Just like v2 Onion services, we can also set up client authorization for Onion
services v3. In simple terms, when you have a client authorization setup on an
Onion service, only the Tor clients with the private token can access the
service. Using this, you can run services (without opening up any port in your
system) and only selected people can access that service, which also stays
entirely inside the encrypted Tor network. Last month, I did a workshop at
Rootconf about the same topic, but I demoed v2 Onion services. In this blog
post, I am going to show you how you can do the same with the latest v3
services.
Setting up the Onion service
We assume that we are already running apache on port 80 of the server. Add the
following two lines at the end of the /etc/tor/torrc file of
HiddenServicePort 80 127.0.0.1:80
Then, restart the
systemctl restart tor
The above command will create the onion service at the
/var/lib/tor/hidden_service/ directory, and we can see the address from the
It should also create an authorized_clients directory at the service
Next, we will create keys of type x25519, and you can use any of the following
options to create the keys.
I used the Rust implementation, and I got the secret and the public key.
Now, we will use the public key to create a clientname.auth file in the
/var/lib/tor/hidden_service/authorized_clients/ directory. I chose the name
echo "descriptor:x25519:RO7N45JLVI5UXOLALOK4V22JLMMF5ZDC2W6DXVKIAU3C7FNIVROQ" > /var/lib/tor/hidden_service/authorized_clients/kushal.auth
If you look closely, the file format is like below:
Now, restart the tor service once again on the server.
systemctl restart tor
Setting up client authorization
The first step is to close down my Tor Browser as I will be manually editing
the torrc file of the same. Then, I added the following line to the same
Next, we will create the directory.
chmod 0700 tor-browser_en-US/Browser/TorBrowser/Data/Tor/onion_auth
Then, add the following in the kushal.auth_private file inside of the
The format of the file:
Now, start the Tor Browser, and you should be able to visit the authorized
Onion service at
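The two file formats used above, checked in code. This is an added example, not part of the original post: it parses a service-side .auth line and a client-side .auth_private line (documented by Tor as `<56-char-onion-addr-without-.onion-part>:descriptor:x25519:<x25519 private key in base32>`), confirms each key decodes to 32 bytes, and verifies the v3 address checksum. The function names are hypothetical, and the onion address and private key in the sample are constructed values, not a real service or key.

```python
import base64
import hashlib

def decode_key(text):
    """Decode an unpadded base32 x25519 key to its 32 raw bytes."""
    raw = base64.b32decode(text.upper() + "=" * (-len(text) % 8))
    if len(raw) != 32:
        raise ValueError(f"key is {len(raw)} bytes, expected 32")
    return raw

def onion_address(identity_key):
    """Build the 56-character v3 address (no .onion) for a 32-byte identity key."""
    version = b"\x03"
    digest = hashlib.sha3_256(b".onion checksum" + identity_key + version).digest()
    return base64.b32encode(identity_key + digest[:2] + version).decode().lower()

def check_address(addr):
    """Reject an address whose length, checksum or version byte is wrong."""
    raw = base64.b32decode(addr.upper())
    if onion_address(raw[:32]) != addr.lower():
        raise ValueError("onion address fails the v3 checksum")

def parse_auth(line):
    """Service side (*.auth): descriptor:x25519:<base32 public key>"""
    fields = line.strip().split(":")
    if len(fields) != 3 or fields[:2] != ["descriptor", "x25519"]:
        raise ValueError("expected descriptor:x25519:<public key>")
    return decode_key(fields[2])

def parse_auth_private(line):
    """Client side (*.auth_private): <address>:descriptor:x25519:<base32 private key>"""
    fields = line.strip().split(":")
    if len(fields) != 4 or fields[1:3] != ["descriptor", "x25519"]:
        raise ValueError("expected <address>:descriptor:x25519:<private key>")
    check_address(fields[0])
    return fields[0], decode_key(fields[3])

# The service-side line from the post.
PAGE_AUTH = "descriptor:x25519:RO7N45JLVI5UXOLALOK4V22JLMMF5ZDC2W6DXVKIAU3C7FNIVROQ"
# Constructed sample values, not a real service or a real key.
SAMPLE_ADDR = onion_address(bytes(32))
SAMPLE_KEY = base64.b32encode(bytes(range(32))).decode().rstrip("=")
SAMPLE_PRIVATE = f"{SAMPLE_ADDR}:descriptor:x25519:{SAMPLE_KEY}"

if __name__ == "__main__":
    print("public key bytes:", parse_auth(PAGE_AUTH).hex())
    print("client file ok for:", parse_auth_private(SAMPLE_PRIVATE)[0])
```

Running a check like this before restarting tor catches a truncated key or a mistyped address in either file.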
Use case for students
If you want to demo your web project to a selected group of people but don't
want to spend money to get a web server or VPS, Onion services are a great way
to showcase your work to the world. With the authenticated services, you can
choose who can view the site/service you are running.