lndcurrently has complete support for using Lightning over Tor. Usage of Lightning over Tor is valuable as routing nodes no longer need to potentially expose their location via their advertised IP address. Additionally, leaf nodes can also protect their location by using Tor for anonymous networking to establish connections.
lndsupports both types of onion services: v2 and v3.
lnd's Lightning protocol traffic is tunneled over Tor. Users must ensure that when also running a Bitcoin full-node, that it is also proxying all traffic over Tor. If using the
lnd, then it will automatically also default to Tor usage if active within
torlocally before starting up
lnd. Depending on how you installed Tor, you'll find the configuration file at
/usr/local/etc/tor/torrc. Here's an example configuration file that we'll be using for the remainder of the tutorial:
tordaemon has started and it has finished bootstrapping, you'll see this in the logs:
lndwith the relevant arguments:
lndto route all outbound and inbound connections through Tor.
--tor.socksargument should point to the interface that the
Tordaemon is listening on to proxy connections. The
--tor.dnsflag is required in order to be able to properly automatically bootstrap a set of peer connections. The
tordaemon doesn't currently support proxying
SRVqueries over Tor. So instead, we need to connect directly to the authoritative DNS server over TCP, in order query for
SRVrecords that we can use to bootstrap our connections.
lndautomatically creating an onion service. A path to save the onion service's private key can be specified with the
lndto communicate with the Tor daemon securely, it must first establish an authenticated connection.
lndsupports the following Tor control authentication methods (arguably, from most to least secure):
SAFECOOKIE: This authentication method relies on a cookie created and
CookieAuthentication 1in its configuration file.
HASHEDPASSWORD: This authentication method is stateless as it relies on a
lndnode. The password hash can be obtained through
tor --hash-password PASSWORD, which should then be
. Finally, to use it withinlnd
, the--tor.password` flag
NULL: To bypass any authentication at all, this scheme can be used instead.
lndor configuration options to
lnd. Specifying which type should be used can easily be done by either using the
tor.v3flag. To prevent unintentional leaking of identifying information, it is also necessary to add the flag
v3_onion_private_keydepending on the type of onion service used in
lnd's base directory. This will allow
lndto recreate the same hidden service upon restart. If you wish to generate a new onion service, you can simply delete this file. The path to this private key file can also be modified with the