monero-project/monero-docs
monero-project/monero-docs
2
1
Fork 0
mirror of https://github.com/monero-project/monero-docs.git synced 2024-12-22 03:29:35 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

monerod: tor and i2p guides

Browse source 
Co-authored-by: plowsof <77655812+plowsof@users.noreply.github.com>
Co-authored-by: HardenedSteel <19209715+HardenedSteel@users.noreply.github.com>
This commit is contained in:
nahuhh 2024-09-29 20:28:26 +00:00
parent c5637de9b5
commit 0666f2af51
9 changed files with 547 additions and 419 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

82
docs/en/interacting/monero-config-file.md
View file

@ -1,5 +1,12 @@
---
title: Monero Configuration File
configfile: "~/.bitmonero/bitmonero.conf"
datadir: "~/.bitmonero"
logfile: "log-file=~/.bitmonero"
maxlogsize: ""
publicnode: "#public-node=1 # Advertise to other users they can use this node for connecting their wallets"
---
# Monero Configuration File
@ -13,25 +20,25 @@ To use a specific config file add `--config-file` option:
The `--config-file` option is available for:
* `monerod`
* `monero-wallet-cli`
* `monero-wallet-rpc`
* `monero-gen-trusted-multisig`
- `monerod`
- `monero-wallet-cli`
- `monero-wallet-rpc`
- `monero-gen-trusted-multisig`
## Syntax
* `option-name=value`
* `valueless-option-name=1` for options that don't expect value
* `# comment`
* whitespace is ignored
- `option-name=value`
- `valueless-option-name=1` for options that don't expect value
- `# comment`
- whitespace is ignored
## Reference
All configuration options are the same as command line options for the binary.
* [monerod reference](../interacting/monerod-reference.md)
* [monero-wallet-cli reference](../interacting/monero-wallet-cli-reference.md)
* [monero-wallet-rpc reference](../interacting/monero-wallet-rpc-reference.md)
- [monerod reference](../interacting/monerod-reference.md)
- [monero-wallet-cli reference](../interacting/monero-wallet-cli-reference.md)
- [monero-wallet-rpc reference](../interacting/monero-wallet-rpc-reference.md)
Skip the `--` from `--option-name`.
@ -41,62 +48,33 @@ Example:
translates to:
```ini
log-level=4
stagenet=1 # use value "1" to enable the value-less options like --stagenet
## Examples
```
## Templates
### `monerod.conf`
This config is tailored for production server usage.
# /etc/monero/monerod.conf
# Data directory (blockchain db and indices)
data-dir=/home/monero/.monero # Remember to create the monero user first
# Log file
log-file=/var/log/monero/monerod.log
max-log-file-size=0 # Prevent monerod from managing the log files; we want logrotate to take care of that
# P2P full node
p2p-bind-ip=0.0.0.0 # Bind to all interfaces (the default)
p2p-bind-port=18080 # Bind to default port
# RPC open node
rpc-bind-ip=0.0.0.0 # Bind to all interfaces
rpc-bind-port=18081 # Bind on default port
confirm-external-bind=1 # Open node (confirm)
restricted-rpc=1 # Prevent unsafe RPC calls
no-igd=1 # Disable UPnP port mapping
# Slow but reliable db writes
db-sync-mode=safe
# Emergency checkpoints set by MoneroPulse operators will be enforced to workaround potential consensus bugs
# Check https://monerodocs.org/infrastructure/monero-pulse/ for explanation and trade-offs
enforce-dns-checkpointing=1
out-peers=64 # This will enable much faster sync and tx awareness; the default 8 is suboptimal nowadays
in-peers=1024 # The default is unlimited; we prefer to put a cap on this
limit-rate-up=1048576 # 1048576 kB/s == 1GB/s; a raise from default 2048 kB/s; contribute more to p2p network
limit-rate-down=1048576 # 1048576 kB/s == 1GB/s; a raise from default 8192 kB/s; allow for faster initial sync
This config is tailored for desktop usage on [mainnet :link:](../infrastructure/networks.md#mainnet)
{% include 'monerod_template' %}
### `monero-wallet-cli.conf`
This config is tailored for desktop usage on [stagenet](../infrastructure/networks.md#stagenet).
This config is tailored for desktop usage on [stagenet :link:](../infrastructure/networks.md#stagenet).
# $HOME/.bitmonero/stagenet/monero-wallet-cli.conf
```ini
# ~/.bitmonero/stagenet/monero-wallet-cli.conf
# Pick network
stagenet=1
# Connect to a remote full node
daemon-address=monero-stagenet.exan.tech:38081
untrusted-daemon=1
daemon-address=YOUR.NODE.IP:38081
#trusted-daemon=1
# Log file
log-file=/tmp/monero-wallet-cli.log
# wallet-file=/home/YOUR-USER/.bitmonero/stagenet/wallets/MoneroExampleStagenetWallet
# wallet-file=~/.bitmonero/stagenet/wallets/MoneroExampleStagenetWallet
```

247
docs/en/running-node/monerod-systemd.md Normal file
View file

@ -0,0 +1,247 @@
---
title: Running a Monero Node via Systemd
config: (#monerod-config)
configfile: "/etc/monero/monerod.conf"
datadir: "/var/lib/monero/bitmonero"
logfile: "log-file=/var/log/monero/monero.log"
maxlogsize: "max-log-file-size=2147483648 # Set to 2GB to mitigate log trimming by monerod; configure logrotate instead"
txproxyi2p:
txproxytor:
publicnode: "#public-node=1 # Advertise to other users they can use this node for connecting their wallets"
---
# Running Monerod via Systemd
!!! success "The end goal"
You will publicly offer the following services, where xxx.yyy.zzz.vvv is your server IP address.
* xxx.yyy.zzz.vvv:18080 - clearnet P2P service (for other nodes)
* xxx.yyy.zzz.vvv:18089 - clearnet RPC service (for wallets)
## Why run this specific setup?
You will be able to connect your desktop and mobile Monero wallets to your own trusted Monero node,
in a secure and private way over Tor.
**Running as a systemd service** will allow your node to always remain synced, as opposed to intermittently running node.
**Public RPC service** - The `public-node` config option will broadcast your RPC port to your peers, providing a service for anyone to use your node to connect their wallets to the Monero network.
This is useful to users who don't run their own nodes. You may enable it by removing the `#` from `#public-node` in the config.
??? warning "Public RPC may be resource intensive"
Providing Public RPC via the flag `public-node=1` may use a sizeable amount of resources on your PC.
## Assumptions
You possess:
- Basic understanding of Linux administration
- Root access to a Linux server
- _Recommended_ 4 GB+ RAM
- _Recommended_ available SSD storage of
- **{{ multiply(lmdb_size_full, 2.5) }} GB+** for the full node
- **{{ multiply(lmdb_size_pruned, 2.5) }} GB+** for the pruned
!!! note "Current blockchain size as of {{ lmdb_size_updated }}"
The current blockchain sizes are approximately:
Full node: **{{ lmdb_size_full }} GB**
Pruned node: **{{ lmdb_size_pruned }} GB**
Some commands assume Ubuntu but you will easily translate them to your distribution.
## Install Monero
1. Create `monero` user and group:
``` Bash
useradd --system monero
```
2. Create monero **config**, **data** and **log** directories:
``` Bash
mkdir -p /etc/monero # config
mkdir -p /var/lib/monero # blockchain
mkdir -p /var/log/monero # logs
chown monero:monero /etc/monero
chown monero:monero /var/lib/monero
chown monero:monero /var/log/monero
```
Feel free to adjust above to your preferred conventions, just remember to adjust the paths in the `systemd` and `monerod` config files accordingly.
3. [Download](../interacting/download-monero-binaries.md) and [verify](../interacting/verify-monero-binaries.md) the archive.
4. Extract the binaries (adjust filename if necessary):
``` Bash
tar -xvf monero-linux-x64-{{ cli_vers }}.tar.bz2
rm monero-linux-x64-{{ cli_vers }}.tar.bz2
```
5. Move binaries to /usr/local/bin/:
``` Bash
mv monero-x86_64-linux-gnu-{{ cli_vers }}/* /usr/local/bin/.
chown monero:monero /usr/local/bin/monero*
```
### Monerod Config
6. Create `/etc/monero/monerod.conf` as shown below:
{% include 'monerod_template' %}
### Systemd
7. Create `/etc/systemd/system/monerod.service` as shown below.
``` INI
# /etc/systemd/system/monerod.service
[Unit]
Description=Monero Daemon
After=network-online.target
[Service]
ExecStart=/usr/local/bin/monerod --detach --config-file /etc/monero/monerod.conf --pidfile /run/monero/monerod.pid
ExecStartPost=/bin/sleep 0.1
PIDFile=/run/monero/monerod.pid
Type=forking
Restart=on-failure
RestartSec=30
User=monero
Group=monero
RuntimeDirectory=monero
StandardOutput=journal
StandardError=journal
[Install]
WantedBy=multi-user.target
```
8. Enable the monerod service:
``` Bash
systemctl daemon-reload
systemctl enable monerod
systemctl restart monerod
```
9. Verify it is up:
``` Bash
systemctl status monerod
```
9. Verify it is working as intended:
``` Bash
tail -n100 /var/log/monero/monero.log
```
### Open firewall ports
If you use a firewall (and you should), open `18080` and `18089` ports for incoming TCP connections.
These are for the incoming **clearnet** connections, P2P and RPC respectively.
You **do not** need to open any ports for Tor.
For example, for popular ufw firewall, that would be:
``` Bash
ufw allow 18080/tcp
ufw allow 18089/tcp
```
To verify, use `ufw status`. The output should be similar to the following (the `22` being default SSH port, unrelated to Monero):
```
To Action From
-- ------ ----
22/tcp LIMIT Anywhere
18080/tcp ALLOW Anywhere
18089/tcp ALLOW Anywhere
22/tcp (v6) LIMIT Anywhere (v6)
18080/tcp (v6) ALLOW Anywhere (v6)
18089/tcp (v6) ALLOW Anywhere (v6)
```
## Tor & I2P
??? tip "Tor Setup"
{% include 'tor_template' %}
??? tip "I2P Setup"
{% include 'i2pd_template' %}
### Testing
??? "Testing"
**On server**
List all services listening on ports and make sure it is what you expect:
``` Bash
sudo netstat -lntpu
```
The output should include these (in any order); obviously the PID values will differ.
```
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
...
tcp 0 0 0.0.0.0:18080 0.0.0.0:* LISTEN 259255/monerod
tcp 0 0 0.0.0.0:18089 0.0.0.0:* LISTEN 259255/monerod
tcp 0 0 127.0.0.1:18084 0.0.0.0:* LISTEN 259255/monerod
tcp 0 0 127.0.0.1:9050 0.0.0.0:* LISTEN 258786/tor
```
**On client machine**
Finally, we want to test connections from your client machine.
Install `tor` and `torsocks` on your laptop, you will want them anyway for Monero wallet.
Just for testing, you will also need `nmap` and `proxychains`.
Test **clearnet P2P** connection:
`nmap -Pn -p 18080 YOUR_IP_ADDRESS_HERE`
Test **clearnet RPC** connection:
``` Bash
curl --digest -X POST http://YOUR_IP_ADDRESS_HERE:18089/json_rpc -d '{"jsonrpc":"2.0","id":"0","method":"get_info"}' -H 'Content-Type: application/json'
```
Test **onion P2P** connection (skip if you don't have proxychains):
``` Bash
proxychains nmap -Pn -p 18084 YOUR_ONION_ADDRESS_HERE.onion
```
Test **onion RPC** connection:
``` Bash
curl -x socks5h://127.0.0.1:9050 --digest -X POST http://YOUR_ONION_ADDRESS_HERE.onion:18089/json_rpc -d '{"jsonrpc":"2.0","id":"0","method":"get_info"}' -H 'Content-Type: application/json'`
```
### Debugging
??? Debugging
Tor:
- Status: `systemctl status tor@default`
- Logs: `journalctl -xe --unit tor@default`
Monerod:
- Status: `systemctl status monero`
- Logs: `tail -n100 /var/log/monero/monero.log`
- Logs more info: change `log-level=0` to `log-level=1` in `monero.conf` (remember to revert once solved)

68
docs/en/running-node/monerod-tori2p.md Normal file
View file

@ -0,0 +1,68 @@
---
title: Tor and I2P
config: (../interacting/monero-config-file.md#monerodconf)
---
!!! note ""
How to add Tor and/or I2P to your Monero node
### Assumptions
You possess:
- Basic understanding of Linux administration
- Root access to a Linux distribution
- A Monero Node
Some commands assume Ubuntu but you can trivially translate them to your distribution.
??? question "Why use anonymity networks?"
**Why use anonymity networks?**
You will be able to connect your desktop and mobile Monero wallets to your own trusted Monero node,
in a secure and private way over Tor or I2P.
**Tor and I2P hidden services for wallet interface** are useful for wallet users because it bypasses [NAT](https://tailscale.com/blog/how-nat-traversal-works) and also works to mitigate MITM risks (which are very real). Hidden service connections are end-to-end encrypted and private by default.
**Onion and I2P for P2P network** is useful for other nodes as it allows them to relay transactions to your node (using `--tx-proxy` option).
### Node Configuration
=== "Tor"
{% include 'tor_template' %}
=== "I2P"
{% include 'i2pd_template' %}
!!! note "(Optional) Publish the node on [monero.fail](https://monero.fail)"
## Wallet Setup
To connect Monero nodes, you have to configure the wallet software:
=== "Tor"
=== "Monero GUI"
1. Navigate to: `Settings -> Interface -> Socks5 proxy` and set the values to `IP Address = 127.0.0.1` and `Port = 9050`
2. Navigate to: `Settings -> Node -> Add remote node` and set the values to `Address = http://yourlongv3onionaddress.onion` and `Port = 18089`
[:link: _Monero GUI_](../interacting/monero-wallet-gui-reference.md)
=== "Monero CLI"
Add the flags `--proxy=127.0.0.1:9050 --daemon-address=http://yourlongv3onionaddress.onion:18089 --trusted-daemon`
[:link: _Monero CLI_](../interacting/monero-wallet-cli-reference.md)
=== "I2P"
=== "Monero GUI"
1. Navigate to: `Settings -> Interface -> Socks5 proxy` and set the values to `IP Address = 127.0.0.1` and `Port = 4447`
2. Navigate to: `Settings -> Node -> Add remote node` and set the values to `Address = http://yourlongb32i2paddress.b32.i2p` and `Port = 18089`
[:link: _Monero GUI_](../interacting/monero-wallet-gui-reference.md)
=== "Monero CLI"
Add the flags `--proxy=127.0.0.1:4447 --daemon-address=http://yourlongb32i2paddress.b32.i2p:18089 --trusted-daemon`
[:link: _Monero CLI_](../interacting/monero-wallet-cli-reference.md)

354
docs/en/running-node/open-node-tor-onion.md
View file

@ -1,354 +0,0 @@
---
title: Running Monero Open Node with Tor Onion Support
---
# Running Monero Open Node + Tor Onion
!!! success "The end goal"
You will publicly offer the following services, where xxx.yyy.zzz.vvv is your server IP address.
* xxx.yyy.zzz.vvv:18080 - clearnet P2P service (for other nodes)
* xxx.yyy.zzz.vvv:18089 - clearnet RPC service (for wallets)
* yourlongv3onionaddress.onion:18084 - onion P2P service (for other onion nodes)
* yourlongv3onionaddress.onion:18089 - onion RPC service (for wallets connecting over Tor)
??? info "P2P ports"
Q: Why different P2P ports for clearnet and onion?
A: The data served by the Onion differs from clearnet P2P. A different port is required
??? warning "May be resource intensive"
Providing a Public RPC may use a sizeable amount of resources on your PC.
If you have concerns about data/bandwidth, CPU or RAM usage, you may disable the `public-node` setting by commenting [#] or deleting the line from the [config](#config)
## Why run this specific setup?
You will be able to connect your desktop and mobile Monero wallets to your own trusted Monero node,
in a secure and private way over Tor.
**Running as a systemd service** will allow your node to always remain synced, as opposed to intermittently running node.
**Serving blocks and transactions** in Monero P2P network helps new users to bootstrap and sync up their nodes.
It also strenghtens Monero P2P network against DDoS attacks and network partitioning.
**Open wallet inteface** - The `public-node` config option allows anyone to connect their wallets to Monero network through your node.
This is useful to users who don't run their own nodes.
**Tor onion for wallet interface** is useful for wallet users connecting over Tor because it mitigates Clearnet and Tor exit node MiTM risks (which are very real). By connecting wallet to an onion service, no MiTM attack is realistic because onion connections are end-to-end encrypted.
**Tor onion for P2P network** is useful for other full node users as it allows them to broadcast transactions over Tor (using `--tx-proxy` option).
## Assumptions
You possess:
- Basic understanding of Linux administration
- Root access to a Linux server
- _Recommended_ 4 GB+ RAM
- _Recommended_ available SSD storage of
- **{{ multiply(lmdb_size_full, 2.5) }} GB+** for the full node
- **{{ multiply(lmdb_size_pruned, 2.5) }} GB+** for the pruned.
!!! note "Current blockchain size as of {{ lmdb_size_updated }}"
The current blockchain sizes are approximately:
Full node: **{{ lmdb_size_full }} GB**
Pruned node: **{{ lmdb_size_pruned }} GB**
Some commands assume Ubuntu but you will easily translate them to your distribution.
## Install Tor
1. [Install Tor](https://support.torproject.org/apt)
2. Elevate to root:
``` Bash
sudo su -
```
3. Add the following lines to `/etc/tor/torrc`:
``` ApacheConf
HiddenServiceDir /var/lib/tor/monerod
HiddenServicePort 18089 127.0.0.1:18089 # interface for wallet ("RPC")
HiddenServicePort 18084 127.0.0.1:18084 # interface for P2P network
```
4. Enable tor service:
``` Bash
systemctl enable tor
systemctl restart tor
```
5. Verify the Tor is running:
``` Bash
systemctl status tor@default
```
6. View/Copy your new Onion Address:
``` Bash
cat /var/lib/tor/monerod/hostname
```
??? info "Backup Onion keys"
You may want to backup your keys folder (`/var/lib/tor/monerod`) to secure control over your onion address.
??? info "How Tor onion services work?"
A fresh onion address and corresponding key pair were created for you in /var/lib/tor/monero/.
This happens on restart whenever you add a new `HiddenServiceDir` to the `/etc/tor/torrc` config file.
The tor daemon will forward traffic from a virtual onion port to an actual localhost port, where some service is listening (in our case, this will be `monerod`).
A single onion address can offer multiple services at various virtual ports.
## Install Monero
1. Create `monero` user and group:
``` Bash
useradd --system monero
```
2. Create monero **config**, **data** and **log** directories:
``` Bash
mkdir -p /etc/monero # config
mkdir -p /var/lib/monero # blockchain
mkdir -p /var/log/monero # logs
chown monero:monero /etc/monero
chown monero:monero /var/lib/monero
chown monero:monero /var/log/monero
```
Feel free to adjust above to your preferred conventions, just remember to adjust the paths in the `systemd` and `monerod` config files accordingly.
3. [Download](../interacting/download-monero-binaries.md) and [verify](../interacting/verify-monero-binaries.md) the archive.
4. Extract the binaries (adjust filename if necessary):
``` Bash
tar -xvf monero-linux-x64-{{ cli_vers }}.tar.bz2
rm monero-linux-x64-{{ cli_vers }}.tar.bz2
```
5. Move binaries to /usr/local/bin/:
``` Bash
mv monero-x86_64-linux-gnu-{{ cli_vers }}/* /usr/local/bin/.
chown monero:monero /usr/local/bin/monero*
```
### **Monerod Config**
6. Create `/etc/monero/monerod.conf` as shown below and **replace `PASTE_YOUR_ONION_HOSTNAME` with your Onion address**.
``` YAML
# /etc/monero/monerod.conf
#
# Configuration file for monerod. For all available options see the MoneroDocs:
# https://docs.getmonero.org/interacting/monerod-reference/
# Data directory (blockchain db and indices)
data-dir=/var/lib/monero/bitmonero
# Optional pruning
#prune-blockchain=1 # Pruning saves 2/3 of disk space w/o degrading functionality but contributes less to the network
#sync-pruned-blocks=1 # Allow downloading pruned blocks instead of prunning them yourself
# Centralized services
check-updates=disabled # Do not check DNS TXT records for a new version
enable-dns-blocklist # Block known malicious nodes
# Log file
log-file=/var/log/monero/monero.log
log-level=0 # Minimal logs, WILL NOT log peers or wallets connecting
max-log-file-size=2147483648 # Set to 2GB to mitigate log trimming by monerod; configure logrotate instead
# P2P full node
#p2p-bind-ip=0.0.0.0 # Bind to all interfaces (the default)
#p2p-bind-port=18080 # Bind to default port
#no-igd=1 # Disable UPnP port mapping
# RPC open node
public-node=1 # Advertise to other users they can use this node for connecting their wallets
rpc-restricted-bind-ip=0.0.0.0 # Bind to all interfaces (the Open Node)
rpc-restricted-bind-port=18089 # Bind to a new RESTICTED port (the Open Node)
# RPC TLS
rpc-ssl=autodetect # Use TLS if client wallet supports it (Default); A new certificate will be regenerated every restart
# ZMQ
#zmq-rpc-bind-ip=127.0.0.1 # Default 127.0.0.1
#zmq-rpc-bind-port=18082 # Default 18082
zmq-pub=tcp://127.0.0.1:18083 # ZMQ pub
#no-zmq=1 # Disable ZMQ RPC server
# Mempool size
max-txpool-weight=2684354560 # Maximum unconfirmed transactions pool size in bytes (here ~2.5GB, default ~618MB)
# Database sync mode
#db-sync-mode=safe:sync # Slow but reliable db writes
# Network limits
out-peers=24 # This will enable much faster sync and tx awareness; the default 8 is suboptimal nowadays
in-peers=48 # The default is unlimited; we prefer to put a cap on this
limit-rate-up=1048576 # 1048576 kB/s == 1GB/s; a raise from default 2048 kB/s; contribute more to p2p network
limit-rate-down=1048576 # 1048576 kB/s == 1GB/s; a raise from default 8192 kB/s; allow for faster initial sync
# Tor/I2P: broadcast transactions originating from connected wallets over Tor/I2P (does not concern relayed transactions)
tx-proxy=tor,127.0.0.1:9050,16,disable_noise # Tor
#tx-proxy=i2p,127.0.0.1:4447,16.disable_noise # I2P
# Tor/I2P: tell monerod your onion address so it can be advertised on P2P network
anonymous-inbound=PASTE_YOUR_ONION_HOSTNAME:18084,127.0.0.1:18084,64
#anonymous-inbound=PASTE_YOUR_I2P_HOSTNAME,127.0.0.1:18085,64
# Tor: be forgiving to connecting wallets; suggested by http://xmrguide42y34onq.onion/remote_nodes
disable-rpc-ban=1
```
### Systemd
7. Create `/etc/systemd/system/monerod.service` as shown below.
``` INI
# /etc/systemd/system/monerod.service
[Unit]
Description=Monero Daemon
After=network-online.target
[Service]
ExecStart=/usr/local/bin/monerod --detach --config-file /etc/monero/monerod.conf --pidfile /run/monero/monerod.pid
ExecStartPost=/bin/sleep 0.1
PIDFile=/run/monero/monerod.pid
Type=forking
Restart=on-failure
RestartSec=30
User=monero
Group=monero
RuntimeDirectory=monero
StandardOutput=journal
StandardError=journal
[Install]
WantedBy=multi-user.target
```
8. Enable the monerod service:
``` Bash
systemctl daemon-reload
systemctl enable monerod
systemctl restart monerod
```
9. Verify it is up:
``` Bash
systemctl status monerod
```
9. Verify it is working as intended:
``` Bash
tail -n100 /var/log/monero/monero.log
```
## Open firewall ports
If you use a firewall (and you should), open `18080` and `18089` ports for incoming TCP connections.
These are for the incoming **clearnet** connections, P2P and RPC respectively.
You **do not** need to open any ports for Tor.
For example, for popular ufw firewall, that would be:
``` Bash
ufw allow 18080/tcp
ufw allow 18089/tcp
```
To verify, use `ufw status`. The output should be similar to the following (the `22` being default SSH port, unrelated to Monero):
```
To Action From
-- ------ ----
22/tcp LIMIT Anywhere
18080/tcp ALLOW Anywhere
18089/tcp ALLOW Anywhere
22/tcp (v6) LIMIT Anywhere (v6)
18080/tcp (v6) ALLOW Anywhere (v6)
18089/tcp (v6) ALLOW Anywhere (v6)
```
## Testing
### On server
List all services listening on ports and make sure it is what you expect:
``` Bash
sudo netstat -lntpu
```
The output should include these (in any order); obviously the PID values will differ.
```
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
...
tcp 0 0 0.0.0.0:18080 0.0.0.0:* LISTEN 259255/monerod
tcp 0 0 0.0.0.0:18089 0.0.0.0:* LISTEN 259255/monerod
tcp 0 0 127.0.0.1:18084 0.0.0.0:* LISTEN 259255/monerod
tcp 0 0 127.0.0.1:9050 0.0.0.0:* LISTEN 258786/tor
```
### On client machine
Finally, we want to test connections from your client machine.
Install `tor` and `torsocks` on your laptop, you will want them anyway for Monero wallet.
Just for testing, you will also need `nmap` and `proxychains`.
Test **clearnet P2P** connection:
`nmap -Pn -p 18080 YOUR_IP_ADDRESS_HERE`
Test **clearnet RPC** connection:
`curl --digest -X POST http://YOUR_IP_ADDRESS_HERE:18089/json_rpc -d '{"jsonrpc":"2.0","id":"0","method":"get_info"}' -H 'Content-Type: application/json'`
Test **onion P2P** connection (skip if you don't have proxychains):
`proxychains nmap -Pn -p 18084 YOUR_ONION_ADDRESS_HERE.onion`
Test **onion RPC** connection:
`curl -x socks5h://127.0.0.1:9050 --digest -X POST http://YOUR_ONION_ADDRESS_HERE.onion:18089/json_rpc -d '{"jsonrpc":"2.0","id":"0","method":"get_info"}' -H 'Content-Type: application/json'`
## Debugging
Tor:
* Status: `systemctl status tor@default`
* Logs: `journalctl -xe --unit tor@default`
Monerod:
* Status: `systemctl status monero`
* Logs: `tail -n100 /var/log/monero/monero.log`
* Logs more info: change `log-level=0` to `log-level=1` in `monero.conf` (remember to revert once solved)

70
docs/macros/includes/i2pd_template Normal file
View file

@ -0,0 +1,70 @@
!!! success "The end goal"
To enable the following services:
* yourlongb32i2paddress.b32.i2p:18085 - i2p P2P service (for other i2p nodes)
* yourlongb32i2paddress.b32.i2p:18089 - i2p RPC service (for wallets connecting over i2p)
**I2P service for P2P network** is useful for other full node users as it allows them to broadcast transactions over I2P (using `--tx-proxy` option).
**I2P service for wallet interface** is useful for wallet users connecting over I2P because it mitigates Clearnet and Tor exit node MiTM risks (which are very real). By connecting wallet to an I2P service, no MiTM attack is realistic because I2P connections are end-to-end encrypted.
??? question "Why different P2P ports for clearnet and i2p?"
A: The data served by the i2p p2p port differs from clearnet P2P. A different port is required
1. Elevate to root:
``` Bash
sudo su -
```
2. Install i2pd:
``` Bash
apt install apt-transport-https
wget -q -O - https://repo.i2pd.xyz/.help/add_repo | bash -s -
apt update
apt install i2pd
```
3. Create a server tunnel for the Monero P2P and RPC ports:
``` ini
cat << EOF > /etc/i2pd/tunnels.conf.d/monero-mainnet.conf
[monero-node]
type = server
host = 127.0.0.1
# Anonymous inbound port
port = 18085
inport = 0
keys = monero-mainnet.dat
[monero-rpc]
type = server
host = 127.0.0.1
# Restricted RPC port
port = 18089
keys = monero-mainnet.dat
EOF
```
4. Restart i2pd:
``` Bash
systemctl restart i2pd
```
5. Find the new b32 address of the node:
=== "Terminal"
``` Bash
curl -s http://127.0.0.1:7070/?page=i2p_tunnels | grep -Eo "[a-zA-Z0-9./?=_%:-]*" | grep "18085"`
```
=== "Web console"
Go to the web console at 127.0.0.1:7070 -> [I2P tunnels page](http://127.0.0.1:7070/?page=i2p_tunnels).
Look for Server tunnels and you will see an address like **_`yourlongb32i2paddress.b32.i2p`_** next to **`monero-node`**.
6. Copy the result into your Monero [**config file** :link:{ title="Monerod Config" }]{{ config }}, enabling these options:
``` ini
anonymous-inbound=yourlongb32i2paddress.b32.i2p,127.0.0.1:18085
tx-proxy=i2p,127.0.0.1:4447,disable_noise
```
Replace `yourlongb32i2paddress.b32.i2p` with your b32 address.
7. The node is now available on i2p. You can check that the service is working by using curl:
``` Bash
curl -x socks5h://127.0.0.1:4447 http://yourlongb32i2paddress.b32.i2p:18089/get_info
```
!!! note "(Optional) Register short and memorable .i2p domain on [reg.i2p](http://reg.i2p)"

66
docs/macros/includes/monerod_template Normal file
View file

@ -0,0 +1,66 @@
```ini
# {{ configfile }}
#
# Configuration file for monerod. For all available options see the MoneroDocs:
# https://docs.getmonero.org/interacting/monerod-reference/
# Data directory (blockchain db and indices)
data-dir={{ datadir }} # Blockchain storage location
# Optional pruning
#prune-blockchain=1 # Pruning saves 2/3 of disk space w/o degrading functionality but contributes less to the network
#sync-pruned-blocks=1 # Allow downloading pruned blocks instead of prunning them yourself
# Centralized services
check-updates=disabled # Do not check DNS TXT records for a new version
enable-dns-blocklist=1 # Block known malicious nodes
# Log file
{{ logfile }}
log-level=0 # Minimal logs, WILL NOT log peers or wallets connecting
{{ maxlogsize }}
# P2P full node
#p2p-bind-ip=0.0.0.0 # Bind to all interfaces (the default)
#p2p-bind-port=18080 # Bind to default port
#no-igd=1 # Disable UPnP port mapping
# RPC open node
{{ publicnode }}
rpc-restricted-bind-ip=0.0.0.0 # Bind to all interfaces (the Open Node)
rpc-restricted-bind-port=18089 # Bind to a new RESTICTED port (the Open Node)
# RPC TLS
rpc-ssl=autodetect # Use TLS if client wallet supports it (Default); A new certificate will be regenerated every restart
# ZMQ
#zmq-rpc-bind-ip=127.0.0.1 # Default 127.0.0.1
#zmq-rpc-bind-port=18082 # Default 18082
zmq-pub=tcp://127.0.0.1:18083 # ZMQ pub
#no-zmq=1 # Disable ZMQ RPC server
# Mempool size
max-txpool-weight=2684354560 # Maximum unconfirmed transactions pool size in bytes (here ~2.5GB, default ~618MB)
# Database sync mode
#db-sync-mode=safe:sync # Slow but reliable db writes
# Network limits
out-peers=24 # This will enable much faster sync and tx awareness; the default 8 is suboptimal nowadays
in-peers=48 # The default is unlimited; we prefer to put a cap on this
limit-rate-up=1048576 # 1048576 kB/s == 1GB/s; a raise from default 2048 kB/s; contribute more to p2p network
limit-rate-down=1048576 # 1048576 kB/s == 1GB/s; a raise from default 8192 kB/s; allow for faster initial sync
# Tor/I2P: broadcast transactions originating from connected wallets over Tor/I2P (does not concern relayed transactions)
#tx-proxy=i2p,127.0.0.1:4447,16.disable_noise # I2P
#tx-proxy=tor,127.0.0.1:9050,16,disable_noise # Tor
# Tor/I2P: tell monerod your onion address so it can be advertised on P2P network
#anonymous-inbound=PASTE_YOUR_I2P_HOSTNAME,127.0.0.1:18085,64 # I2P
#anonymous-inbound=PASTE_YOUR_ONION_HOSTNAME:18084,127.0.0.1:18084,64 # Tor
# Tor: be forgiving to connecting wallets
disable-rpc-ban=1
```

52
docs/macros/includes/tor_template Normal file
View file

@ -0,0 +1,52 @@
!!! success "The end goal"
To enable the following services:
* yourlongv3onionaddress.onion:18084 - onion P2P service (for other onion nodes)
* yourlongv3onionaddress.onion:18089 - onion RPC service (for wallets connecting over Tor)
**Onion service for P2P network** is useful for other full node users as it allows them to broadcast transactions over Tor (using `--tx-proxy` option).
**Onion service for wallet interface** is useful for wallet users connecting over Tor because it mitigates Clearnet and Tor exit node MiTM risks (which are very real). By connecting wallet to an onion service, no MiTM attack is realistic because onion connections are end-to-end encrypted.
??? question "Why different P2P ports for clearnet and onion?"
A: The data served by the Onion p2p port differs from clearnet P2P. A different port is required.
1. Elevate to root:
``` Bash
sudo su -
```
2. [:link: Install Tor](https://support.torproject.org/apt/#apt_tor-deb-repo)
3. Add the following lines to `/etc/tor/torrc`:
``` ApacheConf
HiddenServiceDir /var/lib/tor/monerod
HiddenServicePort 18089 127.0.0.1:18089 # interface for wallet ("RPC")
HiddenServicePort 18084 127.0.0.1:18084 # interface for P2P network
```
4. Enable Tor service:
``` Bash
systemctl enable tor
systemctl restart tor
```
5. View/Copy your new Onion Address:
``` Bash
cat /var/lib/tor/monerod/hostname
```
6. Copy the result into your Monero [**config file** :link:{ title="Monerod Config" }]{{ config }}, enabling these options:
``` ini
anonymous-inbound=yourlongv3onionaddress.onion,127.0.0.1:18084
tx-proxy=tor,127.0.0.1:9050,disable_noise
```
Replace `yourlongv3onionaddress.onion` with your onion address.
7. The node is now available on Tor. You can check that the service is working by using curl:
``` Bash
curl -x socks5h://127.0.0.1:9050 http://yourlongv3onionaddress.onion:18089/get_info
```
??? info "Backup Onion keys"
You may want to backup your keys folder (`/var/lib/tor/monerod`) to secure control over your onion address.
??? info "How Tor onion services work?"
A fresh onion address and corresponding key pair were created for you in /var/lib/tor/monero/.
This happens on restart whenever you add a new `HiddenServiceDir` to the `/etc/tor/torrc` config file.
The tor daemon will forward traffic from a virtual onion port to an actual localhost port, where some service is listening (in our case, this will be `monerod`).
A single onion address can offer multiple services at various virtual ports.

9
mkdocs.yml
View file

@ -20,11 +20,10 @@ nav:
- Monerod:
- Flags: 'interacting/monerod-reference.md'
- Setup Guide:
# - I2P: 'running-node/open-node-tor-onion.md' TODO
- Tor: 'running-node/open-node-tor-onion.md'
- Systemd: 'running-node/open-node-tor-onion.md'
- Tor & I2P: 'running-node/monerod-tori2p.md'
- Sample Configs:
- VPS: 'interacting/monero-config-file.md'
# - Home: 'interacting/moneord-tori2p.md' # TODO
- Home: 'interacting/monero-config-file.md'
- Wallets:
- monero-wallet-gui: 'interacting/monero-wallet-gui-reference.md'
- monero-wallet-cli: 'interacting/monero-wallet-cli-reference.md'
@ -172,6 +171,8 @@ markdown_extensions:
- pymdownx.inlinehilite
- pymdownx.superfences # nest code blocks inside codeblocks
- pymdownx.snippets # insert content from other files
- pymdownx.tabbed:
alternate_style: true
- tables
plugins:

4
po/running-node-open-node-tor-onion.md.cfg → po/running-node-monerod-systemd.md.cfg
View file

@ -1,5 +1,5 @@
[po4a_langs] es it pl fr ar ru de nl pt tr zh zh-TW nb
[po4a_paths] ../weblate/en/running-node/open-node-tor-onion.md.pot $lang:../weblate/$lang/running-node/open-node-tor-onion.md.po
[po4a_paths] ../weblate/en/running-node/monerod-systemd.md.pot $lang:../weblate/$lang/running-node/monerod-systemd.md.po
[options] opt:"--keep=0"
[options] opt:"--localized-charset=UTF-8"
@ -10,4 +10,4 @@
[po4a_alias:markdown] text opt:"--option markdown"
[type: markdown] ../docs/en/running-node/open-node-tor-onion.md $lang:../docs/$lang/running-node/open-node-tor-onion.md
[type: markdown] ../docs/en/running-node/monerod-systemd.md $lang:../docs/$lang/running-node/monerod-systemd.md