
Setup Monero Node with Stream Isolation

Hello, if you want to run a monero node via Tor you have currently two methods.

  1. Application Proxy Settings: Monero Anonymity Network

./monerod --tx-proxy tor,127.0.0.1:9050,10 --add-peer=[onionservice]:[port]

(1) transaction broadcasts (tx) go through Tor to onion peers
(2) blockchain sync goes through clearnet to seed nodes.
-> (2) is undesirable as the public IP address gets exposed

  2. torsocks: Monero Using Tor

DNS_PUBLIC=tcp torsocks monerod --p2p-bind-ip 127.0.0.1 --no-igd

(1) every outgoing connection goes through Tor to seed nodes and leaves Tor at a Tor exit node
-> this is undesirable as it could potentially lead to identity correlation

If you want to set up a monero node on Whonix-Workstation and want to set up proper stream isolation, I assume that the following setup is currently the preferred approach.

Starting the monero node with the custom socks ports prepared for custom installed applications, without IsolateDestAddr and without IsolateDestPort.

./monerod --tx-proxy tor,10.152.152.10:9153,10 --add-peer=[onionservice]:[port]

(1) transaction broadcasts (tx) go through Tor via Whonix-Gateway to onion peers
(2) blockchain sync goes via the TransPort on Whonix-Gateway through Tor to seed nodes and leaves Tor at a Tor exit node
-> IP/DNS leaks prevented by Whonix-Gateway
-> stream isolation for (1)
-> no stream isolation for (2) unless there are no additional connections through the TransPort from the same Whonix-Workstation. If there are additional connections through the TransPort from the same Whonix-Workstation, you have to avoid that those applications end up linked to the same pseudonym, to prevent identity correlation.

Do you agree?

Thanks.

Follow the instructions here to create a uwt stream isolation wrapper for Monero.


Why is it beneficial to create a uwt stream isolation wrapper for the monero node instead of setting up an application SOCKS port and configuring the application to use that SOCKS port?

Example: ./monerod --tx-proxy tor,10.152.152.10:9153,10 --add-peer=[onionservice]:[port]

10.152.152.10:9153 would be the application SOCKS port for monero configured in Whonix-Gateway /usr/share/tor/tor-service-defaults-torrc.

This approach is preconfigured for many preinstalled applications and described here: Stream Isolation: How to mitigate identity correlation and according to Tor Project the Common Way: Use the applications proxy settings. I assumed using separate SOCKS port is the default way to ensure stream isolation for applications in Whonix.
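To make the distinction in this thread concrete, here is an added shell check (not from the thread, not Whonix or Monero code) that parses a monerod --tx-proxy argument of the form tor,host:port,max_connections and looks the host:port up in a torrc fragment to tell whether it is a dedicated SocksPort (its streams get their own Tor circuits, separate from other listeners) or the transparent TransPort that everything unconfigured on the workstation shares. The torrc fragment is a constructed sample in the shape of tor-service-defaults-torrc; the TransPort address 10.152.152.10:9040 and the port list are assumptions for the demonstration, not values taken from the real file.

```shell
#!/bin/sh
# Added example, not from the thread or from Whonix/Monero.
# Constructed torrc fragment in the shape of tor-service-defaults-torrc
# (the listener addresses here are assumptions for the demo).
SAMPLE_TORRC='TransPort 10.152.152.10:9040
DNSPort 10.152.152.10:5300
SocksPort 10.152.152.10:9150 IsolateDestAddr IsolateDestPort
SocksPort 10.152.152.10:9153
SocksPort 10.152.152.10:9154'

# Extract the host:port from "tor,10.152.152.10:9153,10".
# Prints the address; returns 1 if the argument is malformed.
tx_proxy_addr() {
    net="${1%%,*}"
    rest="${1#*,}"
    addr="${rest%%,*}"
    [ "$net" = "tor" ] || [ "$net" = "i2p" ] || return 1
    case "$addr" in
        *:[0-9]*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$addr"
}

# Classify which Tor listener a host:port belongs to in the torrc text.
# Prints: socksport, socksport-isolated, transport, or unknown.
classify_listener() {
    addr="$1"
    torrc="$2"
    line=$(printf '%s\n' "$torrc" | grep -E "^(SocksPort|TransPort) $addr( |$)" | head -n 1)
    case "$line" in
        "") echo unknown ;;
        TransPort*) echo transport ;;
        SocksPort*Isolate*) echo socksport-isolated ;;
        SocksPort*) echo socksport ;;
    esac
}

# Verdict for a whole --tx-proxy argument.
# Returns 0 only when the address is a dedicated SocksPort.
check_tx_proxy() {
    addr=$(tx_proxy_addr "$1") || { echo "malformed --tx-proxy argument: $1" >&2; return 1; }
    kind=$(classify_listener "$addr" "$2")
    case "$kind" in
        socksport|socksport-isolated)
            echo "$addr is a dedicated SocksPort ($kind): tx broadcasts use their own circuits"
            return 0 ;;
        transport)
            echo "$addr is the TransPort: circuits shared with all other transparently torified traffic" >&2
            return 1 ;;
        *)
            echo "$addr: no SocksPort or TransPort listener in torrc, monerod could not reach Tor there" >&2
            return 1 ;;
    esac
}

# Stand-alone demonstration: the command from the thread, then the
# TransPort variant the thread warns about, then a port Tor does not listen on.
for p in "tor,10.152.152.10:9153,10" "tor,10.152.152.10:9040,10" "tor,10.152.152.10:9999,10"; do
    if check_tx_proxy "$p" "$SAMPLE_TORRC"; then echo "OK:   $p"; else echo "WARN: $p"; fi
done
```

Running it on a real Whonix-Gateway would mean replacing SAMPLE_TORRC with the contents of /usr/share/tor/tor-service-defaults-torrc; the point of the check is that only a SocksPort line, not the TransPort, gives monerod's tx broadcasts a listener of their own.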

Unless you configured Tor to isolate streams by IP address (resource intensive and not a default AFAIK), you won’t be getting the anonymity you want.

Perhaps I did not express myself very well. I do not want to isolate streams by IP address.

I want to use the custom socks ports prepared in /usr/share/tor/tor-service-defaults-torrc for custom installed applications. In this case for monerod.

Therefore I wanted to use port 9153: ./monerod --tx-proxy tor,10.152.152.10:9153,10 --add-peer=[onionservice]:[port]

This is described as default here https://www.whonix.org/wiki/Stream_Isolation#How_to_mitigate_identity_correlation

Could you please clarify what's wrong with this approach, as I am trying to follow the official instructions?

I read it carefully this time. Every Onion connection has isolated streams by default. Nothing else needs to be done.

For best protection against identity correlation:
https://www.whonix.org/wiki/Stream_Isolation#Better_Protection
^ by following these instructions, either proxy settings are adhered to one way or another (socks proxy settings or a socksifier such as torsocks) or there is no traffic at all.

What’s better, using a socksifier or the proxy settings method? Nobody is researching that to my knowledge. In Whonix, the risk is traffic going through Tor’s TransPort (transparent torification) instead of through a dedicated Tor SocksPort. That risk is way too theoretical and obscure for anyone to make it a priority to work on.

I would expect something such as orjail might be better suited for torification (non-Whonix use case) or better stream isolation enforcement (Whonix use case). orjail / torsocks as kinda “mini Whonix networking”.

More on orjail:
Managing programs without Tor DNS Support / orjail

Non-trivial.

Therefore asking here will probably not make significant progress on stream isolation.

Thanks for your posts as this is a very interesting topic.

To apply this for running a monerod service using Whonix, the approach of “Better Protection” is not applicable as “All applications not configured to use a SocksPort by socks proxy settings or forced to use a SocksPort by a socksifier will not be able to establish connections.”

Because according to Monero Anonymity Networks and Monero Reference, using Whonix custom socks ports with ./monerod --tx-proxy tor,10.152.152.10:9153,10 --add-peer=[onionservice]:[port] still means that blockchain sync and forwarded transactions (those not originating from a connected wallet) still go through clearnet to seed nodes.

Therefore, if changing firewall settings according to “Better Protection”, blockchain sync and forwarded transactions are not possible.

And using the “Better Protection” configuration with this command DNS_PUBLIC=tcp torsocks monerod --p2p-bind-ip 127.0.0.1 --no-igd will work, but every outgoing connection, especially transactions, goes through Tor to seed nodes and leaves Tor at a Tor exit node, which is undesirable as it could potentially lead to identity correlation by leaving Tor at exit nodes.

To summarize, currently this is the most beneficial way to run monerod on Whonix: ./monerod --tx-proxy tor,10.152.152.10:9153,10 --add-peer=[onionservice]:[port]

Do you agree?
