
Question: Is there a way to check and make sure you're properly connecting over Tor so you don't accidentally shoot yourself in the foot? #4

Closed
durbanpoison opened this issue May 18, 2018 · 7 comments

@durbanpoison
Collaborator

durbanpoison commented May 18, 2018

How can a user triple-check to make sure that they are set up properly to install zcash, update zcash, and run zcash over Tor exclusively?

BOUNTY
I am offering 0.025 ZEC to the first person to give the correct answer to this question. Bounties will only be paid out to z-addresses.

@l0sec

l0sec commented May 20, 2018

Hi,

Great that you are trying to write such a howto! I've spent a lot of time trying to figure out how to run zcashd via Tor, howtos like yours are very helpful :) I am not using Debian, but the info below seems to be generic for most Linux distros.

If you want to have a zcashd node running completely in Tor network, check this how to: https://btcz.rocks/documents/tutorial-tor-node.pdf (just skip their script, interesting things begin from chapter 6).
As a result you can achieve this:

zcash-cli getnetworkinfo
  "networks": [
    {
      "name": "ipv4",
      "limited": true,
      "reachable": false,
      "proxy": "127.0.0.1:9050",
      "proxy_randomize_credentials": true
    },
    {
      "name": "ipv6",
      "limited": true,
      "reachable": false,
      "proxy": "127.0.0.1:9050",
      "proxy_randomize_credentials": true
    },
    {
      "name": "onion",
      "limited": false,
      "reachable": true,
      "proxy": "127.0.0.1:9050",
      "proxy_randomize_credentials": true
    }
  ],
  ..
  "localaddresses":
      "address": "<your_onion_service_addr>.onion",
      "port": 8233,

and then zcash-cli getpeerinfo will show only onion peers like these:
"addr": "dbixrkj54tgh4y5g6.onion:8233"
"addr": "uq2dffsf4455sz77l.onion:8233"

Printouts like these prove you are completely in Tor (there shouldn't be any IPv4 or IPv6 addresses in getpeerinfo!)

To achieve it you need the following in your zcash.conf

addnode=zcmaintvsivr7pcn.onion
rpcuser=username
rpcpassword=xxxxxxxxxxxxxx
torcontrol=127.0.0.1:9051
torpassword=<your_tor_control_password>
proxy=127.0.0.1:9050 
dnsseed=0
externalip=<your_tor_service_addr>.onion
listen=1
onlynet=onion

and the following in your /etc/tor/torrc

User tor
PIDFile /var/run/tor/tor.pid
Log notice syslog
DataDirectory /var/lib/tor/data
ControlPort 9051
HashedControlPassword <pass_hex, just use `tor --hash-password "your_pass_string"`>

HiddenServiceDir /var/lib/tor/zcash-service/
HiddenServicePort 8233 127.0.0.1:8233
HiddenServicePort 18233 127.0.0.1:18233

LongLivedPorts 9033

Now as for downloading zcashd and fetching parameters, if you really want to do it securely, I do not think that using some repo (is it official?) from the Tor network is a good idea. I prefer to fetch the source and compile it myself, using git, see https://github.com/zcash/zcash/wiki/1.0-User-Guide#fetch-the-software-and-parameter-files. Before running git you can make it use the Tor proxy:

git config --global http.proxy 'socks5://127.0.0.1:9050'

When it comes to fetching parameters for zcashd, I can see their script is using wget or ipfs. For wget try setting your env to use the proxy before executing ./zcutil/fetch-params.sh

export http_proxy="http://127.0.0.1:9050" (not working with Tor socks, see post below)
export https_proxy="https://127.0.0.1:9050" (not working with Tor socks, see post below)

I do not know how to use proxy with ipfs, so just do not install it ;-)

So I suppose this covers install, update and run.

Just one more comment from me:

  • fetching parameters and running a zcashd node for the first time through Tor may take a lot of time, after all the zcash blockchain is about 16G at the moment, and Tor is not about downloading such big chunks of data. And actually is it really that important to cover downloading the publicly accessible data (zcash node soft, blockchain and parameters)? Running transactions later on when you have everything installed and downloaded is a different story of course :)

Hope you'll find this info useful ;-)
Regards
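The check l0sec describes above (no IPv4/IPv6 peers in getpeerinfo, ipv4/ipv6 unreachable and proxied in getnetworkinfo) can be automated against the JSON that zcash-cli returns. The script below is an added example and is not code from this thread or from the zcash-tor guide; the two sample documents are constructed to resemble the output pasted above (the local onion address and the clearnet peer IP are placeholders), and `audit_live_node` assumes `zcash-cli` is on PATH. The "leaky" sample reproduces the situation described later in the thread: Tor is the proxy, but `onlynet=onion` was not set, so the node still accepts IPv4 peers.

```python
"""Audit `zcash-cli getnetworkinfo` / `getpeerinfo` output for a Tor-only zcashd node.

Added example, not code from the issue thread or the zcash-tor guide. The sample
documents below are constructed; addresses marked placeholder are not real.
"""
import json
import subprocess


def host_of(addr):
    """Strip the port from a peer address. IPv6 peers look like "[2001:db8::1]:8233",
    IPv4 like "203.0.113.7:8233" and onion peers like "<id>.onion:8233"."""
    host, sep, _port = addr.rpartition(":")
    return host if sep else addr


def audit_network_info(netinfo):
    """Return a list of findings; an empty list means the node is configured Tor-only."""
    findings = []
    for net in netinfo.get("networks", []):
        name = net.get("name")
        if name == "onion":
            if not net.get("reachable"):
                findings.append("onion network is not reachable; check proxy= and torcontrol= in zcash.conf")
        elif name in ("ipv4", "ipv6"):
            if net.get("reachable"):
                findings.append(f"{name} is reachable; set onlynet=onion so only Tor peers are used")
        else:
            continue
        # Every network must go through the SOCKS proxy, with random SOCKS credentials
        # so Tor puts each peer connection on its own circuit (stream isolation).
        if not net.get("proxy"):
            findings.append(f"{name}: no SOCKS proxy set; add proxy=127.0.0.1:9050")
        if not net.get("proxy_randomize_credentials"):
            findings.append(f"{name}: proxy credentials are not randomized, so peers share circuits")
    for local in netinfo.get("localaddresses", []):
        address = local.get("address", "")
        if not address.endswith(".onion"):
            findings.append(f"local address {address!r} is not an onion service and is advertised to peers")
    return findings


def audit_peer_info(peers):
    """Return the addresses of connected peers that are not .onion addresses."""
    return [p.get("addr", "") for p in peers
            if not host_of(p.get("addr", "")).endswith(".onion")]


def audit_live_node(cli="zcash-cli"):
    """Run both checks against a running zcashd (assumes zcash-cli is on PATH)."""
    netinfo = json.loads(subprocess.check_output([cli, "getnetworkinfo"]))
    peers = json.loads(subprocess.check_output([cli, "getpeerinfo"]))
    return audit_network_info(netinfo), audit_peer_info(peers)


# Constructed sample: what a correctly configured node reports.
TOR_ONLY_NETINFO = {
    "networks": [
        {"name": "ipv4", "limited": True, "reachable": False,
         "proxy": "127.0.0.1:9050", "proxy_randomize_credentials": True},
        {"name": "ipv6", "limited": True, "reachable": False,
         "proxy": "127.0.0.1:9050", "proxy_randomize_credentials": True},
        {"name": "onion", "limited": False, "reachable": True,
         "proxy": "127.0.0.1:9050", "proxy_randomize_credentials": True},
    ],
    "localaddresses": [{"address": "exampleonionplaceholder.onion", "port": 8233, "score": 4}],
}
TOR_ONLY_PEERS = [{"addr": "dbixrkj54tgh4y5g6.onion:8233"},
                  {"addr": "uq2dffsf4455sz77l.onion:8233"}]

# Constructed sample: Tor is the proxy, but onlynet=onion is missing, so IPv4 is
# still reachable (through Tor) and a clearnet peer (placeholder IP) is connected.
LEAKY_NETINFO = {
    "networks": [
        {"name": "ipv4", "limited": False, "reachable": True,
         "proxy": "127.0.0.1:9050", "proxy_randomize_credentials": True},
        {"name": "ipv6", "limited": True, "reachable": False,
         "proxy": "127.0.0.1:9050", "proxy_randomize_credentials": True},
        {"name": "onion", "limited": False, "reachable": True,
         "proxy": "127.0.0.1:9050", "proxy_randomize_credentials": True},
    ],
    "localaddresses": [],
}
LEAKY_PEERS = [{"addr": "dbixrkj54tgh4y5g6.onion:8233"}, {"addr": "203.0.113.7:8233"}]

if __name__ == "__main__":
    for label, netinfo, peers in (("tor-only", TOR_ONLY_NETINFO, TOR_ONLY_PEERS),
                                  ("leaky", LEAKY_NETINFO, LEAKY_PEERS)):
        print(label, audit_network_info(netinfo), audit_peer_info(peers))
```

Run it as-is to see both samples classified, or call `audit_live_node()` on a box where zcashd is running; an empty pair of lists is the "all in Tor" result the reply above describes, while any IPv4/IPv6 peer address or a reachable ipv4/ipv6 network is the case that needs `onlynet=onion`.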

@durbanpoison
Collaborator Author

durbanpoison commented May 21, 2018

Thanks @l0sec!

and then zcash-cli getpeerinfo will show only onion peers like these...

This answers the main question of this issue. And your comments led me to solve #3 and #6 as well. If you would like to claim the 0.075 ZEC bounty for helping to close these issues please share a z-addr here.

Running this command myself, I noticed I had some ipv4 nodes connected. At first I was startled, thinking I might not be connecting over Tor. But I discovered that I was connecting to these nodes over Tor, but I hadn't added the onlynet=onion argument to my zcash.conf file. So already your help has yielded fruits to improve the guide!

That said, right now my guide is written so that the node is only a listening node. Your instructions also contain information for making the node reachable so that it can upload blockchain data to peers. I have elected not to do this because I don't want my node to be too chatty, but others might not care and might even want to help give back to the network. So I will add instructions for making the node reachable as an option should users be interested.

Again, a helpful improvement to the guide. Thank you!

Now as for downloading zcashd and fetching parameters, if you really want to do it securely, I do not think that using some repo (is it official?) from Tor network is a good idea.

The method suggested in my guide (draft version found in the README of this repo) is also secure, to the best of my knowledge. First we download the "official" Zcash signing key over HTTPS. (Although now I wonder how we can do this step over Tor, see: #6) Then we add the "official" Zcash apt Tor repo to our sources list. From now on we will only download Zcash over Tor from the official hidden service repo, and we will check the GPG signature using the official signing key we downloaded over HTTPS.

I don't think there's anything wrong with compiling from source, especially with the instructions for doing so over Tor as you suggested. But for my own understanding may I ask why you think your way is more secure than the way I have just described?

And actually is it really that important to cover downloading the public accessible data (zcash node soft, blockchain and parameters )?

Yes, one of the goals of this guide is to ensure that the user's IP address is never exposed to any services associated with Zcash.

@l0sec

l0sec commented May 21, 2018

Hi Durbanpoison !

Ok, I get it, you want to secure all communication related to zcash, even downloading soft, keys, etc.

Sorry I misled you a bit on the matter of wget. Actually it is not so simple as just exporting http_proxy to point to Tor, as Tor uses SOCKS, and wget uses an http proxy. There are ways to add another layer over Tor SOCKS to translate it to an http proxy (like https://www.codevoila.com/post/16/convert-socks-proxy-to-http-proxy-using-polipo), but it seems to be overkill. But you can use curl instead, which supports SOCKS :)

curl ipinfo.io/ip
a.b.c.d <- your public IP
export http_proxy="SOCKS5://127.0.0.1:9050"

Make sure it uses Tor network:

curl ipinfo.io/ip
89.234.157.254 <- some Tor IP

And then instead of wget -qO - https://apt.z.cash/zcash.asc run:
curl https://apt.z.cash/zcash.asc --output zcash.asc
This should solve issue #6 :-)

Coming back to your question "why" about compilation from source, I do not have strong arguments, I suppose it is the most direct way of getting the software without intermediaries like the repository you mentioned (I am not saying this repo is not secure). Moreover it is straightforward to give git the proxy option
git config --global http.proxy 'socks5://127.0.0.1:9050' before cloning zcashd, to hide all communication. Of course this method requires that you fulfill the zcashd dependencies without apt.
Note I made a mistake before, in my previous post; I have edited it to be correct: we need to pass socks5, as Tor will not work with an http proxy for git.

To sum up:

  • downloading of zcashd can be done by onion repository, as you wrote, or by git cloning via Tor socks and then compiling.
  • fetching the keys can be done via curl which supports the Tor socks (see above)
  • fetching zcash parameters - wget can be replaced by curl in fetch-params.sh, or an additional http-over-socks layer can be added with the help of polipo (I haven't tested it though). Or maybe ipfs allows an easier way, but I do not know the tool.

Here is my z-addr :-)
zcg2LJhH9WiLovw6G9nzmC6RKsAtBULA7DnK3AnjEfWv6rT2HujJjBsb3HLdAZouXyGjGDVCFt6wJTvNUxdk29JuMGXAA3A

Regards
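The zcash.conf and torrc shown in l0sec's first reply, and the summary above, together describe one setup whose pieces must agree with each other: zcashd's `proxy=` must point at Tor's SOCKS port, `torcontrol=` at the torrc `ControlPort`, `torpassword=` needs a matching `HashedControlPassword`, and a listening node needs an onion `externalip=` plus a `HiddenServicePort` forwarding 8233. The linter below is an added example and is not code from this thread or from the zcash-tor guide; the sample files are constructed to mirror the ones posted above (the onion address, RPC password and password hash are placeholders). The `onlynet` check is deliberately strict because a one-character typo in that value does not select the onion network.

```python
"""Cross-check zcash.conf and torrc for a Tor-only zcashd node.

Added example, not code from the issue thread or the zcash-tor guide. The keys it
expects are the ones in the zcash.conf and torrc posted in the thread; the sample
files at the bottom are constructed and their secrets/addresses are placeholders.
"""

MAINNET_P2P_PORT = "8233"  # the port the thread's HiddenServicePort forwards to zcashd


def parse_zcash_conf(text):
    """zcash.conf is `key=value` per line, `#` starts a comment; returns {key: [values]}."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        opts.setdefault(key, []).append(value)
    return opts


def parse_torrc(text):
    """torrc is `Keyword value...` per line; returns {keyword: [value strings]}."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        opts.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return opts


def port_of(hostport):
    """'127.0.0.1:9051' -> '9051'; a bare '9051' -> '9051'."""
    return hostport.rpartition(":")[2]


def audit_conf(zcash_conf, torrc):
    """Return a list of findings; empty means the two files agree with the thread's setup."""
    z = parse_zcash_conf(zcash_conf)
    t = parse_torrc(torrc)
    findings = []

    # Only the onion network may be used; any other value (including a typo such
    # as "onio") does not restrict zcashd to Tor peers.
    if z.get("onlynet") != ["onion"]:
        findings.append(f"onlynet must be exactly 'onion', found {z.get('onlynet')}")

    # Peer connections must go through Tor's SOCKS port (9050 unless torrc sets SocksPort).
    socks_port = port_of(t.get("SocksPort", ["9050"])[0].split()[0])
    proxy = z.get("proxy", [""])[0]
    if not proxy:
        findings.append("proxy= is missing; peers would be reached directly")
    elif port_of(proxy) != socks_port:
        findings.append(f"proxy port {port_of(proxy)} does not match Tor SocksPort {socks_port}")

    if z.get("dnsseed") != ["0"]:
        findings.append("dnsseed=0 is missing; the node would query DNS seeds instead of addnode peers")

    # torcontrol= must name a ControlPort torrc actually opens, and torpassword=
    # only authenticates against a HashedControlPassword.
    if "torcontrol" in z:
        control_ports = [port_of(v.split()[0]) for v in t.get("ControlPort", []) if v.split()]
        if port_of(z["torcontrol"][0]) not in control_ports:
            findings.append(f"torcontrol port {port_of(z['torcontrol'][0])} is not a torrc ControlPort {control_ports}")
        if "torpassword" in z and "HashedControlPassword" not in t:
            findings.append("torpassword is set but torrc has no HashedControlPassword")

    # Only checked when listen=1 is set explicitly, as in the thread's config: a
    # reachable node must advertise its onion service and torrc must forward the P2P port.
    if z.get("listen", ["0"])[0] == "1":
        ext = z.get("externalip", [""])[0]
        if not ext.endswith(".onion"):
            findings.append(f"listen=1 but externalip {ext!r} is not an onion address")
        forwarded = [v.split()[0] for v in t.get("HiddenServicePort", []) if v.split()]
        if MAINNET_P2P_PORT not in forwarded:
            findings.append(f"torrc has no HiddenServicePort {MAINNET_P2P_PORT} entry")
    return findings


# Constructed samples mirroring the files posted in the thread (placeholders for secrets).
ZCASH_CONF = """\
addnode=zcmaintvsivr7pcn.onion
rpcuser=username
rpcpassword=REPLACE_ME
torcontrol=127.0.0.1:9051
torpassword=REPLACE_ME
proxy=127.0.0.1:9050
dnsseed=0
externalip=exampleonionplaceholder.onion
listen=1
onlynet=onion
"""

TORRC = """\
User tor
PIDFile /var/run/tor/tor.pid
Log notice syslog
DataDirectory /var/lib/tor/data
ControlPort 9051
HashedControlPassword 16:PLACEHOLDER_HASH
HiddenServiceDir /var/lib/tor/zcash-service/
HiddenServicePort 8233 127.0.0.1:8233
HiddenServicePort 18233 127.0.0.1:18233
LongLivedPorts 9033
"""

if __name__ == "__main__":
    print("thread config:", audit_conf(ZCASH_CONF, TORRC))
    print("with typo:", audit_conf(ZCASH_CONF.replace("onlynet=onion", "onlynet=onio"), TORRC))
```

To use it on real files, pass `open("~/.zcash/zcash.conf").read()` and `open("/etc/tor/torrc").read()` (paths as in the thread) to `audit_conf`; each finding names the key to fix.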

@durbanpoison
Collaborator Author

Sorry I misled you a bit on the matter of wget. Actually it is not so simple as just exporting http_proxy to point to Tor, as Tor uses SOCKS, and wget uses an http proxy. There are ways to add another layer over Tor SOCKS to translate it to an http proxy (like https://www.codevoila.com/post/16/convert-socks-proxy-to-http-proxy-using-polipo), but it seems to be overkill. But you can use curl instead, which supports SOCKS :)

It's ok. It led me down an interesting learning path. I ended up using Privoxy to achieve more or less the same thing. I'll think about your suggestion to use curl and consider whether that would be a simpler yet equally secure/private approach. You can see the changes I made here:

https://github.com/durbanpoison/zcash-tor/blob/master/README.md#install-and-run-zcash

@durbanpoison
Collaborator Author

(Waiting on a blockchain sync then I will pay out the bounty.)

@durbanpoison
Collaborator Author

@l0sec bounty sent

@l0sec

l0sec commented May 23, 2018

bounty received :)
Thanks and good luck !
