Running Bitcoin over Tor

Tor is a great service to promote privacy and censorship resistance. These goals align directly with the Bitcoin network.

By running Bitcoin over Tor, you get the following benefits:

  1. It hides your IP address from the world
  2. You don't need to worry about setting up firewall port forwarding
  3. It lets others connect to your node anonymously, which promotes their privacy

This guide shows how to set up an existing Bitcoin node to run over Tor.  It uses a Bitcoin node that was set up on a Raspberry Pi (see the other article for details about how to get to this point).

See the video for a detailed walkthrough, but the instructions below will get you there quicker.

The first thing that you will need to do is to install Tor.  On the Raspberry Pi this is as simple as...

$ sudo apt-get install tor

Once this has been installed, you should be able to query the tor service and see that it is enabled and running.

$ sudo systemctl status tor

● tor.service - Anonymizing overlay network for TCP (multi-instance-master)
   Loaded: loaded (/lib/systemd/system/tor.service; enabled; vendor preset: enabled)
   Active: active (exited) since Sat 2020-08-15 21:12:45 PDT; 13min ago
  Process: 427 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
 Main PID: 427 (code=exited, status=0/SUCCESS)

You should also see that Tor's proxy port 9050 is listening for incoming connections on the local loopback address:

$ netstat -an | grep 9050

tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN

We will be setting up Bitcoin to run as a hidden service to allow incoming connections.  To do this, we need to enable the Tor control port in the Tor config file.

$ sudo vi /etc/tor/torrc

Uncomment the following 2 lines to enable the control port and cookie authentication.

## The port on which Tor will listen for local connections from Tor
## controller applications, as documented in control-spec.txt.

ControlPort 9051

## If you enable the controlport, be sure to enable one of these
## authentication methods, to prevent attackers from accessing it.
#HashedControlPassword ...

CookieAuthentication 1

Next, restart the tor service and verify that port 9051 is listening.

$ sudo systemctl restart tor@default.service

$ netstat -an | grep 9051
tcp        0      0 127.0.0.1:9051          0.0.0.0:*               LISTEN

Lastly, you need to add the user account running bitcoin to the Tor group so it can access the cookie file.  You can see the cookie here:

$ ls -al /run/tor/
total 8
drwxr-sr-x  2 debian-tor debian-tor 120 Aug 15 21:12 .
drwxr-xr-x 29 root       root       860 Aug 15 21:25 ..
srw-rw----  1 debian-tor debian-tor   0 Aug 15 21:12 control
-rw-r-----  1 debian-tor debian-tor  32 Aug 15 21:12 control.authcookie
srw-rw-rw-  1 debian-tor debian-tor   0 Aug 15 21:12 socks
-rw-r--r--  1 debian-tor debian-tor   4 Aug 15 21:12 tor.pid

It is owned by the debian-tor group.  The account I am running my node as is the "pi" user, but usually this may be the "bitcoin" user.  Whichever one it is, add it to the debian-tor group.

$ sudo usermod -a -G debian-tor pi

You may need to reboot to pick this up.  You can verify by running the "groups" command.

$ groups
pi adm dialout cdrom sudo audio video plugdev games users input netdev debian-tor gpio i2c spi

You can see my user is in the debian-tor group now.

Finally, you need to configure bitcoind to use the proxy and also listen over Tor for incoming connections.  This can be done in one of two ways.

First, you can just add it to the command line:

$ bitcoind -proxy=127.0.0.1:9050 -listen -debug=tor

Or you can add it to your bitcoin.conf file:

proxy=127.0.0.1:9050
listen=1
debug=tor

The debug parameter tells bitcoind to print information about Tor when the service comes up, so you can see if anything is not working.

When you bring up the service, you should see a statement like

tor: Got service ID XXXXXXXXXX, advertising service XXXXXXXX.onion:8333

This means that the service was able to be configured and is up and running.
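
If that line does not appear, the settings from the steps above can be checked in one pass. The script below is an added example, not part of the original guide: its function names, messages and demo files are made up for illustration, and it assumes the ControlPort, CookieAuthentication, proxy and listen settings and the /run/tor/control.authcookie path shown above.

```sh
# Added example, not from the original guide; names and demo files are constructed.

# Print the value of the last uncommented occurrence of a torrc option.
torrc_get() {  # usage: torrc_get FILE OPTION
    awk -v opt="$2" 'tolower($1) == tolower(opt) { v = $2 } END { print v }' "$1"
}

# Succeed if FILE has an uncommented KEY=VALUE line whose value matches the ERE.
conf_has() {  # usage: conf_has FILE KEY VALUE_REGEX
    grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3[[:space:]]*\$" "$1"
}

# Print one OK/FAIL line per check; return 0 only if every check passes.
audit_tor_bitcoin() {  # usage: audit_tor_bitcoin TORRC BITCOIN_CONF [COOKIE_FILE]
    torrc=$1 conf=$2 cookie_file=${3:-/run/tor/control.authcookie} rc=0
    port=$(torrc_get "$torrc" ControlPort)
    auth=$(torrc_get "$torrc" CookieAuthentication)
    hashed=$(torrc_get "$torrc" HashedControlPassword)
    case $port in
        ''|0) echo "FAIL: ControlPort is not enabled"; rc=1 ;;
        127.*|localhost:*|"[::1]":*|unix:*) echo "OK: ControlPort $port is local" ;;
        *:*)  echo "FAIL: ControlPort $port is not bound to loopback"; rc=1 ;;
        *)    echo "OK: ControlPort $port (a bare port binds to loopback)" ;;
    esac
    if [ "$auth" = 1 ] && [ -r "$cookie_file" ]; then
        echo "OK: cookie authentication is on and $cookie_file is readable"
    elif [ "$auth" = 1 ]; then
        echo "FAIL: this user cannot read $cookie_file (check group membership)"; rc=1
    elif [ -n "$hashed" ]; then
        echo "FAIL: CookieAuthentication is not 1 (only a password is set)"; rc=1
    else
        echo "FAIL: no control port authentication method is enabled"; rc=1
    fi
    if conf_has "$conf" proxy '127\.0\.0\.1:9050'; then echo "OK: proxy=127.0.0.1:9050"
    else echo "FAIL: bitcoin.conf does not set proxy=127.0.0.1:9050"; rc=1; fi
    if conf_has "$conf" listen 1; then echo "OK: listen=1"
    else echo "FAIL: bitcoin.conf does not set listen=1"; rc=1; fi
    return $rc
}

# Demo on constructed files that mirror the settings in this guide.
demo() {
    d=$(mktemp -d); : > "$d/cookie"
    printf 'ControlPort 9051\nCookieAuthentication 1\n' > "$d/torrc"
    printf 'proxy=127.0.0.1:9050\nlisten=1\ndebug=tor\n' > "$d/bitcoin.conf"
    audit_tor_bitcoin "$d/torrc" "$d/bitcoin.conf" "$d/cookie"; s=$?
    rm -rf "$d"; return $s
}
demo
```

To audit a real node, call audit_tor_bitcoin with /etc/tor/torrc and the path to your bitcoin.conf, running as the same user that runs bitcoind so the cookie readability check is meaningful.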

For any other debugging hints, see the Bitcoin readme about Tor.