First of all, this tutorial is for educational purposes only. Make sure it's legal to use TOR in your country. You are responsible for your use of TOR and its related services.
Key Points
- A TOR (.onion) link allows users to browse a site using the TOR browser
- You can serve an IIS website over TOR on Windows Server for free
- Steps such as opening a port, setting a configuration file and running a background process are required
What You'll Need
As far as this tutorial goes, you will need the following to run an IIS site over TOR:
- A Windows Server 2022 VPS (Virtual Private Server) with Administrator permissions (use Softsys if you don't have a VPS)
- Tor Expert Bundle for Windows
- 7-Zip (to extract the contents of the .tar.gz file)
- A website that will run on IIS
Why Should You Offer A TOR Link?
TOR offers users a way to use the internet anonymously. While this can be used for both good and bad purposes, this tutorial assumes you are simply offering one of your existing public clearnet (e.g., .com) websites to be served to people who want to see it in a TOR browser.
Offering a TOR link can attract more readers or customers who may prefer TOR as a means to browse the internet without advertising networks logging their personal IP address.
Setting Up Your Website
Before you go on the path to setting up a TOR service, you should have some web page or application you want to run. It's best to start with a simple index.html page to make sure you have anything working at all.
In IIS Manager, go to Sites, then create a new site by going to the Actions menu and selecting "Add Website...". Give the site a name and set its path to the folder on your server you want served.
For the binding, keep it as http, then set 127.0.0.1 for the IP address and set the port to what you want this to be. For the purpose of this tutorial, it will be 8081. Leave the hostname blank.
For testing, the folder you set for the path should have an index.html file in it with some text you can use to identify it's working, example: testing123.
Once you have set this up, make sure your site is responding by opening PowerShell and running the command below (curl.exe is used because plain curl is an alias for Invoke-WebRequest in Windows PowerShell):
curl.exe -v http://127.0.0.1:8081
The result should include your testing message, such as testing123. If this works, you can move on to setting up TOR.
If you have an existing website or application you want to serve over TOR, you can simply add the binding of 127.0.0.1 on port 8081 (in this case).
Enabling The Port
To make sure that your service can be accessed, you will need to open the port you want to use. Go into the Windows Firewall (Windows Defender Firewall with Advanced Security). From there, click to make a "New Rule...".
Select Port as the rule type, then click Next, select TCP and type the specific port (e.g., 8081). Select "Allow the connection", then set it to Domain, Private and Public, give it a name and finish.
Setting Up The TOR Service
To be able to run a TOR website, you will need to run tor.exe.
Download
You can get the TOR .exe for Windows Server by using the Tor Expert Bundle. First, download the file to your server: https://www.torproject.org/download/tor/.
From here, extract the contents using 7-Zip and place the contents in a location such as: C:\tor
Configuration
By default, when you run tor.exe, it will look for a file called "torrc" located at: C:\Users\Administrator\AppData\Roaming\tor\torrc . If that is what you want to do, then the file will reside there.
You can create an extensionless file using PowerShell at the location you want using this command (change path if you want):
New-Item -Path "C:\tor\tor\torrc" -ItemType File -Force
From here, open the file in notepad.exe to make edits.
The contents of the file allow setting various parameters. For the purpose of this tutorial, the following will be used:
HiddenServiceDir C:\tor\TorHiddenServiceKeys
HiddenServicePort 80 127.0.0.1:8081
SocksPort 9050
In this case, the public/private keys and the host (URL) are stored in a specific folder. Port 8081 is the one your IIS website listens on, whereas 9050 is the default SOCKS port that the TOR service listens on.
If you want to run multiple TOR services on the same server, you will have these same variables again but each time they are listed, they will have different values, for example:
HiddenServiceDir C:\tor\TorHiddenServiceKeys2
HiddenServicePort 80 127.0.0.1:8082
SocksPort 9050
To use the configuration file you created when starting tor.exe, run the exe with the -f option:
tor.exe -f "C:\tor\tor\torrc"
Running The Service
While testing, you may want to run tor.exe in a command prompt like PowerShell to see what it's doing. However, once you confirm it's working, you will need a way to run the service in the background on the server so that when the server restarts, you do not need to take action to start it again.
The best way to run Tor is as a Windows Service. The following assumes you are running Windows Server 2022 and have set the location of the exe to be in a folder on your server at: C:\tor and configs at C:\tor\configs.
To install the Tor service:
C:\tor\tor\tor.exe --service install -options -f "C:\tor\configs\torrc"
If you need to change the path, remove the service by running:
C:\tor\tor\tor.exe --service remove
You can start or stop the service using these commands:
C:\tor\tor\tor.exe --service start
C:\tor\tor\tor.exe --service stop
If you go into Services on the server (Windows search "services"), you should see "Tor Win32 Service" installed and set to run automatically. This indicates that when you restart the server, it will start the tor.exe for you. If it's not set to start automatically, you can right click, go to properties and set this yourself.
Getting The ".onion" Link
Once your service has started, files are created in the directory set in your configuration file (HiddenServiceDir). In that folder, you will see a "hostname" file. Open this with notepad.exe and you will see random letters and numbers followed by ".onion".
On another computer, download and install the TOR browser: https://www.torproject.org/download/
Once installed, you can paste in your ".onion" link and then you should see the test message you set in the index.html "testing123". If you can see this, it means everything has been set up and you are running a TOR service.
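To review every service defined in a torrc at once, including the multi-service layout shown earlier, the following added example (not part of the original tutorial) pairs each HiddenServiceDir with its HiddenServicePort lines, reads the matching hostname file and flags any target that is not the local machine. Get-OnionService is a hypothetical helper name, and the default path is the torrc location used in this tutorial.

```powershell
# Added example, not from the original tutorial. Get-OnionService is a hypothetical name.
function Get-OnionService {
    param([string]$TorrcPath = 'C:\tor\tor\torrc')
    $services = @()
    $current  = $null
    foreach ($raw in Get-Content -LiteralPath $TorrcPath) {
        $line = ($raw -replace '#.*$', '').Trim()   # drop comments and padding
        if ($line -match '^HiddenServiceDir\s+(.+)$') {
            # Each HiddenServiceDir line starts a new service block.
            $current = [pscustomobject]@{
                Dir = $Matches[1].Trim('"'); Ports = @(); Onion = $null; LoopbackOnly = $true
            }
            $services += $current
        }
        elseif ($line -match '^HiddenServicePort\s+(\d+)(?:\s+(\S+))?$') {
            if (-not $current) { throw "HiddenServicePort before any HiddenServiceDir: $raw" }
            # With no target given, Tor maps to the same port on 127.0.0.1.
            $target = if ($Matches[2]) { $Matches[2] } else { "127.0.0.1:$($Matches[1])" }
            $current.Ports += "$($Matches[1]) -> $target"
            # Anything other than a loopback address or a bare port is flagged for review.
            if ($target -notmatch '^((127\.0\.0\.1|localhost|\[::1\])(:\d+)?|\d+)$') {
                $current.LoopbackOnly = $false
            }
        }
    }
    foreach ($s in $services) {
        # The hostname file only exists after Tor has started with this config.
        $hostFile = Join-Path $s.Dir 'hostname'
        if (Test-Path -LiteralPath $hostFile) {
            $s.Onion = (Get-Content -LiteralPath $hostFile -Raw).Trim()
        }
    }
    $services
}

# Usage: Get-OnionService | Format-List
```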
Challenges With Applications
If you are able to get a simple website html page served over TOR, you can then consider running a .NET application in the folder you are serving the content from.
For the most part, no changes are required to run a .NET web application. However, you may run into challenges such as when you force redirect http to https on your clearnet site. In this case, you may need to either allow unsecure http connections for your public facing site (the .com version) or block them entirely. The reason is that this TOR service is served over http, not https. So, if your application tries to redirect an http user, the TOR browser will not be able to serve it.
Depending on your needs, you could deploy a second version of your site to another folder for TOR so that it runs with http and then have your first version be the one that redirects http to https. For some applications, especially ones that use caching or cannot deploy the same site to both folders easily, this option becomes much more complicated.
You will need to determine what your requirements are to be able to serve the same site over different ports with redirections. It may be best to just allow ports 443 and your TOR port, ignoring port 80 completely.
Security Improvements
In trying to make your TOR service as secure as possible, you should try to remove all external clearnet resources so that all the resources load over TOR. For example, if you are using a CDN for your CSS, you will want to try to host that in the application directory so that it does not make a clearnet request.
Furthermore, many people on TOR do not use JavaScript as it can compromise their anonymity through tracking. Therefore, if you are going to have a TOR service, be aware that it should work without JavaScript enabled. Rely on CSS for style.
Backing Up And Moving Your Service
When you create a TOR service, you get a folder with files like: hostname, hs_ed25519_public_key and hs_ed25519_secret_key. They are used with your TOR service.
What about the situation where your server goes offline and you need a new one, or if you want to move to another server? Unlike a traditional .com website, you cannot point DNS through a centralized location or company to change the IP of your site.
The good news is, you can back up your TOR service using PowerShell, save this information offline as a string of text and then restore your service.
Backing Up Your Service Keys
Restoring Your Service Keys
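One way to do both the backup and the restore, as an added example that is not the original tutorial's code: the three files in HiddenServiceDir are packed into a single Base64 string and unpacked again on the new server. The function names are hypothetical, and the default folder is the HiddenServiceDir used in this tutorial's torrc.

```powershell
# Added example (not from the original tutorial); function names are hypothetical.
# The exported string contains hs_ed25519_secret_key: whoever holds it can run
# your .onion address, so store it like a password.
$KeyFiles = 'hostname', 'hs_ed25519_public_key', 'hs_ed25519_secret_key'

function Export-OnionServiceKeys {
    param([string]$HiddenServiceDir = 'C:\tor\TorHiddenServiceKeys')
    $bundle = [ordered]@{}
    foreach ($name in $KeyFiles) {
        $path = Join-Path $HiddenServiceDir $name
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { throw "Missing key file: $path" }
        # Read raw bytes: the key files are binary and a text read would corrupt them.
        $bundle[$name] = [Convert]::ToBase64String([IO.File]::ReadAllBytes($path))
    }
    $json = $bundle | ConvertTo-Json -Compress
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($json))
}

function Import-OnionServiceKeys {
    param(
        [Parameter(Mandatory)][string]$Backup,
        [string]$HiddenServiceDir = 'C:\tor\TorHiddenServiceKeys'
    )
    $json   = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Backup.Trim()))
    $bundle = $json | ConvertFrom-Json
    # Decode everything first so a damaged backup never leaves a half-written folder.
    $decoded = @{}
    foreach ($name in $KeyFiles) {
        if (-not $bundle.$name) { throw "Backup is missing $name" }
        $decoded[$name] = [Convert]::FromBase64String($bundle.$name)
    }
    New-Item -ItemType Directory -Path $HiddenServiceDir -Force | Out-Null
    foreach ($name in $KeyFiles) {
        [IO.File]::WriteAllBytes((Join-Path $HiddenServiceDir $name), $decoded[$name])
    }
    # Return the restored address so it can be compared with the old one.
    [Text.Encoding]::ASCII.GetString($decoded['hostname']).Trim()
}

# Old server:   $backup = Export-OnionServiceKeys
# New server:   C:\tor\tor\tor.exe --service stop
#               Import-OnionServiceKeys -Backup $backup
#               C:\tor\tor\tor.exe --service start
```

Keep the string offline and never run the same keys on two servers at the same time.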
Making It Easy To Find
To let users know there is a .onion version of the site available, you will want to link to it at the bottom of your clearnet site with a link that says "TOR" or ".onion".
Additionally, if someone is using the TOR browser, they can discover your TOR service when a request returns an onion location header. The name of the header is "Onion-Location" and the value is your "http://whatever.onion" URL. Once added, a user will see the ".onion available" option in their address bar.
Sometimes it's difficult to set a custom header, so if that option doesn't work, adding an HTML meta tag with http-equiv="onion-location" and the "content" set to the URL of your TOR page will accomplish the same thing.
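Setting the header on an IIS site from PowerShell, as an added example that is not part of the original tutorial: the function names are hypothetical, and the site name and .onion URL are supplied by you. Tor Browser only acts on Onion-Location when the clearnet page that sends it is served over https.

```powershell
# Added example, not from the original tutorial. Function names are hypothetical;
# the site name and .onion URL are values you supply.
Import-Module WebAdministration

function Set-OnionLocationHeader {
    param(
        [Parameter(Mandatory)][string]$SiteName,   # name of the clearnet site in IIS Manager
        [Parameter(Mandatory)][string]$OnionUrl    # http:// plus the contents of the hostname file
    )
    # A v3 .onion address is 56 base32 characters (a-z, 2-7); reject anything else
    # so a typo never sends visitors to the wrong address.
    if ($OnionUrl -notmatch '^https?://[a-z2-7]{56}\.onion(/.*)?$') {
        throw "Not a valid v3 .onion URL: $OnionUrl"
    }
    $sitePath = "IIS:\Sites\$SiteName"
    $headers  = 'system.webServer/httpProtocol/customHeaders'
    $entry    = "$headers/add[@name='Onion-Location']"
    if (Get-WebConfiguration -PSPath $sitePath -Filter $entry) {
        # Header already present: update its value instead of adding a duplicate.
        Set-WebConfigurationProperty -PSPath $sitePath -Filter $entry -Name 'value' -Value $OnionUrl
    }
    else {
        Add-WebConfigurationProperty -PSPath $sitePath -Filter $headers -Name '.' `
            -Value @{ name = 'Onion-Location'; value = $OnionUrl }
    }
}

function Get-OnionLocationHeader {
    param([Parameter(Mandatory)][string]$ClearnetUrl)
    # Returns the advertised .onion URL, or nothing if the header is not being sent.
    $response = Invoke-WebRequest -Uri $ClearnetUrl -UseBasicParsing
    $response.Headers['Onion-Location']
}

# Usage (placeholders):
#   Set-OnionLocationHeader -SiteName '<your site>' -OnionUrl 'http://<your address>.onion'
#   Get-OnionLocationHeader -ClearnetUrl 'https://<your clearnet domain>/'
```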
Summary
Now you have seen how to create a TOR service on IIS using only Windows based products and open source software. This gives you more power and ability to use your existing solutions to reach more people who you otherwise may not be able to reach due to their privacy and security concerns.