Privacy

We configure Tor and I2P to run your node anonymously.

Running your own Bitcoin and Lightning node at home makes you a direct, sovereign peer on the Bitcoin network. However, if it is not configured with privacy in mind, it also tells the world that there is someone with Bitcoin at that address.

We'll also make it easy to connect to your node from outside your home network as an added benefit.

True, it's only your IP address that is revealed, but using services like iplocation.net, your physical location can be determined quite accurately. Especially with Lightning, your IP address is spread widely across the network. We need to make sure that you keep your privacy.

Tor Project

We use Tor, a free software built by the Tor Project. It allows you to anonymize internet traffic by routing it through a network of nodes, hiding your location and usage profile.

It is called "Tor" for "The Onion Router": information is routed through many hops and encrypted multiple times. Each node decrypts only the layer of information addressed to it, learning only the previous and the next hop of the whole route. The data package is peeled like an onion until it reaches the final destination.

Preparation

Create tor group and user

$SU addgroup -S tor
$SU adduser \
    -S \
    -D \
    -H \
    -h /dev/null \
    -s /sbin/nologin \
    -G tor \
    -g tor \
    tor

Install

$SU apk add tor

Tor configuration

The Bitcoin client will communicate directly with the Tor daemon to route all traffic through the Tor network. We need to enable Tor to accept instructions through its control port, with proper authentication.

  • Edit the Tor configuration
$SU cp /etc/tor/torrc.sample /etc/tor/torrc
$SU $EDITOR /etc/tor/torrc
  • Uncomment the following lines
/etc/tor/torrc
...
## The port on which Tor will listen for local connections from Tor
## controller applications, as documented in control-spec.txt.
ControlPort 9051
## If you enable the controlport, be sure to enable one of these
## authentication methods, to prevent attackers from accessing it.
#HashedControlPassword 24:972860B76453A77B40CA2BB8C1A7982072093276A3D701AD685353
CookieAuthentication 1

############### This section is just for location-hidden services ###
...
  • Add under CookieAuthentication 1
/etc/tor/torrc
CookieAuthFile /var/lib/tor/control_auth_cookie
CookieAuthFileGroupReadable 1
DataDirectoryGroupReadable 1
  • Start Tor and add the service to the default runlevel
$SU rc-service tor start
$SU rc-update add tor default
  • Ensure that the Tor service is working and listening at the default ports 9050 and 9051
$SU netstat -lntup | grep LISTEN | grep tor
output
tcp      0     0 127.0.0.1:9051       0.0.0.0:*             LISTEN     3359/tor
tcp      0     0 127.0.0.1:9050       0.0.0.0:*             LISTEN     3359/tor
  • Check the logs to watch Tor's output in real time. Exit with Ctrl-C
$SU tail -f /var/log/tor/notices.log

Not all network traffic is routed over the Tor network. But we now have the base to configure sensitive applications to use it.
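A check for the control-port setup above, added here as an example that is not part of the MicroBolt guide: it authenticates to Tor with the cookie file the same way the Bitcoin client will, and reports the Tor version. It assumes the ControlPort and CookieAuthFile values from the torrc above and must run as a user in the tor group, since the cookie is only group-readable.

```python
import binascii
import socket

COOKIE_PATH = "/var/lib/tor/control_auth_cookie"  # CookieAuthFile from torrc
CONTROL_ADDR = ("127.0.0.1", 9051)                # ControlPort from torrc
COOKIE_LEN = 32                                   # Tor auth cookies are 32 bytes

def load_cookie(path=COOKIE_PATH):
    """Read the cookie file and refuse anything that is not exactly 32 bytes."""
    with open(path, "rb") as f:
        cookie = f.read()
    if len(cookie) != COOKIE_LEN:
        raise ValueError(f"cookie is {len(cookie)} bytes, expected {COOKIE_LEN}")
    return cookie

def authenticate_command(cookie):
    """AUTHENTICATE takes the raw cookie as a hex string, terminated by CRLF."""
    return b"AUTHENTICATE " + binascii.hexlify(cookie) + b"\r\n"

def parse_reply(raw):
    """Split a reply into (final status code, payload lines): intermediate lines
    look like '250-key=value', the last one '250 OK' or e.g. '515 Auth failed'."""
    lines = [l for l in raw.decode("ascii", "replace").split("\r\n") if l]
    if not lines:
        return 0, []
    return int(lines[-1][:3]), [l[4:] for l in lines]

def control_check(cookie, addr=CONTROL_ADDR):
    """Authenticate with the cookie, then GETINFO version; returns (ok, version)."""
    with socket.create_connection(addr, timeout=5) as s:
        s.sendall(authenticate_command(cookie))
        code, _ = parse_reply(s.recv(1024))
        if code != 250:          # 515 = cookie rejected (wrong file or length)
            return False, None
        s.sendall(b"GETINFO version\r\n")
        _, payload = parse_reply(s.recv(1024))
        s.sendall(b"QUIT\r\n")
    version = [p.split("=", 1)[1] for p in payload if p.startswith("version=")]
    return True, (version[0] if version else None)

if __name__ == "__main__":
    ok, version = control_check(load_cookie())
    print("cookie auth OK, Tor version " + str(version) if ok else "authentication failed")
```

Run it as the user that will later run the Bitcoin client; a 515 reply or a permission error on the cookie file means the group-readable settings above did not take effect.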

SSH through Tor

If you want to log into your MicroBolt with SSH when you're away, you can easily do so by adding a Tor hidden service. This makes "calling home" very easy, without the need to configure anything on your internet router.

Server

  • Add the following lines in the "location hidden services" section, below "## This section is just for location-hidden services ##" in the torrc file
⚠️

It is advisable to use the same port that dropbear/openssh is configured to listen on (default 22)

$SU $EDITOR /etc/tor/torrc
/etc/tor/torrc
# Hidden Service SSH server
HiddenServiceDir /var/lib/tor/ssh/
HiddenServiceVersion 3
HiddenServicePoWDefensesEnabled 1
HiddenServicePort 2222 127.0.0.1:2222
  • Reload Tor to apply the new configuration
$SU rc-service tor reload
  • Get the SSH Onion address
$SU cat /var/lib/tor/ssh/hostname
output
abcdefg..............xyz.onion
  • Save the Tor address in a secure location, e.g. your password manager

Client

You also need to have Tor installed on your regular computer where you start the SSH connection. Usage of SSH over Tor differs by client and operating system.

Popular tools like torify or torsocks are not available on Windows, and torifier is abandoned.

To work around this, first make sure Tor is installed and running on your Windows machine. Run the following as administrator:

⚠️

First you need to install chocolatey

choco install tor
choco install nmap --version=7.92.0.20220321
tor --service start

Check that the Tor service is working

netstat -aon | findstr ":9050"
output
  TCP    127.0.0.1:9050         0.0.0.0:0              LISTENING       23656

You can SSH to your node "out of the box" with the following proxy command:

ssh `
    -o "ProxyCommand ncat --proxy-type socks5 --proxy 127.0.0.1:9050 %h %p" `
    satoshi@abcdefg..............xyz.onion -p 2222
  • For a more permanent solution, add these six lines below to your local SSH config file. Choose any HOSTNICKNAME you want, save, and exit
notepad .ssh/config
~/.ssh/config
Host HOSTNICKNAME
  Hostname abcdefg..............xyz.onion
  User satoshi
  Port 2222
  CheckHostIP no
  ProxyCommand ncat --proxy-type socks5 --proxy 127.0.0.1:9050 %h %p
  • Restart Tor
tor --service stop
tor --service start
  • You should now be able to SSH to your node with
ssh HOSTNICKNAME

I2P Project

I2P is a universal anonymous network layer. All communications over I2P are anonymous and end-to-end encrypted, and participants don't reveal their real IP addresses. I2P allows people from all around the world to communicate and share information without restrictions.

An I2P client is software used for building and using anonymous I2P networks. Such networks are commonly used for anonymous peer-to-peer applications (filesharing, cryptocurrencies) and anonymous client-server applications (websites, instant messengers, chat servers).

We will use i2pd (I2P Daemon), a full-featured C++ implementation of the I2P client, as a complement to the Tor network.

I2P installation

$SU apk add i2pd
  • Start the i2pd service and add it to the default runlevel
$SU rc-service i2pd start
$SU rc-update add i2pd default
  • Ensure that the i2pd service is working and listening at the default ports
$SU netstat -lntup | grep LISTEN | grep i2pd
output
tcp      0     0 127.0.0.1:4447       0.0.0.0:*             LISTEN     3571/i2pd
tcp      0     0 127.0.0.1:4444       0.0.0.0:*             LISTEN     3571/i2pd
tcp      0     0 127.0.0.1:7656       0.0.0.0:*             LISTEN     3571/i2pd
tcp      0     0 0.0.0.0:26697        0.0.0.0:*             LISTEN     3571/i2pd
tcp      0     0 127.0.0.1:6668       0.0.0.0:*             LISTEN     3571/i2pd
tcp      0     0 127.0.0.1:7070       0.0.0.0:*             LISTEN     3571/i2pd
  • See i2p in action by monitoring its log file. Exit with Ctrl-C
$SU tail -f /var/log/i2pd/i2pd.log