bitcoind – How can I setup Bitcoin to be anonymous with Tor?

This is not a thorough schooling on Tor and only shows how to configure it to work together with Bitcoin Core.

Bitcoin Core includes Tor integration

When Tor is correctly set up on your system, Bitcoin Core automatically identifies Tor and creates an anonymous service. Little configuration is required to be ‘off the grid’, and just a tiny bit more to be completely anonymous if that is important to you, with none of your Bitcoin traffic reaching out onto the public internet.

Using these steps you can be anonymous in only five minutes.

With the full privacy setup, transactions will of course still be broadcast but will only be broadcast actually onto the public internet by other Bitcoin nodes. With the standard ‘off-the-grid’ Tor setup, your Bitcoin traffic will be routed through the anonymous Tor network before reaching the public internet and other Bitcoin nodes on and off the Tor network to be effectively untraceable.

Setting Up Bitcoin Core and Tor

These instructions work on Fedora 23>29 and assume a default setup of Bitcoin Core v0.15.1 and Tor v0.2.7.1 or newer (and have been tested to work with Bitcoin Core v0.16.0 on Fedora 27 with Tor v0.3.1.9). Fedora is a modern operating system that will run on most standard modern hardware. The configuration is the same on Windows, but the instructions are different. There are some instructions for setting up Tor on Windows here.

Further instructions for other *nix based systems are available here. NOTE: You do not need to configure your Tor client as a relay or exit node for Tor to operate, so you can skip the step for ‘Put the configuration file /etc/tor/torrc place:’ in that guide. You will still need to use all of the following steps in this guide.

  1. Set up Tor

    1. Install the tor package:

      sudo dnf install tor
      
    2. Start the tor daemon and make sure it starts at boot:

      sudo systemctl enable tor
      sudo systemctl start tor
      
  2. Figure out where your torrc file is (/etc/tor/torrc is one possibility).

  3. Open the torrc file to edit:

    xhost +local: ## skip if earlier than v29 only needed for Wayland
    sudo gedit /etc/tor/torrc
    

    or

    sudo nano /etc/tor/torrc
    
  4. Add these lines to your torrc (or ensure that they are uncommented):

    ControlPort 9051
    CookieAuthentication 1
    CookieAuthFileGroupReadable 1
    
  5. You need to figure out what group tor is using. On Fedora 23 it is toranon. Run the following command:

    ps -eo user,group,comm |egrep 'tor' |awk '{print "tor group: " $2}'
    
  6. You need to figure out what user bitcoind or bitcoin-qt is running as. Run the following command while Bitcoin is running:

    ps -eo user,group,comm |egrep 'bitcoind|bitcoin-qt' |awk '{print "Bitcoin user: " $1}'
    
  7. Run the following command as root, which adds your Bitcoin user to the tor group. Replace TOR_GROUP and BITCOIN_USER with the actual information found above:

    sudo usermod -a -G TOR_GROUP BITCOIN_USER
    

If you don’t modify any other settings, Bitcoin Core will usually connect over the regular Internet, but will also allow connections to and from the hidden Tor service.

  1. So that Bitcoin Core will only connect via Tor (for standard ‘off-the-grid’ setup), add these lines to bitcoin.conf. In Bitcoin Core, go to Settings -> Options -> Open Configuration File. Bitcoin Core uses Tor stream isolation by default:

    proxy=127.0.0.1:9050 #If you use Windows, this could possibly be 127.0.0.1:9150 in some cases.
    listen=1
    bind=127.0.0.1
    
  2. (optional) If you like, you can add some onion service peer nodes to connect to. This will help especially if you do all of the following optional configurations. Add the following lines to your bitcoin.conf file. Bitcoin Core will only connect to a maximum of eight of these at any one time randomly, depending which ones are online:

    #Add seed nodes
    seednode=wxvp2d4rspn7tqyu.onion
    seednode=bk5ejfe56xakvtkk.onion
    seednode=bpdlwholl7rnkrkw.onion
    seednode=hhiv5pnxenvbf4am.onion
    seednode=4iuf2zac6aq3ndrb.onion
    seednode=nkf5e6b7pl4jfd4a.onion
    seednode=xqzfakpeuvrobvpj.onion
    seednode=tsyvzsqwa2kkf6b2.onion
    
    #And/or add some nodes
    addnode=gyn2vguc35viks2b.onion
    addnode=kvd44sw7skb5folw.onion
    addnode=nkf5e6b7pl4jfd4a.onion
    addnode=yu7sezmixhmyljn4.onion
    addnode=3ffk7iumtx3cegbi.onion
    addnode=3nmbbakinewlgdln.onion
    addnode=4j77gihpokxu2kj4.onion
    addnode=546esc6botbjfbxb.onion
    addnode=5at7sq5nm76xijkd.onion
    addnode=77mx2jsxaoyesz2p.onion
    addnode=7g7j54btiaxhtsiy.onion
    addnode=a6obdgzn67l7exu3.onion
    addnode=ab64h7olpl7qpxci.onion
    addnode=am2a4rahltfuxz6l.onion
    addnode=azuxls4ihrr2mep7.onion
    addnode=bitcoin7bi4op7wb.onion
    addnode=bitcoinostk4e4re.onion
    addnode=bk7yp6epnmcllq72.onion
    addnode=bmutjfrj5btseddb.onion
    addnode=ceeji4qpfs3ms3zc.onion
    addnode=clexmzqio7yhdao4.onion
    addnode=gb5ypqt63du3wfhn.onion
    addnode=h2vlpudzphzqxutd.onion
    addnode=n42h7r6oumcfsbrs.onion:4176
    addnode=ncwk3lutemffcpc4.onion
    addnode=okdzjarwekbshnof.onion
    addnode=pjghcivzkoersesd.onion
    addnode=rw7ocjltix26mefn.onion
    addnode=uws7itep7o3yinxo.onion
    addnode=vk3qjdehyy4dwcxw.onion
    addnode=vqpye2k5rcqvj5mq.onion
    addnode=wpi7rpvhnndl52ee.onion
    

If you additionally want Bitcoin Core to only connect out to Tor hidden services and not even to connect to IPv4/IPv6 nodes on the public internet via the Tor network proxy:

  1. (optional) Also add this to bitcoin.conf for full anonymity (not particularly recommended)*:

    onlynet=onion
    

*Note: Bitcoin Core will still query for peer addresses via DNS lookup if low on addresses. This also can be disabled using the next option. However, it is possible your node may not be able to find any other nodes to connect to.

*Note: Bitcoin Core v0.15.1 currently seems to make some outbound IPv4 connections at node startup even when onlynet=onion, none have been observed after initial startup. These connections should be made via your onion proxy, however, using the next option has been observed to prevent them.

  1. (optional) (advanced) If you also want to disable DNS lookup to query for peer addresses then also add the following to bitcoin.conf (not particularly recommended) note: if you use this option your node may be unable to find peers until you add some good peers with the addnode= parameter.:

    dnsseed=0
    dns=0
    
  2. Restart tor:

    sudo systemctl stop tor
    sudo systemctl start tor
    
  3. Log out of your user, log back in (this is so that your new user group permissions are effective, I do not know what user you are running Bitcoin Core on).

  4. Restart Bitcoin Core. Since Tor version 0.2.7.1 and newer the Bitcoin Core GUI version called bitcoin-qt automatically registers your Tor hidden service and makes it reachable on the onion network. For the command line version of Bitcoin Core, bitcoind, add the following parameter to your command line:

    bitcoind -listenonion
    

No port forwarding is necessary for everything to work with Tor including incoming connections via the Tor hidden service, you do not need to forward any ports for Bitcoin Core or Tor for this.

If you want your Bitcoin node still publicly reachable via the public internet for incoming connections you will still need to forward port 8333 for Bitcoin Core.

Checking everything is working

There are only two things to check that all is working. Checking peer info in the debug window of bitcoin-qt, you should see that connections to IPv4/IPv6 peers now have some extra connected ‘via’ info along with the peer address when you click on a peer. Onion addresses only route via Tor.

Checking the same thing via console or CLI for getnetworkinfo, you should see for each network type the proxy info and, checking with getpeerinfo you should see that the addrlocal info is a remote address for each peer. Onion peers do not have addrlocal and just have their onion service name for addr.

The second thing to check is that your onion service for inbound Tor connections is up and all configuration is in place. Have a look in your debug.log file, you should see a few entries after the most recent node restart that match the following:

2018-02-10 06:31:48 InitParameterInteraction: parameter interaction: -proxy set -> setting -upnp=0
2018-02-10 06:31:48 InitParameterInteraction: parameter interaction: -proxy set -> setting -discover=0
...
2018-02-10 06:32:13 Bound to 127.0.0.1:8333
...
2018-02-10 06:32:13 torcontrol thread start
2018-02-10 06:32:13 tor: Got service ID {onion}, advertising service {onion}.onion:8333
2018-02-10 06:32:13 AddLocal({onion}.onion:8333,4)

The advertising service information is your onion service address.

In the debug.log, connections to onion peers will only look like the following but still show up in the peers tab of the debug window on bitcoin-qt:

2018-02-10 06:34:07 receive version message: /Satoshi:0.15.1/: version 70015, blocks=508469, us=(::):0, peer=7

It is not necessary to configure port forwarding on your modem/router for Tor to operate. If you are behind a restrictive firewall it may be necessary to configure outbound connections to allow Tor to connect out to other Tor nodes. Tor can be configured to only connect out using port 80/443 if that helps. See Appendix 1 – Monitoring Tor for nyx and access to full Tor configuration options.

It is difficult to be completely anonymous since the sender and the receiver know, however, you can obfuscate your transaction origin so that your data cannot be traced by IP address without breaching the Tor network. Do some research, onlynet=onion is more secure.

Additionally, there has been research(1)(2) done on graphing the blockchain in an attempt to trace all BTC to their origin, potentially identifying source<-wallet<-purchase and depending on the combination of UTXOs potentially identifying wallet balances or wallet balance subsets. Data linkage is a privacy issue we may all be concerned about, this article discusses the use of bitcoin mixers, and this series of tweets.

Done! Enjoy being anonymous!

Appendix 1 – Monitoring Tor

You can monitor (and further tweak/break) Tor using nyx.

There are several installation methods available. On Fedora 27:

sudo dnf install nyx

To start nyx simply type nyx in the console and it will connect to Tor if it is running.

Footnotes

Once correctly configured, most synchronisation issues are to do with your hardware. See this answer for more information.

There are more configuration options available, and additional ways you can support the Tor network. Please see the several pages available here for information.

Thanks to en.bitcoin.it for your excellent guide that got me started on this.

Additional information is available from the bitcoin project here.

For an even higher level of anonymity, it is possible to configure Tor as a DNS resolver and, configure your system network configuration to use Tor to resolve DNS queries.

*by default, Tor will participate in the Tor network.
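
An added example, not part of the original answer or of Bitcoin Core: a small Python check that classifies a bitcoin.conf into the three setups the guide describes (default, Tor-proxied, onion-only), flags the DNS and peer caveats from its notes, and extracts the advertised onion address from debug.log. The function names, the sample config and log text, and the service ID exampleonionid00 are constructed for illustration.

```python
import re

def parse_conf(text):
    """Parse bitcoin.conf text into {key: [values]}; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:          # blank lines and [section] headers
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf.setdefault(key, []).append(value)
    return conf

def last(conf, key):
    """Last value given for key, or None if the key is absent."""
    return conf.get(key, [None])[-1]

def audit(conf):
    """Classify the setup as one of the guide's three tiers and list gaps."""
    proxy = last(conf, "proxy")
    if proxy is None:
        return "clearnet+onion", ["no proxy=: outbound peers use the regular Internet"]
    findings = []
    if not proxy.startswith("127.0.0.1:"):
        findings.append(f"proxy={proxy} differs from the guide's local Tor SOCKS port")
    if last(conf, "listen") == "1" and last(conf, "bind") != "127.0.0.1":
        findings.append("listen=1 without bind=127.0.0.1 as used in the guide")
    onion_only = conf.get("onlynet") == ["onion"]
    dns_off = last(conf, "dnsseed") == "0" and last(conf, "dns") == "0"
    peers = conf.get("addnode", []) + conf.get("seednode", [])
    if onion_only and not dns_off:
        findings.append("onlynet=onion but DNS peer lookup still enabled")
    if dns_off and not any(p.split(":")[0].endswith(".onion") for p in peers):
        findings.append("DNS lookup disabled and no .onion addnode=/seednode= peers")
    return ("onion-only" if onion_only else "tor-proxied"), findings

ONION_UP = re.compile(r"tor: Got service ID \S+, advertising service (\S+\.onion:\d+)")

def onion_service_from_log(log_text):
    """Return the most recently advertised onion address in debug.log, or None."""
    hits = ONION_UP.findall(log_text)
    return hits[-1] if hits else None

# Constructed sample inputs (not taken from a real node).
SAMPLE_CONF = """\
proxy=127.0.0.1:9050 #Tor SOCKS port
listen=1
bind=127.0.0.1
onlynet=onion
"""
SAMPLE_LOG = """\
2018-02-10 06:32:13 Bound to 127.0.0.1:8333
2018-02-10 06:32:13 torcontrol thread start
2018-02-10 06:32:13 tor: Got service ID exampleonionid00, advertising service exampleonionid00.onion:8333
"""

if __name__ == "__main__":
    mode, findings = audit(parse_conf(SAMPLE_CONF))
    print(mode, findings)
    print("onion service:", onion_service_from_log(SAMPLE_LOG))
```

An empty findings list means the file matches the guide's settings for that tier; it does not prove that no traffic leaves outside Tor, which still has to be confirmed with getnetworkinfo and getpeerinfo as described above.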

bitcoind – Insight package: Cannot connect to local nodes on testnet

I have a local blockchain network based on bitcoin that runs on my local machine.
I updated the bitcore.config.json file to support my nodes.

When I’m trying to see the blocks at the browser at localhost:8200, I’m receiving this error:

Error: connect ECONNREFUSED 127.0.0.1:3000
at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1107:14)

I’m starting the Insight client by: npm run insight NETWORK=testnet

(bitcoin.conf)

...
# Options only for testnet
[test]
connect=127.0.0.1:17002
#connect=127.0.0.1:8200
#connect=127.0.0.1:8082
#connect=127.0.0.1:3000
#connect=127.0.0.1:24181
rpcconnect=127.0.0.1
rpcport=18001
listen=1
port=17001
rpcuser=liork
rpcpassword=irock
txindex=1
...

bitcoind – Address starting with 2, what mode I am in?

I am using https://github.com/freewil/bitcoin-testnet-box to run bitcoind in docker to test signing of transactions.

make start tells me the bitcoind is started without -regtest flag. See https://github.com/freewil/bitcoin-testnet-box/blob/master/Makefile#L13

When I run bitcoin-cli -datadir=1 getblockchaininfo, I indeed see "chain": "regtest" in output, so both the nodes are running in regression test mode, I believe.

If I generate an address for either of these 2 nodes, I get an address starting with 2:

tester@4df64413049e ~/bitcoin-testnet-box$ make address1
bitcoin-cli -datadir=1  getnewaddress
2N4DTeBWDF9yaF9TJVGcgcZDM7EQtsGwFjX
tester@4df64413049e ~/bitcoin-testnet-box$ make address2
bitcoin-cli -datadir=2  getnewaddress
2MwxP8fyh9MFqKnZXZuqt3ZYByhLpNVoiX3

make getinfo tells me it's not testnet either:

tester@4df64413049e ~/bitcoin-testnet-box$ make getinfo
bitcoin-cli -datadir=1  -getinfo
{
  "version": 170100,
  "protocolversion": 70015,
  "walletversion": 169900,
  "balance": 0.00000000,
  "blocks": 0,
  "timeoffset": 0,
  "connections": 1,
  "proxy": "",
  "difficulty": 4.656542373906925e-10,
  "testnet": false,
  "keypoololdest": 1599940906,
  "keypoolsize": 1000,
  "paytxfee": 0.00000000,
  "relayfee": 0.00001000,
  "warnings": ""
}
bitcoin-cli -datadir=2  -getinfo
{
  "version": 170100,
  "protocolversion": 70015,
  "walletversion": 169900,
  "balance": 0.00000000,
  "blocks": 0,
  "timeoffset": 0,
  "connections": 1,
  "proxy": "",
  "difficulty": 4.656542373906925e-10,
  "testnet": false,
  "keypoololdest": 1599940906,
  "keypoolsize": 1000,
  "paytxfee": 0.00000000,
  "relayfee": 0.00001000,
  "warnings": ""
}

So what mode am I running these bitcoin nodes as? If I was to trust the output that it's not testmode but somehow regression test mode, shouldn’t the address start with 1 if it's really regtest mode or with m/n if it's testnet mode?

Also, when I dump the private key for any of such address and try to derive the P2PKH address from it, it doesn’t match. Same code works fine with address and key taken from mainnet. What’s going on?

bitcoin core – Stopping bitcoind on mac

One of my kids while learning more about bitcoin started bitcoind on my mac. Now I am unable to stop it. In my activity monitor, it shows a process named “bitcoind”. I have stopped that process from the activity monitor various times but that doesn’t help. It starts again after some time or in the next boot session. It has been taking a lot of my laptop space (>100gb). I am running low on space and I need to stop it now. This has been happening regularly. As a temporary solution, I used to go to /Users/(name)/Library/Application Support/ and delete the “Bitcoin” folder from there. But that’s no proper solution to end it completely. I have tried a bunch of stuff using bitcoin-cli in the terminal. However, I am unable to stop it.

Running
bitcoin-cli stop returns error: couldn't connect to server: unknown (code -1) (make sure server is running and you are connecting to the correct RPC port).

Can someone please tell me what should I do to stop the bitcoind?

Depends: libgcc-s1 (>=3.0) but it is not installable (Bitcoind wallet dependency problem on Debian)

On Debian I successfully compiled .bitcoind without a wallet, but now I need the wallet.

./configure tells me I need Berkeley CXX headers. Searching for how to do this on Debian brings up a bunch of Ubuntu answers saying to do either

sudo apt-get install libdb4.8-dev libdb4.8++ libdb4.8++-dev

after having added a PPA, or

wget http://download.oracle.com/berkeley-db/db-4.8.30.zip
unzip db-4.8.30.zip
cd db-4.8.30
cd build_unix/
../dist/configure --prefix=/usr/local --enable-cxx
make
make install

Both solutions throw errors. I’m focusing on the 1st solution.

The first solution throws this error:

The following packages have unmet dependencies:
 libdb4.8++ : Depends: libgcc-s1 (>= 3.0) but it is not installable

I’m not sure, but I assume this may be an Ubuntu vs. Debian issue? How can I bypass it?

json rpc – bitcoind RPC methods missing on Debian

Originally I installed .bitcoind using --disable-wallet then I later recompiled it with wallet. Not sure if that’s to blame or how to troubleshoot.

Commands like this work:

bitcoin-cli getbestblockhash

0000000000000000000a40b6716fdd46ba98e238c58d3d686c653eeeb94aa759

but several others do not:

bitcoin-cli gettransaction "1075db55d416d3ca199f55b6084e2115b9345e16c5cf302fc80e9d5fbf5d48d"
error code: -32601
error message:
Method not found

bitcoin-cli getbalance
error code: -32601
error message:
Method not found

Using curl, i.e.

curl --user bitcoinuser --data-binary '{"jsonrpc": "1.0", "id":"curltest", "method": "getinfo", "params": [] }' -H 'content-type: text/plain;' http://127.0.0.1:8332

also results in “method not found”.

bitcoin core – bitcoind: How to get rawblock data with ZeroMQ

I am trying to use the zeromq api for bitcoind to get rawblock but it's not working with the code I’ve provided below. I am able to get hashtx and rawtx if I remove the filter but not hashblock and rawblock. Not sure if this is an important detail or not but my bitcoind is still syncing so I’m not sure if those topics are only triggered when bitcoind has synced up.

// Implementation of ZeroMQ in node.js.
// From the maintainers of the ZeroMQ protocol.
var zmq = require("zeromq");

// Create a subscriber socket.
const sock = new zmq.Subscriber();
var addr = "tcp://127.0.0.1:28332";

// Initiate connection to TCP socket.
sock.connect(addr);

// Subscribe to receive messages for a specific topic.
// This can be "rawblock", "hashblock", "rawtx", or "hashtx".
sock.subscribe("rawblock");

(async () => {
  for await (const [topic, msg] of sock) {
    console.log(topic.toString())
  }
})();

My bitcoin.conf file looks like:

server=1
txindex=1

# [zeromq]
zmqpubhashblock=tcp://127.0.0.1:28332
zmqpubhashtx=tcp://127.0.0.1:28332
zmqpubrawblock=tcp://127.0.0.1:28332
zmqpubrawtx=tcp://127.0.0.1:28332

bitcoind – Run bitcoin and Omni on same machine

You can specify the rpcport in your bitcoin.conf. You should only need to change it for either Bitcoin or Omni, not for both.

As for selecting a port number, it’s largely arbitrary. Just make sure it’s not being used by another program on the machine. Additionally, if you choose a port <= 1024, you will need super user access to run the program, so I would suggest picking something higher.

bitcoin core – Can’t connect to Bitcoind remotely

I am running a Bitcoin Cash node on my server, and starting it like this:

start bitcoind.exe --server=1 --rpcuser=user --rpcpassword=password --rest=1 --rpcport=8332 --datadir=F:Bitcoin --bind=10.1.0.4 --testnet=1 --rpcallowip=0.0.0.0/0

The node runs, and I can connect to it locally.

However, I can’t connect to it remotely, from my C# application, using the BitcoinLib library:

ICoinService coinService = new BitcoinService(ConfigurationManager.AppSettings["Bitcoin_DaemonUrl"], ConfigurationManager.AppSettings["Bitcoin_RpcUsername"],
ConfigurationManager.AppSettings["Bitcoin_RpcPassword"], ConfigurationManager.AppSettings["WalletPassword"]);

I am getting this error:

BitcoinLib: There was a problem sending the request to the wallet.
System: Unable to connect to the remote server.

I have created inbound/outbound rules in the server’s firewall settings, allowing access to the 8332 port, and I think that --rpcallowip=0.0.0.0/0 should allow all IPs to connect to my node… So I really don’t know what the problem is.

Edit: I can’t access the node from https://bitnodes.earn.com/ either.

Update: the node has finished reindexing blocks, and I still can’t connect to it remotely.

Launch bitcoind at startup on Ubuntu

To start bitcoind at startup on a system using systemd, use the service configuration provided in contrib/init/ from the root of the bitcoin-core repository.

You can then manage bitcoind as any other systemd service (and possibly have some other rely on it, such as a Lightning Network implementation’s service).

systemctl start bitcoind
systemctl stop bitcoind
# This enables launching the service at startup
systemctl enable bitcoind