Bitcoin as a Tor hidden service

Salvador Guerrero
Sep 4, 2023

In my previous post, I explained how to run an anonymous Bitcoin node using Tor. Now I want to be able to connect to it via my mobile wallet.

I followed the steps below to set that up.

The package I downloaded for the Bitcoin executables comes with a file called rpcauth.py. I use it to generate the auth credentials, replacing USER_NAME with the desired username:

$ sudo python /mnt/sda/downloads/bitcoin-25.0/share/rpcauth/rpcauth.py USER_NAME

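Copy the line that starts with rpcauth= and paste it into bitcoin.conf, then save the username and password given by rpcauth.py somewhere safe. bitcoin.conf only holds a hash of the password, so you cannot read the password back from it later.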

# RPC Config
rpcauth=USER:PASSWORD_HASH

Stop bitcoind. I like to use bitcoin-cli for this because systemctl tends to time out and stop the service before it has shut down gracefully:

$ sudo -u sandbox bitcoin-cli stop

Now add a new hidden service to allow connecting to my node via Tor. First, open torrc:

$ sudo vi /etc/tor/torrc

Then paste the following lines to add a new hidden service. The bitcoind_hidden_service directory will be created when Tor is restarted; /var/lib/tor/ should already exist.
I configured it to use Bitcoin's default RPC port.

HiddenServiceDir /var/lib/tor/bitcoind_hidden_service/
HiddenServicePort 8332 127.0.0.1:8332

Restart Tor and start bitcoind:

$ sudo systemctl restart tor
$ sudo systemctl start bitcoind

The Tor address is in a file called hostname under bitcoind_hidden_service. Copy the onion address; you're going to use it to connect to your node.

$ sudo cat /var/lib/tor/bitcoind_hidden_service/hostname

Connecting to your node from your phone

I found two apps from Fully Noded, one called Fully Noded and the other called FN — Bitcoin Core. For these instructions I'm going to use the basic Bitcoin Core version.
Fully Noded apps allow connecting to Bitcoin nodes without running an Electrum server! Yes, no extra servers! (I'm in no way affiliated with or sponsored by Fully Noded.)

After launching Fully Noded from the App Store, you will be asked to enter the onion URL and RPC credentials, which you already know from the steps above.

Enter the node credentials manually, and don't forget to include the port number on the onion address: youronionaddresshere.onion:8332

Click save and the node info should start populating on the main information screen.

Even though I will be using a hardware wallet, I like how this app creates hot wallets on the device and not on the node itself, keeping the private key local and not transferring it to the node.

Add an extra layer of security

Even though Tor is awesome, there are malicious scanners out there scanning for open ports on the Tor network for their next attack.

To prevent unwanted connections, add an extra layer of security to your node by activating Tor Authentication with the steps below:

First, get the public key from the client. In my case I'm using Fully Noded, so I go to Fully Noded > Settings > Security Center > V3 Authentication Key and copy the public key.

I then go to my node via SSH and add the public key to the Bitcoin hidden service as follows; change USER to whatever you want.

$ sudo -u debian-tor vi /var/lib/tor/bitcoind_hidden_service/authorized_clients/USER.auth

This activates authentication for all clients that want to connect to this service, so no client will be able to connect unless its public key has been added to the authorized_clients folder.

Now restart Tor:

$ sudo systemctl restart tor
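
Tor's manual says a client key is read only from a file whose name ends in .auth and whose content has the form descriptor:x25519:<base32 public key>, so a pasted key that does not match is not loaded. The check below is an added example, not part of the original post: the function names are hypothetical, and it assumes one key per file and that either letter case is accepted in the key.

```python
import os
import re
import sys

# Content format from Tor's manual: <auth-type>:<key-type>:<base32 public key>.
# A 32-byte x25519 key is 52 base32 characters once the "=" padding is removed.
# Assumption: upper- and lower-case base32 are both accepted.
AUTH_LINE = re.compile(r"^descriptor:x25519:[A-Za-z2-7]{52}$")
DEFAULT_DIR = "/var/lib/tor/bitcoind_hidden_service/authorized_clients"


def check_auth_line(line):
    """Return the problems found in one client line (empty list means OK)."""
    text = line.strip()
    if AUTH_LINE.match(text):
        return []
    if text.endswith("="):
        return ["base32 padding ('=') must be removed from the key"]
    if not text.startswith("descriptor:x25519:"):
        return ["line must start with descriptor:x25519:"]
    return ["key must be exactly 52 base32 characters (a-z, 2-7)"]


def audit_authorized_clients(directory):
    """Return ({file name: problems}, number of files with a usable key)."""
    report, valid = {}, 0
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".auth"):
            report[name] = ["ignored by Tor: file name must end in .auth"]
            continue
        with open(os.path.join(directory, name), errors="replace") as fh:
            lines = [ln for ln in fh.read().splitlines() if ln.strip()]
        # Assumption: one client per file, so anything but a single line fails.
        if len(lines) != 1:
            report[name] = ["file must contain exactly one key line"]
        else:
            report[name] = check_auth_line(lines[0])
        if not report[name]:
            valid += 1
    return report, valid


if __name__ == "__main__":
    # Reading the default directory needs root or the debian-tor user.
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_DIR
    report, valid = audit_authorized_clients(path)
    for name, problems in report.items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
    print(f"{valid} usable client key(s)")
    sys.exit(0 if valid and not any(report.values()) else 1)
```

A result of 0 usable keys means no client key in that directory passed the check, which is worth fixing before relying on authentication to keep scanners out.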

As you saw, I didn't mention anything about opening a port on the router or adding an exception to the ufw firewall; this is only possible because of Tor's rendezvous point tech. 🔒

Salvador Guerrero

Computer Science Engineer, Cross-Platform App Developer, Open Source contributor. 🇲🇽🇺🇸