Using Armory anonymously?

[omegaflare]

How do I verify that Armory is running via TOR?

Thanks!

TOR use port 9150 not 9050, FYI.

[omegaflare]

Do I have to disable uPNP first and then enable 127.0.0.1 via 9150 with SOCKS4 or 5? LMK!

Thanks!

[Rampion]

How do I verify that Armory is running via TOR?

Thanks!

TOR use port 9150 not 9050, FYI.

Tor Browser Bundle uses port 9150, Tor daemon uses port 9050.

You need to verify that Bitcoin Core is running via Tor - you can do that easily by using Wireshark. If Bitcoin Core is running via Tor, then you are OK (Armory connects via Bitcoin Core only).

[biolizard89]

That's an interesting point. You should try bind=127.0.0.1 instead of listen=1

Also, I would personally use Tails rather than just Tor, to guaranty all traffic goes through Tor.

Thanks for the advice, will try and report.

Tails is indeed the best solution, but IMO its not really conceived as a fully persistent distro. It needs to be run from USB which makes it very impractical to run a full node as I do.

Right now I use this solution when I want "full system going through tor": I route all my OS X traffic through tor using the Proxy settings on System Preferences/Advanced/Proxies. I've found it pretty good, meaning that everything really goes through Tor - to avoid any third party software "phoning home" without going through Tor I use Little Snitch, with which I block all connections that are not routed through Tor.

Summing up: Tor proxy in advanced network settings  + Little Snitch works very well on OS X.

For future reference, Whonix has a pretty good reputation.  It runs in a VM, and (in theory) nothing inside the VM can break out of Tor, even if root privileges inside the VM are totally compromised.  Whonix has a dedicated SOCKS port for Bitcoin-Qt use (192.168.0.10, port 9111), so your Bitcoin transactions won't be linked to your other applications via circuit sharing.  I would guess that Whonix is quite a bit safer than relying on Bitcoin-Qt and Armory to perfectly respect proxy settings.

More info:

https://www.whonix.org/
https://www.whonix.org/wiki/Money
https://www.whonix.org/wiki/Stream_Isolation

[xe99]

would connecting through a vpn add the same level of anonymity without having to add to or change any files/settings?

[biolizard89]

would connecting through a vpn add the same level of anonymity without having to add to or change any files/settings?

If you trust that your VPN operator isn't evil, and that they won't be compromised by cyberattack, and that they won't be compelled by legal (or extralegal) means to screw you, then a VPN is probably fine.  These are conditions that are not true for many people.  Tor isn't vulnerable to any of these points (although it's not perfect).  So, short answer, no, a VPN is not comparable to Tor in terms of anonymity.

[Raize]

My current line looks something like this:
bitcoin-qt.exe -proxy=127.0.0.1:9050 -externalip=j2l9w93j3jj32ss.onion -listen

I have not linked it to Armory yet, but presumably it should work. I've heard some people say if you use -onion=127.0.0.1:9050 your client will never leave TOR, which might be best for anonymity purposes. If you do this, however, I am not sure if the server will be accessible. Just whatever you do, don't forward port 8333 on your firewall or the anonymity goes away. Check out the "tor.md" file under Bitcoin\doc.

Someone more knowledgeable might be able to correct any mistakes I've made here.

[justusranvier]

I've heard some people say if you use -onion=127.0.0.1:9050 your client will never leave TOR, which might be best for anonymity purposes.

I'm pretty sure that's the opposite of true.

As far as I understand it, -proxy sends all connections through the proxy. -onion only send connections to Tor hidden services over the proxy, and connections to regular ipv4 peers bypass the proxy.

If you do this, however, I am not sure if the server will be accessible

Having your node accessible as a hidden service (something.onion) is just a matter of configuring your Tor nodes to publish the hidden service and redirect incoming connections to your node, and then using -externalip so that your node can tell its peers how to reach it.

[Raize]

As far as I understand it, -proxy sends all connections through the proxy. -onion only send connections to Tor hidden services over the proxy, and connections to regular ipv4 peers bypass the proxy.

Okay, then that bring up a question for me. Is there a way to *only* try to route to other TOR hidden services? For example, if I didn't even want to leave via an exit node to the rest of the network?

I have evidence of it failing to connect to an external IP using "-proxy:" from an error message here: (modified for anonymity of exit node)

Code:

Jun 06 13:34:11.449 [Notice] We tried for 15 seconds to connect to '[scrubbed]' using exit $ECC33AB15915C6E167A0EAEF9D4BD1A005B12F56~GoodBoy23 at 201.151.231.31. Retrying on a new circuit.

I'm not sure this is needed for most people, but I think it'd be interesting to run a within-TOR-only node. Obviously this could be done by using the wiki for TOR services and only adding TOR IPs, but is there a way within the client to do only TOR-based IPs and avoid even exit nodes?

[justusranvier]

Okay, then that bring up a question for me. Is there a way to *only* try to route to other TOR hidden services? For example, if I didn't even want to leave via an exit node to the rest of the network?

-onlynet=tor

I have evidence of it failing to connect to an external IP using "-proxy:" from an error message here: (modified for anonymity of exit node)

Code:

Jun 06 13:34:11.449 [Notice] We tried for 15 seconds to connect to '[scrubbed]' using exit $ECC33AB15915C6E167A0EAEF9D4BD1A005B12F56~GoodBoy23 at 201.151.231.31. Retrying on a new circuit.

Right with -proxy, all connections are sent through it. If you used -onion you'd never see that message since you'd only be attempting to connect to hidden services.

I'm not sure this is needed for most people, but I think it'd be interesting to run a within-TOR-only node. Obviously this could be done by using the wiki for TOR services and only adding TOR IPs, but is there a way within the client to do only TOR-based IPs and avoid even exit nodes?

-onlynet=tor combined with -onion should do everything you need, except I'm not sure if there's a way to automatically bootstrap a Tor-only node. I always bootstrapped manually from known Tor nodes.