From 193f9a9c975b612454a1f8121c09ef1e68d56dc1 Mon Sep 17 00:00:00 2001 From: Jon Atack Date: Tue, 26 Jan 2021 15:11:13 +0100 Subject: doc: update tor.md manual config, move after automatic config --- doc/tor.md | 128 ++++++++++++++++++++++++++++++------------------------------- 1 file changed, 63 insertions(+), 65 deletions(-) (limited to 'doc') diff --git a/doc/tor.md b/doc/tor.md index c72f16de5e..8a2aef2d07 100644 --- a/doc/tor.md +++ b/doc/tor.md @@ -34,8 +34,8 @@ outgoing connections, but more is possible. have privacy concerns. -listen When using -proxy, listening is disabled by default. If you want - to run an onion service (see next section), you'll need to enable - it explicitly. + to manually configure an onion service (see section 3), you'll + need to enable it explicitly. -connect=X When behind a Tor proxy, you can specify .onion addresses instead -addnode=X of IP addresses or hostnames in these parameters. It requires @@ -55,67 +55,7 @@ In a typical situation, this suffices to run behind a Tor proxy: ./bitcoind -proxy=127.0.0.1:9050 - -## 2. Manually create a Bitcoin Core onion service - -If you configure your Tor system accordingly, it is possible to make your node also -reachable from the Tor network. Add these lines to your /etc/tor/torrc (or equivalent -config file): *Needed for Tor version 0.2.7.0 and older versions of Tor only. For newer -versions of Tor see [Section 3](#3-automatically-listen-on-tor).* - - HiddenServiceDir /var/lib/tor/bitcoin-service/ - HiddenServicePort 8333 127.0.0.1:8334 - -The directory can be different of course, but virtual port numbers should be equal to -your bitcoind's P2P listen port (8333 by default), and target addresses and ports -should be equal to binding address and port for inbound Tor connections (127.0.0.1:8334 by default). - - -externalip=X You can tell bitcoin about its publicly reachable addresses using - this option, and this can be an onion address. Given the above - configuration, you can find your onion address in - /var/lib/tor/bitcoin-service/hostname. For connections - coming from unroutable addresses (such as 127.0.0.1, where the - Tor proxy typically runs), onion addresses are given - preference for your node to advertise itself with. - - You can set multiple local addresses with -externalip. The - one that will be rumoured to a particular peer is the most - compatible one and also using heuristics, e.g. the address - with the most incoming connections, etc. - - -listen You'll need to enable listening for incoming connections, as this - is off by default behind a proxy. - - -discover When -externalip is specified, no attempt is made to discover local - IPv4 or IPv6 addresses. If you want to run a dual stack, reachable - from both Tor and IPv4 (or IPv6), you'll need to either pass your - other addresses using -externalip, or explicitly enable -discover. - Note that both addresses of a dual-stack system may be easily - linkable using traffic analysis. - -In a typical situation, where you're only reachable via Tor, this should suffice: - - ./bitcoind -proxy=127.0.0.1:9050 -externalip=7zvj7a2imdgkdbg4f2dryd5rgtrn7upivr5eeij4cicjh65pooxeshid.onion -listen - -(obviously, replace the .onion address with your own). It should be noted that you still -listen on all devices and another node could establish a clearnet connection, when knowing -your address. To mitigate this, additionally bind the address of your Tor proxy: - - ./bitcoind ... -bind=127.0.0.1 - -If you don't care too much about hiding your node, and want to be reachable on IPv4 -as well, use `discover` instead: - - ./bitcoind ... -discover - -and open port 8333 on your firewall (or use port mapping, i.e., `-upnp` or `-natpmp`). - -If you only want to use Tor to reach .onion addresses, but not use it as a proxy -for normal IPv4/IPv6 communication, use: - - ./bitcoind -onion=127.0.0.1:9050 -externalip=7zvj7a2imdgkdbg4f2dryd5rgtrn7upivr5eeij4cicjh65pooxeshid.onion -discover - -## 3. Automatically create a Bitcoin Core onion service +## 2. Automatically create a Bitcoin Core onion service Bitcoin Core makes use of Tor's control socket API to create and destroy ephemeral onion services programmatically. This means that if Tor is running and @@ -206,10 +146,68 @@ password` (refer to the [Tor Dev Manual](https://2019.www.torproject.org/docs/tor-manual.html.en) for more details). + +## 3. Manually create a Bitcoin Core onion service + +You can also manually configure your node to be reachable from the Tor network. +Add these lines to your `/etc/tor/torrc` (or equivalent config file): + + HiddenServiceDir /var/lib/tor/bitcoin-service/ + HiddenServicePort 8333 127.0.0.1:8334 + +The directory can be different of course, but virtual port numbers should be equal to +your bitcoind's P2P listen port (8333 by default), and target addresses and ports +should be equal to binding address and port for inbound Tor connections (127.0.0.1:8334 by default). + + -externalip=X You can tell bitcoin about its publicly reachable addresses using + this option, and this can be an onion address. Given the above + configuration, you can find your onion address in + /var/lib/tor/bitcoin-service/hostname. For connections + coming from unroutable addresses (such as 127.0.0.1, where the + Tor proxy typically runs), onion addresses are given + preference for your node to advertise itself with. + + You can set multiple local addresses with -externalip. The + one that will be rumoured to a particular peer is the most + compatible one and also using heuristics, e.g. the address + with the most incoming connections, etc. + + -listen You'll need to enable listening for incoming connections, as this + is off by default behind a proxy. + + -discover When -externalip is specified, no attempt is made to discover local + IPv4 or IPv6 addresses. If you want to run a dual stack, reachable + from both Tor and IPv4 (or IPv6), you'll need to either pass your + other addresses using -externalip, or explicitly enable -discover. + Note that both addresses of a dual-stack system may be easily + linkable using traffic analysis. + +In a typical situation, where you're only reachable via Tor, this should suffice: + + ./bitcoind -proxy=127.0.0.1:9050 -externalip=7zvj7a2imdgkdbg4f2dryd5rgtrn7upivr5eeij4cicjh65pooxeshid.onion -listen + +(obviously, replace the .onion address with your own). It should be noted that you still +listen on all devices and another node could establish a clearnet connection, when knowing +your address. To mitigate this, additionally bind the address of your Tor proxy: + + ./bitcoind ... -bind=127.0.0.1 + +If you don't care too much about hiding your node, and want to be reachable on IPv4 +as well, use `discover` instead: + + ./bitcoind ... -discover + +and open port 8333 on your firewall (or use port mapping, i.e., `-upnp` or `-natpmp`). + +If you only want to use Tor to reach .onion addresses, but not use it as a proxy +for normal IPv4/IPv6 communication, use: + + ./bitcoind -onion=127.0.0.1:9050 -externalip=7zvj7a2imdgkdbg4f2dryd5rgtrn7upivr5eeij4cicjh65pooxeshid.onion -discover + ## 4. Privacy recommendations -- Do not add anything but Bitcoin Core ports to the onion service created in section 2. +- Do not add anything but Bitcoin Core ports to the onion service created in section 3. If you run a web service too, create a new onion service for that. Otherwise it is trivial to link them, which may reduce privacy. Onion - services created automatically (as in section 3) always have only one port + services created automatically (as in section 2) always have only one port open. -- cgit v1.2.3