[VerusCoin.git] / doc / tor.md

*** Warning: Do not assume Tor support does the correct thing in Zcash; better Tor support is a future feature goal. ***

TOR SUPPORT IN ZCASH
====================

It is possible to run Zcash as a Tor hidden service, and connect to such services.

The following directions assume you have a Tor proxy running on port 9050. Many distributions default to having a SOCKS proxy listening on port 9050, but others may not. In particular, the Tor Browser Bundle defaults to listening on a random port. See [Tor Project FAQ:TBBSocksPort](https://www.torproject.org/docs/faq.html.en#TBBSocksPort) for how to properly
configure Tor.


1. Run Zcash behind a Tor proxy
-------------------------------

The first step is running Zcash behind a Tor proxy. This will already make all
outgoing connections be anonymized, but more is possible.

	-proxy=ip:port  Set the proxy server. If SOCKS5 is selected (default), this proxy
	                server will be used to try to reach .onion addresses as well.

	-onion=ip:port  Set the proxy server to use for Tor hidden services. You do not
	                need to set this if it's the same as -proxy. You can use -noonion
	                to explicitly disable access to hidden service.

	-listen         When using -proxy, listening is disabled by default. If you want
	                to run a hidden service (see next section), you'll need to enable
	                it explicitly.

	-connect=X      When behind a Tor proxy, you can specify .onion addresses instead
	-addnode=X      of IP addresses or hostnames in these parameters. It requires
	-seednode=X     SOCKS5. In Tor mode, such addresses can also be exchanged with
	                other P2P nodes.

In a typical situation, this suffices to run behind a Tor proxy:

	./zcashd -proxy=127.0.0.1:9050


2. Run a Zcash hidden server
----------------------------

If you configure your Tor system accordingly, it is possible to make your node also
reachable from the Tor network. Add these lines to your /etc/tor/torrc (or equivalent
config file):

	HiddenServiceDir /var/lib/tor/zcash-service/
	HiddenServicePort 8233 127.0.0.1:8233
	HiddenServicePort 18233 127.0.0.1:18233

The directory can be different of course, but (both) port numbers should be equal to
your zcashd's P2P listen port (8233 by default).

	-externalip=X   You can tell Zcash about its publicly reachable address using
	                this option, and this can be a .onion address. Given the above
	                configuration, you can find your onion address in
	                /var/lib/tor/zcash-service/hostname. Onion addresses are given
	                preference for your node to advertize itself with, for connections
	                coming from unroutable addresses (such as 127.0.0.1, where the
	                Tor proxy typically runs).

	-listen         You'll need to enable listening for incoming connections, as this
	                is off by default behind a proxy.

	-discover       When -externalip is specified, no attempt is made to discover local
	                IPv4 or IPv6 addresses. If you want to run a dual stack, reachable
	                from both Tor and IPv4 (or IPv6), you'll need to either pass your
	                other addresses using -externalip, or explicitly enable -discover.
	                Note that both addresses of a dual-stack system may be easily
	                linkable using traffic analysis.

In a typical situation, where you're only reachable via Tor, this should suffice:

	./zcashd -proxy=127.0.0.1:9050 -externalip=zctestseie6wxgio.onion -listen

(obviously, replace the Onion address with your own). If you don't care too much
about hiding your node, and want to be reachable on IPv4 as well, additionally
specify:

	./zcashd ... -discover

and open port 8233 on your firewall (or use -upnp).

If you only want to use Tor to reach onion addresses, but not use it as a proxy
for normal IPv4/IPv6 communication, use:

	./zcashd -onion=127.0.0.1:9050 -externalip=zctestseie6wxgio.onion -discover


3. Connect to a Zcash hidden server
-----------------------------------

To test your set-up, you might want to try connecting via Tor on a different computer to just a
a single Zcash hidden server. Launch zcashd as follows:

	./zcashd -onion=127.0.0.1:9050 -connect=zctestseie6wxgio.onion

Now use zcash-cli to verify there is only a single peer connection.

	zcash-cli getpeerinfo

	[
	    {
	        "id" : 1,
	        "addr" : "zctestseie6wxgio.onion:18233",
	        ...
	        "version" : 170002,
	        "subver" : "/MagicBean:1.0.0/",
	        ...
	    }
	]

To connect to multiple Tor nodes, use:

	./zcashd -onion=127.0.0.1:9050 -addnode=zctestseie6wxgio.onion -dnsseed=0 -onlynet=onion
Commit	Line	Data
fb537854 NW	1	* Warning: Do not assume Tor support does the correct thing in Zcash; better Tor support is a future feature goal. *
fb537854 NW	2
85cc6f5b	3	TOR SUPPORT IN ZCASH
85cc6f5b	4	====================
00a88745	5
85cc6f5b	6	It is possible to run Zcash as a Tor hidden service, and connect to such services.
00a88745	7
	8	The following directions assume you have a Tor proxy running on port 9050. Many distributions default to having a SOCKS proxy listening on port 9050, but others may not. In particular, the Tor Browser Bundle defaults to listening on a random port. See [Tor Project FAQ:TBBSocksPort](https://www.torproject.org/docs/faq.html.en#TBBSocksPort) for how to properly
	9	configure Tor.
	10
	11
85cc6f5b	12	1. Run Zcash behind a Tor proxy
85cc6f5b	13	-------------------------------
00a88745	14
85cc6f5b	15	The first step is running Zcash behind a Tor proxy. This will already make all
5f8be1da	16	outgoing connections be anonymized, but more is possible.
00a88745	17
00a88745	18	-proxy=ip:port Set the proxy server. If SOCKS5 is selected (default), this proxy
00a88745	19	server will be used to try to reach .onion addresses as well.
4fbfebea	20
de9ca8e9	21	-onion=ip:port Set the proxy server to use for Tor hidden services. You do not
102518fd	22	need to set this if it's the same as -proxy. You can use -noonion
00a88745	23	to explicitly disable access to hidden service.
4fbfebea	24
00a88745	25	-listen When using -proxy, listening is disabled by default. If you want
	26	to run a hidden service (see next section), you'll need to enable
	27	it explicitly.
4fbfebea	28
00a88745	29	-connect=X When behind a Tor proxy, you can specify .onion addresses instead
	30	-addnode=X of IP addresses or hostnames in these parameters. It requires
	31	-seednode=X SOCKS5. In Tor mode, such addresses can also be exchanged with
	32	other P2P nodes.
	33
	34	In a typical situation, this suffices to run behind a Tor proxy:
	35
85cc6f5b	36	./zcashd -proxy=127.0.0.1:9050
00a88745	37
00a88745	38
85cc6f5b	39	2. Run a Zcash hidden server
85cc6f5b	40	----------------------------
00a88745	41
	42	If you configure your Tor system accordingly, it is possible to make your node also
	43	reachable from the Tor network. Add these lines to your /etc/tor/torrc (or equivalent
	44	config file):
	45
85cc6f5b	46	HiddenServiceDir /var/lib/tor/zcash-service/
3985a40d JG	47	HiddenServicePort 8233 127.0.0.1:8233
3985a40d JG	48	HiddenServicePort 18233 127.0.0.1:18233
00a88745	49
00a88745	50	The directory can be different of course, but (both) port numbers should be equal to
85cc6f5b	51	your zcashd's P2P listen port (8233 by default).
00a88745	52
85cc6f5b	53	-externalip=X You can tell Zcash about its publicly reachable address using
00a88745	54	this option, and this can be a .onion address. Given the above
00a88745	55	configuration, you can find your onion address in
85cc6f5b	56	/var/lib/tor/zcash-service/hostname. Onion addresses are given
00a88745	57	preference for your node to advertize itself with, for connections
	58	coming from unroutable addresses (such as 127.0.0.1, where the
	59	Tor proxy typically runs).
4fbfebea	60
00a88745	61	-listen You'll need to enable listening for incoming connections, as this
00a88745	62	is off by default behind a proxy.
4fbfebea	63
00a88745	64	-discover When -externalip is specified, no attempt is made to discover local
	65	IPv4 or IPv6 addresses. If you want to run a dual stack, reachable
	66	from both Tor and IPv4 (or IPv6), you'll need to either pass your
	67	other addresses using -externalip, or explicitly enable -discover.
	68	Note that both addresses of a dual-stack system may be easily
	69	linkable using traffic analysis.
	70
	71	In a typical situation, where you're only reachable via Tor, this should suffice:
	72
8908b299	73	./zcashd -proxy=127.0.0.1:9050 -externalip=zctestseie6wxgio.onion -listen
00a88745	74
	75	(obviously, replace the Onion address with your own). If you don't care too much
	76	about hiding your node, and want to be reachable on IPv4 as well, additionally
	77	specify:
	78
85cc6f5b	79	./zcashd ... -discover
00a88745	80
3985a40d	81	and open port 8233 on your firewall (or use -upnp).
00a88745	82
	83	If you only want to use Tor to reach onion addresses, but not use it as a proxy
	84	for normal IPv4/IPv6 communication, use:
	85
8908b299	86	./zcashd -onion=127.0.0.1:9050 -externalip=zctestseie6wxgio.onion -discover
85cc6f5b	87
	88
	89	3. Connect to a Zcash hidden server
	90	-----------------------------------
	91
1f48a340 JG	92	To test your set-up, you might want to try connecting via Tor on a different computer to just a
1f48a340 JG	93	a single Zcash hidden server. Launch zcashd as follows:
85cc6f5b	94
8908b299	95	./zcashd -onion=127.0.0.1:9050 -connect=zctestseie6wxgio.onion
85cc6f5b	96
	97	Now use zcash-cli to verify there is only a single peer connection.
	98
	99	zcash-cli getpeerinfo
5b07ee59	100
85cc6f5b	101	[
	102	{
	103	"id" : 1,
5b07ee59	104	"addr" : "zctestseie6wxgio.onion:18233",
85cc6f5b	105	...
5bd677f5 S	106	"version" : 170002,
5bd677f5 S	107	"subver" : "/MagicBean:1.0.0/",
85cc6f5b	108	...
	109	}
	110	]
1f48a340 JG	111
	112	To connect to multiple Tor nodes, use:
	113
	114	./zcashd -onion=127.0.0.1:9050 -addnode=zctestseie6wxgio.onion -dnsseed=0 -onlynet=onion