Monero full node with incoming Onion Service inside Whonix-Workstation

Hello,

Monero comes pre-installed in Whonix Workstation.

I have installed a full node (monerod) and it is now fully in synch (that is, it has downloaded all the blockchain). :+1: I have successfully set up a RPC onion service, which works great. :+1:

However I am having troubles setting up a p2p onion service. I believe my issues are Whonix (configuration) specific, this is why I am asking here.

QUESTION: How to run a p2p onion service in the Whonix Gateway?

I have:

  1. Set up in the Whonix-Gateway an onion service by adding the lines:

    HiddenServiceDir /var/lib/tor/monero-p2p/
    HiddenServicePort 18083 10.152.152.11:18083  # onion-p2p
    HiddenServiceVersion 3

and have set up the firewall in the Workstation to allow incoming traffic to port 18083. I have checked that the service works (by launching an HTTP server listening on 18083 in the Workstation, which is correctly reachable from the Tor Browser).

So the basic hidden service setup is done correctly. The problems I have are monero (configuration) specific.

  2. Following the documentation here (https://monerodocs.org/running-node/open-node-tor-onion/) and here (https://github.com/monero-project/monero/blob/master/docs/ANONYMITY_NETWORKS.md), I have edited the ~/.bitmonero/bitmonero.conf configuration file, adding the following lines:

    tx-proxy=tor,10.152.152.11:9050,10

    anonymous-inbound = myonionaddress.onion:18083,0.0.0.0:18083,10

The first line should (?) point monerod to the SOCKS proxy used to send stuff over Tor. I am not sure if this line is correct in the context of Whonix-Gateway, where all traffic goes automatically through the proxy.

The second line should inform the rest of the network on how to find my hidden address, and specify where to listen (0.0.0.0:18083).

I can verify (with ss -l | grep 18083) that monerod correctly listens on this port.

RESULTS: with the above configuration, when I check the status of monerod I get: 12(out)+0(in) connections. In other words, nobody manages to connect to me.

Also checking with the service (https://www.ditatompel.com/monero/remote-node), it can’t see my onion service up.

HELP: Please help. My node works fine, but I’d like to contribute to the network by accepting remote connections to allow others to synchronize. If anybody has successfully done this in Whonix, please help :slight_smile:
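The setup above has three pieces that must agree with each other: the HiddenServicePort line on the Gateway, the tx-proxy and anonymous-inbound lines on the Workstation, and the Workstation's internal address. The following Python script is an added example for this thread, not the poster's code and not anything shipped by Whonix or the Monero project. It assumes Whonix's default internal addresses (Gateway 10.152.152.10, where Tor and its SOCKS port run; Workstation 10.152.152.11) and the field layout of the two options as described in the ANONYMITY_NETWORKS.md page linked above (network, SOCKS address, optional connection limit; onion address, bind address, optional connection limit). The sample inputs are constructed copies of the lines quoted in the post.

```python
import re

# Assumed Whonix defaults (not stated in the thread): Tor and its SOCKS port
# run on the Gateway; the Workstation is the host monerod runs on.
GATEWAY_IP = "10.152.152.10"
WORKSTATION_IP = "10.152.152.11"

# Constructed copies of the lines quoted in the post above.
SAMPLE_TORRC = """\
HiddenServiceDir /var/lib/tor/monero-p2p/
HiddenServicePort 18083 10.152.152.11:18083  # onion-p2p
HiddenServiceVersion 3
"""
SAMPLE_CONF = """\
tx-proxy=tor,10.152.152.11:9050,10

anonymous-inbound = myonionaddress.onion:18083,0.0.0.0:18083,10
"""


def parse_torrc(text):
    """Return (virtual_port, target_ip, target_port) for each HiddenServicePort line."""
    ports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        m = re.match(r"HiddenServicePort\s+(\d+)\s+([\d.]+):(\d+)$", line)
        if m:
            ports.append((int(m.group(1)), m.group(2), int(m.group(3))))
    return ports


def parse_bitmonero_conf(text):
    """Return {option: [values]} for the two options; spaces around '=' are tolerated."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ("tx-proxy", "anonymous-inbound"):
            opts.setdefault(key, []).append(value)
    return opts


def check_setup(torrc_text, conf_text):
    """Return a list of findings; an empty list means the three pieces agree."""
    findings = []
    hs_ports = parse_torrc(torrc_text)
    opts = parse_bitmonero_conf(conf_text)

    # tx-proxy: <network>,<socks-ip>:<socks-port>[,max_connections...]
    for value in opts.get("tx-proxy", []):
        fields = value.split(",")
        if len(fields) < 2 or ":" not in fields[1]:
            findings.append(f"tx-proxy malformed: {value!r}")
            continue
        socks_ip = fields[1].rsplit(":", 1)[0]
        if socks_ip != GATEWAY_IP:
            findings.append(f"tx-proxy SOCKS address {socks_ip} is not the Gateway "
                            f"({GATEWAY_IP}), where Tor listens")

    # anonymous-inbound: <onion>:<port>,<bind-ip>:<bind-port>[,max_connections]
    for value in opts.get("anonymous-inbound", []):
        fields = value.split(",")
        if len(fields) < 2 or ":" not in fields[0] or ":" not in fields[1]:
            findings.append(f"anonymous-inbound malformed: {value!r}")
            continue
        onion, onion_port = fields[0].rsplit(":", 1)
        bind_ip, bind_port = fields[1].rsplit(":", 1)
        onion_port, bind_port = int(onion_port), int(bind_port)
        if not onion.endswith(".onion"):
            findings.append(f"anonymous-inbound advertises {onion}, which is not an onion address")
        # The advertised port must be a HiddenServicePort virtual port whose
        # target is the address and port monerod actually binds on the Workstation.
        matches = [p for p in hs_ports if p[0] == onion_port]
        if not matches:
            findings.append(f"torrc has no HiddenServicePort {onion_port}, "
                            f"but monerod advertises {onion}:{onion_port}")
        for _, target_ip, target_port in matches:
            if target_port != bind_port:
                findings.append(f"Tor forwards virtual port {onion_port} to port {target_port}, "
                                f"but monerod binds port {bind_port}")
            if bind_ip not in ("0.0.0.0", target_ip):
                findings.append(f"monerod binds {bind_ip}, but Tor forwards to {target_ip}")
            if target_ip != WORKSTATION_IP:
                findings.append(f"HiddenServicePort targets {target_ip}, "
                                f"not the Workstation ({WORKSTATION_IP})")
    if "anonymous-inbound" not in opts:
        findings.append("no anonymous-inbound line: monerod will not accept onion peers")
    return findings


if __name__ == "__main__":
    for finding in check_setup(SAMPLE_TORRC, SAMPLE_CONF) or ["no mismatches found"]:
        print(finding)
```

Run against the lines from the post, the only finding it reports is that the tx-proxy SOCKS address is the Workstation's own IP rather than the Gateway's; the anonymous-inbound line and the HiddenServicePort mapping agree with each other. Feed it your real torrc and bitmonero.conf to check the same three relationships on a live setup.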

skills

  • Set up monero incoming onion connections outside of Whonix.
  • Setting up an onion service inside of Whonix.

Do you have these skills yet? If not, I recommend getting these skills as it might help to resolve this issue.

Hi Patrick, thanks for the quick answer.

Yes, as I mentioned in my question, the onion service is set up correctly. If I just run an HTTP server at 18083 in the WW (instead of monerod) then the onion service is reachable from the Tor Browser.

Furthermore I have correctly set up the onion service for the RPC service of monerod (typically at port 18081).

I haven’t actually tried this outside of Whonix. You are right.

However I asked in the #monero channel (IRC, libera.chat), and they pointed me to the guides I linked: (https://monerodocs.org/running-node/open-node-tor-onion/) and here (https://github.com/monero-project/monero/blob/master/docs/ANONYMITY_NETWORKS.md)

I followed the above guides, but couldn't find a Whonix-specific guide.

I’d be happy to make one once I manage to get this up and running.

As far as I know, monero does not access the Tor control protocol, which is good and makes things simpler. Otherwise, if monero needs Tor control protocol access, that could be an issue and make things more complicated. (onion-grater: a Tor Control Port Filter Proxy)

Using onion domain supposedly?
(Using localhost is a helpful test but not needed if onion domain is already reachable.)

I suppose onion domain is functional:
In that case, Whonix seems to work as expected.

I suggest setting this up test-wise without Whonix being involved. This is because Generic Bug Reproduction seems the only realistic path to resolve this issue.

Indeed I believe it does not.

Yes, onion domain accessed from an entirely different network via Tor. No localhost tests.

Ok Thanks again for your help.
I’ll keep experimenting. If/when I find a solution I will post here my findings.

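The advice in this thread is to test the onion p2p port from an entirely different network through Tor, not from localhost. Below is an added Python probe that does exactly that TCP-level check without a Tor Browser; it is not code from the thread, Whonix or the Monero project. It assumes a Tor SOCKS5 listener on the testing machine at 127.0.0.1:9050 (the usual default for a plain Tor install; inside Whonix the Gateway address 10.152.152.10 would be used instead) and takes the placeholder name myonionaddress.onion from the post. The request uses the SOCKS5 domain-name address type so the .onion name is handed to Tor rather than resolved locally.

```python
import socket
import struct

# Assumption (not from the thread): the testing machine runs its own Tor with
# the default SOCKS5 port. On Whonix this would be the Gateway, 10.152.152.10:9050.
DEFAULT_SOCKS = ("127.0.0.1", 9050)

# SOCKS5 reply codes, RFC 1928 section 6.
REPLY_CODES = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def build_connect_request(host, port):
    """SOCKS5 CONNECT with ATYP=0x03 (domain name): Tor resolves the .onion, nothing is looked up locally."""
    name = host.encode("ascii")
    if not 0 < len(name) < 256:
        raise ValueError("host name must be 1..255 bytes")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def parse_connect_reply(header):
    """Map the 4-byte reply header (VER REP RSV ATYP) to a status string."""
    if len(header) < 4 or header[0] != 0x05:
        raise RuntimeError(f"not a SOCKS5 reply: {header!r}")
    return REPLY_CODES.get(header[1], f"unknown reply code {header[1]:#04x}")


def _recv_exact(sock, n):
    """Read exactly n bytes or raise; recv() may return short reads."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise RuntimeError("proxy closed the connection")
        buf += chunk
    return buf


def probe_onion(host, port, socks=DEFAULT_SOCKS, timeout=90):
    """Return the SOCKS5 reply status for a TCP connect to host:port via Tor.

    'succeeded' means the onion service accepted a TCP connection, i.e. the
    Gateway's HiddenServicePort forward and the Workstation listener are
    reachable; this probe does not speak the Monero p2p protocol itself.
    Onion circuits are slow to build, hence the long timeout.
    """
    with socket.create_connection(socks, timeout=timeout) as s:
        s.sendall(b"\x05\x01\x00")                  # greeting: version 5, one method, no auth
        if _recv_exact(s, 2) != b"\x05\x00":
            raise RuntimeError("proxy rejected the no-auth method")
        s.sendall(build_connect_request(host, port))
        header = _recv_exact(s, 4)
        status = parse_connect_reply(header)
        # Drain the bound address (ATYP 1=IPv4, 3=domain, 4=IPv6) plus port so
        # the stream stays in sync; some proxies close right after a failure reply.
        try:
            atyp = header[3]
            if atyp == 0x01:
                _recv_exact(s, 4 + 2)
            elif atyp == 0x03:
                _recv_exact(s, _recv_exact(s, 1)[0] + 2)
            elif atyp == 0x04:
                _recv_exact(s, 16 + 2)
        except RuntimeError:
            pass
        return status


if __name__ == "__main__":
    import sys
    # Placeholder name from the post; pass your real onion address as argv[1].
    onion = sys.argv[1] if len(sys.argv) > 1 else "myonionaddress.onion"
    print(probe_onion(onion, 18083))
```

A "succeeded" reply proves the path Tor -> Gateway -> Workstation:18083 works from outside, which separates the Whonix plumbing from monerod's own peer handling: if the TCP probe succeeds but the node still shows 0(in), the remaining problem lies in the monerod configuration or in peers not yet having learned the onion address, not in the onion service itself.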

(I don’t know the user. Just a general disclaimer. One should be careful whom to PM and what advice they follow.)