Tor Only VPS (IPv6)

  • Fix DNS Resolution
# Point the resolver at Cloudflare, IPv6 first and IPv4 second. tee runs under
# sudo because a plain "sudo echo ... > file" redirection would be performed by
# the unprivileged shell. Lookups made through this resolver leave the VPS
# directly, not via Tor.
# NOTE(review): DHCP clients or systemd-resolved may rewrite this file; confirm it survives a reboot.
printf 'nameserver %s\n' 2606:4700:4700::1111 1.1.1.1 | sudo tee /etc/resolv.conf >/dev/null

  • Install and Configure Tor

Creating a Swap File

  • May help if tor can’t bootstrap
# Create and enable a 500 MB swap file.
swapfile=/swapfile
sudo fallocate -l 500M "$swapfile"
# Restrict the file to root before formatting it: swap can hold pages of
# process memory, key material included.
sudo chmod 600 "$swapfile"
sudo mkswap "$swapfile"
sudo swapon "$swapfile"
  • Add this line to /etc/fstab (for example with sudo nano /etc/fstab) so the swap file is enabled at boot:
# Enable the swap file at every boot (fields: device, mount point, type, options, dump, fsck pass).
/swapfile none swap sw 0 0

# Refresh the package index, then install the Tor daemon and the torsocks wrapper.
sudo apt update && sudo apt install tor torsocks -y
  • Edit /etc/tor/torrc:
# Enable IPv6-only operation: never use IPv4 for client connections, and prefer
# a relay's IPv6 ORPort when it has one.
# NOTE(review): on Tor releases where ClientUseIPv6 defaults to 0 it also has to
# be set to 1; check tor(1) for the installed version.
ClientUseIPv4 0
ClientPreferIPv6ORPort 1

# Logging
#Log notice stdout

# Hidden SSH service
# HiddenServiceDir holds this onion service's hostname file and private keys;
# anyone who can read the keys can impersonate the service.
HiddenServiceDir /var/lib/tor/hidden_ssh/
# Virtual port 6666 on the .onion address is forwarded to sshd on 127.0.0.1:22.
HiddenServicePort 6666 127.0.0.1:22
  • Apply and restart:
# Restart Tor so it reads the new torrc, then follow its log while it bootstraps.
# NOTE(review): on Debian-style packages the daemon may log under the
# tor@default unit; if nothing appears here, try `journalctl -u tor@default -f`.
sudo systemctl restart tor
sudo journalctl -u tor -f

  • Grab your .onion:
# Print the service's .onion address. Only the hostname file is meant to be
# shared; the key files in the same directory are the service's identity and
# stay on the server.
sudo cat /var/lib/tor/hidden_ssh/hostname

  • OpenSSH Configuration (Optional Hardening)

    • Edit /etc/ssh/sshd_config:
# sshd stays on port 22; torrc forwards onion port 6666 to 127.0.0.1:22.
Port 22
# NOTE(review): with no ListenAddress set, sshd also accepts connections on the
# VPS's public address. For onion-only access, once login over Tor is confirmed:
#ListenAddress 127.0.0.1
# root may log in with a key but never with a password.
PermitRootLogin prohibit-password
# Password logins are disabled entirely; install your public key before restarting sshd.
PasswordAuthentication no
PubkeyAuthentication yes
  • Then:
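# Validate sshd_config first: restarting with a broken file would leave no SSH
# daemon running. Keep the current session open until a fresh login succeeds.
sudo sshd -t && sudo systemctl restart ssh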
  • Connect Over Tor

    • From your local machine:
# Connect through the local Tor SOCKS proxy to onion port 6666.
# On first connect, compare the host key fingerprint ssh prints with the one
# from `ssh-keygen -lf` run on the server's host public key before accepting it.
torsocks ssh -p 6666 root@your.onion

# Or, with torsocks and ssh debug output, to troubleshoot a failing connection
TORSOCKS_LOG_LEVEL=5 torsocks ssh -vvv -p 6666 root@your.onion
  • Example .ssh/config
Host tor-vps
    # Replace with your .onion address. Comments are kept on their own lines:
    # ssh_config(5) only documents whole-line comments, and older OpenSSH
    # releases may treat trailing text as extra arguments.
    HostName YOUR_ONION_ADDRESS
    Port 6666
    # Change to your login user.
    User debian
    # Tunnel the connection through the local Tor SOCKS port 9050.
    ProxyCommand torsocks -P 9050 nc %h %p
    # DEBUG3 is the most verbose level; lower it once the connection works.
    LogLevel DEBUG3
    IdentityFile ~/.ssh/id_rsa

Enable HTTPS

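# Install lighttpd as the local web server on port 80.
sudo apt update
sudo apt install lighttpd openssl

# Enable the mod_openssl module:
# NOTE(review): this turns on lighttpd's own TLS listener; if it binds port 443
# it would compete with Caddy for that port. Confirm whether this step is needed.
sudo lighty-enable-mod ssl
# force-reload changes a system service, so it needs root like the commands above.
sudo service lighttpd force-reload
# NOTE(review): lighttpd listens on every address by default. For an onion-only
# site, set server.bind = "127.0.0.1" in /etc/lighttpd/lighttpd.conf so port 80
# is not reachable on the VPS's public address.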
  • NOTE: In the commands below, replace YOUR_ONION_ADDRESS with the address from /var/lib/tor/hidden_ssh/hostname.
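# Install Caddy (has easy TLS support)
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
# Import the repository signing key before adding the source: apt verifies the
# Caddy packages against this keyring, and without it `apt update` rejects the
# repository as unsigned.
# NOTE(review): the keyring path is the one the upstream list file references
# via signed-by; confirm it against the downloaded caddy-stable.list.
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' \
  | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy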

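# Create self-signed cert for your .onion (replace YOUR_ONION_ADDRESS)
# /etc/caddy is root-owned, so creating the directory and writing the key and
# certificate both need sudo.
sudo mkdir -p /etc/caddy/certs
cd /etc/caddy/certs
# -nodes leaves the private key unencrypted on disk so Caddy can load it
# unattended; file ownership and mode are the only thing protecting it.
# The certificate is self-signed (clients see a trust warning unless they pin
# it) and expires after 365 days.
sudo openssl req -x509 -newkey rsa:4096 -sha256 -days 365 \
  -nodes -keyout your_onion.key -out your_onion.crt \
  -subj "/CN=YOUR_ONION_ADDRESS.onion" \
  -addext "subjectAltName=DNS:YOUR_ONION_ADDRESS.onion"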

# Write the site definition: serve the onion hostname on port 443 with the
# self-signed pair and hand requests to the local backend on port 80.
# The quoted delimiter keeps the shell from expanding anything in the body.
# NOTE(review): as written the site listens on every address; a `bind 127.0.0.1`
# line inside the site block would keep it off the VPS's public address.
# NOTE(review): Caddy may also try to open port 80 for HTTP-to-HTTPS redirects,
# which lighttpd already holds. Check the Caddy log after the restart; the
# global option `auto_https disable_redirects` turns those redirects off.
sudo tee /etc/caddy/Caddyfile <<'EOF'
YOUR_ONION_ADDRESS.onion:443 {
  tls /etc/caddy/certs/your_onion.crt /etc/caddy/certs/your_onion.key
  reverse_proxy 127.0.0.1:80
}
EOF

# Reload the service so the new Caddyfile takes effect
sudo systemctl restart caddy

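# Variant that names the files after the onion hostname itself.
# NOTE(review): here YOUR_ONION_ADDRESS presumably stands for the full hostname
# including ".onion"; use one naming convention throughout.
sudo mkdir -p /etc/caddy/certs
cd /etc/caddy/certs
# The subjectAltName must be the bare hostname: clients match the SAN, not the
# CN, and a trailing "/" would make the certificate match no hostname at all.
sudo openssl req -x509 -newkey rsa:4096 -sha256 -days 365 \
  -nodes -keyout YOUR_ONION_ADDRESS.key -out YOUR_ONION_ADDRESS.crt \
  -subj "/CN=YOUR_ONION_ADDRESS" \
  -addext "subjectAltName=DNS:YOUR_ONION_ADDRESS"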
  
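  # Site block for /etc/caddy/Caddyfile. The certificate and key named on the
  # tls line must be the pair written by a single openssl run; a certificate
  # from one run and a key from another will not load.
  YOUR_ONION_ADDRESS:443 {
  tls /etc/caddy/certs/YOUR_ONION_ADDRESS.crt /etc/caddy/certs/YOUR_ONION_ADDRESS.key
  reverse_proxy 127.0.0.1:80
}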


# Keep the certificate files owned by root and readable only by the caddy
# group: the .key file is an unencrypted private key. The glob matches every
# file in the directory whose name contains "onion.".
sudo chown root:caddy /etc/caddy/certs/*onion.*
sudo chmod 640 /etc/caddy/certs/*onion.*
  • Finally, add the HTTPS port to the torrc configuration:
# Publish HTTPS on the onion address: onion port 443 is forwarded to 127.0.0.1:443.
# A HiddenServicePort line applies to the HiddenServiceDir above it, so placing
# this under /var/lib/tor/hidden_ssh/ serves the site on the same .onion
# address as SSH.
HiddenServicePort 443 127.0.0.1:443
  • Restart Services
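# Restart Tor so it picks up the new HiddenServicePort, then reload lighttpd.
# systemctl takes the verb before the unit name, and both commands need root.
sudo systemctl restart tor
sudo service lighttpd force-reload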