• Give tor a few hours to set up a relay to your hidden service IP. It takes some time for the network to adjust to your new hidden service.
• Make sure that your configuration in /etc/tor/torrc is correct for the hidden service, specifically make sure it is forwarding port 80 to the correct port on localhost (127.0.0.1:8080 if your web server is hosting on port 8080).

Now that I’ve created both a “normal” website like knek-tek.me and a tor hidden-service website at knektek7naqk2334.onion , there are some interesting comparisons between the two. I had to pay a lot of money to a lot of different shady characters to get my clear-web site (register.com really sucks), while setting up in the tor network was not only free but by default far more secure. Hidden service sites don’t need to use https and certificate authorities (CAs) to prevent man-in-the-middle attacks because the .onion system already includes proof-of-ownership in the domain name. So if you visit http://www.example.com you might be visiting a spoofed page trying to steal your login because someone intercepted your request for the real example.com with a fake one. But if you visit example234567fff.onion you know it’s the right page because only the owner of that site has the private key which generates that .onion address.

Update 4 June 2015:

I’ve figured out an easier way of moving posts which I’ve written in WordPress over to the static .onion site. I installed a WordPress plugin called WP Static HTML Output (there are other more recent plugins which do this as well) and used it to generate a .zip of a static version of my site. From there I copy and paste each post into the index.html file for the static .onion site, which is being served from the /var/www directory on my beaglebone. I’m using a GitHub pages theme for the .onion site which I like, although I could just transfer the static HTML output wholesale and it would probably work.