Bitcoin Core includes Tor integration

When Tor is correctly set up on your system, Bitcoin Core automatically detects it and creates an anonymous onion service. Little configuration is required to be ‘off the grid’, and just a tiny bit more to be completely anonymous, if that is important to you, with none of your Bitcoin traffic reaching the public internet.

Using these steps you can be anonymous in only five minutes.

With the full privacy setup, your transactions will of course still be broadcast, but only other Bitcoin nodes will relay them onto the public internet. With the standard ‘off-the-grid’ Tor setup, your Bitcoin traffic is routed through the anonymous Tor network before it reaches the public internet and other Bitcoin nodes, on and off the Tor network, which makes it effectively untraceable.

Setting Up Bitcoin Core and Tor

These instructions work on Fedora 23 and assume a default setup of Bitcoin Core v0.15.1 and Tor v0.2.7.1 or newer (and have been tested to work with Bitcoin Core v0.16.0 on Fedora 27 with Tor v0.3.1.9). Fedora is a modern operating system that will run on most standard modern hardware. The configuration is the same on Windows, but the instructions are different. There are some instructions for setting up Tor on Windows here.

Further instructions for other *nix based systems are available here. NOTE: You do not need to configure your Tor client as a relay or exit node for Tor to operate, so you can skip the step for ‘Put the configuration file /etc/tor/torrc place:’ in that guide. You will still need to use all of the following steps in this guide.

  1. Set up Tor

    1. Install the tor package:

      sudo dnf install tor
      
    2. Start the tor daemon and make sure it starts at boot:

      sudo systemctl enable tor
      sudo systemctl start tor
      
  2. Figure out where your torrc file is (/etc/tor/torrc is one possibility).

  3. Open the torrc file to edit:

    sudo gedit /etc/tor/torrc
    
  4. Add these lines to your torrc (or ensure that they are uncommented):

    ControlPort 9051
    CookieAuthentication 1
    CookieAuthFileGroupReadable 1
    
  5. You need to figure out what group tor is using. On Fedora 23 it is toranon. Run the following command:

    ps -eo user,group,comm | grep -E 'tor' | awk '{print "tor group: " $2}'
    
  6. You need to figure out what user bitcoind or bitcoin-qt is running as. Run the following command while Bitcoin is running:

    ps -eo user,group,comm | grep -E 'bitcoind|bitcoin-qt' | awk '{print "Bitcoin user: " $1}'
    
  7. Run the following command as root, which adds your Bitcoin user to the tor group. Replace TOR_GROUP and BITCOIN_USER with the actual information found above:

    sudo usermod -a -G TOR_GROUP BITCOIN_USER
    

If you don’t modify any other settings, Bitcoin Core will usually connect over the regular Internet, but will also allow connections to and from the hidden Tor service.
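Before moving on to bitcoin.conf, the torrc and group steps above can be verified with a short script. This is an added example, not part of the original guide; the helper names torrc_missing and user_in_group are hypothetical, and the sample torrc is constructed.

```sh
#!/bin/sh
# Added example, not from the original guide: verify the torrc and group steps.

# torrc_missing FILE -> print each required directive that is absent,
# commented out, or set to another value. Assumes the spelling used in step 4.
torrc_missing() {
    awk '
        BEGIN {
            need["ControlPort"] = "9051"
            need["CookieAuthentication"] = "1"
            need["CookieAuthFileGroupReadable"] = "1"
        }
        { sub(/#.*/, "") }                       # drop comments, including commented-out lines
        ($1 in need) && $2 == need[$1] { seen[$1] = 1 }
        END { for (k in need) if (!(k in seen)) print k }
    ' "$1" | LC_ALL=C sort
}

# user_in_group USER GROUP -> exit 0 if the account database lists GROUP for USER.
# "id -nG USER" reads the database, so it reflects the usermod change at once;
# plain "id -nG" shows the current session, which changes only after a new login.
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qxF -- "$2"
}

# Constructed sample torrc: one directive is still commented out.
sample=$(mktemp)
printf '%s\n' 'ControlPort 9051' '#CookieAuthentication 1' \
    'CookieAuthFileGroupReadable 1' > "$sample"
echo "missing from torrc: $(torrc_missing "$sample" | tr '\n' ' ')"
rm -f "$sample"

# BITCOIN_USER and TOR_GROUP are the placeholders from step 7; the defaults are for the demo only.
if user_in_group "${BITCOIN_USER:-$(id -un)}" "${TOR_GROUP:-toranon}"; then
    echo "group membership recorded"
else
    echo "user is not in the tor group yet"
fi
```

Run torrc_missing against your real torrc path; empty output means all three lines from step 4 are active.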

  1. To make Bitcoin Core connect only via Tor (the standard ‘off-the-grid’ setup), add these lines to bitcoin.conf. In Bitcoin Core, go to Settings -> Options -> Open Configuration File. Bitcoin Core uses Tor stream isolation by default:

    proxy=127.0.0.1:9050 #If you use Windows, this could possibly be 127.0.0.1:9150 in some cases.
    listen=1
    bind=127.0.0.1
    
  2. (optional) If you like, you can add some onion service peer nodes to connect to. This will help especially if you do all of the following optional configurations. Add the following lines to your bitcoin.conf file. Bitcoin Core will connect to at most eight of these at any one time, chosen at random depending on which ones are online:

    addnode=gyn2vguc35viks2b.onion
    addnode=kvd44sw7skb5folw.onion
    addnode=nkf5e6b7pl4jfd4a.onion
    addnode=yu7sezmixhmyljn4.onion
    addnode=3ffk7iumtx3cegbi.onion
    addnode=3nmbbakinewlgdln.onion
    addnode=4j77gihpokxu2kj4.onion
    addnode=546esc6botbjfbxb.onion
    addnode=5at7sq5nm76xijkd.onion
    addnode=77mx2jsxaoyesz2p.onion
    addnode=7g7j54btiaxhtsiy.onion
    addnode=a6obdgzn67l7exu3.onion
    addnode=ab64h7olpl7qpxci.onion
    addnode=am2a4rahltfuxz6l.onion
    addnode=azuxls4ihrr2mep7.onion
    addnode=bitcoin7bi4op7wb.onion
    addnode=bitcoinostk4e4re.onion
    addnode=bk7yp6epnmcllq72.onion
    addnode=bmutjfrj5btseddb.onion
    addnode=ceeji4qpfs3ms3zc.onion
    addnode=clexmzqio7yhdao4.onion
    addnode=gb5ypqt63du3wfhn.onion
    addnode=h2vlpudzphzqxutd.onion
    addnode=n42h7r6oumcfsbrs.onion:4176
    addnode=ncwk3lutemffcpc4.onion
    addnode=okdzjarwekbshnof.onion
    addnode=pjghcivzkoersesd.onion
    addnode=rw7ocjltix26mefn.onion
    addnode=uws7itep7o3yinxo.onion
    addnode=vk3qjdehyy4dwcxw.onion
    addnode=vqpye2k5rcqvj5mq.onion
    addnode=wpi7rpvhnndl52ee.onion
    

If you additionally want Bitcoin Core to connect out only to Tor hidden services, and not even to IPv4/IPv6 nodes on the public internet via the Tor network proxy:

  1. (optional) Also add this to bitcoin.conf for full anonymity (not particularly recommended)*:

    onlynet=onion
    

*Note: Bitcoin Core will still query for peer addresses via DNS lookup if low on addresses. This also can be disabled using the next option. However, it is possible your node may not be able to find any other nodes to connect to.

*Note: Bitcoin Core v0.15.1 currently seems to make some outbound IPv4 connections at node startup even when onlynet=onion is set; none have been observed after initial startup. These connections should be made via your onion proxy; however, using the next option has been observed to prevent them.

  1. (optional) (advanced) If you also want to disable DNS lookups for peer addresses, add the following to bitcoin.conf (not particularly recommended). Note: if you use this option, your node may be unable to find peers until you add some good peers with the addnode= parameter:

    dnsseed=0
    dns=0
    
  2. Restart tor:

    sudo systemctl stop tor
    sudo systemctl start tor
    
  3. Log out of your user account and log back in, so that the new group membership takes effect (I do not know which user you are running Bitcoin Core as).

  4. Restart Bitcoin Core. With Tor version 0.2.7.1 and newer, the GUI version of Bitcoin Core, bitcoin-qt, automatically registers your Tor hidden service and makes it reachable on the onion network. For the command line version of Bitcoin Core, bitcoind, add the following parameter to your command line:

    bitcoind -listenonion
    

No port forwarding is necessary for everything to work with Tor, including incoming connections via the Tor hidden service; you do not need to forward any ports for Bitcoin Core or Tor for this.

If you want your Bitcoin node to remain reachable via the public internet for incoming connections, you will still need to forward port 8333 for Bitcoin Core.
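The bitcoin.conf setups described above (default, proxy only, and onlynet=onion with or without DNS lookups) can be told apart mechanically, along with the caveats attached to each. The script below is an added example, not code from Bitcoin Core or the original guide; conf_values and audit_conf are hypothetical helper names, the tier and warning labels are made up for this example, and the sample config is constructed.

```sh
#!/bin/sh
# Added example (not Bitcoin Core code): name the setup from this guide that a
# bitcoin.conf matches. Assumes plain key=value lines with optional # comments.

# conf_values FILE KEY -> print every active value of KEY, one per line
conf_values() {
    sed -e 's/#.*//' "$1" | awk -F= -v key="$2" '
        { k = $1; v = $2; gsub(/[ \t\r]/, "", k); gsub(/[ \t\r]/, "", v) }
        k == key { print v }'
}

# audit_conf FILE -> print "tier=<name> warnings=<comma-separated list or none>"
audit_conf() {
    f=$1; warn=""
    proxy=$(conf_values "$f" proxy | head -n 1)
    bind=$(conf_values "$f" bind | head -n 1)
    dnsseed=$(conf_values "$f" dnsseed | head -n 1)
    dns=$(conf_values "$f" dns | head -n 1)
    nets=$(conf_values "$f" onlynet | sort -u | tr '\n' ' ')
    peers=$(conf_values "$f" addnode | grep -c '\.onion' || true)

    if [ "$nets" = "onion " ]; then
        tier="onion-only"                    # onlynet=onion and no other network
    elif [ -n "$proxy" ]; then
        tier="all-traffic-via-tor-proxy"     # the standard off-the-grid setup
    else
        tier="clearnet-plus-onion-service"   # default: regular Internet plus the onion service
    fi

    # The guide adds onlynet=onion on top of the proxy= line, never instead of it.
    if [ "$tier" = "onion-only" ] && [ -z "$proxy" ]; then warn="$warn,proxy-not-set"; fi
    # onlynet=onion alone still allows DNS lookups for peer addresses.
    if [ "$tier" = "onion-only" ] && { [ "$dnsseed" != "0" ] || [ "$dns" != "0" ]; }; then
        warn="$warn,dns-lookups-enabled"
    fi
    # Without DNS seeding the node depends on addnode= peers.
    if [ "$dnsseed" = "0" ] && [ "$peers" -eq 0 ]; then warn="$warn,no-onion-addnode-peers"; fi
    # The guide binds the listener to loopback whenever a proxy is set.
    if [ -n "$proxy" ] && [ "$bind" != "127.0.0.1" ]; then warn="$warn,listener-not-loopback"; fi
    warn=${warn#,}
    echo "tier=$tier warnings=${warn:-none}"
}

# Constructed sample: the guide's proxy, onlynet and DNS lines with no addnode= peers.
sample=$(mktemp)
printf '%s\n' 'proxy=127.0.0.1:9050 #Tor SOCKS port' 'listen=1' 'bind=127.0.0.1' \
    'onlynet=onion' 'dnsseed=0' 'dns=0' > "$sample"
audit_conf "$sample"
rm -f "$sample"
```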

Checking everything is working

There are only two things to check to confirm that everything is working. First, in the peer info in the debug window of bitcoin-qt, connections to IPv4/IPv6 peers should now show some extra connected ‘via’ info along with the peer address when you click on a peer. Onion addresses only route via Tor.

To check the same thing via the console or CLI, getnetworkinfo should show the proxy info for each network type, and getpeerinfo should show that the addrlocal info is a remote address for each peer. Onion peers do not have addrlocal and just have their onion service name for addr.

The second thing to check is that your onion service for inbound Tor connections is up and all configuration is in place. Have a look in your debug.log file; you should see a few entries after the most recent node restart that match the following:

2018-02-10 06:31:48 InitParameterInteraction: parameter interaction: -proxy set -> setting -upnp=0
2018-02-10 06:31:48 InitParameterInteraction: parameter interaction: -proxy set -> setting -discover=0
...
2018-02-10 06:32:13 Bound to 127.0.0.1:8333
...
2018-02-10 06:32:13 torcontrol thread start
2018-02-10 06:32:13 tor: Got service ID onion, advertising service onion.onion:8333
2018-02-10 06:32:13 AddLocal(onion.onion:8333,4)

The advertising service information is your onion service address.
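The same check can be scripted so that entries left over from an earlier start do not count as success. This is an added example, not code from Bitcoin Core or the original guide; check_onion_log is a hypothetical helper, it assumes "torcontrol thread start" is logged once per node start as in the excerpt above, and the sample log is constructed from that excerpt.

```sh
#!/bin/sh
# Added example (not Bitcoin Core code): confirm from debug.log that the latest
# node start registered an onion service. Matches only the log lines shown above.

# check_onion_log FILE -> "ok service=<addr> bound=<addr>" or "missing <step>"
check_onion_log() {
    awk '
        /Bound to /               { bound = $NF }
        # A newer start discards whatever an older start had registered.
        /torcontrol thread start/ { started = 1; svc = ""; added = 0 }
        started && /tor: Got service ID .* advertising service / {
            svc = $0; sub(/.* advertising service /, "", svc)
        }
        started && svc != "" && index($0, "AddLocal(" svc) { added = 1 }
        END {
            if (!started)        print "missing torcontrol-thread-start"
            else if (svc == "")  print "missing onion-service-registration"
            else if (!added)     print "missing AddLocal"
            else                 print "ok service=" svc " bound=" bound
        }' "$1"
}

# Constructed sample: lines from the excerpt, service name as shown on the page.
log=$(mktemp)
cat > "$log" <<'EOF'
2018-02-10 06:32:13 Bound to 127.0.0.1:8333
2018-02-10 06:32:13 torcontrol thread start
2018-02-10 06:32:13 tor: Got service ID onion, advertising service onion.onion:8333
2018-02-10 06:32:13 AddLocal(onion.onion:8333,4)
EOF
check_onion_log "$log"
rm -f "$log"
```

A "missing onion-service-registration" result after a restart is the cue to recheck the torrc lines and the group membership from the setup steps.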

In the debug.log, connections to onion peers will only look like the following but still show up in the peers tab of the debug window on bitcoin-qt:

2018-02-10 06:34:07 receive version message: /Satoshi:0.15.1/: version 70015, blocks=508469, us=[::]:0, peer=7

It is not necessary to configure port forwarding on your modem/router for Tor to operate. If you are behind a restrictive firewall it may be necessary to configure outbound connections to allow Tor to connect out to other Tor nodes. Tor can be configured to only connect out using port 80/443 if that helps. See Appendix 1 – Monitoring Tor for nyx and access to full Tor configuration options.

Done! Enjoy being anonymous!

Appendix 1 – Monitoring Tor

You can monitor (and further tweak/break) Tor using nyx.

There are several installation methods available. On Fedora 27:

sudo dnf install nyx

To start nyx simply type nyx in the console and it will connect to Tor if it is running.

Footnotes

Once correctly configured, most synchronisation issues are to do with your hardware. See this answer for more information.

There are more configuration options available, and additional ways you can support the Tor network. Please see the several pages available here for information.

Thanks to en.bitcoin.it for your excellent guide that got me started on this.

Additional information is available from the bitcoin project here.

For an even higher level of anonymity, it is possible to configure Tor as a DNS resolver and to configure your system's network settings to use Tor to resolve DNS queries.

Article First Published here