Tor
Algonode uses only two tor containers:

- tor: for bitcoin rpc communication with other nodes for blockchain sync
- lnd-tor: lnd node to communicate with other nodes via the onion network
All the other services are accessible through fully qualified URLs routed by traefik. The configuration of the VPN to reach the host is outside of the scope of this document.
1. Tor Containers
Umbrel uses tor for p2p communication with other nodes on the network and creates a tor sidecar for every service that needs an exposed web interface:

```sh
sudo docker container ls --format "{{.ID}}\t{{.Names}}\t{{.Size}}" | column -t | grep tor
```

```
c3198e6b2f14 lightning_tor_1 24.7MB (virtual 319MB)
b04ed29facab electrs_tor_1 24.7MB (virtual 319MB)
60b090f9ba9a bitcoin_tor_1 24.7MB (virtual 319MB)
605c3a3bbf49 tor_proxy 25.2MB (virtual 320MB)
```

- lightning_tor_1, electrs_tor_1: used for the web interface
- bitcoin_tor_1: statically defined services for bitcoin server sync (port 8334) and bitcoin rpc service (8332)
- tor_proxy: used by lnd, which sets tor.active to configure tor dynamically
When tor.active=1 is set, LND:

- Connects to the Tor control port (9051)
- Creates an ephemeral Tor hidden service for the peer-to-peer port (9735) so other nodes can connect to you via a .onion address
- Optionally routes all outbound connections over Tor, depending on other flags (like tor.streamisolation, tor.skip-proxy-for-clearnet-targets, or tor.socks)
Algonode removed all the per-service tor containers; only the bitcoin tor P2P hidden service remains, used by the bitcoind and lnd services.
2. Security
2.1 Use CookieAuthentication
Umbrel uses convoluted shell scripts that create the torrc files.

The control password is stored in two places:

- Hashed form inside ~/umbrel/app-data/bitcoin/torrc:

```
SocksPort 0.0.0.0:9050
ControlPort 0.0.0.0:9051
CookieAuthentication 1
CookieAuthFileGroupReadable 1
HashedControlPassword 16:39AF5EEFA4FC1D986022FDFB13663669FE50FB6DE9A3B4FE4FC7D82010 # moneyprintergobrrr
# Bitcoin Core P2P Hidden Service
HiddenServiceDir /data/app-bitcoin-p2p
HiddenServicePort 8333 10.21.21.8:8334
# Bitcoin Core RPC Hidden Service
HiddenServiceDir /data/app-bitcoin-rpc
HiddenServicePort 8332 10.21.21.8:8332
```

- Text form inside ~/umbrel/app-data/bitcoin/data/bitcoin/umbrel-bitcoin.conf:

```
# Tor control <ip:port> and password to use when onion listening enabled.
torcontrol=10.21.22.2:9051
torpassword=moneyprintergobrrr
```
Algonode:

- Removes HashedControlPassword and uses CookieAuthFile instead (./appconfig/tor/torrc):

```
SocksPort 0.0.0.0:9050
ControlPort 0.0.0.0:9051
CookieAuthentication 1
CookieAuthFile /data/tor/control_auth_cookie
CookieAuthFileGroupReadable 1
# HashedControlPassword 16:39AF5EEFA4FC1D986022FDFB13663669FE50FB6DE9A3B4FE4FC7D82010 # moneyprintergobrrr
# Bitcoin Core P2P Hidden Service
HiddenServiceDir /data/app-bitcoin-p2p
HiddenServicePort 8333 10.21.22.8:8334 # bitcoin node listens on port 8334 for connections from onion network
## Will not be using bitcoin node over tor
# # Bitcoin Core RPC Hidden Service
# HiddenServiceDir /data/app-bitcoin-rpc
# HiddenServicePort 8332 10.21.22.8:8332
```

- Removes torpassword from bitcoin.conf (umbrel-bitcoin.conf) and mounts the volume with the cookie instead for authentication.
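Two helpers for verifying this change, as an added example that is not Algonode's or Umbrel's own code: a torrc check that passes only when cookie authentication is configured and no HashedControlPassword is active (commented-out directives are ignored, as Tor ignores them), and a builder for the control-protocol AUTHENTICATE command, which sends the 32-byte cookie hex-encoded. The default paths, the container name tor and the use of nc for the live check are assumptions, not values from the page.

```sh
#!/bin/sh
# Added example, not Algonode's or Umbrel's code. Defaults below are assumed.

# Return 0 when the torrc relies on cookie authentication and has no active
# HashedControlPassword. Text after '#' is dropped first, so a commented-out
# password line does not count (Tor's parser treats it the same way).
torrc_uses_cookie_auth() {
  torrc="${1:-/data/tor/torrc}"   # assumed default path
  active=$(sed 's/#.*//' "$torrc") || return 1
  printf '%s\n' "$active" | grep -Eq '^[[:space:]]*CookieAuthentication[[:space:]]+1[[:space:]]*$' || return 1
  if printf '%s\n' "$active" | grep -Eq '^[[:space:]]*HashedControlPassword[[:space:]]'; then
    return 1
  fi
  return 0
}

# Print the AUTHENTICATE command (without line ending) for a cookie file.
# Tor's control_auth_cookie is exactly 32 bytes; anything else is rejected
# here rather than sent, since a truncated mount is a common mistake.
cookie_auth_command() {
  cookie="${1:-/data/tor/control_auth_cookie}"
  size=$(wc -c < "$cookie" | tr -d ' ')
  [ "$size" -eq 32 ] || { echo "cookie is $size bytes, expected 32" >&2; return 1; }
  hex=$(od -An -v -tx1 "$cookie" | tr -d ' \n')
  printf 'AUTHENTICATE %s' "$hex"
}

# Live check against a running control port: authenticate with the mounted
# cookie and expect "250 OK". Assumes nc is available in the container.
check_control_port() {
  host="${1:-tor}"; port="${2:-9051}"; cookie="${3:-/data/tor/control_auth_cookie}"
  cmd=$(cookie_auth_command "$cookie") || return 1
  printf '%s\r\nQUIT\r\n' "$cmd" | nc -w 5 "$host" "$port" | grep -q '^250 OK'
}

# Usage: torcheck.sh live [host] [port] [cookie]
case "${1:-}" in
  live) shift; check_control_port "$@" && echo "cookie auth OK" ;;
esac
```

Run torrc_uses_cookie_auth against a torrc before deploying it: the Umbrel file fails because its HashedControlPassword line is active, the Algonode file passes because that line is commented out and CookieAuthFile is set. The live check confirms that the cookie mounted into the client container is the same one the tor container generated.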
2.2 lnd-tor hardening

- Added --tor.streamisolation: to use separate circuits for each node connection
2.3 tor-watchdog
Added another container, tor-watchdog, which is a simple alpine container with docker-cli and curl that checks the tor container and restarts it if it gets stuck.
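The watchdog logic in shell, as an added example that is not the script inside Algonode's tor-watchdog container. It assumes (none of this is from the page) that the tor container is named tor, that its SOCKS port is reachable at tor:9050 from the watchdog container, that the docker socket is mounted so docker-cli can restart it, and that check.torproject.org is used as the reachability probe. The restart decision is kept in a separate function so the policy can be tested without tor or docker.

```sh
#!/bin/sh
# Added example, not the Algonode tor-watchdog script. All values below are
# assumed defaults and can be overridden through the environment.
TOR_CONTAINER="${TOR_CONTAINER:-tor}"
TOR_SOCKS="${TOR_SOCKS:-socks5h://tor:9050}"
PROBE_URL="${PROBE_URL:-https://check.torproject.org/api/ip}"
INTERVAL="${INTERVAL:-60}"
MAX_FAILURES="${MAX_FAILURES:-3}"

# Probe through the SOCKS proxy. socks5h makes tor resolve the hostname, so a
# tor instance whose DNS path is broken also counts as unhealthy.
tor_is_healthy() {
  curl -sS --max-time 30 --proxy "$TOR_SOCKS" "$PROBE_URL" 2>/dev/null | grep -q '"IsTor":true'
}

# Pure decision step: $1 = consecutive failures so far, $2 = 0 healthy / 1 unhealthy.
# Prints the new failure count, or "restart" once MAX_FAILURES probes in a row
# have failed. A single failed probe never restarts tor, since a slow circuit
# is normal and a restart would drop every open circuit for bitcoind and lnd.
watchdog_step() {
  failures="$1"
  if [ "$2" -eq 0 ]; then
    echo 0
    return 0
  fi
  failures=$((failures + 1))
  if [ "$failures" -ge "$MAX_FAILURES" ]; then
    echo restart
  else
    echo "$failures"
  fi
}

restart_tor() {
  echo "$(date -u +%FT%TZ) tor unreachable $MAX_FAILURES times, restarting $TOR_CONTAINER" >&2
  docker restart "$TOR_CONTAINER"
}

watchdog_loop() {
  failures=0
  while :; do
    if tor_is_healthy; then unhealthy=0; else unhealthy=1; fi
    next=$(watchdog_step "$failures" "$unhealthy")
    if [ "$next" = restart ]; then
      restart_tor
      failures=0
    else
      failures=$next
    fi
    sleep "$INTERVAL"
  done
}

# Only start the loop when invoked as "tor-watchdog.sh run", so the functions
# can be sourced and tested on their own.
case "${1:-}" in
  run) watchdog_loop ;;
esac
```

In a compose file this container needs the docker socket mounted and access to the same network as the tor container; the restart log line goes to stderr so it shows up in docker logs for the watchdog container.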
References
- https://github.com/bitcoin/bitcoin/blob/master/doc/tor.md
- https://barneybuffet.github.io/docker-tor/
- https://github.com/morian/tor-client-docker
- https://en.bitcoin.it/wiki/Setting_up_a_Tor_hidden_service
- https://docs.lightning.engineering/lightning-network-tools/lnd/configuring_tor