Tor & I2P
How to add Tor and/or I2P to your Monero node
Assumptions¶
You possess:
- Basic understanding of Linux administration
- Root access to a Linux distribution
- A Monero Node
Some commands assume Ubuntu but you can trivially translate them to your distribution.
Why use anonymity networks?
Why use anonymity networks? You will be able to connect your desktop and mobile Monero wallets to your own trusted Monero node, in a secure and private way over Tor or I2P.
Tor and I2P hidden services for wallet interface are useful for wallet users because it bypasses NAT and also works to mitigate MITM risks (which are very real). Hidden service connections are end-to-end encrypted and private by default.
Onion and I2P for P2P network is useful for other nodes as it allows them to relay transactions to your node (using --tx-proxy option).
What is the difference between I2P SOCKS and SAM?
SOCKS is a one-size-fits-all approach that makes use of i2pd server tunnels and a SOCKS5 proxy; this requires manual configuration of tunnels and may result in some metadata leakage.
SAM (Simple Anonymous Messaging) is a protocol that lets monerod manage its own I2P connections directly, with no manual setup required aside from having an I2P router running. This is the recommended way to run the Monero daemon over I2P.
However, at present, only SOCKS can be used for connecting to remote nodes from wallet software. SAM can still be used in conjunction with a full local node.
Node Configuration¶
The end goal
To enable the following services:
- yourlongv3onionaddress.onion:18084 - onion P2P service (for other onion nodes)
- yourlongv3onionaddress.onion:18089 - onion RPC service (for wallets connecting over Tor)
Onion service for P2P network is useful for other full node users as it allows them to broadcast transactions over Tor (using --tx-proxy option).
Onion service for wallet interface is useful for wallet users connecting over Tor because it mitigates Clearnet and Tor exit node MiTM risks (which are very real). By connecting wallet to an onion service, no MiTM attack is realistic because onion connections are end-to-end encrypted.
Why different P2P ports for clearnet and onion?
A: The data served by the Onion p2p port differs from clearnet P2P. A different port is required.
- Elevate to root:
sudo su - -
Add the following lines to
/etc/tor/torrc:HiddenServiceDir /var/lib/tor/monerod HiddenServicePort 18089 127.0.0.1:18089 # interface for wallet ("RPC") HiddenServicePort 18084 127.0.0.1:18084 # interface for P2P network - Enable Tor service:
systemctl enable tor systemctl restart tor - View/Copy your new Onion Address:
cat /var/lib/tor/monerod/hostname - Copy the result into your Monero config file
, enabling these options:
Replaceanonymous-inbound=yourlongv3onionaddress.onion:18084,127.0.0.1:18084 tx-proxy=tor,127.0.0.1:9050,disable_noiseyourlongv3onionaddress.onionwith your onion address. - The node is now available on Tor. You can check that the service is working by using curl:
curl -x socks5h://127.0.0.1:9050 http://yourlongv3onionaddress.onion:18089/get_info
Backup Onion keys
You may want to backup your keys folder (/var/lib/tor/monerod) to secure control over your onion address.
How Tor onion services work?
A fresh onion address and corresponding key pair were created for you in /var/lib/tor/monero/.
This happens on restart whenever you add a new HiddenServiceDir to the /etc/tor/torrc config file.
The tor daemon will forward traffic from a virtual onion port to an actual localhost port, where some service is listening (in our case, this will be monerod).
A single onion address can offer multiple services at various virtual ports.
The end goal
To enable the following services:
- yourlongb32i2paddress.b32.i2p:18085 - i2p P2P service (for other i2p nodes)
- yourlongb32i2paddress.b32.i2p:18089 - i2p RPC service (for wallets connecting over i2p)
I2P service for P2P network is useful for other full node users as it allows them to broadcast transactions over I2P (using --tx-proxy option).
I2P service for wallet interface is useful for wallet users connecting over I2P because it mitigates Clearnet and Tor exit node MiTM risks (which are very real). By connecting wallet to an I2P service, no MiTM attack is realistic because I2P connections are end-to-end encrypted.
Why different P2P ports for clearnet and i2p?
A: The data served by the i2p p2p port differs from clearnet P2P. A different port is required
- Elevate to root:
sudo su - - Install i2pd:
apt install apt-transport-https wget -q -O - https://repo.i2pd.xyz/.help/add_repo | bash -s - apt update apt install i2pd - Create a server tunnel for the Monero P2P and RPC ports:
cat << EOF > /etc/i2pd/tunnels.conf.d/monero-mainnet.conf [monero-node] type = server host = 127.0.0.1 # Anonymous inbound port port = 18085 inport = 0 keys = monero-mainnet.dat [monero-rpc] type = server host = 127.0.0.1 # Restricted RPC port port = 18089 keys = monero-mainnet.dat EOF - Restart i2pd:
systemctl restart i2pd -
Find the new b32 address of the node:
curl -s http://127.0.0.1:7070/?page=i2p_tunnels | grep -Eo "[a-zA-Z0-9./?=_%:-]*" | grep "18089"Go to the web console at 127.0.0.1:7070 -> I2P tunnels page.
Look for Server tunnels and you will see an address likeyourlongb32i2paddress.b32.i2pnext tomonero-node. -
Copy the result into your Monero config file
, enabling these options:
anonymous-inbound=yourlongb32i2paddress.b32.i2p,127.0.0.1:18085 tx-proxy=i2p,127.0.0.1:4447,disable_noiseReplace
yourlongb32i2paddress.b32.i2pwith your b32 address. -
The node is now available on i2p. You can check that the service is working by using curl:
curl -x socks5h://127.0.0.1:4447 http://yourlongb32i2paddress.b32.i2p:18089/get_info
(Optional) Register short and memorable .i2p domain on reg.i2p
The end goal
To enable the following services:
- yourlongb32i2paddress.b32.i2p:18085 - I2P P2P service (for other I2P nodes)
- yourlongb32i2paddress.b32.i2p:18089 - I2P RPC service (for wallets connecting over I2P)
I2P service for the P2P network is useful for other full node users as it allows them to broadcast transactions over I2P (using the --tx-proxy or --i2p-sam options).
I2P service for the wallet interface is useful for wallet users connecting over I2P because it mitigates clearnet and Tor exit node MiTM risks (which are very real). By connecting the wallet to an I2P service, no MiTM attack is realistic because I2P connections are end-to-end encrypted.
Why different P2P ports for clearnet and I2P?
The data served by the I2P P2P port differs from that of clearnet P2P. A different port is required.
- Elevate to root:
sudo su - - Install i2pd:
apt install apt-transport-https wget -q -O - https://repo.i2pd.xyz/.help/add_repo | bash -s - apt update apt install i2pd - The SAM bridge is enabled by default for i2pd. If it's disabled for some reason, add the following to
/etc/i2pd/i2pd.confand restart i2pd:sam.enabled=truesystemctl restart i2pd -
Add
i2p-sam=127.0.0.1:7656to your Monero config file:
i2p-sam=127.0.0.1:7656This overrides the
tx-proxyandanonymous-inboundoptions for I2P:monerodwill connect to the SAM bridge, generate an I2P destination, and manage the inbound and outbound I2P connections automatically. -
Start
monerod. To find the Base32 address of your hidden service, go to the SAM sessions page in the i2pd web console, click on the running session, and copy the.b32.i2paddress.
Back up private destination key
You may want to back up the i2p_private_key file in the monerod data directory to retain control over your I2P address/destination.
(Optional) Register a short and memorable .i2p domain on reg.i2p
(Optional) Publish the node on monero.fail
Wallet Setup¶
To connect Monero nodes, you have to configure the wallet software:
- Navigate to:
Settings -> Interface -> Socks5 proxyand set the values toIP Address = 127.0.0.1andPort = 9050 - Navigate to:
Settings -> Node -> Add remote nodeand set the values toAddress = http://yourlongv3onionaddress.onionandPort = 18089
Add the flags --proxy=127.0.0.1:9050 --daemon-address=http://yourlongv3onionaddress.onion:18089 --trusted-daemon
- Navigate to:
Settings -> Interface -> Socks5 proxyand set the values toIP Address = 127.0.0.1andPort = 4447 - Navigate to:
Settings -> Node -> Add remote nodeand set the values toAddress = http://yourlongb32i2paddress.b32.i2pandPort = 18089
Add the flags --proxy=127.0.0.1:4447 --daemon-address=http://yourlongb32i2paddress.b32.i2p:18089 --trusted-daemon
If using a local node managed through the GUI, go to Settings > Networks (in 'Advanced' mode) and ensure the 'I2P' anonymity network option is checked. Upon restarting the daemon, transactions will be forwarded over I2P.