Monerod Hidden Service inside Qubes-Whonix

I have downloaded, verified and started running monerod correctly. It is running inside a whonix app qube (AppVM), and is able to connect to clearnet and Tor peers, and download the monero blockchain.

So far, so good.

The problem is trying to get monerod to host its restricted RPC as a hidden service. Here’s my current monerod.conf file:

#logging
max-log-file-size=0
log-file=/dev/null
#server
no-zmq=1
no-igd=1
# syncing
db-sync-mode=fastest:async:250000000bytes
max-concurrency=2
fast-block-sync=0
block-sync-size=0
disable-dns-checkpoints=1
# p2p
out-peers=32
in-peers=32
p2p-bind-ip=127.0.0.1
p2p-bind-port=18080
rpc-bind-ip=127.0.0.1
rpc-bind-port=18081
rpc-restricted-bind-ip=127.0.0.1
rpc-restricted-bind-port=18089
rpc-ssl=disabled
disable-rpc-ban=1
public-node=1
confirm-external-bind=1
# tor
proxy=127.0.0.1:9050
tx-proxy=tor,127.0.0.1:9050,16,disable_noise
anonymous-inbound=mymonerodservice.onion:18083,127.0.0.1:18083,16
pad-transactions=1

As you can see from the #tor section, I am currently using the default tor proxy 127.0.0.1:9050 inside the monerod-whonix-qube (AppVM).

Now, here’s my Tor User Config on sys-whonix

HiddenServiceDir /var/lib/tor/mymonerodservice/
HiddenServicePort 18083 <monerod-whonix-qube-IP>:18083
HiddenServicePort 18089 <monerod-whonix-qube-IP>:18089

After saving and exiting the Tor User Config file, I also used the Tor Reload button in the Qubes Application Menu to reload the configuration. Afterwards, I got my mymonerodservice.onion URL by:

(sys-whonix) $ sudo cat /var/lib/tor/mymonerodservice/hostname

which goes into the above-mentioned monerod.conf file.

On the monerod-whonix-qube (AppVM) I open the whonix firewall as follows:

(monerod-whonix-qube) $ sudo mkdir -p /usr/local/etc/whonix_firewall.d/
(monerod-whonix-qube) $ sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf

and insert the following content into 50_user.conf file:

EXTERNAL_OPEN_PORTS+=" 18083 "
EXTERNAL_OPEN_PORTS+=" 18089 "

I save the file and quit, and reload the monerod-whonix-qube (AppVM)'s firewall:

(monerod-whonix-qube) $ sudo whonix_firewall

On stdout I see a bunch of OK status messages, and no errors.

QUESTIONS:

  1. I am unable to reach my monerod RPC hidden service from outside. On an isolated, different whonix disposable qube, using torbrowser, I try to visit my URL: http://mymonerodservice.onion:18089/getinfo, yet, even after waiting 15 minutes for the tor network, that URL doesn’t resolve. In my monerod-whonix-qube, using torbrowser, the URL http://127.0.0.1:18089/getinfo correctly fetches a json output containing the status of my monerod node. How do I get the RPC hidden service to be reachable from the outside world?

  2. Should I use the <sys-whonix-IP>:9153 value for the proxy and tx-proxy directives in my above-mentioned monerod.conf file? Would that play nice with hosting a hidden service of my monerod RPC server on the monerod-whonix-qube (AppVM)? I tried using <sys-whonix-IP>:9153 as I just mentioned, but I still couldn’t reach the RPC hidden service from outside.

That’s the problem. Listening on localhost only. Therefore Tor cannot reach it. Need to listen on 0.0.0.0.

2 Likes

I changed p2p-bind-ip=0.0.0.0. However, I am still unable to reach the http://mymonerodservice.onion:18089/getinfo.

Do I need to change the other ones, rpc-bind-ip and rpc-restricted-bind-ip, too?

EDIT: Yeah, it worked.

I have changed the following lines from the original monerod.conf file in my OP:

p2p-bind-ip=0.0.0.0
rpc-restricted-bind-ip=0.0.0.0

With these, I can reach http://mymonerodservice.onion:18089/getinfo and get the current sync status of my monero node inside qubes-whonix.

But why is this working? Can you explain what 0.0.0.0 tells monerod? Is this a safe setting, or am I letting monerod listen on all the local ports inside the whonix qube? Also, should rpc-bind-ip stay at 127.0.0.1, while the others have changed to 0.0.0.0? In the near future, I will use my monerod qubes-whonix qube for an isolated monero daemon-wallet setup, so I will have to forward the 18081 port of the monerod whonix qube to my monero wallet qube. So, considering this, should rpc-bind-ip stay at 127.0.0.1?

There’s only 1 network interface in the workstation. Either you open the port or you don’t.

Somehow whatever shall be able to reach the port needs to be, well, able to reach it.

RPC safety is application specific. Mostly a bad idea to let strangers use RPC unless you know what you are doing.

2 Likes

I really don’t understand what you are saying. Your first two lines are quite cryptic to me.

I put rpc-restricted-bind-ip=127.0.0.1, and I was under the impression that that meant “this localhost,” or “this machine.” But you seem to be saying this is not so. What does 0.0.0.0 signify for the qubes-whonix qube (appvm)?

Also, what is the significance of p2p-bind-ip=0.0.0.0, as you said?

Before you, I was putting p2p-bind-ip=127.0.0.1, and monerod inside qubes-whonix qube (appvm) was able to make peer connections and sync the blockchain. Can you clarify these things?

How can you listen on localhost and expect the gateway’s Tor to be able to reach it? Not possible.

0.0.0.0 means all IPv4 network interfaces. Of course this is only inside the VM where you’re using it. To see all network interfaces run “sudo ifconfig”. Since there is only one it’s simpler to say “all network interfaces” rather than bothering listening on the hardcoded local IP address.

Qubes adds another layer of complexity. Qubes qrexec maybe wouldn’t be called “opening a port” but it is quite similar. It can forward a port from one VM to another without a virtual network card being required. This is done through Qubes qrexec. In both cases it results in a port that is, under some conditions, reachable from either an onion or another VM depending on your setup.

Your job is to think about what port should be reachable from where/what and then make it work by either opening ports over network or forwarding ports over qrexec.

1 Like

I don’t understand. In my monerod qube (qubes-whonix appvm), I haven’t issued a qrexec command (yet). Why is qrexec relevant to my point? My setup is pretty vanilla. I have outlined my setup in the OP in this thread. There are no qrexec commands involved, as you can see in that post.

Ok then forget about qrexec.

You want the port to be reachable then open it on the interface where it should be reachable.

You cannot listen on localhost only.

1 Like

Look, I already do that, with the file 50_user.conf:

EXTERNAL_OPEN_PORTS+=" 18089 "

In accordance, rpc-restricted-bind-port=18089 and the Tor User config contains the line HiddenServicePort 18089 <monerod-whonix-qube-IP>:18089. So, everything is OK port-wise. The only problem is when I set up rpc-restricted-bind-ip=127.0.0.1. This is not a “port,” it is an IP. In my mind, that meant (up to now) “this computer.” This is the reason I don’t understand the significance of putting 0.0.0.0 instead of 127.0.0.1. What does 0.0.0.0 specify in this case that 127.0.0.1 doesn’t?

You want it reachable from onion: listen 0.0.0.0 (all interfaces)

You want it reachable from localhost only: use 127.0.0.1 or even better unix domain socket files (if supported by the application)

If not needed at all: disable, if possible

1 Like

I don’t get this point. The Tor User Config clearly forwards the onion:18089 port to the <monerod-whonix-qube-IP>:18089. So, the onion:18089 connection gets forwarded to the localhost of the monerod-whonix-qube. Am I understanding this wrong?

Tor on the gateway can only try to connect to applications on the workstation that listen on the eth0 external network interface, not to the workstation's localhost. Therefore the application on the workstation must not listen on localhost but on eth0.

2 Likes
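As an added example (not from this thread or from the Whonix or Monero projects), here is a small Python checker that cross-reads the three files from the OP, the monerod.conf bind options, the sys-whonix HiddenServicePort lines and the whonix_firewall.d EXTERNAL_OPEN_PORTS entries, and flags exactly the mismatch diagnosed above: a port the gateway forwards to the workstation while monerod binds it on 127.0.0.1 (plus a forwarded port missing from the firewall list). The sample inputs are the OP's values; the function names and the check logic are mine.

```python
import re

# Constructed sample input: the files as posted in this thread (monerod.conf before the fix).
MONEROD_CONF = """\
p2p-bind-ip=127.0.0.1
p2p-bind-port=18080
rpc-bind-ip=127.0.0.1
rpc-bind-port=18081
rpc-restricted-bind-ip=127.0.0.1
rpc-restricted-bind-port=18089
"""
TORRC = """\
HiddenServiceDir /var/lib/tor/mymonerodservice/
HiddenServicePort 18083 <monerod-whonix-qube-IP>:18083
HiddenServicePort 18089 <monerod-whonix-qube-IP>:18089
"""
FIREWALL_CONF = 'EXTERNAL_OPEN_PORTS+=" 18083 "\nEXTERNAL_OPEN_PORTS+=" 18089 "\n'

def monerod_listeners(conf):
    """(label, bind ip, port) for each listener monerod.conf sets explicitly."""
    cfg = {k.strip(): v.strip() for k, v in
           (l.split("#", 1)[0].split("=", 1) for l in conf.splitlines() if "=" in l.split("#", 1)[0])}
    out = []
    for label, ip_opt, port_opt in (("restricted RPC", "rpc-restricted-bind-ip", "rpc-restricted-bind-port"),
                                    ("unrestricted RPC", "rpc-bind-ip", "rpc-bind-port"),
                                    ("p2p", "p2p-bind-ip", "p2p-bind-port")):
        if ip_opt in cfg and port_opt in cfg:
            out.append((label, cfg[ip_opt], int(cfg[port_opt])))
    return out

def firewall_open_ports(fw):
    # ports added via EXTERNAL_OPEN_PORTS+=" ... " in a whonix_firewall.d file
    return {int(p) for grp in re.findall(r'EXTERNAL_OPEN_PORTS\+="([^"]*)"', fw)
            for p in grp.split()}

def check(monerod_conf, torrc, fw):
    """List the problems found; an empty list means the three files agree."""
    # {virtual onion port: workstation port} from the gateway's HiddenServicePort lines
    targets = {int(v): int(t) for v, t in
               re.findall(r"^\s*HiddenServicePort\s+(\d+)\s+\S*:(\d+)", torrc, re.M)}
    opened, problems = firewall_open_ports(fw), []
    for label, ip, port in monerod_listeners(monerod_conf):
        vports = [v for v, t in targets.items() if t == port]
        if vports and ip.startswith("127."):
            problems.append(f"{label}: onion:{vports[0]} forwards to port {port}, but monerod binds it on "
                            f"{ip}; Tor on the gateway cannot reach workstation loopback, bind 0.0.0.0")
        if vports and port not in opened:
            problems.append(f"{label}: port {port} is forwarded but not in EXTERNAL_OPEN_PORTS")
    return problems
```

Run against the OP's original config it reports the 18089 loopback bind; after changing rpc-restricted-bind-ip to 0.0.0.0 it reports nothing, while rpc-bind-ip on 127.0.0.1 is left alone because no HiddenServicePort forwards 18081.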

Alright. That’s an interesting tidbit about the whonix-gateway + whonix-workstation interplay.

Documented here just now:
Setup Overview