|
@ -1,54 +1,54 @@ |
|
|
# Setting up TOR with c-lightning |
|
|
# Setting up TOR with c-lightning |
|
|
|
|
|
|
|
|
to use tor you have to have tor installed an running. |
|
|
To use any Tor features with c-lightning you must have Tor installed and running. |
|
|
|
|
|
|
|
|
```bash |
|
|
```bash |
|
|
sudo apt install tor |
|
|
sudo apt install tor |
|
|
``` |
|
|
``` |
|
|
then `/etc/init.d/tor start` or `sudo systemctl start tor` Depending |
|
|
then `/etc/init.d/tor start` or `sudo systemctl start tor` depending |
|
|
on your system configuration. |
|
|
on your system configuration. |
|
|
|
|
|
|
|
|
If new to tor you might not change the default setting. |
|
|
Most default setting should be sufficient. |
|
|
|
|
|
|
|
|
To keep The safe default with minimal harassment (See [Tor FAQ]) |
|
|
To keep a safe configuration for minimal harassment (See [Tor FAQ]) |
|
|
just check that this line is present in the file: |
|
|
just check that this line is present in the Tor config file `/etc/tor/torrc`: |
|
|
|
|
|
|
|
|
`ExitPolicy reject *:* # no exits allowed` |
|
|
`ExitPolicy reject *:* # no exits allowed` |
|
|
|
|
|
|
|
|
this does not affect c-lightning connect, listen, etc.. |
|
|
This does not affect c-lightning connect, listen, etc.. |
|
|
It will only prevent that you become a full exitpoint. |
|
|
It will only prevent your node from becoming a Tor exit node. |
|
|
Only enable this if you are sure about the implications. |
|
|
Only enable this if you are sure about the implications. |
|
|
|
|
|
|
|
|
If we don't want to create .onion addresses this should be enough. |
|
|
If you don't want to create .onion addresses this should be enough. |
|
|
|
|
|
|
|
|
There are several way by which a c-lightning node can accept or make connections over Tor. |
|
|
There are several ways by which a c-lightning node can accept or make connections over Tor. |
|
|
|
|
|
|
|
|
The node can be reached over Tor by connecting to its .onion address. |
|
|
The node can be reached over Tor by connecting to its .onion address. |
|
|
|
|
|
|
|
|
To provide the node with a .onion address is possible to: |
|
|
To provide the node with a .onion address you can: |
|
|
|
|
|
|
|
|
* create a **non-persistent** address with an auto service or |
|
|
* create a **non-persistent** address with an auto service or |
|
|
|
|
|
|
|
|
* create a **persistent** address with an hidden service. |
|
|
* create a **persistent** address with a hidden service. |
|
|
|
|
|
|
|
|
#### Creation of an auto service for non-persistent .onion addresses |
|
|
#### Creation of an auto service for non-persistent .onion addresses |
|
|
|
|
|
|
|
|
To provide the node a non-persistent .onion address |
|
|
To provide the node a non-persistent .onion address it |
|
|
is necessary to access the Tor auto service. These types of addresses change |
|
|
is necessary to access the Tor auto service. These types of addresses change |
|
|
each time the Tor service is restarted. |
|
|
each time the Tor service is restarted. |
|
|
|
|
|
|
|
|
*NOTE:If the node is required to be reachable only by **persistent** .onion addresses, this |
|
|
*NOTE:If the node is required to be reachable only by **persistent** .onion addresses, this |
|
|
part can be skipped and it is necessary to set up an hidden service with the steps |
|
|
part can be skipped and it is necessary to set up a hidden service with the steps |
|
|
outlined in the next section.* |
|
|
outlined in the next section.* |
|
|
|
|
|
|
|
|
To create and use the auto service follow this steps: |
|
|
To create and use the auto service follow these steps: |
|
|
|
|
|
|
|
|
Edit the Tor config file `/etc/tor/torrc` |
|
|
Edit the Tor config file `/etc/tor/torrc` |
|
|
|
|
|
|
|
|
You can configure the service authenticated by cookie or by password: |
|
|
You can configure the service authenticated by cookie or by password: |
|
|
|
|
|
|
|
|
##### Service authenticated by cookie |
|
|
##### Service authenticated by cookie |
|
|
We add the following lines in the `/etc/tor/torrc` file: |
|
|
Add the following lines in the `/etc/tor/torrc` file: |
|
|
|
|
|
|
|
|
```` |
|
|
```` |
|
|
ControlPort 9051 |
|
|
ControlPort 9051 |
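Review bot: the unchanged sentence "Only enable this if you are sure about the implications." (right after "It will only prevent your node from becoming a Tor exit node.") still contradicts the instruction a few lines above to check that `ExitPolicy reject *:* # no exits allowed` is present: as written, "this" reads as the reject line itself, but the thing that needs caution is removing it and allowing exits. Suggest "Only remove this line, allowing exits, if you are sure about the implications." It would also help to say that `ExitPolicy` is only consulted when the instance is configured as a relay (`ORPort` set), so a client-only Tor never acts as an exit regardless of this line. The new wording "for minimal harassment" is no clearer than the old "with minimal harassment"; spell out what is meant (abuse complaints that exit relays attract). In the cookie section, `CookieAuthFileGroupReadable 1` alone is not enough for lightningd to read the cookie; say that the user running lightningd must be in the group that owns the cookie file. Style: the cookie block opens with a four-backtick fence (````) while the `apt` block above uses three; pick one.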
|
@ -58,13 +58,14 @@ CookieAuthFileGroupReadable 1 |
|
|
|
|
|
|
|
|
##### Service authenticated by password |
|
|
##### Service authenticated by password |
|
|
|
|
|
|
|
|
In alternative to the CookieFile authentication. you can set the authentication |
|
|
Alternatively, you can set the authentication |
|
|
to the service with a password by following theses steps: |
|
|
to the service with a password by following these steps: |
|
|
|
|
|
|
|
|
1. Create an hash of your password with |
|
|
1. Create a hash of your password with |
|
|
``` |
|
|
``` |
|
|
tor --hash-password yourpassword |
|
|
tor --hash-password yourpassword |
|
|
``` |
|
|
``` |
|
|
|
|
|
|
|
|
This returns a line like |
|
|
This returns a line like |
|
|
|
|
|
|
|
|
`16:533E3963988E038560A8C4EE6BBEE8DB106B38F9C8A7F81FE38D2A3B1F` |
|
|
`16:533E3963988E038560A8C4EE6BBEE8DB106B38F9C8A7F81FE38D2A3B1F` |
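Review bot: `tor --hash-password yourpassword` leaves the plaintext password in the shell history and, while it runs, in the process list; add a sentence telling the reader to remove it from the history afterwards. Also say that the output is salted, so the reader's hash will differ from the `16:533E...` example shown; otherwise people copy the example line into `torrc` verbatim. Wording: "Alternatively, you can set the authentication to the service with a password" leaves "to the service" dangling; "Alternatively, you can authenticate to the control port with a password" says what is meant. The numbered list starts at "1." here but the hunk shows no further steps before the config snippet; either number the "add these lines to torrc" part as step 2 or drop the numbering.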
|
@ -74,39 +75,39 @@ This returns a line like |
|
|
ControlPort 9051 |
|
|
ControlPort 9051 |
|
|
HashedControlPassword 16:533E3963988E038560A8C4EE6BBEE8DB106B38F9C8A7F81FE38D2A3B1F |
|
|
HashedControlPassword 16:533E3963988E038560A8C4EE6BBEE8DB106B38F9C8A7F81FE38D2A3B1F |
|
|
```` |
|
|
```` |
|
|
Save the file. |
|
|
|
|
|
|
|
|
|
|
|
To activate these changes: |
|
|
Save the file and restart the Tor service. In linux: |
|
|
|
|
|
|
|
|
`/etc/init.d/tor restart` |
|
|
`/etc/init.d/tor restart` or `sudo systemctl start tor` depending |
|
|
|
|
|
on the configuration of your system. |
|
|
|
|
|
|
|
|
The auto service will be used by adding `--addr=autotor:127.0.0.1:9051` if we |
|
|
The auto service is used by adding `--addr=autotor:127.0.0.1:9051` if you |
|
|
want the address to be public or `--bind-addr=autotor:127.0.0.1:9051` if we |
|
|
want the address to be public or `--bind-addr=autotor:127.0.0.1:9051` if you |
|
|
don't want to publish it. |
|
|
don't want to publish it. |
|
|
|
|
|
|
|
|
In the case the auto service is authenticated through the password, it will |
|
|
In the case where the auto service is authenticated through a password, it will |
|
|
be necessary to add the option `--tor-service-password=yourpassword` (not the hash). |
|
|
be necessary to add the option `--tor-service-password=yourpassword` (not the hash). |
|
|
|
|
|
|
|
|
The created non-persistent .onion address wil be shown by the `lightning-cli getinfo`command. |
|
|
The created non-persistent .onion address wil be shown by the `lightning-cli getinfo`command. |
|
|
The others nodes will be able to `connect` to this .onion address through the |
|
|
The others nodes will be able to `connect` to this .onion address through the |
|
|
9735 port. |
|
|
9735 port. |
|
|
|
|
|
|
|
|
#### Creation of an hidden service for a persistent .onion address |
|
|
#### Creation of a hidden service for a persistent .onion address |
|
|
|
|
|
|
|
|
To have a persistent .onion address other nodes can connect to, it |
|
|
To have a persistent .onion address other nodes can connect to, it |
|
|
is necessary to set up a [Tor Hidden Service]. |
|
|
is necessary to set up a [Tor Hidden Service]. |
|
|
|
|
|
|
|
|
*NOTE: In the case only non-persistent addresses are required, |
|
|
*NOTE: In the case where only non-persistent addresses are required, |
|
|
you don't have to create the hidden service and you can skip this part.* |
|
|
you don't have to create the hidden service and you can skip this part.* |
|
|
|
|
|
|
|
|
To do that we will add these lines in the `/etc/tor/torrc`file: |
|
|
Add these lines in the `/etc/tor/torrc` file: |
|
|
|
|
|
|
|
|
```` |
|
|
```` |
|
|
HiddenServiceDir /var/lib/tor/lightningd-service_v2/ |
|
|
HiddenServiceDir /var/lib/tor/lightningd-service_v2/ |
|
|
HiddenServicePort 1234 127.0.0.1:9735 |
|
|
HiddenServicePort 1234 127.0.0.1:9735 |
|
|
```` |
|
|
```` |
|
|
|
|
|
|
|
|
If we want to create a version 3 address, we will add also `HiddenServiceVersion 3` so |
|
|
If you want to create a version 3 address, you must also add `HiddenServiceVersion 3` so |
|
|
the whole section will be: |
|
|
the whole section will be: |
|
|
|
|
|
|
|
|
```` |
|
|
```` |
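Review bot: the new restart line "`/etc/init.d/tor restart` or `sudo systemctl start tor` depending on the configuration of your system" mixes a restart with a start: when Tor is already running, `systemctl start tor` is a no-op and the new `ControlPort` / `HashedControlPassword` settings never take effect. Use `sudo systemctl restart tor` (or `sudo systemctl reload tor`, which sends SIGHUP to re-read `torrc`). Further down, `--tor-service-password=yourpassword` on the lightningd command line exposes the password in `ps` output and shell history; lightningd accepts the same option in its config file, which avoids that. Unchanged typos worth fixing while here: "wil be shown", the missing space in "`lightning-cli getinfo`command", "The others nodes" (should be "Other nodes"), and "through the 9735 port" (should be "on port 9735"). The `HiddenServicePort 1234 127.0.0.1:9735` example exposes virtual port 1234, whereas the auto-service paragraph says peers connect on 9735; make explicit that with this hidden service peers connect to `<onion>:1234`. The hidden-service blocks also use four-backtick fences while the rest of the file uses three.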
|
@ -127,16 +128,16 @@ on the configuration of your system. |
|
|
You will find the newly created address with: |
|
|
You will find the newly created address with: |
|
|
|
|
|
|
|
|
``` |
|
|
``` |
|
|
sudo cat /var/lib/tor/var/lib/tor/lightningd-service_v2/hostname |
|
|
sudo cat /var/lib/tor/lightningd-service_v2/hostname |
|
|
``` |
|
|
``` |
|
|
or |
|
|
or |
|
|
``` |
|
|
``` |
|
|
sudo cat /var/lib/tor/var/lib/tor/lightningd-service_v3/hostname |
|
|
sudo cat /var/lib/tor/lightningd-service_v3/hostname |
|
|
``` |
|
|
``` |
|
|
in the |
|
|
in the |
|
|
case of a version 3 Tor address. |
|
|
case of a version 3 Tor address. |
|
|
|
|
|
|
|
|
Now we are able to create: |
|
|
Now you are able to create: |
|
|
|
|
|
|
|
|
* Non-persistent version 2 .onion address via auto service (temp-v2) |
|
|
* Non-persistent version 2 .onion address via auto service (temp-v2) |
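Review bot: the path fix (`/var/lib/tor/var/lib/tor/...` to `/var/lib/tor/lightningd-service_v2/hostname`) is correct, but the sentence around it is still split across a code block: "or ``` ... ``` in the case of a version 3 Tor address." Move the qualifier in front of the second block ("or, for a version 3 address:"). Say why `sudo` is needed: Tor creates the directory and the `hostname` file when it restarts, owned by the Tor user with restrictive permissions. Also check consistency: this hunk reads `/var/lib/tor/lightningd-service_v3/hostname`, while the only `HiddenServiceDir` shown earlier is `lightningd-service_v2`; the version 3 block must use `HiddenServiceDir /var/lib/tor/lightningd-service_v3/` for that file to exist.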
|
|
|
|
|
|
|
|