Anonymous Hosting for Beginners — Whonix + Tor Step-by-Step
One-Line Flow: Your server hides inside a Whonix VM → all traffic routes through Tor → you get a .onion address → optional: keep your normal domain working through a proxy layer → nobody knows where you actually are.
Who this guide is for?
For the
paranoid bastards who want to run a website without governments, corporations, or your nosy ex knowing where it lives. If you’re hosting anything that makes lawyers nervous, this is your blueprint.

Why Should You Care?
Here’s the cold truth: 97.8% of hidden service busts happen because of human mistakes, not Tor getting hacked.
A 2024 study analyzing 136 court cases found that actual Tor protocol attacks worked in only 3 cases. Everything else? Email headers with real names. Username reuse. Logging in from home once.
Tor works. People don’t. This guide fixes that.
The Architecture
Users → Cloudflare (optional) → Frontend VPS → Tor Network → Your Hidden Server in Whonix
Even with root access on your web server, attackers can’t find your real IP. Keys live on a separate VM they can’t touch.
Part 1: Setting Up Whonix
Requirements: Ubuntu 24.04 server, 4GB+ RAM, 50GB storage, CPU virtualization support.
Step 1: Install KVM
VirtualBox is for desktops. KVM is built into Linux and runs headless.
# Check CPU virtualization (output > 0 = good)
egrep -c '(vmx|svm)' /proc/cpuinfo
# Install KVM
sudo apt update
sudo apt install -y qemu-kvm libvirt-daemon-system libvirt-clients \
bridge-utils qemu-utils dnsmasq-base iptables xz-utils
# Add yourself to groups
sudo adduser "$(whoami)" libvirt
sudo adduser "$(whoami)" kvm
# Reboot required
sudo reboot
After reboot:
lsmod | grep kvm
sudo systemctl enable --now libvirtd
virsh -c qemu:///system net-autostart default
virsh -c qemu:///system net-start default
Step 2: Download Whonix
Get the CLI version — no desktop = less RAM, smaller attack surface.
Check whonix.org/wiki/KVM for current version, then:
wget https://download.whonix.org/libvirt/17.x.x.x/Whonix-CLI-17.x.x.x.Intel_AMD64.qcow2.libvirt.xz
wget https://download.whonix.org/libvirt/17.x.x.x/Whonix-CLI-17.x.x.x.Intel_AMD64.qcow2.libvirt.xz.asc
# Verify signature
gpg --keyserver keyserver.ubuntu.com --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA
gpg --verify Whonix*.libvirt.xz.asc Whonix*.libvirt.xz
# Extract
tar -xvf Whonix*.libvirt.xz
Step 3: Import & Start Whonix
# Setup networks
sudo virsh -c qemu:///system net-define Whonix_external*.xml
sudo virsh -c qemu:///system net-define Whonix_internal*.xml
sudo virsh -c qemu:///system net-autostart Whonix-External
sudo virsh -c qemu:///system net-start Whonix-External
sudo virsh -c qemu:///system net-autostart Whonix-Internal
sudo virsh -c qemu:///system net-start Whonix-Internal
# Import VMs
sudo virsh -c qemu:///system define Whonix-Gateway*.xml
sudo virsh -c qemu:///system define Whonix-Workstation*.xml
sudo mv Whonix-Gateway*.qcow2 /var/lib/libvirt/images/Whonix-Gateway.qcow2
sudo mv Whonix-Workstation*.qcow2 /var/lib/libvirt/images/Whonix-Workstation.qcow2
# Start (Gateway FIRST, always)
sudo virsh start Whonix-Gateway
sudo virsh start Whonix-Workstation
# Autostart on boot
sudo virsh autostart Whonix-Gateway
sudo virsh autostart Whonix-Workstation
Console access: sudo virsh console Whonix-Gateway (exit with Ctrl+])
Part 2: Creating Your Hidden Service
| Machine | IP | Role |
|---|---|---|
| Gateway | 10.152.152.10 | Tor router |
| Workstation | 10.152.152.11 | Your website |
The Workstation has zero direct internet. Everything goes through Gateway’s Tor.
Configure Hidden Service (on Gateway)
sudo nano /usr/local/etc/torrc.d/50_user.conf
Add:
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 10.152.152.11:80
HiddenServiceVersion 3
Get your .onion:
sudo service tor@default reload
sudo cat /var/lib/tor/hidden_service/hostname
BACK UP /var/lib/tor/hidden_service/ NOW. Lose keys = lose address forever.
Open Firewall (on Workstation)
sudo nano /usr/local/etc/whonix_firewall.d/50_user.conf
Add (note the spaces):
EXTERNAL_OPEN_PORTS+=" 80 "
sudo whonix_firewall
Install Web Server (on Workstation)
sudo apt update && sudo apt install nginx
Hardened config:
server {
listen 127.0.0.1:80;
server_name your-onion-address.onion;
root /var/www/html;
index index.html;
server_tokens off;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
location / { try_files $uri $uri/ =404; }
location ~ /\. { deny all; }
}
Part 3: Keep Your Normal Domain (Optional)
Want yoursite.com working while the server stays hidden?
Option A: Cloudflare + Tor Backend (Recommended)
Domain → Cloudflare → Cheap VPS → Tor → Your hidden server
On frontend VPS:
sudo apt install socat tor
Create /etc/systemd/system/onion-proxy.service:
[Unit]
Description=Onion Proxy
After=network.target tor.service
[Service]
ExecStart=/usr/bin/socat TCP4-LISTEN:8080,reuseaddr,fork SOCKS4A:127.0.0.1:YOUR-ONION.onion:80,socksport=9050
Restart=always
[Install]
WantedBy=multi-user.target
sudo systemctl enable --now onion-proxy
Nginx on same VPS:
server {
listen 443 ssl http2;
server_name yoursite.com;
ssl_certificate /etc/letsencrypt/live/yoursite.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yoursite.com/privkey.pem;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
}
}
Point Cloudflare at this VPS with orange cloud enabled.
Option B: .onion Only
Skip clearnet. Users visit your .onion directly via Tor Browser.
Faster, simpler, smaller audience.
Bonus: Onion-Location Header
Tell Tor Browser users about your .onion:
add_header Onion-Location http://your-onion-address.onion$request_uri;
Shows a purple “.onion available” button. Classy.
Part 4: Security Hardening
🛡️ Vanguards — Stop Guard Discovery Attacks
Without this, attackers can find your server in minutes. With it, they need months.
Vanguards-lite is default in Tor 0.4.7+ — but for full protection:
pip3 install vanguards
Add to Gateway’s torrc:
ControlPort 9099
CookieAuthentication 1
Run: vanguards --control_port 9099
⚡ PoW DDoS Protection (Tor 0.4.8+)
Makes attackers solve puzzles before connecting:
HiddenServicePoWDefensesEnabled 1
HiddenServicePoWQueueRate 200
HiddenServicePoWQueueBurst 1000
Does NOT work with OnionBalance. Pick one.
🔌 Unix Sockets (Faster + Secure)
Instead of TCP:
HiddenServicePort 80 unix:/var/run/tor/website.sock
Configure nginx to listen on that socket. Eliminates network attack surface.
🔧 Hidden Whonix Tools
Onion-grater — Filters dangerous Tor control commands github.com/Whonix/onion-grater
Corridor — Only allows Tor relay connections. Run corridor-init-logged to watch for leaks. github.com/rustybird/corridor
Sdwdate — Time sync through Tor, not NTP whonix.org/wiki/Sdwdate
Tirdad — Randomizes TCP sequence numbers
All included with Whonix. Most people never enable them.
🔬 Advanced torrc Options
# More introduction points (max 10)
HiddenServiceNumIntroductionPoints 6
# Stream limits
HiddenServiceMaxStreams 100
HiddenServiceMaxStreamsCloseCircuit 1
# Rate limiting at protocol level
HiddenServiceEnableIntroDoSDefense 1
HiddenServiceEnableIntroDoSRatePerSec 25
HiddenServiceEnableIntroDoSBurstPerSec 200
# Export circuit ID for custom rate limiting
HiddenServiceExportCircuitID haproxy
Part 5: Testing
Scan Yourself Before Going Live
OnionScanner (v3 support): github.com/N4rr34n6/OnionScanner
Checks for exposed server info, directory listings, metadata leaks, SSH banners, EXIF data.
Verify config: tor --verify-config
Watch Vanguards logs for suspicious patterns.
Part 6: Anonymous Hosting Providers
🥇 Accepts Monero (Best Privacy)
| Provider | Location | Price | Notes |
|---|---|---|---|
| Njalla | Sweden/Nevis | ~€15/mo | Pirate Bay founder. Owns domains on your behalf. |
| FlokiNET | Iceland | €9.50/mo | Hosts WikiLeaks. Allows Tor relays. |
| 1984 Hosting | Iceland | $5/mo | Fights legal requests in court. |
| Privex | Belize | $0.99/mo | No IP logging. |
🧅 Has .onion Signup
- Njalla:
njallalafimoej5i4eg7vlnqjvmb6zhdh27qxcatdn647jtwwwui3nad.onion - IncogNET:
incoghostm2dytlqdiaj3lmtn7x2l5gb76jhabb6ywbqhjfzcoqq6aad.onion - NiceVPS:
nicevpsvzo5o6mtvvdiurhkemnv7335f74tjk42rseoj7zdnqy44mnqd.onion
Full list: bitcoin-vps.com
📛 Anonymous Domains
Njalla — They legally own it, you control it. WHOIS shows Njalla.
NameSilo — Free lifetime WHOIS privacy, takes crypto.
Part 7: Vanity Addresses
Generate Custom .onion Prefix
Use mkp224o:
git clone https://github.com/cathugger/mkp224o
cd mkp224o && ./autogen.sh
./configure --enable-amd64-51-30k && make
./mkp224o yourprefix
| Chars | Time |
|---|---|
| 5 | ~16 min |
| 6 | ~8.5 hrs |
| 7 | ~11 days |
| 8 | ~1 year |
Longer = harder for attackers to spoof. Generate on air-gapped machine.
Part 8: How People Actually Get Caught
Hall of Shame — Learn From Their Mistakes
AlphaBay — Email header: [email protected]. Username reuse.
Silk Road — Promoted site on forums with real name during development. Logged in without Tor “just once.”
Freedom Hosting — FBI JavaScript exploit grabbed real IPs. Prevented by Tor Browser “Safest” mode.
2024 German Case — Outdated Tor without Vanguards. Police ran malicious relays for months. Source
The Pattern:
- Reusing identities
- Posting personal details
- Skipping hardening
- Outdated software
- “Just this once”
Part 9: Performance Reality
Speed Expectations
| Metric | Reality |
|---|---|
| Initial connection | 24-56 sec |
| Per-request | 4+ sec |
| Page load | 5-30 sec |
Yeah, it’s slow. That’s the price of invisibility.
WordPress on Tor — The Setup
Install the usual LAMP/LEMP stack on your Workstation:
sudo apt install nginx mariadb-server php-fpm php-mysql php-curl php-gd php-mbstring php-xml php-zip
In wp-config.php, add:
// Force your .onion as site URL
define('WP_HOME', 'http://your-onion-address.onion');
define('WP_SITEURL', 'http://your-onion-address.onion');
// Disable external HTTP requests (security + speed)
define('WP_HTTP_BLOCK_EXTERNAL', true);
// Allow only specific hosts if needed
define('WP_ACCESSIBLE_HOSTS', 'your-onion-address.onion');
// Disable auto-updates (they'll fail anyway)
define('AUTOMATIC_UPDATER_DISABLED', true);
define('WP_AUTO_UPDATE_CORE', false);
Critical: Disable pingbacks, trackbacks, and XML-RPC — they leak your .onion to external servers.
Add to functions.php:
add_filter('xmlrpc_enabled', '__return_false');
add_filter('pings_open', '__return_false');
Or just install Disable XML-RPC plugin.
Joomla/Drupal on Tor
Same concept. In your CMS config:
Joomla (configuration.php):
public $live_site = 'http://your-onion-address.onion';
Drupal (settings.php):
$settings['trusted_host_patterns'] = ['^your\-onion\-address\.onion$'];
$base_url = 'http://your-onion-address.onion';
Disable all external API calls, update checks, and CDN integrations.
Speed Tips for PHP Sites
- Enable OPcache — huge PHP performance boost
- Use Redis/Memcached for object caching
- Static HTML caching with WP Super Cache or W3 Total Cache
- Disable Gravatar — leaks user emails to external server
- Self-host all assets — no Google Fonts, no CDN, no external JS
- Lazy load images — .onion connections are painful
- Minify CSS/JS but host locally
The goal: zero external requests. Every outbound connection is a potential leak.
Part 10: Resources
Official Docs
Tools
- Vanguards — Guard protection
- mkp224o — Vanity generator
- OnionScanner — Security scanner
- OnionBalance — Load balancing
- Corridor — Traffic filtering
Part 11: How to Make Money From This

You built an invisible server. Cool. Now let’s talk cash.
Here’s the dirty secret: people don’t pay for Tor — they pay for peace of mind. Sell certainty in a world that spies by default.
1️⃣ Anonymous Drop-Box Website (Paid Dead Drops)
Turn your hidden site into a private file inbox.
Who pays: Journalists, whistleblowers, lawyers, activists, researchers.
The model:
- Sell unique .onion receiving addresses
- Monthly subscription for a private drop
- Zero logs, zero identity, zero trust required
Why it works: Trust is rare. Anonymous trust is rarer. High demand, low supply.
2️⃣ Burner Business Hosting (Sell Invisibility)
Resell pre-configured anonymous hosting as a service.
Who pays: People in gray niches — adult content, political stuff, controversial opinions, anything that gets deplatformed.
The model:
- You don’t host content — you host infrastructure
- Monthly recurring income
- They bring their drama, you bring the invisibility
Why it works: You’re not selling opinions. You’re selling the ability to have opinions without consequences.
3️⃣ Paywalled Onion Knowledge Vault
Create a Tor-only paid content site.
What to sell:
- Leaks and research dumps
- OSINT guides and rare tutorials
- PDFs nobody can find elsewhere
- Niche expertise in paranoid formats
The model:
- Crypto / Monero payments only
- Scarcity + secrecy = perceived value
Why it works: Information feels 10x more valuable when it’s hidden behind a .onion and a paywall.
4️⃣ Can't-Be-Taken-Down Backup Sites
Sell mirrored emergency websites.
Who pays: NGOs, activists, banned creators, anyone who’s been deplatformed before.
The model:
- Their normal site gets nuked → .onion stays alive
- Monthly “insurance” pricing
- Peace of mind as a subscription
Why it works: Everyone who’s been banned once knows it’ll happen again. You’re selling uptime when platforms panic.
5️⃣ Anonymous Feedback / Confession Platform
Host a zero-log anonymous confession or feedback board.
Who pays: Companies, schools, communities, teams — anyone who wants brutal honesty without HR drama.
The model:
- No tracking, no IPs, no emails
- Charge the receivers of feedback, not the senders
- Monthly or per-campaign pricing
Why it works: People tell the truth when they can’t be punished for it. Organizations pay good money for that truth.
6️⃣ Dark Funnel for Sensitive Consulting
Use clearnet → Tor as a client filter.
How it works:
- Normal domain = marketing, SEO, public face
- .onion site = serious inquiries only
- The technical barrier filters out tire-kickers
Who uses this: Lawyers, crypto fixers, security researchers, private investigators, anyone whose best clients are paranoid.
Why it works: Tor users self-qualify as high-intent. If someone figures out how to reach your .onion, they’re serious.
7️⃣ Verified Anonymous Services Directory
Run a “Yelp for paranoid people.”
The model:
- List only services that operate fully via Tor
- Charge for listings or verification badges
- Curate hard so your list actually means something
Why it works: Curation beats scale. When everything is anonymous, trust becomes the product.
8️⃣ Sell the Setup, Not the Site
Package this guide as a done-for-you install.
The pitch: “We set it up. You don’t touch commands.”
The model:
- One-time setup fee ($200-500+)
- Optional monthly support retainer
- Target non-technical people with money and paranoia
Why it works: Fear + complexity = money. Non-technical people LOVE outsourcing things that scare them.
9️⃣ Anonymous Testing Sandboxes
Offer anonymous testing environments for researchers.
Who pays: Security researchers, academics, journalists testing censorship tools, anyone who needs to do sketchy-looking stuff for legitimate reasons.
The model:
- No logs, no identity
- Paid hourly or monthly access
- Pre-configured environments for specific use cases
Why it works: Safe playgrounds for risky experiments. Plausible deniability as a service.
🔟 Identity Reset System
Help people start over with a clean digital slate.
Who pays: Writers with controversy, activists with enemies, whistleblowers, anyone whose past follows them online.
The model:
- Sell guides + hosting + OPSEC basics as a package
- New persona, new .onion presence, zero past linkage
- Premium pricing for hand-holding
Why it works: Starting over is priceless. Some people would pay anything to not be Googleable.
The Big Truth Most People Miss
This isn’t about hiding. It’s about selling certainty in a world that spies by default.
Most users don’t want Tor. They want peace of mind — and they’ll pay for it.
Pre-Launch Checklist
Click to expand
- KVM installed, Whonix VMs running
- Hidden service configured on Gateway
- Firewall opened on Workstation
- Web server accessible via .onion
- Vanguards enabled
- PoW defense enabled (if not using OnionBalance)
- OnionScanner run — no leaks
- Keys backed up securely
- Frontend proxy configured (if clearnet)
- All software updated
Stay paranoid. Stay updated. Don’t be the person caught because of an email header.

!