Garlic and onion hosting: how to raise the web resource so that the domain is not selected

Garlic and onion hosting: how to raise the web resource so that the domain is not selected

The tools described here are absolutely legal. It’s like a knife: someone cuts the cabbage into a salad, someone uses it for attacks. This post is therefore dedicated exclusively to tools that can be used for good or bad purposes.

The Global DNS is a beautiful thing that has survived more than one decade. But it has a fundamental problem – your domain can be simply partitioned if it decides that you have violated something. Or someone with money and connections will have a grudge against you. Everybody remembers the story of the same thing. If for some reason you want to remove such risks – you can look in the direction of overlay networks, which simply do not have a regulator capable of separating the domain name. So we will raise onion and i2p web resources.

Onion Rings

Let’s start with the classics. I think that on Habra almost everybody used Tor as a bandle Tor-browser. It helped me a lot when, while hunting for Telegram, they suddenly started to tear up the connection with the biggest hosters in the most unexpected places. In this mode, Tor uses classic onion encryption, wrapping the data layer by layer so that it is impossible to establish the source and the final destination of the packet. However, the endpoint of the route is still the regular Internet, where we end up via Exit-nodes.

This solution has several problems:

  1. The owner of an Exit-node may be approached by malevolent people and begin to assert that the owner is a hardened criminal who swears bad words at the authorities. There is a non-zero risk that your explanations about the fact that you are just a weekend knot, few people will listen.
  2. The use of the tor network as a proxy to regular resources anonymizes the client, but does not help from domain splitting and claims against the service owner.
  3. .

Prepare Content and Plain Web Server

Therefore, we will raise the onion resource directly within the network, without access to the usual Internet. For example, as an additional backup point of entry to your resource. Suppose that you already have a web server with some content that gives nginx. For starters, if you don’t want to shine on the public Internet, don’t be lazy to go to iptables and configure the firewall. You should have access blocked to your web server from anywhere except localhost. As a result, you have a website available locally at localhost:8080/. The extra spin on https here will be redundant, as the tor transport will take over this task.

Expand TOR

I will consider the installation on the example of Ubuntu, but with other distributions there will be no fundamental differences. First let’s define the repository. The official documentation does not recommend using packages that are maintained by the distribution itself, as they may contain critical vulnerabilities already fixed by the developers in the upstream. Moreover, the developers recommend to use the mechanism of automatic updates of unattended-upgrades in order to guarantee their timely delivery.

We create a file for an additional repository:

# nano /etc/apt/sources.list.d/tor.list

And we add to it the necessary addresses:

deb bionic main
deb-src bionic main

Now we have to take care of the gpg key, without which the server will not reasonably trust the new packages.

# curl A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --import
# gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -

Now you can install the main upstream package and the keychain to automatically update your signature.

# apt update
# apt install tor

Customize Proxy

In /etc/tor/torrc you will find the daemon configuration file. After updating it do not forget to restart it.

I want to warn particularly curious users right away. Do not enable relay mode on your home machine! Especially in exit-node mode. They may knock. On a VPS I wouldn’t configure a node as a relay either as this will put quite a heavy load on both the processor and the traffic. On a wide channel you can easily reach 2-3 terabytes per month.

Find the following section in torrc:

############### This section is just for location-hidden services ###.

Here you need to register your localhost web resource. Approximately so:

HiddenServiceDir /Library/Tor/var/lib/tor/hidden_service/
HiddenServicePort 80

Or you can use unix sockets:

HiddenServiceDir /Library/Tor/var/lib/tor/hidden_service/
HiddenServicePort 80 unix:/path/to/socket

Get Address

That’s it, now let’s restart the tor daemon via systemctl and look in HiddenServiceDir. There will be some files there – a private key and your “onion” hostname. It is a random identifier of 16 characters. For example, gjobqjj7wyczbqie.onion is the address of the Candle search resource. The address is completely random, but if you search long enough you can generate a human-readable pair from the address and private key. Of course, not all 16 characters – it would take billions of years. For example, everybody’s famous Flibusta book directory has a mirror flibustahezeous3.onion, and Facebook has spent a lot of resources to choose the most sounding option from the generated ones: facebookcorewwwi.onion.

Everything, after a while your resource will be announced and available globally. Note that you can proxy not only the http protocol, but any other protocol as well.





The second variant was conceived as even more paranoid in its essence. The i2p project was not initially conceived as a tool for proxying traffic to the regular Internet and is completely closed overlay network by architecture. There are separate gates in both directions, but this is rather an exception. And it is potentially unsafe.



Red i2p master logo and magenta i2pd implementation

i2p has several implementation options for software router nodes. The official implementation is written in Java. And it just monstrously devours all available resources in terms of both RAM and CPU. Nevertheless, it is considered to be the benchmark and is subject to regular audits. I would recommend you to use a much lighter version – i2pd, written in C++. It has its own nuances that may cause some i2p applications to fail, but overall it is a great alternative implementation. The project is being actively nibbled at the moment.

Set Daemon

The most convenient thing is that the authors have provided many deployment options, including docker and snap. You can go through a classic repository.

sudo add-apt-repository ppa:purplei2p/i2pd
sudo apt-get update
sudo apt-get install i2pd

But I would recommend using snap. It will not only quickly and conveniently deploy the daemon, but also provide automatic updates directly from the upstream, depending on the selected distribution channel.

[email protected]:~$ snap info i2pd
name: i2pd
summary: Distributed anonymous networking framework
publisher: Darknet Villain (supervillain)
license: BSD-3-Clause
description: |
  i2pd (I2P Daemon) is a full-featured C++ implementation of I2P client.
  I2P (Invisible Internet Protocol) is a universal anonymous network layer.
  All communications over I2P are anonymous and end-to-end encrypted,
  participants don't reveal their real IP addresses.
snap-id: clap1qoxuw4OdjJHVqEeHEqBBgIvwOTv
  latest/stable: 2.32.1 2020-06-02 (62) 16MB -
  latest/candidate: ↑
  latest/beta: ↑
  latest/edge: 2.32.1 2020-06-02 (62) 16MB -

Install snap if you have not already done so and set the default to stable:

apt install snapd
snap install i2pd


Unlike web-gui Java version, i2pd does not have so many settings, twists and tabs. Only the most necessary to ascetic. Nevertheless, the easiest way to configure it directly in the configuration file.

For your web resource to become available in i2p, it must be proxied in the same way as with onion. To do this, go to the ~/.i2pd/tunnels.conf file and add your backend.

type = http
host =
port = 8080
keys = anon-website.dat

After restarting the demon you will get a random 32-bit address. You can see it in the web console, which is available by default in Remember to allow access to it from your IP address if necessary. By default, it is only available on the local interface. There will be something scary like ukeu3k5oycgaauneqgtnvselmt4yemvoilkln7jpvamvfx7dnkdq.b32.i2p.

The i2p network has a kind of DNS, but it is more like a scattered /etc/hosts list. You subscribe to specific sources in the console that tell you how to get to the conditional flibusta.i2p. So it makes sense to add a more or less beautiful name to large resources like inr.i2p.

Can we deploy i2p and onion in Russia?

Immediately I want to warn RuVDS not Abuzo hosting. In case of a motivated complaint against our client, we can terminate the contract and put out the virtual machine. The same way most hosters will do. However, due to the peculiarities of tor architecture and especially i2p it is very difficult, and often it is simply impossible to determine where exactly a website is hosted.

However, there is nothing illegal about using such tools. So we won’t mind if you open a mirror of your legal web resource on overlay networks. Anyway, I strongly recommend once again not to experiment blindly with tor on your home machine. Either IP can get blacklisted or the Patient will come. It is better to rent a VPS, it is inexpensive.


WARNING! All links in the articles may lead to malicious sites or contain viruses. Follow them at your own risk. Those who purposely visit the article know what they are doing. Do not click on everything thoughtlessly.


0 0 vote
Article Rating
Notify of
Inline Feedbacks
View all comments

Do NOT follow this link or you will be banned from the site!
Would love your thoughts, please comment.x

Spelling error report

The following text will be sent to our editors: