Lightning with Tor
Improve your Lightning Network privacy and connectivity with Tor

Overview

This tutorial explains how to install and run Tor with LND. This allows you to connect to the Lightning Network without revealing your IP address and therefore your location. As an added bonus, Lightning nodes on Tor can accept incoming connections from other nodes on Tor even if they are behind one or more routers and do not have a publicly-accessible IP address.
Note that your privacy can be compromised if you do not also connect your backend node—bitcoind or btcd—to Tor. bitcoind will automatically seek out a Tor connection with a default configuration, but btcd requires some configuration.

Install Tor

Linux
$ sudo apt install tor
OSX
$ brew install tor
Verify installation
$ tor --version
Add Tor Configuration to torrc
  • Linux: /etc/tor/torrc
  • OSX: /usr/local/etc/tor/torrc
SOCKSPort 9050
Log notice stdout
ControlPort 9051
CookieAuthentication 1

Run Tor

On any platform, this will work:
$ tor
If you are on Ubuntu or Arch Linux and you use systemctl:
sudo systemctl enable tor.service
sudo systemctl start tor.service
sudo systemctl status tor.service

Configuring Your Node

LND with Tor

Enable LND to connect to Tor:
  • tor.active allows LND to route through Tor
  • tor.v3 sets up a v3 onion service
  • tor.streamisolation will create a new circuit for each connection
  • listen to localhost to prevent unintentional leaking of identifying information
$ lnd --tor.active --tor.v3 --listen=localhost --tor.streamisolation
or update your lnd.conf:
[Tor]
tor.active=true
tor.v3=true
tor.streamisolation=true
listen=localhost
Linux Permissions Issues
If you are on Ubuntu or Arch Linux, you may encounter a "cookie authentication error" when LND attempts to connect to Tor:
2019-02-18 01:23:27.503 [ERR] SRVR: unable to start server: unable to retrieve authentication cookie: open /var/lib/tor/control_auth_cookie: permission denied
You will need to make it possible for your user that runs LND to access the control cookie.
Check and see what user is running Tor:
ps aux | grep tor
Now see what the permissions are on the control cookie listed in the error:
ls -lA /path/to/tor/cookie
Debian and Ubuntu
Debian and Ubuntu's Tor control cookie is in /var/run/tor/control.authcookie and is readable by the debian-tor user and group. If you run LND with your regular user, try adding your regular user to the debian-tor group:
sudo usermod -a -G debian-tor yourusername
Log out and log back in again or run sudo su - yourusername to update your groups, then try running LND again and see if it can connect to Tor.
Arch Linux
Arch Linux's Tor control cookie is in /var/lib/tor/control_auth_cookie and is only readable by the tor user. One option is to add your user to the tor group and change the permissions on the directory to make it readable by members of the tor group:
sudo usermod -a -G tor yourusername
sudo chmod 750 /var/lib/tor
sudo chmod 740 /var/lib/tor/control_auth_cookie
Tor for multi-LND systems
If you want to run multiple instances of LND simultaneously on the same machine and have them use different Tor Hidden Service addresses, add this to lnd.conf (a new private key will automatically be created if the file specified here does not exist):
tor.privatekeypath=<yourpath>/v3_onion_private_key
Broadcasting Tor Address and Public IP
You can connect to Tor and also broadcast a public IP address so that your node can serve as a gateway between the Tor and public networks. THIS DOES NOT PROVIDE YOU WITH ANY OF TOR'S PRIVACY ADVANTAGES. To do this, modify your lnd.conf:
listen=localhost:<your port, default 9735>
externalip=<your public IP or domain name>:<your port, default 9735>
You will then need to configure a reverse proxy from that externalip address and port to localhost at the port specified in listen.
If you are running a version of LND newer than this addition, skip the reverse proxy and use this in your lnd.conf:
listen=localhost:<your port, default 9735>
externalip=<your public IP or domain name>:<your port, default 9735>
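An added example (not from the original tutorial or the LND project): a small Python audit of lnd.conf text that reports settings departing from the Tor-only configuration above, including any externalip entry. The function names and both sample configs are constructed here, and it assumes boolean options are written as true or 1.

```python
def parse_lnd_conf(text: str) -> dict:
    """Parse lnd.conf text into {key: [values]}; keys may repeat (e.g. listen)."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[":
            continue  # blank line, comment, or [Section] header
        key, _, value = line.partition("=")
        options.setdefault(key.strip().lower(), []).append(value.strip())
    return options

def _enabled(options: dict, key: str) -> bool:
    # Assumption: a boolean option is on when its last value is "true" or "1".
    values = options.get(key, [])
    return bool(values) and values[-1].lower() in ("true", "1")

def audit_tor_settings(text: str) -> list:
    """Return findings for settings that weaken the Tor setup described above."""
    options = parse_lnd_conf(text)
    findings = []
    for key in ("tor.active", "tor.v3", "tor.streamisolation"):
        if not _enabled(options, key):
            findings.append(f"{key} is not enabled")
    listens = options.get("listen", [])
    if not listens:
        findings.append("listen is not set to localhost")
    for value in listens:
        host = value.rsplit(":", 1)[0] if ":" in value else value
        if host not in ("localhost", "127.0.0.1"):
            findings.append(f"listen={value} is not bound to localhost")
    for value in options.get("externalip", []):
        findings.append(f"externalip={value} advertises a clearnet address")
    return findings

# Constructed inputs: the tutorial's Tor-only settings, and the gateway variant.
TOR_ONLY = """[Tor]
tor.active=true
tor.v3=true
tor.streamisolation=true
listen=localhost
"""
GATEWAY = TOR_ONLY.replace("listen=localhost", "listen=localhost:9735") \
    + "externalip=203.0.113.7:9735\n"

if __name__ == "__main__":
    for name, conf in (("tor-only", TOR_ONLY), ("gateway", GATEWAY)):
        print(name, audit_tor_settings(conf) or "no findings")
```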
Verifying LND success
You have LND configured correctly when you see this message when LND starts:
2019-02-18 05:34:47.906 [INF] SRVR: Proxying all network traffic via Tor (stream_isolation=true)! NOTE: Ensure the backend node is proxying over Tor as well
Verify LND Node Information
Get your public key
$ lncli getinfo | grep identity_pubkey

"identity_pubkey": "0346095e50ed1f8cf4dbda1fca442cd2ebccf082912e33c1c2e19868f1f56a190a",
Get node information about your public key
$ lncli getnodeinfo 0346095e50ed1f8cf4dbda1fca442cd2ebccf082912e33c1c2e19868f1f56a190a

{
    "node": {
        "last_update": 1548783346,
        "pub_key": "0346095e50ed1f8cf4dbda1fca442cd2ebccf082912e33c1c2e19868f1f56a190a",
        "alias": "0346095e50ed1f8cf4db",
        "addresses": [
            {
                "network": "tcp",
                "addr": "b53ztxul4vdcktgcgmvcvgjigi2vq2hy4ah6wg7frqpiiesdoxozx3ad.onion:9735"
            }
        ],
        "color": "#3399ff"
    },
    "num_channels": 7,
    "total_capacity": "11732911"
}
Verify that your addr is an onion address (ending in '.onion' as above).
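An added example (not part of the original tutorial or of LND): a Python check that takes `lncli getnodeinfo` JSON and lists every advertised address that is not a valid v3 onion name, checking the version byte and checksum from Tor's v3 address encoding rather than only the '.onion' suffix. The function names, the key bytes behind the sample onion name and the 203.0.113.7 address are constructed for illustration.

```python
import base64
import hashlib
import json

def _checksum(pubkey: bytes) -> bytes:
    # Tor v3 encoding: SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
    return hashlib.sha3_256(b".onion checksum" + pubkey + b"\x03").digest()[:2]

def make_v3_onion(pubkey: bytes) -> str:
    """Encode a 32-byte public key as a v3 onion hostname (used for sample data)."""
    raw = pubkey + _checksum(pubkey) + b"\x03"
    return base64.b32encode(raw).decode().lower() + ".onion"

def is_v3_onion(host: str) -> bool:
    """True only for a 56-character v3 onion name with version 3 and a valid checksum."""
    label, _, tld = host.lower().rpartition(".")
    if tld != "onion" or len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:  # characters outside the base32 alphabet
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == b"\x03" and checksum == _checksum(pubkey)

def clearnet_addresses(getnodeinfo_json: str) -> list:
    """Return every advertised address whose host is not a valid v3 onion name."""
    node = json.loads(getnodeinfo_json)["node"]
    leaks = []
    for entry in node.get("addresses", []):
        host = entry["addr"].rsplit(":", 1)[0]
        if not is_v3_onion(host):
            leaks.append(entry["addr"])
    return leaks

# Constructed sample shaped like the getnodeinfo output above, with one
# onion address and one clearnet address that should be reported.
ONION = make_v3_onion(bytes(range(32)))
SAMPLE = json.dumps({"node": {"addresses": [
    {"network": "tcp", "addr": ONION + ":9735"},
    {"network": "tcp", "addr": "203.0.113.7:9735"},
]}})

if __name__ == "__main__":
    print("non-onion addresses:", clearnet_addresses(SAMPLE))
```

To audit a live node, pass the output of `lncli getnodeinfo <pubkey>` to `clearnet_addresses`; an empty list means only onion addresses are being advertised.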

BTCD with Tor

Setup is not as self-explanatory as LND, so read the official Tor guide for BTCD:
btcd/configuring_tor.md at master · btcsuite/btcd (GitHub)
It looks like BTCD does not support v3 onion services:
TOR: Add support for prop224 · Issue #1070 · btcsuite/btcd (GitHub)
If you're a Golang person, submit a PR!

Connect to Tor Nodes

Connecting to a Tor node is the same as connecting to any other node: pubkey@host:port
Example:
lncli connect 0346095e50ed1f8cf4dbda1fca442cd2ebccf082912e33c1c2e19868f1f56a190a@b53ztxul4vdcktgcgmvcvgjigi2vq2hy4ah6wg7frqpiiesdoxozx3ad.onion:9735
lncli openchannel --node_key 0346095e50ed1f8cf4dbda1fca442cd2ebccf082912e33c1c2e19868f1f56a190a --local_amt 20000
Alternatively:
lncli openchannel --node_key 0346095e50ed1f8cf4dbda1fca442cd2ebccf082912e33c1c2e19868f1f56a190a --connect b53ztxul4vdcktgcgmvcvgjigi2vq2hy4ah6wg7frqpiiesdoxozx3ad.onion:9735 --local_amt 20000
Looking for Tor nodes to connect to? 1ML has a filter for that:
Lightning Nodes - Top Capacity - Tor Onion Service | 1ML - Lightning Network Search and Analysis Engine - Bitcoin mainnet

Reference

Last modified 2yr ago