Monerod Hidden Service inside Qubes-Whonix

I have downloaded, verified and started running monerod correctly. It is running inside a whonix app qube (AppVM), and is able to connect to clearnet and Tor peers, and download the monero blockchain.

So far, so good.

The problem is trying to get monerod to host its restricted-rpc as a hidden service. Here’s my current monerod.conf file:

# syncing
# p2p
# tor

As you can see from the #tor section, I am currently using the default tor proxy inside the monerod-whonix-qube (AppVM).

Now, here’s my Tor User Config on sys-whonix

HiddenServiceDir /var/lib/tor/mymonerodservice/
HiddenServicePort 18083 <monerod-whonix-qube-IP>:18083
HiddenServicePort 18089 <monerod-whonix-qube-IP>:18089

After saving and exiting the Tor User Config file, I also used the Tor Reload button on the Qubes Application Menu to reload the configuration. Afterwards, I got my mymonerodservice.onion URL by:

(sys-whonix) $ sudo cat /var/lib/tor/mymonerodservice/hostname

which goes into the abovementioned monerod.conf file.

On the monerod-whonix-qube (AppVM) I open the whonix firewall as follows:

(monerod-whonix-qube) $ sudo mkdir -p /usr/local/etc/whonix_firewall.d/
(monerod-whonix-qube) $ sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf

and insert the following content into the 50_user.conf file:


I save the file and quit, and reload the monerod-whonix-qube (AppVM)'s firewall:

(monerod-whonix-qube) $ sudo whonix_firewall

On stdout I see a bunch of OK status messages, and no errors.


  1. I am unable to reach my monerod RPC hidden service from outside. On an isolated, different whonix disposable qube, using torbrowser, I try to visit my URL: http://mymonerodservice.onion:18089/getinfo, yet, even after waiting 15 minutes for the tor network, the previous URL doesn’t resolve. In my monerod-whonix-qube, using torbrowser the URL correctly fetches a json output containing the status of my monerod node. How do I get the RPC hidden service to be reachable from the outside world?

  2. Should I use the <sys-whonix-IP>:9153 value for the proxy and tx-proxy directives in my abovementioned monerod.conf file? Would that play nice with hosting a hidden service of my monerod RPC server on the monerod-whonix-qube (AppVM)? I tried using the <sys-whonix-IP>:9153 as I just mentioned, but I still couldn’t reach the RPC hidden server from outside.

That’s the problem. Listening on localhost only. Therefore Tor cannot reach it. Need to listen on


I changed p2p-bind-ip= However, I am still unable to reach the http://mymonerodservice.onion:18089/getinfo.

Do I need to change the other rpc-bind-ip and rpc-restricted-bind-ip, too?

EDIT: Yeah, it worked.

I have changed the following lines from the original monerod.conf file in my OP:


With these, I can reach the http://mymonerodservice.onion:18089/getinfo and get current sync status of my monero node inside qubes-whonix.

But why is this working? Can you explain what does tell to monerod? Is this a safe setting, or am I letting monerod listen in on the whole local ports inside whonix qube? Also, should rpc-bind-ip stay at, while others have changed into In the near future, I will use my monerod qubes-whonix qube for isolated monero daemon-wallet setup, so I will have to forward the 18081 port of monerod whonix qube to my monero wallet qube. So, considering this, should rpc-bind-ip keep staying at

There’s only 1 network interface in the workstation. Either you open the port or you don’t.

Somehow whatever shall be able to reach the port needs to be, well, able to reach it.

rpc safety is application specific. Mostly bad idea to let strangers use rpc unless you know what you are doing.


I really don’t understand what you are saying. Your first two lines are quite cryptic to me.

I put restricted-rpc-bind-ip=, and I was under the impression that that meant “this localhost,” or “this machine.” But you seem to be saying this is not so. What does signify for the qubes-whonix qube (appvm)?

Also, what is the significance of p2p-bind-ip=, as you said

Before you, I was putting p2p-bind-ip=, and monerod inside qubes-whonix qube (appvm) was able to make peer connections and sync the blockchain. Can you clarify these things?

How can you listen on localhost and expect the gateway’s Tor to be able to reach it? Not possible. means all IPv4 network interfaces. Of course this is only inside the VM where you’re using it. To see all network interfaces run “sudo ifconfig”. Since there is only one it’s simpler to say “all network interfaces” rather than bothering listening on the hardcoded local IP address.

Qubes adds another layer of complexity. Qubes qrexec maybe wouldn’t be called “open a port” but it is quite similar. It can forward a port from one VM to another without a virtual network card required. This is through Qubes qrexec. In both cases it results in a port that is under some conditions reachable from either an onion or another VM depending on your setup.

Your job is to think about what port should be reachable from where/what and then make it work by either opening ports over network or forwarding ports over qrexec.


I don’t understand. In my monerod qube (qubes-whonix appvm), I haven’t issued a qrexec command (yet). Why is qrexec relevant to my point? My setup is pretty vanilla. I have outlined my setup in the OP in this thread. There are no qrexec commands involved, as you can see in that post.

Ok then forget about qrexec.

You want the port to be reachable then open it on the interface where it should be reachable.

You cannot listen on localhost only.


Look, I already do that, with the file 50_user.conf:


In accordance, the restricted-rpc-bind-port=18089 and the Tor User config contains the line, HiddenServicePort 18089 <monerod-whonix-qube-IP>:18089. So, everything is OK port-wise. The only problem is when I set up restricted-rpc-bind-ip= This is not a “port,” it is an IP. In my mind, that meant (up to now) “this computer.” This is the reason I don’t understand the significance of putting instead of What does specify in this case that doesn’t?

You want it reachable from onion: listen (all interfaces)

You want it reachable from localhost only: use or even better unix domain socket files (if supported by the application)

If not needed at all: disable, if possible


I don’t get this point. The Tor User Config clearly forwards the onion:18089 port to the <monerod-whonix-qube-IP>:18089. So, the onion:18089 connection gets forwarded to the localhost of the monerod-whonix-qube. Am I understanding this wrong?

Tor on the gateway can only try to connect to applications on the workstation that listen on eth0, the external network interface, but not to the workstation’s localhost. Therefore the application in the workstation must not listen on localhost but on eth0.
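As an added illustration of the point made in this thread (not code from the original posts or from the Whonix or Monero projects), the script below cross-checks a monerod.conf against the gateway's HiddenServicePort lines: for every onion port it looks up which monerod listener the target port belongs to, flags a loopback bind address as unreachable from the gateway's Tor, and additionally warns when the mapping points at the unrestricted RPC port instead of the restricted one. The sample config contents, the workstation IP 10.137.0.20 and the option names rpc-bind-ip, rpc-restricted-bind-ip and their -port counterparts are constructed for the demo and are assumed to match the monerod options the posts refer to.

```python
import re

# Constructed sample files for this demo; not the OP's real configuration.
SAMPLE_MONEROD_CONF = """\
p2p-bind-ip=0.0.0.0
p2p-bind-port=18080
rpc-bind-ip=127.0.0.1
rpc-bind-port=18081
rpc-restricted-bind-ip=127.0.0.1
rpc-restricted-bind-port=18089
"""
SAMPLE_TORRC = """\
HiddenServiceDir /var/lib/tor/mymonerodservice/
HiddenServicePort 18081 10.137.0.20:18081
HiddenServicePort 18089 10.137.0.20:18089
"""
LOOPBACK = ("127.0.0.1", "localhost", "::1")

def parse_monerod_conf(text):
    """Return {key: value} from key=value lines, skipping comments and blanks."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def parse_hidden_service_ports(text):
    """Return [(virtual_port, target_port)] from HiddenServicePort lines."""
    pat = re.compile(r"^\s*HiddenServicePort\s+(\d+)\s+\S+:(\d+)", re.M)
    return [(int(v), int(t)) for v, t in pat.findall(text)]

def check_hidden_service(conf, hs_ports):
    """For each onion port, name the monerod listener it targets and say whether
    the gateway's Tor can reach it: the bind IP must not be loopback."""
    listeners = {}  # target port -> (bind-ip option name, configured value)
    for prefix in ("p2p-bind", "rpc-bind", "rpc-restricted-bind"):
        port = conf.get(prefix + "-port")
        if port:
            listeners[int(port)] = (prefix + "-ip", conf.get(prefix + "-ip"))
    report = {}
    for vport, tport in hs_ports:
        key, ip = listeners.get(tport, (None, None))
        if key is None:
            verdict = "no monerod listener configured on that port"
        elif ip is None or ip in LOOPBACK:  # unset is assumed to default to loopback
            verdict = f"{key} is loopback: unreachable from the gateway"
        else:
            verdict = f"{key}={ip}: reachable from the gateway"
        if key == "rpc-bind-ip":  # unrestricted RPC should not face the onion
            verdict += "; WARNING: unrestricted RPC exposed, map rpc-restricted instead"
        report[vport] = verdict
    return report
```

Running `check_hidden_service(parse_monerod_conf(SAMPLE_MONEROD_CONF), parse_hidden_service_ports(SAMPLE_TORRC))` on the sample reproduces the thread's situation: port 18089 is bound to loopback and therefore unreachable, and the 18081 mapping additionally triggers the unrestricted-RPC warning.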


Alright. That’s an interesting tidbit about the whonix-gateway + whonix-workstation interplay.

Documented here just now:
Setup Overview