Vanguards Addon for Tor Guard Discovery Protection

Guard discovery attacks are one of the most serious threats to Tor hidden services — an attacker who identifies your guard relay can narrow down your server's real IP address. The Vanguards addon mitigates this by pinning your middle relays and implementing additional circuit-level protections. This guide covers installing, configuring, and monitoring Vanguards to harden your .onion service.

Understanding Guard Discovery Attacks

In the Tor network, each client maintains a small set of guard relays that serve as the first hop in all circuits. For hidden services, if an attacker can identify which guard relay your service uses, they significantly narrow the pool of possible server locations. Advanced attackers can then perform traffic analysis on the guard relay to identify your actual IP address.

Guard discovery attacks typically work by creating many circuits to your .onion address and analyzing timing patterns, or by running malicious relays that attempt to become your middle nodes. Once enough circuits are observed, statistical analysis can reveal the guard relay with high confidence.

The Vanguards addon addresses this by adding an additional layer of pinned relays (called vanguards) between your guard and the rendezvous point. It also detects and closes circuits that exhibit suspicious behavior, such as those that might be used for traffic analysis. Since Tor 0.4.7, basic vanguard functionality (vanguards-lite) is built into the Tor daemon, but the full Vanguards addon provides more comprehensive protection.

Installing and Configuring Vanguards

Install the Vanguards addon from the official repository and configure it to protect your hidden service:

# Install Vanguards
apt install -y python3-pip
pip3 install vanguards

# Or install from source
git clone https://github.com/mikeperry-tor/vanguards.git
cd vanguards
python3 setup.py install

# Create configuration file
cat > /etc/vanguards.conf << 'EOF'
[Global]
control_ip = 127.0.0.1
control_port = 9051
enable_cbtverify = True
enable_bandguards = True
enable_rendguard = True

[Bandguards]
# Close circuits with unusual bandwidth patterns
circ_max_megabytes = 100
circ_max_age_hours = 24

[Rendguard]
# Limit rendezvous point reuse
rend_use_max_use_to_bw_ratio = 5.0
rend_use_close_circuits_on_overuse = True
EOF

# Run Vanguards
vanguards --config /etc/vanguards.conf

Ensure your torrc includes ControlPort 9051 and either CookieAuthentication 1 or a HashedControlPassword, so Vanguards can communicate with the Tor daemon via the control protocol.
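A preflight check for the torrc requirement above, added here as an example (it is not code from the original page or from the Vanguards project). It confirms that a ControlPort listener matches the control_ip and control_port in vanguards.conf, flags control ports bound off loopback, and flags missing authentication. The function names and sample inputs are constructed for illustration; the torrc parsing is simplified (no %include handling) and assumes a bare ControlPort number binds to 127.0.0.1.

```python
import configparser
import ipaddress

def parse_torrc(text):
    """Map lower-cased torrc directive -> list of values (comments stripped)."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            opts.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else "")
    return opts

def control_listeners(opts):
    """Yield (host, port) per TCP ControlPort; bare port assumed to bind 127.0.0.1."""
    for value in opts.get("controlport", []):
        spec = (value.split() or [""])[0]
        if spec and not spec.startswith("unix:"):
            host, sep, port = spec.rpartition(":")
            yield (host.strip("[]") if sep else "127.0.0.1", port)

def preflight(torrc_text, vanguards_conf_text):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    tor = parse_torrc(torrc_text)
    cfg = configparser.ConfigParser()
    cfg.read_string(vanguards_conf_text)
    target = (cfg.get("Global", "control_ip", fallback=""),
              cfg.get("Global", "control_port", fallback=""))
    listeners = list(control_listeners(tor))
    if target not in listeners:
        findings.append("no torrc ControlPort matches vanguards %s:%s" % target)
    for host, port in listeners:
        try:
            loopback = ipaddress.ip_address(host).is_loopback
        except ValueError:
            loopback = False  # hostnames and unparsable values are treated as exposed
        if not loopback:
            findings.append("ControlPort %s:%s is not bound to loopback" % (host, port))
    auth = "1" in tor.get("cookieauthentication", []) or any(tor.get("hashedcontrolpassword", []))
    if not auth:
        findings.append("control port has no authentication configured")
    return findings

# Constructed sample inputs (not taken from a real host).
GOOD_TORRC = "ControlPort 9051\nCookieAuthentication 1\n"
BAD_TORRC = "ControlPort 0.0.0.0:9052  # exposed, wrong port\n"
VANGUARDS_CONF = "[Global]\ncontrol_ip = 127.0.0.1\ncontrol_port = 9051\n"
if __name__ == "__main__":
    print(preflight(GOOD_TORRC, VANGUARDS_CONF), preflight(BAD_TORRC, VANGUARDS_CONF))
```

To run it against a real host, pass the contents of the torrc and of /etc/vanguards.conf to preflight() before starting the service.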

Running Vanguards as a Systemd Service

For production deployments, run Vanguards as a systemd service to ensure it starts automatically and restarts on failure:

# /etc/systemd/system/vanguards.service
[Unit]
Description=Vanguards Tor Guard Protection
After=tor.service
Requires=tor.service

[Service]
Type=simple
User=debian-tor
ExecStart=/usr/local/bin/vanguards --config /etc/vanguards.conf
Restart=on-failure
RestartSec=10

[Install]
WantedBy=multi-user.target

# Enable and start
systemctl daemon-reload
systemctl enable vanguards
systemctl start vanguards

# Check status
systemctl status vanguards
journalctl -u vanguards -f

Monitor Vanguards logs for warnings about suspicious circuit behavior. Messages about closed circuits due to bandwidth anomalies or rendezvous point overuse may indicate an active attack or simply heavy traffic. Establish a baseline of normal log output so you can identify genuine threats.

AnubizHost — Vanguards-Protected Tor Hosting

AnubizHost managed Tor hosting includes Vanguards pre-installed and configured on every server. Our team monitors Vanguards alerts and adjusts protection thresholds based on your traffic patterns, ensuring your hidden service is defended against guard discovery attacks without disrupting legitimate users.

With servers in Iceland, Romania, and Finland, your .onion service benefits from privacy-friendly jurisdictions and hardened infrastructure. Pay anonymously with Bitcoin, Monero, or other cryptocurrencies — no KYC, no identity verification. AnubizHost provides enterprise-grade Tor security that you would otherwise need a dedicated security team to maintain.
