How to setup a truly anonymous VPS
Our goals
- A truly anonymous VPS
- Capable of running a secure and private email server
- Not leaving any traces during setup and use that could reveal our true identity.
This is exactly how we set up MadWizards.Net itself.
The focus of this article is on the security and privacy steps; specific how-to's for installing the individual software components depend on your OS version and can be found everywhere on the internet.
Although your VPS provider and ISP might claim not to store any log files, in this article we simply assume they do. Even if they hand their server logs to the authorities, we still want to keep our identities hidden. This article describes how to achieve that.
Prerequisites
In this section we install our tools, discuss some digital hygiene, obtain a VPS and a domain name, and set up the DNS.
Hardware
It is best to use only one device for setting up and maintaining the VPS. I use Linux on my laptop, just like on the VPS. For maximum security, use the Tails distribution, but other distributions are fine too if you know what you are doing.
Since we are going to use TOR exclusively for all access to the VPS, using your normal ISP is fine. Routing your traffic via a VPN adds a bit of extra security. If you are really paranoid, you could buy a “burner phone” with a prepaid SIM card to use as a hotspot, or use a public (or compromised) WiFi.
Payment
You will have to pay for the VPS and the domain name. Of course, if you use your credit card or PayPal account, it is easy to trace the ownership of the VPS back to you. The providers I used accept cryptocurrency.
There is a lot of information on the internet about how to safely acquire cryptocurrency without leaving a trace. Do some research on this.
TOR
The use of the TOR network is essential for all these and future steps. We need two components installed on your laptop:
- A working TOR node.
- The TOR browser.
The TOR browser comes with its own internal TOR node, but we still need an “external” TOR node to use for SSH.
There are rumors that TOR has been compromised in the past, and while this might be true, tracing a specific TOR user is largely an academic exercise. It takes a lot of time and effort; it took years to take down “Silk Road”. While you are setting up your VPS, we can safely assume that you are not (yet) a target of prying eyes. So TOR is good enough.
In the rest of this article we assume that you are always using the TOR-browser for any of the steps described.
Domain name
Now it is time to think about a domain name.
What, you already thought about a domain name and have checked that it is available? Too bad, now you cannot use it anymore. By checking the availability of that specific domain, someone has logged your IP, and guess who later ends up buying that specific domain? It is too easy to connect the dots...
Ok, now think about a (new) domain name, and check for its availability using the TOR-browser only.
Safety net
If you ever mistakenly use a normal browser instead of your TOR browser, even only once, you have spoiled the whole thing, as there might now be logs showing that your IP has accessed the “anonymous” VPS. Especially in the beginning, it would be very bad if the very first IP accessing the VPS could be traced to your personal internet subscription...
To make this mistake less likely, you should somehow resolve any DNS request for your domain to localhost. The easiest way to do this (assuming you run Linux) is to edit the /etc/hosts file on your laptop:
nano /etc/hosts
Add the following line:
127.0.0.1 madwizards.net www.madwizards.net mail.madwizards.net
If you now try to access your domain, the request is routed to your own laptop instead of the outside world, and you will just get an error.
Do this on all the machines in your house. You should never access your VPS from your home IP. Of course, if you have your own home DNS server like Pi-hole, you can blacklist your own domain there as well.
This safety net is not foolproof: some software ignores /etc/hosts and stubbornly asks an “outside” DNS server for the IP directly. But it will catch the most common mistakes, like opening your domain in a normal browser.
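A small check for the safety net above, as an added example that is not part of the original article: it parses a hosts file the way the resolver does (first match wins, comments ignored) and reports every name of your domain that is not pinned to loopback. The domain names are the article's; the sample hosts file is constructed.

```shell
#!/bin/sh
# Added example (not from the original article): verify that a domain and its
# subdomains are pinned to 127.0.0.1 in a hosts file, so a slip with a normal
# browser fails locally instead of reaching the VPS from your home IP.

# Print the address a hosts file maps NAME to (first match wins, as libc does).
# Usage: hosts_lookup /etc/hosts mail.madwizards.net
hosts_lookup() {
    hostsfile=$1; name=$2
    # strip comments, then scan fields 2..N of each line for an exact match
    sed 's/#.*//' "$hostsfile" | awk -v n="$name" '
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }'
}

# Return 0 if every name given resolves to a loopback address in HOSTSFILE,
# listing the ones that do not. Usage: check_safety_net /etc/hosts name...
check_safety_net() {
    hostsfile=$1; shift
    rc=0
    for name in "$@"; do
        ip=$(hosts_lookup "$hostsfile" "$name")
        case $ip in
            127.*|::1) ;;                          # pinned to this machine: good
            "")  echo "MISSING  $name"; rc=1 ;;    # would go out to real DNS
            *)   echo "LEAKS    $name -> $ip"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample hosts file for demonstration (not a real system file).
SAMPLE_HOSTS=$(mktemp)
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1 localhost
# safety net for the anonymous VPS
127.0.0.1 madwizards.net www.madwizards.net
EOF

# mail.madwizards.net is deliberately absent, so the check reports it.
check_safety_net "$SAMPLE_HOSTS" madwizards.net www.madwizards.net mail.madwizards.net \
    && echo "safety net complete" || echo "safety net incomplete"
```

Run it against /etc/hosts on every machine in the house; a MISSING or LEAKS line means that machine can still reach the VPS by accident.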
Create a free account on Proton Mail
We need a temporary email account to arrange our VPS and domain name. Of course you can't use your Gmail account for that! I used Proton Mail for it. Again (I will soon stop repeating this), it is extremely important that you set up this mail account via the TOR browser.
Create an account on 1984hosting.com
While there might be other VPS providers that claim to respect privacy, I have chosen 1984hosting for a couple of reasons:
- Iceland has among the best privacy and free speech rules worldwide.
- Iceland is a stable country, not likely to suddenly change its rules.
- Iceland has a good technical infrastructure and “sits” above the cable connecting the American and European continents, so it has good connections both ways.
- 1984hosting runs entirely on renewable energy.
While creating the account, 1984hosting asks for an email address for verification. This is why we created the Proton Mail account. Once your email server is up and running, you can change the contact address to your own email server and delete the Proton Mail account.
SSH keys
If you don't have an SSH key pair yet, now is the time to create one. There are plenty of how-to's on the internet; guiding you through this is beyond the scope of this article.
Order the VPS
When ordering the VPS, at some point you can upload your public SSH key. This secures your VPS right from the beginning. For the OS I chose Ubuntu 22.04 because there are many software packages and many how-to's for it. Of course, at some point in the order process you need to pay for the VPS, and to keep your identity hidden you will have to pay with cryptocurrency.
Once you have obtained the VPS, resist the temptation to SSH into it. We first need to configure SSH to work via TOR, which we will do later.
Before you set up the VPS, it is a good idea to check its IP address against blacklists. You don't know who the previous owner of the IP was; if it happened to be a spammer, you will run into problems when you set up your own email server. If the IP is blacklisted, you can request another one. You can check your IP here
Order the domain name
I ordered the MadWizards.Net domain from Njal.la, which is an anonymous domain name registrar. Again, here you can use your Proton Mail account and pay with cryptocurrency.
Setup the DNS
Once you have obtained your domain, you can optionally point the nameservers at Njalla to the FreeDNS servers of 1984hosting. 1984hosting has some documentation on how to accomplish this.
Whatever nameserver you choose, you will have to add at least the following DNS entry:
- An A-record pointing your apex domain (@) to the IP of the VPS.
If you want to install a mail server on your VPS, you can already add the necessary entries while you are at it:
- An A-record pointing your mail subdomain (mail) to the IP of the VPS.
- An MX-record pointing the mail for your domain to that mail subdomain (mail.madwizards.net).
Setup access to the VPS
In this section we will set up a secure way to access the terminal of our VPS. First we will use SSH over TOR to reach the normal port 22; then we will set up a TOR hidden service to keep our SSH traffic entirely within the TOR network.
Setup SSH to use TOR
Before we can SSH into our VPS, we need to make sure the connection is routed over TOR. To accomplish this, create a config file in your .ssh directory:
nano ~/.ssh/config
In this file, copy something like the following:
Host *.onion
Compression Yes
ProxyCommand /bin/nc -x10.8.0.1:9050 -X5 %h %p
Host madwizards
Hostname 89.147.111.209
#User root
IdentityFile /home/franz/.ssh/id_rsa_mw
IdentitiesOnly yes
Compression Yes
ProxyCommand /bin/nc -x10.8.0.1:9050 -X5 %h %p
A few notes here:
- Check that you actually have /bin/nc installed, and that it is the OpenBSD variant (package netcat-openbsd on Debian/Ubuntu); the -x and -X proxy options used here are not available in the traditional netcat.
- Hostname should refer to the IP of your VPS. Change it!
- Review the line “IdentityFile”: it should point to your private SSH key. Your path and filename are likely different. Adjust.
- You might want to change “madwizards” into something else. It doesn't have to be your domain name; it could just be 'guesswho' or whatever. It is an identifier so that you can later just enter
ssh root@guesswho
and the right entry will be taken from the config file.
- The “ProxyCommand” needs to point to the TOR ip:port. I use 10.8.0.1 because I use the TOR node on my external private VPN. If you run TOR on your laptop, change it to 127.0.0.1.
SSH into the server via TOR
If everything went well, we can now SSH into the VPS, with
ssh root@madwizards
or whatever nickname you selected in the previous step.
You will notice that SSH is quite “sluggish” via TOR. Get used to it. From now on it is a sign that you are secure.
We can now install some software on the VPS, like:
apt update
apt upgrade
apt install tor
It is also a good idea to harden the security of the VPS a little bit more. Verify that password authentication in SSH is disabled, and maybe set up a firewall.
Don't install too much yet, though; it is better to first accomplish the following step.
Setup SSH access via TOR hidden service
We take our privacy one step further from here. We can already SSH into the server via TOR, but this means that the SSH port of our VPS is accessed from some random TOR exit node. The TOR exit node can see your access (although it cannot know where it is coming from), and the VPS host can see that there is SSH access via port 22. Even seeing this access (although it is encrypted) reveals some information, like at what time the access took place (and thus what timezone you are likely in), and it might correlate with other observations from your server (like a slower response or downtime while you are doing some maintenance on it). So it is best to hide even the information that the server is being accessed by someone.
If we setup a TOR hidden service for port 22, we can keep the access completely within the TOR network. There is no longer a TOR exit node involved, there is no longer any port 22 access from the outside. Even the fact that “someone” is doing “something” is now completely concealed.
(In fact we could now close port 22 in the firewall, but this means that we would no longer be able to access our server if for some reason TOR went down. So we keep it open but just don't use it anymore, except in an emergency or when fixing a problem with TOR itself.)
Set up a hidden service for port 22 in TOR. There are plenty of how-to's on the internet.
Once we have obtained the onion hostname of the hidden service, edit your ~/.ssh/config again:
nano ~/.ssh/config
Add another entry:
Host madwizards.onion
Hostname 7tduhinx5duni3wunung873ehernbqjfyd.onion
IdentityFile /home/franz/.ssh/id_rsa_mw
IdentitiesOnly yes
Again,
- change “madwizards” into whatever nickname you came up with. It is important that it ends with “.onion” though, because then the “Host *.onion” entry we added earlier also matches and supplies the ProxyCommand and Compression settings; this entry does not need to repeat them.
- Add your onion address after “Hostname”.
- Point “IdentityFile” to your private SSH key.
Now we can, for additional security, also SSH via our hidden service:
ssh root@madwizards.onion
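The hidden service step and the matching ~/.ssh/config entry, as an added example that is not part of the original article. The two torrc directives are standard Tor configuration; the nickname, the file paths and the sample onion hostname are constructed assumptions, and the demonstration runs on temporary files rather than the real /etc/tor/torrc.

```shell
#!/bin/sh
# Added example (not code from the original article): helpers for the hidden
# service step. The two torrc directives are standard Tor configuration; the
# nickname, paths and sample hostname are constructed assumptions.

# Append a hidden service for SSH to a torrc, once. The service must forward
# to 127.0.0.1:22 (not the public IP) so the hop never leaves the VPS.
# Usage: add_ssh_hidden_service /etc/tor/torrc /var/lib/tor/ssh
add_ssh_hidden_service() {
    torrc=$1; hsdir=$2
    # fixed-string, whole-line match so a re-run does not duplicate the stanza
    if grep -Fxq "HiddenServiceDir $hsdir" "$torrc" 2>/dev/null; then
        return 0
    fi
    printf 'HiddenServiceDir %s\nHiddenServicePort 22 127.0.0.1:22\n' "$hsdir" >> "$torrc"
}

# Print the hostname Tor writes into HSDIR/hostname after a reload, failing
# unless it has the v3 shape: 56 base32 characters (a-z, 2-7) plus .onion.
onion_hostname() {
    name=$(cat "$1/hostname" 2>/dev/null) || return 1
    printf '%s\n' "$name" | grep -Eq '^[a-z2-7]{56}\.onion$' || return 1
    printf '%s\n' "$name"
}

# Print the ~/.ssh/config entry for the hidden service. No ProxyCommand is
# needed here: the "Host *.onion" block already in the file supplies it.
# Usage: ssh_onion_entry guesswho /var/lib/tor/ssh /home/you/.ssh/id_rsa_mw
ssh_onion_entry() {
    nick=$1; hsdir=$2; keyfile=$3
    onion=$(onion_hostname "$hsdir") || return 1
    printf 'Host %s.onion\n    Hostname %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' \
        "$nick" "$onion" "$keyfile"
}

# Demonstration on constructed temporary files, not the real /etc/tor/torrc.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/hs"
add_ssh_hidden_service "$DEMO/torrc" "$DEMO/hs"
add_ssh_hidden_service "$DEMO/torrc" "$DEMO/hs"   # second call changes nothing
# constructed placeholder with the shape of a real v3 address (Tor generates
# the real one when it is reloaded with the stanza above)
echo 'abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion' > "$DEMO/hs/hostname"
cat "$DEMO/torrc"
ssh_onion_entry guesswho "$DEMO/hs" "$HOME/.ssh/id_rsa_mw"
```

On the real VPS, reload tor after appending the stanza and only then read the hostname file; the format check catches the common mistake of copying a truncated or mistyped address into ~/.ssh/config.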
Conclusion
Congrats! You now have your own anonymous private VPS, ready to be loaded with software like your own anonymous email server, messenger, blog, etc.
From here on, setting up whatever services you want is the same as for any other VPS. You can follow the myriad of tutorials on the internet. Just make sure that you always use SSH via TOR, never use your Gmail account to register anything, and never log in to any service with credentials that you have used insecurely before.
Also, don't access any of your services with apps, your mobile phone, or whatever. Especially in the beginning, the first IP accessing a particular service is usually the IP of the owner...
In follow-up articles we will talk a bit more about setting up services and how to use them without revealing your identity.
Franz (administrator) Fediverse (“Mastodon”) handle: @franz@madwizards.net