Bitcoin Core onion-grater profile

Patrick · November 30, 2018, 11:45am

Patrick · December 20, 2020, 6:27am

https://github.com/Whonix/onion-grater/pull/7

qubenix · January 1, 2021, 1:56pm

I realized that this profile can be simplified, but I’m wondering what you think about it @Patrick.

This is how I’ve been running. Is it too permissive like this?

---
- exe-paths:
    - '*'
  users:
    - '*'
  hosts:
    - '*'
  commands:
    ADD_ONION:
      ## {{{ bitcoind onion service
      - pattern:     'NEW:(\S+) Port=(\S+),127.0.0.1:(\S+)'
        replacement: 'NEW:{} Port={},{client-address}:{} Flags=DiscardPK'
      ## }}}

Patrick · January 1, 2021, 2:37pm

No opinion yet. Since you maintain this, please do as you think this can be best maintained.

onion-grater/40_bitcoind.yml at master · Whonix/onion-grater · GitHub

Patrick · January 2, 2021, 7:20am

https://github.com/Whonix/onion-grater/pull/8

nyxnor · September 8, 2022, 3:26pm

I don’t see why this pattern is beneficial?

It is allowing services to be created to any port to be used instead of only 8333.

Ok, so the person wants to create a restest and testnet service, they would need to edit the config, or the config should use all the default ports, eg. 18333 for testnet.

But the default ports can be hardcoded, if a person uses a non default port, then they are already configuring the service diffferently.

My proposal is to implement all default ports patterns so the above can be avoided.

Of course the service is only reachable after port is opened on the firewall. But I think the control port should not allow all ports, only the whitelisted ports.

Seeing the examples
onion-grater/usr/share/doc/onion-grater-merger/examples at master · Whonix/onion-grater · GitHub

None is allowing all ports, only onionshare that has a huge range, but that is onionshare default to have that range and search for open ports.

nyxnor · September 8, 2022, 3:35pm

bitcoind -help

  -port=<port>
       Listen for connections on <port>. Nodes not using the default ports
       (default: 8333, testnet: 18333, signet: 38333, regtest: 18444)
       are unlikely to get incoming connections. Not relevant for I2P
       (see doc/i2p.md).

So the ports are: 8333, 18333, 38333, 18444

Any counter arguments to this?

Patrick · September 9, 2022, 10:53am

Not from me.

## Maintained by: https://forums.whonix.org/u/qubenix <qubenix@riseup.net>

@qubenix?

https://github.com/Whonix/onion-grater/blob/master/usr/share/doc/onion-grater-merger/examples/40_bitcoind.yml

Revert simplify 40_bitcoind.yml · Whonix/onion-grater@9539d88 · GitHub?

nyxnor · September 29, 2022, 10:04pm

Removed the maintained by qubenix, he has not been active since january and did not reply on time.

Did not put my name because I am using default configuration, there is no need to be dependent on me.

“Complicated” the ports to only use defaults instead of allowing any port to be used.

nyxnor · September 30, 2022, 8:26am

wait a little bit before merging, I’m correcting something

nyxnor · September 30, 2022, 10:13am

Good to go now.

Corrected the binding ports.

Bitcoind binds onions to: P2P_port + 1.

This is the request:

ADD_ONION NEW:ED25519-V3 Port=8333,127.0.0.1:8334

sudo netstat -tulnp | grep bitcoin

tcp        0      0 0.0.0.0:8333            0.0.0.0:*               LISTEN      1564026/bitcoind    
tcp        0      0 127.0.0.1:8334          0.0.0.0:*               LISTEN      1564026/bitcoind    
tcp        0      0 127.0.0.1:8332          0.0.0.0:*               LISTEN      1564026/bitcoind    
tcp6       0      0 :::8333                 :::*                    LISTEN      1564026/bitcoind    
tcp6       0      0 ::1:8332                :::*                    LISTEN      1564026/bitcoind

Mainnet;

RPC: 8332
P2P: 8333
bind onion p2p port: 8334

The virtual port is still 8333, but they use a different binding port for onion.

Just saying this so it is easier to debug next time.

I did not choose/configure these ports, this are the default ports.

Patrick · October 1, 2022, 2:05pm

Thanks! Merged.

nyxnor · October 2, 2022, 7:22pm

Ok, there is a problem with the current pattern.

Bitcoin onion-grater profile is only necessary if you want to listen=1 for incoming connections, this means relaying blocks on the p2p network.

Bitcoind does indeed start the onion binding port on 127.0.0.1:8334. This means that it isn’t reachable on $(qubesdb-read /qubes-ip):8334.

It would be reachable on that interface if the onion binding port was 0.0.0.0:8334 or the $(qubesdb-read /qubes-ip):8334, but the first option 0.0.0.0:8334 is better because it does not depend on knowing the qubes ip and updating it.

So if you want to listen for incoming connections, you need to set on the bitcoin.conf:

listen=1
## although this is the default binding address:port,
## it is necessary to set it for it to listen on multiple addresses
## if not set, only 0.0.0.0:8334 would be binded and the default
## bind address and port would not be used
bind=0.0.0.0:8333
bind=0.0.0.0:8334=onion

and opening external port 8334 on the workstation.

This also means that I need to update the onion-grater profile to overwrite the client add onion address with regex to match every address (0.0.0.0 and 127.0.0.01 should be modified to {client-address}). Something like (\S+), will test later.

You can test this is the case for example with nginx by listening on 127.0.0.1:82, only that address will be reachable and not the qubes ip and same port.

nyxnor · October 2, 2022, 8:13pm

https://www.whonix.org/wiki/Onion_Services#cite_note-11

(I don’t really understand how to print the link and not the title of the page with discourse…)

Just like apache only listening on 127.0.0.1, its traffic needs to be redirected to the Workstation listening interface. The thing is that by default nginx starts with 0.0.0.0 (all interfaces).

And using sudo ncat -l 0.0.0.0 8334 -c 'ncat 127.0.0.1 8334' but that is just dumb and prone to mistakes of forgetting about it, better to set in the bitcoin.conf.

So yeah, changing the bitcoin.conf to bind=0.0.0.0:8334=onion is necessary.

And I believe it is reasonable for bitcoind default to 127.0.0.1 for onion connections and not 0.0.0.0, because it could leak server info, but not for Whonix, as it is isolated network with the Gateway.

nyxnor · October 2, 2022, 8:54pm

Used the same pattern as 40_wayhay.yml

nyxnor · October 2, 2022, 9:35pm

Note the first listening address 8333 is only necessary if you want applications to use that address. This is useful for qubes if you want to bind 8333 to another qube and have a pruned node on one qube and a full on another, without the need to set rpc for the other node, thus minimizing risks when possible.

So in the end, it is good to have 8333 always set because that is default bitcoind behavior that most applications will be expecting.

And the reason to set a different port for onion 8334 is:

default bitcoind configuration (except the address 127.0.0.1 which needs to be changed to 0.0.0.0)
correctly tagging incoming connections to that separate port as onion, thus making it very clear it is not coming from localhost. Useful for debugging, logs, verification etc.

Patrick · October 3, 2022, 8:24am

Makes sense.

(Avoid Oneboxing for Anchored Links + Created Improve oneboxing for anchored links - feature - Discourse Meta just now. To discuss this further, would be best to post there or create a new forum thread here.)

nyxnor · October 3, 2022, 11:55am

Ok. So I don’t believe there is a problem with my onion-grater profile, but something strange happens.

github.com/bitcoin/bitcoin

retry add onion after tor's controller closed connection

opened 10:35PM - 02 Oct 22 UTC

nyxnor

Bug

I am running Bitcoind on Qubes-Whonix. Whonix-Gateway is where tor resides, and every tor controller's command made by Whonix-Workstation to Whonix-Gateway is filtered by a proxy called onion-grater (upstream development is made by Tails OS) From this point on I will be referring to tor's controller simply by "control" or "controller". If the control connection is closed by restarting onion-grater to apply new rules (even not regarding the bitcoind.yml) file, bitcoind will remove the current onion and won't be able to set it as address again. ``` RemoveLocal(myonion.onion:8333) tor: No supported authentication method ``` and `bitcoin-cli -netinfo` ``` Local addresses: n/a ``` and of course none of my nodes listening to this address will continue working. ADD_ONION command works the first time but not the second. The problem occurs because bitcoind does not give time for the controller to restart the second time, so the authentication is not "available yet". In fact, tor is not being reloaded or restarted, only the proxy, which is what bitcoind sees as the controller. This happens because I am using bitcoind tor controller feature to send ADD_ONION. If I set the onion service manually on the gateway, I wouldn't have this problem, but then the problem would be: - it wouldn't be pragmatically deleted, although I am rewriting it with `Flag=DiscardPK` anyway - it would stay as a file on the Gateway and the onion address would need to be manually inserted into the bitcoin.conf **Expected behavior** I expect that after bitcoind can't authenticate to the controller, it tries again after some time. This way, I can restart my controller without needing to restart bitcoind for it to get a onion listening address again. **Actual behavior** Bitcoind removes current listening onion hostname and not retry to authenticate to the controller. **To reproduce** This is difficult to reproduce on normal systems. First, Qubes may not interfere, so you could try to reproduce on Whonix KVM or Virtualbox or Tails OS (probably). If you can't test on that setup, I would try to simple close the controller connection on a normal system and then see what bitcoind does to the listening onion address. Also you need to add the bitcoind onion-grater profile, I don't know if Tails has, but for Whonix, I am using https://github.com/Whonix/onion-grater/blob/9addd1d6dd9671b18e5415a196b92d7f6ee5846c/usr/share/doc/onion-grater-merger/examples/40_bitcoind.yml It is not the current Whonix onion-grater profile but it is the correct one and will be merged upstream soon. If that is the case, add that profile to `/usr/local/etc/onion-grater-merger.d/40_bitcoind.yml` Also set in the `bitcoin.conf` the onion binding to `bind=0.0.0.0:8334=onion` and not `127.0.0.1`. This makes the service listen on the Whonix internal interface and does not affect security. Restart bitcoind to apply changes. You will also have to open the port on the Whonix-Workstation firewall. ``` $ sudo mkdir -p /usr/local/etc/whonix_firewall.d $ echo "EXTERNAL_OPEN_PORTS+=" 8334 " | tee -a /usr/local/etc/whonix_firewall.d/50_user.conf` $ sudo whonix_firewall ``` To view onion-grater logs, you need to enable debug mode on the Whonix-Gateway: ``` $ echo "[Service] ## Clear onion-grater default file '/lib/systemd/system/onion-grater.service'. ExecStart= ## Enable debug mode. ExecStart=/usr/lib/onion-grater --listen-interface eth1 --debug " | tee /usr/lib/systemd/system/onion-grater.service.d/50_user.conf $ sudo systemctl daemon-reload $ sudo systemctl restart onion-grater ``` Then after adding the profile, enabling onion-grater debug mode, restarting onion-grater and bitcoind, test if the address is reachable externally. Use the bitcoid option `connect=address.onion`, so you are sure it is connecting. If it is, restart onion-grater. ``` $ sudo systemctl restart onion-grater ``` On the bitcoin debug.logs, you should see the same error I saw above about removing onion address and not able to authenticate to the controller. But that is not entirely correct, because I can issue an ADD_ONION manually and it will accept, but bitcoind does not try to issue ADD_ONION a second time. ``` host onion-grater[149562]: 10.137.0.31:54044 (filter: 30_autogenerated): -> PROTOCOLINFO 1 host onion-grater[149562]: 10.137.0.31:54044 (filter: 30_autogenerated): <- 250-PROTOCOLINFO 1 host onion-grater[149562]: 10.137.0.31:54044 (filter: 30_autogenerated): <- 250-AUTH METHODS=NULL host onion-grater[149562]: 10.137.0.31:54044 (filter: 30_autogenerated): <- 250-VERSION Tor="0.4.7.10" host onion-grater[149562]: 10.137.0.31:54044 (filter: 30_autogenerated): <- 250 OK host onion-grater[149562]: 10.137.0.31:54044 (filter: 30_autogenerated): -> AUTHENTICATE host onion-grater[149562]: 10.137.0.31:54044 (filter: 30_autogenerated): <- 250 OK ``` The controller actually lets bitcoind authenticate, as seen from the onion-grater logs above. But I don't understand why bitcoind says it can't authenticate. The ip doesn't matter, it is internal ip. What you should expect from onion-grater logs is the following: ``` host onion-grater[149562]: 10.137.0.31:43566 (filter: 30_autogenerated): -> AUTHENTICATE host onion-grater[149562]: 10.137.0.31:43566 (filter: 30_autogenerated): <- 250 OK host onion-grater[149562]: 10.137.0.31:43566 (filter: 30_autogenerated): -> ADD_ONION NEW:ED25519-V3 Port=8333,0.0.0.0:8334 host onion-grater[149562]: 10.137.0.31:43566 (filter: 30_autogenerated): rewrote command: host onion-grater[149562]: ADD_ONION NEW:ED25519-V3 Port=8333,0.0.0.0:8334 host onion-grater[149562]: to: host onion-grater[149562]: ADD_ONION NEW:ED25519-V3 Port=8333,10.137.0.31:8334 Flags=DiscardPK host onion-grater[149562]: 10.137.0.31:43566 (filter: 30_autogenerated): <- (multi-line) host onion-grater[149562]: 250-ServiceID=myonionhostnamewithoutonion host onion-grater[149562]: 250 OK host onion-grater[149562]: 10.137.0.31:43566 (filter: 30_autogenerated): -> QUIT host onion-grater[149562]: 10.137.0.31:43566 (filter: 30_autogenerated): <- 250 closing connection host onion-grater[149562]: 10.137.0.31:43566 (filter: 30_autogenerated) disconnected: client quit ``` You could try on Whonix with `tor-ctrl` to authenticate after restarting onion-grater and it will work: ``` $ tor-ctrl ADD_ONION NEW:ED25519-V3 Port=8333,0.0.0.0:8334 ``` and it will authenticate. But for some unknown reason bitcoind does not reauthenticate to the controller. I understand that once the contoller connection closes, the commands send to the controller are not valid anymore. But bitcoind should be able to reauthenticate once it loses connection. **System information** System information was already described above. I understand this may be difficult debug because it requires a system with onion-grater. But it does not rely on Whonix or Tails or onion-grater package to fix this, as they are only restarting to read the new configuration, but bitcoind understand that as a connection that must be closed forever. If you read all this and is open to make bitcoind retry to authenticate cleanly, I am open to help debug and instruct how to reproduce.

Sometimes when restarting onion-grater, bitcoind gets a ServiceID, sometimes it can’t authenticate although onion-grater replied correctly that it could authenticate.

Patrick · October 3, 2022, 12:15pm

I am not sure upstream will accept the bug report because of the mention of onion-grater. Their position could be “that needs to be fixed in onion-grater than”. If the issue could be re-produced without onion-grater and only with Tor, then the argument be much stronger. Could this be reproduced by simply reloading or restarting Tor?
From my experience, bug reports generally, with such complexity have very low chance of being acted on by upstream.

nyxnor · October 3, 2022, 12:22pm

Unfortunately no. I tested on a debian qube running bitcoind with local tor, this does not occurr.

I tried to make the bug “simpler” but it does not happen without onion-grater. This does not mean its onion-grater fault, because it replies correctly. But maybe bitcoind doesn’t wait for it to reply? Not sure.

Tested on debian by restarting tor, as that is the way to close the control connection as there is no proxy. Bitcoind can always add onion. But on Whonix with onion-grater, it does not always works, don’t know why.