Setting up Tor Proxy and Hidden Services in Linux

This covers setting up the Tor service on Linux (CentOS); the steps should be similar on other distributions. It first covers installing Tor so you can make requests through the Tor network using the SOCKS5 proxy, then covers the additional step of setting up your own Tor hidden service.

Install

# Install Tor using the package manager available
yum install tor

Configure

# Review/modify the configuration
vim /etc/tor/torrc

You can change the default port, or specify multiple IP addresses and ports for binding.

SOCKSPort 9050 # Default
SOCKSPort 10.10.1.23:9999 # Bind to specific IP/port

Run

# Control the service using standard systemctl or service commands
service tor restart
systemctl restart tor

Test

Test out your connection by setting your browser to use SOCKS5 localhost:9050 or follow the examples using cURL or Go.

Setting up Hidden Service

Hidden services are created by modifying the Tor configuration file. You need to specify how the ports are forwarded and where in the file system the hidden service information (.onion URL and private key file) should reside. The service needs write permission to that folder. By default, the permissions are set correctly for /var/lib/tor/*. You can specify /var/lib/tor/AnythingYouWant and the folder will be created automatically when the service is restarted. You can have as many services as you want, and you can map multiple ports for each service. See the examples below.

# Edit the config file to enter hidden service information
vim /etc/tor/torrc
# Hidden service #1 is a web app that supports HTTP and HTTPS
HiddenServiceDir /var/lib/tor/webapp_service/
HiddenServicePort 80 127.0.0.1:80
HiddenServicePort 443 127.0.0.1:443

# Hidden service #2 will have a different .onion URL but
# still point to this same server.
HiddenServiceDir /var/lib/tor/ssh_service/
HiddenServicePort 22 127.0.0.1:22

After adding these lines to /etc/tor/torrc, restart the service using service tor restart; it should create those folders and start serving requests. Keep the hidden service directories protected, and back them up in case you ever need to move the service to a different machine. Inside each hidden service directory will be two generated files: hostname, with your .onion URL, and private_key, with your private RSA key.
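The following is an added example, not part of the original article: a small audit of a torrc that flags SOCKSPort listeners bound to a non-loopback address (such as the 10.10.1.23:9999 line above, which any host that can reach that address may use as a proxy), HiddenServicePort targets that leave the local machine, and hidden service directories that group or other users can access. The function names and the sample text are assumptions made for the illustration.

```python
import ipaddress
import os

# Constructed sample: the torrc directives shown on this page, combined.
SAMPLE_TORRC = """\
SOCKSPort 9050 # Default
SOCKSPort 10.10.1.23:9999 # Bind to specific IP/port
HiddenServiceDir /var/lib/tor/webapp_service/
HiddenServicePort 80 127.0.0.1:80
HiddenServicePort 443 127.0.0.1:443
HiddenServiceDir /var/lib/tor/ssh_service/
HiddenServicePort 22 127.0.0.1:22
"""

def off_loopback(addr):
    """True if 'host:port' names a non-loopback host; bare ports and unix: sockets are local."""
    host, sep, _ = addr.rpartition(":")
    if not sep or addr.startswith("unix:") or host == "localhost":
        return False
    try:
        return not ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return True  # hostname we cannot classify: flag it for manual review

def parse_torrc(text):
    """Return (socks, {dir: [(virt_port, target)]}); a missing target means 127.0.0.1:virt_port."""
    socks, services, current = [], {}, None
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        key = fields[0].lower()  # torrc option names are case-insensitive
        if key == "socksport":
            socks.append(fields[1])
        elif key == "hiddenservicedir":
            current = services.setdefault(fields[1], [])
        elif key == "hiddenserviceport" and current is not None:
            target = fields[2] if len(fields) > 2 else "127.0.0.1:" + fields[1]
            current.append((int(fields[1]), target))
    return socks, services

def audit(text):
    """List findings: exposed SOCKS listeners, non-local targets, loose key directories."""
    socks, services = parse_torrc(text)
    out = [f"SOCKSPort {s} is reachable from the network" for s in socks if off_loopback(s)]
    for path, ports in services.items():
        out += [f"{path}: port {v} forwards off-host to {t}" for v, t in ports if off_loopback(t)]
        if os.path.isdir(path) and os.stat(path).st_mode & 0o077:
            out.append(f"{path}: group/other can access the service key")
    return out
```

Run audit() on the contents of /etc/tor/torrc as a user that can stat the hidden service directories; an empty list means none of the three conditions was found.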

Permission Problems

If you have permission problems with the hidden service directory after restarting the service, try fixing it by editing the tor.service file for systemd and modifying the CapabilityBoundingSet.

vim /usr/lib/systemd/system/tor.service
# And add these two capabilities:
#  CAP_CHOWN CAP_DAC_OVERRIDE to CapabilityBoundingSet
# So the line looks like this:
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_CHOWN CAP_DAC_OVERRIDE
# Reload daemons
systemctl daemon-reload
systemctl restart tor

Troubleshooting

Use journalctl to view any errors after starting the service. Type G to get to the end of the log.

journalctl
