Spin up a Monero node with Tor and I2P hidden service support using Docker.
I created this project as a solution for running your own Monero node in light of recent developments in Monero OpSec best practices, as I felt current solutions were lacking in their considerations for security and design. CMN provides a (more) hardened, light(er)weight solution for spinning up your own Monero node to avoid feds, skids, and YouTubers analyzing your time on the Monero blockchain. I have also designed this project with extensibility in mind, and provide quite a few configuration options for individuals wanting to spin up a Monero node.
This project is based upon the work of lalanza808/docker-monero-node.
The simplest way to use this project is as follows:
- Clone the repository
- Copy `env.example` to `.env` and edit it. The defaults should work fine.
- Copy `compose.example.yaml` to `compose.yaml`. This shouldn't require edits.
- Run `docker compose build` to build the images.
- Run `docker compose up --detach` to start your node.
- ???
- Profit!
To view node status, you can run `docker compose logs --no-log-prefix monerod`.
The bulk of configuration for this project should be possible via the `.env`
file. You can also edit `compose.yaml` if you understand what you're doing.
90% of configuration for the included services is done via their config files
in their respective directories under dockerfiles. These include:
- `dockerfiles/monerod/bitmonero.conf`
- `dockerfiles/tor/torrc`
- `dockerfiles/i2pd/i2pd.conf`

You can edit these files and run `docker compose build` to re-build the images
to apply any changes.
| Service | Port | Scope | Description | Notes |
|---|---|---|---|---|
| monerod | 18080 | global | P2P Network | Default for Monero nodes. |
| monerod | 18089 | global | Restricted JSON-RPC | Change to host machine in compose.yaml if you wish to only expose your node over hidden services. |
| i2pd | 58618 | global | I2P listen port | Hardcoded I2PD listen port for server environments. |
| monerod | 18081 | compose network | Unrestricted JSON-RPC | Default for Monero nodes. |
| i2pd | 4447 | compose network | I2PD SOCKS5 proxy | Used for Monero's tx-proxy over the I2P network. |
| tor | 9050 | compose network | Tor SOCKS5 proxy | Used for Monero's tx-proxy over the Tor network. |
| monerod | 18084 | tor network | P2P Network (over Tor) | Forwarded over the Tor network by the Tor client. |
| monerod | 18085 | i2p network | P2P (over I2P) | Forwarded over the I2P network by I2PD. |
- Docker Compose will open ports in your firewall for global ports by default.
- 'compose network' ports are available to all services in `compose.yaml`.
- tor/i2p network ports are managed by tor/i2pd. You don't need to forward anything.
I have taken several precautions for securing containers and data in the design of this project. These include:
- As few ports are forwarded from containers to the host machine as possible.
- Git commit and tag PGP signatures are checked during the monerod build step.
- Only a few `EXPOSE` directives are used across Dockerfiles.
  - See comments about why `EXPOSE 9050` is disabled in the Tor Dockerfile.
- Where possible (Tor, PurpleI2P), packages are installed from official repos.
- Docker images are built locally rather than pulled from external sources.
- ZMQ messaging is disabled as the official Monero docs recommend.
- Transaction padding is enabled by default to prevent traffic analysis.
- Cloudflare's `1.1.1.1` DNS resolver is used in order to parse DNSSEC records.
  - This is important for features like `enforce-dns-checkpointing` to work.
  - I tried several better resolvers (LibreOps, OpenNIC), but none worked.
  - If you are aware of a better libre resolver, please open a pull request!
- The peer ban list from Boog900/monero-ban-list is used by default.
- The global peer ban list is enabled by default (`--enable-dns-blocklist`).
- DNS checkpointing is enabled by default (`--enforce-dns-checkpointing`).
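As an added illustration of how the ports table and the hardening choices above map onto monerod options (this is not the project's shipped `bitmonero.conf`): the `tor` and `i2pd` hostnames are assumed compose service names, the hidden-service addresses and the ban-list path are placeholders.

```ini
# Added example, not the project's own bitmonero.conf.
# Assumed: compose service names "tor" and "i2pd", placeholder
# hidden-service addresses, and a ban-list path inside the container.

# Clearnet P2P (18080), unrestricted RPC (18081) and restricted RPC (18089)
p2p-bind-port=18080
rpc-bind-ip=0.0.0.0
rpc-bind-port=18081
rpc-restricted-bind-port=18089
confirm-external-bind=1

# ZMQ disabled, as the official Monero docs recommend
no-zmq=1

# Outbound transaction relay through the SOCKS5 proxies on the compose network
# Format: tx-proxy=<network>,<socks-host:port>[,max_connections]
tx-proxy=tor,tor:9050,10
tx-proxy=i2p,i2pd:4447,10

# Inbound P2P via the hidden services forwarded to 18084 (Tor) and 18085 (I2P)
# Format: anonymous-inbound=<hidden-service-address>,<bind-ip:port>[,max_connections]
anonymous-inbound=PLACEHOLDER.onion:18084,0.0.0.0:18084,25
anonymous-inbound=PLACEHOLDER.b32.i2p:18085,0.0.0.0:18085,25

# Pad transactions to blunt traffic analysis
pad-transactions=1

# Peer ban list (Boog900/monero-ban-list), DNS blocklist and DNS checkpoints
ban-list=/home/monero/ban_list.txt
enable-dns-blocklist=1
enforce-dns-checkpointing=1
```

If the node should only be reachable over hidden services, drop the `rpc-restricted-bind-port` mapping to the host in `compose.yaml` as the ports table notes; the `anonymous-inbound` lines still serve P2P over Tor and I2P.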
- Create functionality for backing up named volumes example
- Improve functionality for testing hidden service availability
- Add feature to automatically publish nodes to monero.fail
- Add functionality for publishing under a clearnet domain with CORS
- Add functionality for using a "vanity" I2P URL via reg.i2p