mirror of
https://github.com/dashpay/dash.git
synced 2024-12-25 20:12:57 +01:00
merge bitcoin#20757: tor.md and -onlynet help updates
This commit is contained in:
parent
f003f00e9a
commit
052b2d0dc1
153
doc/tor.md
153
doc/tor.md
@ -16,14 +16,19 @@ outgoing connections, but more is possible.
|
|||||||
|
|
||||||
-proxy=ip:port Set the proxy server. If SOCKS5 is selected (default), this proxy
|
-proxy=ip:port Set the proxy server. If SOCKS5 is selected (default), this proxy
|
||||||
server will be used to try to reach .onion addresses as well.
|
server will be used to try to reach .onion addresses as well.
|
||||||
|
You need to use -noonion or -onion=0 to explicitly disable
|
||||||
|
outbound access to onion services.
|
||||||
|
|
||||||
-onion=ip:port Set the proxy server to use for Tor onion services. You do not
|
-onion=ip:port Set the proxy server to use for Tor onion services. You do not
|
||||||
need to set this if it's the same as -proxy. You can use -noonion
|
need to set this if it's the same as -proxy. You can use -onion=0
|
||||||
to explicitly disable access to onion services.
|
to explicitly disable access to onion services.
|
||||||
|
Note: Only the -proxy option sets the proxy for DNS requests;
|
||||||
|
with -onion they will not route over Tor, so use -proxy if you
|
||||||
|
have privacy concerns.
|
||||||
|
|
||||||
-listen When using -proxy, listening is disabled by default. If you want
|
-listen When using -proxy, listening is disabled by default. If you want
|
||||||
to run an onion service (see next section), you'll need to enable
|
to manually configure an onion service (see section 3), you'll
|
||||||
it explicitly.
|
need to enable it explicitly.
|
||||||
|
|
||||||
-connect=X When behind a Tor proxy, you can specify .onion addresses instead
|
-connect=X When behind a Tor proxy, you can specify .onion addresses instead
|
||||||
-addnode=X of IP addresses or hostnames in these parameters. It requires
|
-addnode=X of IP addresses or hostnames in these parameters. It requires
|
||||||
@ -33,7 +38,11 @@ outgoing connections, but more is possible.
|
|||||||
-onlynet=onion Make outgoing connections only to .onion addresses. Incoming
|
-onlynet=onion Make outgoing connections only to .onion addresses. Incoming
|
||||||
connections are not affected by this option. This option can be
|
connections are not affected by this option. This option can be
|
||||||
specified multiple times to allow multiple network types, e.g.
|
specified multiple times to allow multiple network types, e.g.
|
||||||
ipv4, ipv6, or onion.
|
ipv4, ipv6 or onion. If you use this option with values other
|
||||||
|
than onion you *cannot* disable onion connections; outgoing onion
|
||||||
|
connections will be enabled when you use -proxy or -onion. Use
|
||||||
|
-noonion or -onion=0 if you want to be sure there are no outbound
|
||||||
|
onion connections over the default proxy or your defined -proxy.
|
||||||
|
|
||||||
An example how to start the client if the Tor proxy is running on local host on
|
An example how to start the client if the Tor proxy is running on local host on
|
||||||
port 9050 and only allows .onion nodes to connect:
|
port 9050 and only allows .onion nodes to connect:
|
||||||
@ -44,8 +53,99 @@ In a typical situation, this suffices to run behind a Tor proxy:
|
|||||||
|
|
||||||
./dashd -proxy=127.0.0.1:9050
|
./dashd -proxy=127.0.0.1:9050
|
||||||
|
|
||||||
|
## 2. Automatically create a Dash Core onion service
|
||||||
|
|
||||||
## 2. Run a Dash Core hidden server
|
Dash Core makes use of Tor's control socket API to create and destroy
|
||||||
|
ephemeral onion services programmatically. This means that if Tor is running and
|
||||||
|
proper authentication has been configured, Dash Core automatically creates an
|
||||||
|
onion service to listen on. The goal is to increase the number of available
|
||||||
|
onion nodes.
|
||||||
|
|
||||||
|
This feature is enabled by default if Dash Core is listening (`-listen`) and
|
||||||
|
it requires a Tor connection to work. It can be explicitly disabled with
|
||||||
|
`-listenonion=0`. If it is not disabled, it can be configured using the
|
||||||
|
`-torcontrol` and `-torpassword` settings.
|
||||||
|
|
||||||
|
To see verbose Tor information in the dashd debug log, pass `-debug=tor`.
|
||||||
|
|
||||||
|
### Control Port
|
||||||
|
|
||||||
|
You may need to set up the Tor Control Port. On Linux distributions there may be
|
||||||
|
some or all of the following settings in `/etc/tor/torrc`, generally commented
|
||||||
|
out by default (if not, add them):
|
||||||
|
|
||||||
|
```
|
||||||
|
ControlPort 9051
|
||||||
|
CookieAuthentication 1
|
||||||
|
CookieAuthFileGroupReadable 1
|
||||||
|
```
|
||||||
|
|
||||||
|
Add or uncomment those, save, and restart Tor (usually `systemctl restart tor`
|
||||||
|
or `sudo systemctl restart tor` on most systemd-based systems, including recent
|
||||||
|
Debian and Ubuntu, or just restart the computer).
|
||||||
|
|
||||||
|
On some systems (such as Arch Linux), you may also need to add the following
|
||||||
|
line:
|
||||||
|
|
||||||
|
```
|
||||||
|
DataDirectoryGroupReadable 1
|
||||||
|
```
|
||||||
|
|
||||||
|
### Authentication
|
||||||
|
|
||||||
|
Connecting to Tor's control socket API requires one of two authentication
|
||||||
|
methods to be configured: cookie authentication or dashd's `-torpassword`
|
||||||
|
configuration option.
|
||||||
|
|
||||||
|
#### Cookie authentication
|
||||||
|
|
||||||
|
For cookie authentication, the user running dashd must have read access to
|
||||||
|
the `CookieAuthFile` specified in the Tor configuration. In some cases this is
|
||||||
|
preconfigured and the creation of an onion service is automatic. Don't forget to
|
||||||
|
use the `-debug=tor` dashd configuration option to enable Tor debug logging.
|
||||||
|
|
||||||
|
If a permissions problem is seen in the debug log, e.g. `tor: Authentication
|
||||||
|
cookie /run/tor/control.authcookie could not be opened (check permissions)`, it
|
||||||
|
can be resolved by adding both the user running Tor and the user running
|
||||||
|
dashd to the same Tor group and setting permissions appropriately.
|
||||||
|
|
||||||
|
On Debian-derived systems, the Tor group will likely be `debian-tor` and one way
|
||||||
|
to verify could be to list the groups and grep for a "tor" group name:
|
||||||
|
|
||||||
|
```
|
||||||
|
getent group | cut -d: -f1 | grep -i tor
|
||||||
|
```
|
||||||
|
|
||||||
|
You can also check the group of the cookie file. On most Linux systems, the Tor
|
||||||
|
auth cookie will usually be `/run/tor/control.authcookie`:
|
||||||
|
|
||||||
|
```
|
||||||
|
stat -c '%G' /run/tor/control.authcookie
|
||||||
|
```
|
||||||
|
|
||||||
|
Once you have determined the `${TORGROUP}` and selected the `${USER}` that will
|
||||||
|
run dashd, run this as root:
|
||||||
|
|
||||||
|
```
|
||||||
|
usermod -a -G ${TORGROUP} ${USER}
|
||||||
|
```
|
||||||
|
|
||||||
|
Then restart the computer (or log out) and log in as the `${USER}` that will run
|
||||||
|
dashd.
|
||||||
|
|
||||||
|
#### `torpassword` authentication
|
||||||
|
|
||||||
|
For the `-torpassword=password` option, the password is the clear text form that
|
||||||
|
was used when generating the hashed password for the `HashedControlPassword`
|
||||||
|
option in the Tor configuration file.
|
||||||
|
|
||||||
|
The hashed password can be obtained with the command `tor --hash-password
|
||||||
|
password` (refer to the [Tor Dev
|
||||||
|
Manual](https://2019.www.torproject.org/docs/tor-manual.html.en) for more
|
||||||
|
details).
|
||||||
|
|
||||||
|
|
||||||
|
## 3. Manually create a Dash Core onion service
|
||||||
|
|
||||||
If you configure your Tor system accordingly, it is possible to make your node also
|
If you configure your Tor system accordingly, it is possible to make your node also
|
||||||
reachable from the Tor network. Add these lines to your /etc/tor/torrc (or equivalent
|
reachable from the Tor network. Add these lines to your /etc/tor/torrc (or equivalent
|
||||||
@ -101,7 +201,7 @@ for normal IPv4/IPv6 communication, use:
|
|||||||
./dashd -onion=127.0.0.1:9050 -externalip=ssapp53tmftyjmjb.onion -discover
|
./dashd -onion=127.0.0.1:9050 -externalip=ssapp53tmftyjmjb.onion -discover
|
||||||
|
|
||||||
|
|
||||||
## 3. List of known Dash Core Tor relays
|
## 3.1. List of known Dash Core Tor relays
|
||||||
|
|
||||||
Note: All these nodes are hosted by masternodehosting.com
|
Note: All these nodes are hosted by masternodehosting.com
|
||||||
|
|
||||||
@ -116,45 +216,10 @@ Note: All these nodes are hosted by masternodehosting.com
|
|||||||
* ys5upbdeotplam3y.onion
|
* ys5upbdeotplam3y.onion
|
||||||
* fijy6aikzxfea54i.onion
|
* fijy6aikzxfea54i.onion
|
||||||
|
|
||||||
|
## 4. Privacy recommendations
|
||||||
|
|
||||||
## 4. Automatically listen on Tor
|
- Do not add anything but Dash Core ports to the onion service created in section 3.
|
||||||
|
|
||||||
Starting with Tor version 0.2.7.1 it is possible, through Tor's control socket
|
|
||||||
API, to create and destroy 'ephemeral' onion services programmatically.
|
|
||||||
Dash Core has been updated to make use of this.
|
|
||||||
|
|
||||||
This means that if Tor is running (and proper authentication has been configured),
|
|
||||||
Dash Core automatically creates a onion service to listen on. This will positively
|
|
||||||
affect the number of available .onion nodes.
|
|
||||||
|
|
||||||
This new feature is enabled by default if Dash Core is listening (`-listen`), and
|
|
||||||
requires a Tor connection to work. It can be explicitly disabled with `-listenonion=0`
|
|
||||||
and, if not disabled, configured using the `-torcontrol` and `-torpassword` settings.
|
|
||||||
To show verbose debugging information, pass `-debug=tor`.
|
|
||||||
|
|
||||||
Connecting to Tor's control socket API requires one of two authentication methods to be
|
|
||||||
configured. It also requires the control socket to be enabled, e.g. put `ControlPort 9051`
|
|
||||||
in `torrc` config file. For cookie authentication the user running dashd must have read
|
|
||||||
access to the `CookieAuthFile` specified in Tor configuration. In some cases this is
|
|
||||||
preconfigured and the creation of an onion service is automatic. If permission problems
|
|
||||||
are seen with `-debug=tor` they can be resolved by adding both the user running Tor and
|
|
||||||
the user running dashd to the same group and setting permissions appropriately. On
|
|
||||||
Debian-based systems the user running dashd can be added to the debian-tor group,
|
|
||||||
which has the appropriate permissions. Before starting dashd you will need to re-login
|
|
||||||
to allow debian-tor group to be applied. Otherwise you will see the following notice: "tor:
|
|
||||||
Authentication cookie /run/tor/control.authcookie could not be opened (check permissions)"
|
|
||||||
on debug.log.
|
|
||||||
|
|
||||||
An alternative authentication method is the use
|
|
||||||
of the `-torpassword=password` option. The `password` is the clear text form that
|
|
||||||
was used when generating the hashed password for the `HashedControlPassword` option
|
|
||||||
in the tor configuration file. The hashed password can be obtained with the command
|
|
||||||
`tor --hash-password password` (read the tor manual for more details).
|
|
||||||
|
|
||||||
## 5. Privacy recommendations
|
|
||||||
|
|
||||||
- Do not add anything but Dash Core ports to the onion service created in section 2.
|
|
||||||
If you run a web service too, create a new onion service for that.
|
If you run a web service too, create a new onion service for that.
|
||||||
Otherwise it is trivial to link them, which may reduce privacy. Onion
|
Otherwise it is trivial to link them, which may reduce privacy. Onion
|
||||||
services created automatically (as in section 3) always have only one port
|
services created automatically (as in section 2) always have only one port
|
||||||
open.
|
open.
|
||||||
|
@ -580,7 +580,7 @@ void SetupServerArgs(NodeContext& node)
|
|||||||
argsman.AddArg("-maxtimeadjustment", strprintf("Maximum allowed median peer time offset adjustment. Local perspective of time may be influenced by peers forward or backward by this amount. (default: %u seconds)", DEFAULT_MAX_TIME_ADJUSTMENT), ArgsManager::ALLOW_ANY, OptionsCategory::CONNECTION);
|
argsman.AddArg("-maxtimeadjustment", strprintf("Maximum allowed median peer time offset adjustment. Local perspective of time may be influenced by peers forward or backward by this amount. (default: %u seconds)", DEFAULT_MAX_TIME_ADJUSTMENT), ArgsManager::ALLOW_ANY, OptionsCategory::CONNECTION);
|
||||||
argsman.AddArg("-maxuploadtarget=<n>", strprintf("Tries to keep outbound traffic under the given target (in MiB per 24h). Limit does not apply to peers with 'download' permission. 0 = no limit (default: %d)", DEFAULT_MAX_UPLOAD_TARGET), ArgsManager::ALLOW_ANY, OptionsCategory::CONNECTION);
|
argsman.AddArg("-maxuploadtarget=<n>", strprintf("Tries to keep outbound traffic under the given target (in MiB per 24h). Limit does not apply to peers with 'download' permission. 0 = no limit (default: %d)", DEFAULT_MAX_UPLOAD_TARGET), ArgsManager::ALLOW_ANY, OptionsCategory::CONNECTION);
|
||||||
argsman.AddArg("-onion=<ip:port>", "Use separate SOCKS5 proxy to reach peers via Tor onion services, set -noonion to disable (default: -proxy)", ArgsManager::ALLOW_ANY, OptionsCategory::CONNECTION);
|
argsman.AddArg("-onion=<ip:port>", "Use separate SOCKS5 proxy to reach peers via Tor onion services, set -noonion to disable (default: -proxy)", ArgsManager::ALLOW_ANY, OptionsCategory::CONNECTION);
|
||||||
argsman.AddArg("-onlynet=<net>", "Make outgoing connections only through network <net> (ipv4, ipv6 or onion). Incoming connections are not affected by this option. This option can be specified multiple times to allow multiple networks.", ArgsManager::ALLOW_ANY, OptionsCategory::CONNECTION);
|
argsman.AddArg("-onlynet=<net>", "Make outgoing connections only through network <net> (ipv4, ipv6 or onion). Incoming connections are not affected by this option. This option can be specified multiple times to allow multiple networks. Warning: if it is used with ipv4 or ipv6 but not onion and the -onion or -proxy option is set, then outbound onion connections will still be made; use -noonion or -onion=0 to disable outbound onion connections in this case.", ArgsManager::ALLOW_ANY, OptionsCategory::CONNECTION);
|
||||||
argsman.AddArg("-peerblockfilters", strprintf("Serve compact block filters to peers per BIP 157 (default: %u)", DEFAULT_PEERBLOCKFILTERS), ArgsManager::ALLOW_ANY, OptionsCategory::CONNECTION);
|
argsman.AddArg("-peerblockfilters", strprintf("Serve compact block filters to peers per BIP 157 (default: %u)", DEFAULT_PEERBLOCKFILTERS), ArgsManager::ALLOW_ANY, OptionsCategory::CONNECTION);
|
||||||
argsman.AddArg("-peerbloomfilters", strprintf("Support filtering of blocks and transaction with bloom filters (default: %u)", DEFAULT_PEERBLOOMFILTERS), ArgsManager::ALLOW_ANY, OptionsCategory::CONNECTION);
|
argsman.AddArg("-peerbloomfilters", strprintf("Support filtering of blocks and transaction with bloom filters (default: %u)", DEFAULT_PEERBLOOMFILTERS), ArgsManager::ALLOW_ANY, OptionsCategory::CONNECTION);
|
||||||
argsman.AddArg("-peertimeout=<n>", strprintf("Specify p2p connection timeout in seconds. This option determines the amount of time a peer may be inactive before the connection to it is dropped. (minimum: 1, default: %d)", DEFAULT_PEER_CONNECT_TIMEOUT), ArgsManager::ALLOW_ANY, OptionsCategory::CONNECTION);
|
argsman.AddArg("-peertimeout=<n>", strprintf("Specify p2p connection timeout in seconds. This option determines the amount of time a peer may be inactive before the connection to it is dropped. (minimum: 1, default: %d)", DEFAULT_PEER_CONNECT_TIMEOUT), ArgsManager::ALLOW_ANY, OptionsCategory::CONNECTION);
|
||||||
|
Loading…
Reference in New Issue
Block a user