Updated tutorial: Running a Monero(XMR) fullnode and remote connection through Tor

Hi,

I've made this tutorial on how to set up and run a Monero node over Tor and also how to connect wallets through Tor to a .onion remote node.

Hope someone finds it useful

https://medium.com/@kic0/running-a-monero-node-over-tor-49c3de49eda8


Comments


[3 Points] Elisa-Yamaha:

This could come in useful, thanks!


[2 Points] blahbloop69:

I'm assuming this is if you want full anonymity for transactions?

Plan on buying monero just to invest and sit on. Maybe might be useful if I plan on cashing out without being tracked.


[2 Points] dashbash777:

Yes that's a great one! It helped me a lot :)

NOTE: like kic0 said his guide shows us how to run a monero node AS A TOR SERVICE which even your friends can connect to REMOTELY (assuming proper firewall rules). His article's audience is not necessarily users of the Tails operating system.

In contrast, if you only want to run a Monero Node privately on Tails, then read on.

You don't need to Torify the monero daemon in order to only use it by yourself. In fact if you add a Tor service your intent should be to eventually share your node with your pals, so each one of you does not have to run your own node.

kic0, would you please comment on why you created a Tor service so the community would not be confused (targeting Tails OS users vs. any Linux OS with Tor).

If you want to run your own private node that only you personally want to use on localhost, then there are some slight changes that need to be made in order to make the setup more secure.

Though the developers' intent is not to explain the Tails OS, refer to the main monero docs on github. Search for "Using Tor". The page that you see is technically coming from their README.md file. They provide a firewall rule change which is needed to get your node working on Tails. Without this change the wallet won't be able to connect to your localhost monero node. As the readme specifies, run:

sudo iptables -I OUTPUT 2 -p tcp -d 127.0.0.1 -m tcp --dport 18081 -j ACCEPT

Tails is so stringent that it doesn't even allow outgoing connections to localhost without explicit rules. Gotta love it ;-)

The readme.md documentation left out TORSOCKS_ALLOW_INBOUND from the final command line that they've shown. Also notice that it doesn't include the --hide-my-ip argument either, which kic0's article does include. So in total, here's what I personally execute:

DNS_PUBLIC=tcp \
TORSOCKS_ALLOW_INBOUND=1 \
  torsocks ./monerod \
  --no-igd \
  --rpc-bind-ip 127.0.0.1 \
  --p2p-bind-ip 127.0.0.1 \
  --data-dir /some/path/on/my/machine/.bitmonero \
  --hide-my-port \
  --block-sync-size 5

EDIT: The smaller block size (default is 20?) helps with TCP timeout errors.

Without the --data-dir arg, all the monero files will go to your home dir (/home/amnesia). That's not a good thing because you won't have room for its 40GB file which gets generated (named data.mdb). My home dir is about 7.7 GB on Tails. I even had problems trying to put it in ~/Persistent, even though I had over 40GB of space, so I ended up using an external, encrypted drive. Also notice this command does not include --detach. That means it won't jump to the background. Instead you'll be able to see its logs and use its command line interface in your terminal. Once it's started just type "help" (without quotes). The commands I normally use are "sync_info" (shows me the other servers I'm connected to), "status" and "print_height".

The files that get automatically generated by running monerod are:

/some/path/on/my/machine/.bitmonero/bitmonero.log
/some/path/on/my/machine/.bitmonero/lmdb
/some/path/on/my/machine/.bitmonero/lmdb/data.mdb
/some/path/on/my/machine/.bitmonero/lmdb/lock.mdb
/some/path/on/my/machine/.bitmonero/p2pstate.bin

Also, I don't use the command line wallet (cli) that is shown in the readme. I use the GUI like kic0. Here's my command line:

./monero-wallet-gui --daemon-host 127.0.0.1

You don't need torsocks here because your client is connecting to localhost (your own computer). It's not trying to connect to any onion links within the Tor network (in fact, it cannot unless you wrap it with torsocks). This is in contrast to kic0's article where his intent is to create a node available to others within the Tor network. However we used torsocks earlier to run monerod (the daemon) so that it can connect to the public monero blockchain (its peer nodes). However do remember we're using Tor, so it's not your real IP address that is exposed, rather, a Tor exit node.

Notice too that I immediately force the client to connect to localhost (the --daemon 127.0.0.1 argument) because sometimes when you run the client/wallet for the first time it tries to run its own daemon. I already have a different installation of monerod executed and waiting for connections on localhost (that huge command we saw above). So if you're going with my setup, make sure you have monerod launched and ready first, then run your wallet. Both the CLI and GUI wallet clients have their own monero daemon (file = monerod), but I downloaded and installed two different packages.

Since the time that I downloaded my packages, I can see that the main download page no longer has the bare-bones version of monero (which contains only the daemon, and not the wallet commands). Technically it's still available on their github releases page as the current release file named monero-linux-x64-v0.11.1.0.tar.bz2. I personally am comfortable downloading from github, but that's not something I want to recommend to the general public (you guys).

In other words, I have two different installations:

  1. monero-linux-x64-v0.11.1.0.tar.bz2 (which I use for running the daemon alone)
  2. monero-gui-linux-x64-v0.11.1.0.tar.bz2 (which I use as my wallet)

I launch the daemon, then I go to my other dir and launch my wallet separately. I would imagine it's possible to use just the GUI package and achieve the same thing, or even download two copies of the GUI and do the same, since the GUI also includes the daemon (TODO: someone should investigate, or maybe I will later).

When running monerod I get various torsocks errors. Sometimes I can send XMR successfully, but sometimes my wallet hangs on "synchronizing" with the daemon, and this may be attributed to the below errors. Anyone else seeing errors?

ERROR torsocks[16678]: General SOCKS server failure (in socks5_recv_connect_reply() at socks5.c:533)
ERROR torsocks[16678]: Connection timed out (in socks5_recv_connect_reply() at socks5.c:553)
ERROR torsocks[16678]: Host unreachable (in socks5_recv_connect_reply() at socks5.c:545)

If you plan to use only the GUI package and not split packages like me, check out the following file to see if you're getting any socks errors:

/some/path/on/my/machine/to/monero-gui-v0.11.1.0/monero-wallet-gui.log

In addition, there is a suggestion to delete the p2pstate.bin file on every run of monerod, for improved security. And as that post points out once you use Tor for your Monero node, do not run that same node on clearnet.

Moving along. If you ever find that your GUI wallet seems to be hanging, restarting everything can always help. First close your wallet. It's going to say "hey buddy the daemon is still running, want me to kill it for you?" I answer back, "It's okay, don't do that" because I'm going to stop the daemon myself.

In order to stop the daemon I run the "save" command (not sure if it's needed), then "exit" on the command line. Sometimes exit takes a really long time because the Tor network sucks? If you've waited too long, you'll have to do a linux kill command. Given the logs I've shown above the monero daemon's linux process ID is 16678. Open a second terminal and run "kill -9 16678", but replace "16678" with your ID.

All done folks!

Without kic0's article I would have been pretty lost. And I only found his article and the monero readme at the end of my search (wish I found it sooner :)

I know this is a long and unorganized post but if someone is willing to simplify and organize the information here and on kic0's article then the community will greatly benefit.

Sound like a good idea /u/wombat2combat ?

Other interesting reads:
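A small preflight helper for the private-node-on-Tails setup described in this comment, written as an added example (it is not the commenter's code and not part of the Monero project). The data-dir paths, the helper names and the sample log lines are constructed assumptions; the monerod flags are the ones from the comment.

```shell
# Added example, not code from the thread or the Monero project: a preflight
# helper for the private-node-on-Tails setup in the post above. Paths and
# the sample log lines are constructed for illustration.
# Tails' home dir (/home/amnesia) is far too small for data.mdb, so refuse
# to place the data dir there. Returns 0 when the path is acceptable.
check_data_dir() {
  case "$1" in
    /home/amnesia|/home/amnesia/*) return 1 ;;
    *) return 0 ;;
  esac
}

# Build the torsocks-wrapped monerod command line from the post, bound to
# loopback only so nothing off this machine can reach the RPC or P2P port.
build_monerod_cmd() {
  printf 'DNS_PUBLIC=tcp TORSOCKS_ALLOW_INBOUND=1 torsocks ./monerod --no-igd'
  printf ' --rpc-bind-ip 127.0.0.1 --p2p-bind-ip 127.0.0.1 --data-dir %s' "$1"
  printf ' --hide-my-port --block-sync-size 5\n'
}

# As the post suggests, drop p2pstate.bin before each run so a node that
# once ran on clearnet does not carry its old peer list over onto Tor.
remove_p2pstate() {
  rm -f "$1/p2pstate.bin"
}

# Count torsocks failures of one kind (e.g. "Connection timed out") in a
# monerod or monero-wallet-gui log; a rising count explains a wallet that
# hangs on "synchronizing". Prints 0 when there are none.
count_torsocks_errors() {
  grep -c "^ERROR torsocks\[[0-9]*\]: $2" "$1" || true
}

# Recover the daemon's PID from the torsocks error lines, for the manual
# "kill -9 <pid>" step when "exit" hangs.
torsocks_pid() {
  sed -n 's/^ERROR torsocks\[\([0-9]*\)\].*/\1/p' "$1" | head -n 1
}

# Constructed sample log (modelled on the lines quoted in the post).
write_sample_log() {
  cat > "$1" <<'EOF'
ERROR torsocks[16678]: General SOCKS server failure (in socks5_recv_connect_reply() at socks5.c:533)
ERROR torsocks[16678]: Connection timed out (in socks5_recv_connect_reply() at socks5.c:553)
ERROR torsocks[16678]: Connection timed out (in socks5_recv_connect_reply() at socks5.c:553)
ERROR torsocks[16678]: Host unreachable (in socks5_recv_connect_reply() at socks5.c:545)
2018-01-05 12:00:00.000 INFO constructed non-error line
EOF
}
```

Run check_data_dir and remove_p2pstate before starting the daemon with the printed command, then point count_torsocks_errors at monerod's terminal output or monero-wallet-gui.log when the wallet stalls.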


[2 Points] dashbash777:

I didn't cover how to import blockchain.raw, should you want to do that. We have a choice to make:

  1. Either boot up on Tails and run the monero daemon without the blockchain "database" on your drive (file = data.mdb),
  2. Or download most of the blockchain on clearnet and use your Monero software on Tails from that point forward.

As of Jan 5, 2018 the Monero blockchain is roughly 40G. If you understand the risks then go ahead and download it on clearnet: https://downloads.getmonero.org/blockchain.raw

Then boot to Tails and import the file:

./monero-blockchain-import --verify 0 --input-file /path/to/blockchain.raw

Just make sure you don't run the monero command on clearnet. That's when you should already be on Tails.

With that clearnet cheat you save yourself downloading something like 80% of the blockchain. If it's in the clear, what will your ISP, VPN or Tor Exit Nodes see? Well given that we all use https here (SSL), no, they will not know that you downloaded that file. Why? Because even URLs are encrypted when you use HTTPS. They just know you're using getmonero.org. However the getmonero.org server will be able to see that your IP downloaded the file.

This clearnet download can be debated for so long because there are all sorts of OPSEC points to still consider, such as using an encrypted hard drive, clearing your browser/bash/shell history, ensuring those files are securely deleted and not just going to the browser and saying "clear history", etc. You could always DBAN the drive later, but this is another topic and I've spoken on it too much already. Someone can create another post for that :)