Bitcoin Wiki - User contributions [en]

Setting up a Tor hidden service

2018-12-21T19:02:04Z

Cavemansalem:

If you use a Bitcoin [[full node]] over Tor, then usually it will only be able to make outgoing connections. Therefore, you will only get a maximum of 8 total connections. This is fine, and is not something you usually need to worry about, but if your computer is often online and you want to be a big help to the network, you can run a Tor hidden service in order to accept incoming connections over Tor.

Note that there is no need to forward port 8333 when using a Tor hidden service. The hidden service will cause most firewalls and NAT setups to be bypassed. For this reason, running a Tor hidden service is also a good idea if you want incoming connections but are for some reason unable to forward port 8333.

=== Prerequisites ===

These instructions are for Linux. It is possible to do on Windows, but the instructions would be rather different. (If you've done it on Windows, consider adding the instructions to this page.)

You need Tor (at least version 0.2.7.1). Figure out where your <tt>torrc</tt> file is (<tt>/etc/tor/torrc</tt> is one possibility). This guide assumes default Tor settings. This guide assumes that Tor is running under the user and group <tt>tor</tt>, which will usually be the case if you install Tor using your distro's package manager. Note that Bitcoin '''does not''' support hidden service version 3 (ie. long onion addresses).

You need Bitcoin Core (or similar). For method 1, you need at least version 0.12.0. Find <tt>bitcoin.conf</tt> in your [[data directory]].

=== Method 1 (recommended) ===

This sets up an automatic hidden service that is initiated by Bitcoin Core. On the first startup of <tt>bitcoind</tt> after configuring Bitcoin Core to use Tor ControlPort as follows, Bitcoin Core will generate a file called <tt>onion_private_key</tt> in the [[data directory]]. The file <tt>onion_private_key</tt> contains the private key needed to generate your unique <tt>XXXXXXX.onion</tt> address. KEEP THIS SAFE. If someone copies this file they can run a server with your .onion address. Also, if you delete this file, the next time bitcoind loads it will generate a new key file and <tt>xxxxxxxx.onion</tt> address. Note that while a malicious party cannot necessarily associate the server with you as a person, as long as your server has the same xxxx.onion address they will know it is run by the same person. For absolute security delete <tt>onion_private_key</tt> at each reboot or some frequent interval.

Add these lines to your <tt>torrc</tt>:

<pre>ControlPort 9051
CookieAuthentication 1
CookieAuthFileGroupReadable 1</pre>

You need to figure out what user bitcoind or bitcoin-qt is running as. Run the following command while Bitcoin is running:
<pre>ps -eo user,group,comm |egrep 'bitcoind|bitcoin-qt' |awk '{print "Bitcoin user: " $1}'</pre>
Write down the reported user.

Run the following command as root, which adds your Bitcoin user to the tor group. Replace BITCOIN_USER with the actual user name found above:
<pre>usermod -a -G tor BITCOIN_USER</pre>

At this point your node will work over Tor without further configuartion. Bitcoin Core v0.12 and later automatically tries to connect to Tor via the ControlPort if <tt>listen=1</tt> is set in <tt>bitcoin.conf</tt>. By default Bitcoin Core will usually connect over the regular Internet as well as allow connections to and from the Tor hidden service. This will help other users who wish to submit transactions to the bitcoin network securely and obscurely, but transactions you submit could theoretically be traced back to your ip address. If you want Bitcoin Core to only connect via Tor (for anonymity), add these lines to bitcoin.conf:

<pre>proxy=127.0.0.1:9050
listen=1
bind=127.0.0.1</pre>

If you additionally want Bitcoin Core to only connect out to Tor ''hidden services'', also add this line (not particularly recommended):
<pre>onlynet=onion</pre>

Doing so will make your specific bitcoind node arguably more secure because it will never have an unencrypted connection to another node, but if everyone used <tt>onlynet=onion</tt> nobody on the onion bitcoin chain would be able to communicate with the clearnet chain. It is essential that some nodes access both clearnet and Tor. If you need to submit bitcoin transactions to the network with the highest level of obscurity, use <tt>onlynet=onion</tt>. If you only wish to give access to your node to other Tor users, do not use it.

Now restart Tor, and then Bitcoin Core. At some point during startup in <tt>~/.bitcoin/debug.log</tt> you will see
<pre>tor: Got service ID XXXXXXXXXXX, advertising service XXXXXXXXXXX.onion:8333</pre> This is the .onion address of your server. You should eventually get incoming connections via the hidden service.

=== Method 2 ===

This sets up a manual hidden service controlled by the tor daemon. The hidden service address (xxxx.onion). Note that as in method 1, your xxxxx.onion address will stay the same until you delete your key file. Someone tracking you can't necessarily associate the xxxx.onion with you, but they will know it is run by the same person or entity.

Add these lines to your <tt>torrc</tt>:
<pre>HiddenServiceDir /var/lib/tor/bitcoin-service/
HiddenServicePort 8333 127.0.0.1:8333</pre>

Restart Tor. As root, run <tt>cat /var/lib/tor/bitcoin-service/hostname</tt>. Your onion address will be reported. If it didn't work, then probably your distro's version of Tor doesn't actually use <tt>/var/lib/tor</tt> for this purpose. You should try to figure out the correct HiddenServiceDir location.

In the following steps, replace ONION_ADDR with the onion address reported above.

If you don't care about anonymity and are only looking to help the network, add the following lines to bitcoin.conf:
<pre>onion=127.0.0.1:9050
listen=1
externalip=ONION_ADDR
discover=1</pre>
This will allow you to accept connections both via your onion address and your IP address (if you have port 8333 forwarded), and Tor will only be used for connections to and from Tor hidden services.

If you care about anonymity, '''instead''' of the above, add the following lines to bitcoin.conf to use Tor for everything:
<pre>proxy=127.0.0.1:9050
listen=1
bind=127.0.0.1
externalip=ONION_ADDR</pre>

If you additionally want Bitcoin Core to only connect out to Tor ''hidden services'', also add this line (not particularly recommended):
<pre>onlynet=onion</pre>

Now restart Bitcoin Core. You should eventually get incoming connections via your hidden service.

[[Category:Guides]]

Setting up a Tor hidden service

2018-12-21T16:56:53Z

Cavemansalem:

If you use a Bitcoin [[full node]] over Tor, then usually it will only be able to make outgoing connections. Therefore, you will only get a maximum of 8 total connections. This is fine, and is not something you usually need to worry about, but if your computer is often online and you want to be a big help to the network, you can run a Tor hidden service in order to accept incoming connections over Tor.

Note that there is no need to forward port 8333 when using a Tor hidden service. The hidden service will cause most firewalls and NAT setups to be bypassed. For this reason, running a Tor hidden service is also a good idea if you want incoming connections but are for some reason unable to forward port 8333.

=== Prerequisites ===

These instructions are for Linux. It is possible to do on Windows, but the instructions would be rather different. (If you've done it on Windows, consider adding the instructions to this page.)

You need Tor (at least version 0.2.7.1). Figure out where your <tt>torrc</tt> file is (<tt>/etc/tor/torrc</tt> is one possibility). This guide assumes default Tor settings. This guide assumes that Tor is running under the user and group <tt>tor</tt>, which will usually be the case if you install Tor using your distro's package manager. Note that Bitcoin '''does not''' support hidden service version 3 (ie. long onion addresses).

You need Bitcoin Core (or similar). For method 1, you need at least version 0.12.0. Find <tt>bitcoin.conf</tt> in your [[data directory]].

=== Method 1 (recommended) ===

This sets up an automatic hidden service that is initiated by Bitcoin Core. On the first startup of <tt>bitcoind</tt> after configuring Bitcoin Core to use Tor ControlPort as follows, Bitcoin Core will generate a file called <tt>onion_private_key</tt> in the [[data directory]]. The file <tt>onion_private_key</tt> contains the private key needed to generate your unique <tt>XXXXXXX.onion</tt> address. KEEP THIS SAFE. If someone copies this file they can run a server with your .onion address. Also, if you delete this file, the next time bitcoind loads it will generate a new key file and <tt>xxxxxxxx.onion</tt> address. Note that while a malicious party cannot necessarily associate the server with you as a person, as long as your server has the same xxxx.onion address they will know it is run by the same person. For absolute security delete <tt>onion_private_key</tt> at each reboot or some frequent interval.

Add these lines to your <tt>torrc</tt>:

<pre>ControlPort 9051
CookieAuthentication 1
CookieAuthFileGroupReadable 1</pre>

You need to figure out what user bitcoind or bitcoin-qt is running as. Run the following command while Bitcoin is running:
<pre>ps -eo user,group,comm |egrep 'bitcoind|bitcoin-qt' |awk '{print "Bitcoin user: " $1}'</pre>
Write down the reported user.

Run the following command as root, which adds your Bitcoin user to the tor group. Replace BITCOIN_USER with the actual user name found above:
<pre>usermod -a -G tor BITCOIN_USER</pre>

Edit bitcoin.conf and add the following line:

<pre>listenonion=1</pre>

If you don't modify any other settings, Bitcoin Core will usually connect over the regular Internet, but will also allow connections to and from the hidden service. This will help other users who wish to submit transactions to the bitcoin network securely and obscurely, but transactions you submit could theoretically be traced back to your ip address. If you want Bitcoin Core to only connect via Tor (for anonymity), add these lines to bitcoin.conf:

<pre>proxy=127.0.0.1:9050
listen=1
bind=127.0.0.1</pre>

If you additionally want Bitcoin Core to only connect out to Tor ''hidden services'', also add this line (not particularly recommended):
<pre>onlynet=onion</pre>

Doing so will make your specific bitcoind node arguably more secure because it will never have an unencrypted connection to another node, but if everyone used <tt>onlynet=onion</tt> nobody on the onion bitcoin chain would be able to communicate with the clearnet chain. It is essential that some nodes access both clearnet and Tor. If you need to submit bitcoin transactions to the network with the highest level of obscurity, use <tt>onlynet=onion</tt>. If you only wish to give access to your node to other Tor users, do not use it.

Now restart Tor, and then Bitcoin Core. At some point during startup in <tt>~/.bitcoin/debug.log</tt> you will see
<pre>tor: Got service ID XXXXXXXXXXX, advertising service XXXXXXXXXXX.onion:8333</pre> This is the .onion address of your server. You should eventually get incoming connections via the hidden service.

=== Method 2 ===

This sets up a manual hidden service controlled by the tor daemon. The hidden service address (xxxx.onion). Note that as in method 1, your xxxxx.onion address will stay the same until you delete your key file. Someone tracking you can't necessarily associate the xxxx.onion with you, but they will know it is run by the same person or entity.

Add these lines to your <tt>torrc</tt>:
<pre>HiddenServiceDir /var/lib/tor/bitcoin-service/
HiddenServicePort 8333 127.0.0.1:8333</pre>

Restart Tor. As root, run <tt>cat /var/lib/tor/bitcoin-service/hostname</tt>. Your onion address will be reported. If it didn't work, then probably your distro's version of Tor doesn't actually use <tt>/var/lib/tor</tt> for this purpose. You should try to figure out the correct HiddenServiceDir location.

In the following steps, replace ONION_ADDR with the onion address reported above.

If you don't care about anonymity and are only looking to help the network, add the following lines to bitcoin.conf:
<pre>onion=127.0.0.1:9050
listen=1
externalip=ONION_ADDR
discover=1</pre>
This will allow you to accept connections both via your onion address and your IP address (if you have port 8333 forwarded), and Tor will only be used for connections to and from Tor hidden services.

If you care about anonymity, '''instead''' of the above, add the following lines to bitcoin.conf to use Tor for everything:
<pre>proxy=127.0.0.1:9050
listen=1
bind=127.0.0.1
externalip=ONION_ADDR</pre>

If you additionally want Bitcoin Core to only connect out to Tor ''hidden services'', also add this line (not particularly recommended):
<pre>onlynet=onion</pre>

Now restart Bitcoin Core. You should eventually get incoming connections via your hidden service.

[[Category:Guides]]

Setting up a Tor hidden service

2018-12-21T15:20:00Z

Cavemansalem:

If you use a Bitcoin [[full node]] over Tor, then usually it will only be able to make outgoing connections. Therefore, you will only get a maximum of 8 total connections. This is fine, and is not something you usually need to worry about, but if your computer is often online and you want to be a big help to the network, you can run a Tor hidden service in order to accept incoming connections over Tor.

Note that there is no need to forward port 8333 when using a Tor hidden service. The hidden service will cause most firewalls and NAT setups to be bypassed. For this reason, running a Tor hidden service is also a good idea if you want incoming connections but are for some reason unable to forward port 8333.

=== Prerequisites ===

These instructions are for Linux. It is possible to do on Windows, but the instructions would be rather different. (If you've done it on Windows, consider adding the instructions to this page.)

You need Tor (at least version 0.2.7.1). Figure out where your <tt>torrc</tt> file is (<tt>/etc/tor/torrc</tt> is one possibility). This guide assumes default Tor settings. This guide assumes that Tor is running under the user and group <tt>tor</tt>, which will usually be the case if you install Tor using your distro's package manager. Note that Bitcoin '''does not''' support hidden service version 3 (ie. long onion addresses).

You need Bitcoin Core (or similar). For method 1, you need at least version 0.12.0. Find <tt>bitcoin.conf</tt> in your [[data directory]].

=== Method 1 (recommended) ===

This sets up an automatic hidden service that is initiated by Bitcoin Core. On the first startup of <tt>bitcoind</tt> after configuring Bitcoin Core to use Tor ControlPort as follows, Bitcoin Core will generate a file called <tt>onion_private_key</tt> in the [[data directory]]. The file <tt>onion_private_key</tt> contains the private key needed to generate your unique <tt>XXXXXXX.onion</tt> address. KEEP THIS SAFE. If someone copies this file they can run a server with your .onion address. Also, if you delete this file, the next time bitcoind loads it will generate a new key file and <tt>xxxxxxxx.onion</tt> address. Note that while a malicious party cannot necessarily associate the server with you as a person, as long as your server has the same xxxx.onion address they will know it is run by the same person. For absolute security delete <tt>onion_private_key</tt> at each reboot or some frequent interval.

Add these lines to your <tt>torrc</tt>:

<pre>ControlPort 9051
CookieAuthentication 1
CookieAuthFileGroupReadable 1</pre>

You need to figure out what user bitcoind or bitcoin-qt is running as. Run the following command while Bitcoin is running:
<pre>ps -eo user,group,comm |egrep 'bitcoind|bitcoin-qt' |awk '{print "Bitcoin user: " $1}'</pre>
Write down the reported user.

Run the following command as root, which adds your Bitcoin user to the tor group. Replace BITCOIN_USER with the actual user name found above:
<pre>usermod -a -G tor BITCOIN_USER</pre>

If you don't modify any other settings, Bitcoin Core will usually connect over the regular Internet, but will also allow connections to and from the hidden service. This will help other users who wish to submit transactions to the bitcoin network securely and obscurely, but transactions you submit could theoretically be traced back to your ip address. If you want Bitcoin Core to only connect via Tor (for anonymity), add these lines to bitcoin.conf:

<pre>proxy=127.0.0.1:9050
listen=1
bind=127.0.0.1</pre>

If you additionally want Bitcoin Core to only connect out to Tor ''hidden services'', also add this line (not particularly recommended):
<pre>onlynet=onion</pre>

Doing so will make your specific bitcoind node arguably more secure because it will never have an unencrypted connection to another node, but if everyone used <tt>onlynet=onion</tt> nobody on the onion bitcoin chain would be able to communicate with the clearnet chain. It is essential that some nodes access both clearnet and Tor. If you need to submit bitcoin transactions to the network with the highest level of obscurity, use <tt>onlynet=onion</tt>. If you only wish to give access to your node to other Tor users, do not use it.

Now restart Tor, and then Bitcoin Core. At some point during startup in <tt>~/.bitcoin/debug.log</tt> you will see
<pre>tor: Got service ID XXXXXXXXXXX, advertising service XXXXXXXXXXX.onion:8333</pre> This is the .onion address of your server. You should eventually get incoming connections via the hidden service.

=== Method 2 ===

This sets up a manual hidden service controlled by the tor daemon. The hidden service address (xxxx.onion). Note that as in method 1, your xxxxx.onion address will stay the same until you delete your key file. Someone tracking you can't necessarily associate the xxxx.onion with you, but they will know it is run by the same person or entity.

Add these lines to your <tt>torrc</tt>:
<pre>HiddenServiceDir /var/lib/tor/bitcoin-service/
HiddenServicePort 8333 127.0.0.1:8333</pre>

Restart Tor. As root, run <tt>cat /var/lib/tor/bitcoin-service/hostname</tt>. Your onion address will be reported. If it didn't work, then probably your distro's version of Tor doesn't actually use <tt>/var/lib/tor</tt> for this purpose. You should try to figure out the correct HiddenServiceDir location.

In the following steps, replace ONION_ADDR with the onion address reported above.

If you don't care about anonymity and are only looking to help the network, add the following lines to bitcoin.conf:
<pre>onion=127.0.0.1:9050
listen=1
externalip=ONION_ADDR
discover=1</pre>
This will allow you to accept connections both via your onion address and your IP address (if you have port 8333 forwarded), and Tor will only be used for connections to and from Tor hidden services.

If you care about anonymity, '''instead''' of the above, add the following lines to bitcoin.conf to use Tor for everything:
<pre>proxy=127.0.0.1:9050
listen=1
bind=127.0.0.1
externalip=ONION_ADDR</pre>

If you additionally want Bitcoin Core to only connect out to Tor ''hidden services'', also add this line (not particularly recommended):
<pre>onlynet=onion</pre>

Now restart Bitcoin Core. You should eventually get incoming connections via your hidden service.

[[Category:Guides]]

Setting up a Tor hidden service

2018-12-21T15:18:08Z

Cavemansalem: /* Method 1 (recommended) */

If you use a Bitcoin [[full node]] over Tor, then usually it will only be able to make outgoing connections. Therefore, you will only get a maximum of 8 total connections. This is fine, and is not something you usually need to worry about, but if your computer is often online and you want to be a big help to the network, you can run a Tor hidden service in order to accept incoming connections over Tor.

Note that there is no need to forward port 8333 when using a Tor hidden service. The hidden service will cause most firewalls and NAT setups to be bypassed. For this reason, running a Tor hidden service is also a good idea if you want incoming connections but are for some reason unable to forward port 8333.

=== Prerequisites ===

These instructions are for Linux. It is possible to do on Windows, but the instructions would be rather different. (If you've done it on Windows, consider adding the instructions to this page.)

You need Tor (at least version 0.2.7.1). Figure out where your <tt>torrc</tt> file is (<tt>/etc/tor/torrc</tt> is one possibility). This guide assumes default Tor settings. This guide assumes that Tor is running under the user and group <tt>tor</tt>, which will usually be the case if you install Tor using your distro's package manager. Note that Bitcoin '''does not''' support hidden service version 3 (ie. long onion addresses).

You need Bitcoin Core (or similar). For method 1, you need at least version 0.12.0. Find <tt>bitcoin.conf</tt> in your [[data directory]].

=== Method 1 (recommended) ===

This sets up an automatic hidden service that is initiated by Bitcoin Core. On the first startup of <tt>bitcoind</tt> after configuring Bitcoin Core to use Tor ControlPort as follows, Bitcoin Core will generate a file called <tt>onion_private_key</tt> in the data directory (default: <tt>~/.bitcoin</tt>, or specified using <tt>-datadir=/path/to/bitcoin/data</tt> at the command line or <tt>datadir=/path/to/bitcoin/data</tt> in bitcoin.conf). The file <tt>onion_private_key</tt> contains the private key needed to generate your unique <tt>XXXXXXX.onion</tt> address. KEEP THIS SAFE. If someone copies this file they can run a server with your .onion address. Also, if you delete this file, the next time bitcoind loads it will generate a new key file and <tt>xxxxxxxx.onion</tt> address. Note that while a malicious party cannot necessarily associate the server with you as a person, as long as your server has the same xxxx.onion address they will know it is run by the same person. For absolute security delete <tt>onion_private_key</tt> at each reboot or some frequent interval.

Add these lines to your <tt>torrc</tt>:

<pre>ControlPort 9051
CookieAuthentication 1
CookieAuthFileGroupReadable 1</pre>

You need to figure out what user bitcoind or bitcoin-qt is running as. Run the following command while Bitcoin is running:
<pre>ps -eo user,group,comm |egrep 'bitcoind|bitcoin-qt' |awk '{print "Bitcoin user: " $1}'</pre>
Write down the reported user.

Run the following command as root, which adds your Bitcoin user to the tor group. Replace BITCOIN_USER with the actual user name found above:
<pre>usermod -a -G tor BITCOIN_USER</pre>

If you don't modify any other settings, Bitcoin Core will usually connect over the regular Internet, but will also allow connections to and from the hidden service. This will help other users who wish to submit transactions to the bitcoin network securely and obscurely, but transactions you submit could theoretically be traced back to your ip address. If you want Bitcoin Core to only connect via Tor (for anonymity), add these lines to bitcoin.conf:

<pre>proxy=127.0.0.1:9050
listen=1
bind=127.0.0.1</pre>

If you additionally want Bitcoin Core to only connect out to Tor ''hidden services'', also add this line (not particularly recommended):
<pre>onlynet=onion</pre>

Doing so will make your specific bitcoind node arguably more secure because it will never have an unencrypted connection to another node, but if everyone used <tt>onlynet=onion</tt> nobody on the onion bitcoin chain would be able to communicate with the clearnet chain. It is essential that some nodes access both clearnet and Tor. If you need to submit bitcoin transactions to the network with the highest level of obscurity, use <tt>onlynet=onion</tt>. If you only wish to give access to your node to other Tor users, do not use it.

Now restart Tor, and then Bitcoin Core. At some point during startup in <tt>~/.bitcoin/debug.log</tt> you will see
<pre>tor: Got service ID XXXXXXXXXXX, advertising service XXXXXXXXXXX.onion:8333</pre> This is the .onion address of your server. You should eventually get incoming connections via the hidden service.

=== Method 2 ===

This sets up a manual hidden service controlled by the tor daemon. The hidden service address (xxxx.onion). Note that as in method 1, your xxxxx.onion address will stay the same until you delete your key file. Someone tracking you can't necessarily associate the xxxx.onion with you, but they will know it is run by the same person or entity.

Add these lines to your <tt>torrc</tt>:
<pre>HiddenServiceDir /var/lib/tor/bitcoin-service/
HiddenServicePort 8333 127.0.0.1:8333</pre>

Restart Tor. As root, run <tt>cat /var/lib/tor/bitcoin-service/hostname</tt>. Your onion address will be reported. If it didn't work, then probably your distro's version of Tor doesn't actually use <tt>/var/lib/tor</tt> for this purpose. You should try to figure out the correct HiddenServiceDir location.

In the following steps, replace ONION_ADDR with the onion address reported above.

If you don't care about anonymity and are only looking to help the network, add the following lines to bitcoin.conf:
<pre>onion=127.0.0.1:9050
listen=1
externalip=ONION_ADDR
discover=1</pre>
This will allow you to accept connections both via your onion address and your IP address (if you have port 8333 forwarded), and Tor will only be used for connections to and from Tor hidden services.

If you care about anonymity, '''instead''' of the above, add the following lines to bitcoin.conf to use Tor for everything:
<pre>proxy=127.0.0.1:9050
listen=1
bind=127.0.0.1
externalip=ONION_ADDR</pre>

If you additionally want Bitcoin Core to only connect out to Tor ''hidden services'', also add this line (not particularly recommended):
<pre>onlynet=onion</pre>

Now restart Bitcoin Core. You should eventually get incoming connections via your hidden service.

[[Category:Guides]]

Setting up a Tor hidden service

2018-12-21T15:16:02Z

Cavemansalem: /* Method 1 (recommended) */

If you use a Bitcoin [[full node]] over Tor, then usually it will only be able to make outgoing connections. Therefore, you will only get a maximum of 8 total connections. This is fine, and is not something you usually need to worry about, but if your computer is often online and you want to be a big help to the network, you can run a Tor hidden service in order to accept incoming connections over Tor.

Note that there is no need to forward port 8333 when using a Tor hidden service. The hidden service will cause most firewalls and NAT setups to be bypassed. For this reason, running a Tor hidden service is also a good idea if you want incoming connections but are for some reason unable to forward port 8333.

=== Prerequisites ===

These instructions are for Linux. It is possible to do on Windows, but the instructions would be rather different. (If you've done it on Windows, consider adding the instructions to this page.)

You need Tor (at least version 0.2.7.1). Figure out where your <tt>torrc</tt> file is (<tt>/etc/tor/torrc</tt> is one possibility). This guide assumes default Tor settings. This guide assumes that Tor is running under the user and group <tt>tor</tt>, which will usually be the case if you install Tor using your distro's package manager. Note that Bitcoin '''does not''' support hidden service version 3 (ie. long onion addresses).

You need Bitcoin Core (or similar). For method 1, you need at least version 0.12.0. Find <tt>bitcoin.conf</tt> in your [[data directory]].

=== Method 1 (recommended) ===

This sets up an automatic hidden service that is initiated by Bitcoin Core. On the first startup of <tt>bitcoind</tt> after configuring Bitcoin Core to use Tor ControlPort as follows, Bitcoin Core will generate a file called <tt>onion_private_key</tt> in the data directory (default: <tt>~/.bitcoin</tt>, or specified using <tt>-datadir=/path/to/bitcoin/data</tt> at the command line or <tt>datadir=/path/to/bitcoin/data</tt> in bitcoin.conf). The file <tt>onion_private_key</tt> contains the private key needed to generate your unique <tt>XXXXXXX.onion</tt> address. KEEP THIS SAFE. If someone copies this file they can run a server with your .onion address. Also, if you delete this file, the next time bitcoind loads it will generate a new key file and <tt>xxxxxxxx.onion</tt> address. Note that while a malicious party cannot necessarily associate the server with you as a person, as long as your server has the same xxxx.onion address they will know it is run by the same person. For absolute security delete <tt>onion_private_key</tt> at each reboot or some frequent interval.

Add these lines to your <tt>torrc</tt>:

<pre>ControlPort 9051
CookieAuthentication 1
CookieAuthFileGroupReadable 1</pre>

You need to figure out what user bitcoind or bitcoin-qt is running as. Run the following command while Bitcoin is running:
<pre>ps -eo user,group,comm |egrep 'bitcoind|bitcoin-qt' |awk '{print "Bitcoin user: " $1}'</pre>
Write down the reported user.

Run the following command as root, which adds your Bitcoin user to the tor group. Replace BITCOIN_USER with the actual user name found above:
<pre>usermod -a -G tor BITCOIN_USER</pre>

If you don't modify any other settings, Bitcoin Core will usually connect over the regular Internet, but will also allow connections to and from the hidden service. This will help other users who wish to submit transactions to the bitcoin network securely and obscurely, but transactions you submit could theoretically be traced back to your ip address. If you want Bitcoin Core to only connect via Tor (for anonymity), add these lines to bitcoin.conf:

<pre>proxy=127.0.0.1:9050
listen=1
bind=127.0.0.1</pre>

If you additionally want Bitcoin Core to only connect out to Tor ''hidden services'', also add this line (not particularly recommended):
<pre>onlynet=onion</pre>

Doing so will make your specific bitcoind node arguably more secure because it will never have an unencrypted connection to another node, but if everyone used <tt>onlynet=onion</tt> nobody on the onion bitcoin chain would be able to communicate with the clearnet chain. It is essential that some nodes access both clearnet and Tor. If you need to submit bitcoin transactions to the network with the highest level of obscurity, use <tt>onlynet=onion</tt>. If you only wish to give access to your node to other Tor users, do not use it.

Now restart Tor, and then Bitcoin Core. At some point during startup in <tt>~/.bitcoin/debug.log</tt> you will see
<pre>tor: Got service ID XXXXXXXXXXX, advertising service XXXXXXXXXXX.onion:8333</pre> This is the .onion address of your server. You should eventually get incoming connections via the hidden service.

=== Method 2 ===

This sets up a manual hidden service controlled by the tor daemon. The hidden service address (xxxx.onion). Note that as in method 1, your xxxxx.onion address will stay the same until you delete your key file. Someone tracking you can't necessarily associate the xxxx.onion with you, but they will know it is run by the same person or entity.

Add these lines to your <tt>torrc</tt>:
<pre>HiddenServiceDir /var/lib/tor/bitcoin-service/
HiddenServicePort 8333 127.0.0.1:8333</pre>

Restart Tor. As root, run <tt>cat /var/lib/tor/bitcoin-service/hostname</tt>. Your onion address will be reported. If it didn't work, then probably your distro's version of Tor doesn't actually use <tt>/var/lib/tor</tt> for this purpose. You should try to figure out the correct HiddenServiceDir location.

In the following steps, replace ONION_ADDR with the onion address reported above.

If you don't care about anonymity and are only looking to help the network, add the following lines to bitcoin.conf:
<pre>onion=127.0.0.1:9050
listen=1
externalip=ONION_ADDR
discover=1</pre>
This will allow you to accept connections both via your onion address and your IP address (if you have port 8333 forwarded), and Tor will only be used for connections to and from Tor hidden services.

If you care about anonymity, '''instead''' of the above, add the following lines to bitcoin.conf to use Tor for everything:
<pre>proxy=127.0.0.1:9050
listen=1
bind=127.0.0.1
externalip=ONION_ADDR</pre>

If you additionally want Bitcoin Core to only connect out to Tor ''hidden services'', also add this line (not particularly recommended):
<pre>onlynet=onion</pre>

Now restart Bitcoin Core. You should eventually get incoming connections via your hidden service.

[[Category:Guides]]

Setting up a Tor hidden service

2018-12-21T15:15:27Z

Cavemansalem:

If you use a Bitcoin [[full node]] over Tor, then usually it will only be able to make outgoing connections. Therefore, you will only get a maximum of 8 total connections. This is fine, and is not something you usually need to worry about, but if your computer is often online and you want to be a big help to the network, you can run a Tor hidden service in order to accept incoming connections over Tor.

Note that there is no need to forward port 8333 when using a Tor hidden service. The hidden service will cause most firewalls and NAT setups to be bypassed. For this reason, running a Tor hidden service is also a good idea if you want incoming connections but are for some reason unable to forward port 8333.

=== Prerequisites ===

These instructions are for Linux. It is possible to do on Windows, but the instructions would be rather different. (If you've done it on Windows, consider adding the instructions to this page.)

You need Tor (at least version 0.2.7.1). Figure out where your <tt>torrc</tt> file is (<tt>/etc/tor/torrc</tt> is one possibility). This guide assumes default Tor settings. This guide assumes that Tor is running under the user and group <tt>tor</tt>, which will usually be the case if you install Tor using your distro's package manager. Note that Bitcoin '''does not''' support hidden service version 3 (ie. long onion addresses).

You need Bitcoin Core (or similar). For method 1, you need at least version 0.12.0. Find <tt>bitcoin.conf</tt> in your [[data directory]].

=== Method 1 (recommended) ===

This sets up an automatic hidden service that is initiated by Bitcoin Core. On the first startup of <tt>bitcoind</tt> after configuring Bitcoin Core to use Tor ControlPort, Bitcoin Core will generate a file called <tt>onion_private_key</tt> in the data directory (default: <tt>~/.bitcoin</tt>, or specified using <tt>-datadir=/path/to/bitcoin/data</tt> at the command line or <tt>datadir=/path/to/bitcoin/data</tt> in bitcoin.conf). The file <tt>onion_private_key</tt> contains the private key needed to generate your unique <tt>XXXXXXX.onion</tt> address. KEEP THIS SAFE. If someone copies this file they can run a server with your .onion address. Also, if you delete this file, the next time bitcoind loads it will generate a new key file and <tt>xxxxxxxx.onion</tt> address. Note that while a malicious party cannot necessarily associate the server with you as a person, as long as your server has the same xxxx.onion address they will know it is run by the same person. For absolute security delete <tt>onion_private_key</tt> at each reboot or some frequent interval.

Add these lines to your <tt>torrc</tt>:

<pre>ControlPort 9051
CookieAuthentication 1
CookieAuthFileGroupReadable 1</pre>

You need to figure out what user bitcoind or bitcoin-qt is running as. Run the following command while Bitcoin is running:
<pre>ps -eo user,group,comm |egrep 'bitcoind|bitcoin-qt' |awk '{print "Bitcoin user: " $1}'</pre>
Write down the reported user.

Run the following command as root, which adds your Bitcoin user to the tor group. Replace BITCOIN_USER with the actual user name found above:
<pre>usermod -a -G tor BITCOIN_USER</pre>

If you don't modify any other settings, Bitcoin Core will usually connect over the regular Internet, but will also allow connections to and from the hidden service. This will help other users who wish to submit transactions to the bitcoin network securely and obscurely, but transactions you submit could theoretically be traced back to your ip address. If you want Bitcoin Core to only connect via Tor (for anonymity), add these lines to bitcoin.conf:

<pre>proxy=127.0.0.1:9050
listen=1
bind=127.0.0.1</pre>

If you additionally want Bitcoin Core to only connect out to Tor ''hidden services'', also add this line (not particularly recommended):
<pre>onlynet=onion</pre>

Doing so will make your specific bitcoind node arguably more secure because it will never have an unencrypted connection to another node, but if everyone used <tt>onlynet=onion</tt> nobody on the onion bitcoin chain would be able to communicate with the clearnet chain. It is essential that some nodes access both clearnet and Tor. If you need to submit bitcoin transactions to the network with the highest level of obscurity, use <tt>onlynet=onion</tt>. If you only wish to give access to your node to other Tor users, do not use it.

Now restart Tor, and then Bitcoin Core. At some point during startup in <tt>~/.bitcoin/debug.log</tt> you will see
<pre>tor: Got service ID XXXXXXXXXXX, advertising service XXXXXXXXXXX.onion:8333</pre> This is the .onion address of your server. You should eventually get incoming connections via the hidden service.

=== Method 2 ===

This sets up a manual hidden service controlled by the tor daemon. The hidden service address (xxxx.onion). Note that as in method 1, your xxxxx.onion address will stay the same until you delete your key file. Someone tracking you can't necessarily associate the xxxx.onion with you, but they will know it is run by the same person or entity.

Add these lines to your <tt>torrc</tt>:
<pre>HiddenServiceDir /var/lib/tor/bitcoin-service/
HiddenServicePort 8333 127.0.0.1:8333</pre>

Restart Tor. As root, run <tt>cat /var/lib/tor/bitcoin-service/hostname</tt>. Your onion address will be reported. If it didn't work, then probably your distro's version of Tor doesn't actually use <tt>/var/lib/tor</tt> for this purpose. You should try to figure out the correct HiddenServiceDir location.

In the following steps, replace ONION_ADDR with the onion address reported above.

If you don't care about anonymity and are only looking to help the network, add the following lines to bitcoin.conf:
<pre>onion=127.0.0.1:9050
listen=1
externalip=ONION_ADDR
discover=1</pre>
This will allow you to accept connections both via your onion address and your IP address (if you have port 8333 forwarded), and Tor will only be used for connections to and from Tor hidden services.

If you care about anonymity, '''instead''' of the above, add the following lines to bitcoin.conf to use Tor for everything:
<pre>proxy=127.0.0.1:9050
listen=1
bind=127.0.0.1
externalip=ONION_ADDR</pre>

If you additionally want Bitcoin Core to only connect out to Tor ''hidden services'', also add this line (not particularly recommended):
<pre>onlynet=onion</pre>

Now restart Bitcoin Core. You should eventually get incoming connections via your hidden service.

[[Category:Guides]]