We configure Tor to run your node anonymously.
- Tor Project
- SSH remote access through Tor (optional)
Running your own Bitcoin and Lightning node at home makes you a direct, sovereign peer on the Bitcoin network. However, if not configured with privacy in mind, it also tells the world that there is someone with Bitcoin at that address.
True, it’s only your IP address that is revealed, but using services like iplocation.net, your physical address can be determined quite accurately. Especially with Lightning, your IP address would be widely used. We need to make sure that you keep your privacy.
We’ll also make it easy to connect to your node from outside your home network as an added benefit.
We use Tor, free software built by the Tor Project. It allows you to anonymize internet traffic by routing it through a network of nodes, hiding your location and usage profile.
It is called “Tor” for “The Onion Router”: information is routed through many hops and encrypted multiple times. Each node decrypts only the layer of information addressed to it, learning only the previous and the next hop of the whole route. The data package is peeled like an onion until it reaches the final destination.
Log in to your RaspiBolt via SSH as user “admin” and install Tor.
$ sudo apt install tor
Bitcoin Core will communicate directly with the Tor daemon to route all traffic through the Tor network. We need to enable Tor to accept instructions through its control port, with the proper authentication.
Modify the Tor configuration by uncommenting (removing the #) or adding the following lines. Save and exit.
$ sudo nano /etc/tor/torrc
# uncomment:
ControlPort 9051
CookieAuthentication 1

# add:
CookieAuthFileGroupReadable 1
Reload Tor configuration to activate the modifications
$ sudo systemctl reload tor
Check the systemd journal to follow Tor's log output in real time.
$ sudo journalctl -f -u tor@default
Not all network traffic is routed over the Tor network. But we now have the base to configure sensitive applications to use it.
If you want to log into your RaspiBolt with SSH when you’re away, you can easily do so by adding a Tor hidden service. This makes “calling home” very easy, without the need to configure anything on your internet router.
Add the following three lines in the “location-hidden services” section of the torrc file. Save and exit.
$ sudo nano /etc/tor/torrc
############### This section is just for location-hidden services ###

# Hidden Service SSH server
HiddenServiceDir /var/lib/tor/hidden_service_sshd/
HiddenServiceVersion 3
HiddenServicePort 22 127.0.0.1:22
Reload Tor configuration and look up your Tor connection address
$ sudo systemctl reload tor
$ sudo cat /var/lib/tor/hidden_service_sshd/hostname
> abcdefg..............xyz.onion
Save the Tor address in a secure location, e.g., your password manager.
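
The check below is an added example, not part of the original guide: a shell function that audits a torrc for the control-port and hidden-service settings configured above. The function names (torrc_get, non_loopback, audit_torrc) and the sample file are made up for illustration; the torrc option names are Tor's own.

```shell
# Print field $3 of each active (uncommented) line for option $2 in file $1.
torrc_get() {
  awk -v key="$2" -v n="$3" 'tolower($1) == tolower(key) { print $n }' "$1"
}
# Keep address:port values that are not loopback; a bare port means localhost.
non_loopback() { awk '/:/ && !/^(127\.|localhost:|\[::1\]:|unix:)/'; }

audit_torrc() {   # prints findings; returns 1 if any check fails
  f=$1 rc=0
  ok()   { echo "OK:   $*"; }
  fail() { echo "FAIL: $*"; rc=1; }

  ctrl=$(torrc_get "$f" ControlPort 2)
  if [ -z "$ctrl" ]; then
    fail "ControlPort is not enabled (line still commented out?)"
  else
    exposed=$(echo "$ctrl" | non_loopback)
    if [ -n "$exposed" ]; then fail "ControlPort reachable beyond loopback: $exposed"
    else ok "ControlPort $ctrl is loopback-only"; fi

    # Without authentication any local program could reconfigure Tor.
    cookie=$(torrc_get "$f" CookieAuthentication 2 | tail -n 1)
    hashed=$(torrc_get "$f" HashedControlPassword 2)
    if [ "$cookie" = 1 ] || [ -n "$hashed" ]; then ok "control port requires authentication"
    else fail "ControlPort enabled without CookieAuthentication or HashedControlPassword"; fi

    # The guide sets this so clients in Tor's group can read the cookie file.
    group=$(torrc_get "$f" CookieAuthFileGroupReadable 2 | tail -n 1)
    if [ "$cookie" = 1 ] && [ "$group" != 1 ]; then
      fail "CookieAuthFileGroupReadable 1 missing; group members cannot read the cookie"
    fi
  fi

  # HiddenServicePort VIRTPORT [TARGET]: the target should stay on loopback.
  exposed=$(torrc_get "$f" HiddenServicePort 3 | non_loopback)
  if [ -n "$exposed" ]; then fail "hidden service forwards off-host: $exposed"
  else ok "hidden service targets are loopback-only"; fi
  return "$rc"
}

# Constructed sample: the torrc lines from this guide.
sample=$(mktemp)
printf '%s\n' 'ControlPort 9051' 'CookieAuthentication 1' \
  'CookieAuthFileGroupReadable 1' 'HiddenServiceVersion 3' \
  'HiddenServiceDir /var/lib/tor/hidden_service_sshd/' \
  'HiddenServicePort 22 127.0.0.1:22' > "$sample"
audit_torrc "$sample"
rm -f "$sample"
```

On the node itself, point audit_torrc at /etc/tor/torrc after each edit, before reloading Tor.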
You also need to have Tor installed on your regular computer where you start the SSH connection. Usage of SSH over Tor differs by client and operating system.
A few examples:
Windows: configure PuTTY as described in this guide Torifying PuTTY by the Tor Project.
- Note: If you are using PuTTY and fail to connect to your Pi by setting port 9050 in the PuTTY proxy settings, try setting port 9150 instead. When Tor runs as an installed application instead of a background process it uses port 9150.
Use torify or torsocks. Both work similarly; just use whatever you have available:
$ torify ssh admin@abcdefg..............xyz.onion
$ torsocks ssh admin@abcdefg..............xyz.onion
torsocks may not work due to Apple’s System Integrity Protection (SIP) which will deny access to
To work around this, first make sure Tor is installed and running on your Mac:
$ brew install tor && brew services start tor
You can SSH to your Pi “out of the box” with the following proxy command:
$ ssh -o "ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p" admin@abcdefg..............xyz.onion
For a more permanent solution, add these six lines below to your local SSH config file. Choose any HOSTNICKNAME you want, save and exit.
$ sudo nano .ssh/config
Host HOSTNICKNAME
  Hostname abcdefg..............xyz.onion
  User admin
  Port 22
  CheckHostIP no
  ProxyCommand /usr/bin/nc -x localhost:9050 %h %p
$ brew services restart tor
You should now be able to SSH to your Pi with
$ ssh HOSTNICKNAME