Dec. 14, 2019, 4:50 p.m.

Hosting a website within a Carrier Grade NAT using Tor

My ISP just enabled Carrier Grade NAT (CGNAT), this means that all of my public/private facing web services through a dynamic DNS service has been unreachable. I did try to use some service alternative to ngrok ( but they are unreliable. I also do not have a VPS host and do not plan on hosting one in the near future. All I have is a Raspberry Pi and a Slow CGNAT ISP.

A possible solution is to use the Tor network to host my website by creating my own hidden service (not so hidden anymore), but the drawback is the slow network throughput and normal people that uses the clearnet does not know how to access onion sites. The positive side of things is, the Tor network protects the anonymity of the visitors of this site.

So, how to create your own hidden service?

Here are the steps that I used in building my own hidden service.


  • 24/7 PC (Raspberry Pi or other Pi derivatives)
  • Debian GNU+Linux based OS
  • Internet connection be it CGNAT or not
  • A webserver setup (I assume that your website is accessible from localhost port 80)
  • We need to install the tor package using the apt command.

$ sudo apt install apt

You may also want to use the packages from the torproject website instead of the Debian repo, but this is out of the scope of this tutorial.

  1. Configuring the tor, we need to edit the /etc/torrc file and add the folling at the end of the file:
    HiddenServiceDir /var/lib/tor/hidden_service/
    HiddenServicePort 80
  2. This means that the hidden service will bind to port 80 and create a service that can be accessible to port 80. Restart tor service and determine your onion address by navigating to /var/lib/tor/hidden_service/, view the file hostname this contains the full onion url of your new hidden service.$ cat /var/lib/tor/hidden_service/hostname

Further hardening of the web server and tor configuration is recommended. Enjoy your new hidden service and do not do anything illegal!


I also want to be able to ssh to my home machine using tor.
We need to edit the file /etc/tor/torrc:

HiddenServiceDir /var/lib/tor/ssh_hidden_service/
HiddenServicePort 2222

This will create a hidden service after we restart tor sudo systemctl restart tor
To find our onion accessible url just execute:

$ sudo cat /var/lib/tor/ssh_hidden_service/hostname

We also need to disable SSH’s password authentication as it will make our machine vulnerable to brute force attacks, it is recommended to use public key authentication.

Edit the file: /etc/ssh/sshd_config

 PasswordAuthentication no
 PermitRootLogin no

This will disallow root login and password logins.

Finally, to be able to login to our onion ssh. We need to install a package called: netcat-openbsd
If not done already, you also need to install tor to your client machine to be able to access onion urls.

Edit this file ~/.ssh/config

Host pi
 HostName myrandomverylongtorlink.onion
 port 22
ProxyCommand nc -X 5 -x %h %p

Try to connect to our onion ssh:

$ ssh pi@pi

Enter passphrase for key '/home/user/.ssh/id_rsa': 
Last login: Fri Mar  6 11:44:55 2020 from 172.x.x.x
pi@PI:~$ whoami

Note that the speed is slow, I would recommend to use tmux or screen for you to not loose your session.