Make Knots reachable over Tor on Windows, Mac, and Linux

Below are instructions (for various popular operating systems) for installing Tor and configuring Bitcoin Knots to be a “reachable” node. Confirm by looking up your node’s new .onion address on BitNodes.io. Click “Details” to expand the relevant section.


Windows (11)

#1. Launch PowerShell as Administrator, and enable scripts:

Set-ExecutionPolicy Bypass -Scope Process -Force

#2. Install Choco:

iwr https://community.chocolatey.org/install.ps1 -UseBasicParsing | iex

(shut down PowerShell, and re-launch again as Administrator)

#3. Install Tor Expert Bundle:

choco install tor -y

#4. Create the Tor service:

$torExe  = 'C:\ProgramData\chocolatey\lib\tor\tools\tor\tor.exe'
$torBase = 'C:\ProgramData\tor'
$torrc   = "$torBase\torrc"
New-Item -Force -ItemType Directory "$torBase\data" | Out-Null
Set-Content -Encoding ASCII $torrc @"
DataDirectory $torBase\data
ControlPort   9051
CookieAuthentication 1
CookieAuthFileGroupReadable 1
"@
icacls $torBase /grant "NT AUTHORITY\LOCAL SERVICE:(OI)(CI)F" /T
& $torExe --service install --options -f $torrc
sc.exe config tor start= auto
sleep 20
$cookie = 'C:\ProgramData\tor\data\control_auth_cookie'
icacls $cookie /grant "$($env:USERNAME):(R)"

#5. Enable RPC Server:
From Bitcoin Knots, open Settings > Options
Check “Enable RPC server”, and click OK

#6. Configure Bitcoin Knots:
From Bitcoin Knots, open Settings > Options > Open Configuration File > Continue
Paste in:

torcontrol=127.0.0.1:9051
proxy=127.0.0.1:9050
listen=1
listenonion=1

(save)

#7. Shut down Knots and re-start it. Then grab your node’s new .onion address:
From Bitcoin Knots, open Window > Console and enter:

getnetworkinfo

And look under “localaddresses” for the .onion address


MacOS (Sequoia)

#1. Install Tor via Homebrew

brew install tor
brew services start tor

#2. Permit control-port access

sudo tee -a "$(brew --prefix)/etc/tor/torrc" >/dev/null <<'EOF'
ControlPort 9051
CookieAuthentication 1
CookieAuthFileGroupReadable 1
EOF
brew services restart tor

#3. Enable RPC Server:
From Bitcoin Knots, open Settings > Options
Check “Enable RPC server”, and click OK

#4. Configure Bitcoin Knots
From Bitcoin Knots, open Settings > Options > Open Configuration File > Continue
Paste in:

proxy=127.0.0.1:9050
listen=1
listenonion=1

(save)

#5. Shut down Knots and re-start it. Then grab your node’s new .onion address:
From Bitcoin Knots, open Window > Console and enter:

getnetworkinfo

And look under “localaddresses” for the .onion address


Linux (Debian / Ubuntu / Linux Mint / Pop!_OS / RaspOS)

#1. Install & start Tor:

sudo apt update && sudo apt install tor -y
sudo systemctl enable --now tor

#2. Expose Tor’s control port (and make the cookie readable):

sudo tee -a /etc/tor/torrc >/dev/null <<'EOF'
ControlPort 9051
CookieAuthentication 1
CookieAuthFileGroupReadable 1
EOF
sudo systemctl restart tor

#3. Give your login user access to the cookie, then log out/in once

sudo usermod -aG debian-tor $USER

(log out and back in to apply the change)

#4. Enable RPC Server:
From Bitcoin Knots, open Settings > Options
Check “Enable RPC server”, and click OK

#5. Tell Bitcoin Knots to use Tor:
From Bitcoin Knots, open Settings > Options > Open Configuration File > Continue
Paste in:

proxy=127.0.0.1:9050
listen=1
listenonion=1

(save)

#6. Shut down Knots and re-start it. Then grab your node’s new .onion address:

bitcoin-cli getnetworkinfo | grep ".onion"


Linux (Arch / Manjaro / EndeavourOS / Garuda)

#1. Install & start Tor:

sudo pacman -Syu tor
sudo systemctl enable --now tor.service

#2. Expose Tor’s control port (and make the cookie readable):

sudo tee -a /etc/tor/torrc >/dev/null <<'EOF'
ControlPort 9051
CookieAuthentication 1
CookieAuthFileGroupReadable 1
EOF
sudo systemctl restart tor.service

#3. Give your login user access to the cookie, then log out/in once

sudo usermod -aG tor $USER

(log out and back in to apply the change)

#4. Enable RPC Server:
From Bitcoin Knots, open Settings > Options
Check “Enable RPC server”, and click OK

#5. Tell Bitcoin Knots to use Tor:
From Bitcoin Knots, open Settings > Options > Open Configuration File > Continue
Paste in:

proxy=127.0.0.1:9050
listen=1
listenonion=1

(save)

#6. Shut down Knots and re-start it. Then grab your node’s new .onion address:

bitcoin-cli getnetworkinfo | grep ".onion"


Linux (RHEL / CentOS / Rocky / Alma)

#1. Install & start Tor:

# Enable EPEL (RHEL/CentOS/Rocky/Alma)
sudo dnf install -y epel-release

# Add Tor Project’s repo
sudo tee /etc/yum.repos.d/tor.repo >/dev/null <<'EOF'
[tor]
name=Tor for Enterprise Linux $releasever - $basearch
baseurl=https://rpm.torproject.org/centos/$releasever/$basearch
enabled=1
gpgcheck=1
gpgkey=https://rpm.torproject.org/centos/public_gpg.key
cost=100
EOF

# Install and start Tor
sudo dnf install -y tor
sudo systemctl enable --now tor.service

#2. Expose Tor’s control port (and make the cookie readable):

sudo tee -a /etc/tor/torrc >/dev/null <<'EOF'
ControlPort 9051
CookieAuthentication 1
CookieAuthFileGroupReadable 1
EOF
sudo systemctl restart tor.service

#3. Give your login user access to the cookie, then log out/in once

sudo usermod -aG toranon "$USER"

(log out and back in to apply the change)

#4. Enable RPC Server:
From Bitcoin Knots, open Settings > Options
Check “Enable RPC server”, and click OK

#5. Tell Bitcoin Knots to use Tor:
From Bitcoin Knots, open Settings > Options > Open Configuration File > Continue
Paste in:

proxy=127.0.0.1:9050
listen=1
listenonion=1

(save)

#6. Shut down Knots and re-start it. Then grab your node’s new .onion address:

bitcoin-cli getnetworkinfo | grep ".onion"


I have been trying to follow your guide and set up Knots on Ubuntu. I had a working install of Knots, but when I went to #4 (Enable RPC Server), my node hangs on exit and I have to reboot to recover. This happens every time now. What should I do?

That is strange. You don’t actually need to enable the RPC server (it is only needed for step 6 to use bitcoin-cli). Instead, you can get your .onion address a different way. After skipping step 4 and completing step 5:

Shut down Bitcoin Knots and restart it, then open Window > Console and enter:

getnetworkinfo

And look under “localaddresses” for the .onion address

Dear Paul!
Love your videos and topics here!
Anyway… I have sort of a noob question…
If I don’t want to run my node over Tor, how do I go back from that? Is it just to remove everything in the bitcoin.conf file except “server=1”, or do I have to do more?
Do I have to do any changes in Sparrow?
I run Ubuntu
Is privacy the only difference running over Tor or are there other benefits?

Thanks

Yes, reverting the bitcoin.conf changes is sufficient to stop Knots from being reachable on Tor. There shouldn’t be any changes to Sparrow, although I didn’t cover Sparrow in my videos, so it depends on how you connected it. Since you posted this on the Windows/Mac/Linux thread, I assume you are just connecting Sparrow to bitcoin-qt on the same computer via localhost. Tor would not be a factor in that setup.

Thanks!
Yeah I thought that would be sufficient too, but it still says I am connected through Tor when I search for it at bitnodes.io… Will it take some time to update? I did a reboot of the computer after changing the config file…

Hmm, I hadn’t really checked on caching, I suppose that is possible. With the listenonion and proxy configurations gone, it should not be reachable anymore.

I suppose you could always uninstall Tor if you aren’t using it for anything else:

sudo apt-get remove --purge tor

Then reboot again.

Well, I uninstalled Tor and that certainly made a difference… Now it is not reachable when I’m searching the IP (both IPv4/6).. But I believe it is still running OK though.. Again, sorry for the newbie questions.. I’m in the learning stage of node-running…

I have already installed Tor Browser but by downloading the files, not with “apt install tor”
Does this matter?

Also, if don’t want to run tor always on boot in the background, and only when I need it, what should one do?

There’s also an option called onlynet=onion to only use onion peers, this way your IP wouldn’t leak if you don’t always run tor in the background and forget to start tor before opening Bitcoin Knots (or it closes during using Bitcoin Knots, I’m not sure if Knots would fall back to clearnet connections if this happened).

In addition, this guy uses apt-transport whatever this is:

I think you need the tor service to support Tor peers, but I could be wrong about that. You would need to do some research on how to create hidden services (the .onion address for peers to connect to) from Tor Browser if it is supported.

If you use the service as I outlined here in this thread, then you can simply type “sudo systemctl disable tor” to prevent it from running automatically.

Then run “sudo systemctl start tor” when you want to run it, and “sudo systemctl stop tor” when you are done with it. You could create two executable scripts (one for start, one for stop) to double-click on if you want to avoid typing in the terminal every time.

Yeah I think what i have installed is not Tor but Tor Browser, and looks like I could just follow that tutorial on the video, it shouldn’t overwrite Tor Browser.

Tor is not installed because when I tried “tor --version” the terminal said command not found, so it’s not gonna work unless I install it.

sudo usermod -aG debian-tor $USER

Does this create a debian-tor group? if I run “groups” I have no debian-tor group.

Which distro are you running?

Debian. I have installed it following the instructions in here instead as recommended by Tor. As of right now, Debian repository is installing a previous version, so this works better to get the latest one.

Anyway, I got tor working, and checking in htop, if you look for tor-service, it shows it’s being run by user “debian-tor”. Interesting since in the GUI (gnome-system-monitor) it shows as the regular user, so htop is showing something there, perhaps some Linux magic thing where it runs tor in an isolated user… but it’s on the “user” column. I don’t see a way to have a “groups” column in htop, in any case, if you run “groups debian-tor” you get “debian tor : debian tor”, this means Tor installs some sort of user and group of special type to run tor isolated like that I guess. So this is why

sudo usermod -aG debian-tor $USER

works even tho one does not create a debian-tor group during these steps. Im assuming adding yourself to that group is safe. That is what they say on the bitcoin core docs:

Once you have determined the ${TORGROUP} and selected the ${USER} that will run bitcoind, run this as root:

usermod -a -G ${TORGROUP} ${USER}

https://github.com/bitcoin/bitcoin/blob/master/doc/tor.md

Ok, I haven’t dug into it too much. I just know the group is different on different distros (debian-tor being the one for Debian, Raspbian, Ubuntu, Mint, etc). On Mint I do see the group “debian-tor” when I type “groups” from my user. Note that group additions do not apply to the current session (requires logging out then back in after changing group memberships).

Something worth noting as well is that your tutorial and the video tutorial do not use this line which is used in Bitcoin Core documentation when editing the torrc file:

ControlPort 9051
CookieAuthentication 1
CookieAuthFileGroupReadable 1
DataDirectoryGroupReadable 1

Not sure about that.

Interesting. I’ve never used that one myself. It seems like it gives a little more permissive access to the internal data of tor (as opposed to restricting the group to just reading the cookie). I don’t think it is needed by Core or Knots (they just need the ControlPort exposed and read access to the cookie for authentication).
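
The two requirements named above (a reachable ControlPort and read access to the cookie) can be tested directly as the user that runs Knots. The following is an added example, not part of the original thread and not code from Tor, Core or Knots: a small Python probe that speaks the Tor control protocol's PROTOCOLINFO and AUTHENTICATE commands. The function names are illustrative, and 127.0.0.1:9051 is taken from the torrc lines in this thread.

```python
import re
import socket

def parse_protocolinfo(reply):
    """Return (auth_methods, cookie_path) from a PROTOCOLINFO reply."""
    m = re.search(r'^250-AUTH METHODS=(\S+)(?: COOKIEFILE="((?:[^"\\]|\\.)*)")?',
                  reply, re.M)
    if not m:
        raise ValueError("no AUTH line: is this really a Tor control port?")
    path = m.group(2)
    if path is not None:
        # The path is a quoted string with backslash escapes (e.g. a Windows path).
        path = re.sub(r"\\(.)", r"\1", path)
    return m.group(1).split(","), path

def read_reply(f):
    """Read one reply; its last line has a space after the 3-digit code."""
    lines = []
    while True:
        line = f.readline().decode("ascii", "replace").rstrip("\r\n")
        if not line:
            raise ConnectionError("control connection closed")
        lines.append(line)
        if line[3:4] == " ":
            return lines

def probe(host="127.0.0.1", port=9051):
    """Return (ok, detail) for cookie authentication as the current user."""
    try:
        sock = socket.create_connection((host, port), timeout=5)
    except OSError as e:
        return False, f"control port unreachable ({e}): check ControlPort in torrc"
    with sock, sock.makefile("rwb") as f:
        f.write(b"PROTOCOLINFO 1\r\n")
        f.flush()
        methods, path = parse_protocolinfo("\n".join(read_reply(f)))
        if "COOKIE" not in methods or path is None:
            return False, f"cookie auth not offered (methods: {methods})"
        try:
            with open(path, "rb") as c:
                cookie = c.read()
        except OSError as e:  # typically: user not in the Tor group yet
            return False, f"cannot read {path}: {e.strerror}"
        f.write(b"AUTHENTICATE " + cookie.hex().encode() + b"\r\n")
        f.flush()
        status = read_reply(f)[-1]
        return status.startswith("250"), status

if __name__ == "__main__":
    print(probe())
```

A result of `(True, '250 OK')` means the current user can do what Knots needs; a "cannot read" result points at group membership or CookieAuthFileGroupReadable rather than at Knots.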

I got it working but I noticed that if I use rpcbind=127.0.0.1 then the cookie is not created and bitcoin-cli doesn’t work with Tor, I have to use bind=127.0.0.1 instead. Do you know what is this? It’s supposed to work like that?

My idea now is that when I want to use regular internet I will be using these on bitcoin.conf:

server=1
rcpbind=127.0.0.1

Nothing else on bitcoin.conf

And when I want Tor, I uncomment this and comment the 2 above:

onlynet=onion
listen=1
listenonion=1
proxy=127.0.0.1:9050
server=1
bind=127.0.0.1

Im just not sure about rpcbind and bind but like I said, if I use rpcbind, it works with normal internet but not Tor

Another question I have is that I don’t get the onion_v3_private_key file that you can see on the video tutorial. What is going on with that?

Also, running getnodeaddress gives a regular IP address:

[
  {
    "time": some number here,
    "services": some number here,
    "address": "some clearnet ip address here",
    "port": 8333,
    "network": "ipv4"
  }
]

Shouldn’t the node have an onion address?

Results for getnetworkinfo:

{
  "version": 290100,
  "subversion": "/Satoshi:29.1.0/Knots:20250903/",
  "protocolversion": 70016,
  "localservices": "some number here with a c and 2 numbers",
  "localservicesnames": [
    "NETWORK",
    "WITNESS",
    "NETWORK_LIMITED",
    "P2P_V2",
    "REPLACE_BY_FEE?"
  ],
  "localrelay": true,
  "timeoffset": 0,
  "networkactive": true,
  "connections": 0,
  "connections_in": 0,
  "connections_out": 0,
  "networks": [
    {
      "name": "ipv4",
      "limited": true,
      "reachable": false,
      "proxy": "127.0.0.1:9050",
      "proxy_randomize_credentials": true
    },
    {
      "name": "ipv6",
      "limited": true,
      "reachable": false,
      "proxy": "127.0.0.1:9050",
      "proxy_randomize_credentials": true
    },
    {
      "name": "onion",
      "limited": false,
      "reachable": true,
      "proxy": "127.0.0.1:9050",
      "proxy_randomize_credentials": true
    },
    {
      "name": "i2p",
      "limited": true,
      "reachable": false,
      "proxy": "",
      "proxy_randomize_credentials": false
    },
    {
      "name": "cjdns",
      "limited": true,
      "reachable": false,
      "proxy": "127.0.0.1:9050",
      "proxy_randomize_credentials": true
    }
  ],
  "relayfee": 0.00001000,
  "incrementalfee": 0.00001000,
  "localaddresses": [
  ],
  "warnings": [
  ]
}

As far as I can see, everything except “onion” is enabled, and all my peers are onion addresses.
What I don’t understand is, why I don’t get that key on my folder and what are the implications?

And why do I have to use bind=127.0.0.1 instead of rcpbind=127.0.0.1 when running Tor for bitcoin-cli to work? (because if I use rcpbind= instead of bind= when launching with Tor I get no cookie file)

Btw, testnet gives an error if I use bind=

“Error: Config setting for -bind only applied on test network when in [test] section”

So I cannot use Tor with RPC commands on testnet.

Edit: This last thing was solved by adding bind= below [test] which is required for some reason.
Edit2: Okay so I just opened bitcoin-qt in testnet and now it’s having the onion_v3_private_key in there and getnetworkaddress gives on “localaddresses”

address: “a .onion address”
port: 18333
score: 4

I have tried in the main chain and it’s also working and created that onion_v3_private_key file and I get the onion address on the localaddresses.

So looks like Tor is fully working properly now. Still curious as to why you have to use bind= and not rpcbind= for the RPC commands to work with bitcoin-cli.

Also what do you think of using discover=0 or 1? I asked ChatGPT but again I’m not sure if it’s yapping or this is legit:

discover=1 (the default) enables local network peer discovery. Specifically:

Bitcoin Core will query your machine's network interfaces to learn local IP addresses.
It announces those addresses to peers (via peer-to-peer messages) so other nodes can attempt inbound connections to your node.
It helps populate the node's address manager (addr) with reachable local addresses for NAT traversal and peer selection.

If you set discover=0, Core will not auto-detect or advertise your machine’s local IPs — useful when you are behind Tor, NAT, or want to avoid leaking local network addresses.

Most likely reason for no .onion address is Knots not properly reaching or authenticating with the Tor control port. You’ve probably done most of this already, but if I were troubleshooting the issue, I would follow the below process:

Shut down Knots, and then in terminal, type “groups”. Make sure you see “debian-tor” listed. If not, run this:

sudo usermod -aG debian-tor $USER

And then log out and back in (or reboot). Check again in terminal if “groups” now shows “debian-tor”.

Next, double check /etc/tor/torrc contains these lines, and that there are no duplicates on there:

ControlPort 9051
CookieAuthentication 1
CookieAuthFileGroupReadable 1

Then restart Tor (or reboot):

sudo systemctl restart tor

Then check the status of the tor service:

sudo systemctl status tor

If it is running fine, then start Knots (bitcoin-qt). Make sure you see the capital letter “P” in the window footer indicating the proxy is connected. If so, see if the .onion address is returned:

bitcoin-cli getnetworkinfo | grep ".onion"
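
The final check above, and the last step of each guide section, greps for ".onion". The following added example (not part of the original thread; the function name and findings wording are illustrative) reads the whole getnetworkinfo result instead, which separates "outbound peers go through the Tor proxy" from "an inbound onion service was actually created" and flags clearnet exposure. The sample input is constructed, trimmed from the output posted earlier in this thread.

```python
import json
import sys

# Constructed sample, trimmed from the getnetworkinfo output posted in the thread:
# onion peers work through the proxy, yet no .onion address is advertised.
SAMPLE = json.loads("""
{"networks": [
  {"name": "ipv4",  "limited": true,  "reachable": false, "proxy": "127.0.0.1:9050"},
  {"name": "ipv6",  "limited": true,  "reachable": false, "proxy": "127.0.0.1:9050"},
  {"name": "onion", "limited": false, "reachable": true,  "proxy": "127.0.0.1:9050"}],
 "localaddresses": []}
""")

def audit(info):
    """Return (level, message) findings for a parsed getnetworkinfo result."""
    out = []
    nets = {n["name"]: n for n in info.get("networks", [])}
    onion = nets.get("onion", {})
    if onion.get("proxy") and onion.get("reachable"):
        out.append(("OK", f"outbound onion peers via {onion['proxy']}"))
    else:
        out.append(("FAIL", "onion network has no proxy or is unreachable"))
    for name in ("ipv4", "ipv6"):
        net = nets.get(name)
        if net is None or net.get("limited"):
            continue  # network not in use (e.g. onlynet=onion)
        if net.get("proxy"):
            out.append(("INFO", f"{name} peers allowed, routed through {net['proxy']}"))
        else:
            out.append(("FAIL", f"{name} peers allowed with no proxy: direct connections"))
    local = [a["address"] for a in info.get("localaddresses", [])]
    onions = [a for a in local if a.endswith(".onion")]
    if onions:
        out.append(("OK", f"inbound onion service advertised: {onions[0]}"))
    else:
        out.append(("FAIL", "no .onion in localaddresses: onion service not created "
                            "(check torcontrol, cookie access, listen=1, listenonion=1)"))
    for addr in local:
        if not addr.endswith(".onion"):
            out.append(("WARN", f"non-onion address advertised to peers: {addr}"))
    return out

if __name__ == "__main__":
    # Usage: bitcoin-cli getnetworkinfo | python3 audit.py   (no pipe: audits SAMPLE)
    info = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for level, msg in audit(info):
        print(f"{level:5} {msg}")
```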

Yeah, I did edit the post and said how now I’m seeing the onion file, plus I get the onion address on localaddresses, and in the information tab it also says Local Addresses: “onion address here”

So it seems to be working fine. To sum my questions up now would be:

-why do you need bind= and not rpcbind= for RPC to work with Tor
-should you use discover=0 with tor? what does this setting even do?
-any other interesting bitcoin.conf settings to improve privacy etc if they exist

Also, how many incoming connections is it normal to get? Right now I’m In: 1 / Out: 10

And in Peers window, there is an IP that says

127.0.0.1.52706 and Type is blank, not sure about what’s going on with that, plus there’s some kind of weird user agent, what is this? Permissions says: bloomfilter
Network: unroutable