Onion hosting · reachable only over Tor

Run a Tor hidden service on a server nobody can trace to you

Onion hosting puts your site, app, or drop behind a .onion address on the Tor network — no public IP, no DNS, no exposed origin. Rent an anonymous VPS with full root, point your service at Tor, and pay in Monero. You don't exist. We don't ask.

Tor·
Reachable via .onion
0 ID·
No KYC at signup
XMR·
Monero-only billing
Root·
You hold the onion key
Start here

What onion hosting actually is

Onion hosting means running a service as a Tor onion service, reachable at a .onion address instead of a public IP and a DNS name. When someone visits, Tor routes the connection through a chain of relays to a rendezvous point, so the visitor never learns your server's IP and your server never learns theirs. There is no clearnet front door to scan, geolocate, or knock over.

Underneath, an onion service is still just software on a real machine. You run a web server, an API, a chat backend, or a file drop on localhost, and you tell the Tor daemon to publish that local port as a v3 onion address. Tor handles the introduction points, the descriptor, and the cryptography; you handle the service. That split is the whole appeal — you get a globally reachable endpoint with no exposed origin, no certificate authority in the loop, and address authentication baked into the name itself.

The catch is that the anonymity of the address is only as good as the anonymity of the machine behind it. A hidden service hides your server's IP from the world, but it does nothing about the account that rented the server. If your provider knows your name, your card, and the clearnet IP you SSH in from, then the hard part of your privacy has quietly been handed to a third party. Onion hosting done properly closes that gap end to end — and that is exactly what HushVPS is built for.

Why self-host

Reasons to run your own onion service

A shared onion platform hands you convenience in exchange for control. Self-hosting flips that: more setup, but the keys, the software, and the data are yours.

You hold the private key

The v3 onion key material is generated inside your VPS and never leaves it. Nobody can impersonate your address or seize it from a platform operator, because there is no platform operator holding it.

Run anything on it

A private Nextcloud, a Matrix homeserver, a static site, an SSH endpoint, an internal dashboard, a SecureDrop-style intake — if it listens on a port, you can publish it as an onion service. No platform whitelist decides for you.

No exposed origin

Because there is no public IP behind the service, there is nothing to port-scan, geolocate, or hit with a volumetric flood aimed at the origin. The clearnet attack surface you would normally defend simply is not there.

Onion hosting sits next to two related things worth knowing about: contributing bandwidth to the network with a VPS built for running a Tor relay, and doing your day-to-day administration privately, covered in our guide to managing your VPS entirely over Tor.

The high-level setup

From bare VPS to live .onion in three moves

This is the shape of the process, not a copy-paste script — the exact commands and hardening steps change between Tor versions, so follow the source of truth linked below. On a HushVPS box you have full root, so every step is yours to run.

01

Run your service on localhost

Install and bind your app to the loopback interface — for example a web server on 127.0.0.1:80. Keeping it off the public interface means it is only ever reachable through the tunnel you are about to build.

02

Point Tor at that port

Install the Tor daemon and add a HiddenServiceDir and HiddenServicePort to your torrc, mapping the onion's port to your localhost port. Restart Tor and it generates your v3 .onion hostname and keys.

03

Harden and back up the key

Lock down file permissions on the key directory, consider client authorization for private services, encrypt your disk, and back up the onion key somewhere safe. Lose it and the address is gone for good.

Use the authoritative, version-current instructions from the Tor Project — their onion service documentation is the reference to trust over any third-party walkthrough. We provide the anonymous machine and full root; the onion configuration lives entirely inside your VPS.

The whole chain, not just the last mile

Why end-to-end anonymity is the real requirement

A .onion address hides your server's IP from visitors. It does nothing about the trail that leads from the server back to you. Three links have to hold, or the weakest one defines your exposure.

Anonymous signup

No KYC, no real name, no identity document. The account that owns the server never becomes a record that ties the onion service to a person. Email is optional; leave it blank and there is nothing to correlate.

Monero payment

Pay in XMR and no card processor writes your name into a ledger next to the box. A hidden service funded by a traceable card is only pseudonymous — the payment is the thread investigators pull first.

Manage over Tor

Administer the machine through Tor so your management sessions do not stamp your clearnet IP onto the server. Our walkthrough on managing a VPS over Tor shows the SSH-over-onion pattern.

This is the same minimisation model behind our anonymous VPS: collect nothing at signup, bill in Monero, and let you keep your identity off the wire. The onion address is the last mile; the account and the payment are the first.

Choose a ghost

Onion hosting plans

Every plan runs the same anonymity posture — there is no "privacy tier." Pick the size your service needs; a small onion site is happy on Phantom, while a busy Matrix or Nextcloud wants more headroom. Prices are in USD, billed monthly, charged in Monero at checkout.

Phantom
$14/mo

A quiet, low-cost box for a single onion site, a small drop, or a static hidden service.

  • 1 vCPU · 2 GB RAM
  • 30 GB NVMe storage
  • 2 TB bandwidth
  • Full root · IPv4 + IPv6
Spectre
Most popular
$34/mo

The sweet spot for a real service behind Tor — a Nextcloud, a Matrix homeserver, or an app stack with headroom.

  • 2 vCPU · 4 GB RAM
  • 80 GB NVMe storage
  • 4 TB bandwidth
  • Full root · IPv4 + IPv6
Wraith
$64/mo

For heavier onion workloads — a busy community server, media backend, or several hidden services on one hardened host.

  • 4 vCPU · 8 GB RAM
  • 160 GB NVMe storage
  • 8 TB bandwidth
  • Full root · IPv4 + IPv6
Revenant
$119/mo

Our biggest ghost — for dense containers, high-traffic onion services, and anything that eats CPU and RAM for breakfast.

  • 8 vCPU · 16 GB RAM
  • 320 GB NVMe storage
  • 16 TB bandwidth
  • Full root · IPv4 + IPv6

Want to weigh monthly against yearly, or see the full spec grid side by side? The pricing page lays every plan out in one place.

Why HushVPS

What makes it good ground for an onion service

Nothing collected at signup

No KYC, no name, no card. The account that owns your onion service never becomes a record that can be tied back to you.

Monero billing

Payment confirms without a processor writing your identity to a ledger. No card trail means no thread leading from the box to a person.

Full root, your keys

The onion private key is generated and stays inside your VPS. Encrypt the disk and even our operational layer only ever sees ciphertext.

Privacy, not lawlessness

Minimisation is paired with a clear acceptable-use policy — no CSAM, malware, spam, or DDoS. Offshore-legal, not anything-goes.

A word on what this is for

Onion services are a legitimate, everyday part of the Tor network — used by newsrooms for secure tips, by messaging tools for metadata-resistant delivery, and by anyone routing around censorship or surveillance. HushVPS exists to serve those lawful uses. Our acceptable-use policy prohibits CSAM, malware and botnet command-and-control, spam operations, and DDoS, and we enforce it. Privacy is protection for people who need it — not a shield for abuse. If your hidden service falls inside the AUP, you are exactly who we built this for.

Straight answers

Onion hosting FAQ

What is onion hosting?
Onion hosting means running a service — a website, API, chat, or file drop — as a Tor onion service, reachable at a .onion address instead of a public IP and DNS name. The Tor network handles connections through a chain of relays and a rendezvous point, so a visitor never learns the server's IP and the server never learns the visitor's. You still need a real machine to run the software on; onion hosting is the practice of pointing that machine's service at Tor rather than at the open internet. HushVPS gives you the machine — an anonymous VPS with full root — and you configure the onion service yourself.
Why self-host an onion service instead of using a shared platform?
Control and trust boundaries. On a shared onion platform you inherit someone else's software, someone else's keys, and someone else's view of your data. On your own VPS you hold the onion service private key, you choose the software, and you decide what is logged. Self-hosting also lets you run things a shared platform never would — a private Nextcloud, a Matrix homeserver, an SSH endpoint, an internal dashboard — all reachable only over Tor. The trade-off is that you own the maintenance: patching, backups, and key hygiene are yours.
How do I actually set up a Tor hidden service?
At a high level: install the Tor daemon on your VPS, run your service on localhost (for example a web server on 127.0.0.1:80), then add a HiddenServiceDir and HiddenServicePort to your torrc so Tor publishes the localhost port as a v3 onion address. Restart Tor and it generates the .onion hostname and key material in that directory. The Tor Project publishes the authoritative, current instructions — follow their onion service guide rather than a random tutorial, because the details change between versions.
Does the .onion address hide the server, or do I still need anonymous hosting?
Tor hides your server's IP from visitors, but it does not hide who rented the server from the host. If you signed up with a real name, paid with a card, and manage the box over a clearnet IP, the anonymity is only skin-deep — the paper trail sits with the provider and your ISP. End-to-end anonymity means the whole chain is covered: anonymous signup with no KYC, payment in Monero so there is no card ledger, and administering the machine over Tor so your management sessions do not tie your identity to the box. The .onion is the last mile; the account is the first.
Is running an onion service legal, and what will you not allow?
Running an onion service is a normal, legal use of Tor — news outlets, whistleblower drops, and privacy tools all use them. HushVPS is offshore-legal and data-minimising, not a lawless zone. Our acceptable-use policy forbids CSAM, malware and botnet infrastructure, spam, and DDoS, and we enforce it. Privacy protects lawful users from surveillance and censorship; it is not cover for abuse. If your onion service falls inside the AUP, you are welcome here.
Can you see what my onion service is or hand it over?
We can only ever produce what exists. We do not run KYC, we do not keep traffic access logs, and we bill in Monero, so there is no name, card, or browsing history tied to your server for us to disclose. We cannot see the .onion address you generate — that key material lives inside your VPS, under your root, and never touches us. For the strongest posture, encrypt your disk and hold the onion private key yourself so even the operational layer only ever sees ciphertext.
Deploy a ghost

Give your hidden service a home that keeps its mouth shut

Spin up an anonymous VPS paid in Monero and publish your onion service on your own terms — or read the surrounding pieces first: the anonymity model, running a relay, and administering the box over Tor.