Bitcoin Core includes Tor integration
When Tor is correctly set up on your system, Bitcoin Core automatically identifies Tor and creates an anonymous service. Little configuration is required to be ‘off the grid’, and just a tiny bit more to be completely anonymous if that is important to you, with none of your Bitcoin traffic reaching out onto the public internet.
Using these steps you can be anonymous in only five minutes.
With the full privacy setup, transactions will of course still be broadcast, but they will only reach the public internet through other Bitcoin nodes. With the standard ‘off-the-grid’ Tor setup, your Bitcoin traffic is routed through the anonymous Tor network before reaching the public internet and other Bitcoin nodes on and off the Tor network, making it effectively untraceable.
Setting Up Bitcoin Core and Tor
These instructions work on Fedora 23 and assume a default setup of Bitcoin Core v0.15.1 and Tor v0.2.7.1 or newer (and have been tested to work with Bitcoin Core v0.16.0 on Fedora 27 with Tor v0.3.1.9). Fedora is a modern operating system that will run on most standard modern hardware. The configuration is the same on Windows, but the instructions are different. There are some instructions for setting up Tor on Windows here.
Further instructions for other *nix based systems are available here. NOTE: You do not need to configure your Tor client as a relay or exit node for Tor to operate, so you can skip the step for ‘Put the configuration file /etc/tor/torrc place:’ in that guide. You will still need to use all of the following steps in this guide.
Install the tor package:
sudo dnf install tor
Start the tor daemon and make sure it starts at boot:
sudo systemctl enable tor
sudo systemctl start tor
Figure out where your torrc file is (/etc/tor/torrc is one possibility).
Open the torrc file to edit:
sudo gedit /etc/tor/torrc
Add these lines to your torrc (or ensure that they are uncommented):
ControlPort 9051
CookieAuthentication 1
CookieAuthFileGroupReadable 1
You need to figure out what group tor is using. On Fedora 23 it is toranon. Run the following command:
ps -eo user,group,comm | egrep 'tor' | awk '{print "tor group: " $2}'
You need to figure out what user bitcoind or bitcoin-qt is running as. Run the following command while Bitcoin is running:
ps -eo user,group,comm | egrep 'bitcoind|bitcoin-qt' | awk '{print "Bitcoin user: " $1}'
Run the following command as root, which adds your Bitcoin user to the tor group. Replace TOR_GROUP and BITCOIN_USER with the actual information found above:
sudo usermod -a -G TOR_GROUP BITCOIN_USER
If you don’t modify any other settings, Bitcoin Core will usually connect over the regular Internet, but will also allow connections to and from the hidden Tor service.
So that Bitcoin Core will only connect via Tor (for the standard ‘off-the-grid’ setup), add these lines to bitcoin.conf. In Bitcoin Core, go to Settings -> Options -> Open Configuration File. Bitcoin Core uses Tor stream isolation by default:
proxy=127.0.0.1:9050 #If you use Windows, this could possibly be 127.0.0.1:9150 in some cases.
listen=1
bind=127.0.0.1
(optional) If you like, you can add some onion service peer nodes to connect to. This will help especially if you do all of the following optional configurations. Add them to your bitcoin.conf file as addnode= lines. Bitcoin Core will only connect to a maximum of eight of these at any one time, chosen randomly depending on which ones are online.
If you additionally want Bitcoin Core to only connect out to Tor hidden services and not even to connect to IPv4/IPv6 nodes on the public internet via the Tor network proxy:
(optional) Also add this to bitcoin.conf for full anonymity (not particularly recommended)*:
*Note: Bitcoin Core will still query for peer addresses via DNS lookup if low on addresses. This also can be disabled using the next option. However, it is possible your node may not be able to find any other nodes to connect to.
*Note: Bitcoin Core v0.15.1 currently seems to make some outbound IPv4 connections at node startup even when onlynet=onion is set; none have been observed after initial startup. These connections should be made via your onion proxy; however, using the next option has been observed to prevent them.
(optional) (advanced) If you also want to disable DNS lookup to query for peer addresses then also add the following to bitcoin.conf (not particularly recommended). Note: if you use this option your node may be unable to find peers until you add some good peers with the
sudo systemctl stop tor
sudo systemctl start tor
Log out of your user and log back in, so that the new group permissions take effect for whichever user you run Bitcoin Core as.
Restart Bitcoin Core. With Tor version 0.2.7.1 and newer, the Bitcoin Core GUI version, called bitcoin-qt, automatically registers your Tor hidden service and makes it reachable on the onion network. For the command line version of Bitcoin Core, bitcoind, add the following parameter to your command line:
No port forwarding is necessary for everything to work with Tor, including incoming connections via the Tor hidden service; you do not need to forward any ports for Bitcoin Core or Tor for this.
If you want your Bitcoin node still publicly reachable via the public internet for incoming connections you will still need to forward port 8333 for Bitcoin Core.
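To confirm the settings from the steps above, the following added example (not part of the original guide) checks a torrc and a bitcoin.conf for the lines this guide asks for and names the resulting setup level. The function names, the level labels and the sample file contents are constructed for illustration, and taking the first occurrence of a bitcoin.conf key is an assumption.

```bash
# Added example, not from the original guide. File contents below are constructed.

# Succeeds if FILE contains an uncommented "DIRECTIVE VALUE" line.
torrc_has() {  # torrc_has FILE DIRECTIVE VALUE
  awk -v k="$2" -v v="$3" '$1 == k && $2 == v { ok = 1 } END { exit !ok }' "$1"
}

# Prints the first uncommented value of KEY in FILE (assumption: first occurrence wins).
conf_value() {  # conf_value FILE KEY
  sed 's/#.*//' "$1" | awk -F= -v k="$2" '
    { key = $1; val = $2; gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val) }
    key == k { print val; exit }'
}

# Prints one line per setting that differs from the guide; prints nothing if all match.
audit_tor_bitcoin() {  # audit_tor_bitcoin TORRC BITCOIN_CONF
  while read -r key val; do
    torrc_has "$1" "$key" "$val" || echo "torrc: '$key $val' missing or commented out"
  done <<'EOF'
ControlPort 9051
CookieAuthentication 1
CookieAuthFileGroupReadable 1
EOF
  [ -n "$(conf_value "$2" proxy)" ] || echo "bitcoin.conf: proxy not set, peers are reached over the regular Internet"
  [ "$(conf_value "$2" listen)" = 1 ] || echo "bitcoin.conf: listen=1 not set"
  [ "$(conf_value "$2" bind)" = 127.0.0.1 ] || echo "bitcoin.conf: bind=127.0.0.1 not set"
  return 0
}

# Names which of the guide's setups a bitcoin.conf corresponds to (labels are hypothetical).
privacy_mode() {  # privacy_mode BITCOIN_CONF
  if [ "$(conf_value "$1" onlynet)" = onion ]; then echo onion-only
  elif [ -n "$(conf_value "$1" proxy)" ]; then echo tor-proxy
  else echo clearnet-plus-onion-service
  fi
}

# Constructed sample: one torrc directive is still commented out.
demo_dir=$(mktemp -d)
printf '%s\n' 'ControlPort 9051' '#CookieAuthentication 1' \
  'CookieAuthFileGroupReadable 1' > "$demo_dir/torrc"
printf '%s\n' 'proxy=127.0.0.1:9050 #Tor SOCKS port' 'listen=1' \
  'bind=127.0.0.1' > "$demo_dir/bitcoin.conf"
audit_tor_bitcoin "$demo_dir/torrc" "$demo_dir/bitcoin.conf"
privacy_mode "$demo_dir/bitcoin.conf"
```

Point the two functions at your real torrc and bitcoin.conf paths; reading torrc may require root.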
Checking everything is working
There are only two things to check that all is working. Checking peer info in the debug window of bitcoin-qt, you should see that connections to IPv4/IPv6 peers now have some extra connected ‘via’ info along with the peer address when you click on a peer. Onion addresses only route via Tor.
Checking the same thing via console or CLI for getnetworkinfo, you should see for each network type the proxy info and, checking with getpeerinfo, you should see that the addrlocal info is a remote address for each peer. Onion peers do not have addrlocal and just have their onion service name for
The second thing to check is that your onion service for inbound Tor connections is up and all configuration is in place. Have a look in your debug.log file; you should see a few entries after the most recent node restart that match the following:
2018-02-10 06:31:48 InitParameterInteraction: parameter interaction: -proxy set -> setting -upnp=0
2018-02-10 06:31:48 InitParameterInteraction: parameter interaction: -proxy set -> setting -discover=0
...
2018-02-10 06:32:13 Bound to 127.0.0.1:8333
...
2018-02-10 06:32:13 torcontrol thread start
2018-02-10 06:32:13 tor: Got service ID onion, advertising service onion.onion:8333
2018-02-10 06:32:13 AddLocal(onion.onion:8333,4)
The advertising service information is your onion service address.
In debug.log, connections to onion peers will only look like the following but still show up in the peers tab of the debug window on bitcoin-qt:
2018-02-10 06:34:07 receive version message: /Satoshi:0.15.1/: version 70015, blocks=508469, us=[::]:0, peer=7
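The debug.log check described above can be scripted so that entries left over from an earlier run do not count. This added example (not from the original guide) only considers lines after the most recent block of InitParameterInteraction entries; the function name, the output labels and the sample log with its onion name are constructed, and treating that block as the start-up marker is an assumption.

```bash
# Added example, not from the original guide. The log lines and onion name are constructed.

# Checks the most recent start-up in DEBUG_LOG for the entries the guide lists.
# Assumption: a run of InitParameterInteraction lines marks the start of a start-up.
check_onion_service() {  # check_onion_service DEBUG_LOG
  awk '
    /InitParameterInteraction:/ {
      if (!in_init) { proxy = bound = ctl = added = 0; svc = "" }  # forget older runs
      in_init = 1
      if ($0 ~ /-proxy set/) proxy = 1
      next
    }
    { in_init = 0 }
    /Bound to 127\.0\.0\.1:8333/ { bound = 1 }
    /torcontrol thread start/ { ctl = 1 }
    /tor: Got service ID .* advertising service / { svc = $NF }
    svc != "" && index($0, "AddLocal(" svc) { added = 1 }
    END {
      if (!proxy) { print "MISSING: -proxy parameter interaction"; n++ }
      if (!bound) { print "MISSING: Bound to 127.0.0.1:8333"; n++ }
      if (!ctl)   { print "MISSING: torcontrol thread start"; n++ }
      if (svc == "") { print "MISSING: advertising service line"; n++ }
      else if (!added) { print "MISSING: AddLocal for " svc; n++ }
      if (!n) print "advertised: " svc
      exit (n ? 1 : 0)
    }' "$1"
}

# Constructed log: the first run registered an onion service, the latest run did not.
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
2018-02-10 06:31:48 InitParameterInteraction: parameter interaction: -proxy set -> setting -upnp=0
2018-02-10 06:31:48 InitParameterInteraction: parameter interaction: -proxy set -> setting -discover=0
2018-02-10 06:32:13 Bound to 127.0.0.1:8333
2018-02-10 06:32:13 torcontrol thread start
2018-02-10 06:32:13 tor: Got service ID exampleonionaddr, advertising service exampleonionaddr.onion:8333
2018-02-10 06:32:13 AddLocal(exampleonionaddr.onion:8333,4)
2018-02-11 09:00:01 InitParameterInteraction: parameter interaction: -proxy set -> setting -upnp=0
2018-02-11 09:00:01 InitParameterInteraction: parameter interaction: -proxy set -> setting -discover=0
2018-02-11 09:00:20 Bound to 127.0.0.1:8333
2018-02-11 09:00:20 torcontrol thread start
EOF
check_onion_service "$demo_log" || echo "onion service not confirmed for the latest start-up"
```

A missing advertising service line after torcontrol has started is worth checking against the group membership and cookie settings from the setup steps.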
It is not necessary to configure port forwarding on your modem/router for Tor to operate. If you are behind a restrictive firewall it may be necessary to configure outbound connections to allow Tor to connect out to other Tor nodes. Tor can be configured to only connect out using port 80/443 if that helps. See Appendix 1 – Monitoring Tor for nyx and access to full Tor configuration options.
Done! Enjoy being anonymous!
Appendix 1 – Monitoring Tor
You can monitor (and further tweak/break) Tor using nyx.
There are several installation methods available. On Fedora 27:
sudo dnf install nyx
To start nyx, simply type nyx in the console and it will connect to Tor if it is running.
Once correctly configured, most synchronisation issues are to do with your hardware. See this answer for more information.
There are more configuration options available, and additional ways you can support the Tor network. Please see the several pages available here for information.
Thanks to en.bitcoin.it for your excellent guide that got me started on this.
Additional information is available from the bitcoin project here.
For an even higher level of anonymity, it is possible to configure Tor as a DNS resolver and configure your system network configuration to use Tor to resolve DNS queries.
Article First Published here