Setup Monero Node with Stream Isolation

Hello, if you want to run a Monero node via Tor, you currently have two methods.

  1. Application Proxy Settings: Monero Anonymity Network

./monerod --tx-proxy tor,127.0.0.1:9050,10 --add-peer=[onionservice]:[port]

(1) transaction broadcasts (tx) go through Tor to onion peers
(2) blockchain sync goes through clearnet to seed nodes.
→ (2) is undesirable as the public IP address gets exposed

  2. torsocks: Monero Using Tor

DNS_PUBLIC=tcp torsocks monerod --p2p-bind-ip 127.0.0.1 --no-igd

(1) every outgoing connection goes through Tor to seed nodes and leaves Tor at a Tor exit node
→ this is undesirable as it could potentially lead to identity correlation

If you want to set up a Monero node on Whonix-Workstation and want to set up proper stream isolation, I assume that the following setup is currently the preferred approach.

Starting a Monero node with the custom socks ports prepared for custom installed applications, without IsolateDestAddr and without IsolateDestPort.

./monerod --tx-proxy tor,10.152.152.10:9153,10 --add-peer=[onionservice]:[port]

(1) transaction broadcasts (tx) go through Tor via Whonix-Gateway to onion peers
(2) blockchain sync goes through TransPort via Whonix-Gateway, through Tor to seed nodes, and leaves Tor at a Tor exit node
→ IP/DNS leaks prevented by Whonix-Gateway
→ stream isolation for (1)
→ no stream isolation for (2) unless there are no additional connections through TransPort from the same Whonix-Workstation. If there are additional connections through TransPort from the same Whonix-Workstation, you have to avoid those applications being linked to the same pseudonym, to prevent identity correlation.

Do you agree?

Thanks.

Follow the instructions here to create a uwt stream isolation wrapper for Monero.


Why is it beneficial to create a uwt stream isolation wrapper for the monero node instead of setting up an application SOCKS port and configuring the application to use that SOCKS port?

Example: ./monerod --tx-proxy tor,10.152.152.10:9153,10 --add-peer=[onionservice]:[port]

10.152.152.10:9153 would be the application SOCKS port for monero configured in Whonix-Gateway /usr/share/tor/tor-service-defaults-torrc.

This approach is preconfigured for many preinstalled applications and described here: Stream Isolation: How to mitigate identity correlation and, according to the Tor Project, the Common Way: Use the application's proxy settings. I assumed using a separate SOCKS port is the default way to ensure stream isolation for applications in Whonix.

Unless you configured Tor to isolate streams by IP address (resource intensive and not a default AFAIK), you won’t be getting the anonymity you want.

Perhaps I did not express myself very well. I do not want to isolate streams by IP address.

I want to use the custom socks ports prepared in /usr/share/tor/tor-service-defaults-torrc for custom installed applications. In this case for monerod.

Therefore I wanted to use port 9153: ./monerod --tx-proxy tor,10.152.152.10:9153,10 --add-peer=[onionservice]:[port]

This is described as default here Stream Isolation

Could you please clarify what's wrong with this approach, as I am trying to follow the official instructions?

I read it carefully this time. Every Onion connection has isolated streams by default. Nothing else needs to be done.

For best protection against identity correlation:
Stream Isolation
^ by following these instructions, either proxy settings are adhered to one way or another (socks proxy settings or a socksifier such as torsocks) or there is no traffic at all.

What’s better, using a socksifier or the proxy settings method? Nobody is researching that to my knowledge. In Whonix, the risk is traffic going through Tor’s TransPort (transparent torification) instead of through a dedicated Tor SocksPort. That risk is way too theoretical and obscure for anyone to make it a priority to work on.

I would expect something such as orjail might be better suited for torification (non-Whonix use case) or better stream isolation enforcement (Whonix use case). orjail / torsocks as kinda “mini Whonix networking”.

More on orjail:
Managing programs without Tor DNS Support / orjail

Non-trivial.

Therefore asking here will probably not make significant progress on stream isolation.

Thanks for your posts as this is a very interesting topic.

To apply this for running a monerod service using Whonix, the approach of “Better Protection” is not applicable as “All applications not configured to use a SocksPort by socks proxy settings or forced to use a SocksPort by a socksifier will not be able to establish connections.”

Because according to Monero Anonymity Networks and Monero Reference, using Whonix custom socks ports with ./monerod --tx-proxy tor,10.152.152.10:9153,10 --add-peer=[onionservice]:[port] still means that blockchain sync and forwarded transactions (those not originating from a connected wallet) still go through clearnet to seed nodes.

Therefore, if the firewall settings are changed according to “Better Protection”, blockchain sync and forwarded transactions are not possible.

And using the “Better Protection” configuration with this command DNS_PUBLIC=tcp torsocks monerod --p2p-bind-ip 127.0.0.1 --no-igd will work, but every outgoing connection, especially transactions, goes through Tor to seed nodes and leaves Tor at a Tor exit node, which is undesirable as it could potentially lead to identity correlation at Tor exit nodes.

To summarize, currently this is the most beneficial way to run monerod on Whonix: ./monerod --tx-proxy tor,10.152.152.10:9153,10 --add-peer=[onionservice]:[port]

Do you agree?

Independent from the above discussion and as conclusion: When running monerod (monero node) within an onion service operated on Whonix with

./monerod --tx-proxy tor,127.0.0.1:9050,10

Then according to
GitHub - Whonix/anon-ws-disable-stacked-tor and https://www.whonix.org/wiki/Stream Isolation#Footnotes

127.0.0.1:9050 gets redirected to 10.152.152.10:9050 by anon-ws-disable-stacked-tor especially to prevent Tor on Tor scenarios.

Would it be beneficial to run ./monerod --tx-proxy tor,10.152.152.10:9153,10 instead?

What would be different in terms of security? What happens if we use port 9050 instead of 9153? Does any other Whonix standard application use this port by default to get torified?
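To make the routing claims in this thread checkable, here is an added example (not code from the thread or from the Whonix or Monero projects): it parses a monerod command line and reports which Tor port transaction broadcasts and blockchain sync leave through, applying the thread's own rules (a --tx-proxy SocksPort is stream isolated, sync falls back to TransPort, torsocks sends everything via exit nodes, and 127.0.0.1:9050 is rewritten to the gateway by anon-ws-disable-stacked-tor). The gateway address and port numbers are taken from the posts above; the rule table itself is an assumption built from this discussion only.

```python
import shlex

GATEWAY_IP = "10.152.152.10"    # Whonix-Gateway address as used in this thread
SHARED_SOCKS_PORT = 9050         # shared default SocksPort; 9153 is a custom one
# Loopback targets rewritten by anon-ws-disable-stacked-tor (as described above)
LOOPBACK_REDIRECT = {("127.0.0.1", 9050): (GATEWAY_IP, 9050)}
TRANSPORT = "TransPort 9040 on the gateway (transparent, no stream isolation)"


def parse_tx_proxy(value):
    """Split a --tx-proxy value like 'tor,10.152.152.10:9153,10' into (network, host, port)."""
    parts = value.split(",")
    if len(parts) < 2 or ":" not in parts[1]:
        raise ValueError(f"unparseable --tx-proxy value: {value!r}")
    host, port = parts[1].rsplit(":", 1)
    return parts[0], host, int(port)


def classify(cmdline):
    """Describe where tx broadcasts and chain sync exit for a monerod command line."""
    argv = shlex.split(cmdline)
    report = {"tx": None, "sync": None, "warnings": []}
    if "torsocks" in argv:
        # Socksifier: every connection uses one SocksPort and leaves via an exit node.
        report["tx"] = report["sync"] = "socksifier SocksPort -> Tor exit node"
        report["warnings"].append("tx broadcasts leave via exit nodes (correlation risk)")
        return report
    proxy = None
    for i, arg in enumerate(argv):
        if arg.startswith("--tx-proxy="):
            proxy = arg.split("=", 1)[1]
        elif arg == "--tx-proxy" and i + 1 < len(argv):
            proxy = argv[i + 1]
    if proxy is None:
        # No proxy settings at all: system default networking is redirected to TransPort.
        report["tx"] = report["sync"] = TRANSPORT
        return report
    net, host, port = parse_tx_proxy(proxy)
    # Loopback 9050 is rewritten to the gateway before it ever leaves the workstation.
    host, port = LOOPBACK_REDIRECT.get((host, port), (host, port))
    if port == SHARED_SOCKS_PORT:
        report["warnings"].append("shared SocksPort 9050: another app may use it too")
    report["tx"] = f"SocksPort {host}:{port} ({net}, stream isolated)"
    report["sync"] = TRANSPORT   # sync is not covered by --tx-proxy
    return report
```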

Port 9153 is a custom socks port according to the stream isolation page.

It might be.

9050, no.

Basically the same, but with a higher risk that something else uses that port too without the user knowing.

Indeed.

Hello Patrick,

Thank you very much for your response. Slowly I am getting a deeper understanding.

Please excuse me if it is obvious, but is the “TransPort” port 9050 or another port (if it is another, which one, and where is it documented)? Thank you.

As port 9153 is a custom socks port, I assume that I found a mistake on the following page and section:
Dev/anon-ws-disable-stacked-tor - Whonix Here it is stated that port 9153 is used by Tor Messenger and forwarded to Whonix-Gateway. From my understanding this is not the case, as on the stream isolation page it is stated that 9153 can be used as a custom socks port for one's own application.

No.

Tor TransPort is port 9040 on Whonix-Gateway and cannot be accessed directly. System default networking (TCP) originating from Whonix-Workstation will be redirected to that port.

Stream Isolation

That is confusing indeed.
9153 in workstation was Tor Messenger default ControlPort being redirected to gateway 9051 ControlPort (actually control port filter proxy, onion-grater).
9153 on the gateway is a custom SocksPort.
A bit messy but no longer an issue since Tor Messenger was deprecated years ago.

Thanks a lot for your response.