Topic: Using Armory anonymously?

legendary
Activity: 1400
Merit: 1013
June 09, 2014, 03:02:01 AM
#30
Okay, then that brings up a question for me. Is there a way to *only* try to route to other TOR hidden services? For example, if I didn't even want to leave via an exit node to the rest of the network?
-onlynet=tor

I have evidence of it failing to connect to an external IP using "-proxy:" from an error message here: (modified for anonymity of exit node)
Code:
Jun 06 13:34:11.449 [Notice] We tried for 15 seconds to connect to '[scrubbed]' using exit $ECC33AB15915C6E167A0EAEF9D4BD1A005B12F56~GoodBoy23 at 201.151.231.31. Retrying on a new circuit.
Right, with -proxy, all connections are sent through it. If you used -onion you'd never see that message since you'd only be attempting to connect to hidden services.

I'm not sure this is needed for most people, but I think it'd be interesting to run a within-TOR-only node. Obviously this could be done by using the wiki for TOR services and only adding TOR IPs, but is there a way within the client to do only TOR-based IPs and avoid even exit nodes?
-onlynet=tor combined with -onion should do everything you need, except I'm not sure if there's a way to automatically bootstrap a Tor-only node. I always bootstrapped manually from known Tor nodes.
donator
Activity: 1419
Merit: 1015
June 09, 2014, 01:33:44 AM
#29
As far as I understand it, -proxy sends all connections through the proxy. -onion only sends connections to Tor hidden services over the proxy, and connections to regular ipv4 peers bypass the proxy.

Okay, then that brings up a question for me. Is there a way to *only* try to route to other TOR hidden services? For example, if I didn't even want to leave via an exit node to the rest of the network?

I have evidence of it failing to connect to an external IP using "-proxy:" from an error message here: (modified for anonymity of exit node)
Code:
Jun 06 13:34:11.449 [Notice] We tried for 15 seconds to connect to '[scrubbed]' using exit $ECC33AB15915C6E167A0EAEF9D4BD1A005B12F56~GoodBoy23 at 201.151.231.31. Retrying on a new circuit.

I'm not sure this is needed for most people, but I think it'd be interesting to run a within-TOR-only node. Obviously this could be done by using the wiki for TOR services and only adding TOR IPs, but is there a way within the client to do only TOR-based IPs and avoid even exit nodes?
legendary
Activity: 1400
Merit: 1013
June 08, 2014, 10:28:35 PM
#28
I've heard some people say if you use -onion=127.0.0.1:9050 your client will never leave TOR, which might be best for anonymity purposes.
I'm pretty sure that's the opposite of true.

As far as I understand it, -proxy sends all connections through the proxy. -onion only sends connections to Tor hidden services over the proxy, and connections to regular ipv4 peers bypass the proxy.

If you do this, however, I am not sure if the server will be accessible
Having your node accessible as a hidden service (something.onion) is just a matter of configuring your Tor nodes to publish the hidden service and redirect incoming connections to your node, and then using -externalip so that your node can tell its peers how to reach it.
donator
Activity: 1419
Merit: 1015
June 08, 2014, 09:34:41 PM
#27
My current line looks something like this:
bitcoin-qt.exe -proxy=127.0.0.1:9050 -externalip=j2l9w93j3jj32ss.onion -listen

I have not linked it to Armory yet, but presumably it should work. I've heard some people say if you use -onion=127.0.0.1:9050 your client will never leave TOR, which might be best for anonymity purposes. If you do this, however, I am not sure if the server will be accessible. Just whatever you do, don't forward port 8333 on your firewall or the anonymity goes away. Check out the "tor.md" file under Bitcoin\doc.

Someone more knowledgeable might be able to correct any mistakes I've made here.
member
Activity: 89
Merit: 77
May 30, 2014, 10:06:36 PM
#26
Would connecting through a VPN add the same level of anonymity without having to add to or change any files/settings?

If you trust that your VPN operator isn't evil, and that they won't be compromised by cyberattack, and that they won't be compelled by legal (or extralegal) means to screw you, then a VPN is probably fine.  These are conditions that are not true for many people.  Tor isn't vulnerable to any of these points (although it's not perfect).  So, short answer, no, a VPN is not comparable to Tor in terms of anonymity.
newbie
Activity: 24
Merit: 0
May 30, 2014, 09:54:52 PM
#25
Would connecting through a VPN add the same level of anonymity without having to add to or change any files/settings?
member
Activity: 89
Merit: 77
May 24, 2014, 10:42:52 PM
#24
That's an interesting point. You should try bind=127.0.0.1 instead of listen=1

Also, I would personally use Tails rather than just Tor, to guarantee all traffic goes through Tor.

Thanks for the advice, will try and report.

Tails is indeed the best solution, but IMO it's not really conceived as a fully persistent distro. It needs to be run from USB which makes it very impractical to run a full node as I do.

Right now I use this solution when I want "full system going through tor": I route all my OS X traffic through tor using the Proxy settings on System Preferences/Advanced/Proxies. I've found it pretty good, meaning that everything really goes through Tor - to avoid any third party software "phoning home" without going through Tor I use Little Snitch, with which I block all connections that are not routed through Tor.

Summing up: Tor proxy in advanced network settings  + Little Snitch works very well on OS X.

For future reference, Whonix has a pretty good reputation.  It runs in a VM, and (in theory) nothing inside the VM can break out of Tor, even if root privileges inside the VM are totally compromised.  Whonix has a dedicated SOCKS port for Bitcoin-Qt use (192.168.0.10, port 9111), so your Bitcoin transactions won't be linked to your other applications via circuit sharing.  I would guess that Whonix is quite a bit safer than relying on Bitcoin-Qt and Armory to perfectly respect proxy settings.

More info:

https://www.whonix.org/
https://www.whonix.org/wiki/Money
https://www.whonix.org/wiki/Stream_Isolation
legendary
Activity: 1148
Merit: 1018
May 19, 2014, 04:31:12 AM
#23
How do I verify that Armory is running via TOR?

Thanks!

TOR uses port 9150 not 9050, FYI.

Tor Browser Bundle uses port 9150, Tor daemon uses port 9050.

You need to verify that Bitcoin Core is running via Tor - you can do that easily by using Wireshark. If Bitcoin Core is running via Tor, then you are OK (Armory connects via Bitcoin Core only).

sr. member
Activity: 331
Merit: 250
May 18, 2014, 07:02:09 PM
#22
Do I have to disable UPnP first and then enable 127.0.0.1 via 9150 with SOCKS4 or 5? LMK!

Thanks!
sr. member
Activity: 331
Merit: 250
May 18, 2014, 06:21:49 PM
#21
How do I verify that Armory is running via TOR?

Thanks!

TOR uses port 9150 not 9050, FYI.
legendary
Activity: 1232
Merit: 1094
January 13, 2014, 07:07:42 AM
#20
Bind=127.0.0.1 didn't work for armory, but I tried it alone - maybe I also have to enable listen=1 for bind=127.0.0.1 to work? Will try that...

Bind = 127.0.0.1 should mean that only local processes can connect to your node.  This means that you can use listen=1 without having to worry about incoming connections.

You are guaranteed to have 8 outgoing connections and the 1 incoming connection from Armory.
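
The option behaviour discussed in this thread (-proxy, -onion and -onlynet=tor in the newer posts above, bind and listen here) can be turned into a quick configuration check. The following is an added example, not code from any poster or from the Bitcoin Core or Armory projects; the finding codes and sample configurations are hypothetical, and the listen default it uses (on, but off once proxy is set) is an assumption about Bitcoin Core.

```python
# Added example, not code from the thread: audit bitcoin.conf text against the
# proxy / onion / onlynet / listen / bind behaviour described in these posts.
LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]"}

def parse_conf(text):
    """Parse key=value lines; keys may repeat (onlynet, bind); '#' starts a comment."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            opts.setdefault(key.lstrip("-").lower(), []).append(value)
    return opts

def bind_host(value):
    """Drop a trailing :port from host:port or [v6]:port."""
    if value.startswith("[") or value.count(":") == 1:
        host, _, port = value.rpartition(":")
        if port.isdigit():
            return host
    return value

def audit(text):
    """Return finding codes (hypothetical names) for one bitcoin.conf."""
    opts = parse_conf(text)
    proxy = opts.get("proxy", [""])[-1]
    onion = opts.get("onion", [""])[-1]
    nets = {n.lower() for n in opts.get("onlynet", [])}
    tor_only = bool(nets) and nets <= {"tor", "onion"}
    findings = []
    if not (proxy or onion):
        findings.append("NO_TOR_PROXY")  # nothing is routed through Tor
    elif not tor_only:
        # proxy: clearnet peers go out via exit nodes; onion alone: they bypass Tor
        findings.append("CLEARNET_VIA_EXIT" if proxy else "CLEARNET_BYPASSES_PROXY")
    # Assumption: listening is on by default and switched off once proxy is set.
    listen = opts.get("listen", ["0" if proxy else "1"])[-1]
    binds = [bind_host(b) for b in opts.get("bind", [])]
    if listen == "1" and not (binds and all(b in LOOPBACK for b in binds)):
        findings.append("INBOUND_NOT_LOOPBACK")  # exposed if port 8333 is forwarded
    return findings

# Constructed sample configurations built from the options quoted in the thread.
SAMPLES = {
    "proxy+listen": "proxy=127.0.0.1:9050\nlisten=1\n",
    "onion only": "onion=127.0.0.1:9050\n",
    "tor-only": "onion=127.0.0.1:9050\nonlynet=tor\nlisten=1\nbind=127.0.0.1\n",
}

if __name__ == "__main__":
    for name, conf in SAMPLES.items():
        print(f"{name}: {audit(conf) or 'no findings'}")
```
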
legendary
Activity: 1148
Merit: 1018
January 13, 2014, 06:30:59 AM
#19
I think bind=127.0.0.1 would have the added advantage that only local connections would be possible.  External connections can't "see" localhost on another machine.

Activating listen mode would be required.

I tried bind=localhost and it didn't work, Bitcoin-QT couldn't resolve it.

Bind=127.0.0.1 didn't work for armory, but I tried it alone - maybe I also have to enable listen=1 for bind=127.0.0.1 to work? Will try that...
legendary
Activity: 1232
Merit: 1094
January 11, 2014, 02:43:38 PM
#18
I think bind=127.0.0.1 would have the added advantage that only local connections would be possible.  External connections can't "see" localhost on another machine.

Activating listen mode would be required.
legendary
Activity: 3794
Merit: 1375
Armory Developer
January 10, 2014, 11:05:52 PM
#17
The bind=127.0.0.1 thing did not work - the only way I've managed to run Bitcoin + armory + Tor is to start Bitcoin with the listen=1 argument.

Interesting, it works for me without using Tor. Try bind=localhost, maybe your host file resolves localhost to something else (IPv6?)
legendary
Activity: 1148
Merit: 1018
January 09, 2014, 03:08:51 PM
#16
The bind=127.0.0.1 thing did not work - the only way I've managed to run Bitcoin + armory + Tor is to start Bitcoin with the listen=1 argument.
legendary
Activity: 1148
Merit: 1018
January 05, 2014, 12:13:38 PM
#15
That's an interesting point. You should try bind=127.0.0.1 instead of listen=1

Also, I would personally use Tails rather than just Tor, to guarantee all traffic goes through Tor.

Thanks for the advice, will try and report.

Tails is indeed the best solution, but IMO it's not really conceived as a fully persistent distro. It needs to be run from USB which makes it very impractical to run a full node as I do.

Right now I use this solution when I want "full system going through tor": I route all my OS X traffic through tor using the Proxy settings on System Preferences/Advanced/Proxies. I've found it pretty good, meaning that everything really goes through Tor - to avoid any third party software "phoning home" without going through Tor I use Little Snitch, with which I block all connections that are not routed through Tor.

Summing up: Tor proxy in advanced network settings  + Little Snitch works very well on OS X.
legendary
Activity: 3794
Merit: 1375
Armory Developer
January 03, 2014, 07:04:11 PM
#14
That's an interesting point. You should try bind=127.0.0.1 instead of listen=1

Also, I would personally use Tails rather than just Tor, to guarantee all traffic goes through Tor.
legendary
Activity: 1148
Merit: 1018
January 02, 2014, 05:22:30 AM
#13
You need to add listen=1 to your bitcoin.conf file.

Prudence would suggest that you make sure that other machines can't see your PC, but you should be behind a NAT router anyway.  Just disable a port forward if you have one.

Very sorry to necro this thread guys, but I just recently started to run Bitcoin-QT through Tor to protect myself especially while using public WIFIs, etc. and I had to add the listen=1 line to the bitcoin.conf file to get armory to work with it...

Erebus, you say that "prudence would suggest that you make sure that other machines can't see your PC", but anyhow Bitcoin-QT listens to external connections by default unless a proxy (like Tor) is configured - right? Thus, adding listen=1 would just take Bitcoin-QT to its "default" behaviour regarding external connections...

Did I get it right?
newbie
Activity: 30
Merit: 0
May 26, 2013, 06:18:23 AM
#12
Ah, figured it out. Seems it's running!
newbie
Activity: 30
Merit: 0
May 26, 2013, 05:58:06 AM
#11
So do I understand correctly that for people using proxies (mainly for Tor), you *may* have to do any of the following:

  • (1) Create a bitcoin.conf file with listen=1  (C:\Users\username\AppData\Roaming\Bitcoin\bitcoin.conf or /home/user/.bitcoin/bitcoin.conf)
  • (2) Start Armory with --skip-online-check
  • (3) In some cases, change the port that Armory connects to (usually 8333, might be 9050 with Tor)

Does this cover it?  What else should I add to my list?

Thanks, I did 1 and 2; it seems 3 is a must. But how can I change the port connection when I don't see it in the settings options?