Bitcoin Forum

When you create blockchain wallets through Tor and manage them only through Tor, I understood you are very anonymous. (ofcourse you need to make sure not to receive or send coins on that address that comes from people or companies that know who you are.)

But how do I achieve the same anonymity with Armory? 

I'm not technically advanced but do I understand correctly that when using Armory it's comparable to using blockchain wallet via normal browser (ie: not very anonymous since your ip can be known)?

From what I understand Armory, needs the standard bitcoin client to be running.
I could be wrong, but if that is running via Tor, it would also apply for Armory.

I've never tested it, I never considered trying to using it via Tor, but you have given me an idea to test it.

Armory uses bitcoin-qt to broadcast transactions for it, so if you've configured the standard client to connect via Tor then any transactions Armory creates will be anonymized.

Thanks a lot :)

I succeeded in connecting bitcoin-qt through the Tor network. :) But Armory opens in 'offline mode' because 'bitcoin-qt is not running'.

However, bitcoin-qt is running and even shows the green checkmark and says it's connected via 8 active connections.

Do you or anyone else have an idea how to solve this?

That sounds like the same issue I had during testing.

I'm not sure if I set it up right.

You need to add listen=1 to your bitcoin.conf file.

Prudence would suggest that you make sure that other machines can't see your PC, but you should be behind a nat router anyway.  Just disable a port forward if you have one.

Thanks for the Tip, it does indeed work now, with Armory.

So do I understand correctly that for people using proxies (mainly for Tor), you *may* have to do any of the following:

• (1) Create a bitcoin.conf file with listen=1  (C:\Users\username\AppData\Roaming\Bitcoin\bitcoin.conf or /home/user/.bitcoin/bitcoin.conf)
• (2) Start Armory with --skip-online-check
• (3) In some cases, change the port that Armory connects to (usually 8333, might be 9050 with Tor)

Does this cover it?  What else should I add to my list?

Thank you so much! That worked.

Your second tip is chinese to me. How do I know that I am behind a nat router? I don't even know where to check that. Let alone disable a port forward. Do I have to somehow connect to my router, the box from my internet service provider?

Thanks, I did 1 and 2, seems 3 is must. But how can I change the port connection when don't see it in setting options?

Ah, figured it out. Seems it's running!

Very sorry to necro this thread guys, but I just recently started to run Bitcoin-QT through Tor to protect myself especially while using public WIFIs, etc. and I had to add the listen=1 line to the bitcoin.conf file to get armory to work with it...

Erebus, you say that "prudence would suggest that you make sure that other machines can't see your PC", but anyhow Bitcoin-QT listen to external connections by default unless a proxy (like Tor) is configured - right? Thus, adding listen=1 would just take Bitcoin-QT to its "default" behaviour regarding external connections...

Did I get it right?

That's an interesting point. You should try bind=127.0.0.1 instead of listen=1

Also, I would personally use Tails rather than just Tor, to guaranty all traffic goes through Tor.

Thanks for the advice, will try and report.

Tails is indeed the best solution, but IMO its not really conceived as a fully persistent distro. It needs to be run from USB which makes it very impractical to run a full node as I do.

Right now I use this solution when I want "full system going through tor": I route all my OS X traffic through tor using the Proxy settings on System Preferences/Advanced/Proxies. I've found it pretty good, meaning that everything really goes through Tor - to avoid any third party software "phoning home" without going through Tor I use Little Snitch, with which I block all connections that are not routed through Tor.

Summing up: Tor proxy in advanced network settings  + Little Snitch works very well on OS X.

The bind=127.0.0.1 thing did not work - the only way I've managed to run Bitcoin + armory + Tor is to start Bitcoin with the listen=1 argument.

Interesting, it works for me without using Tor. Try bind=localhost, maybe your host file resolves localhost to something else (IPv6?)

I think bind=127.0.0.1 would have the added advantage that only local connections would be possible.  External connections can't "see" localhost on another machine.

Activating listen mode would be required.

I tried bind=localhost and didn't work, Bitcoin-QT couldn't resolve it.

Bind=127.0.0.1 didn't work for armory, but I tried it alone - maybe I have also to enable to listen=1 for bind=127.0.0.1 to work? Will try that...

Bind = 127.0.0.1 should mean that only local processes can connect to your node.  This means that you can use listen=1 without having to worry about incoming connections.

You are guaranteed to have 8 outgoing connections and the 1 incoming connection from Armory.

How do I verify that Armory is running via TOR?

Thanks!

TOR use port 9150 not 9050, FYI.

Do I have to disable uPNP first and then enable 127.0.0.1 via 9150 with SOCKS4 or 5? LMK!

Thanks!

Tor Browser Bundle uses port 9150, Tor daemon uses port 9050.

You need to verify that Bitcoin Core is running via Tor - you can do that easily by using Wireshark. If Bitcoin Core is running via Tor, then you are OK (Armory connects via Bitcoin Core only).

For future reference, Whonix has a pretty good reputation.  It runs in a VM, and (in theory) nothing inside the VM can break out of Tor, even if root privileges inside the VM are totally compromised.  Whonix has a dedicated SOCKS port for Bitcoin-Qt use (192.168.0.10, port 9111), so your Bitcoin transactions won't be linked to your other applications via circuit sharing.  I would guess that Whonix is quite a bit safer than relying on Bitcoin-Qt and Armory to perfectly respect proxy settings.

More info:

https://www.whonix.org/
https://www.whonix.org/wiki/Money
https://www.whonix.org/wiki/Stream_Isolation

would connecting through a vpn add the same level of anonymity without having to add to or change any files/settings?

If you trust that your VPN operator isn't evil, and that they won't be compromised by cyberattack, and that they won't be compelled by legal (or extralegal) means to screw you, then a VPN is probably fine.  These are conditions that are not true for many people.  Tor isn't vulnerable to any of these points (although it's not perfect).  So, short answer, no, a VPN is not comparable to Tor in terms of anonymity.

My current line looks something like this:
bitcoin-qt.exe -proxy=127.0.0.1:9050 -externalip=j2l9w93j3jj32ss.onion -listen

I have not linked it to Armory yet, but presumably it should work. I've heard some people say if you use -onion=127.0.0.1:9050 your client will never leave TOR, which might be best for anonymity purposes. If you do this, however, I am not sure if the server will be accessible. Just whatever you do, don't forward port 8333 on your firewall or the anonymity goes away. Check out the "tor.md" file under Bitcoin\doc.

Someone more knowledgeable might be able to correct any mistakes I've made here.

I'm pretty sure that's the opposite of true.

As far as I understand it, -proxy sends all connections through the proxy. -onion only send connections to Tor hidden services over the proxy, and connections to regular ipv4 peers bypass the proxy.

Having your node accessible as a hidden service (something.onion) is just a matter of configuring your Tor nodes to publish the hidden service and redirect incoming connections to your node, and then using -externalip so that your node can tell its peers how to reach it.

Okay, then that bring up a question for me. Is there a way to *only* try to route to other TOR hidden services? For example, if I didn't even want to leave via an exit node to the rest of the network?

I have evidence of it failing to connect to an external IP using "-proxy:" from an error message here: (modified for anonymity of exit node)

I'm not sure this is needed for most people, but I think it'd be interesting to run a within-TOR-only node. Obviously this could be done by using the wiki for TOR services and only adding TOR IPs, but is there a way within the client to do only TOR-based IPs and avoid even exit nodes?

-onlynet=tor

Right with -proxy, all connections are sent through it. If you used -onion you'd never see that message since you'd only be attempting to connect to hidden services.

-onlynet=tor combined with -onion should do everything you need, except I'm not sure if there's a way to automatically bootstrap a Tor-only node. I always bootstrapped manually from known Tor nodes.