Set-up Guide for running Zcash on Tor (Ubuntu / Debian Linux Desktop)

Part 1 - Tor and nyx

N.B. This guide will enable the user to effectively run 2 versions of Tor on a single Linux desktop i.e. the Tor expert bundle (for Zcash) and the Tor Browser Bundle for browsing!

First we will install Tor (the expert bundle) and nyx.

EDIT: Arm is now nyx ! See: https://nyx.torproject.org/

Open a new Terminal

Ctrl + alt + T

sudo apt-get update

sudo apt-get dist-upgrade

Restart your system if necessary.

Add the correct package repository before you can fetch Tor. N.B. The provided example is for Ubuntu Trusty Tahr. You must add the correct package for your distribution from here:

echo 'deb http://deb.torproject.org/torproject.org trusty main' | sudo tee -a /etc/apt/sources.list.d/torproject.list

Then add the gpg key used to sign the packages by running the following commands at your command prompt:

gpg --keyserver keys.gnupg.net --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89

or

gpg --keyserver keyserver.ubuntu.com --recv 886DDD89

Export and add the key:

gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -

Now update (again). However, this time you will see deb.torproject.org get ‘pinged’ a few times.

sudo apt-get update

Install Tor:

sudo apt-get install tor

We need to stop Tor to configure our torrc correctly.

sudo service tor stop

The Tor Project provides a keyring to ensure that everything is kept up-to-date. Lets install it.

sudo apt-get install deb.torproject.org-keyring

Now lets install nyx (our Tor cli controller) and confirm some extra Tor (related) packages for Zcash use.

sudo apt-get install tor-geoipdb apparmor-utils torsocks

EDIT: See (updated post below) :

We can now edit our torrc file for Zcash client use.

sudo nano /etc/tor/torrc

If you have never read the ‘default’ torrc then this would be a good opportunity to do just that. However, lets delete the example torrc by pressing and holding;

Ctrl + K

Now we can copy/paste our new Zcash on Tor (torrc) settings;

ClientOnly 1
SOCKSPort 9050
SOCKSPolicy accept 127.0.0.1/8
Log notice file /var/log/tor/notices.log
ControlPort 9051
HiddenServiceStatistics 0
ORPort 9001
LongLivedPorts 21,22,706,1863,5050,5190,5222,5223,6523,6667,6697,8300,8233
ExitPolicy reject *:*
DisableDebuggerAttachment 0

Note that LongLivedPorts are the ‘default’ Tor settings + the Zcash P2P port. This is because not having the default ports listed might make our client stand out!

To save the new torrc;

Ctrl + X

Y (yes)

and press the enter key i.e. File Name to Write: /etc/tor/torrc - is correct.

Now we can start Tor and run nyx (cli):

sudo service tor start

sudo -H -u debian-tor nyx

We can navigate nyx with our arrow keys. Pressing M will show the menu. Q Q to quit. R to reconnect etc., Note that Tor can also be stopped or restarted via the nyx menu.

At this juncture you can download and run the Tor Browser Bundle (for browsing separately)

You effectively have 2 versions of Tor running, again one for Zcash P2P and the other for secure Tor browsing. Note that;

TBB uses SOCKSPort = 9150 and ControlPort = 9151 (technically)

Tor Expert Bundle uses SOCKSPort = 9050 and ControlPort = 9051

Thus, Zcash on Tor will be configured to use port 9050 - keeping all of your Zcash on Tor P2P traffic entirely separate from your Tor browsing activities.

Is this really necessary? Yes … Tor Developer Isis Lovecruft lectures on anonymity systems at Radboud Universiteit - YouTube

4 Likes

Reserved for Part 2 - Zcash on Tor

N.B. If you already have Zcash installed then you can find Zcash on Tor (CLIENT Only) : zcash.conf settings via the thread post below;

Syncing the Zcash blockchain over Tor exclusively via addnode=.onion services. :heart_eyes:

2 Likes

Arm is now nyx !

See: https://nyx.torproject.org/

The above guide has been edited for nyx. Herewith, a basic guide for those already running Arm (now considered to be depreciated) and/or for those of you doing a fresh install.

sudo easy_install pip
sudo pip install nyx

or if easy_install is ‘missing’ you can install pip and nyx as follows:

sudo apt-get install python-pip
pip install --upgrade pip

EDIT: If pip install --upgrade pip will not upgrade and the command returns something similar to this :

Traceback (most recent call last):
File “/usr/bin/pip”, line xx, in
sys.exit(main())
File “/usr/lib/python2.7/dist-packages/pip/init.py”, line xxx, in main
locale.setlocale(locale.LC_ALL, ‘’)
File “/usr/lib/python2.7/locale.py”, line xxx, in setlocale
return _setlocale(category, locale)
locale.Error: unsupported locale setting

Then you need to run the following command and then do pip install --upgrade pip (again).

export LC_ALL=C

It is probably a good idea to add (confirm) the following packages:

pip install setuptools
pip install certifi
pip install urllib3[secure]

Then:

sudo pip install nyx

Now we can create the nyx config directory:

mkdir ~/.nyx/

and write some settings to the config:

sudo nano ~/.nyx/config

See: https://nyx.torproject.org/nyxrc.sample

I added:

acs_support false
resolve_processes true
show_addresses true

See: Nyx

"When alternate character support (ACS) is unavailable borders become characters like the picture above. This is a terminal bug.

Unfortunately there doesn’t seem to be a way for Nyx to automatically detect this. However, when it happens this can be easily corrected. Simply run reset. To tell Nyx not to use ACS borders simply add the following to your nyxrc…"

If the (old) Arm controller is still running then we can exit it now by hitting Q Q .

Now we can run the new nyx controller. At the prompt:

sudo -H -u debian-tor nyx

Nyx will probably start with the following ‘error’ message:

" No nyxrc loaded, using defaults. You can customize nyx by placing a configuration file at /var/lib/tor/.nyx/config "

However, we cannot edit the new config location with the set permissions until after its first run, so…

sudo nano /var/lib/tor/.nyx/config

and (again) add:

acs_support false
resolve_processes true
show_addresses true

When we return to the nyx screen. We can simply ‘reset’ Tor to ‘fix’ the presented ‘errors’. Note that this is the simplest method I found to work across platforms and releases. It may not be the most secure solution (according to Tor folks), although it does prevent a couple of ‘bugs’ and will slightly improve control performance in nyx with local caching.

See: Nyx does not have access to its cache folder unless it is run as root (#24508) ¡ Issues ¡ Legacy / Trac ¡ GitLab

and

See: Nyx

In general, nyx is a vast improvement over Arm and users should upgrade asap for increased Tor compatibility moving froward.

Hey @xyZcash - thanks for the guide!

I followed it as closely as possible. Nyx gives me warnings like this:

[WARN] Your application (using socks5 to port 8233) gave Tor a malformed hostname: [scrubbed]. Rejecting the connection. [57 duplicates hidden]

Does this mean I configures something incorrectly?

I also wonder if I started zcashd correctly. Using Debian binaries, I should stat it with /usr/bin/zcashd -proxy=127.0.0.1:9050, right? Or is there something I should/can add or do differently to ensure proper working?

Is this step:

and this step:

sudo apt-get install deb.torproject.org-keyring

redundant? If not, how are they different?

1 Like

Yes. It’s technically the same key(s), however installing the -keyring is a good idea to keep everything Tor up-to-date.

Having said that it’s not always advisable to install the -keyring in certain instances. For example, with the Zcash on Tor fully hidden_service nodes I remove the /etc/apt/sources.list.d/torproject.list repo lines after each upgrade. This prevents pinging the Tor project repos with every manual or unattended upgrade / updates etc., Simply replace the source.list lines when its time to update Tor!

" If you’re using Debian, just run

_ apt install tor _

as root.

Debian provides the LTS version of Tor. Note that this might not always give you the latest stable Tor version, but you will receive important security fixes. To make sure that you’re running the latest stable version of Tor, see option two below. "

I would still strongly recommend installing the latest Tor release, as per the original guide.

@xyZcash To what extent does this setup torify Zcash? Do the following also get routed through Tor?

  • transactions initiated by the client?
  • general transaction gossip (in both directions)?
  • shielded pool parameter downloads?
  • anything else I didn’t think of?

And why is there so little activity in these topics? I see some talk about the theory of transfer layer privacy, but why aren’t people interested in practicing it? Privacy should be the most important thing when using a privacy coin!

2 Likes