Skip to content

Add Tor Hidden Service instructions to Full Node guide #4609

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
refined-element wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add Tor Hidden Service instructions to Full Node guide #4609

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
212 changes: 212 additions & 0 deletions en/full-node.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1284,6 +1284,218 @@ instructions, please [open an issue.](https://github.com/bitcoin-dot-org/bitcoin

<div class="toccontent-block boxexpand expanded" markdown="1">

## Running as a Tor Hidden Service

Running your Bitcoin full node as a Tor hidden service provides enhanced privacy by hiding your node's IP address from the network. This also allows users behind restrictive firewalls or NAT to run accessible full nodes without port forwarding.

### Why Run a Tor Hidden Service?

- **Privacy**: Your home IP address is not exposed to the Bitcoin network
- **Censorship resistance**: Tor makes it harder for ISPs or governments to block your node
- **No port forwarding required**: Hidden services work behind NAT without router configuration
- **Support network diversity**: Tor nodes help users who can only connect via Tor

### Installing Tor

<div class="box" markdown="1">
*Linux Instructions*

Install Tor from your distribution's package manager:

{% highlight bash %}
## Debian/Ubuntu
sudo apt update
sudo apt install tor

## Fedora
sudo dnf install tor

## Arch Linux
sudo pacman -S tor
{% endhighlight %}

Enable and start the Tor service:

{% highlight bash %}
sudo systemctl enable tor
sudo systemctl start tor
{% endhighlight %}

</div>

<div class="box" markdown="1">
*Windows Instructions*

1. Download the Tor Expert Bundle from the [Tor Project website](https://www.torproject.org/download/tor/)
2. Extract it to a permanent location (e.g., `C:\Tor`)
3. Open a Command Prompt as Administrator
4. Navigate to the Tor directory and run: `tor.exe --service install`
Comment on lines +1331 to +1332
Copy link

Copilot AI Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Windows installation instructions suggest running tor.exe --service install from the command line, but this requires administrative privileges and installs Tor as a Windows service. However, there's no guidance on how to configure the torrc file before installing the service, or how to start/stop the service after installation. Consider adding steps to configure torrc first, and instructions on managing the service (e.g., using net start tor and net stop tor).

Suggested change
3. Open a Command Prompt as Administrator
4. Navigate to the Tor directory and run: `tor.exe --service install`
3. Create or edit a Tor configuration file (`torrc`) in a suitable location (for example, `C:\Tor\Data\Tor\torrc`) and add your desired settings.
4. Open a Command Prompt as Administrator.
5. Navigate to the Tor directory and install Tor as a Windows service:
`tor.exe --service install`
6. After installation, you can manage the Tor service from an Administrator Command Prompt using:
* Start: `net start tor`
* Stop: `net stop tor`
You can also manage the service via the Windows “Services” management console (`services.msc`).

Copilot uses AI. Check for mistakes.

Alternatively, if you have the Tor Browser installed, you can configure it to run in the background.

</div>

<div class="box" markdown="1">
*macOS Instructions*

Install Tor using Homebrew:

{% highlight bash %}
brew install tor
{% endhighlight %}

Start Tor as a service:

{% highlight bash %}
brew services start tor
{% endhighlight %}

</div>

### Configuring the Tor Hidden Service

You need to edit the Tor configuration file (`torrc`) to create a hidden service for your Bitcoin node.

<div class="box" markdown="1">
*Linux*

The torrc file is typically located at `/etc/tor/torrc`. Edit it with root privileges:

{% highlight bash %}
sudo nano /etc/tor/torrc
{% endhighlight %}

</div>

<div class="box" markdown="1">
*Windows*

The torrc file is in your Tor installation directory. Edit it with a text editor running as Administrator.

</div>

<div class="box" markdown="1">
*macOS*

The torrc file is at `/opt/homebrew/etc/tor/torrc` (Apple Silicon) or `/usr/local/etc/tor/torrc` (Intel).

{% highlight bash %}
nano /opt/homebrew/etc/tor/torrc
{% endhighlight %}

</div>

Add the following lines to create a hidden service for Bitcoin:

HiddenServiceDir /var/lib/tor/bitcoin-service/
HiddenServicePort 8333 127.0.0.1:8333

Comment on lines +1389 to +1392
Copy link

Copilot AI Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The HiddenServiceDir path /var/lib/tor/bitcoin-service/ is correct for Linux, but on macOS when using Homebrew, the Tor data directory should typically be under /usr/local/var/lib/tor/ (Intel) or /opt/homebrew/var/lib/tor/ (Apple Silicon). This inconsistency will cause issues when macOS users try to find their hidden service hostname file at line 1412. Consider adding a platform-specific note or updating the path for macOS users.

Suggested change
HiddenServiceDir /var/lib/tor/bitcoin-service/
HiddenServicePort 8333 127.0.0.1:8333
**Linux**
HiddenServiceDir /var/lib/tor/bitcoin-service/
HiddenServicePort 8333 127.0.0.1:8333
**macOS (Apple Silicon, Homebrew default)**
HiddenServiceDir /opt/homebrew/var/lib/tor/bitcoin-service/
HiddenServicePort 8333 127.0.0.1:8333
**macOS (Intel, Homebrew default)**
HiddenServiceDir /usr/local/var/lib/tor/bitcoin-service/
HiddenServicePort 8333 127.0.0.1:8333

Copilot uses AI. Check for mistakes.
On Windows, use a path like `C:\Tor\bitcoin-service\` instead.

After editing, restart Tor:

{% highlight bash %}
## Linux
sudo systemctl restart tor

## macOS
brew services restart tor
Copy link

Copilot AI Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The instructions for restarting Tor after editing the torrc file are provided only for Linux and macOS, but not for Windows. Windows users who install Tor as a service need instructions on how to restart it (e.g., using net stop tor followed by net start tor in an Administrator Command Prompt, or using the Services management console). Add Windows-specific instructions for restarting the Tor service.

Suggested change
brew services restart tor
brew services restart tor
## Windows
:: From an Administrator Command Prompt:
net stop tor
net start tor
:: Or use the Services management console (services.msc)

Copilot uses AI. Check for mistakes.
{% endhighlight %}

Tor will automatically create your hidden service directory and generate your `.onion` address. Find your address with:

{% highlight bash %}
## Linux
sudo cat /var/lib/tor/bitcoin-service/hostname

## macOS
cat /var/lib/tor/bitcoin-service/hostname
Copy link

Copilot AI Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instructions for viewing the hidden service hostname are provided for Linux and macOS but not for Windows. Windows users need to know how to view their .onion address (e.g., using type C:\Tor\bitcoin-service\hostname in Command Prompt or opening the file in Notepad). Add Windows-specific instructions.

Suggested change
cat /var/lib/tor/bitcoin-service/hostname
cat /var/lib/tor/bitcoin-service/hostname
## Windows (Command Prompt)
type C:\Tor\bitcoin-service\hostname

Copilot uses AI. Check for mistakes.
Comment on lines +1411 to +1412
Copy link

Copilot AI Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The command to view the hidden service hostname on macOS specifies /var/lib/tor/bitcoin-service/hostname, but this path is inconsistent with the macOS Tor data directory. When Tor is installed via Homebrew on macOS, the hidden service directory should be located under /usr/local/var/lib/tor/ (Intel) or /opt/homebrew/var/lib/tor/ (Apple Silicon). Update this command to use the correct macOS path or add a note about the platform-specific location.

Copilot uses AI. Check for mistakes.
{% endhighlight %}

Your address will look like: `abc123...xyz.onion`

### Configuring Bitcoin Core for Tor

Add the following lines to your Bitcoin Core configuration file (`bitcoin.conf`):

## Enable listening for incoming connections
listen=1

## Connect through the Tor SOCKS proxy
proxy=127.0.0.1:9050

## Bind to localhost for the hidden service
bind=127.0.0.1

## Tell Bitcoin Core about your onion address (replace with your actual .onion address)
externalip=youronionaddress.onion

## Only connect to .onion addresses (optional, for maximum privacy)
#onlynet=onion
Comment on lines +1421 to +1434
Copy link

Copilot AI Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The bitcoin.conf configuration uses double hash marks (##) for comments, but Bitcoin Core's configuration file format uses single hash marks (#) for comments. This is inconsistent with Bitcoin Core's standard configuration format and could confuse users. Change all ## to # in the configuration examples.

Copilot uses AI. Check for mistakes.

If you want your node to connect to both regular IPv4/IPv6 nodes AND Tor nodes, use this configuration instead:

listen=1
bind=127.0.0.1
proxy=127.0.0.1:9050
externalip=youronionaddress.onion

## Explicitly allow connections to IPv4 and onion networks
Copy link

Copilot AI Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The configuration comment uses double hash marks (##) but Bitcoin Core's configuration file format uses single hash marks (#). Change ## to # for consistency with Bitcoin Core's standard configuration format.

Copilot uses AI. Check for mistakes.
onlynet=ipv4
onlynet=onion
Comment on lines +1436 to +1445
Copy link

Copilot AI Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The configuration uses bind=127.0.0.1 which binds Bitcoin Core only to localhost. This is correct for a Tor-only setup, but for the dual configuration (IPv4 + Tor) shown in the second example, this may prevent IPv4 connections from working properly unless users also configure port forwarding to localhost. Consider clarifying that bind=127.0.0.1 is specifically for the hidden service and that users running dual-stack should understand the implications, or provide a more complete dual-stack configuration example.

Copilot uses AI. Check for mistakes.

Copy link

Copilot AI Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The "Verifying Your Hidden Service" section begins with "After restarting Bitcoin Core" but there are no explicit instructions to restart Bitcoin Core after modifying bitcoin.conf. While experienced users may understand this is necessary, adding an explicit instruction to restart Bitcoin Core after saving the bitcoin.conf changes would improve clarity for novice users.

Suggested change
After saving your changes to `bitcoin.conf`, restart Bitcoin Core to apply the new Tor settings.

Copilot uses AI. Check for mistakes.
### Verifying Your Hidden Service

After restarting Bitcoin Core, verify your Tor hidden service is working:

{% highlight bash %}
bitcoin-cli getnetworkinfo
{% endhighlight %}

Look for the `localaddresses` section in the output. You should see your `.onion` address listed:

"localaddresses": [
{
"address": "youronionaddress.onion",
"port": 8333,
"score": 4
}
]

You can also check that Tor connections are working by looking at your peer connections:

{% highlight bash %}
bitcoin-cli getpeerinfo | grep "\.onion"
{% endhighlight %}

If you see other `.onion` addresses in your peer list, your node is successfully connecting through Tor.

### Troubleshooting

**Tor service not running**: Ensure Tor is started and check its status:
{% highlight bash %}
sudo systemctl status tor
{% endhighlight %}

**Hidden service directory permissions**: Tor requires specific permissions on the hidden service directory. If you see permission errors, the directory should be owned by the Tor user (usually `debian-tor` on Debian/Ubuntu or `tor` on other systems):
{% highlight bash %}
sudo chown -R debian-tor:debian-tor /var/lib/tor/bitcoin-service/
sudo chmod 700 /var/lib/tor/bitcoin-service/
{% endhighlight %}

**Bitcoin Core can't connect through proxy**: Verify Tor is listening on port 9050:
{% highlight bash %}
ss -tlnp | grep 9050
{% endhighlight %}

Comment on lines +1475 to +1490
Copy link

Copilot AI Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The troubleshooting section provides only Linux-specific commands (systemctl status tor, ss -tlnp | grep 9050). Windows and macOS users experiencing issues won't be able to use these commands. Consider adding platform-specific alternatives (e.g., for Windows: checking Services.msc for Tor service status, using netstat -an | findstr 9050 to check if Tor is listening).

Suggested change
**Tor service not running**: Ensure Tor is started and check its status:
{% highlight bash %}
sudo systemctl status tor
{% endhighlight %}
**Hidden service directory permissions**: Tor requires specific permissions on the hidden service directory. If you see permission errors, the directory should be owned by the Tor user (usually `debian-tor` on Debian/Ubuntu or `tor` on other systems):
{% highlight bash %}
sudo chown -R debian-tor:debian-tor /var/lib/tor/bitcoin-service/
sudo chmod 700 /var/lib/tor/bitcoin-service/
{% endhighlight %}
**Bitcoin Core can't connect through proxy**: Verify Tor is listening on port 9050:
{% highlight bash %}
ss -tlnp | grep 9050
{% endhighlight %}
**Tor service not running**: Ensure Tor is started and check its status.
*On Linux (systemd-based distributions):*
{% highlight bash %}
sudo systemctl status tor
{% endhighlight %}
*On Windows:*
- If you installed Tor as a service, open `services.msc` and check that the **Tor** service is running.
- If you use Tor Browser, make sure Tor Browser is open and connected.
*On macOS (Homebrew installation):*
{% highlight bash %}
brew services list | grep tor
{% endhighlight %}
**Hidden service directory permissions**: Tor requires specific permissions on the hidden service directory. If you see permission errors, the directory should be owned by the Tor user (usually `debian-tor` on Debian/Ubuntu or `tor` on other systems):
{% highlight bash %}
sudo chown -R debian-tor:debian-tor /var/lib/tor/bitcoin-service/
sudo chmod 700 /var/lib/tor/bitcoin-service/
{% endhighlight %}
**Bitcoin Core can't connect through proxy**: Verify Tor is listening on port 9050.
*On Linux:*
{% highlight bash %}
ss -tlnp | grep 9050
{% endhighlight %}
*On Windows (Command Prompt):*
{% highlight bash %}
netstat -an | findstr 9050
{% endhighlight %}
*On Windows (PowerShell):*
{% highlight bash %}
Get-NetTCPConnection -LocalPort 9050
{% endhighlight %}
*On macOS:*
{% highlight bash %}
netstat -an | grep 9050
{% endhighlight %}

Copilot uses AI. Check for mistakes.
**No incoming Tor connections**: Hidden services can take up to 30 minutes to be fully published. Be patient and check again later.

For additional help, please consult the [Bitcoin Core documentation](https://github.com/bitcoin/bitcoin/blob/master/doc/tor.md) or ask in the [Bitcoin community](/en/community).

</div>

<div class="toccontent-block boxexpand expanded" markdown="1">

## Configuration Tuning

This section contains advice about how to change your Bitcoin Core
Expand Down
Loading