Setting up Tor Proxy and Hidden Services in Linux

This covers setting up the Tor service on Linux (CentOS); the steps should be similar for other distributions. It first covers installing Tor so you can make requests through the Tor network using the SOCKS5 proxy, and then covers the additional step of setting up your own Tor hidden service.


# Install Tor using the package manager available
yum install tor


# Review/modify the configuration
vim /etc/tor/torrc

You can change the default port, or specify multiple IP addresses and ports for binding.

SOCKSPort 9050 # Default
SOCKSPort # Bind to specific IP/port


# Control the service using standard systemctl or service commands
service tor restart
systemctl restart tor


Test out your connection by setting your browser to use SOCKS5 localhost:9050 or follow the examples using cURL or Go.

Setting up Hidden Service

Hidden services are created by modifying the Tor configuration file. You need to specify how the ports are forwarded and where in the file system the hidden service information (.onion URL and private key file) should reside. The service needs write permission to that folder. By default, the permissions are set correctly for /var/lib/tor/*. You can specify /var/lib/tor/AnythingYouWant and the folder will be created automatically when the service is restarted. You can have as many services as you want, and you can map multiple ports for each service. See the examples below.

# Edit the config file to enter hidden service information
vim /etc/tor/torrc
# Hidden service #1 is a web app that supports HTTP and HTTPS
HiddenServiceDir /var/lib/tor/webapp_service/
HiddenServicePort 80
HiddenServicePort 443

# Hidden service #2 will have a different .onion URL but
# still point to this same server.
HiddenServiceDir /var/lib/tor/ssh_service/
HiddenServicePort 22

After adding these lines to /etc/tor/torrc, restart the service using service tor restart, and it should create those folders and start serving requests. Make sure you keep the hidden service directories protected, and back them up in case you ever need to move the service to a different machine. Inside the hidden service directory will be two generated files: hostname with your .onion URL, and private_key with your private RSA key.
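
A quick audit of the settings above that affect exposure, as an added example that is not part of the original page: it reads a torrc, flags any SOCKSPort bound beyond loopback, and checks that each HiddenServiceDir and the files in it are closed to group and other. The function name audit_torrc is hypothetical; it assumes GNU stat (Linux) and that HiddenServiceDirGroupReadable is not set.

```shell
#!/bin/sh
# Added example (not from the original page): audit a torrc for SOCKS
# listeners bound beyond loopback and for hidden service directories that
# grant group/other access. Prints one finding per line.
# Assumes GNU stat and that HiddenServiceDirGroupReadable is unset.
audit_torrc() (
    # Strip comments, then split each line into option name and first argument.
    sed 's/#.*//' "$1" | while read -r key value rest; do
        key=$(printf '%s' "$key" | tr 'A-Z' 'a-z')   # option names are case-insensitive
        case "$key" in
        socksport)
            case "$value" in
            ''|auto|unix:*|127.*|localhost:*|'[::1]:'*) ;;  # loopback or no address
            *[!0-9]*) echo "WARN SOCKSPort $value is reachable beyond loopback" ;;
            *) ;;                                           # bare port: localhost only
            esac ;;
        hiddenservicedir)
            dir=${value%/}
            if [ ! -d "$dir" ]; then
                echo "INFO $dir does not exist yet"
                continue
            fi
            mode=$(stat -c '%a' "$dir")
            case "$mode" in
            *00|0) echo "OK $dir mode $mode" ;;
            *)     echo "WARN $dir mode $mode grants group/other access" ;;
            esac
            # The hostname and key files inside must be owner-only as well.
            for f in "$dir"/*; do
                [ -f "$f" ] || continue
                fmode=$(stat -c '%a' "$f")
                case "$fmode" in
                *00|0) ;;
                *) echo "WARN $f mode $fmode grants group/other access" ;;
                esac
            done ;;
        esac
    done
)

# Usage: sh audit_torrc.sh /etc/tor/torrc   (run as root or the tor user)
if [ "$#" -gt 0 ]; then audit_torrc "$1"; fi
```

Any WARN line on a hidden service directory means another local account can read the key that controls the .onion address.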

Permission Problems

If you have permission problems with the hidden service directory after restarting the service, try fixing it by editing the tor.service file for systemd and modifying the CapabilityBoundingSet.

vim /usr/lib/systemd/system/tor.service
# And add these two abilities:
#  CAP_CHOWN CAP_DAC_OVERRIDE to CapabilityBoundingSet
# So the line looks like this:
# Reload daemons
systemctl daemon-reload
systemctl restart tor


Use journalctl to view any errors after starting the service. Type G to get to the end of the log.