[VerusCoin.git] / doc / tor.md

*** Warning: Do not assume Tor support does the correct thing in Komodo; better Tor support is a future feature goal. ***

TOR SUPPORT IN ZCASH
====================

It is possible to run Komodo as a Tor hidden service, and connect to such services.

The following directions assume you have a Tor proxy running on port 9050. Many distributions default to having a SOCKS proxy listening on port 9050, but others may not. In particular, the Tor Browser Bundle defaults to listening on port 9150. See [Tor Project FAQ:TBBSocksPort](https://www.torproject.org/docs/faq.html.en#TBBSocksPort) for how to properly
configure Tor.


1. Run Komodo behind a Tor proxy
-------------------------------

The first step is running Komodo behind a Tor proxy. This will already make all
outgoing connections be anonymized, but more is possible.

	-proxy=ip:port  Set the proxy server. If SOCKS5 is selected (default), this proxy
	                server will be used to try to reach .onion addresses as well.

	-onion=ip:port  Set the proxy server to use for Tor hidden services. You do not
	                need to set this if it's the same as -proxy. You can use -noonion
	                to explicitly disable access to hidden service.

	-listen         When using -proxy, listening is disabled by default. If you want
	                to run a hidden service (see next section), you'll need to enable
	                it explicitly.

	-connect=X      When behind a Tor proxy, you can specify .onion addresses instead
	-addnode=X      of IP addresses or hostnames in these parameters. It requires
	-seednode=X     SOCKS5. In Tor mode, such addresses can also be exchanged with
	                other P2P nodes.

In a typical situation, this suffices to run behind a Tor proxy:

	./komodod -proxy=127.0.0.1:9050


2. Run a Komodo hidden server
----------------------------

If you configure your Tor system accordingly, it is possible to make your node also
reachable from the Tor network. Add these lines to your /etc/tor/torrc (or equivalent
config file):

	HiddenServiceDir /var/lib/tor/zcash-service/
	HiddenServicePort 7771 127.0.0.1:7771
	HiddenServicePort 17771 127.0.0.1:17771

The directory can be different of course, but (both) port numbers should be equal to
your komodod's P2P listen port (7771 by default).

	-externalip=X   You can tell Komodo about its publicly reachable address using
	                this option, and this can be a .onion address. Given the above
	                configuration, you can find your onion address in
	                /var/lib/tor/zcash-service/hostname. Onion addresses are given
	                preference for your node to advertize itself with, for connections
	                coming from unroutable addresses (such as 127.0.0.1, where the
	                Tor proxy typically runs).

	-listen         You'll need to enable listening for incoming connections, as this
	                is off by default behind a proxy.

	-discover       When -externalip is specified, no attempt is made to discover local
	                IPv4 or IPv6 addresses. If you want to run a dual stack, reachable
	                from both Tor and IPv4 (or IPv6), you'll need to either pass your
	                other addresses using -externalip, or explicitly enable -discover.
	                Note that both addresses of a dual-stack system may be easily
	                linkable using traffic analysis.

In a typical situation, where you're only reachable via Tor, this should suffice:

	./komodod -proxy=127.0.0.1:9050 -externalip=zctestseie6wxgio.onion -listen

(obviously, replace the Onion address with your own). It should be noted that you still
listen on all devices and another node could establish a clearnet connection, when knowing
your address. To mitigate this, additionally bind the address of your Tor proxy:

	./zcashd ... -bind=127.0.0.1

If you don't care too much about hiding your node, and want to be reachable on IPv4
as well, use `discover` instead:

	./komodod ... -discover

and open port 7771 on your firewall (or use -upnp).

If you only want to use Tor to reach onion addresses, but not use it as a proxy
for normal IPv4/IPv6 communication, use:

	./komodod -onion=127.0.0.1:9050 -externalip=zctestseie6wxgio.onion -discover


3. Automatically listen on Tor
--------------------------------

Starting with Tor version 0.2.7.1 it is possible, through Tor's control socket
API, to create and destroy 'ephemeral' hidden services programmatically.
Komodo has been updated to make use of this.

This means that if Tor is running (and proper authentication has been configured),
Komodo automatically creates a hidden service to listen on. Komodo will also use Tor
automatically to connect to other .onion nodes if the control socket can be
successfully opened. This will positively affect the number of available .onion
nodes and their usage.

This new feature is enabled by default if Komodo is listening (`-listen`), and
requires a Tor connection to work. It can be explicitly disabled with `-listenonion=0`
and, if not disabled, configured using the `-torcontrol` and `-torpassword` settings.
To show verbose debugging information, pass `-debug=tor`.

Connecting to Tor's control socket API requires one of two authentication methods to be 
configured. For cookie authentication the user running komodod must have write access 
to the `CookieAuthFile` specified in Tor configuration. In some cases this is 
preconfigured and the creation of a hidden service is automatic. If permission problems 
are seen with `-debug=tor` they can be resolved by adding both the user running tor and 
the user running komodod to the same group and setting permissions appropriately. On 
Debian-based systems the user running komodod can be added to the debian-tor group, 
which has the appropriate permissions. An alternative authentication method is the use 
of the `-torpassword` flag and a `hash-password` which can be enabled and specified in 
Tor configuration.


4. Connect to a Komodo hidden server
-----------------------------------

To test your set-up, you might want to try connecting via Tor on a different computer to just a
a single Komodo hidden server. Launch komodod as follows:

	./komodod -onion=127.0.0.1:9050 -connect=zctestseie6wxgio.onion

Now use komodo-cli to verify there is only a single peer connection.

	komodo-cli getpeerinfo

	[
	    {
	        "id" : 1,
	        "addr" : "zctestseie6wxgio.onion:17770",
	        ...
	        "version" : 170002,
	        "subver" : "/MagicBean:1.0.0/",
	        ...
	    }
	]

To connect to multiple Tor nodes, use:

	./komodod -onion=127.0.0.1:9050 -addnode=zctestseie6wxgio.onion -dnsseed=0 -onlynet=onion
Commit	Line	Data
c2b69c72	1	* Warning: Do not assume Tor support does the correct thing in Komodo; better Tor support is a future feature goal. *
fb537854	2
85cc6f5b	3	TOR SUPPORT IN ZCASH
85cc6f5b	4	====================
00a88745	5
c2b69c72	6	It is possible to run Komodo as a Tor hidden service, and connect to such services.
00a88745	7
ec8828af	8	The following directions assume you have a Tor proxy running on port 9050. Many distributions default to having a SOCKS proxy listening on port 9050, but others may not. In particular, the Tor Browser Bundle defaults to listening on port 9150. See [Tor Project FAQ:TBBSocksPort](https://www.torproject.org/docs/faq.html.en#TBBSocksPort) for how to properly
00a88745	9	configure Tor.
	10
	11
c2b69c72	12	1. Run Komodo behind a Tor proxy
85cc6f5b	13	-------------------------------
00a88745	14
c2b69c72	15	The first step is running Komodo behind a Tor proxy. This will already make all
5f8be1da	16	outgoing connections be anonymized, but more is possible.
00a88745	17
00a88745	18	-proxy=ip:port Set the proxy server. If SOCKS5 is selected (default), this proxy
00a88745	19	server will be used to try to reach .onion addresses as well.
4fbfebea	20
de9ca8e9	21	-onion=ip:port Set the proxy server to use for Tor hidden services. You do not
102518fd	22	need to set this if it's the same as -proxy. You can use -noonion
00a88745	23	to explicitly disable access to hidden service.
4fbfebea	24
00a88745	25	-listen When using -proxy, listening is disabled by default. If you want
	26	to run a hidden service (see next section), you'll need to enable
	27	it explicitly.
4fbfebea	28
00a88745	29	-connect=X When behind a Tor proxy, you can specify .onion addresses instead
	30	-addnode=X of IP addresses or hostnames in these parameters. It requires
	31	-seednode=X SOCKS5. In Tor mode, such addresses can also be exchanged with
	32	other P2P nodes.
	33
	34	In a typical situation, this suffices to run behind a Tor proxy:
	35
f37f614e	36	./komodod -proxy=127.0.0.1:9050
00a88745	37
00a88745	38
c2b69c72	39	2. Run a Komodo hidden server
85cc6f5b	40	----------------------------
00a88745	41
	42	If you configure your Tor system accordingly, it is possible to make your node also
	43	reachable from the Tor network. Add these lines to your /etc/tor/torrc (or equivalent
	44	config file):
	45
85cc6f5b	46	HiddenServiceDir /var/lib/tor/zcash-service/
c2b69c72 JDL	47	HiddenServicePort 7771 127.0.0.1:7771
c2b69c72 JDL	48	HiddenServicePort 17771 127.0.0.1:17771
00a88745	49
00a88745	50	The directory can be different of course, but (both) port numbers should be equal to
c2b69c72	51	your komodod's P2P listen port (7771 by default).
00a88745	52
c2b69c72	53	-externalip=X You can tell Komodo about its publicly reachable address using
00a88745	54	this option, and this can be a .onion address. Given the above
00a88745	55	configuration, you can find your onion address in
85cc6f5b	56	/var/lib/tor/zcash-service/hostname. Onion addresses are given
00a88745	57	preference for your node to advertize itself with, for connections
	58	coming from unroutable addresses (such as 127.0.0.1, where the
	59	Tor proxy typically runs).
4fbfebea	60
00a88745	61	-listen You'll need to enable listening for incoming connections, as this
00a88745	62	is off by default behind a proxy.
4fbfebea	63
00a88745	64	-discover When -externalip is specified, no attempt is made to discover local
	65	IPv4 or IPv6 addresses. If you want to run a dual stack, reachable
	66	from both Tor and IPv4 (or IPv6), you'll need to either pass your
	67	other addresses using -externalip, or explicitly enable -discover.
	68	Note that both addresses of a dual-stack system may be easily
	69	linkable using traffic analysis.
	70
	71	In a typical situation, where you're only reachable via Tor, this should suffice:
	72
f37f614e	73	./komodod -proxy=127.0.0.1:9050 -externalip=zctestseie6wxgio.onion -listen
00a88745	74
7f9e7a98 M	75	(obviously, replace the Onion address with your own). It should be noted that you still
	76	listen on all devices and another node could establish a clearnet connection, when knowing
	77	your address. To mitigate this, additionally bind the address of your Tor proxy:
	78
bcbcf143	79	./zcashd ... -bind=127.0.0.1
7f9e7a98 M	80
	81	If you don't care too much about hiding your node, and want to be reachable on IPv4
	82	as well, use `discover` instead:
00a88745	83
f37f614e	84	./komodod ... -discover
00a88745	85
c2b69c72	86	and open port 7771 on your firewall (or use -upnp).
00a88745	87
	88	If you only want to use Tor to reach onion addresses, but not use it as a proxy
	89	for normal IPv4/IPv6 communication, use:
	90
f37f614e	91	./komodod -onion=127.0.0.1:9050 -externalip=zctestseie6wxgio.onion -discover
85cc6f5b	92
85cc6f5b	93
2298877f WL	94	3. Automatically listen on Tor
	95	--------------------------------
	96
	97	Starting with Tor version 0.2.7.1 it is possible, through Tor's control socket
	98	API, to create and destroy 'ephemeral' hidden services programmatically.
c2b69c72	99	Komodo has been updated to make use of this.
2298877f	100
44040731	101	This means that if Tor is running (and proper authentication has been configured),
c2b69c72	102	Komodo automatically creates a hidden service to listen on. Komodo will also use Tor
44040731 NM	103	automatically to connect to other .onion nodes if the control socket can be
	104	successfully opened. This will positively affect the number of available .onion
	105	nodes and their usage.
2298877f	106
c2b69c72	107	This new feature is enabled by default if Komodo is listening (`-listen`), and
5aa2365e	108	requires a Tor connection to work. It can be explicitly disabled with `-listenonion=0`
	109	and, if not disabled, configured using the `-torcontrol` and `-torpassword` settings.
	110	To show verbose debugging information, pass `-debug=tor`.
2298877f	111
44040731	112	Connecting to Tor's control socket API requires one of two authentication methods to be
f37f614e	113	configured. For cookie authentication the user running komodod must have write access
44040731 NM	114	to the `CookieAuthFile` specified in Tor configuration. In some cases this is
	115	preconfigured and the creation of a hidden service is automatic. If permission problems
	116	are seen with `-debug=tor` they can be resolved by adding both the user running tor and
f37f614e JDL	117	the user running komodod to the same group and setting permissions appropriately. On
f37f614e JDL	118	Debian-based systems the user running komodod can be added to the debian-tor group,
44040731 NM	119	which has the appropriate permissions. An alternative authentication method is the use
	120	of the `-torpassword` flag and a `hash-password` which can be enabled and specified in
	121	Tor configuration.
	122
2298877f	123
c2b69c72	124	4. Connect to a Komodo hidden server
85cc6f5b	125	-----------------------------------
85cc6f5b	126
1f48a340	127	To test your set-up, you might want to try connecting via Tor on a different computer to just a
c2b69c72	128	a single Komodo hidden server. Launch komodod as follows:
85cc6f5b	129
f37f614e	130	./komodod -onion=127.0.0.1:9050 -connect=zctestseie6wxgio.onion
85cc6f5b	131
c2b69c72	132	Now use komodo-cli to verify there is only a single peer connection.
85cc6f5b	133
c2b69c72	134	komodo-cli getpeerinfo
5b07ee59	135
85cc6f5b	136	[
	137	{
	138	"id" : 1,
c2b69c72	139	"addr" : "zctestseie6wxgio.onion:17770",
85cc6f5b	140	...
5bd677f5 S	141	"version" : 170002,
5bd677f5 S	142	"subver" : "/MagicBean:1.0.0/",
85cc6f5b	143	...
	144	}
	145	]
1f48a340 JG	146
	147	To connect to multiple Tor nodes, use:
	148
f37f614e	149	./komodod -onion=127.0.0.1:9050 -addnode=zctestseie6wxgio.onion -dnsseed=0 -onlynet=onion