<span class=nb>HiddenServicePort</span> <span class=m>18081</span> <span class=m>127.0.0.1</span>:18081 # interface for wallet (<span class=s2>"RPC"</span>)
<span class=nb>HiddenServicePort</span> <span class=m>18083</span> <span class=m>127.0.0.1</span>:18083 # interface for P2P network (anonymous-inbound)
</code></pre></div><details class=info><summary>How do Tor onion services work?</summary><p>The <code>tor</code> daemon simply forwards traffic arriving on a virtual onion port to a real port on localhost where some service is listening (here, <code>monerod</code>). One onion address can offer several services on different virtual ports; we use that to expose both the P2P and the RPC interface of <code>monerod</code> on a single onion. A single server or IP address could also host any number of onion addresses, but we won't need that here.</p></details><h2 id=install-monero>Install Monero<a class=headerlink href=#install-monero title="Permanent link">¶</a></h2><p>Create the <code>monero</code> user and group: <code>useradd --system monero</code>. A system account gets no password and no home directory; if your distribution gives system users an interactive default shell, add <code>--shell /usr/sbin/nologin</code> so nobody can log in as it.</p><p>Create the monero <strong>binaries</strong> directory (empty for now): <code>mkdir -p /opt/monero</code> and <code>chown -R monero:monero /opt/monero</code>. Owning the binaries by the service account is convenient for upgrades, but it means a compromised <code>monerod</code> could overwrite its own executable; leaving <code>/opt/monero</code> owned by <code>root</code> with read and execute permission for others is the stricter choice.</p><p>Create the monero <strong>data</strong> directory: <code>mkdir -p /srv/monero</code> and <code>chown -R monero:monero /srv/monero</code></p><p>Create the monero <strong>log</strong> directory: <code>mkdir -p /var/log/monero</code> and <code>chown -R monero:monero /var/log/monero</code></p><p>Feel free to adjust the above to your own conventions; just remember to change the paths in the configuration and unit file accordingly.</p><p><a href=/interacting/download-monero-binaries/>Download</a> and <a href=/interacting/verify-monero-binaries/>verify</a> the release archive. Do not skip verification: the binaries will run as a long-lived, internet-facing service, and a tampered archive is the cheapest way for an attacker onto your node.</p><p>Extract it: <code>tar -xf monero-linux-x64-v0.17.1.9.tar.bz2</code> (adjust the filename to your version).</p><p>Move the binaries to <code>/opt/monero/</code> with <code>mv monero-x86_64-linux-gnu-v0.17.1.9/* /opt/monero/</code>, then <code>chown -R monero:monero /opt/monero</code></p><p>Create <code>/etc/monero.conf</code> as shown below and <strong>paste your values in the placeholders</strong>.</p><p>Create <code>/etc/systemd/system/monero.service</code> as shown below.</p><p>Enable the monero service with <code>systemctl enable monero</code> and (re)start it with
<code>systemctl restart monero</code></p><p>Verify it is up: <code>systemctl status monero</code></p><p>Verify it is working as intended: <code>tail -n100 /var/log/monero/monero.log</code> (look for sync progress and the absence of bind or permission errors; with <code>log-level=0</code> individual peers are not logged).</p><h3 id=etcmoneroconf>/etc/monero.conf<a class=headerlink href=#etcmoneroconf title="Permanent link">¶</a></h3><p>This is just an example configuration and it is by no means authoritative. Feel free to modify it; see the <a href=/interacting/monerod-reference>monerod reference</a>.</p><p>Modify the paths if you changed them.</p><p>Print your onion address with <code>cat /var/lib/tor/monero/hostname</code> and paste it into the <code>anonymous-inbound</code> option, whose value has the form <code>&lt;onion&gt;:18083,127.0.0.1:18083</code> (the onion port tor advertises, then the local port it forwards to, matching the <code>HiddenServicePort</code> line in <code>torrc</code>). That file is written by <code>tor</code> the first time it starts with the hidden service directory configured, so start <code>tor</code> before you finish this file.</p><div class=highlight><pre><span></span><code><span class=c1># /etc/monero.conf</span>
<span class=c1># </span>
<span class=c1># Configuration file for monerod. For all available options see the MoneroDocs:</span>
<span class=c1># prune-blockchain=1</span> <span class=c1># Pruning saves about 2/3 of disk space without degrading functionality, but a pruned node contributes less to the network</span>
<span class=c1># sync-pruned-blocks=1 # Allow downloading pruned blocks instead of pruning them yourself</span>
<span class="l l-Scalar l-Scalar-Plain">log-level=0</span> <span class=c1># Minimal logs; WILL NOT log peers or wallets connecting</span>
<span class="l l-Scalar l-Scalar-Plain">max-log-file-size=2147483648</span> <span class=c1># Set to 2GB to stop monerod trimming the log itself; configure logrotate instead</span>
<span class="l l-Scalar l-Scalar-Plain">public-node=1</span> <span class=c1># Advertise to other users that they can point their wallets at this node as a remote node</span>
<span class="l l-Scalar l-Scalar-Plain">confirm-external-bind=1</span> <span class=c1># Open Node (confirm that binding RPC to a public interface is intended)</span>
<span class="l l-Scalar l-Scalar-Plain">rpc-bind-ip=0.0.0.0</span> <span class=c1># Bind to all interfaces (the Open Node)</span>
<span class="l l-Scalar l-Scalar-Plain">rpc-bind-port=18081</span> <span class=c1># Bind to the default port (the Open Node)</span>
<span class="l l-Scalar l-Scalar-Plain">restricted-rpc=1</span> <span class=c1># Obligatory for an Open Node: hides privileged methods (mining control, peer bans, node shutdown) from remote clients</span>
<span class="l l-Scalar l-Scalar-Plain">no-igd=1</span> <span class=c1># Disable UPnP port mapping; the ports are opened on the firewall explicitly below</span>
<span class="l l-Scalar l-Scalar-Plain">no-zmq=1</span> <span class=c1># Disable the ZMQ RPC server (default port 18082) to decrease attack surface; it is not used here</span>
<span class="l l-Scalar l-Scalar-Plain">rpc-ssl=autodetect</span> <span class=c1># Use TLS if the client wallet supports it (the default behaviour); the certificate is generated on the fly at every restart, so clients cannot pin it</span>
<span class="l l-Scalar l-Scalar-Plain">max-txpool-weight=268435456</span> <span class=c1># Maximum size of the unconfirmed transaction pool in bytes (here 256MB, default ~618MB)</span>
<span class="l l-Scalar l-Scalar-Plain">out-peers=64</span> <span class=c1># Much faster sync and tx awareness; the default 8 is suboptimal nowadays</span>
<span class="l l-Scalar l-Scalar-Plain">in-peers=64</span> <span class=c1># The default is unlimited; we prefer a cap</span>
<span class="l l-Scalar l-Scalar-Plain">limit-rate-up=1048576</span> <span class=c1># 1048576 kB/s == 1 GiB/s, raised from the default 2048 kB/s to contribute more to the P2P network; lower it on a metered link</span>
<span class="l l-Scalar l-Scalar-Plain">limit-rate-down=1048576</span> <span class=c1># 1048576 kB/s == 1 GiB/s, raised from the default 8192 kB/s to allow a faster initial sync</span>
<span class=c1># Tor: add P2P seed nodes on the Tor network (outbound .onion connections go through the SOCKS proxy given by tx-proxy)</span>
<span class="l l-Scalar l-Scalar-Plain">add-peer=rno75kjcw3ein6i446sqby2xkyqjarb75oq36ah6c2mribyklzhurpyd.onion:28083</span> <span class=c1># mainnet despite the unusual port, according to a reddit report</span>
<span class="l l-Scalar l-Scalar-Plain">add-peer=sqzrokz36lgkng2i2nlzgzns2ugcxqosflygsxbkybb4xn6gq3ouugqd.onion:18083</span> <span class=c1># very flaky; works about one time in three</span>
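</code></pre></div><p>The install and verification steps above, gathered into one script, as an added example; it is not code from this page or from the Monero project. It follows the page's paths and version string and assumes a hypothetical file name <code>monero-node.sh</code>, tor's default SocksPort <code>127.0.0.1:9050</code>, and placeholder values for <code>VERSION</code> and <code>EXPECTED_SHA256</code> (the all-zero hash is not a real Monero hash; take the real one from the signed hashes file). Besides running the steps, it prints the two tor-related <code>monerod</code> options in the form <code>monerod</code> accepts (<code>anonymous-inbound</code> and <code>tx-proxy</code>; the connection caps 64 and 10 are this example's choices) and checks a listener table, constructed here rather than captured from a real host, so that nothing except SSH and the two clearnet Monero ports is bound to a non-loopback address.</p>

```shell
#!/bin/sh
# monero-node.sh (hypothetical name): the install steps from this page as one
# script, plus checks to run afterwards. Added example, not from MoneroDocs.
# Paths and directory layout follow the page; VERSION and EXPECTED_SHA256 are
# placeholders you fill in yourself (the zero hash below is NOT a real value).
set -u

VERSION="v0.17.1.9"                                  # adjust to the release you downloaded
TARBALL="monero-linux-x64-${VERSION}.tar.bz2"
EXPECTED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"
PUBLIC_PORTS="22 18080 18081"                        # SSH, clearnet P2P, restricted RPC; nothing else faces the internet
TOR_HOSTNAME_FILE="/var/lib/tor/monero/hostname"     # written by tor for the hidden service directory on this page
TOR_SOCKS="127.0.0.1:9050"                           # assumption: tor's default SocksPort

# SHA-256 of a file (sha256sum on Linux, shasum on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | awk '{print $1}'
}

# Compare a downloaded file against the hash taken from the signed hashes file
# (see the verify page linked above). Returns 0 on match, 1 otherwise.
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Print the two monerod options that tie the node to tor: accept inbound P2P on
# the onion (virtual port 18083 -> local 18083, as in torrc) and send this
# node's own transactions, and reach .onion peers, through tor's SOCKS proxy.
# The connection caps (64, 10) are this example's choices, not values from the page.
tor_options() {
    onion=$(head -n1 "$1")
    printf 'anonymous-inbound=%s:18083,127.0.0.1:18083,64\n' "$onion"
    printf 'tx-proxy=tor,%s,10\n' "$TOR_SOCKS"
}

# Read 'netstat -lnt' or 'ss -Hlnt' output on stdin (the local address is
# field 4 in both) and fail if any socket other than PUBLIC_PORTS is bound to a
# non-loopback address. Loopback binds are expected: tor hands onion traffic to
# monerod on 127.0.0.1:18083, and the onion's 18081 is the same RPC socket.
check_listeners() {
    unexpected=$(awk -v allowed="$PUBLIC_PORTS" '
        BEGIN { n = split(allowed, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        $4 ~ /:[0-9]+$/ {
            n = split($4, a, ":"); port = a[n]
            host = substr($4, 1, length($4) - length(port) - 1)
            if (host == "127.0.0.1" || host == "[::1]" || host == "::1") next   # loopback only
            if (port in ok) next                                              # intentionally public
            print $4
        }')
    if [ -n "$unexpected" ]; then
        printf 'unexpected listener(s):\n%s\n' "$unexpected" >&2
        return 1
    fi
    return 0
}

# The page's install steps, in order, as root. Aborts before touching the
# system if the tarball does not match EXPECTED_SHA256.
install_monero() {
    case "$EXPECTED_SHA256" in 0000*) echo "fill in EXPECTED_SHA256 first" >&2; return 1 ;; esac
    verify_sha256 "$TARBALL" "$EXPECTED_SHA256" || { echo "hash mismatch, aborting" >&2; return 1; }
    useradd --system --shell /usr/sbin/nologin monero 2>/dev/null || true   # --shell is added hardening; no-op on re-run
    mkdir -p /opt/monero /srv/monero /var/log/monero
    tar -xf "$TARBALL"
    mv "monero-x86_64-linux-gnu-${VERSION}"/* /opt/monero/
    chown -R monero:monero /opt/monero /srv/monero /var/log/monero       # as on the page; root-owned /opt/monero is stricter
    tor_options "$TOR_HOSTNAME_FILE"     # paste these two lines into /etc/monero.conf
    echo "now write /etc/monero.conf and monero.service, then: systemctl enable monero && systemctl restart monero"
}

# Constructed sample of 'netstat -lnt' output for a correctly configured node
# (not captured from a real host): clearnet P2P/RPC, loopback-only tor P2P
# port, tor's SOCKS port, and SSH.
SAMPLE_OK='tcp 0 0 0.0.0.0:18080 0.0.0.0:* LISTEN 1234/monerod
tcp 0 0 0.0.0.0:18081 0.0.0.0:* LISTEN 1234/monerod
tcp 0 0 127.0.0.1:18083 0.0.0.0:* LISTEN 1234/monerod
tcp 0 0 127.0.0.1:9050 0.0.0.0:* LISTEN 987/tor
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 456/sshd'
# Same host with the ZMQ port (18082) exposed, i.e. no-zmq=1 missing: must fail.
SAMPLE_BAD="$SAMPLE_OK
tcp 0 0 0.0.0.0:18082 0.0.0.0:* LISTEN 1234/monerod"

case "${1:-}" in
    install) install_monero ;;
    check)   check_listeners ;;      # usage: sudo netstat -lnt | sh monero-node.sh check
    demo)    printf '%s\n' "$SAMPLE_OK" | check_listeners && echo "sample: ok"
             printf '%s\n' "$SAMPLE_BAD" | check_listeners || echo "sample: flagged 18082 as expected" ;;
esac
```

<p><code>sh monero-node.sh demo</code> runs the listener check against the embedded samples. After installing, feed the real listener table to it; it exits non-zero and names any socket that is exposed but should not be:</p><div class=highlight><pre><span></span><code>sudo netstat -lnt | sh monero-node.sh check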
</code></pre></div><h2 id=open-firewall-ports>Open firewall ports<a class=headerlink href=#open-firewall-ports title="Permanent link">¶</a></h2><p>If you use a firewall (and you should), open ports <code>18080</code> and <code>18081</code> for incoming TCP connections. These carry the incoming <strong>clearnet</strong> connections, P2P and restricted RPC respectively. Do not open anything else for Monero: <code>18083</code> (the Tor P2P port) and <code>18082</code> (ZMQ, disabled above) must stay reachable from localhost only.</p><p>You <strong>do not</strong> need to open any ports for Tor. Onion services use virtual ports, and the <code>tor</code> daemon reaches the Tor network through connections it opens itself, so it accepts no incoming connections and needs no open ports.</p><p>For example, with the popular ufw firewall, that would be:</p><div class=highlight><pre><span></span><code>ufw allow <span class=m>18080</span>/tcp
ufw allow <span class=m>18081</span>/tcp
</code></pre></div><p>To verify, use <code>ufw status</code>. The output should be similar to the following (the <code>22</code> entry is the default SSH port, unrelated to Monero):</p><div class=highlight><pre><span></span><code>To                         Action      From
</code></pre></div><h2 id=testing>Testing<a class=headerlink href=#testing title="Permanent link">¶</a></h2><h3 id=on-server>On server<a class=headerlink href=#on-server title="Permanent link">¶</a></h3><p>List all services listening on ports and make sure they are exactly what you expect (anything bound to <code>0.0.0.0</code> or <code>::</code> is reachable from the internet as soon as the firewall permits it):</p><p><code>sudo netstat -lntpu</code> (or <code>sudo ss -lntpu</code> on systems without net-tools)</p><p>The output should include these lines (in any order); the PID values will of course differ.</p><div class=highlight><pre><span></span><code>Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name