Configure

Warning

Proper Tor configuration is VERY important. A misconfigured node can end up:

using up all of your internet quota;

having your ISP suspend/terminate your internet contract;

and, in some more draconian jurisdictions, with you in jail(!).

So do make sure your Tor node is configured correctly and always up to date.

Location

The Tor configuration file is located at /etc/tor/torrc, and you need superuser privileges to edit it:

sudo nano /etc/tor/torrc

Contents

The minimal file, to just relay Bitcoin traffic, can look something like:

RunAsDaemon 1

PortForwarding 1

# RAM limit that works for me w/SWAP off

# if you run with SWAP, you can skip adding this line

MaxMemInQueues 455MB

ControlPort 9051

CookieAuthentication 1

CookieAuthFileGroupReadable 1

Note: This config sets your node to serve through Tor in addition to the regular clearnet access.

Extras

More configuration options are very well documented in the file itself, in the online docs, and in this very useful FAQ. Here, however, I’ll only go through two more options:

To have Tor logs in a separate file, add this line:

Log notice file /var/log/tor/notices.log

To have your RBP also act as a relay, add the following lines:

ExitPolicy reject *:* # this is the important line

# ORPort is required if you want to run your Tor node as a relay

# If 443 is not available, set it to 9001 or anything else

ORPort 443

# This one is very optional. Can be any port you choose.

DirPort 9030

Important: If you chose to go with either just ORPort or both, make sure to see the section Configure Relay Ports below!

Exit Node

Do not run a Tor Exit Node unless you know what you’re doing and what the associated risks are.

If you are interested in helping out the Tor network by running an Exit node, I recommend reading Tor Exit Guidelines and Tips for Running an Exit Node.
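A quick check of the saved torrc before restarting Tor, as an added example that is not part of the original guide: it flags a relay port configured without ExitPolicy reject *:* as the first policy line, and a ControlPort without authentication. The helper name audit_torrc and the sample file are assumptions; the check is deliberately conservative and flags any first ExitPolicy line that is not exactly reject *:*.

```shell
#!/bin/sh
# Added example, not from the original guide: audit a torrc for the two
# settings this guide depends on. audit_torrc is a hypothetical helper name.
audit_torrc() {
    awk '
        { sub(/#.*/, "") }              # strip full-line and trailing comments
        NF == 0 { next }
        { key = tolower($1) }           # torrc option names are case-insensitive
        (key == "orport" || key == "dirport") && $2 != "0" { relay = 1 }
        key == "controlport" && $2 != "0" { control = 1 }
        key == "cookieauthentication" && $2 == "1" { auth = 1 }
        key == "hashedcontrolpassword" && NF > 1 { auth = 1 }
        key == "exitpolicy" {
            # Rules are matched first to last, so only the first one can
            # guarantee that nothing exits. Anything else is flagged.
            if (++rules == 1 && NF == 3 && $2 == "reject" && $3 == "*:*") closed = 1
        }
        END {
            if (relay && !closed) {
                print "FAIL: relay port set, but first ExitPolicy is not reject *:*"; bad = 1
            }
            if (control && !auth) {
                print "FAIL: ControlPort set without cookie or password authentication"; bad = 1
            }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: the relay lines with the ExitPolicy line forgotten.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ControlPort 9051
CookieAuthentication 1
ORPort 443    # no ExitPolicy line
DirPort 9030
EOF
audit_torrc "$sample" || echo "fix the findings above before restarting Tor"
rm -f "$sample"
```

Run it as audit_torrc /etc/tor/torrc; it checks intent only, so syntax errors are still a job for tor --verify-config.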

Restart

Save the configuration with ctrl+x and restart Tor with:

sudo systemctl restart tor@default

Tor only

To have your RBP serve Bitcoin traffic through Tor only, add the following line to your bitcoin.conf file:

onlynet=onion

Access

By default, Tor runs as the debian-tor user, and its access cookie is not accessible to the current bitcoin user. To change that, run:

# so that Bitcoind can create Tor hidden service

sudo usermod -a -G debian-tor bitcoin

# so that you can run `arm` as user

sudo usermod -a -G debian-tor pi

You can verify that it succeeded by running the command below and making sure that debian-tor is in the output:

id bitcoin

uid=1001(bitcoin) gid=1001(bitcoin) groups=1001(bitcoin),113(debian-tor)

Bitcoind

Once all of the above is set up, just restart your Bitcoin node and it should automatically connect through Tor as well:

sudo systemctl restart bitcoind

The easiest way to verify that the connection succeeded is to switch to the bitcoin user and check the logs:

tail -f ~/.bitcoin/debug.log | grep tor

# or for testnet

tail -f ~/.bitcoin/testnet3/debug.log | grep tor

and if there are lines similar to ones below, all is good & it’s working :).

2018-01-25 09:40:52 torcontrol thread start

2018-01-25 09:40:52 tor: Got service ID lan352mqgk4yclzx, advertising service lan352mqgk4yclzx.onion:18333

2018-01-25 09:40:52 AddLocal(lan352mqgk4yclzx.onion:18333,4)

Verify it’s reachable

Either go to bitnodes.earn.com and paste your .onion address there:

Green == good; Red == bad ;)

or, assuming your .onion address is tfvfqbkl4e53uzk2.onion, in browser, open:

https://bitnodes.earn.com/nodes/tfvfqbkl4e53uzk2.onion-8333/

or, from the command line:

curl https://bitnodes.earn.com/api/v1/nodes/tfvfqbkl4e53uzk2.onion-8333/ | jq

{

"hostname": "",

"address": "tfvfqbkl4e53uzk2.onion",

"status": "UP",

"data": [

70015,

"/Satoshi:0.16.1/",

1529343293,

1037,

528204,

null,

null,

null,

0,

0,

null,

"TOR",

"Tor network"

],

"bitcoin_address": "",

"url": "",

"verified": false,

"mbps": "4601.473430"

}

Other thingies

Update Tor node

To update Tor on your RBP, run:

sudo apt update

# either update Tor only:

sudo apt install --only-upgrade tor

# or to all packages (recommended):

sudo apt upgrade

sudo systemctl restart tor@default

Configure Relay Ports

If you decided to expose DirPort, you might want to put up a notice about what Tor is. You can easily achieve that by also adding this line to your torrc file:

DirPortFrontPage /usr/share/doc/tor/tor-exit-notice.html

Now, any relay-related port you’ve chosen needs to be exposed to the outside world, and there are two ways to do it:

Manual: log in to your router and set up port forwarding there;

Automatic: have a crontab automatically set them up for you, using miniUPnP (instructions based on this):

As a pi user, install MiniUPnP:

sudo apt install miniupnpc

Now let’s create a simple script setting up our ports:

mkdir ~/bin

touch ~/bin/set_ports.sh

chmod +x ~/bin/set_ports.sh

nano ~/bin/set_ports.sh

And (assuming you’ve chosen 443 for ORPort, and 9030 for DirPort) paste/type this:

#!/bin/sh

# ORPort

upnpc -e "Tor (ORPort, $(hostname))" -a $(ip route get 1 | awk '{print $NF;exit}') 443 443 TCP

# DirPort (skip this line if you chose to go w/o DirPort)

upnpc -e "Tor (DirPort, $(hostname))" -a $(ip route get 1 | awk '{print $NF;exit}') 9030 9030 TCP

Finally, open your crontab with:

crontab -e

And, specify when the ports should be set:

@reboot /home/pi/bin/set_ports.sh

*/20 * * * * /home/pi/bin/set_ports.sh

The above will ensure the ports are properly set on your router, by renewing them on every reboot, and then every 20 minutes.

Note: Make sure that UPnP is enabled on your router.

Protip: You can see all UPnP port forwards on your router with: upnpc -l
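On newer iproute2 releases, ip route get appends a uid field, so the script's $NF picks up that number instead of the source address. The variant below is an added example, not part of the original guide: it reads the value after src and validates it before upnpc is called. The helper names lan_src, is_ipv4 and map_port, and the two sample lines, are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. lan_src, is_ipv4 and map_port
# are hypothetical helper names.

# Print the value following "src" in `ip route get` output read from stdin.
lan_src() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "src") { print $(i + 1); exit } }'
}

# Succeed only for a dotted-quad IPv4 address with each octet in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i > 255) exit 1 }'
}

# Map one TCP port to this host, refusing to call upnpc with a bad address.
map_port() {   # usage: map_port LABEL PORT
    addr=$(ip route get 1 | lan_src)
    is_ipv4 "$addr" || { echo "no usable LAN address: '$addr'" >&2; return 1; }
    upnpc -e "Tor ($1, $(hostname))" -a "$addr" "$2" "$2" TCP
}

# Constructed samples of the two output shapes (older and newer iproute2).
OLD_FMT='1.0.0.0 via 192.168.1.1 dev eth0 src 192.168.1.50'
NEW_FMT='1.0.0.0 via 192.168.1.1 dev eth0 src 192.168.1.50 uid 1000'

# Both shapes yield the same address.
printf '%s\n' "$OLD_FMT" | lan_src
printf '%s\n' "$NEW_FMT" | lan_src
```

In set_ports.sh the two upnpc lines would become map_port ORPort 443 and map_port DirPort 9030.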

The last thing that we need to do is to allow these ports on the Uncomplicated Firewall (ufw):

sudo ufw allow 443 comment "Tor ORPort"

sudo ufw limit 9030 comment "Tor DirPort"

After all is done, you can verify that the Tor notice page is accessible by going to <your-IP-or-ddns-domain>:<chosen-DirPort>, ex: meedamian.ddns.com:9030.

You should also start seeing traffic when running arm (the Tor dashboard), and (after some time), you should be able to find your node in Tor Metrics, by searching for your fingerprint (visible in the top right corner of arm dashboard).

Improvements? Mistakes? Tips?

If you’ve found anything incorrect in this guide, or have an idea on how to improve it, feel free to either leave a comment, email me at btc AT meedamian DOT com, or @meeDamian me.

If you liked the guide, it helped you or you just want to contribute to my ticket to 🚀 Mars, you can do it either through my PayNym: +quietmath379, or more traditionally: bc1q7va50m4fcld9kd85xnkz3uuxl3uujj20f5ynka .

Something went wrong?

See this?

gpg --keyserver keys.gnupg.net --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89

gpg: directory '/home/pi/.gnupg' created

gpg: keybox '/home/pi/.gnupg/pubring.kbx' created

gpg: failed to start the dirmngr '/usr/bin/dirmngr': No such file or directory

gpg: connecting dirmngr at '/run/user/0/gnupg/S.dirmngr' failed: No such file or directory

gpg: keyserver receive failed: No dirmngr

You need to install dirmngr; see the “Add Tor repo” section.

Edits

2018-02-04

Changed dashboard script to handle case with bitcoind not running better.

2018-06-19

Removed dashboard section. Changed user to be compatible with the previous guide. Updated screenshots. Added more info about ORPort and DirPort. Added requested tips section.

Other Guides…

This is a fourth guide in a series of planned: