We're missing documentation on how to run Mastodon as a hidden (e.g. ) service. If you know how to do it, please either submit it or tell me so I can write it down

@Gargron Requires ssl so it's like normal but you need to have a self signed cert

@Sir_Boops Imagine you're explaining it to someone who never used Tor (because you are)


> Setup mastodon following the usual steps except generate a self-signed cert ( Because you /can't/ get certs for .onion addresses )

> Install tor and add append these three lines to the end of the torrc file

HiddenServiceDir /var/lib/tor/<some name>/
HiddenServicePort 80
HiddenServicePort 443

And that's it it's now on tor

Now it won't fed because other instances won't take the broken ssl but that's a masto issue ;p

@Gargron @Sir_Boops additionally, if your instance is behind Cloudflare, you can enable onion routing via a single button in the dashboard (and while you're there, whitelist the country code T1)

@ben @Gargron @Sir_Boops

but tor usese onion domain? How that works with cloudflare i can see the option though

@Sir_Boops @Gargron If you're using Debian Testing (or even Debian Sid), you can pull tor from Debian's repos

It is also recommended to use the new version of Onion Services by adding HiddenServiceVersion 3 right after what Sir_Boops said, as explained here:

@mrtino @Gargron v3s are buggy af

I havn't used them in a while so they might be better now but when I was using them half the time they'd take a good 30 min to start working where-as v2 is near-instant

@Sir_Boops @mrtino Wait hold on so federation with Tor instances doesn't work? The person who submitted the changes that added Tor support didn't mention that

@Gargron @mrtino No federation with onion instances works just fine but those instances are modded to not use https at all

@Gargron @mrtino So when my instance talks to an onion instance ( Hi @notjeff ) their instance will only talk using http

Hopefully I'm making some sense x.x

@Sir_Boops @mrtino But he have those rules where https is required in ActivityPub URIs, and I don't believe there is a special case for Tor there.

@Gargron @mrtino afaik Masto will just send to whatever the server tells it You tell it http it'll use http

Also I can't connect to that instance over https so masto has to be using http

@Sir_Boops @Gargron @mrtino onion routing and https are doing basically the same job (ensuring that you're talking to who you think you are and hiding the data from MITM attacks) so there's no real reason to use both

@Sir_Boops @Gargron @mrtino the difference is that onion routing confirms the identity by making it really hard to claim a specific identity (you'd need to generate a key with the same hash) whereas HTTPS confirms the identity of something human-readable (a domain name) and therefore requires at least some level of trust in the certificate before you can send any data

@Gargron @Sir_Boops when did you tell masto's config to use WHAT onion domain?
i dont know anything about Tor so you can test with me 😈

@Sir_Boops @Gargron Why the self-signed cert? HTTPS over TOR is pointless.


Actually, you can get valid tls certificates for .onion. But that require an EV-certificate :P


@Sir_Boops @Gargron it sucks alot that ssl is required when you... don't need it actually.

@Gargron Thanks for addressing this! I've been curious whether you can run on myself, but couldn't find much other than hearing it should be possible. I'm especially curious if a Tor instance can federate with normal instances.

@MirceaKitsune @Gargron You should be able to federate normally with any instance that doesn't block tor exit nodes.

Other instances won't be able to federate with you unless they route the requests through tor.

One way of doing this is by using a proxy on the local machine(such as squid) that routes .onion domains to a local tor client.


@MirceaKitsune @Gargron
Another way is to use a tor2web server. The advantages being not having to setup tor locally(what is very easy) and slightly faster connections since you would cut the length of the complete circuit in half. Configuring url redirects on a local proxy would still be necessary.

To make things even easier for people trying to federate with hidden services(not from behind them) the mastodon software could automatically route .onion domains to a tor2web server.

@MirceaKitsune @Gargron
It seems I'm late to the party. If everything just werks™ disregard may comment.

@KatGoesWoof @Gargron Thanks... first time someone explains this. I was hoping instances could somehow federate with any other instance (both ways) but it's pretty logical that this won't happen unless those instances open a Tor gateway themselves.

Sign in to participate in the conversation

Invite-only Mastodon server run by the main developers of the project 🐘 It is not focused on any particular niche interest - everyone is welcome as long as you follow our code of conduct!