doc/tor.md
TOR SUPPORT IN BITCOIN | # TOR SUPPORT IN BITCOIN | ||||
====================== | |||||
It is possible to run Bitcoin as a Tor hidden service, and connect to such services. | It is possible to run Bitcoin as a Tor hidden service, and connect to such services. | ||||
The following directions assume you have a Tor proxy running on port 9050. Many distributions default to having a SOCKS proxy listening on port 9050, but others may not. In particular, the Tor Browser Bundle defaults to listening on port 9150. See [Tor Project FAQ:TBBSocksPort](https://www.torproject.org/docs/faq.html.en#TBBSocksPort) for how to properly | The following directions assume you have a Tor proxy running on port 9050. Many distributions default to having a SOCKS proxy listening on port 9050, but others may not. In particular, the Tor Browser Bundle defaults to listening on port 9150. See [Tor Project FAQ:TBBSocksPort](https://www.torproject.org/docs/faq.html.en#TBBSocksPort) for how to properly | ||||
configure Tor. | configure Tor. | ||||
1. Run bitcoin behind a Tor proxy | ## 1. Run bitcoin behind a Tor proxy | ||||
--------------------------------- | |||||
The first step is running Bitcoin behind a Tor proxy. This will already make all | The first step is running Bitcoin behind a Tor proxy. This will already make all | ||||
outgoing connections be anonymized, but more is possible. | outgoing connections be anonymized, but more is possible. | ||||
-proxy=ip:port Set the proxy server. If SOCKS5 is selected (default), this proxy | -proxy=ip:port Set the proxy server. If SOCKS5 is selected (default), this proxy | ||||
server will be used to try to reach .onion addresses as well. | server will be used to try to reach .onion addresses as well. | ||||
-onion=ip:port Set the proxy server to use for tor hidden services. You do not | -onion=ip:port Set the proxy server to use for tor hidden services. You do not | ||||
Show All 9 Lines | outgoing connections be anonymized, but more is possible. | ||||
-seednode=X SOCKS5. In Tor mode, such addresses can also be exchanged with | -seednode=X SOCKS5. In Tor mode, such addresses can also be exchanged with | ||||
other P2P nodes. | other P2P nodes. | ||||
In a typical situation, this suffices to run behind a Tor proxy: | In a typical situation, this suffices to run behind a Tor proxy: | ||||
./bitcoin -proxy=127.0.0.1:9050 | ./bitcoin -proxy=127.0.0.1:9050 | ||||
2. Run a bitcoin hidden server | ## 2. Run a bitcoin hidden server | ||||
------------------------------ | |||||
If you configure your Tor system accordingly, it is possible to make your node also | If you configure your Tor system accordingly, it is possible to make your node also | ||||
reachable from the Tor network. Add these lines to your /etc/tor/torrc (or equivalent | reachable from the Tor network. Add these lines to your /etc/tor/torrc (or equivalent | ||||
config file): | config file): *Needed for Tor version 0.2.7.0 and older versions of Tor only. For newer | ||||
versions of Tor see [Section 3](#3-automatically-listen-on-tor).* | |||||
HiddenServiceDir /var/lib/tor/bitcoin-service/ | HiddenServiceDir /var/lib/tor/bitcoin-service/ | ||||
HiddenServicePort 8333 127.0.0.1:8333 | HiddenServicePort 8333 127.0.0.1:8333 | ||||
HiddenServicePort 18333 127.0.0.1:18333 | HiddenServicePort 18333 127.0.0.1:18333 | ||||
The directory can be different of course, but (both) port numbers should be equal to | The directory can be different of course, but (both) port numbers should be equal to | ||||
your bitcoind's P2P listen port (8333 by default). | your bitcoind's P2P listen port (8333 by default). | ||||
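Review bot: The new italic note in section 2 is appended to the end of "config file):", so it sits between the colon and the torrc lines that colon introduces, and the rendered sentence reads as if the note were part of the instruction. Move it to its own paragraph directly under the "## 2. Run a bitcoin hidden server" heading, and tighten the wording, which currently says "version" and "versions" twice: for example "Needed only for Tor 0.2.7.0 and older. For newer versions see [Section 3](#3-automatically-listen-on-tor)." The link target also depends on the renderer's generated anchor for "## 3. Automatically listen on Tor", so any later rename of that heading will silently break it; worth confirming the link resolves in the rendered view before landing.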
Show All 32 Lines | |||||
and open port 8333 on your firewall (or use -upnp). | and open port 8333 on your firewall (or use -upnp). | ||||
If you only want to use Tor to reach onion addresses, but not use it as a proxy | If you only want to use Tor to reach onion addresses, but not use it as a proxy | ||||
for normal IPv4/IPv6 communication, use: | for normal IPv4/IPv6 communication, use: | ||||
./bitcoin -onion=127.0.0.1:9050 -externalip=57qr3yd1nyntf5k.onion -discover | ./bitcoin -onion=127.0.0.1:9050 -externalip=57qr3yd1nyntf5k.onion -discover | ||||
3. Automatically listen on Tor | ## 3. Automatically listen on Tor | ||||
-------------------------------- | |||||
Starting with Tor version 0.2.7.1 it is possible, through Tor's control socket | Starting with Tor version 0.2.7.1 it is possible, through Tor's control socket | ||||
API, to create and destroy 'ephemeral' hidden services programmatically. | API, to create and destroy 'ephemeral' hidden services programmatically. | ||||
Bitcoin Core has been updated to make use of this. | Bitcoin Core has been updated to make use of this. | ||||
This means that if Tor is running (and proper authentication has been configured), | This means that if Tor is running (and proper authentication has been configured), | ||||
Bitcoin Core automatically creates a hidden service to listen on. This will positively | Bitcoin Core automatically creates a hidden service to listen on. This will positively | ||||
affect the number of available .onion nodes. | affect the number of available .onion nodes. | ||||
Show All 9 Lines | |||||
preconfigured and the creation of a hidden service is automatic. If permission problems | preconfigured and the creation of a hidden service is automatic. If permission problems | ||||
are seen with `-debug=tor` they can be resolved by adding both the user running tor and | are seen with `-debug=tor` they can be resolved by adding both the user running tor and | ||||
the user running bitcoind to the same group and setting permissions appropriately. On | the user running bitcoind to the same group and setting permissions appropriately. On | ||||
Debian-based systems the user running bitcoind can be added to the debian-tor group, | Debian-based systems the user running bitcoind can be added to the debian-tor group, | ||||
which has the appropriate permissions. An alternative authentication method is the use | which has the appropriate permissions. An alternative authentication method is the use | ||||
of the `-torpassword` flag and a `hash-password` which can be enabled and specified in | of the `-torpassword` flag and a `hash-password` which can be enabled and specified in | ||||
Tor configuration. | Tor configuration. | ||||
4. Privacy recommendations | ## 4. Privacy recommendations | ||||
--------------------------- | |||||
- Do not add anything but bitcoin ports to the hidden service created in section 2. | - Do not add anything but bitcoin ports to the hidden service created in section 2. | ||||
If you run a web service too, create a new hidden service for that. | If you run a web service too, create a new hidden service for that. | ||||
Otherwise it is trivial to link them, which may reduce privacy. Hidden | Otherwise it is trivial to link them, which may reduce privacy. Hidden | ||||
services created automatically (as in section 3) always have only one port | services created automatically (as in section 3) always have only one port | ||||
open. | open. |
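Review bot: The bullet under "## 4. Privacy recommendations" still refers to "section 2" and "section 3" as plain text, while the note added in section 2 uses a Markdown anchor link for the same kind of cross-reference. Since the headings are now ATX style and produce anchors, consider linking these two references as well so cross-references are consistent across the file.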