Hosting a .onion Site: Complete Technical Guide 2026

One of the most remarkable features of Tor is that anyone can host a .onion site, with no registration through a registrar, no domain name to purchase, no SSL certificate to obtain from a certificate authority. A few lines of configuration are enough to transform an existing server into a hidden service accessible to the global Tor network. This complete technical guide walks you through the process, from hardware prerequisites to advanced configuration, including operational security best practices to protect your identity as an operator.

⚫ Page filtered. The full catalog is on Tor. Tor access →

Why host a .onion site?

The reasons for hosting a .onion site are varied and, for the most part, perfectly legitimate. Major media organizations (BBC, NYT, ProPublica, Deutsche Welle) do it to offer readers in censored countries risk-free access. Privacy services (ProtonMail, DuckDuckGo, Mullvad) do it out of philosophical consistency: offering their service without even the connection revealing the user's identity. Whistleblowing platforms (SecureDrop, GlobaLeaks) do it out of technical necessity: receiving documents from anonymous sources requires that the reception itself be unobservable.

For an individual or a more modest project, the motivations can be varied. An anonymous personal blog on a sensitive topic (mental health experience, political criticism in an authoritarian country, minority activism). A small community that wants to exchange ideas without depending on a centralized platform. An open-source project that wants to offer .onion access to its official site. A document repository shared with collaborators. A game or an experimental artistic project.

Technically, hosting a .onion offers several advantages over a traditional clearnet site. No registrar: the address is generated cryptographically — no one can take it from you. No DNS: your site is not vulnerable to DNS attacks or state DNS blocks. No SSL certificate needed: the .onion address itself cryptographically authenticates the server. No public IP required: you can host behind NAT, on a home connection, without port forwarding.

Hardware prerequisites and skills

Hosting a .onion site requires moderate technical skills and minimal hardware. Don't be put off: if you can follow a Linux tutorial, you can do it.

Hardware

Technically, any computer with an internet connection will do. A Raspberry Pi 4 (€50–80) with an SD card is ideal for a personal site or an experimental project, consumes very little electricity, and can stay on permanently. A recycled old PC works too. For a professional site with sustained traffic, a VPS (Virtual Private Server) with a hosting provider is more suitable.

Operating system

A Linux distribution is recommended: Debian, Ubuntu Server, and Arch Linux are the most common. Debian is the reference for stable servers, with long support cycles. The examples in this guide use Debian/Ubuntu commands (apt), easily adaptable to other distributions.

Recommended skills

Basic knowledge: using the Linux command line, editing files with nano or vim, understanding Unix permissions, knowing how to use SSH. Useful concepts: HTTP/HTTPS, nginx or Apache configuration, DNS (to know what you're not using). If you are a complete Linux beginner, start with a "Linux basics" tutorial before tackling .onion hosting.

Step 1: install Tor on the server

The first step is to install Tor (the server software, not Tor Browser) on your machine. On Debian or Ubuntu:

sudo apt update
sudo apt install tor

This command installs Tor from Debian's official repositories. To get the latest version, you can add the Tor Project's official repository, which follows the latest releases:

sudo apt install apt-transport-https gnupg
echo "deb https://deb.torproject.org/torproject.org $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/tor.list
curl https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | sudo gpg --dearmor -o /usr/share/keyrings/tor-archive-keyring.gpg
sudo apt update
sudo apt install tor deb.torproject.org-keyring

Once installed, Tor starts automatically as a system service. You can check its status:

sudo systemctl status tor

The service should display active (running). If not, start it with sudo systemctl start tor, then enable it at boot with sudo systemctl enable tor.

Step 2: configure the web server

Your web server (nginx, Apache, Caddy) must listen on localhost only — never on a public IP. This ensures that only Tor can reach it. Here is a minimal nginx configuration (/etc/nginx/sites-available/myoniononsite):

server {
    listen 127.0.0.1:8080;
    server_name _;
    root /var/www/myoniononsite;
    index index.html;

    # Hide server information
    server_tokens off;

    # No access log for anonymity
    access_log off;
    error_log /var/log/nginx/myoniononsite-error.log crit;

    location / {
        try_files $uri $uri/ =404;
    }
}

Key points: the server listens only on 127.0.0.1 (unreachable from the internet), server_tokens off hides the nginx version, access_log off prevents visit logging (essential to protect your visitors).

Enable the site and restart nginx:

sudo ln -s /etc/nginx/sites-available/myoniononsite /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx

Create a test file:

sudo mkdir -p /var/www/myoniononsite
echo "<h1>My first .onion site</h1>" | sudo tee /var/www/myoniononsite/index.html

Step 3: configure torrc for the hidden service

Tor's configuration file is /etc/tor/torrc. To declare a hidden service, add two lines:

HiddenServiceDir /var/lib/tor/myoniononsite/
HiddenServicePort 80 127.0.0.1:8080

The first line tells Tor where to store the private key and service information (the directory is created automatically). The second line means: when someone connects via HTTP to your .onion, redirect to port 8080 on localhost (where nginx is listening).

Restart Tor to generate the address:

sudo systemctl restart tor

Tor will create the /var/lib/tor/myoniononsite/ directory and generate an Ed25519 key pair inside it. Your .onion address is in the hostname file:

sudo cat /var/lib/tor/myoniononsite/hostname

You get a 56-character address followed by .onion. Your site is now accessible from any Tor Browser! Propagation through the Tor network's DHT takes a few minutes; be patient during the first test.

Back up the private key

The private key stored in /var/lib/tor/myoniononsite/hs_ed25519_secret_key is essential: it is what defines your .onion address. If you lose it, your address changes (your visitors can no longer find you). Back it up immediately in a safe, encrypted location (VeraCrypt, KeePassXC).

Hardening the configuration

A few additional options to add in torrc to strengthen security:

# Do not act as a Tor relay in addition to being a client
SocksPort 0
ClientOnly 1

# No Tor logging
Log notice file /dev/null

# Hidden service hardening
HiddenServiceSingleHopMode 0
HiddenServiceNonAnonymousMode 0

Step 4 (optional): custom .onion address

Randomly generated .onion addresses are hard to remember. You can create a "vanity" address whose first characters form a word, like Facebook with facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion. The reference tool is mkp224o, developed by the Tor Project and actively maintained.

Installation and compilation:

sudo apt install build-essential autoconf libsodium-dev
git clone https://github.com/cathugger/mkp224o.git
cd mkp224o
./autogen.sh
./configure
make

Generating an address starting with "oniondir":

./mkp224o oniondir

The tool randomly traverses the Ed25519 key space until it finds one matching the prefix. Time estimates (on a modern GPU): 5 characters = a few minutes, 6 characters = a few hours, 7 characters = one day, 8 characters = several days, 9 characters = several weeks. Beyond that, it is economically prohibitive without a dedicated GPU farm.

Once a key is generated, copy the folder into /var/lib/tor/ and modify torrc to point to it:

sudo cp -r oniondirxxxxxxxxxx.onion /var/lib/tor/
sudo chown -R debian-tor:debian-tor /var/lib/tor/oniondirxxxxxxxxxx.onion
sudo chmod 700 /var/lib/tor/oniondirxxxxxxxxxx.onion

Modify torrc to point to this new directory, then restart Tor.

Opsec: protecting your operator anonymity

If you host a sensitive site, protecting your identity as an operator deserves as much attention as protecting your visitors. Here are the essential opsec rules.

Never include identifying information on the site. No real name, no address, no personal photo, no links to accounts in your real name. Your writing style itself can betray you (stylometry): for highly sensitive uses, have your texts reviewed to smooth out stylistic tics.

Pay for your infrastructure anonymously. The VPS, the domain name (if you have one for the clearnet version), third-party services: everything must be paid for without a link to your real identity. Cryptocurrencies (ideally Monero), gift cards purchased with cash, services that accept full anonymity (Mullvad, Njalla for domains).

Strictly configure the web server. HTTP headers that don't reveal the nginx version, no access logs, no third-party monitoring (no Google Analytics, obviously), file timestamps that don't correspond to a revealing time zone. Every detail matters.

Separate the administration identity from the public identity. If your site has an author under a pseudonym (for example "MeOnionSide"), never use that pseudonym elsewhere, especially not for server administration. The administrator must be a distinct and invisible identity.

Limit data in the database. If your site has a database (WordPress, dynamic applications), take care that it reveals nothing about you. No stored visitor IPs, no compromising metadata in uploaded files, regular cleanup.

Consider jurisdiction. If you host with a European provider, your data is subject to the GDPR but also to EU legal requests. Jurisdictions like Iceland (1984 Hosting) offer enhanced freedom of expression protections. Njalla, based in the Caribbean, systematically refuses requests that do not go through complete legal procedures.

Specialized hosting providers and alternatives

Several hosting providers are known for their respect for privacy and their compatibility with Tor hidden services.

Njalla (njal.la) is the registrar and hosting provider founded by Peter Sunde, co-founder of The Pirate Bay. It registers clearnet domains in its own name and then "leases" them to you, masking your identity in WHOIS. Accepts cryptocurrencies, no identity verification. Based in the Caribbean, infrastructure in Sweden.

1984 Hosting (1984.is) is an Icelandic host focused on freedom of expression, named after Orwell's novel. Iceland offers a particularly protective legal framework. Accepts cryptocurrencies and anonymous payments.

Ablative Hosting specializes in hosting Tor hidden services. Their infrastructure is designed from the ground up for this use, with optimizations specific to the Tor network.

Impreza Host (imprezahost.com) is another privacy-first host, accessible only via .onion, which accepts Bitcoin.

Simple alternative: OnionShare. For occasional or experimental needs, the OnionShare software turns any computer into a temporary .onion server with a single click. You select a folder, OnionShare generates a .onion address, and the site is accessible as long as the software is running. Perfect for sharing a file or publishing a static site without infrastructure.

Further reading

To get a broader grasp of the Tor environment, see our dark web access guide, our article on .onion links and their cryptographic workings, and our technical glossary. For VPN and pluggable transport aspects, see our VPN and Tor guide.

To explore legitimate .onion services that illustrate what your site could become, see our top 30 legitimate .onion sites. For complementary anonymity tools (SecureDrop, OnionShare, Tails), see our Tools & Privacy category. For specialized hosting providers, see our Hosting category.

FAQ on .onion hosting

Is it legal to host a .onion site in France?
Yes, absolutely. Hosting a Tor hidden service is legally identical to hosting a regular website under French law. It is the hosted content that determines legality. A personal blog, an independent journalism site, a privacy tool — all can legally be hosted on .onion. Sites hosting illegal content (glorification of terrorism, child pornography) are obviously illegal, whether they end in .com or .onion.
What is the minimum hardware needed to host a .onion site?
A computer with an internet connection is technically sufficient. For an experimental site, any PC or Raspberry Pi will do. For a serious site with traffic, a VPS with a regular host (OVH, Hetzner) or a specialized one (Njalla, 1984 Hosting, Ablative Hosting) is recommended starting at a few euros per month. Bandwidth consumption remains modest for most sites.
How do you get a custom .onion address?
With a vanity address generator like mkp224o. It computes billions of random Ed25519 keys until it finds one whose address begins with the desired word. Six characters take a few hours on a good GPU, eight characters several days; beyond that it becomes industrially costly. Facebook used this technique to obtain facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion.
Is a .onion site accessible from a regular browser?
No, only from Tor Browser or another browser configured with a Tor proxy. Ordinary browsers do not speak the Tor protocol and cannot resolve .onion addresses. Gateways like Tor2web exist but are strongly discouraged because they compromise anonymity. To reach a broad audience, maintaining both a clearnet version and a .onion version simultaneously (like the BBC, NYT) is the best approach.
How do you protect your anonymity when hosting a .onion site?
Several essential rules: 1) Do not register a clearnet domain for your .onion in your own name (or use Njalla). 2) Pay your VPS in cryptocurrencies without KYC. 3) Strictly configure torrc so it does not expose the server's IP (no logs, proper settings). 4) Disable all server identifiers (ServerTokens, revealing HTTP headers). 5) Separate the operator's identity from the site's public identity. These rules form the basic hosting opsec.
How much does hosting a .onion site cost?
Very variable. Budget option: Raspberry Pi 4 + home internet connection = roughly €100 one-time investment. VPS at a regular host: €5–15/month (Hetzner CX11, OVH VPS Starter, Scaleway). VPS at a privacy-first host: €10–30/month (Njalla, 1984 Hosting). Dedicated .onion specialized hosting: €15–50/month (Ablative Hosting, Impreza Host). OnionShare (free) for occasional shares.