What's the current best way to run Bitcoin throught Tor?

[takuma sato]

Im trying to run bitcoin-qt with Tor (Knots but should be the same with Core) and I have seen different methods.

Some people use a method that involves opening first a tor-browser instance, then bitcoin-qt with these enabled on the bitcoin.conf file:

proxy=127.0.0.1:9050
listen=1
listenonion=1

But some use the tor service, and have to register some sort of cookie, I don't know something weird that also involves giving your login and password to this cookie.

I just want a way where I can have a linux desktop entry that starts bitcoin-qt with tor enabled, so I don't have to tweak the bitcoin.conf file each time I want to use clearnet or Tor.

Also I have Tor Browser already installed, but im not sure if I need to install it from the debian repository or otherwise it will not work or something.

I have found this tutorial, but he installs it from the apt repository, but I have already Tor Browser installed. Im not sure if this is relevant. My install from the .tar files is already checked with gpg and it's legit, so I wouldn't like to have to install this from the repository and do all of that if not needed.

https://www.youtube.com/watch?v=goTkOt8Rr1Q

When he uses "tor --version" on the terminal it doesn't work for me (bash: tor: command not found") so maybe im missing something that is not installed with the tor-browser .tar file?

Please let me know because it's just confusing the different methods I've seen. If someone has a step by step guide that is up to date please link it.

Edit: Upon further research, I was confusing Tor Browser, with Tor. I have Tor Browser installed, but not Tor, so I guess I could follow that tutorial to install it. I thought Tor Browser included the Tor service which you could run separately but you need to install it yourself. I still need a proper tutorial tho.

[Satofan44]

I don't know something weird that also involves giving your login and password to this cookie.

I don't think the password is necessary. According to the docs, that is an alternative authentication method. https://bitcoincoredocs.com/tor.html. It is either Cookie Authentication or Hashed ControlPassword.

Edit: Upon further research, I was confusing Tor Browser, with Tor. I have Tor Browser installed, but not Tor, so I guess I could follow that tutorial to install it. I thought Tor Browser included the Tor service which you could run separately but you need to install it yourself. I still need a proper tutorial tho.

Good, you've figured out your first mistake. That's why it is called Browser! It is a standalone project that uses TOR and is different from the global tor service. Which Linux version are you using?
Last time I did this for my servers I used something like this, check it out: https://ubuntuhandbook.org/index.php/2021/01/install-tor-tor-browser-ubuntu-20-10-20-04/. It should be pretty straightforward. Let me know if you manage to do it.

proxy=127.0.0.1:9050
listen=1
listenonion=1

But some use the tor service, and have to register some sort of cookie

There are two difference here:

• 1) TOR more as a "client" with a lower level of integration, which would be connecting through the proxy as you have written above. This method does not have any authentication.
• 2) Authenticated mode with access to the Tor control protocol, deeper integration with the service. This is where the cookie authentication would come into play.

I am not sure if I remember correctly, but in the first method you would not get a .onion address and in the second you would. You can check the debug log for information about this. I am no longer 100% confident, but I think that in the first case the node would not act as a full peer despite listen=1 but I must freshen up my knowledge about it. Perhaps someone else can confirm.
Did you read the Wiki entry? https://en.bitcoin.it/wiki/Setting_up_a_Tor_hidden_service

[flapduck]

First, Tor Browser != the Tor service. Bitcoin Core/Knots works best with the system Tor daemon, not the browser bundle. which is also why tor --version is not found.

Here's some setup steps for Linux:

Install Tor daemon and start it
sudo apt update && sudo apt install tor
sudo systemctl enable --now tor

Allow Core to talk to Tor's ControlPort (for your .onion address)
Edit /etc/tor/torrc and ensure these lines exist:

Code:

SocksPort 9050
ControlPort 9051
CookieAuthentication 1
CookieAuthFileGroupReadable 1

Add your user to Tor's group and restart:
sudo usermod -aG debian-tor $USER
newgrp debian-tor
sudo systemctl restart tor

Minimal bitcoin.conf for Tor

Code:

proxy=127.0.0.1:9050
listen=1
listenonion=1

optional if you want Tor-only outbound:

Code:

onlynet=onion

The "cookie" isn't a login/password. It's a local file Tor creates for ControlPort auth; adding yourself to debian-tor lets Core read it automatically. And if you want to use Tor Browser's SOCKS (127.0.0.1:9150), then Bitcoin can route outgoing traffic but won't manage a .onion listener because TB doesn't expose ControlPort by default. For a proper onion service, use the Tor daemon as above.

[takuma sato]

First, Tor Browser != the Tor service. Bitcoin Core/Knots works best with the system Tor daemon, not the browser bundle. which is also why tor --version is not found.

Here's some setup steps for Linux:

Install Tor daemon and start it
sudo apt update && sudo apt install tor
sudo systemctl enable --now tor

Allow Core to talk to Tor's ControlPort (for your .onion address)
Edit /etc/tor/torrc and ensure these lines exist:

Code:

SocksPort 9050
ControlPort 9051
CookieAuthentication 1
CookieAuthFileGroupReadable 1

Add your user to Tor's group and restart:
sudo usermod -aG debian-tor $USER
newgrp debian-tor
sudo systemctl restart tor

Minimal bitcoin.conf for Tor

Code:

proxy=127.0.0.1:9050
listen=1
listenonion=1

optional if you want Tor-only outbound:

Code:

onlynet=onion

The "cookie" isn't a login/password. It's a local file Tor creates for ControlPort auth; adding yourself to debian-tor lets Core read it automatically. And if you want to use Tor Browser's SOCKS (127.0.0.1:9150), then Bitcoin can route outgoing traffic but won't manage a .onion listener because TB doesn't expose ControlPort by default. For a proper onion service, use the Tor daemon as above.

For the install steps, what about the extra steps seen on the video? He follows this:

https://support.torproject.org/apt/

They say it's recommended to do this and I assume not do just "apt install tor"

Why and how can I enable Tor Package Repository in Debian?

The Tor Project maintains its own Debian package repository. Since Debian provides the LTS version of Tor, this might not always give you the latest stable Tor version. Therefore, it's recommended to install tor from our repository.

[Satofan44]

For the install steps, what about the extra steps seen on the video? He follows this:

https://support.torproject.org/apt/

They say it's recommended to do this and I assume not do just "apt install tor"

Why and how can I enable Tor Package Repository in Debian?

The Tor Project maintains its own Debian package repository. Since Debian provides the LTS version of Tor, this might not always give you the latest stable Tor version. Therefore, it's recommended to install tor from our repository.

Do it. It won't harm you in any case and it is officially recommended. Sometimes the included system repositories have very outdated software. For some types of software it is not that important whether you are on an earlier version or not, but for things like TOR it is very important to always be up to date.

[takuma sato]

I installed it from the Tor repository and got it working. I was able to run bitcoin-qt with Tor since it has the P on the GUI and im only connecting to .onion addresses in the Peers window. However, some things still not fully working it seems.

1) The RPC does not work when I use Tor for some reason. I try ./bitcoin-cli -datadir=path getnetworkinfo and it says:

error: timeout on transient error: Could not connect to the server 127.0.0.1:18332

Make sure the bitcoind server is running and that you are connecting to the correct RPC port.

There is no cookie so maybe I have the wrong settings on bitcoin.conf

For Tor, I comment everything except this:

rpcbind=127.0.0.1
server=1
proxy=127.0.0.1:9050
listen=1
listenonion=1
onlynet=onion

On some tutorials I saw they use bind= instead of rpcbind=, im not sure about that

For clearnet, commenting everything except this:

rpcbind=127.0.0.1
server=1
listen=0

Works, bitcoin-cli will run the commands and i see the cookie file. So it has to be something with the bitcoin.conf I guess that requires something specific for Tor

Another thing is, when I run with this the Tor setting settings I described, I don't see that an onion service is created. I think my node is not reachable. But I don't get it because from what I've heard BItcoin does not run with Tor unless your node is reachable when using Tor, but it was downloading blocks in Tor mode so I don't know.

Im supposed to see this in debug.log but not there:

tor: Got service ID XXXXXXXXXXX, advertising service XXXXXXXXXXX.onion:8333

And with getnetworkinfo I get this:

{
  "version": 290100,
  "subversion": "/Satoshi:29.1.0/Knots:20250903/",
  "protocolversion": 70016,
  "localservices": "some number here with a c and 2 numbers",
  "localservicesnames": [
    "NETWORK",
    "WITNESS",
    "NETWORK_LIMITED",
    "P2P_V2",
    "REPLACE_BY_FEE?"
  ],
  "localrelay": true,
  "timeoffset": 0,
  "networkactive": true,
  "connections": 0,
  "connections_in": 0,
  "connections_out": 0,
  "networks": [
    {
      "name": "ipv4",
      "limited": true,
      "reachable": false,
      "proxy": "127.0.0.1:9050",
      "proxy_randomize_credentials": true
    },
    {
      "name": "ipv6",
      "limited": true,
      "reachable": false,
      "proxy": "127.0.0.1:9050",
      "proxy_randomize_credentials": true
    },
    {
      "name": "onion",
      "limited": false,
      "reachable": true,
      "proxy": "127.0.0.1:9050",
      "proxy_randomize_credentials": true
    },
    {
      "name": "i2p",
      "limited": true,
      "reachable": false,
      "proxy": "",
      "proxy_randomize_credentials": false
    },
    {
      "name": "cjdns",
      "limited": true,
      "reachable": false,
      "proxy": "127.0.0.1:9050",
      "proxy_randomize_credentials": true
    }
  ],
  "relayfee": 0.00001000,
  "incrementalfee": 0.00001000,
  "localaddresses": [
  ],
  "warnings": [
  ]
}

Also I do not get the onion_v3_private_key file that the guy in the video gets in /.bitcoin so im not sure in which state Tor is being run.. I mean it's connecting to other peers with onion addresses only and it's downloading blocks... so in theory it's working. However im not sure what im missing with that there.
Is it that it's working fine but im not reachable to other people? But again, listen=1 is enabled (since from what I can read it wouldn't even work in Tor mode) but I get 10 in / 0 out for connections (it has 0 incoming connections on that getnetworkinfo because the node is fully synced and I guess once it's fully synced it barely needs 1 peer every x minutes to update blockchain). So im not sure what's up with this.

Btw, I get a clearnet IP with getnodeaddresses

Code:

[
  {
    "time": some number here,
    "services": some number here,
    "address": "some clearnet ip address here,
    "port": 8333,
    "network": "ipv4"
  }
]

I just would like to know what's up with these since im not sure if it's wrongly configured and im connecting to people with a clearnet IP while recieving .onion addresses or something.

[Satofan44]

I installed it from the Tor repository and got it working. I was able to run bitcoin-qt with Tor since it has the P on the GUI and im only connecting to .onion addresses in the Peers window. However, some things still not fully working it seems.

1) The RPC does not work when I use Tor for some reason. I try ./bitcoin-cli -datadir=path getnetworkinfo and it says:

error: timeout on transient error: Could not connect to the server 127.0.0.1:18332

Make sure the bitcoind server is running and that you are connecting to the correct RPC port.

There is no cookie so maybe I have the wrong settings on bitcoin.conf

TOR should not affect your connection to the RPC unless there a bug present. Can you please clarify whether you are trying to do this on testnet or mainnet? Just to make sure that there is no basic error or confusion here. 18332 is the RPC port for testnet. The mainnet port is 8332. A small reminder about .conf and CLI, do not update the .conf while the daemon is running. This may give you issues relating to configuration changes and may cause unnecessary confusion.

I will try to reproduce everything that you are doing. Can you please post complete configuration files (omit the passwords and such obviously)?

[takuma sato]

I installed it from the Tor repository and got it working. I was able to run bitcoin-qt with Tor since it has the P on the GUI and im only connecting to .onion addresses in the Peers window. However, some things still not fully working it seems.

1) The RPC does not work when I use Tor for some reason. I try ./bitcoin-cli -datadir=path getnetworkinfo and it says:

error: timeout on transient error: Could not connect to the server 127.0.0.1:18332

Make sure the bitcoind server is running and that you are connecting to the correct RPC port.

There is no cookie so maybe I have the wrong settings on bitcoin.conf

TOR should not affect your connection to the RPC unless there a bug present. Can you please clarify whether you are trying to do this on testnet or mainnet? Just to make sure that there is no basic error or confusion here. 18332 is the RPC port for testnet. The mainnet port is 8332. A small reminder about .conf and CLI, do not update the .conf while the daemon is running. This may give you issues relating to configuration changes and may cause unnecessary confusion.

I will try to reproduce everything that you are doing. Can you please post complete configuration files (omit the passwords and such obviously)?

Using rpcbind=127.0.0.1 works for clearnet, but does not work with tor, because it does not create the .cookie file. For it to work I had to comment #rpcbind=127.0.0.1 and add a line that is bind=127.0.0.1 otherwise it does not create the .cookie

Btw I tried again and now I see the onion_v3_private_key and I get the onion address on localaddresses so I believe tor is working properly now, im not sure what I was doing yesterday but I didn't see that file but I was seeing onion peers so not sure about that. Anyway looks like it's working now. Just wanted to see why you have to use bind and not rpcbind with tor.

And another question I have is about the "discover=0/1" option. Should you use this enabled or disabled when clearnet or with Tor? I asked AI and said

discover=1 (the default) enables local network peer discovery. Specifically:

    Bitcoin Core will query your machine's network interfaces to learn local IP addresses.
    It announces those addresses to peers (via peer-to-peer messages) so other nodes can attempt inbound connections to your node.
    It helps populate the node's address manager (addr) with reachable local addresses for NAT traversal and peer selection.

If you set discover=0, Core will not auto-detect or advertise your machine's local IPs — useful when you are behind Tor, NAT, or want to avoid leaking local network addresses.

I have tried with 0 and with 1 and I don't see a difference. It finds new peers either way. Im not sure what is doing. I just would like to know the ideal bitcoin.conf for maximun privacy.

As far as the bitcoin.conf settings, I posted them above.

[Satofan44]

Using rpcbind=127.0.0.1 works for clearnet, but does not work with tor, because it does not create the .cookie file. For it to work I had to comment #rpcbind=127.0.0.1 and add a line that is bind=127.0.0.1 otherwise it does not create the .cookie

Rpcbind does not do anything unless rpcallowip is also passed. Anyhow it should default to 127.0.0.1. https://www.mankier.com/1/bitcoind?#-rpcbind. In any case, interesting observations. You should try to reproduce these issues using the same steps. It would be worthwhile to report them if you can reproduce it.

Anyway looks like it's working now. Just wanted to see why you have to use bind and not rpcbind with tor.

You can ignore the rpcbind, it should be unrelated. The situation seems that bind=0.0.0.0 (which is the default) does not work with TOR for you, but bind=127.0.0.1 does. I think the bind triggered the TOR service setup because you also have listenonion=1 so it would trigger the bind of onion connections on this 127.0.0.1:8334.

And another question I have is about the "discover=0/1" option. Should you use this enabled or disabled when clearnet or with Tor? I asked AI and said

The answer is in the explanation. The default is discover=1 which means that it tries to uses local IP addresses too for peers. For TOR it is recommended to disable this if you want to avoid local network leaks.

I have tried with 0 and with 1 and I don't see a difference. It finds new peers either way. Im not sure what is doing. I just would like to know the ideal bitcoin.conf for maximun privacy.

It is supposed to find peers in both configuration options. If it does not, you have some issues.

As far as the bitcoin.conf settings, I posted them above.

You keep posting snippets here and there, post the whole currently used configuration.  

[takuma sato]

Using rpcbind=127.0.0.1 works for clearnet, but does not work with tor, because it does not create the .cookie file. For it to work I had to comment #rpcbind=127.0.0.1 and add a line that is bind=127.0.0.1 otherwise it does not create the .cookie

Rpcbind does not do anything unless rpcallowip is also passed. Anyhow it should default to 127.0.0.1. https://www.mankier.com/1/bitcoind?#-rpcbind. In any case, interesting observations. You should try to reproduce these issues using the same steps. It would be worthwhile to report them if you can reproduce it.

Anyway looks like it's working now. Just wanted to see why you have to use bind and not rpcbind with tor.

You can ignore the rpcbind, it should be unrelated. The situation seems that bind=0.0.0.0 (which is the default) does not work with TOR for you, but bind=127.0.0.1 does. I think the bind triggered the TOR service setup because you also have listenonion=1 so it would trigger the bind of onion connections on this 127.0.0.1:8334.

And another question I have is about the "discover=0/1" option. Should you use this enabled or disabled when clearnet or with Tor? I asked AI and said

The answer is in the explanation. The default is discover=1 which means that it tries to uses local IP addresses too for peers. For TOR it is recommended to disable this if you want to avoid local network leaks.

I have tried with 0 and with 1 and I don't see a difference. It finds new peers either way. Im not sure what is doing. I just would like to know the ideal bitcoin.conf for maximun privacy.

It is supposed to find peers in both configuration options. If it does not, you have some issues.

As far as the bitcoin.conf settings, I posted them above.

You keep posting snippets here and there, post the whole currently used configuration.  

After some testing looks like the .cookie file is being created with server=1 only, no need for rcpbind= or bind=

The problem is, for some reason bitcoin-cli does not work when testnet=1 is enabled

./bitcoin-cli -datadir=/home/takuma/software/.bitcoin getnetworkinfo
error: timeout on transient error: Could not connect to the server 127.0.0.1:8332

Make sure the bitcoind server is running and that you are connecting to the correct RPC port.
Use "bitcoin-cli -help" for more info.

But this works when I launch bitcoin-qt normally (I mean mainchain but also with Tor)

same bitcoin.conf

And im not posting snippets, im posting all uncommented options:

proxy=127.0.0.1:9050
server=1
listen=1
listenonion=1
onlynet=onion
discover=0

So why it does not work for testnet?

Edit: I just remembered you had to add -testnet=1 when using bitcoin-cli on testnet

So now it's working. achow101 said that you don't need to use any of the bind= or rcpbind= stuff by default and server=1 is good to go.