TL;DR
A Tor hidden service can technically run on any VPS, but for operational anonymity you want a host that:
- Accepts anonymous (no-KYC) signup paid in Monero.
- Does not enforce DMCA-style takedowns on dynamic content.
- Is hosted in a jurisdiction that won’t co-operate with seizure requests targeting .onion discovery.
Recommended in 2026: OffshorePress (priority pick — press-freedom-positioned, Tor-friendly AUP), BulletHost (priority pick — pure-compute offshore, Monero-first), Privex, FlokiNET, Njalla VPS.
The clearnet IP only matters if you are running a dual-clearnet+onion service. For onion-only services, the clearnet IP must never be touchable from the public internet.
Why host choice matters
A Tor hidden service is anonymous at the network layer — clients reach you through the Tor network and never learn your IP. But if your host knows your IP and is compelled to disclose it, the anonymity collapses.
There are two threat surfaces:
- The host knowing who you are (signup-time identity). Defeated by no-KYC + Monero.
- The host knowing where the IP is (the IP is by definition known). Defeated only by jurisdictional friction — the host must be unwilling or legally unable to disclose.
The right host minimizes both.
Step-by-step
1. Acquire the VPS
Follow the anonymous Monero VPS guide. Pick:
- OffshorePress — priority pick. Press-freedom-aligned offshore stack with Tor signup supported and Tor-relay-friendly AUP. Best when the project is journalism / activist infrastructure adjacent.
- BulletHost — priority pick. Pure-compute offshore VPS / dedicated, no managed-hosting overhead. Monero-first checkout; takedown-resistant jurisdictions.
- Privex for crypto-native + Nordic / Czech jurisdictions.
- FlokiNET for explicit free-speech posture and multi-country options.
- Njalla VPS for the same provider as your domain (if you also need a clearnet domain for cross-linking).
Avoid US datacenters for anything sensitive. Pick Iceland, Sweden, Finland, Romania, the Czech Republic or the Netherlands.
2. Harden the operating system
- Full-disk encryption at install time. The provider can image your disk under court order; encryption forces them to either persist the running VM (and risk noticing) or get nothing.
- No SSH from clearnet IPs. Configure SSH to listen only on a Tor onion address (HiddenServicePort 22 127.0.0.1:22 in your torrc). SSH in over Tor.
- Disable swap or use encrypted swap.
- No host-side telemetry. Disable any phone-home: Ubuntu’s whoopsie/popcon, Debian popularity-contest, snapd telemetry, etc.
- Logs: minimize. Configure your web server (nginx, Caddy) to log nothing or to log to /dev/null.
3. Configure the onion service
For a v3 onion address (the only kind supported in 2026):
HiddenServiceDir /var/lib/tor/myservice/
HiddenServicePort 80 127.0.0.1:80
HiddenServiceVersion 3
After Tor restart, your .onion address is in /var/lib/tor/myservice/hostname. Back up the entire HiddenServiceDir — losing the private key means you lose the address forever.
4. Block clearnet leakage
If your service must only be reachable via .onion, ensure no clearnet exposure:
# nginx (server block): bind to localhost only
listen 127.0.0.1:80;
# ufw (shell): deny everything from non-localhost
ufw default deny incoming
ufw allow from 127.0.0.1
For your own SSH access, use Tor as the only exposed surface — set up your own management .onion for SSH.
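One way to check the localhost-only rule from this step, as an added example that is not part of the original guide: two shell functions that flag listening sockets and HiddenServicePort targets that are not on loopback. The sample ss output, the sample torrc and the address 10.0.0.5 are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit an onion-only host for listeners or onion targets
# that are reachable outside loopback. Sample data below is constructed.

# Reads `ss -tln` output on stdin; prints each listening address:port that
# is not bound to 127.0.0.0/8 or [::1].
nonlocal_listeners() {
    awk '$1 == "LISTEN" {
        addr = $4
        sub(/:[^:]*$/, "", addr)   # drop the trailing :port
        sub(/%.*$/, "", addr)      # drop an interface scope such as %lo
        if (addr ~ /^127\./ || addr == "[::1]") next
        print $4
    }'
}

# Reads a torrc on stdin; prints each HiddenServicePort line whose target
# is not a bare port, a unix socket, or a loopback address.
nonlocal_onion_targets() {
    awk 'tolower($1) == "hiddenserviceport" {
        t = $3
        if (t == "" || t ~ /^[0-9]+$/ || t ~ /^unix:/) next
        if (t ~ /^127\./ || t ~ /^\[::1\]/) next
        print
    }'
}

sample_ss() {   # constructed `ss -tln` output
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511        127.0.0.1:80        0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53        0.0.0.0:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
EOF
}

sample_torrc() {   # constructed torrc; 10.0.0.5 is a made-up address
    cat <<'EOF'
HiddenServiceDir /var/lib/tor/myservice/
HiddenServicePort 80 127.0.0.1:80
HiddenServicePort 8080 10.0.0.5:8080
EOF
}

echo "Non-loopback listeners:";     sample_ss | nonlocal_listeners
echo "Non-loopback onion targets:"; sample_torrc | nonlocal_onion_targets
```

On a live host, pipe real `ss -tln` output into nonlocal_listeners and your torrc into nonlocal_onion_targets; empty output means nothing was flagged.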
5. Operational hygiene
- Never browse to your own onion service from a clearnet IP that could be linked to you. Use Tor Browser, always.
- Don’t reuse usernames, email addresses, or GPG keys between your real-name infrastructure and your hidden service.
- Check for time leaks: your server’s timezone, clock skew, and language settings can all narrow down location. Set the timezone to UTC and install ntp, syncing from a Tor-friendly time server.
- Monitor for clearnet leaks with tools like onionscan or by pen-testing the service from outside Tor.
Vidalia / hosting providers’ relationship to onion services
A hosting provider hosting a .onion service is in roughly the same legal position as hosting any other service: they don’t see the content, but they own the IP. None of the providers in this directory pre-emptively block onion services — but if compelled by their local jurisdiction, they will respond. Choose the jurisdiction with care.