Tor-to-IP tunnel service for HTTPS

Use the public IP address of a Virtual Private Server (VPS) to make Tor Hidden Services reachable on the clearnet.


  • hides the IP of the host from the public and from the VPS
  • no port forwarding needed on the LAN of the host
  • additional encryption by Tor between the host and the VPS


  • SSH access to a Virtual Private Server (VPS) - eg. a minimal package on Lunanode for ~3.5$/month
  • Note that only the root user can forward to ports below 1000.
  • Tor should not be the only encryption layer of the service as the traffic exposed on the VPS is meant to be for the localhost
  • Always check the terms and rules of the VPS provider to avoid bans and don’t do anything causing them trouble to keep these services going.

On the VPS

  • Login with ssh to the root user
    ssh root@VPS_IP_ADDRESS
  • Install tor (leave on default settings) and socat
    # apt install tor socat

Set up a systemd service

  • make a separate process for every connected Hidden Service to avoid restarting every connection when a service added or removed.
    Suggestion for naming the service is to put the VPS_PORT used on the VPS into the name: tor2ip<VPS_PORT>

  • create the service file:
    # nano /etc/systemd/system/tor2ip443.service
    • Paste the following and fill in:
      • the VPS_PORT you want to use (facing the public) - in this example: 443.
        • generate the address with:
          • config.scripts/ HTTPS 443 443
          • this will expose the local port 443 on the .onion:443
      • The TOR_PORT the Hidden Service is using - in this example: 443
      Description=Tor2IP Tunnel Service
      ExecStart=/usr/bin/socat TCP4-LISTEN:443,bind=,fork SOCKS4A:localhost:TOR_HIDDEN_SERVICE_ADDRESS.onion:443,socksport=9050
  • Enable and start the service:
    # systemctl enable tor2ip443
    # systemctl start tor2ip443

Setting up this Tor-to-IP tunnel service is now complete. You can carry on adding other services using different ports on the VPS.
You should be able access the ports/services of the host computer through: VPS_IP_ADDRESS:VPS_PORT. To connect to the HTTPS website served from the node in the example:

Monitoring on the VPS

  • To check if tunnel is active on the VPS:
    # netstat -tulpn

    • Look for the lines: ``` Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name

    tcp 0 0* LISTEN 13684/socat

  • Monitor the service with:
    # systemctl status tor2ip443 ``` ● tor2ip443.service - Tor2IP Tunnel Service Loaded: loaded (/etc/systemd/system/tor2ip443.service; enabled; vendor preset: enabled) Active: active (running) since Sun 2020-04-05 14:58:43 BST; 2min 23s ago Main PID: 13684 (socat) Tasks: 1 (limit: 1078) Memory: 540.0K CGroup: /system.slice/tor2ip443.service └─13684 /usr/bin/socat TCP4-LISTEN:443,bind=,fork SOCKS4A:localhost:TOR_HIDDEN_SERVICE_ADDRESS.onion:443,socksport=9050

Apr 05 14:58:43 VPS_hostname systemd[1]: Started Tor2IP Tunnel Service. ```