What a Tor hidden service is
A Tor hidden service — also called an onion service — is a website or application that is reachable only through the Tor network, at an address ending in .onion. Unlike an ordinary website, it has no public IP address and is not listed in DNS. Visitors reach it through Tor, and the connection between visitor and server is routed so that neither end learns the other's location or IP.
This is a different and stronger model than putting a normal website behind privacy measures. With an onion service the anonymity is built into the protocol: the server's location is hidden by design, not by configuration you might get wrong. There is no IP address to leak, no DNS record to subpoena, and no hosting IP for anyone to scan or attack. The address itself is derived from a cryptographic key, so it cannot be spoofed. It is, in a real sense, the strongest form of anonymous hosting available.
Why host a hidden service
Onion services are used by a wide range of legitimate operators: news organisations running secure tip lines, the SecureDrop submission systems journalists rely on, privacy-focused projects offering a censorship-resistant mirror, messaging and file-sharing tools, and individuals who simply want a site whose server location nobody can determine. Major organisations — from large newspapers to well-known software projects — run onion services precisely because they are robust.
The reasons come down to three properties. Location privacy: the server cannot be found by IP, so it cannot be geolocated, scanned or directly attacked. Censorship resistance: there is no IP or domain for a network to block, so the service stays reachable where ordinary sites are filtered. End-to-end encryption: Tor's protocol encrypts the connection by default, with no certificate authority involved. If any of those matter to your project, a hidden service is worth running — and this guide builds one.
What you need
The requirements are modest:
- A VPS. An onion service is lightweight; a small plan is enough. Choosing a no-KYC, offshore VPS matters here for a specific reason explained below — the anonymity of the service depends partly on the anonymity of the server itself.
- A fresh Linux install — Debian or Ubuntu for the commands here.
- The Tor Browser on your own machine, to reach and test the finished service.
You do not need a domain name — the .onion address is generated for you — and you do not need a TLS certificate, because Tor provides the encryption.
Step 1 — Set up the server and a web service
Provision the VPS and connect over SSH. Install whatever will serve your content — for a simple site, a lightweight web server such as nginx, installed with apt install -y nginx, is ideal.
The important configuration detail: bind the web server to localhost only. The web service should listen on 127.0.0.1, not on the server's public IP. Tor will connect to it locally; nothing should reach it directly from the internet. Binding to localhost means that even though the box has a public IP, the website itself is not served on it — only Tor can reach the content. Confirm the site works locally with a quick curl 127.0.0.1 before moving on.
Step 2 — Install Tor and configure the onion service
Install Tor itself with apt install -y tor. Then edit Tor's configuration file, /etc/tor/torrc, to define the hidden service. Two lines do it: a HiddenServiceDir pointing to a directory where Tor will store the service's keys, and a HiddenServicePort mapping the virtual port 80 to your local web server — for example HiddenServicePort 80 127.0.0.1:80.
Restart Tor with systemctl restart tor. On first start, Tor generates the service's cryptographic key pair in the directory you specified and derives the .onion address from it. That directory now holds the identity of your service — back it up securely and keep it readable only by the Tor user. Anyone who has those keys can impersonate your service; lose them and the address is gone forever.
Step 3 — Get your .onion address and test it
Tor writes the address into a file called hostname inside the HiddenServiceDir. Read it with cat and you will see a 56-character address ending in .onion — that is the public address of your service.
Open the Tor Browser on your own computer, paste the address and load it. Your localhost-only web service should appear, served entirely through Tor. The first connection can take a few seconds while Tor builds the circuit. That is it — the service is live, reachable by anyone with Tor, and its server location is hidden from every visitor.
Step 4 — Lock it down so it stays anonymous
A working onion service is not automatically an anonymous one. The protocol hides the server's location from visitors — but several mistakes can undo that. The discipline that keeps it anonymous:
- Bind everything to localhost. Re-check that the web server, and any database or backend, listen only on
127.0.0.1. A service accidentally exposed on the public IP can be matched to the onion site and deanonymise it. - Strip identifying content. Server banners, default error pages, analytics scripts, and metadata in files can all leak the real server or tie it to other sites. Audit what the service actually sends.
- Administer it anonymously. Reach the server for administration over Tor as well — never SSH to it directly from your home IP. The onion service hides the server; do not undo that with your own connection.
- Keep the server itself anonymous. This is why the no-KYC, offshore VPS matters: if the service is ever correlated to its host despite your precautions, the host should be a provider that holds no identity for the account and keeps no logs. The hidden service and the anonymous server reinforce each other.
- Disable anything that phones home. Software that makes outbound connections — update pingbacks, external fonts, third-party APIs — can leak the server. Keep the service self-contained.
Hidden service, clearnet, or both
You do not have to choose exclusively. There are three sensible setups. A hidden-service-only site is the most private — no clearnet footprint at all, ideal for a tip line or a service that must not be locatable. A clearnet site with an onion mirror serves an ordinary audience normally while offering a censorship-resistant, private route for those who want it — this is what large news organisations do. And a clearnet-only site, covered in our guide on hosting a website anonymously, is simpler when location privacy at the protocol level is not required.
For the strongest anonymity, hidden-service-only on a no-KYC offshore VPS is the answer: the server has no identity attached, the service has no IP to find, and the whole thing is reachable by anyone with Tor and locatable by no one. Set up with the discipline above, it is genuinely anonymous hosting — not as a marketing claim, but as a property of the protocol.