From 0b5f4062488cdad27d55ddbdf4253bed6b116a4d Mon Sep 17 00:00:00 2001 From: furszy Date: Thu, 29 Jul 2021 19:24:33 -0300 Subject: [PATCH] Doc: update tor.md with latest upstream information. Combination of upstream's #19961, #21753 and #22172 --- doc/tor.md | 265 +++++++++++++++++++++++++++++++++++------------------ 1 file changed, 178 insertions(+), 87 deletions(-) diff --git a/doc/tor.md b/doc/tor.md index 773082f3d684e..5b48a4504fd4a 100644 --- a/doc/tor.md +++ b/doc/tor.md @@ -1,134 +1,225 @@ # TOR SUPPORT IN PIVX -It is possible to run PIVX Core as a Tor hidden service, and connect to such services. +It is possible to run PIVX Core as a Tor onion service, and connect to such services. The following directions assume you have a Tor proxy running on port 9050. Many distributions default to having a SOCKS proxy listening on port 9050, but others may not. In particular, the Tor Browser Bundle defaults to listening on port 9150. See [Tor Project FAQ:TBBSocksPort](https://www.torproject.org/docs/faq.html.en#TBBSocksPort) for how to properly configure Tor. +## Compatibility + +- Starting with version 5.3.0, PIVX Core only supports Tor version 3 hidden + services (Tor v3). Tor v2 addresses are ignored by PIVX Core and neither + relayed nor stored. + +- Tor removed v2 support beginning with version 0.4.6. + +## How to see information about your Tor configuration via PIVX Core + +There are several ways to see your local onion address in PIVX Core: +- in the debug log (grep for "tor:" or "AddLocal") +- in the output of RPC `getnetworkinfo` in the "localaddresses" section +- in the output of the CLI `-netinfo` peer connections dashboard + +You may set the `-debug=tor` config logging option to have additional +information in the debug log about your Tor configuration. + +CLI `-addrinfo` returns the number of addresses known to your node per network +type, including Tor v2 and v3. This is useful to see how many onion addresses +are known to your node for `-onlynet=onion` and how many Tor v3 addresses it +knows when upgrading to PIVX Core v5.3.0 and up that supports Tor v3 only. ## 1. Run PIVX Core behind a Tor proxy ----------------------------------- -The first step is running PIVX behind a Tor proxy. This will already anonymize all +The first step is running PIVX Core behind a Tor proxy. This will already anonymize all outgoing connections, but more is possible. - -proxy=ip:port Set the proxy server. If SOCKS5 is selected (default), this proxy - server will be used to try to reach .onion addresses as well. + -proxy=ip:port Set the proxy server. If SOCKS5 is selected (default), this proxy + server will be used to try to reach .onion addresses as well. + You need to use -noonion or -onion=0 to explicitly disable + outbound access to onion services. + + -onion=ip:port Set the proxy server to use for Tor onion services. You do not + need to set this if it's the same as -proxy. You can use -onion=0 + to explicitly disable access to onion services. + Note: Only the -proxy option sets the proxy for DNS requests; + with -onion they will not route over Tor, so use -proxy if you + have privacy concerns. + + -listen When using -proxy, listening is disabled by default. If you want + to manually configure an onion service (see section 3), you'll + need to enable it explicitly. + + -connect=X When behind a Tor proxy, you can specify .onion addresses instead + -addnode=X of IP addresses or hostnames in these parameters. It requires + -seednode=X SOCKS5. In Tor mode, such addresses can also be exchanged with + other P2P nodes. + + -onlynet=onion Make outgoing connections only to .onion addresses. Incoming + connections are not affected by this option. This option can be + specified multiple times to allow multiple network types, e.g. + ipv4, ipv6 or onion. If you use this option with values other + than onion you *cannot* disable onion connections; outgoing onion + connections will be enabled when you use -proxy or -onion. Use + -noonion or -onion=0 if you want to be sure there are no outbound + onion connections over the default proxy or your defined -proxy. + +In a typical situation, this suffices to run behind a Tor proxy: - -onion=ip:port Set the proxy server to use for Tor hidden services. You do not - need to set this if it's the same as -proxy. You can use -noonion - to explicitly disable access to hidden services. + ./pivxd -proxy=127.0.0.1:9050 - -listen When using -proxy, listening is disabled by default. If you want - to run a hidden service (see next section), you'll need to enable - it explicitly. +## 2. Automatically create a PIVX Core onion service - -connect=X When behind a Tor proxy, you can specify .onion addresses instead - -addnode=X of IP addresses or hostnames in these parameters. It requires - -seednode=X SOCKS5. In Tor mode, such addresses can also be exchanged with - other P2P nodes. +PIVX Core makes use of Tor's control socket API to create and destroy +ephemeral onion services programmatically. This means that if Tor is running and +proper authentication has been configured, PIVX Core automatically creates an +onion service to listen on. The goal is to increase the number of available +onion nodes. - -onlynet=onion Make outgoing connections only to .onion addresses. Incoming - connections are not affected by this option. This option can be - specified multiple times to allow multiple network types, e.g. - ipv4, ipv6, or onion. +This feature is enabled by default if PIVX Core is listening (`-listen`) and +it requires a Tor connection to work. It can be explicitly disabled with +`-listenonion=0`. If it is not disabled, it can be configured using the +`-torcontrol` and `-torpassword` settings. -In a typical situation, this suffices to run behind a Tor proxy: +To see verbose Tor information in the pivxd debug log, pass `-debug=tor`. + +### Control Port + +You may need to set up the Tor Control Port. On Linux distributions there may be +some or all of the following settings in `/etc/tor/torrc`, generally commented +out by default (if not, add them): + +``` +ControlPort 9051 +CookieAuthentication 1 +CookieAuthFileGroupReadable 1 +``` + +Add or uncomment those, save, and restart Tor (usually `systemctl restart tor` +or `sudo systemctl restart tor` on most systemd-based systems, including recent +Debian and Ubuntu, or just restart the computer). + +On some systems (such as Arch Linux), you may also need to add the following +line: + +``` +DataDirectoryGroupReadable 1 +``` + +### Authentication + +Connecting to Tor's control socket API requires one of two authentication +methods to be configured: cookie authentication or pivxd's `-torpassword` +configuration option. + +#### Cookie authentication - ./pivxd -proxy=127.0.0.1:9050 +For cookie authentication, the user running pivxd must have read access to +the `CookieAuthFile` specified in the Tor configuration. In some cases this is +preconfigured and the creation of an onion service is automatic. Don't forget to +use the `-debug=tor` pivxd configuration option to enable Tor debug logging. +If a permissions problem is seen in the debug log, e.g. `tor: Authentication +cookie /run/tor/control.authcookie could not be opened (check permissions)`, it +can be resolved by adding both the user running Tor and the user running +pivxd to the same Tor group and setting permissions appropriately. -## 2. Run a PIVX Core hidden server +On Debian-derived systems, the Tor group will likely be `debian-tor` and one way +to verify could be to list the groups and grep for a "tor" group name: -If you configure your Tor system accordingly, it is possible to make your node also -reachable from the Tor network. Add these lines to your /etc/tor/torrc (or equivalent -config file): *Needed for Tor version 0.2.7.0 and older versions of Tor only. For newer -versions of Tor see [Section 3](#3-automatically-listen-on-tor).* +``` +getent group | cut -d: -f1 | grep -i tor +``` - HiddenServiceDir /var/lib/tor/pivx-service/ - HiddenServiceVersion 2 - HiddenServicePort 51472 127.0.0.1:51472 - HiddenServicePort 61472 127.0.0.1:61472 +You can also check the group of the cookie file. On most Linux systems, the Tor +auth cookie will usually be `/run/tor/control.authcookie`: -The directory can be different of course, but (both) port numbers should be equal to -your pivxd's P2P listen port (51472 by default). +``` +stat -c '%G' /run/tor/control.authcookie +``` - -externalip=X You can tell pivx about its publicly reachable address using - this option, and this can be a v2 .onion address (v3 .onion - addresses are not supported by the PIVX network). Given the above - configuration, you can find your .onion address in - /var/lib/tor/pivx-service/hostname. For connections - coming from unroutable addresses (such as 127.0.0.1, where the - Tor proxy typically runs), .onion addresses are given - preference for your node to advertise itself with. +Once you have determined the `${TORGROUP}` and selected the `${USER}` that will +run pivxd, run this as root: - -listen You'll need to enable listening for incoming connections, as this - is off by default behind a proxy. +``` +usermod -a -G ${TORGROUP} ${USER} +``` - -discover When -externalip is specified, no attempt is made to discover local - IPv4 or IPv6 addresses. If you want to run a dual stack, reachable - from both Tor and IPv4 (or IPv6), you'll need to either pass your - other addresses using -externalip, or explicitly enable -discover. - Note that both addresses of a dual-stack system may be easily - linkable using traffic analysis. +Then restart the computer (or log out) and log in as the `${USER}` that will run +pivxd. + +#### `torpassword` authentication + +For the `-torpassword=password` option, the password is the clear text form that +was used when generating the hashed password for the `HashedControlPassword` +option in the Tor configuration file. + +The hashed password can be obtained with the command `tor --hash-password +password` (refer to the [Tor Dev +Manual](https://2019.www.torproject.org/docs/tor-manual.html.en) for more +details). + + +## 3. Manually create a PIVX Core onion service + +You can also manually configure your node to be reachable from the Tor network. +Add these lines to your `/etc/tor/torrc` (or equivalent config file): + + HiddenServiceDir /var/lib/tor/pivx-service/ + HiddenServicePort 51472 127.0.0.1:51472 + +The directory can be different of course, but virtual port numbers should be equal to +your pivxd's P2P listen port (51472 by default), and target addresses and ports +should be equal to binding address and port for inbound Tor connections (127.0.0.1:51472 by default). + + -externalip=X You can tell pivx about its publicly reachable addresses using + this option, and this can be an onion address. Given the above + configuration, you can find your onion address in + /var/lib/tor/pivx-service/hostname. For connections + coming from unroutable addresses (such as 127.0.0.1, where the + Tor proxy typically runs), onion addresses are given + preference for your node to advertise itself with. + + You can set multiple local addresses with -externalip. The + one that will be rumoured to a particular peer is the most + compatible one and also using heuristics, e.g. the address + with the most incoming connections, etc. + + -listen You'll need to enable listening for incoming connections, as this + is off by default behind a proxy. + + -discover When -externalip is specified, no attempt is made to discover local + IPv4 or IPv6 addresses. If you want to run a dual stack, reachable + from both Tor and IPv4 (or IPv6), you'll need to either pass your + other addresses using -externalip, or explicitly enable -discover. + Note that both addresses of a dual-stack system may be easily + linkable using traffic analysis. In a typical situation, where you're only reachable via Tor, this should suffice: - ./pivxd -proxy=127.0.0.1:9050 -externalip=pivxzj6l4cvo2fxy.onion -listen + ./pivxd -proxy=127.0.0.1:9050 -externalip=7zvj7a2imdgkdbg4f2dryd5rgtrn7upivr5eeij4cicjh65pooxeshid.onion -listen (obviously, replace the .onion address with your own). It should be noted that you still listen on all devices and another node could establish a clearnet connection, when knowing your address. To mitigate this, additionally bind the address of your Tor proxy: - ./pivxd ... -bind=127.0.0.1 + ./pivxd ... -bind=127.0.0.1 If you don't care too much about hiding your node, and want to be reachable on IPv4 as well, use `discover` instead: - ./pivxd ... -discover + ./pivxd ... -discover and open port 51472 on your firewall (or use port mapping, i.e., `-upnp` or `-natpmp`). If you only want to use Tor to reach .onion addresses, but not use it as a proxy for normal IPv4/IPv6 communication, use: - ./pivxd -onion=127.0.0.1:9050 -externalip=pivxzj6l4cvo2fxy.onion -discover - -## 3. Automatically listen on Tor - -Starting with Tor version 0.2.7.1 it is possible, through Tor's control socket -API, to create and destroy 'ephemeral' hidden services programmatically. -PIVX Core has been updated to make use of this. - -This means that if Tor is running (and proper authentication has been configured), -PIVX Core automatically creates a hidden service to listen on. This will positively -affect the number of available .onion nodes. - -This new feature is enabled by default if PIVX Core is listening (`-listen`), and -requires a Tor connection to work. It can be explicitly disabled with `-listenonion=0` -and, if not disabled, configured using the `-torcontrol` and `-torpassword` settings. -To show verbose debugging information, pass `-debug=tor`. - -Connecting to Tor's control socket API requires one of two authentication methods to be -configured. It also requires the control socket to be enabled, e.g. put `ControlPort 9051` -in `torrc` config file. For cookie authentication the user running pivxd must have read -access to the `CookieAuthFile` specified in Tor configuration. In some cases this is -preconfigured and the creation of a hidden service is automatic. If permission problems -are seen with `-debug=tor` they can be resolved by adding both the user running Tor and -the user running pivxd to the same group and setting permissions appropriately. On -Debian-based systems the user running pivxd can be added to the debian-tor group, -which has the appropriate permissions. - -An alternative authentication method is the use -of the `-torpassword=password` option. The `password` is the clear text form that -was used when generating the hashed password for the `HashedControlPassword` option -in the tor configuration file. The hashed password can be obtained with the command -`tor --hash-password password` (read the tor manual for more details). + ./pivxd -onion=127.0.0.1:9050 -externalip=7zvj7a2imdgkdbg4f2dryd5rgtrn7upivr5eeij4cicjh65pooxeshid.onion -discover ## 4. Privacy recommendations -- Do not add anything but PIVX Core ports to the hidden service created in section 2. - If you run a web service too, create a new hidden service for that. - Otherwise it is trivial to link them, which may reduce privacy. Hidden - services created automatically (as in section 3) always have only one port +- Do not add anything but PIVX Core ports to the onion service created in section 3. + If you run a web service too, create a new onion service for that. + Otherwise it is trivial to link them, which may reduce privacy. Onion + services created automatically (as in section 2) always have only one port open.