Skip to content

Tor & I2P

How to add Tor and/or I2P to your Monero node

Assumptions

You possess:

  • Basic understanding of Linux administration
  • Root access to a Linux distribution
  • A Monero Node

Some commands assume Ubuntu but you can trivially translate them to your distribution.

Why use anonymity networks?

Why use anonymity networks? You will be able to connect your desktop and mobile Monero wallets to your own trusted Monero node, in a secure and private way over Tor or I2P.

Tor and I2P hidden services for wallet interface are useful for wallet users because it bypasses NAT and also works to mitigate MITM risks (which are very real). Hidden service connections are end-to-end encrypted and private by default.

Onion and I2P for P2P network is useful for other nodes as it allows them to relay transactions to your node (using --tx-proxy option).

What is the difference between I2P SOCKS and SAM?

SOCKS is a one-size-fits-all approach that makes use of i2pd server tunnels and a SOCKS5 proxy; this requires manual configuration of tunnels and may result in some metadata leakage.

SAM (Simple Anonymous Messaging) is a protocol that lets monerod manage its own I2P connections directly, with no manual setup required aside from having an I2P router running. This is the recommended way to run the Monero daemon over I2P.

However, at present, only SOCKS can be used for connecting to remote nodes from wallet software. SAM can still be used in conjunction with a full local node.

Node Configuration

The end goal

To enable the following services:

  • yourlongv3onionaddress.onion:18084 - onion P2P service (for other onion nodes)
  • yourlongv3onionaddress.onion:18089 - onion RPC service (for wallets connecting over Tor)

Onion service for P2P network is useful for other full node users as it allows them to broadcast transactions over Tor (using --tx-proxy option).

Onion service for wallet interface is useful for wallet users connecting over Tor because it mitigates Clearnet and Tor exit node MiTM risks (which are very real). By connecting wallet to an onion service, no MiTM attack is realistic because onion connections are end-to-end encrypted.

Why different P2P ports for clearnet and onion?

A: The data served by the Onion p2p port differs from clearnet P2P. A different port is required.

  1. Elevate to root:
    sudo su -
    
  2. 🔗 Install Tor

  3. Add the following lines to /etc/tor/torrc:

    HiddenServiceDir /var/lib/tor/monerod
    HiddenServicePort 18089 127.0.0.1:18089    # interface for wallet ("RPC")
    HiddenServicePort 18084 127.0.0.1:18084    # interface for P2P network
    

  4. Enable Tor service:
    systemctl enable tor
    systemctl restart tor
    
  5. View/Copy your new Onion Address:
    cat /var/lib/tor/monerod/hostname
    
  6. Copy the result into your Monero config file 🔗, enabling these options:
    anonymous-inbound=yourlongv3onionaddress.onion:18084,127.0.0.1:18084
    tx-proxy=tor,127.0.0.1:9050,disable_noise
    
    Replace yourlongv3onionaddress.onion with your onion address.
  7. The node is now available on Tor. You can check that the service is working by using curl:
    curl -x socks5h://127.0.0.1:9050 http://yourlongv3onionaddress.onion:18089/get_info
    
Backup Onion keys

You may want to backup your keys folder (/var/lib/tor/monerod) to secure control over your onion address.

How Tor onion services work?

A fresh onion address and corresponding key pair were created for you in /var/lib/tor/monero/.
This happens on restart whenever you add a new HiddenServiceDir to the /etc/tor/torrc config file.
The tor daemon will forward traffic from a virtual onion port to an actual localhost port, where some service is listening (in our case, this will be monerod).
A single onion address can offer multiple services at various virtual ports.

The end goal

To enable the following services:

  • yourlongb32i2paddress.b32.i2p:18085 - i2p P2P service (for other i2p nodes)
  • yourlongb32i2paddress.b32.i2p:18089 - i2p RPC service (for wallets connecting over i2p)

I2P service for P2P network is useful for other full node users as it allows them to broadcast transactions over I2P (using --tx-proxy option).

I2P service for wallet interface is useful for wallet users connecting over I2P because it mitigates Clearnet and Tor exit node MiTM risks (which are very real). By connecting wallet to an I2P service, no MiTM attack is realistic because I2P connections are end-to-end encrypted.

Why different P2P ports for clearnet and i2p?

A: The data served by the i2p p2p port differs from clearnet P2P. A different port is required

  1. Elevate to root:
    sudo su -
    
  2. Install i2pd:
    apt install apt-transport-https
    wget -q -O - https://repo.i2pd.xyz/.help/add_repo | bash -s -
    apt update
    apt install i2pd
    
  3. Create a server tunnel for the Monero P2P and RPC ports:
    cat << EOF > /etc/i2pd/tunnels.conf.d/monero-mainnet.conf
    [monero-node]
    type = server
    host = 127.0.0.1
    # Anonymous inbound port
    port = 18085
    inport = 0
    keys = monero-mainnet.dat
    
    [monero-rpc]
    type = server
    host = 127.0.0.1
    # Restricted RPC port
    port = 18089
    keys = monero-mainnet.dat
    EOF
    
  4. Restart i2pd:
    systemctl restart i2pd
    
  5. Find the new b32 address of the node:

    curl -s http://127.0.0.1:7070/?page=i2p_tunnels | grep -Eo "[a-zA-Z0-9./?=_%:-]*" | grep "18089"
    

    Go to the web console at 127.0.0.1:7070 -> I2P tunnels page.
    Look for Server tunnels and you will see an address like yourlongb32i2paddress.b32.i2p next to monero-node.

  6. Copy the result into your Monero config file 🔗, enabling these options:

    anonymous-inbound=yourlongb32i2paddress.b32.i2p,127.0.0.1:18085
    tx-proxy=i2p,127.0.0.1:4447,disable_noise
    

    Replace yourlongb32i2paddress.b32.i2p with your b32 address.

  7. The node is now available on i2p. You can check that the service is working by using curl:

    curl -x socks5h://127.0.0.1:4447 http://yourlongb32i2paddress.b32.i2p:18089/get_info
    

(Optional) Register short and memorable .i2p domain on reg.i2p

The end goal

To enable the following services:

  • yourlongb32i2paddress.b32.i2p:18085 - I2P P2P service (for other I2P nodes)
  • yourlongb32i2paddress.b32.i2p:18089 - I2P RPC service (for wallets connecting over I2P)

I2P service for the P2P network is useful for other full node users as it allows them to broadcast transactions over I2P (using the --tx-proxy or --i2p-sam options).

I2P service for the wallet interface is useful for wallet users connecting over I2P because it mitigates clearnet and Tor exit node MiTM risks (which are very real). By connecting the wallet to an I2P service, no MiTM attack is realistic because I2P connections are end-to-end encrypted.

Why different P2P ports for clearnet and I2P?

The data served by the I2P P2P port differs from that of clearnet P2P. A different port is required.

  1. Elevate to root:
    sudo su -
    
  2. Install i2pd:
    apt install apt-transport-https
    wget -q -O - https://repo.i2pd.xyz/.help/add_repo | bash -s -
    apt update
    apt install i2pd
    
  3. The SAM bridge is enabled by default for i2pd. If it's disabled for some reason, add the following to /etc/i2pd/i2pd.conf and restart i2pd:
    sam.enabled=true
    
    systemctl restart i2pd
    
  4. Add i2p-sam=127.0.0.1:7656 to your Monero config file 🔗:

    i2p-sam=127.0.0.1:7656
    

    This overrides the tx-proxy and anonymous-inbound options for I2P: monerod will connect to the SAM bridge, generate an I2P destination, and manage the inbound and outbound I2P connections automatically.

  5. Start monerod. To find the Base32 address of your hidden service, go to the SAM sessions page in the i2pd web console, click on the running session, and copy the .b32.i2p address.

Back up private destination key

You may want to back up the i2p_private_key file in the monerod data directory to retain control over your I2P address/destination.

(Optional) Register a short and memorable .i2p domain on reg.i2p

(Optional) Publish the node on monero.fail

Wallet Setup

To connect Monero nodes, you have to configure the wallet software:

  1. Navigate to: Settings -> Interface -> Socks5 proxy and set the values to IP Address = 127.0.0.1 and Port = 9050
  2. Navigate to: Settings -> Node -> Add remote node and set the values to Address = http://yourlongv3onionaddress.onion and Port = 18089

🔗 Monero GUI

Add the flags --proxy=127.0.0.1:9050 --daemon-address=http://yourlongv3onionaddress.onion:18089 --trusted-daemon

🔗 Monero CLI

  1. Navigate to: Settings -> Interface -> Socks5 proxy and set the values to IP Address = 127.0.0.1 and Port = 4447
  2. Navigate to: Settings -> Node -> Add remote node and set the values to Address = http://yourlongb32i2paddress.b32.i2p and Port = 18089

🔗 Monero GUI

Add the flags --proxy=127.0.0.1:4447 --daemon-address=http://yourlongb32i2paddress.b32.i2p:18089 --trusted-daemon

🔗 Monero CLI

If using a local node managed through the GUI, go to Settings > Networks (in 'Advanced' mode) and ensure the 'I2P' anonymity network option is checked. Upon restarting the daemon, transactions will be forwarded over I2P.

🔗 Monero GUI