Run a Website Nobody Can Find: Hide Your Server with Whonix

:detective: Anonymous Hosting for Beginners — Whonix + Tor Step-by-Step

One-Line Flow: Your server hides inside a Whonix VM → all traffic routes through Tor → you get a .onion address → optional: keep your normal domain working through a proxy layer → nobody knows where you actually are.


Who this guide is for?

For the :pirate_flag: paranoid bastards who want to run a website without governments, corporations, or your nosy ex knowing where it lives. If you’re hosting anything that makes lawyers nervous, this is your blueprint.


:thinking: Why Should You Care?

Here’s the cold truth: 97.8% of hidden service busts happen because of human mistakes, not Tor getting hacked.

A 2024 study analyzing 136 court cases found that actual Tor protocol attacks worked in only 3 cases. Everything else? Email headers with real names. Username reuse. Logging in from home once.

Tor works. People don’t. This guide fixes that.


:brain: The Architecture

Users → Cloudflare (optional) → Frontend VPS → Tor Network → Your Hidden Server in Whonix

Even with root access on your web server, attackers can’t find your real IP. Keys live on a separate VM they can’t touch.


:gear: Part 1: Setting Up Whonix

Requirements: Ubuntu 24.04 server, 4GB+ RAM, 50GB storage, CPU virtualization support.

Step 1: Install KVM

VirtualBox is for desktops. KVM is built into Linux and runs headless.

# Check CPU virtualization (output > 0 = good)
egrep -c '(vmx|svm)' /proc/cpuinfo

# Install KVM
sudo apt update
sudo apt install -y qemu-kvm libvirt-daemon-system libvirt-clients \
    bridge-utils qemu-utils dnsmasq-base iptables xz-utils

# Add yourself to groups
sudo adduser "$(whoami)" libvirt
sudo adduser "$(whoami)" kvm

# Reboot required
sudo reboot

After reboot:

lsmod | grep kvm
sudo systemctl enable --now libvirtd
virsh -c qemu:///system net-autostart default
virsh -c qemu:///system net-start default
Step 2: Download Whonix

Get the CLI version — no desktop = less RAM, smaller attack surface.

Check whonix.org/wiki/KVM for current version, then:

wget https://download.whonix.org/libvirt/17.x.x.x/Whonix-CLI-17.x.x.x.Intel_AMD64.qcow2.libvirt.xz
wget https://download.whonix.org/libvirt/17.x.x.x/Whonix-CLI-17.x.x.x.Intel_AMD64.qcow2.libvirt.xz.asc

# Verify signature
gpg --keyserver keyserver.ubuntu.com --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA
gpg --verify Whonix*.libvirt.xz.asc Whonix*.libvirt.xz

# Extract
tar -xvf Whonix*.libvirt.xz
Step 3: Import & Start Whonix
# Setup networks
sudo virsh -c qemu:///system net-define Whonix_external*.xml
sudo virsh -c qemu:///system net-define Whonix_internal*.xml
sudo virsh -c qemu:///system net-autostart Whonix-External
sudo virsh -c qemu:///system net-start Whonix-External
sudo virsh -c qemu:///system net-autostart Whonix-Internal
sudo virsh -c qemu:///system net-start Whonix-Internal

# Import VMs
sudo virsh -c qemu:///system define Whonix-Gateway*.xml
sudo virsh -c qemu:///system define Whonix-Workstation*.xml
sudo mv Whonix-Gateway*.qcow2 /var/lib/libvirt/images/Whonix-Gateway.qcow2
sudo mv Whonix-Workstation*.qcow2 /var/lib/libvirt/images/Whonix-Workstation.qcow2

# Start (Gateway FIRST, always)
sudo virsh start Whonix-Gateway
sudo virsh start Whonix-Workstation

# Autostart on boot
sudo virsh autostart Whonix-Gateway
sudo virsh autostart Whonix-Workstation

Console access: sudo virsh console Whonix-Gateway (exit with Ctrl+])


:onion: Part 2: Creating Your Hidden Service

Machine IP Role
Gateway 10.152.152.10 Tor router
Workstation 10.152.152.11 Your website

The Workstation has zero direct internet. Everything goes through Gateway’s Tor.

Configure Hidden Service (on Gateway)
sudo nano /usr/local/etc/torrc.d/50_user.conf

Add:

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 10.152.152.11:80
HiddenServiceVersion 3

Get your .onion:

sudo service tor@default reload
sudo cat /var/lib/tor/hidden_service/hostname

:warning: BACK UP /var/lib/tor/hidden_service/ NOW. Lose keys = lose address forever.

Open Firewall (on Workstation)
sudo nano /usr/local/etc/whonix_firewall.d/50_user.conf

Add (note the spaces):

EXTERNAL_OPEN_PORTS+=" 80 "
sudo whonix_firewall
Install Web Server (on Workstation)
sudo apt update && sudo apt install nginx

Hardened config:

server {
    listen 127.0.0.1:80;
    server_name your-onion-address.onion;
    root /var/www/html;
    index index.html;
    
    server_tokens off;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    
    location / { try_files $uri $uri/ =404; }
    location ~ /\. { deny all; }
}

:globe_with_meridians: Part 3: Keep Your Normal Domain (Optional)

Want yoursite.com working while the server stays hidden?

Option A: Cloudflare + Tor Backend (Recommended)

Domain → Cloudflare → Cheap VPS → Tor → Your hidden server

On frontend VPS:

sudo apt install socat tor

Create /etc/systemd/system/onion-proxy.service:

[Unit]
Description=Onion Proxy
After=network.target tor.service

[Service]
ExecStart=/usr/bin/socat TCP4-LISTEN:8080,reuseaddr,fork SOCKS4A:127.0.0.1:YOUR-ONION.onion:80,socksport=9050
Restart=always

[Install]
WantedBy=multi-user.target
sudo systemctl enable --now onion-proxy

Nginx on same VPS:

server {
    listen 443 ssl http2;
    server_name yoursite.com;
    
    ssl_certificate /etc/letsencrypt/live/yoursite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yoursite.com/privkey.pem;
    
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
    }
}

Point Cloudflare at this VPS with orange cloud enabled.

Option B: .onion Only

Skip clearnet. Users visit your .onion directly via Tor Browser.

Faster, simpler, smaller audience.

Bonus: Onion-Location Header

Tell Tor Browser users about your .onion:

add_header Onion-Location http://your-onion-address.onion$request_uri;

Shows a purple “.onion available” button. Classy.


:locked: Part 4: Security Hardening

🛡️ Vanguards — Stop Guard Discovery Attacks

Without this, attackers can find your server in minutes. With it, they need months.

Vanguards-lite is default in Tor 0.4.7+ — but for full protection:

pip3 install vanguards

Add to Gateway’s torrc:

ControlPort 9099
CookieAuthentication 1

Run: vanguards --control_port 9099

GitHub: mikeperry-tor/vanguards

⚡ PoW DDoS Protection (Tor 0.4.8+)

Makes attackers solve puzzles before connecting:

HiddenServicePoWDefensesEnabled 1
HiddenServicePoWQueueRate 200
HiddenServicePoWQueueBurst 1000

:warning: Does NOT work with OnionBalance. Pick one.

🔌 Unix Sockets (Faster + Secure)

Instead of TCP:

HiddenServicePort 80 unix:/var/run/tor/website.sock

Configure nginx to listen on that socket. Eliminates network attack surface.

🔧 Hidden Whonix Tools

Onion-grater — Filters dangerous Tor control commands github.com/Whonix/onion-grater

Corridor — Only allows Tor relay connections. Run corridor-init-logged to watch for leaks. github.com/rustybird/corridor

Sdwdate — Time sync through Tor, not NTP whonix.org/wiki/Sdwdate

Tirdad — Randomizes TCP sequence numbers

All included with Whonix. Most people never enable them.

🔬 Advanced torrc Options
# More introduction points (max 10)
HiddenServiceNumIntroductionPoints 6

# Stream limits
HiddenServiceMaxStreams 100
HiddenServiceMaxStreamsCloseCircuit 1

# Rate limiting at protocol level
HiddenServiceEnableIntroDoSDefense 1
HiddenServiceEnableIntroDoSRatePerSec 25
HiddenServiceEnableIntroDoSBurstPerSec 200

# Export circuit ID for custom rate limiting
HiddenServiceExportCircuitID haproxy

:test_tube: Part 5: Testing

Scan Yourself Before Going Live

OnionScanner (v3 support): github.com/N4rr34n6/OnionScanner

Checks for exposed server info, directory listings, metadata leaks, SSH banners, EXIF data.

Verify config: tor --verify-config

Watch Vanguards logs for suspicious patterns.


:money_bag: Part 6: Anonymous Hosting Providers

🥇 Accepts Monero (Best Privacy)
Provider Location Price Notes
Njalla Sweden/Nevis ~€15/mo Pirate Bay founder. Owns domains on your behalf.
FlokiNET Iceland €9.50/mo Hosts WikiLeaks. Allows Tor relays.
1984 Hosting Iceland $5/mo Fights legal requests in court.
Privex Belize $0.99/mo No IP logging.
🧅 Has .onion Signup
  • Njalla: njallalafimoej5i4eg7vlnqjvmb6zhdh27qxcatdn647jtwwwui3nad.onion
  • IncogNET: incoghostm2dytlqdiaj3lmtn7x2l5gb76jhabb6ywbqhjfzcoqq6aad.onion
  • NiceVPS: nicevpsvzo5o6mtvvdiurhkemnv7335f74tjk42rseoj7zdnqy44mnqd.onion

Full list: bitcoin-vps.com

📛 Anonymous Domains

Njalla — They legally own it, you control it. WHOIS shows Njalla.

NameSilo — Free lifetime WHOIS privacy, takes crypto.


:performing_arts: Part 7: Vanity Addresses

Generate Custom .onion Prefix

Use mkp224o:

git clone https://github.com/cathugger/mkp224o
cd mkp224o && ./autogen.sh
./configure --enable-amd64-51-30k && make
./mkp224o yourprefix
Chars Time
5 ~16 min
6 ~8.5 hrs
7 ~11 days
8 ~1 year

Longer = harder for attackers to spoof. Generate on air-gapped machine.


:skull: Part 8: How People Actually Get Caught

Hall of Shame — Learn From Their Mistakes

AlphaBay — Email header: [email protected]. Username reuse.

Silk Road — Promoted site on forums with real name during development. Logged in without Tor “just once.”

Freedom Hosting — FBI JavaScript exploit grabbed real IPs. Prevented by Tor Browser “Safest” mode.

2024 German Case — Outdated Tor without Vanguards. Police ran malicious relays for months. Source

The Pattern:

  • Reusing identities
  • Posting personal details
  • Skipping hardening
  • Outdated software
  • “Just this once”

More: github.com/jermanuts/bad-opsec


:high_voltage: Part 9: Performance Reality

Speed Expectations
Metric Reality
Initial connection 24-56 sec
Per-request 4+ sec
Page load 5-30 sec

Yeah, it’s slow. That’s the price of invisibility.

WordPress on Tor — The Setup

Install the usual LAMP/LEMP stack on your Workstation:

sudo apt install nginx mariadb-server php-fpm php-mysql php-curl php-gd php-mbstring php-xml php-zip

In wp-config.php, add:

// Force your .onion as site URL
define('WP_HOME', 'http://your-onion-address.onion');
define('WP_SITEURL', 'http://your-onion-address.onion');

// Disable external HTTP requests (security + speed)
define('WP_HTTP_BLOCK_EXTERNAL', true);

// Allow only specific hosts if needed
define('WP_ACCESSIBLE_HOSTS', 'your-onion-address.onion');

// Disable auto-updates (they'll fail anyway)
define('AUTOMATIC_UPDATER_DISABLED', true);
define('WP_AUTO_UPDATE_CORE', false);

Critical: Disable pingbacks, trackbacks, and XML-RPC — they leak your .onion to external servers.

Add to functions.php:

add_filter('xmlrpc_enabled', '__return_false');
add_filter('pings_open', '__return_false');

Or just install Disable XML-RPC plugin.

Joomla/Drupal on Tor

Same concept. In your CMS config:

Joomla (configuration.php):

public $live_site = 'http://your-onion-address.onion';

Drupal (settings.php):

$settings['trusted_host_patterns'] = ['^your\-onion\-address\.onion$'];
$base_url = 'http://your-onion-address.onion';

Disable all external API calls, update checks, and CDN integrations.

Speed Tips for PHP Sites
  • Enable OPcache — huge PHP performance boost
  • Use Redis/Memcached for object caching
  • Static HTML caching with WP Super Cache or W3 Total Cache
  • Disable Gravatar — leaks user emails to external server
  • Self-host all assets — no Google Fonts, no CDN, no external JS
  • Lazy load images — .onion connections are painful
  • Minify CSS/JS but host locally

The goal: zero external requests. Every outbound connection is a potential leak.


:books: Part 10: Resources

Official Docs
Tools
Learning

:money_with_wings: Part 11: How to Make Money From This

You built an invisible server. Cool. Now let’s talk cash.

Here’s the dirty secret: people don’t pay for Tor — they pay for peace of mind. Sell certainty in a world that spies by default.

1️⃣ Anonymous Drop-Box Website (Paid Dead Drops)

Turn your hidden site into a private file inbox.

Who pays: Journalists, whistleblowers, lawyers, activists, researchers.

The model:

  • Sell unique .onion receiving addresses
  • Monthly subscription for a private drop
  • Zero logs, zero identity, zero trust required

Why it works: Trust is rare. Anonymous trust is rarer. High demand, low supply.

2️⃣ Burner Business Hosting (Sell Invisibility)

Resell pre-configured anonymous hosting as a service.

Who pays: People in gray niches — adult content, political stuff, controversial opinions, anything that gets deplatformed.

The model:

  • You don’t host content — you host infrastructure
  • Monthly recurring income
  • They bring their drama, you bring the invisibility

Why it works: You’re not selling opinions. You’re selling the ability to have opinions without consequences.

3️⃣ Paywalled Onion Knowledge Vault

Create a Tor-only paid content site.

What to sell:

  • Leaks and research dumps
  • OSINT guides and rare tutorials
  • PDFs nobody can find elsewhere
  • Niche expertise in paranoid formats

The model:

  • Crypto / Monero payments only
  • Scarcity + secrecy = perceived value

Why it works: Information feels 10x more valuable when it’s hidden behind a .onion and a paywall.

4️⃣ Can't-Be-Taken-Down Backup Sites

Sell mirrored emergency websites.

Who pays: NGOs, activists, banned creators, anyone who’s been deplatformed before.

The model:

  • Their normal site gets nuked → .onion stays alive
  • Monthly “insurance” pricing
  • Peace of mind as a subscription

Why it works: Everyone who’s been banned once knows it’ll happen again. You’re selling uptime when platforms panic.

5️⃣ Anonymous Feedback / Confession Platform

Host a zero-log anonymous confession or feedback board.

Who pays: Companies, schools, communities, teams — anyone who wants brutal honesty without HR drama.

The model:

  • No tracking, no IPs, no emails
  • Charge the receivers of feedback, not the senders
  • Monthly or per-campaign pricing

Why it works: People tell the truth when they can’t be punished for it. Organizations pay good money for that truth.

6️⃣ Dark Funnel for Sensitive Consulting

Use clearnet → Tor as a client filter.

How it works:

  • Normal domain = marketing, SEO, public face
  • .onion site = serious inquiries only
  • The technical barrier filters out tire-kickers

Who uses this: Lawyers, crypto fixers, security researchers, private investigators, anyone whose best clients are paranoid.

Why it works: Tor users self-qualify as high-intent. If someone figures out how to reach your .onion, they’re serious.

7️⃣ Verified Anonymous Services Directory

Run a “Yelp for paranoid people.”

The model:

  • List only services that operate fully via Tor
  • Charge for listings or verification badges
  • Curate hard so your list actually means something

Why it works: Curation beats scale. When everything is anonymous, trust becomes the product.

8️⃣ Sell the Setup, Not the Site

Package this guide as a done-for-you install.

The pitch: “We set it up. You don’t touch commands.”

The model:

  • One-time setup fee ($200-500+)
  • Optional monthly support retainer
  • Target non-technical people with money and paranoia

Why it works: Fear + complexity = money. Non-technical people LOVE outsourcing things that scare them.

9️⃣ Anonymous Testing Sandboxes

Offer anonymous testing environments for researchers.

Who pays: Security researchers, academics, journalists testing censorship tools, anyone who needs to do sketchy-looking stuff for legitimate reasons.

The model:

  • No logs, no identity
  • Paid hourly or monthly access
  • Pre-configured environments for specific use cases

Why it works: Safe playgrounds for risky experiments. Plausible deniability as a service.

🔟 Identity Reset System

Help people start over with a clean digital slate.

Who pays: Writers with controversy, activists with enemies, whistleblowers, anyone whose past follows them online.

The model:

  • Sell guides + hosting + OPSEC basics as a package
  • New persona, new .onion presence, zero past linkage
  • Premium pricing for hand-holding

Why it works: Starting over is priceless. Some people would pay anything to not be Googleable.


:brain: The Big Truth Most People Miss

This isn’t about hiding. It’s about selling certainty in a world that spies by default.

Most users don’t want Tor. They want peace of mind — and they’ll pay for it.


:bullseye: Pre-Launch Checklist

Click to expand
  • KVM installed, Whonix VMs running
  • Hidden service configured on Gateway
  • Firewall opened on Workstation
  • Web server accessible via .onion
  • Vanguards enabled
  • PoW defense enabled (if not using OnionBalance)
  • OnionScanner run — no leaks
  • Keys backed up securely
  • Frontend proxy configured (if clearnet)
  • All software updated

Stay paranoid. Stay updated. Don’t be the person caught because of an email header.

4 Likes

@srz my biggest problem is nobody finds my website eitherway ….hahahaha

2 Likes