Privacy
We configure Tor and I2P to run your node anonymously.
Running your own Bitcoin and Lightning node at home makes you a direct, sovereign peer on the Bitcoin network. However, if not configured without privacy in mind, it also tells the world that there is someone with Bitcoin at that address.
We’ll also make it easy to connect to your node from outside your home network as an added benefit.
True, it’s only your IP address that is revealed, but using services like iplocation.net, your physical address can be determined quite accurately. Especially with Lightning, your IP address would be widely used. We need to make sure that you keep your privacy.
Tor Project
We use Tor, a free software built by the Tor Project. It allows you to anonymize internet traffic by routing it through a network of nodes, hiding your location and usage profile.
It is called “Tor” for “The Onion Router”: information is routed through many hops and encrypted multiple times. Each node decrypts only the layer of information addressed to it, learning only the previous and the next hop of the whole route. The data package is peeled like an onion until it reaches the final destination.
Preparation
Create tor
group and user
$SU addgroup -S tor
$SU adduser \
-S \
-D \
-H \
-h /dev/null \
-s /sbin/nologin \
-G tor \
-g tor \
tor
Install
$SU apk add tor
Tor configuration
Bitcoin client will communicate directly with the Tor daemon to route all traffic through the Tor network. We need to enable Tor to accept instructions through its control port, with the proper authentication.
- Edit the Tor configuration
$SU cp /etc/tor/torrc.sample /etc/tor/torrc
$SU $EDITOR /etc/tor/torrc
- Uncomment the following lines
...
## The port on which Tor will listen for local connections from Tor
## controller applications, as documented in control-spec.txt.
ControlPort 9051
## If you enable the controlport, be sure to enable one of these
## authentication methods, to prevent attackers from accessing it.
#HashedControlPassword 24:972860B76453A77B40CA2BB8C1A7982072093276A3D701AD685353
CookieAuthentication 1
############### This section is just for location-hidden services ###
...
- Add under
CookieAuthentication 1
CookieAuthFile /var/lib/tor/control_auth_cookie
CookieAuthFileGroupReadable 1
DataDirectoryGroupReadable 1
- Start Tor and add service to runlevel
$SU rc-service tor start
$SU rc-update add tor default
- Ensure that the Tor service is working and listening at the default ports
9050
and9051
$SU netstat -lntup | grep LISTEN | grep tor
tcp 0 0 127.0.0.1:9051 0.0.0.0:* LISTEN 3359/tor
tcp 0 0 127.0.0.1:9050 0.0.0.0:* LISTEN 3359/tor
- Check the logs to see Tor in real time updates output logs. Exit with
Ctrl-C
$SU tail -f /var/log/tor/notices.log
Not all network traffic is routed over the Tor network. But we now have the base to configure sensitive applications to use it.
SSH through Tor
If you want to log into your Microbolt with SSH when you’re away, you can easily do so by adding a Tor hidden service. This makes “calling home” very easy, without the need to configure anything on your internet router.
Server
- Add the following lines in the “location hidden services” section, below
“
## This section is just for location-hidden services ##
” in the torrc file
It’s interesting to put the same port as done on dropbear
/openssh
, default
22
$SU $EDITOR /etc/tor/torrc
# Hidden Service SSH server
HiddenServiceDir /var/lib/tor/ssh/
HiddenServiceVersion 3
HiddenServicePoWDefensesEnabled 1
HiddenServicePort 2222 127.0.0.1:2222
- Reload the Tor configuration to apply the configuration
$SU rc-service tor reload
- Get the SSH Onion address
$SU cat /var/lib/tor/ssh/hostname
abcdefg..............xyz.onion
- Save the Tor address in a secure location, e.g. your password manager
Client
You also need to have Tor installed on your regular computer where you start the SSH connection. Usage of SSH over Tor differs by client and operating system.
Popular tools like torify
or torsocks
are not available on Windows, and
torifier
are abandoned.
To work around this, first, make sure Tor is installed and running on your Windows. Run as admin:
First you need to install chocolatey
choco install tor
choco install nmap --version=7.92.0.20220321
tor --service start
Check tor service are working
netstat -aon | findstr ":9050"
TCP 127.0.0.1:9050 0.0.0.0:0 LISTENING 23656
You can SSH to your PC “out of the box” with the following proxy command:
ssh `
-o "ProxyCommand ncat --proxy-type socks5 --proxy 127.0.0.1:9050 %h %p" `
satoshi@abcdefg..............xyz.onion -p 2222
- For a more permanent solution, add these six lines below to your local SSH config file. Choose any HOSTNICKNAME you want, save, and exit
notepad .ssh/config
Host HOSTNICKNAME
Hostname abcdefg..............xyz.onion
User satoshi
Port 2222
CheckHostIP no
ProxyCommand ncat --proxy-type socks5 --proxy 127.0.0.1:9050 %h %p
- Restart Tor
tor --service stop
tor --service start
- You should now be able to SSH to your PC with
ssh HOSTNICKNAME
I2P Project
I2P is a universal anonymous network layer. All communications over I2P are anonymous and end-to-end encrypted, participants don’t reveal their real IP addresses. I2P allows people from all around the world to communicate and share information without restrictions.
I2P client is software used for building and using anonymous I2P networks. Such networks are commonly used for anonymous peer-to-peer applications (filesharing, cryptocurrencies) and anonymous client-server applications (websites, instant messengers, chat-servers).
We are to use i2pd (I2P Daemon), a full-featured C++ implementation of the I2P client, as a Tor network complement.
I2P installation
$SU apk add i2pd
- Start the i2p service and add to runlevel
$SU rc-service i2pd start
$SU rc-update add i2pd default
- Ensure that the i2pd service is working and listening at the default ports
$SU netstat -lntup | grep LISTEN | grep i2pd
tcp 0 0 127.0.0.1:4447 0.0.0.0:* LISTEN 3571/i2pd
tcp 0 0 127.0.0.1:4444 0.0.0.0:* LISTEN 3571/i2pd
tcp 0 0 127.0.0.1:7656 0.0.0.0:* LISTEN 3571/i2pd
tcp 0 0 0.0.0.0:26697 0.0.0.0:* LISTEN 3571/i2pd
tcp 0 0 127.0.0.1:6668 0.0.0.0:* LISTEN 3571/i2pd
tcp 0 0 127.0.0.1:7070 0.0.0.0:* LISTEN 3571/i2pd
- See
i2p
in action by monitoring its log file. Exit withCtrl-C
$SU tail -f /var/log/i2pd/i2pd.log