The tools described here are completely legal. It’s like a knife: one person uses it to chop cabbage for a salad, another uses it as a weapon. So this post is dedicated only to tools that can serve good or bad purposes alike.
The global DNS is a wonderful thing that has survived more than one decade. But it has a fundamental problem: your domain can simply be taken away if someone decides that you have violated something, or if someone with money and connections holds a grudge against you. Everybody remembers stories like that. If for some reason you want to remove such risks, you can look towards overlay networks, which simply have no regulator capable of taking a domain name away. So we will bring up onion and i2p web resources.
Let’s start with the classics. I think almost everybody on Habr has used Tor as a bundle
This solution has several problems:
- The owner of an exit node may be approached by unfriendly people who start asserting that the owner is a hardened criminal who curses the authorities. There is a non-zero risk that few people will listen to your explanations that you are just a hobbyist running a node on weekends.
- Using the Tor network as a proxy to regular resources anonymizes the client, but it does not protect against domain seizure or claims against the service owner.
Prepare Content and Plain Web Server
Therefore, we will bring up the onion resource directly inside the network, without access from the regular Internet, for example as an additional backup entry point to your resource. Suppose you already have a web server with some content served by nginx. To begin with, if you don’t want to be visible on the public Internet, don’t be lazy: go into iptables and configure the firewall. Access to your web server should be blocked from everywhere except localhost. As a result, you have a website available locally at localhost:8080/. An extra layer of https here would be redundant, since the tor transport takes over that task.
I will walk through the installation using Ubuntu as an example, but with other distributions there are no fundamental differences. First let’s define the repository. The official documentation does not recommend using the packages maintained by the distribution itself, as they may contain critical vulnerabilities already fixed by the developers upstream. Moreover, the developers recommend using the unattended-upgrades automatic update mechanism to guarantee their timely delivery.
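A quick way to confirm that the backend really is reachable only from localhost before you publish it: the following check is an added example, not code from the original post. It parses `ss -ltn` output (local address in the fourth column) and reports any listener that is not bound to a loopback address; the `SAMPLE_SS` lines are constructed so it runs offline, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: confirm the backend web server
# listens only on loopback before you publish it as an onion or i2p service.
# Input is the output of `ss -ltn` (local address is column 4); the sample
# below is constructed so the check runs offline.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511    127.0.0.1:8080     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096   [::1]:8080         [::]:*
LISTEN 0      511    *:443              *:*
LISTEN 0      128    127.0.0.1:9050     0.0.0.0:*'

# exposed_listeners: print local address:port of every listening socket on
# stdin that is not bound to a loopback address.
exposed_listeners() {
    awk '$1 == "LISTEN" {
        addr = $4
        sub(/:[^:]*$/, "", addr)                     # drop the port
        if (addr != "[::1]" && addr !~ /^127\./) print $4
    }'
}

# port_loopback_only PORT: succeed when no listener on PORT is exposed off-host.
port_loopback_only() {
    n=$(exposed_listeners | awk -v p=":$1\$" '$0 ~ p { c++ } END { print c + 0 }')
    [ "$n" -eq 0 ]
}

# On a live host (commented out so the file is safe to source):
#   ss -ltn | port_loopback_only 8080 && echo "8080 is loopback-only"
# If the check fails, either make nginx `listen 127.0.0.1:8080;` or add a
# firewall rule that drops non-loopback traffic to the port, for example:
#   iptables -A INPUT -p tcp --dport 8080 ! -i lo -j DROP
```

Against the constructed sample, port 8080 and the tor SOCKS port 9050 pass while 22 and 443 are flagged as exposed. Run it again after the tunnel is up: the onion and i2p endpoints should appear in the exposed list only if you deliberately opened them.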
We create a file for an additional repository:
# nano /etc/apt/sources.list.d/tor.list
And we add to it the necessary addresses:
deb https://deb.torproject.org/torproject.org bionic main
deb-src https://deb.torproject.org/torproject.org bionic main
Now we have to take care of the gpg key, without which the server will, quite reasonably, refuse to trust the new packages.
# curl https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --import
# gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -
Now you can install the main upstream package and the keyring that will automatically keep the signing key up to date.
# apt update
# apt install tor deb.torproject.org-keyring
In /etc/tor/torrc you will find the daemon’s configuration file. After changing it, don’t forget to restart the daemon.
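Piping curl straight into gpg --import and then into apt-key means you trust whatever the download returned. The following is an added example, not from the original post: it downloads the key to a file, reads the fingerprint from gpg’s machine-readable output without importing, and only adds the key to apt when the fingerprint equals the one quoted above. The sample colon-separated records are constructed (only the expected fingerprint is real), and the function names are my own. It assumes a gpg new enough for `--import-options show-only` (GnuPG 2.1.13 or later).

```shell
#!/bin/sh
# Added example, not from the original post: verify the archive key's
# fingerprint before adding it to apt's trusted keyring.
EXPECTED_FPR=A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
KEY_URL="https://deb.torproject.org/torproject.org/$EXPECTED_FPR.asc"

# Constructed samples of `gpg --with-colons` output (not real key data apart
# from the expected fingerprint). The primary key's fpr record follows pub,
# the subkey's fpr record follows sub; field 10 of fpr holds the fingerprint.
SAMPLE_GOOD='pub:-:4096:1:EE8CBC9E886DDD89:1500000000:::-:::scSC::::::23::0:
fpr:::::::::A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89:
uid:-::::1500000000::0000000000000000000000000000000000000000::constructed sample uid:::::::::0:
sub:-:4096:1:CAFEBABE00000001:1500000000::::::s::::::23:
fpr:::::::::000000000000000000000000CAFEBABE00000001:'
SAMPLE_BAD='pub:-:4096:1:DEADBEEF00000002:1500000000:::-:::scSC::::::23::0:
fpr:::::::::000000000000000000000000DEADBEEF00000002:
uid:-::::1500000000::0000000000000000000000000000000000000000::constructed sample uid:::::::::0:'

# primary_fingerprints: from --with-colons output on stdin, print the
# fingerprint of each primary key (the fpr record directly after a pub record).
primary_fingerprints() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10 }
             { want = 0 }'
}

# key_matches EXPECTED: succeed only if stdin describes exactly one primary
# key and its fingerprint equals EXPECTED (case-insensitive).
key_matches() {
    fprs=$(primary_fingerprints | tr 'a-f' 'A-F')
    [ "$(printf '%s\n' "$fprs" | grep -c .)" -eq 1 ] && [ "$fprs" = "$1" ]
}

# verify_and_trust: the live procedure (defined, not invoked here). Download
# the key, list its contents without importing (show-only, GnuPG >= 2.1.13),
# and only on a fingerprint match import it and hand it to apt-key.
verify_and_trust() {
    tmp=$(mktemp) || return 1
    curl -fsSL "$KEY_URL" -o "$tmp" || { rm -f "$tmp"; return 1; }
    if gpg --with-colons --import-options show-only --import "$tmp" \
        | key_matches "$EXPECTED_FPR"; then
        gpg --import "$tmp" && gpg --export "$EXPECTED_FPR" | apt-key add -
        rc=$?
    else
        echo "fingerprint mismatch: refusing to trust $KEY_URL" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}
```

The "exactly one primary key" condition matters: a file that bundles the expected key together with an extra one would otherwise pass the comparison and add both to apt’s trust store.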
I want to warn particularly curious users right away: do not enable relay mode on your home machine, and especially not exit-node mode. Someone may come knocking. On a VPS I wouldn’t configure the node as a relay either, as this puts quite a heavy load on both the processor and the traffic: on a wide channel you can easily reach 2-3 terabytes per month.
Find the following section in torrc:
############### This section is just for location-hidden services ###
Here you need to point it at your localhost web resource, roughly like this:
HiddenServiceDir /Library/Tor/var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8080
Or you can use unix sockets:
HiddenServiceDir /Library/Tor/var/lib/tor/hidden_service/
HiddenServicePort 80 unix:/path/to/socket
That’s it; now restart the tor daemon via systemctl and look into HiddenServiceDir. There will be a few files there: a private key and your “onion” hostname, a random identifier of 16 characters. For example,
That’s all: after a while your resource will be announced and globally available. Note that you can proxy not only http but any other protocol as well.
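The private key in HiddenServiceDir is the identity of the service: whoever holds it can impersonate the onion address, and tor refuses to start if the directory is group- or world-accessible. The check below is an added example, not from the original post; the function names are my own. It verifies the directory and key-file modes and that the hostname file looks like an onion name, accepting both the 16-character form shown above and the 56-character v3 form that current tor versions generate (the v3 key file is named hs_ed25519_secret_key).

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a HiddenServiceDir
# after the first restart (directory mode, key-file mode, hostname format).

# onion_name_valid NAME: accept v2 (16 chars) and v3 (56 chars) base32 names.
onion_name_valid() {
    printf '%s\n' "$1" | grep -Eq '^([a-z2-7]{16}|[a-z2-7]{56})\.onion$'
}

# file_mode PATH: octal permission bits (GNU stat, with a BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# dir_private DIR: succeed if DIR is mode 0700, which tor insists on.
dir_private() {
    [ "$(file_mode "$1")" = "700" ]
}

# check_hidden_service DIR: run all checks, print findings, return 0 if clean.
check_hidden_service() {
    dir=$1; rc=0
    if ! dir_private "$dir"; then
        echo "WARN: $dir is not mode 0700 (tor will refuse it; fix with chmod 700)"; rc=1
    fi
    if [ ! -f "$dir/hostname" ]; then
        echo "WARN: no hostname file yet; has tor been restarted?"; rc=1
    elif ! onion_name_valid "$(cat "$dir/hostname")"; then
        echo "WARN: hostname does not look like an onion address"; rc=1
    fi
    # private_key is the v2 key file, hs_ed25519_secret_key the v3 one.
    for key in private_key hs_ed25519_secret_key; do
        if [ -f "$dir/$key" ]; then
            kmode=$(file_mode "$dir/$key")
            [ "$kmode" = "600" ] || { echo "WARN: $dir/$key is mode $kmode, expected 600"; rc=1; }
        fi
    done
    return $rc
}

# Typical use (commented out so the file is safe to source):
#   check_hidden_service /var/lib/tor/hidden_service && echo OK
```

Back the key file up with the same 0600 mode and keep it off any shared storage; losing it means losing the address, and leaking it means someone else can answer for it.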
The second option is, in essence, even more paranoid. The i2p project was never conceived as a tool for proxying traffic to the regular Internet and is, by architecture, a completely closed overlay network. There are separate gateways in both directions, but they are rather the exception, and potentially unsafe.
Red i2p master logo and magenta i2pd implementation
i2p has several implementations of the router node software. The official implementation is written in Java, and it monstrously devours all available resources, both RAM and CPU. Nevertheless, it is considered the reference implementation and is regularly audited. I would recommend a much lighter version: i2pd, written in C++. It has its own quirks that may cause some i2p applications to fail, but overall it is an excellent alternative implementation, and the project is actively developed at the moment.
Conveniently, the authors provide many deployment options, including docker and snap. You can go the classic repository route:
sudo add-apt-repository ppa:purplei2p/i2pd
sudo apt-get update
sudo apt-get install i2pd
But I would recommend using snap. It not only deploys the daemon quickly and conveniently, but also provides automatic updates straight from upstream, depending on the selected distribution channel.
$ snap info i2pd
name:      i2pd
summary:   Distributed anonymous networking framework
publisher: Darknet Villain (supervillain)
store-url: https://snapcraft.io/i2pd
license:   BSD-3-Clause
description: |
  i2pd (I2P Daemon) is a full-featured C++ implementation of I2P client.
  I2P (Invisible Internet Protocol) is a universal anonymous network layer.
  All communications over I2P are anonymous and end-to-end encrypted, participants
  don't reveal their real IP addresses.
snap-id: clap1qoxuw4OdjJHVqEeHEqBBgIvwOTv
channels:
  latest/stable:    2.32.1 2020-06-02 (62) 16MB -
  latest/candidate: ↑
  latest/beta:      ↑
  latest/edge:      2.32.1 2020-06-02 (62) 16MB -
Install snap if you haven’t already and install i2pd from the default stable channel:
apt install snapd
snap install i2pd
Unlike the Java version with its web GUI, i2pd does not have that many settings, knobs and tabs: only the bare essentials. So the easiest way is to configure it directly in the configuration file.
For your web resource to become available in i2p, it has to be proxied in the same way as with onion. To do this, open ~/.i2pd/tunnels.conf and add your backend:
[anon-website]
type = http
host = 127.0.0.1
port = 8080
keys = anon-website.dat
After restarting the daemon you will get a random b32 address. You can see it in the web console, which is available by default at
The i2p network has a kind of DNS, but it is more like a distributed /etc/hosts list. In the console you subscribe to specific sources that tell you how to reach a hypothetical
Can we deploy i2p and onion in Russia?
Let me say right away: RuVDS is not an abuse-tolerant (bulletproof) hoster. In case of a substantiated complaint against our client, we may terminate the contract and shut down the virtual machine, as most hosters would. However, due to the peculiarities of the tor architecture, and especially of i2p, it is very difficult and often simply impossible to determine where exactly a website is hosted.
That said, there is nothing illegal about using such tools, so we won’t mind if you open a mirror of your legal web resource on overlay networks. Still, I strongly recommend once again not to experiment blindly with tor on your home machine: either your IP gets blacklisted or someone comes knocking. It is better to rent a VPS; it is inexpensive.