
Implement support for Tor Hidden Services and outbound connection establishment #186

Closed
4 tasks
Roasbeef opened this issue Apr 14, 2017 · 10 comments
Labels
beginner Issues suitable for new developers crypto Related to the cryptography underlying LND discovery Peer and route discovery / whisper protocol related issues/PRs enhancement Improvements to existing features / behaviour p2p Code related to the peer-to-peer behaviour privacy General label for issues/PRs related to the privacy implications of using the software

Comments

@Roasbeef
Member

Currently, lnd isn't able to connect to other peers over Tor, nor able to set up a hidden service and use that address as its publicly accessible address. As not all users will want to, or be able to, advertise a publicly routed IP address, support for Tor hidden services should be integrated into the daemon. In addition to solving a slew of NAT issues, Tor hidden services also hide the location of the advertising lnd node, and make the system much more private when in use.

The Tor control port should be used to detect a local Tor daemon, and automatically set up a hidden service which lnd will use as its sole listening interface (if specified by a command line option). These two libraries may be of interest (or we implement our own interface to the Tor control port):

Steps To Completion

  • Add support for automatically setting up a hidden service over the Tor control port if a Tor daemon is detected locally.
  • Add support for connecting to advertised onion addresses on the network via a SOCKS5 proxy. Care must be taken to ensure that we don't leak any IP information or somehow incorrectly attempt to resolve DNS over clear net.
  • Add a new address type to the NodeAnnouncement p2p message. Both the current generation onion addresses, and the next generation (prop224 whenever they figure out what the encoding is) should be added.
  • A special mode should be added to lnd which ensures that it only connects to other peers over Tor and solely listens on a created hidden service address.
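The second and fourth steps above both hinge on one wire-level detail: the peer's name has to reach Tor's SOCKS port unresolved, as a SOCKS5 DOMAINNAME, because a .onion name cannot be resolved by the operating system at all and a clearnet name resolved locally would leak the lookup. The following Go code is an added illustration, not lnd's own implementation: a minimal SOCKS5 CONNECT client that always sends the hostname through, paired with an in-process stand-in for the proxy that records what it received and rejects an IP-typed request. The sample .onion name, the port numbers and the stand-in are constructed for the example; the default SOCKS address 127.0.0.1:9050 is Tor's documented default.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
	"strings"
)

// readN reads exactly n bytes from c.
func readN(c net.Conn, n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(c, b)
	return b, err
}

// socks5Connect runs a SOCKS5 CONNECT (RFC 1928, "no authentication") over an
// open connection to the proxy. The destination is sent as a DOMAINNAME (ATYP
// 0x03) so the proxy resolves it, never this process: a .onion name can only
// work that way, and for any other name it keeps DNS lookups off the clearnet.
func socks5Connect(proxy net.Conn, host string, port uint16) error {
	if host == "" || len(host) > 255 {
		return errors.New("hostname must be 1-255 bytes for SOCKS5")
	}
	// Greeting: version 5, one method offered, 0x00 = no authentication.
	if _, err := proxy.Write([]byte{0x05, 0x01, 0x00}); err != nil {
		return err
	}
	if choice, err := readN(proxy, 2); err != nil || choice[1] != 0x00 {
		return fmt.Errorf("no-auth method not accepted: %v %v", choice, err)
	}
	// Request: VER CMD=CONNECT RSV ATYP=DOMAINNAME LEN HOST PORT (big-endian).
	req := append([]byte{0x05, 0x01, 0x00, 0x03, byte(len(host))}, host...)
	if _, err := proxy.Write(append(req, byte(port>>8), byte(port))); err != nil {
		return err
	}
	// Reply: VER REP RSV ATYP BND.ADDR BND.PORT; REP 0x00 is success.
	hdr, err := readN(proxy, 4)
	if err != nil || hdr[1] != 0x00 {
		return fmt.Errorf("SOCKS5 CONNECT not accepted: %v (reply code %#x)", err, hdr[1])
	}
	// Drain BND.ADDR (4, 16 or length-prefixed bytes) and the 2-byte BND.PORT.
	bndLen := map[byte]int{0x01: 4, 0x04: 16}[hdr[3]]
	if hdr[3] == 0x03 {
		l, err := readN(proxy, 1)
		if err != nil {
			return err
		}
		bndLen = int(l[0])
	} else if bndLen == 0 {
		return fmt.Errorf("unknown ATYP %#x in reply", hdr[3])
	}
	_, err = readN(proxy, bndLen+2)
	return err
}

// fakeSocks5 stands in for Tor's SOCKS port (127.0.0.1:9050 by default): it
// answers one CONNECT on c and reports the literal host:port the client sent.
// It resolves nothing and connects nowhere, which is what the check relies on.
func fakeSocks5(c net.Conn) (string, error) {
	defer c.Close()
	if _, err := readN(c, 3); err != nil { // client greeting
		return "", err
	}
	if _, err := c.Write([]byte{0x05, 0x00}); err != nil {
		return "", err
	}
	hdr, err := readN(c, 5) // VER CMD RSV ATYP LEN
	if err != nil || hdr[3] != 0x03 {
		return "", fmt.Errorf("client did not send a DOMAINNAME (resolved locally?): %v", err)
	}
	n := int(hdr[4])
	rest, err := readN(c, n+2)
	if err != nil {
		return "", err
	}
	dst := fmt.Sprintf("%s:%d", rest[:n], int(rest[n])<<8|int(rest[n+1]))
	_, err = c.Write([]byte{0x05, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0}) // success, 0.0.0.0:0
	return dst, err
}

// runHandshake connects the client to the fake proxy over an in-memory pipe and
// returns the destination the proxy saw.
func runHandshake(host string, port uint16) (string, error) {
	client, server := net.Pipe()
	defer client.Close()
	dsts, errs := make(chan string, 1), make(chan error, 1)
	go func() {
		d, e := fakeSocks5(server)
		dsts <- d
		errs <- e
	}()
	if err := socks5Connect(client, host, port); err != nil {
		return "", err
	}
	return <-dsts, <-errs
}

var sampleOnion = "lndexample" + strings.Repeat("a", 46) + ".onion" // constructed, v3-shaped, not a real node

func main() {
	fmt.Println(runHandshake(sampleOnion, 9735))
}
```

The stand-in is what makes the leak property testable: if any code path resolved the name before dialing, the request would arrive with ATYP 0x01/0x04 and be rejected. The same client talks to a real Tor SOCKS port unchanged, since Tor accepts the no-auth method and DOMAINNAME requests.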
@Roasbeef Roasbeef added beginner Issues suitable for new developers crypto Related to the cryptography underlying LND discovery Peer and route discovery / whisper protocol related issues/PRs enhancement Improvements to existing features / behaviour p2p Code related to the peer-to-peer behaviour privacy General label for issues/PRs related to the privacy implications of using the software labels Apr 14, 2017
@andrewshvv
Contributor

Hey @lostinblue! Great to see that someone is willing to contribute to the project. Here is some additional information which might be helpful for you.

@andrewshvv
Contributor

Oops 😁

@Roasbeef
Member Author

@lostinblue sounds like a plan, very excited to see this implemented! The networking/connection handling of lnd is similar to btcd which has already implemented this feature. As a result, you may want to take a look at their implementation (doesn't have auto hidden service though), as an initial point of reference.

@Crypt-iQ
Collaborator

Crypt-iQ commented Aug 27, 2017

I would like to work on this.
I am not sure if @lostinblue is still working on this or not.

I think lnd should implement its own interface to Tor's control port. The first library does not have enough functionality and the second has too much for what lnd needs to do. Also the first library is a bit out of date. Plus implementing a new interface to Tor's control port isn't a huge undertaking.

@Crypt-iQ
Collaborator

Crypt-iQ commented Aug 28, 2017

I've looked for a couple of hours, and though Tor now uses Ed25519, it does not yet use it for hidden services. No sources online that I could find indicated that it was possible or showed how to generate a hidden service with an Ed25519 secret key. I used the ControlPort's "ADD_ONION NEW:privkey Port=port" command with an Ed25519 key and received a 513 Invalid Key error. I also tried creating a hidden service via HiddenServiceDir & HiddenServicePort flags in my .torrc but to no avail. I also looked in Tor's documentation about the config file (https://www.torproject.org/docs/tor-manual.html.en) and found nothing about the next-gen hidden services. However, Ed25519 is mentioned quite a bit.

EDIT: If I am wrong, please tell me but I do not think Ed25519 is implemented yet for hidden services.

@Crypt-iQ
Collaborator

I have several questions:

  1. When creating the HS, do we need to store the private key? This would allow the same HS to be re-run at a later time. I know Bitcoin Core does this (https://github.com/bitcoin/bitcoin/blob/master/src/torcontrol.cpp#L507).
  2. What sorts of authentication to Tor's ControlPort should be supported? Cookie authentication AND Password authentication?
  3. Where would this code fit into the lnd codebase? Say we have a HS, will custom code need to be written that handles the connections to the HS and reads the wire protocol? Or is this code essentially already written and we can simply "plug it in"?
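On the control-port side of these questions, the following Go code is an added example (not lnd's or Tor's code) of the message shapes a small home-grown control-port interface has to produce and consume: AUTHENTICATE built from the cookie file that PROTOCOLINFO names (password auth is the same verb with the secret as a quoted string), an ADD_ONION request with either a NEW:ED25519-V3 key spec or a previously saved ED25519-V3 key blob, and a reply reader that hands back the ServiceID and PrivateKey lines to persist, or an error whenever Tor answers with a non-250 status such as the 513 reported earlier in this thread. The replies it parses are constructed samples, not output captured from a Tor daemon, and the service ID and key blob are placeholders.

```go
package main

import (
	"bufio"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// reply is one control-port response: its status and each line's payload with
// the "250-" / "250 " prefix stripped.
type reply struct {
	status int
	lines  []string
}

// readReply reads one response. Every line starts with a three-digit status;
// '-' continues the reply and ' ' ends it. '+' data blocks (not used by the
// commands below) are rejected rather than mis-parsed.
func readReply(r *bufio.Reader) (*reply, error) {
	out := &reply{}
	for {
		line, err := r.ReadString('\n')
		if err != nil {
			return nil, err
		}
		line = strings.TrimRight(line, "\r\n")
		if len(line) < 4 || (line[3] != '-' && line[3] != ' ') {
			return nil, fmt.Errorf("unsupported control line %q", line)
		}
		if out.status, err = strconv.Atoi(line[:3]); err != nil {
			return nil, fmt.Errorf("bad status in %q", line)
		}
		out.lines = append(out.lines, line[4:])
		if line[3] == ' ' {
			return out, nil
		}
	}
}

// parseReply is readReply over an in-memory string (used by main and the test).
func parseReply(raw string) (*reply, error) {
	return readReply(bufio.NewReader(strings.NewReader(raw)))
}

// cookieAuthCommand builds AUTHENTICATE from the 32-byte cookie Tor writes to
// the file named by PROTOCOLINFO's COOKIEFILE; it travels hex-encoded. Password
// auth is the same verb with the secret as a quoted string instead.
func cookieAuthCommand(cookie []byte) (string, error) {
	if len(cookie) != 32 {
		return "", fmt.Errorf("auth cookie must be 32 bytes, got %d", len(cookie))
	}
	return "AUTHENTICATE " + hex.EncodeToString(cookie) + "\r\n", nil
}

// addOnionCommand creates a v3 service. keySpec is "NEW:ED25519-V3" for a fresh
// key, or "ED25519-V3:<blob>" to bring back a service from a saved PrivateKey line.
func addOnionCommand(keySpec string, virtPort, targetPort uint16) string {
	return fmt.Sprintf("ADD_ONION %s Port=%d,127.0.0.1:%d\r\n", keySpec, virtPort, targetPort)
}

type onionService struct{ serviceID, privateKey string }

// parseAddOnion returns the hostname and the key to persist (store it 0600 so
// the same .onion comes back on restart). A non-250 status, such as the 513 Tor
// sends for a key it does not accept, becomes an error, never an empty service.
func parseAddOnion(rep *reply) (*onionService, error) {
	if rep.status != 250 {
		return nil, fmt.Errorf("ADD_ONION failed: %d %s", rep.status, strings.Join(rep.lines, "; "))
	}
	svc := &onionService{}
	for _, l := range rep.lines {
		if strings.HasPrefix(l, "ServiceID=") {
			svc.serviceID = strings.TrimPrefix(l, "ServiceID=")
		} else if strings.HasPrefix(l, "PrivateKey=") {
			svc.privateKey = strings.TrimPrefix(l, "PrivateKey=")
		}
	}
	if svc.serviceID == "" {
		return nil, errors.New("ADD_ONION reply has no ServiceID")
	}
	return svc, nil
}

// Constructed sample replies, not captured from a real Tor daemon: a success
// and the kind of rejection reported in the thread above.
var exampleServiceID = "lndexample" + strings.Repeat("a", 46) // 56 chars, v3-shaped placeholder
var sampleAddOnionOK = "250-ServiceID=" + exampleServiceID + "\r\n" +
	"250-PrivateKey=ED25519-V3:EXAMPLEKEYBLOB\r\n250 OK\r\n"

const sampleAddOnionErr = "513 Invalid key type\r\n"

func main() {
	rep, _ := parseReply(sampleAddOnionOK)
	svc, err := parseAddOnion(rep)
	fmt.Println(addOnionCommand("NEW:ED25519-V3", 9735, 9735), svc, err)
}
```

Two points answer the first two questions directly: the PrivateKey line of a successful reply is the only thing needed to re-run the same service later (pass it back as the ED25519-V3:<blob> key spec), and because the reply reader keys everything off the status code, a rejected key or a failed authentication surfaces as an error on the first call rather than as a half-configured listener.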

@Crypt-iQ
Collaborator

Since v3 addresses were released, I'll resume my work on this. Should also make it so that people don't need to port forward anymore when running lightning-app.
