---
title: Running Monero Open Node with Tor Onion Support
---
# Running Monero Open Node + Tor Onion
!!! success "Powerful setup"
    This is a great contribution to the Monero network and also a pretty sophisticated personal setup. If you are a beginner, you don't need this.
!!! info "The end goal"
    You will publicly offer the following services, where xxx.yyy.zzz.vvv is your server IP address.

    * xxx.yyy.zzz.vvv:18080 - clearnet P2P service (for other nodes)
    * xxx.yyy.zzz.vvv:18081 - clearnet RPC service (for wallets)
    * yourlongv3onionaddress.onion:18083 - onion P2P service (for other onion nodes)
    * yourlongv3onionaddress.onion:18081 - onion RPC service (for wallets connecting over Tor)

    Why different P2P ports for clearnet and onion? This is a `monerod` requirement.
!!! warning "Broadcasting bad transactions from your IP"
    As with any public data broadcast or relay service, "bad traffic" or in this case "bad transactions" may appear to originate from your server IP address from an outside observer's perspective, even though they really originate from a remote wallet user. This is a potential risk you need to keep in mind.
## Why run this specific setup?
You will be able to connect your desktop and mobile Monero wallets to your own trusted Monero node, in a secure and private way over Tor. Your node will always be ready without delays (always synced up, unlike an intermittently running node on a laptop).

**Serving blocks and transactions** in the Monero P2P network helps new users to bootstrap and sync up their nodes.
It also strengthens the Monero P2P network against DDoS attacks and network partitioning.

**Open wallet interface** (the "RPC") allows anyone to connect their wallets to the Monero network through your node.
This is useful for beginner users who don't run their own nodes yet.

**Tor onion for wallet interface** is useful for wallet users connecting over Tor because it mitigates the MiTM risk posed by Tor exit nodes (which is very real). When a wallet connects to an onion service, no MiTM attack is realistic because connections within the Tor network are end-to-end encrypted.

**Tor onion for P2P network** is useful for other full node users as it allows them to broadcast transactions over Tor (using the `--tx-proxy` option).
## Assumptions
You understand basic Linux administration. You seek Monero specific guidance.
You have root access to a Linux server with 2GB+ RAM and 120GB+ SSD (or 50GB+ for the pruned node version). This is current for Jan 2021.
Some commands assume Ubuntu but you will easily translate them to your distribution.
Enable the tor service with `systemctl enable tor` and restart it via `systemctl restart tor`.
Verify that Tor is up with `systemctl status tor@default`.
A fresh onion address and corresponding key pair got created for you by the `tor` daemon in `/var/lib/tor/monero/`. You may want to back these up to secure control over your onion address. This happens on restart whenever you add a new `HiddenServiceDir` to the `torrc` config.
The Monero daemon itself is not necessary at this point. The onion services (AKA hidden services) will just wait until the localhost `monerod` shows up at the specified ports 18081 and 18083.
```
HiddenServiceDir /var/lib/tor/monero/
HiddenServicePort 18081 127.0.0.1:18081    # interface for wallet ("RPC")
HiddenServicePort 18083 127.0.0.1:18083    # interface for P2P network
```
??? info "How Tor onion services work?"
    The `tor` daemon simply passes the traffic from a virtual onion port to the actual localhost port where some service is listening (in our case, this will be `monerod`). A single onion address can offer multiple services at various virtual ports. We will use this to expose both the P2P and RPC `monerod` services on a single onion. You could host any number of onion addresses on a single server or IP address but we won't need that here.
## Install Monero
Create the `monero` user and group with `useradd --system monero`
Create the monero **binaries** directory (empty for now) with `mkdir -p /opt/monero` and `chown -R monero:monero /opt/monero`
Move binaries to `/opt/monero/` with `mv monero-x86_64-linux-gnu-v0.17.1.9/* /opt/monero/` then `chown -R monero:monero /opt/monero`
Create `/etc/monero.conf` as shown below and **paste your values in placeholders**.
Create `/etc/systemd/system/monero.service` as shown below.
Enable monero service with `systemctl enable monero` and restart it with `systemctl restart monero`
Verify it is up with `systemctl status monero`
Verify it is working as intended with `tail -n100 /var/log/monero/monero.log`
### /etc/monero.conf
This is just an example configuration and it is by no means authoritative. Feel free to modify, see [monerod reference](/interacting/monerod-reference).
Modify paths if you changed them.
Print your onion address with `cat /var/lib/tor/monero/hostname` and paste it to `anonymous-inbound` option.
If you use a firewall (and you should), open `18080` and `18081` ports for incoming TCP connections. These are for the incoming **clearnet** connections, P2P and RPC respectively.
You **do not** need to open any ports for Tor. The onion services work with virtual ports. The `tor` daemon does not directly accept incoming connections and so it needs no open ports.
For example, for the popular ufw firewall, that would be:
``` Bash
ufw allow 18080/tcp
ufw allow 18081/tcp
```
To verify, use `ufw status`. The output should be similar to the following (the `22` being default SSH port, unrelated to Monero):
* To log more info, change `log-level=0` to `log-level=1` in `monero.conf` (remember to revert once solved)
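
As an added example (not part of the original guide), the following shell function checks the output of `ss -tlnH` against the port layout described on this page: something listening on 18080 and 18081, and the onion P2P port 18083 bound to loopback only, since only the local `tor` daemon needs to reach it. The function names and the sample listener lines are constructed for illustration.

```bash
#!/bin/sh
# Added example, not from the original guide. Reads `ss -tlnH` output on stdin
# and compares it with the layout on this page. Exit status 0 = layout matches.
audit_listeners() {
    awk '
    {
        sock = $4                              # e.g. 0.0.0.0:18080 or [::1]:18083
        port = sock; sub(/.*:/, "", port)      # text after the last colon
        addr = sock; sub(/:[0-9]+$/, "", addr) # text before the last colon
        seen[port] = 1
        loopback = (addr ~ /^127\./ || addr == "[::1]")
        if (port == "18083" && !loopback) {
            printf "FAIL 18083 (onion P2P) bound to %s, expected loopback\n", addr
            bad = 1
        }
    }
    END {
        n = split("18080 18081 18083", want, " ")
        for (i = 1; i <= n; i++)
            if (!(want[i] in seen)) {
                printf "FAIL nothing listening on port %s\n", want[i]
                bad = 1
            }
        if (!bad) print "OK listeners match the intended layout"
        exit bad + 0
    }'
}

# Constructed sample input (not captured from a real server).
sample_good() {
    cat <<'EOF'
LISTEN 0 4096 0.0.0.0:18080 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:18081 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:18083 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
EOF
}
sample_exposed() {
    cat <<'EOF'
LISTEN 0 4096 0.0.0.0:18080 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:18081 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:18083 0.0.0.0:*
EOF
}

# Live check on the server: ss -tlnH | audit_listeners
```

The check only looks at bind addresses on the host; firewall rules are still verified separately with `ufw status`.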
## Further improvements
### Periodic restarts
It's likely worthwhile to add periodic auto-restarting of both `tor` and `monerod` every couple of hours. Neither daemon is perfect; they can get stuck or leak memory in edge-case situations, like the recent attacks on Tor v3 or DDoS attacks on the Monero network. One possible way would be to use systemd timers.
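
One way to set this up, as an added example that is not part of the original guide: the function below writes a oneshot service and a timer that restart `tor` and `monero` on a fixed interval. The unit name `monero-tor-restart`, the 6h default and the 10-minute random delay are assumptions; the `tor` and `monero` unit names are the ones used on this page.

```bash
#!/bin/sh
# Added example, not from the original guide.
# Usage: write_restart_timer [unit_dir] [interval]
# The unit name monero-tor-restart is hypothetical; 6h is an assumed default.
write_restart_timer() {
    unit_dir="${1:-/etc/systemd/system}"
    interval="${2:-6h}"

    # Oneshot service that performs the actual restart.
    cat > "$unit_dir/monero-tor-restart.service" <<EOF
[Unit]
Description=Periodic restart of tor and monerod

[Service]
Type=oneshot
# try-restart only restarts units that are currently running,
# so a daemon you stopped on purpose stays stopped.
ExecStart=/bin/systemctl try-restart tor.service monero.service
EOF

    # Timer that triggers the service after boot and then repeatedly.
    cat > "$unit_dir/monero-tor-restart.timer" <<EOF
[Unit]
Description=Restart tor and monerod every $interval

[Timer]
OnBootSec=$interval
OnUnitActiveSec=$interval
# Spread the restart so it does not always hit the same minute.
RandomizedDelaySec=10min
Unit=monero-tor-restart.service

[Install]
WantedBy=timers.target
EOF
}

# As root, on the server:
#   write_restart_timer && systemctl daemon-reload \
#     && systemctl enable --now monero-tor-restart.timer
# Check the schedule with: systemctl list-timers monero-tor-restart.timer
```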