Anonymous Self-Hosting Set.

[Fixxx]

In this article, I'll tell you about the self-hosted applications that can replace popular websites. Instead of trusting your data to a service provider, you can host alternatives to these services yourself. We will explore and deploy open-source applications on your own server. We will also consider using some of them through the Tor network. So, let’s get started!

Main Applications ​

• Nextcloud — Be your own cloud provider, including with encryption of your files, either server-side or end-to-end on the client.
• Shadowsocks Server — Alternative to standard VPN protocols with obfuscated traffic. It allows you to avoid basic protocol blocks.
• Bitwarden — Synchronization of encrypted passwords between your systems.
• Gitea — Your own GitHub for team development.
• Cryptgeon — Alternative to Privnote for storing messages/files encrypted in RAM. It works easily on an onion and deletes after reading.
• Matrix Synapse — Your own server for communication in the encrypted federated Matrix network.
• Picsur — Your own image hosting service with EXIF removal and anonymous uploads. It works easily on a Tor domain.

Installation and Setup​

Nextcloud​

This is almost the perfect option for a personal file synchronization server. There are clients for all popular systems, open-source code, numerous plugins and settings. Fully integrated systems for team project management, editing certain types of files, calendars, forms, tasks and much more. The easiest way to install this system on Ubuntu is using snap.

sudo snap install nextcloud

Next, we create an admin account. Replace "password" with a strong long password, especially if you plan to use encryption later.

sudo nextcloud.manual-install admin password

Great, now you can go to the server's IP address and log in. We can also set up an onion domain; for this, simply install Tor and edit /etc/tor/torrc.

sudo apt install tor

Add the following lines to torrc:

HiddenServiceDir /var/lib/tor/onion_service/
HiddenServicePort 80 127.0.0.1:80
sudo service tor restart

After this procedure, you can obtain the onion domain on your server with the command:

cat /var/lib/tor/onion_service/hostname

Upon first access through the onion domain, a message will be displayed stating that this is an untrusted domain. You will need to confirm.

​

files on the server side - this is the Default Encryption Module plugin. You need to enable it. Or you can use the end-to-end encryption plugin from clients, which is obviously more secure if you don't trust the server. The first plugin just needs to be activated and in the server settings under security, enable the option for server-side encryption. After this, all newly uploaded files will be encrypted. Alternatively, you can enable end-to-end encryption by activating another module. Upon re-logging into any of your clients, it will request the option to enable encryption and provide a key.

Shadowsocks​

The advantage of this protocol is that it's not detected by standard DPI, as it represents some noise. There are also more interesting new protocols like V2ray, Vless, Trojan, but we will not consider them here. The simplest way to set up a server for this protocol is as follows. Install Python pip and the package on the server.

apt-get install python3-pip
pip install shadowsocks

Then edit the config with nano /etc/shadowsocks.json:

{
"server":"0.0.0.0",
"server_port":8000,
"local_port":1080,
"password":"password",
"timeout":600,
"method":"chacha20"
}

Replace "password" with a strong password. For the encryption method, you can use "chacha20" or "aes256-gcm". AES is more proven, while ChaCha is new and faster on low-powered servers. Start your server with the command:

ssserver -c /etc/shadowsocks.json -d start

After this, you can connect to the server from your mobile device or PC. For mobile devices, the easiest clients to use are v2ray-ng or shadowsocks. They should be available on F-Droid. For iOS, you can use the Outline app. You can enter the data manually, but it’s more convenient to connect by scanning a QR code. Here’s an example QR code generator based on your server data - https://phoenixlzx.github.io/shadowsocks-qrgen/

​

Set the VPN mode in these applications and configure them for automatic VPN connection and to block network access without it. As a last resort, you can purchase Shadowsocks access from VPN providers that support it, for example, https://torguard.net/anonymouspremiumproxy.php. However, having your own server is certainly cheaper and better. Regarding the choice of a provider for your server, I recommend choosing a reputable hoster in safe countries with payment via Monero. This could be njalla, nicevps or flokinet.

Bitwarden​

This is a convenient service for encrypted synchronization of your passwords. Of course, the safest option is some local Keepass (and synchronize it through your encrypted cloud), but if you frequently change devices, you might consider a more convenient option. Fortunately, you are not required to use their own server. You can deploy your own Bitwarden server and use it in any of their applications. The simplest way to use this script for installation on Debian and Ubuntu systems is found here: https://github.com/bitwarden/self-host/blob/main/bitwarden.sh - download it, make it executable and install Bitwarden. You should have Docker and Docker Compose installed on your system.

sudo apt install git
git clone https://github.com/bitwarden/self-host.git
chmod a+x run.sh
./run.sh install

You will be prompted for necessary information, such as your domain and whether to create an HTTPS certificate. You will also need to obtain an ID and key for your email from here: https://bitwarden.com/host/ and enter them during the installation process. To start the server, enter:

./run.sh start

Your Bitwarden has an admin panel and a web interface; we can expose it on an onion domain using the standard method through /etc/tor/torrc, as described in the Nextcloud instructions, if necessary. However, it's most convenient to use their clients for mobile systems and browser plugins.

Gitea​

This is a full-fledged open-source Git service with multi-user development capabilities, private repositories, tags, projects and much more. For basic installation, you can deploy it using Docker: https://phoenixnap.com/kb/gitea-docker. There is also a slightly outdated repository with settings for use through onion: https://github.com/AnimusPEXUS/hiddengitea. However, you can also deploy it using the first instruction on the server's IP address and simply work with it through a Tor proxy using commands like these. You must have Tor installed on your system.

git -c http.proxy=socks5h://127.0.0.1:9050 clone ...
git -c http.proxy=socks5h://127.0.0.1:9050 push origin master

Since Gitea doesn't use file encryption, except for HTTPS traffic to the server, I recommend using full disk encryption on your server during installation. Alternatively, you can consider these tools for encrypting Git: https://opensource.com/article/19/2/secrets-management-tools-git

Cryptgeon​

This is a full-fledged alternative to services for one-time links. It has open-source code, which you can deploy on your server. Its advantages include that encryption occurs with your key on the client side and the server itself doesn't know the data uploaded to it. Additionally, all files and messages are stored in RAM and nothing is written to disk. By the way, I don't recommend rebooting to avoid losing anything. It also has a console client that can connect to a standard server or your own to quickly generate an encrypted link. Client installation:

npx cryptgeon
# Or install globally
npm -g install cryptgeon
cryptgeon

Examples of usage can be found here: https://github.com/cupcakearmy/cryptgeon/blob/main/packages/cli/README.md

Server installation: the simplest way is through Docker:

docker run cupcakearmy/cryptgeon

After this, the Cryptgeon interface will be available on your server's IP. The interface works perfectly through the onion domain. Just keep in mind that it uses JS scripts for encryption on the client side. To create a Tor domain, forward the port as per the first instruction with Nextcloud.

Matrix Synapse​

This is an excellent alternative to Jabber, an encrypted federated protocol. By default, when you use Matrix clients like Element, you connect to the standard server. However, it's best to deploy your own, especially within a team or for multiple users. To install on a server with Ubuntu, enter:

sudo wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/matrix-org.list

Here we import the Matrix keys and their repository.

sudo apt update
sudo apt install matrix-synapse-py3

Next, we install the Matrix server. It's written in Python. You will be prompted for a domain. Enter your domain and it will ask whether to send anonymous statistics; respond with "no". Next, start the server.

sudo systemctl start matrix-synapse
sudo systemctl enable matrix-synapse

Now, modify the configuration file:

sudo nano /etc/matrix-synapse/homeserver.yaml

It should look like this. Just set the IP address to your server's IP and replace the word "secret" with a strong long string of random characters.

listeners:
- port: 8008
tls: false
type: http
x_forwarded: true
bind_addresses: ['127.0.0.1']

resources:
- names: [client, federation]
compress: false

enable_registration: false
registration_shared_secret: "secret"

Restart the server.

sudo systemctl restart matrix-synapse

Now, register an admin account:

register_new_matrix_user -c /etc/matrix-synapse/homeserver.yaml https://localhost:8008

This command can also be used to register other accounts. You need to generate an HTTPS certificate.

sudo apt install certbot -y
certbot certonly --rsa-key-size 2048 --standalone --agree-tos --no-eff-email --email admin@example.com -d matrix.example.com

You can use Nginx as a server.

sudo apt install nginx
sudo nano /etc/nginx/sites-available/matrix.conf

Here’s an example configuration:

server {
listen 80;
server_name matrix.example.com;
return 301 https://$host$request_uri;
}

server {
listen 443 ssl;
server_name matrix.example.com;

ssl_certificate /etc/pki/certificates/matrix.crt;
ssl_certificate_key /etc/pki/certificates/matrix.key;

location /_matrix {
proxy_pass https://localhost:8008;
proxy_set_header X-Forwarded-For $remote_addr;
client_max_body_size 10M; # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
}
}

# This is used for Matrix Federation
server {
listen 8448 ssl;
server_name matrix.example.com;

ssl_certificate /etc/pki/certificates/matrix.crt;
ssl_certificate_key /etc/pki/certificates/matrix.key;

location / {
proxy_pass https://localhost:8008;
proxy_set_header X-Forwarded-For $remote_addr;
}
}

Just change the paths for the certificates if they are located elsewhere. SSL certificates are only needed for federation with other servers; they are not particularly necessary for local use.

sudo ln -s /etc/nginx/sites-available/matrix.conf /etc/nginx/sites-enabled/
sudo systemctl restart nginx

Modify the firewall configuration.

sudo ufw allow 8448
sudo ufw allow https
sudo ufw allow http

Your server is now running. If you navigate to https://matrix.yourdomain:8448, the start page should be displayed. If you have configured everything correctly, your server will also be able to communicate with other servers and your users can message users from other servers. You can also consider using verified public servers created by others: https://tatsumoto-ren.github.io/blog/list-of-matrix-servers.html

Picsur​

This is a great way to host one-time images to share with other users or on forums. Why use someone else's hosting when you can deploy your own? For this, you need to have Docker installed. In a separate folder, create a compose file.

nano docker-compose.yml

And inside, write the following:

version: '3'
services:
picsur:
image: ghcr.io/caramelfur/picsur:latest
container_name: picsur
ports:
- '8080:8080'
environment:
PICSUR_DB_HOST: picsur_postgres
restart: unless-stopped
picsur_postgres:
image: postgres:14-alpine
container_name: picsur_postgres
environment:
POSTGRES_DB: picsur
POSTGRES_PASSWORD: picsur
POSTGRES_USER: picsur
restart: unless-stopped
volumes:
- picsur-data:/var/lib/postgresql/data
volumes:
picsur-data:

Change the passwords in the config to your own. Now, start it.

docker compose up -d

Now, the Picsur interface will be available on your server's IP at port 8080. To host it on a Tor domain, simply forward port 8080 to port 80 of the onion domain using the standard instructions. Refer to the Nextcloud instructions for the Tor setup.

HiddenServiceDir /var/lib/tor/onion_service/
HiddenServicePort 80 127.0.0.1:8080

Now you will have an anonymous image hosting service on Tor.

Useful Services​

Here, I'll list some useful services for use. There will also be some services for free hosting. These are not places to host permanently, but they may come in handy if you have a limited budget.

• glitch.com - Here you can host any application or bot in many languages for a test run of 5 minutes, as well as static websites. Keep in mind that by default, the code is published in a format accessible to everyone.
• moremins.com - A service for virtual numbers (SMS, calls) for a long time. Prices are extremely cheap. In most countries, it doesn't require any documents and allows payment in cryptocurrency.
• noez.de - A decent provider for cryptocurrency with a trial KVM server. It's issued if all conditions are met: the IP address and country name must match and the country number must be able to receive calls. You can use the previous service for number verification.
• infinityfree.com - Completely free eternal web hosting with a good reputation for static sites and PHP with a database.
• pythonanywhere.com - A free host for small Python applications.
• onionmail.org - Free email, both on onion and in the regular network. By default, sending messages is paid, while receiving is free. There is an option to set up forwarding to an external email.
• cheapwindowsvps.com - Extremely cheap remote Windows desktops with payment in cryptocurrency.

Conclusion​

As we can see, there have long been ways to use secure self-hosted alternatives to the services of large companies and keep your personal data under your control. Once you have set them up, using them is no more complicated than any other services. Additionally, here is an interesting comparative table of email providers regarding anonymity: https://dismail.de/serverlist.html.