Tor & I2P
How to add Tor and/or I2P to your Monero node
Assumptions¶
You possess:
- Basic understanding of Linux administration
- Root access to a Linux distribution
- A Monero Node
Some commands assume Ubuntu but you can trivially translate them to your distribution.
Why use anonymity networks?
Why use anonymity networks? You will be able to connect your desktop and mobile Monero wallets to your own trusted Monero node, in a secure and private way over Tor or I2P.
Tor and I2P hidden services for wallet interface are useful for wallet users because it bypasses NAT and also works to mitigate MITM risks (which are very real). Hidden service connections are end-to-end encrypted and private by default.
Onion and I2P for P2P network is useful for other nodes as it allows them to relay transactions to your node (using --tx-proxy option).
Node Configuration¶
The end goal
To enable the following services:
- yourlongv3onionaddress.onion:18084 - onion P2P service (for other onion nodes)
- yourlongv3onionaddress.onion:18089 - onion RPC service (for wallets connecting over Tor)
Onion service for P2P network is useful for other full node users as it allows them to broadcast transactions over Tor (using --tx-proxy option).
Onion service for wallet interface is useful for wallet users connecting over Tor because it mitigates Clearnet and Tor exit node MiTM risks (which are very real). By connecting wallet to an onion service, no MiTM attack is realistic because onion connections are end-to-end encrypted.
Why different P2P ports for clearnet and onion?
A: The data served by the Onion p2p port differs from clearnet P2P. A different port is required.
- Elevate to root:
sudo su - -
Add the following lines to
/etc/tor/torrc:HiddenServiceDir /var/lib/tor/monerod HiddenServicePort 18089 127.0.0.1:18089 # interface for wallet ("RPC") HiddenServicePort 18084 127.0.0.1:18084 # interface for P2P network - Enable Tor service:
systemctl enable tor systemctl restart tor - View/Copy your new Onion Address:
cat /var/lib/tor/monerod/hostname - Copy the result into your Monero config file
, enabling these options: Replaceanonymous-inbound=yourlongv3onionaddress.onion:18084,127.0.0.1:18084 tx-proxy=tor,127.0.0.1:9050,disable_noiseyourlongv3onionaddress.onionwith your onion address. - The node is now available on Tor. You can check that the service is working by using curl:
curl -x socks5h://127.0.0.1:9050 http://yourlongv3onionaddress.onion:18089/get_info
Backup Onion keys
You may want to backup your keys folder (/var/lib/tor/monerod) to secure control over your onion address.
How Tor onion services work?
A fresh onion address and corresponding key pair were created for you in /var/lib/tor/monero/.
This happens on restart whenever you add a new HiddenServiceDir to the /etc/tor/torrc config file.
The tor daemon will forward traffic from a virtual onion port to an actual localhost port, where some service is listening (in our case, this will be monerod).
A single onion address can offer multiple services at various virtual ports.
The end goal
To enable the following services:
- yourlongb32i2paddress.b32.i2p:18085 - i2p P2P service (for other i2p nodes)
- yourlongb32i2paddress.b32.i2p:18089 - i2p RPC service (for wallets connecting over i2p)
I2P service for P2P network is useful for other full node users as it allows them to broadcast transactions over I2P (using --tx-proxy option).
I2P service for wallet interface is useful for wallet users connecting over I2P because it mitigates Clearnet and Tor exit node MiTM risks (which are very real). By connecting wallet to an I2P service, no MiTM attack is realistic because I2P connections are end-to-end encrypted.
Why different P2P ports for clearnet and i2p?
A: The data served by the i2p p2p port differs from clearnet P2P. A different port is required
- Elevate to root:
sudo su - - Install i2pd:
apt install apt-transport-https wget -q -O - https://repo.i2pd.xyz/.help/add_repo | bash -s - apt update apt install i2pd - Create a server tunnel for the Monero P2P and RPC ports:
cat << EOF > /etc/i2pd/tunnels.conf.d/monero-mainnet.conf [monero-node] type = server host = 127.0.0.1 # Anonymous inbound port port = 18085 inport = 0 keys = monero-mainnet.dat [monero-rpc] type = server host = 127.0.0.1 # Restricted RPC port port = 18089 keys = monero-mainnet.dat EOF - Restart i2pd:
systemctl restart i2pd -
Find the new b32 address of the node:
curl -s http://127.0.0.1:7070/?page=i2p_tunnels | grep -Eo "[a-zA-Z0-9./?=_%:-]*" | grep "18085"`Go to the web console at 127.0.0.1:7070 -> I2P tunnels page.
Look for Server tunnels and you will see an address likeyourlongb32i2paddress.b32.i2pnext tomonero-node. -
Copy the result into your Monero config file
, enabling these options:anonymous-inbound=yourlongb32i2paddress.b32.i2p,127.0.0.1:18085 tx-proxy=i2p,127.0.0.1:4447,disable_noiseReplace
yourlongb32i2paddress.b32.i2pwith your b32 address. -
The node is now available on i2p. You can check that the service is working by using curl:
curl -x socks5h://127.0.0.1:4447 http://yourlongb32i2paddress.b32.i2p:18089/get_info
(Optional) Register short and memorable .i2p domain on reg.i2p
(Optional) Publish the node on monero.fail
Wallet Setup¶
To connect Monero nodes, you have to configure the wallet software:
- Navigate to:
Settings -> Interface -> Socks5 proxyand set the values toIP Address = 127.0.0.1andPort = 9050 - Navigate to:
Settings -> Node -> Add remote nodeand set the values toAddress = http://yourlongv3onionaddress.onionandPort = 18089
Add the flags --proxy=127.0.0.1:9050 --daemon-address=http://yourlongv3onionaddress.onion:18089 --trusted-daemon
- Navigate to:
Settings -> Interface -> Socks5 proxyand set the values toIP Address = 127.0.0.1andPort = 4447 - Navigate to:
Settings -> Node -> Add remote nodeand set the values toAddress = http://yourlongb32i2paddress.b32.i2pandPort = 18089
Add the flags --proxy=127.0.0.1:4447 --daemon-address=http://yourlongb32i2paddress.b32.i2p:18089 --trusted-daemon