Bitcoin through Tor on RBP3

Damian Mee
Jan 25, 2018

This is the second part of the guide on setting up your own Bitcoin Full Node on Raspberry Pi.

Note: Inspiration for this guide is taken from the guide by Jameson Lopp, the Tor FAQ, the sample torrc file, and the Tor manual.

This guide assumes you’re on MacOS, comfortable with terminal, already have a Bitcoin Full Node running on Raspberry Pi 3 and now you want to also add Tor to it.

Before starting

While the technical side of the setup is pretty straightforward, you might want to make sure you’ve configured your node correctly, to avoid unpleasant surprises in the future (more about it in the Configure section).

Note: In code snippets with output, bold parts are the commands to run.

Connect to RBP

Quite necessary, ex:

ssh pi@192.168.1.102

Once you’re connected, run updates:

sudo apt update
sudo apt -y upgrade

Add Tor repo

While an up-to-date tor package isn’t available right away on Raspbian, it’s easy to add.

First make sure you run the same debian version that this guide was written for (stretch):

lsb_release -c
Codename: stretch

If you get a different output, you might need to consult here.

Note: Raspbian warning on the page above is only relevant to Raspberry Pi versions prior to 3, so in our case, it’s safe to ignore.

First of all, open:

sudo nano /etc/apt/sources.list

and there, append lines:

deb http://deb.torproject.org/torproject.org stretch main
deb-src http://deb.torproject.org/torproject.org stretch main

Save the file (ctrl+x + y), and install missing dirmngr:

sudo apt install dirmngr

Once that completes, adding the key should succeed:

gpg --keyserver keys.gnupg.net --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
gpg: /home/pi/.gnupg/trustdb.gpg: trustdb created
gpg: key EE8CBC9E886DDD89: public key "deb.torproject.org archive signing key" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
OK

Install Tor

Let’s fetch metadata about all the goodies we’ve just added:

sudo apt update

And install tor:

sudo apt install tor tor-arm

Note: tor-arm is not required, but it provides a useful tor dashboard, visualising what’s going on with your node:

Screenshot from nyx (newer arm), that’s not yet easily available on RBP

Configure

Warning

Proper Tor configuration is VERY important. A misconfigured node can end up:

  • using up all of your internet quota;
  • getting your internet contract suspended or terminated by your ISP;
  • and, in some more draconian jurisdictions, landing you in jail(!).

So do make sure your Tor node is configured correctly and always up to date.

Location

The Tor configuration file is located at /etc/tor/torrc, and you need superuser privileges to edit it:

sudo nano /etc/tor/torrc

Contents

The minimal file, to just relay Bitcoin traffic, can look something like:

RunAsDaemon 1
PortForwarding 1
# RAM limit that works for me w/SWAP off
# if you run with SWAP, you can skip adding this line
MaxMemInQueues 455MB
ControlPort 9051
CookieAuthentication 1
CookieAuthFileGroupReadable 1

Note: This config sets your node to serve through Tor in addition to the regular clearnet access.

Extras

More configuration options are very well documented in the file itself, in the docs online and in this very useful FAQ. Here, however, I’ll only go through two more options:

To have Tor logs in a separate file, add this line:

Log notice file /var/log/tor/notices.log

To have your RBP also act as a relay, add the following lines:

ExitPolicy reject *:* # this is the important line
# ORPort is required if you want to run your Tor node as a relay
# If 443 is not available, set it to 9001 or anything else
ORPort 443
# This one is very optional. Can be any port you choose.
DirPort 9030

Important: If you chose to go with either just ORPort or both, make sure to see the section Configure Relay Ports below!
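
The check below is an added example, not part of the original guide: a small shell function that audits a torrc for the two settings this guide leans on, a reject-all ExitPolicy whenever ORPort is set and an authenticated ControlPort (CookieAuthentication 1, or Tor's HashedControlPassword option). The function name audit_torrc and both sample files are constructed for illustration, and it looks only at these options.

```sh
#!/bin/sh
# Added example, not from the original guide. Audits a torrc for the two
# settings discussed above; prints one finding per line, nothing if clean.
audit_torrc() {
    awk '
    {
        sub(/#.*/, "")                 # strip comments, trailing ones too
        if (NF == 0) next              # skip blank and comment-only lines
        key = tolower($1)              # option names are case-insensitive
        $1 = ""; val = tolower($0)     # the rest of the line is the value
        gsub(/^ +| +$/, "", val)
        if (key == "orport" && val != "0")      relay = 1
        if (key == "controlport" && val != "0") control = 1
        if (key == "exitpolicy" && !seen++)     first_policy = val
        if (key == "cookieauthentication" && val == "1") auth = 1
        if (key == "hashedcontrolpassword")     auth = 1
    }
    END {
        # Exit policy rules are first-match, so reject-all has to come first.
        if (relay && index(first_policy, "reject *:*") != 1)
            print "ORPort is set but ExitPolicy does not start with reject *:*"
        if (control && !auth)
            print "ControlPort is set without CookieAuthentication 1"
    }' "$1"
}

# Constructed sample files, for illustration only.
good=$(mktemp); bad=$(mktemp)
trap 'rm -f "$good" "$bad"' EXIT
cat > "$good" <<'EOF'
ControlPort 9051
CookieAuthentication 1
ExitPolicy reject *:* # this is the important line
ORPort 443
EOF
cat > "$bad" <<'EOF'
ControlPort 9051
ORPort 443
DirPort 9030
EOF

echo "good:"; audit_torrc "$good"
echo "bad:";  audit_torrc "$bad"
```

To check the live configuration, call audit_torrc /etc/tor/torrc; two options pasted onto one line show up as a finding, because the second option is never seen as a setting of its own.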

Exit Node

Do not run a Tor Exit Node unless you know what you’re doing and what the associated risks are.

If you are interested in helping out the Tor network by running an Exit node, I recommend reading Tor Exit Guidelines and Tips for Running an Exit Node.

Restart

Save the configuration with ctrl+x and restart Tor with:

sudo systemctl restart tor@default

Tor only

To have your RBP serve Bitcoin traffic through Tor only, add the following line to your bitcoin.conf file:

onlynet=onion

Access

By default, Tor runs as debian-tor user and its access cookie is not accessible to the current bitcoin user. To change it run:

# so that Bitcoind can create Tor hidden service
sudo usermod -a -G debian-tor bitcoin
# so that you can run `arm` as user
sudo usermod -a -G debian-tor pi

You can verify that it succeeded by running the command below and making sure that debian-tor is in the output:

id bitcoin
uid=1001(bitcoin) gid=1001(bitcoin) groups=1001(bitcoin),113(debian-tor)

Bitcoind

Once all of the above is set up, just restart your Bitcoin node and it should automatically connect through Tor as well:

sudo systemctl restart bitcoind

The easiest way to verify the connection succeeded is switching to user bitcoin, and checking logs:

tail -f ~/.bitcoin/debug.log | grep tor
# or for testnet
tail -f ~/.bitcoin/testnet3/debug.log | grep tor

and if there are lines similar to ones below, all is good & it’s working :).

2018-01-25 09:40:52 torcontrol thread start
2018-01-25 09:40:52 tor: Got service ID lan352mqgk4yclzx, advertising service lan352mqgk4yclzx.onion:18333
2018-01-25 09:40:52 AddLocal(lan352mqgk4yclzx.onion:18333,4)

Verify it’s reachable

Either go to bitnodes.earn.com and paste your .onion address there:

Green == good; Red == bad ;)

or, assuming your .onion address is tfvfqbkl4e53uzk2.onion, in browser, open:

https://bitnodes.earn.com/nodes/tfvfqbkl4e53uzk2.onion-8333/

or, from the command line:

curl https://bitnodes.earn.com/api/v1/nodes/tfvfqbkl4e53uzk2.onion-8333/ | jq
{
"hostname": "",
"address": "tfvfqbkl4e53uzk2.onion",
"status": "UP",
"data": [
70015,
"/Satoshi:0.16.1/",
1529343293,
1037,
528204,
null,
null,
null,
0,
0,
null,
"TOR",
"Tor network"
],
"bitcoin_address": "",
"url": "",
"verified": false,
"mbps": "4601.473430"
}

Other thingies

Update Tor node

To update Tor on your RBP, run:

sudo apt update
# either update Tor only:
sudo apt install --only-upgrade tor
# or to all packages (recommended):
sudo apt upgrade
sudo systemctl restart tor@default

Configure Relay Ports

If you decided to expose DirPort, you might want to put up a notice about what Tor is. You can easily achieve that by also adding this line to your torrc file:

DirPortFrontPage /usr/share/doc/tor/tor-exit-notice.html

Now, any relay-related port you’ve chosen needs to be exposed to the outside world, and there are two ways to do it:

  1. Manual — login to your router and setup port forwarding there;
  2. Automatic — have a crontab automatically set them up for you, using miniUPnP (instructions based on this):

As a pi user, install MiniUPnP:

sudo apt install miniupnpc

Now let’s create a simple script setting up our ports:

mkdir ~/bin
touch ~/bin/set_ports.sh
chmod +x ~/bin/set_ports.sh
nano ~/bin/set_ports.sh

And (assuming you’ve chosen 443 for ORPort, and 9030 for DirPort) paste/type this:

#!/bin/sh
# ORPort
upnpc -e "Tor (ORPort, $(hostname))" -a $(ip route get 1 | awk '{print $NF;exit}') 443 443 TCP
# DirPort (skip this line if you chose to go w/o DirPort)
upnpc -e "Tor (DirPort, $(hostname))" -a $(ip route get 1 | awk '{print $NF;exit}') 9030 9030 TCP

Finally, open your crontab with:

crontab -e

And, specify when the ports should be set:

@reboot       /home/pi/bin/set_ports.sh
*/20 * * * * /home/pi/bin/set_ports.sh

The above will ensure the ports are properly set on your router, by renewing them on every reboot, and then every 20 minutes.

Note: Make sure that UPnP is enabled on your router.

Protip: You can see all UPnP port forwards on your router, with: upnpc -l.

The last thing that we need to do is to allow these ports on the Uncomplicated Firewall ufw:

sudo ufw allow 443 comment "Tor ORPort"
sudo ufw limit 9030 comment "Tor DirPort"

After all is done, you can verify that Tor notice page is accessible by going to <your-IP-or-ddns-domain>:<chosen-DirPort>, ex: meedamian.ddns.com:9030.

You should also start seeing traffic when running arm (the Tor dashboard), and (after some time), you should be able to find your node in Tor Metrics, by searching for your fingerprint (visible in the top right corner of arm dashboard).

Improvements? Mistakes? Tips?

If you’ve found anything incorrect in this guide, or have an idea on how to improve it, feel free to leave a comment, email btc AT meedamian DOT com, or @meeDamian me.

If you liked the guide, it helped you or you just want to contribute to my ticket to 🚀 Mars, you can do it either through my PayNym: +quietmath379, or more traditionally: bc1q7va50m4fcld9kd85xnkz3uuxl3uujj20f5ynka.

Something went wrong?

See this?

gpg --keyserver keys.gnupg.net --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
gpg: directory '/home/pi/.gnupg' created
gpg: keybox '/home/pi/.gnupg/pubring.kbx' created
gpg: failed to start the dirmngr '/usr/bin/dirmngr': No such file or directory
gpg: connecting dirmngr at '/run/user/0/gnupg/S.dirmngr' failed: No such file or directory
gpg: keyserver receive failed: No dirmngr

You need to install dirmngr — see the “Add Tor repo” section.

Edits

2018–02–04
Changed dashboard script to handle case with bitcoind not running better.

2018–06–19
Removed dashboard section. Changed user to be compatible with the previous guide. Updated screenshots. Added more info about ORPort and DirPort. Added requested tips section.

Other Guides…

This is the fourth guide in a planned series:

  1. Litecoin Full Node on RBP3,
  2. (obsolete) Bitcoin Full Node (with or w/o BIP148 UASF 🙊) on RBP3,
  3. Bitcoin Full Node on RBP3 (revised),
  4. Bitcoin through Tor on RBP3,
  5. Lightning Network (c-lightning) on RBP3,
  6. Lightning Network (lnd) on RBP3.

Damian Mee

Bitcoin. Lightning. Golang. Applied cryptography, not Blockchain. https://keybase.io/meedamian . PGP: D8CA 1776 EB92 6549 1D07 CE67 F546 ECBE A809 CB18