Tor Support in Zcash
Tor can be used to provide a layer of network anonymity for Zcash users. Additionally, Zcash users may choose to connect only to Tor hidden services, and also to expose their own Tor hidden service to allow users to connect to them over the Tor network.
0. Install Tor
The easiest way to install Tor is to use the Tor Browser Bundle. For headless installs, you probably want to install the Tor daemon. The Tor Project provides instructions for doing this on common Linux distributions. Note that the Tor Browser Bundle exposes a SOCKS listener on tcp/9150 by default, while the Tor daemon exposes the SOCKS listener on tcp/9050. For the purposes of the example below, we’ll assume that you’re using the Tor daemon and that the SOCKS listener is on tcp/9050.
1. Run zcashd over Tor
Configuring zcashd to use a Tor SOCKS proxy will route all outgoing connections over Tor.
$ zcashd -proxy=127.0.0.1:9050
Yay! Your zcashd node is now leveraging the Tor network to connect to other zcashd nodes. But there’s more fun to be had. By creating a Tor Hidden Service, you can help promote privacy for Zcash users by advertising your node’s .onion address to other Tor Zcash users.
3. Dynamically Configure Onion Service (Optional)
Starting with Tor version 0.2.7.1 it is possible, through Tor’s control socket API, to create and destroy ‘ephemeral’ hidden services programmatically. zcashd has been updated to make use of this.
This configuration could be used instead of manually configuring the Onion service as in step 2 above.
If Tor is running (and proper authentication has been configured), zcashd automatically creates a hidden service to listen on. zcashd will also use Tor automatically to connect to other .onion nodes if the control socket can be successfully opened.
This new feature is enabled by default if zcashd is listening (-listen) and requires a Tor connection to work. It can be explicitly disabled with -listenonion=0 and, if not disabled, configured using the -torcontrol and -torpassword settings. To show verbose debugging information, pass -debug=tor.
Connecting to Tor’s control socket API requires one of two authentication methods to be configured:
- Cookie authentication, which requires write access to the CookieAuthFile specified in Tor configuration. In some cases, this is preconfigured and the creation of a hidden service is automatic. If permission problems are seen with -debug=tor they can be resolved by adding both the user running tor and the user running zcashd to the same group and setting permissions appropriately. On Debian-based systems the user running zcashd can be added to the debian-tor group, which has the appropriate permissions.
- Authentication with the -torpassword flag and a hash-password, which can be enabled and specified in Tor configuration.
On Debian systems, where Tor is installed via APT, you can trivially permit zcashd to connect to the Tor socket by adding the zcash user to the debian-tor group.
sudo usermod -aG debian-tor zcash
When properly configured, this will allow zcashd to automatically connect to the Tor control socket API and configure an ephemeral hidden service.
zcashd -debug=tor
Feb 11 15:26:20.323 INFO main: tor: Got service ID tweustb4j6o3u5x7, advertizing service tweustb4j6o3u5x7.onion:8233
Feb 11 15:26:20.323 DEBUG tor: tor: Cached service private key to /home/zcash/.zcash/onion_private_key
Feb 11 15:26:20.323 INFO main: AddLocal(tweustb4j6o3u5x7.onion:8233,4)
...
Feb 11 15:26:47.565 INFO main: ProcessMessages: advertizing address tweustb4j6o3u5x7.onion:8233
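When no service ID appears in the log, asking Tor which authentication methods its control port offers narrows the problem down. The following is an added example, not code from zcashd or the Tor Project: it parses a reply to the Tor control protocol's PROTOCOLINFO command and reports on the two methods listed above. The sample reply, the cookie path, the control address 127.0.0.1:9051 and all function names are assumptions.

```python
import os
import re
import socket

# Constructed PROTOCOLINFO reply for offline use (not captured from a real node).
SAMPLE_REPLY = (
    "250-PROTOCOLINFO 1\r\n"
    "250-AUTH METHODS=COOKIE,SAFECOOKIE,HASHEDPASSWORD "
    'COOKIEFILE="/run/tor/control.authcookie"\r\n'
    '250-VERSION Tor="0.4.7.13"\r\n'
    "250 OK\r\n"
)

def fetch_protocolinfo(host="127.0.0.1", port=9051):
    """Ask a live Tor control port what it offers (address is an assumption)."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(b"PROTOCOLINFO 1\r\n")
        return sock.recv(4096).decode("ascii", "replace")

def parse_protocolinfo(reply):
    """Return (set of offered auth methods, cookie file path or None)."""
    methods, cookie = set(), None
    for line in reply.splitlines():
        if line.startswith("250-AUTH "):
            found = re.search(r"METHODS=([A-Z,]+)", line)
            methods = set(found.group(1).split(",")) if found else set()
            path = re.search(r'COOKIEFILE="((?:[^"\\]|\\.)*)"', line)
            cookie = re.sub(r"\\(.)", r"\1", path.group(1)) if path else None
    return methods, cookie

def diagnose(reply, have_torpassword=False, can_read=os.access):
    """Report which of the two methods described above zcashd could use."""
    methods, cookie = parse_protocolinfo(reply)
    report = {}
    if methods & {"COOKIE", "SAFECOOKIE"}:
        # Cookie auth presents the file's contents, so this user must open it.
        ok = bool(cookie) and can_read(cookie, os.R_OK)
        report["cookie"] = "ok" if ok else "cookie file not accessible: " + str(cookie)
    if "HASHEDPASSWORD" in methods:
        report["password"] = "ok" if have_torpassword else "-torpassword not set"
    return report or {"none": "no authentication method zcashd can use"}

if __name__ == "__main__":
    print(diagnose(SAMPLE_REPLY))
```

Run it as the same user that runs zcashd, passing the output of fetch_protocolinfo() to diagnose(), so the file check reflects that user's group membership.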
4. Connect to a single Zcash Onion server
This invocation will start zcashd and connect via Tor to a single zcashd onion server.
Launch zcashd as follows:
zcashd -onion=127.0.0.1:9050 -connect=ynizm2wpla6ec22q.onion
- -onion=ip:port: Use SOCKS5 proxy to reach peers via Tor hidden services. This must match the IP and port on which your Tor listener is configured.
- -connect=<hostname|ip>: Connect only to the specified node(s); -noconnect or -connect=0 alone to disable automatic connections
Now use zcash-cli to verify there is only a single peer connection.
zcash-cli getpeerinfo
[
{
"id": 1,
"addr": "ynizm2wpla6ec22q.onion",
...
"version": 170013,
"subver": "/MagicBean:4.2.0/",
"inbound": false,
...
}
]
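The peer check above can be scripted so that a clearnet connection is caught rather than overlooked. This is an added example, not part of zcashd or zcash-cli: it reads getpeerinfo output and goes slightly beyond the text by also flagging any peer that is not a .onion address or is inbound. The function names and the second sample peer are constructed for illustration.

```python
import json

# Constructed `zcash-cli getpeerinfo` output; the second entry is a made-up
# clearnet peer added to show a failure (192.0.2.0/24 is a documentation range).
SAMPLE_PEERS = json.dumps([
    {"id": 1, "addr": "ynizm2wpla6ec22q.onion", "inbound": False},
    {"id": 2, "addr": "192.0.2.10:8233", "inbound": False},
])

def peer_host(addr):
    """Strip an optional :port and IPv6 brackets from a getpeerinfo addr."""
    if addr.startswith("["):                      # [2001:db8::1]:8233
        return addr[1:addr.index("]")]
    if addr.count(":") == 1:                      # host:port or ip:port
        return addr.rsplit(":", 1)[0]
    return addr                                   # bare host, or bare IPv6

def audit_peers(getpeerinfo_json, expected_onions):
    """Return a list of problems; empty means only the expected onion peers."""
    expected = {h.lower() for h in expected_onions}
    problems, seen = [], set()
    for peer in json.loads(getpeerinfo_json):
        host = peer_host(peer["addr"]).lower()
        if not host.endswith(".onion"):
            problems.append(f"peer {peer['id']}: non-onion address {host}")
        elif host not in expected:
            problems.append(f"peer {peer['id']}: unexpected onion {host}")
        else:
            seen.add(host)
        if peer.get("inbound"):
            problems.append(f"peer {peer['id']}: inbound connection")
    problems += [f"expected peer not connected: {h}" for h in sorted(expected - seen)]
    return problems

if __name__ == "__main__":
    for problem in audit_peers(SAMPLE_PEERS, ["ynizm2wpla6ec22q.onion"]):
        print(problem)
```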
4. Connect to multiple Zcash Onion servers
This invocation will start zcashd, skip DNS seeding, connect via Tor to multiple zcashd onion servers, and also advertise your Onion server to other Tor capable Zcash nodes.
Launch zcashd as follows:
export MY_ONION_HOSTNAME=`sudo cat /var/lib/tor/zcash_hidden_service_v2/hostname`
zcashd -listen -onion=127.0.0.1:9050 -addnode=ynizm2wpla6ec22q.onion -dnsseed=0 -onlynet=onion -externalip=$MY_ONION_HOSTNAME -bind=127.0.0.1
zcashd flags used:
- -onion=ip:port: Use SOCKS5 proxy to reach peers via Tor hidden services. This must match the IP and port on which your Tor listener is configured.
- -addnode=<host|ip>: Add a node to connect to and attempt to keep the connection open
- -externalip=<ip|onion>: Sets the publicly routable address that zcashd will advertise to other zcash nodes. This can be an IPv4, IPv6 or .onion address. Onion addresses are given preference for advertising and connections. Onionv3 addresses are not yet supported.
- -listen: Enable listening for incoming connections with this flag; listening is off by default, but is needed in order for Tor to connect to zcashd.
- -bind=<ip>: Bind (only) to this IP. Will bind to all interfaces by default if listen=1 and bind is not set.
- -onlynet=<net>: Only connect to nodes in network <net> (ipv4, ipv6 or onion)