aboutsummaryrefslogtreecommitdiff
path: root/doc/tor.md
diff options
context:
space:
mode:
authorJon Atack <jon@atack.com>2021-01-26 15:11:13 +0100
committerJon Atack <jon@atack.com>2021-01-26 15:13:29 +0100
commit193f9a9c975b612454a1f8121c09ef1e68d56dc1 (patch)
treeab2d05516ba29c37e1139b168aeee3c7487d2c82 /doc/tor.md
parent9af99b6f393e1d2463fc66f68a23acc691de394d (diff)
doc: update tor.md manual config, move after automatic config
Diffstat (limited to 'doc/tor.md')
-rw-r--r--doc/tor.md128
1 files changed, 63 insertions, 65 deletions
diff --git a/doc/tor.md b/doc/tor.md
index c72f16de5e..8a2aef2d07 100644
--- a/doc/tor.md
+++ b/doc/tor.md
@@ -34,8 +34,8 @@ outgoing connections, but more is possible.
have privacy concerns.
-listen When using -proxy, listening is disabled by default. If you want
- to run an onion service (see next section), you'll need to enable
- it explicitly.
+ to manually configure an onion service (see section 3), you'll
+ need to enable it explicitly.
-connect=X When behind a Tor proxy, you can specify .onion addresses instead
-addnode=X of IP addresses or hostnames in these parameters. It requires
@@ -55,67 +55,7 @@ In a typical situation, this suffices to run behind a Tor proxy:
./bitcoind -proxy=127.0.0.1:9050
-
-## 2. Manually create a Bitcoin Core onion service
-
-If you configure your Tor system accordingly, it is possible to make your node also
-reachable from the Tor network. Add these lines to your /etc/tor/torrc (or equivalent
-config file): *Needed for Tor version 0.2.7.0 and older versions of Tor only. For newer
-versions of Tor see [Section 3](#3-automatically-listen-on-tor).*
-
- HiddenServiceDir /var/lib/tor/bitcoin-service/
- HiddenServicePort 8333 127.0.0.1:8334
-
-The directory can be different of course, but virtual port numbers should be equal to
-your bitcoind's P2P listen port (8333 by default), and target addresses and ports
-should be equal to binding address and port for inbound Tor connections (127.0.0.1:8334 by default).
-
- -externalip=X You can tell bitcoin about its publicly reachable addresses using
- this option, and this can be an onion address. Given the above
- configuration, you can find your onion address in
- /var/lib/tor/bitcoin-service/hostname. For connections
- coming from unroutable addresses (such as 127.0.0.1, where the
- Tor proxy typically runs), onion addresses are given
- preference for your node to advertise itself with.
-
- You can set multiple local addresses with -externalip. The
- one that will be rumoured to a particular peer is the most
- compatible one and also using heuristics, e.g. the address
- with the most incoming connections, etc.
-
- -listen You'll need to enable listening for incoming connections, as this
- is off by default behind a proxy.
-
- -discover When -externalip is specified, no attempt is made to discover local
- IPv4 or IPv6 addresses. If you want to run a dual stack, reachable
- from both Tor and IPv4 (or IPv6), you'll need to either pass your
- other addresses using -externalip, or explicitly enable -discover.
- Note that both addresses of a dual-stack system may be easily
- linkable using traffic analysis.
-
-In a typical situation, where you're only reachable via Tor, this should suffice:
-
- ./bitcoind -proxy=127.0.0.1:9050 -externalip=7zvj7a2imdgkdbg4f2dryd5rgtrn7upivr5eeij4cicjh65pooxeshid.onion -listen
-
-(obviously, replace the .onion address with your own). It should be noted that you still
-listen on all devices and another node could establish a clearnet connection, when knowing
-your address. To mitigate this, additionally bind the address of your Tor proxy:
-
- ./bitcoind ... -bind=127.0.0.1
-
-If you don't care too much about hiding your node, and want to be reachable on IPv4
-as well, use `discover` instead:
-
- ./bitcoind ... -discover
-
-and open port 8333 on your firewall (or use port mapping, i.e., `-upnp` or `-natpmp`).
-
-If you only want to use Tor to reach .onion addresses, but not use it as a proxy
-for normal IPv4/IPv6 communication, use:
-
- ./bitcoind -onion=127.0.0.1:9050 -externalip=7zvj7a2imdgkdbg4f2dryd5rgtrn7upivr5eeij4cicjh65pooxeshid.onion -discover
-
-## 3. Automatically create a Bitcoin Core onion service
+## 2. Automatically create a Bitcoin Core onion service
Bitcoin Core makes use of Tor's control socket API to create and destroy
ephemeral onion services programmatically. This means that if Tor is running and
@@ -206,10 +146,68 @@ password` (refer to the [Tor Dev
Manual](https://2019.www.torproject.org/docs/tor-manual.html.en) for more
details).
+
+## 3. Manually create a Bitcoin Core onion service
+
+You can also manually configure your node to be reachable from the Tor network.
+Add these lines to your `/etc/tor/torrc` (or equivalent config file):
+
+ HiddenServiceDir /var/lib/tor/bitcoin-service/
+ HiddenServicePort 8333 127.0.0.1:8334
+
+The directory can be different of course, but virtual port numbers should be equal to
+your bitcoind's P2P listen port (8333 by default), and target addresses and ports
+should be equal to binding address and port for inbound Tor connections (127.0.0.1:8334 by default).
+
+ -externalip=X You can tell bitcoin about its publicly reachable addresses using
+ this option, and this can be an onion address. Given the above
+ configuration, you can find your onion address in
+ /var/lib/tor/bitcoin-service/hostname. For connections
+ coming from unroutable addresses (such as 127.0.0.1, where the
+ Tor proxy typically runs), onion addresses are given
+ preference for your node to advertise itself with.
+
+ You can set multiple local addresses with -externalip. The
+ one that will be rumoured to a particular peer is the most
+ compatible one and also using heuristics, e.g. the address
+ with the most incoming connections, etc.
+
+ -listen You'll need to enable listening for incoming connections, as this
+ is off by default behind a proxy.
+
+ -discover When -externalip is specified, no attempt is made to discover local
+ IPv4 or IPv6 addresses. If you want to run a dual stack, reachable
+ from both Tor and IPv4 (or IPv6), you'll need to either pass your
+ other addresses using -externalip, or explicitly enable -discover.
+ Note that both addresses of a dual-stack system may be easily
+ linkable using traffic analysis.
+
+In a typical situation, where you're only reachable via Tor, this should suffice:
+
+ ./bitcoind -proxy=127.0.0.1:9050 -externalip=7zvj7a2imdgkdbg4f2dryd5rgtrn7upivr5eeij4cicjh65pooxeshid.onion -listen
+
+(obviously, replace the .onion address with your own). It should be noted that you still
+listen on all devices and another node could establish a clearnet connection, when knowing
+your address. To mitigate this, additionally bind the address of your Tor proxy:
+
+ ./bitcoind ... -bind=127.0.0.1
+
+If you don't care too much about hiding your node, and want to be reachable on IPv4
+as well, use `discover` instead:
+
+ ./bitcoind ... -discover
+
+and open port 8333 on your firewall (or use port mapping, i.e., `-upnp` or `-natpmp`).
+
+If you only want to use Tor to reach .onion addresses, but not use it as a proxy
+for normal IPv4/IPv6 communication, use:
+
+ ./bitcoind -onion=127.0.0.1:9050 -externalip=7zvj7a2imdgkdbg4f2dryd5rgtrn7upivr5eeij4cicjh65pooxeshid.onion -discover
+
## 4. Privacy recommendations
-- Do not add anything but Bitcoin Core ports to the onion service created in section 2.
+- Do not add anything but Bitcoin Core ports to the onion service created in section 3.
If you run a web service too, create a new onion service for that.
Otherwise it is trivial to link them, which may reduce privacy. Onion
- services created automatically (as in section 3) always have only one port
+ services created automatically (as in section 2) always have only one port
open.