Bitcoin through Tor on RBP3
This is the second part of the guide on setting up your own Bitcoin Full Node on Raspberry Pi.
Note: Inspiration for this guide is taken from the guide by Jameson Lopp, the Tor FAQ, the sample torrc file, and the Tor manual.
This guide assumes you’re on macOS, comfortable with the terminal, already have a Bitcoin Full Node running on Raspberry Pi 3 and now you want to also add Tor to it.
Before starting
While the technical side of the setup is pretty straightforward, you might want to make sure you’ve configured your node correctly, to avoid unpleasant surprises in the future (more about it in the Configure section).
Note: In code snippets with output, bold parts are the commands to run.
Connect to RBP
Quite necessary, ex:
ssh pi@192.168.1.102
Once you’re connected, run updates:
sudo apt update
sudo apt -y upgrade
Add Tor repo
While an up-to-date tor package isn’t available right away on Raspbian, it’s easy to add.
First make sure you run the same Debian version that this guide was written for (stretch):
lsb_release -c
Codename: stretch
If you get a different output, you might need to consult here.
Note: Raspbian warning on the page above is only relevant to Raspberry Pi versions prior to 3, so in our case, it’s safe to ignore.
First of all, open:
sudo nano /etc/apt/sources.list
and there, append lines:
deb http://deb.torproject.org/torproject.org stretch main
deb-src http://deb.torproject.org/torproject.org stretch main
Save the file (ctrl+x + y), and install the missing dirmngr:
sudo apt install dirmngr
Once that completes, adding the key should succeed:
gpg --keyserver keys.gnupg.net --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
gpg: /home/pi/.gnupg/trustdb.gpg: trustdb created
gpg: key EE8CBC9E886DDD89: public key "deb.torproject.org archive signing key" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
OK
Install Tor
Let’s fetch metadata about all the goodies we’ve just added:
sudo apt update
And install tor:
sudo apt install tor tor-arm
Note: tor-arm is not required, but it provides a useful tor dashboard, visualising what’s going on with your node.
Configure
Warning
Proper Tor configuration is VERY important. A misconfigured node can end up:
- using up all of your internet quota;
- having your ISP suspend/terminate your internet contract;
- and, in some more draconian jurisdictions, with you in jail(!).
So do make sure your Tor node is configured correctly and always up to date.
Location
Tor configuration file is located in: /etc/tor/torrc
and you need superuser privileges to edit it:
sudo nano /etc/tor/torrc
Contents
The minimal file, to just relay Bitcoin traffic, can look something like:
RunAsDaemon 1
PortForwarding 1
# RAM limit that works for me w/SWAP off
# if you run with SWAP, you can skip adding this line
MaxMemInQueues 455MB
ControlPort 9051
CookieAuthentication 1
CookieAuthFileGroupReadable 1
Note: This config sets your node to serve through Tor in addition to the regular clearnet access.
Extras
More configuration options are very well documented in the file itself, in the docs online and in this very useful FAQ. Here, however, I’ll only go through two more options:
To have Tor logs in a separate file, add this line:
Log notice file /var/log/tor/notices.log
To have your RBP also act as a relay, add the following lines:
ExitPolicy reject *:* # this is the important line
# ORPort is required if you want to run your Tor node as a relay
# If 443 is not available, set it to 9001 or anything else
ORPort 443
# This one is very optional. Can be any port you choose.
DirPort 9030
Important: If you chose to go with either just ORPort or both, make sure to see the section Configure Relay Ports below!
Exit Node
Do not run a Tor Exit Node unless you know what you’re doing and what the associated risks are.
If you are interested in helping out the Tor network by running an Exit node, I recommend reading Tor Exit Guidelines and Tips for Running an Exit Node.
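The relay lines in Extras keep the Pi from acting as an exit only if ExitPolicy reject *:* is the first exit-policy rule Tor reads, because exit-policy rules are matched in order. The script below is an added example, not part of the original guide: check_torrc is a hypothetical helper name, the sample files are constructed, and treating a relay with no ExitPolicy line as a failure is a deliberately conservative assumption.

```shell
#!/bin/sh
# Added example: check_torrc is a hypothetical helper, not a Tor tool.
# Exit status 0 = file does not configure an exit, 1 = it may.
check_torrc() {
    awk '
        { sub(/#.*/, "") }                 # strip whole-line and trailing comments
        NF == 0 { next }
        { key = tolower($1) }              # torrc option names are case-insensitive
        key == "orport" && $2 != "0" { relay = 1 }
        key == "exitpolicy" && !seen {     # rules match in order, so inspect the first
            seen = 1
            $1 = ""; rule = $0
            sub(/,.*/, "", rule)           # one line may hold several comma-separated rules
            gsub(/^[ \t]+|[ \t]+$/, "", rule)
            first = rule
        }
        END {
            if (!relay) { print "OK: no ORPort, not a relay"; exit 0 }
            if (first == "reject *:*") { print "OK: relay that rejects all exit traffic"; exit 0 }
            if (!seen) { print "WARN: ORPort set but no ExitPolicy line"; exit 1 }
            print "WARN: first ExitPolicy rule is \"" first "\""; exit 1
        }
    ' "$1"
}

# Constructed sample files, not taken from a real node.
tmp=$(mktemp -d)
printf '%s\n' 'RunAsDaemon 1' \
    'ExitPolicy reject *:* # this is the important line' \
    'ORPort 443' 'DirPort 9030' > "$tmp/relay.torrc"
printf '%s\n' 'ORPort 443' \
    'ExitPolicy accept *:80,reject *:*' > "$tmp/exit.torrc"
for f in "$tmp"/*.torrc; do
    printf '%s: ' "${f##*/}"
    check_torrc "$f" || true
done
rm -rf "$tmp"
```

On the Pi, point it at the real file with check_torrc /etc/tor/torrc before restarting Tor.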
Restart
Save the configuration with ctrl+x and restart Tor with:
sudo systemctl restart tor@default
Tor only
To have your RBP serve Bitcoin traffic through Tor only, add the following line to your bitcoin.conf file:
onlynet=onion
Access
By default, Tor runs as the debian-tor user, and its access cookie is not accessible to the current bitcoin user. To change that, run:
# so that Bitcoind can create Tor hidden service
sudo usermod -a -G debian-tor bitcoin
# so that you can run `arm` as user
sudo usermod -a -G debian-tor pi
You can verify that it succeeded by running the command below and making sure that debian-tor is in the output:
id bitcoin
uid=1001(bitcoin) gid=1001(bitcoin) groups=1001(bitcoin),113(debian-tor)
Bitcoind
Once all above is set up, just restart your Bitcoin node and it should automatically connect through Tor as well:
sudo systemctl restart bitcoind
The easiest way to verify the connection succeeded is switching to user bitcoin, and checking logs:
tail -f ~/.bitcoin/debug.log | grep tor
# or for testnet
tail -f ~/.bitcoin/testnet3/debug.log | grep tor
and if there are lines similar to ones below, all is good & it’s working :).
2018-01-25 09:40:52 torcontrol thread start
2018-01-25 09:40:52 tor: Got service ID lan352mqgk4yclzx, advertising service lan352mqgk4yclzx.onion:18333
2018-01-25 09:40:52 AddLocal(lan352mqgk4yclzx.onion:18333,4)
Verify it’s reachable
Either go to bitnodes.earn.com and paste your .onion address there:
or, assuming your .onion address is tfvfqbkl4e53uzk2.onion, in browser, open:
https://bitnodes.earn.com/nodes/tfvfqbkl4e53uzk2.onion-8333/
or, from the command line:
curl https://bitnodes.earn.com/api/v1/nodes/tfvfqbkl4e53uzk2.onion-8333/ | jq
{
  "hostname": "",
  "address": "tfvfqbkl4e53uzk2.onion",
  "status": "UP",
  "data": [
    70015,
    "/Satoshi:0.16.1/",
    1529343293,
    1037,
    528204,
    null,
    null,
    null,
    0,
    0,
    null,
    "TOR",
    "Tor network"
  ],
  "bitcoin_address": "",
  "url": "",
  "verified": false,
  "mbps": "4601.473430"
}
Other thingies
Update Tor node
To update Tor on your RBP, run:
sudo apt update
# either update Tor only:
sudo apt install --only-upgrade tor
# or to all packages (recommended):
sudo apt upgrade
sudo systemctl restart tor@default
Configure Relay Ports
If you decided to expose DirPort, you might want to put on a notice about what Tor is. You can easily achieve that by also adding this line to your torrc file:
DirPortFrontPage /usr/share/doc/tor/tor-exit-notice.html
Now, any relay-related port you’ve chosen needs to be exposed to the outside world, and there are two ways to do it:
- Manual: log in to your router and set up port forwarding there;
- Automatic: have a crontab automatically set them up for you, using miniUPnP (instructions based on this):
As a pi user, install MiniUPnP:
sudo apt install miniupnpc
Now let’s create a simple script setting up our ports:
mkdir ~/bin
touch ~/bin/set_ports.sh
chmod +x ~/bin/set_ports.sh
nano ~/bin/set_ports.sh
And (assuming you’ve chosen 443 for ORPort, and 9030 for DirPort) paste/type this:
#!/bin/sh
# ORPort
upnpc -e "Tor (ORPort, $(hostname))" -a $(ip route get 1 | awk '{print $NF;exit}') 443 443 TCP
# DirPort (skip this line if you chose to go w/o DirPort)
upnpc -e "Tor (DirPort, $(hostname))" -a $(ip route get 1 | awk '{print $NF;exit}') 9030 9030 TCP
Finally, open your crontab with:
crontab -e
And, specify when the ports should be set:
@reboot /home/pi/bin/set_ports.sh
*/20 * * * * /home/pi/bin/set_ports.sh
The above will ensure the ports are properly set on your router, by renewing them on every reboot, and then every 20 minutes.
Note: Make sure that UPnP is enabled on your router.
Protip: You can see all UPnP port forwards on your router, with: upnpc -l.
The last thing that we need to do is to allow these ports on the Uncomplicated Firewall ufw:
sudo ufw allow 443 comment "Tor ORPort"
sudo ufw limit 9030 comment "Tor DirPort"
After all is done, you can verify that the Tor notice page is accessible by going to <your-IP-or-ddns-domain>:<chosen-DirPort>, ex: meedamian.ddns.com:9030.
You should also start seeing traffic when running arm (the Tor dashboard), and (after some time), you should be able to find your node in Tor Metrics, by searching for your fingerprint (visible in the top right corner of the arm dashboard).
Improvements? Mistakes? Tips?
If you’ve found anything incorrect in this guide, or have an idea on how to improve it, feel free to leave a comment, email me at btc AT meedamian DOT com, or message me at @meeDamian.
If you liked the guide, it helped you or you just want to contribute to my ticket to 🚀 Mars, you can do it either through my PayNym: +quietmath379, or more traditionally: bc1q7va50m4fcld9kd85xnkz3uuxl3uujj20f5ynka.
Something went wrong?
See this?
gpg --keyserver keys.gnupg.net --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
gpg: directory '/home/pi/.gnupg' created
gpg: keybox '/home/pi/.gnupg/pubring.kbx' created
gpg: failed to start the dirmngr '/usr/bin/dirmngr': No such file or directory
gpg: connecting dirmngr at '/run/user/0/gnupg/S.dirmngr' failed: No such file or directory
gpg: keyserver receive failed: No dirmngr
You need to install dirmngr; see the “Add Tor repo” section.
Edits
2018–02–04
Changed dashboard script to better handle the case with bitcoind not running.
2018–06–19
Removed dashboard section. Changed user to be compatible with the previous guide. Updated screenshots. Added more info about ORPort and DirPort. Added requested tips section.
Other Guides…
This is the fourth guide in a planned series:
- Litecoin Full Node on RBP3,
- (obsolete) Bitcoin Full Node (with or w/o BIP148 UASF 🙊) on RBP3,
- Bitcoin Full Node on RBP3 (revised),
- Bitcoin through Tor on RBP3,
- Lightning Network (c-lightning) on RBP3,
- Lightning Network (lnd) on RBP3.