Technical articles focussed on security and privacy

Our goals

  • A truly anonymous VPS
  • Capable of running a secure and private email server
  • Not leaving any traces during setup and use that could reveal our true identity.

This is exactly how we setup MadWizards.Net itself.

Focus in this article is on the security and privacy steps, specific how-to's about installation of some of the software components might be depending on your OS-version and can be found everywhere on the internet.

Although your VPS and ISP might claim not to store any log files, in this article we just assume they do. Even if they produce their server logs to the authorities, we still want to keep our identities hidden. This article describes how to achieve that.


In this section we install our tools, discuss some digital hygiene, obtain a VPS and a domain name, and setup the DNS.


It is best to use only one device for setting up and maintaining the VPS. I use linux on my laptop, just like on the VPS. For maximum security, use the tails distribution, but other distributions are fine too if you know what you are doing.

Since we are going to use TOR exclusively for all access to the VPS, using your normal ISP would be fine. Routing your traffic via a VPN would add a bit extra security. If you are really paranoia, you could buy a “burner phone” with a prepaid SIM card to use as a hot-spot, or use a public (or compromised) WiFi.


You will have to pay for the VPS and domain name. Of course, if you use your credit card or Paypal account it is easy to trace the ownership of the VPS back to you. The providers I used accept cryptocurrency.

There is a lot of information on the internet how to safely acquire cryptocurrency without leaving a trace. Do some research about this.


The use of the TOR network is essential for all these and future steps. We need two components installed on your laptop:

  • A working TOR node.
  • The TOR browser.

The TOR browser comes with its own internal TOR node, but we still need an “external” TOR node to use for SSH.

There are rumors that TOR has been compromised in the past, and while this might be true, it is really an academic exercise to trace a specific TOR user. It takes a lot of time and effort. It took years to take down “silkroad”. While you are setting up your VPS, we can safely assume that you are not (yet) a target of prying eyes. So TOR is good enough.

In the rest of this article we assume that you are always using the TOR-browser for any of the steps described.

Domain name

Now it is time to think about a domain name.

What, you already thought about a domain name and have checked that it is available? Too bad, now you can not use it anymore. Because by checking for the availability of that specific domain, someone has your IP logged, and guess who later ends up buying that specific domain? It is too easy to connect the dots...

Ok, now think about a (new) domain name, and check for its availability using the TOR-browser only.

Safety net

If you ever mistakenly use a normal browser instead of your TOR-browser, even only once, you have spoiled the whole thing as there might now be logs showing that your IP has accessed the “anonymous” VPS. Especially in the beginning, it would be very bad if the very first IP accessing the VPS can be traced to your personal internet subscription...

To make this mistake less likely, you should somehow resolve any DNS requests for your domain to localhost. The easiest way to do this (assuming you run linux) is to edit the /etc/hosts file on your laptop like this: nano /etc/hosts

Add the following line:

If you now try to access your domain, your request will be routed to your laptop instead of the outside world and you will just receive an error.

Do this on all the machines in your house. You should never access your VPS with your home IP. Of course, if you have your own home DNS server like PiHole, you could blacklist your own domain there as well.

This safety net is not fool proof, some software may ignore your DNS settings and stubbornly request the IP directly from an “outside” DNS server. But at least, this safety net will catch the most common mistakes, like trying to open your domain with a normal browser.

Create a free account on Proton Mail

We need a temporary email account to arrange our VPS and domain name. Of course you can't use your gmail account for that! I used Proton Mail for it. Again (I will soon stop repeating this), it is utterly important that you setup this mail account via the TOR browser.

Create an account on

While there might exist other privacy claiming VPS providers I have chosen 1984hosting for a couple of reasons:

  • Iceland has among the best privacy and free speech rules world wide.
  • Iceland is a stable country, not likely to suddenly change rules.
  • Iceland has a good technical infrastructure and “sits” above the cable connecting the American and European continent, so it has good connections both ways.
  • 1984hosting totally runs on renewable energy.

While creating the account, 1984hosting asks for an email address for verification. This is why we created the Proton Mail account. Once your email server is up and running, you can change your email address to your own email server and delete your Proton Mail account.

SSH keys

If you don't have an SSH key-pair yet, it is now time to create one. There are plenty of howto's on the internet, I think it is beyond the scope of this article to guide you through this.

Order the VPS

When ordering the VPS, at some point you can upload your public SSH key. This secures your VPS right from the beginning. For the OS I chose Ubuntu 22.04 because there are many software packages for it and many “howto's”. Of course, at some point in the order process you need to pay for the VPS, and to keep your identity hidden you will have to pay with cryptocurrency.

Once you have obtained the VPS, resist the temptation to SSH into it. We first need to configure SSH to work via TOR, we will do that later.

Before you setup the VPS, it might be a good idea to check its IP address against blacklists. You don't know who the previous owner of the IP was; if it happened to be a spammer you will get problems if you setup your own email server. If it is blacklisted, you might request another IP address. You can check your IP here

Order the domain name

I ordered the MadWizards.Net domain from which is a anonymous domain name registrar. Again, here you can use your Proton Mail account and pay with cryptocurrency.

Setup the DNS

Once you have obtained your domain, optionally point the nameserver of Njalla to the FreeDNS server of 1984hosting. There is some information on 1984hosting how you can accomplish this.

Whatever nameserver you choose, you will have to add at least the following DNS entries:

  • An A-record to point your apex domain (@) to the IP of the VPS

If you want to install a mail server on your VPS, you can already add the necessary entries while you are at it:

  • An A-record to point your mail subdomain (mail) to the IP of the VPS
  • An MX-record to point your mail server to your mail subdomain, like (

Setup access to the VPS

In this section we will setup a secure way to access the terminal of our VPS. First we will use SSH over TOR to access the normal port 22, then we will setup a TOR hidden service to keep our SSH business entirely within the TOR network.

Setup SSH to use TOR

Before we can SSH into our VPS, we need to make sure the communication is routed over TOR. To accomplish this, create a config file in your .ssh directory, like:

nano ~/.ssh/config

In this file, copy something like the following:

Host *.onion
        Compression Yes
        ProxyCommand /bin/nc -x10.8.0.1:9050 -X5 %h %p

Host madwizards
        #User root
        IdentityFile /home/franz/.ssh/id_rsa_mw
        IdentitiesOnly yes
        Compression Yes
        ProxyCommand /bin/nc -x10.8.0.1:9050 -X5 %h %p

A few notes here:

  • Check that you actually have /bin/nc installed. If not, install it.
  • Hostname should refer to the IP of your VPS. Change it!
  • You need to review the line “IdentityFile”: It should point to your private SSH key. Your path and filename are likely different. Adjust.
  • You might want to change “madwizards” in something else. It doesn't has to be your domain name, it could just be 'guesswho' or whatever. It is an identifier so that you can later just enter ssh root@guesswho and the right entry will be taken from the config file.
  • The “ProxyCommand” will need to point to the TOR ip:port. I use because I use the TOR node on my external private VPN. If you use TOR on your laptop, change it into

SSH into the server via TOR

If everything went well, we can now SSH into the VPS, with ssh root@madwizards or whatever nickname you selected in the previous step.

You will notice that SSH is quite “sluggish” via TOR. Get used to it. It is now a sign that you are secure.

We can now install some software on the VPS, like:

apt update
apt upgrade
apt install tor

It is also a good idea to harden the security of the VPS a little bit more. Verify that password access in SSH is disallowed, and maybe setup a firewall.

Don't install too much yet though, it is better to first accomplish the following step.

Setup SSH access via TOR hidden service

We take our privacy one step further from here. We can already SSH into the server via TOR, but this means that the SSH-port of our VPS is accessed from some random TOR exit node. The TOR exit node can see your access (although he can not know where it is coming from) and the VPS host can see that there is SSH-access via port 22. Even seeing this access (although it is encrypted) reveals some information, like at what time the access took place (so what likely timezone you are in) and might correlate with other observations from your server (like a slower response or down time while you are doing some maintenance on it). So it is best to hide even the information when the server is being accessed by someone.

If we setup a TOR hidden service for port 22, we can keep the access completely within the TOR network. There is no longer a TOR exit node involved, there is no longer any port 22 access from the outside. Even the fact that “someone” is doing “something” is now completely concealed.

(In fact we could now close port 22 in the firewall, but this means that we would no longer be able to access our server if for some reason TOR went down. So we keep it open but just don't use it anymore, except in an emergency or when fixing a problem with TOR itself.)

Setup a hidden service for port 22 in TOR. There are plenty of “howto's” on the internet.

Once we have obtained the onion hostname of the hidden service, edit your ~/.ssh/config again: nano ~/.ssh/config

Add another entry:

Host madwizards.onion
        Hostname 7tduhinx5duni3wunung873ehernbqjfyd.onion
        IdentityFile /home/franz/.ssh/id_rsa_mw
        IdentitiesOnly yes


  • change “madwizards” into whatever nickname you came up with. It is important that it ends with “.onion” though.
  • Add your onion address after “Hostname”.
  • Point “IdentityFile” to your private ssh key.

Now we can, for additional security, also SSH via our hidden service:

ssh root@madwizards.onion


Congrats! You now have your own anonymous private VPS, ready to be loaded with software like your own anonymous email server, messenger, blog, etc.

From here setting up whatever services you want is the same as for any other VPS. You can follow the myriad of tutorials on the internet. Just make sure that you always use SSH via TOR, never use your gmail account to register something, and never log in to any service with credentials that you have used insecurely before.

Also, don't access any of your services with apps, your mobile phone, or whatever. Especially in the beginning, the first IP accessing a particular service is usually the IP of the owner...

In follow up articles we will talk a bit more about setting up services and how to use them without revealing your identity.

Franz (administrator) Fediverse (“Mastodon”) handle:

It seems like nobody has figured it out yet: How to use your email client (like Thunderbird) over TOR to access a “private” email provider. Almost all “private” email providers like Proton Mail only allow you to read your mail via a web service, either via the clearweb or via a TOR hidden service. But you might like to access your mail account via your own email client like Thunderbird, to get a notification when you have new mail, to keep the mail on your own system and access it offline. Yes, it is possible to do this completely safe and private but it looks like until now nobody figured out how to do it. Well here it is (don't skip the donate button!).

I tested this with Thunderbird with it will most likely work with any email client. No plugins are necessary.

What we are doing is setting up a few SSH-tunnels via TOR into the email-server. The SSH-tunnel will provide a few alternate ports and all you have to do in your email client is to change the port numbers. In this example we just added 8000 to the standard ports.


  • You have setup an anonymous VPS like in my previous post. (Really, there is no point in accessing your VPS with TOR if it is already known that you are associated with it.)
  • You have installed a mail server on the VPS.
  • You have tested with a local mail client on the VPS that imap works. I installed RoundCube on the VPS which is a web based mail client.
  • You have a laptop running linux with TOR installed on it. See again my previous post for more information.

On the server

First we create a new user “mailtunnel” without a home directory, without logging, and without shell access: useradd mailtunnel -s /bin/false -l -M

Even though we didn't set a password, we still need to delete the password provision from the user (if you don't understand this exactly, don't care about it, I don't understand it either and don't care about it as long as it stops the unnecessary password prompt): passwd -d mailtunnel

Now we need to change /etc/ssh/sshd_config to allow (but restrict) this passwordless user. Append the following to /etc/ssh/sshd_config: nano /etc/ssh/sshd_config

Match User mailtunnel
	AllowTcpForwarding yes
	X11Forwarding no
	AllowAgentForwarding no
	PermitTunnel no
	GatewayPorts no
	ForceCommand /bin/false
	PasswordAuthentication yes
	PermitEmptyPasswords yes

This allows the user “mailtunnel” to log in without a password but also without any privileges, except for accessing the ports mentioned in the “PermitOpen” list. This is not insecure: These are exactly the ports that would be open to the public anyway if you would have a normal clearnet mailserver. Once someone connects to these ports the mailserver will take it from there and proceed through its normal login procedure with password and TLS encryption etc.

If you want to use POP3 then you should also add the associated ports to the “PermitOpen” command.

On the laptop

Add/create this to the ssh config file of the root. sudo nano /root/.ssh/config


Host *.onion
        Compression Yes
        ProxyCommand /bin/nc -x10.8.0.1:9050 -X5 %h %p

Host mail.madwizards.onion
        Hostname 7tduhhyhyo9urniduppnedul6ebqovs2kwmyen5d7o4bqjfyd.onion
        User mailtunnel
        ForwardAgent no
        ServerAliveInterval 30
        ServerAliveCountMax 3
        LocalForward 8143
        LocalForward 8993
        LocalForward 8587

A few notes:

  • The “Host” entry is just a name, it doesn't has to be an actual domain name, it can be anything.
  • The “ProxyCommand” should refer to the TOR ip:port. In this example I used because that is the IP of my VPN which runs a TOR node. If you have TOR on your laptop you should change it into
  • For the “Hostname” this should be your SSH hidden service on the VPS. (See my previous blog).
  • The “LocalForward” entry is our workhorse. It specifies the local port on the laptop, and the ip:port once it arrives on the VPS.
  • If you want to use POP3 as well, add a corresponding “LocalForward” entry for it.

You can now test to see if it is working with the command ssh mailtunnel@mail.madwizards.onion

It should not ask for a password but reply with a simple “connection closed”. It means that it successfully logged in and was thrown out immediately after executing the /bin/false command, which is exactly what we want.

If you want to test it with your email client, you could run this with the addition of the -N parameter: Allow some 10 seconds or so to setup the initial connection. ssh -N mailtunnel@mail.madwizards.onion

While this is running you should be able to use your email client.

Setup the email client

In the email client (like Thunderbird) you normally have to enter the mail server domain and its port. As the mail server domain, it is best to enter the mail server domain provided you have redirected it in your /etc/hosts file to (see my previous post). If for some reason you choose to do not so, you will have to enter as the mail server domain name. In this case you might run into problems that the security certificate of the mail server doesn't match the mail server name, so in this case use port 143 (8143) without encryption. For the port, enter the default port but add 8000 to it. So port 143 becomes 8143, port 993 becomes 8993 and port 587 becomes 8587.

Since the connection is over TOR, it will run a bit slower than normal.

Make the connection permanent

So far so good. We now need to make this tunnel permanent and automatic. The test command given above works but we would lose this connection at every temporary disconnect from the wifi, internet backbone, tor, closing the lid of the laptop, or whatever. Luckily, there is a program that can reconnect the SSH connection automatically after a disconnect: autossh. This is a small program with no dependencies.

To install autossh go to the terminal and execute: sudo apt install autossh

While we are at it, let's turn it into a system service. Create a new service file: sudo nano /etc/systemd/system/mailtunnel.service

And paste the following into the file:

Description=AutoSSH tunnel "mailtunnel"

ExecStart=/usr/bin/autossh -M 0 -N mailtunnel@mail.madwizards.onion


To start this service, execute: sudo systemctl start mailtunnel

To allow this service to start up automatically, execute: sudo systemctl enable mailtunnel


You now have a anonymous email server which you can operate with your standard email client. You will receive new mail popups, you can receive and send emails without having to think about security. All the communication between your email client and the email server will go into TOR straight from your laptop and will magically arrive in your VPS without ever leaving the TOR network.

If for some reason TOR stops, the email client will not fall back to insecure connections but just fail to connect altogether, exactly what we want.

Franz (administrator) Fediverse (“Mastodon”) handle: