I've been running a Bitcoin Core full node as a Tor hidden service for a while now. It’s hosted on a virtual Linux server with a big provider.
Now I’m looking to set up some watch-only wallets with a local bitcoind on my laptop that will connect to this full node. The idea is to generate unsigned transactions using these wallets and then send previously signed transactions out to the network.
Most importantly, I want to keep my real IP address from being exposed to the Bitcoin network. I’m planning on using VPN software on my laptop too, but I don’t want to just rely on that.
Here’s the configuration I’ve put together:
Do you think this setup is good enough to keep my real IP hidden from the Bitcoin network (even without the VPN), while I use my wallets locally?
Is there a better way to go about achieving my goals?
Using a full node for privacy
11 replies 497 views
Perhaps a better idea might be to run an electrum server next to bitcoind, and then run electrum on your laptop.
gr3g.0rbitHero Member
Posts: 1025 · Reputation: 2646
#3May 16, 2025, 02:37 AM
Although you're exclusively connected to your full node in the virtual Linux server and prevents inbound connections,
that node may still advertise your IP through addr message or when it receive getaddr message from its peers.
But I'm not sure if any of your config makes a difference on how the remote node create the addr message though.
Ref: developer.bitcoin.org/reference/p2p_networking.html#addr
You might as well as configure Bitcoin Core (on your laptop) only using Tor. That way, you can avoid trusting VPN provider you use.
That way, OP also can avoid rescan blockchain if you add address or wallet which already has balance.
I see.
I have placed the full node behind the Tor network. My bitcoin.conf on my full node now:
I have set up Tor on my server accordingly. The bitcoind now only listens locally. It just works.
I would therefore use SSH port forwarding on my laptop for the connect. Something like this
Whereby 28333 is forwarded to 8333 on my full node. That should work, right?
I just wonder if my real IP@home can be leaked via DNS or some other detail. That's why I don't dare to start bitcoind at home yet.
I think I'll use a VPN with kill switch to be on the safe side.
HyperRavenFull Member
Posts: 175 · Reputation: 633
#6May 18, 2025, 03:51 PM
Looks good, but you should still connect to your node through TOR.
If you want to prevent your IPs from being leaked or your activities from being tracked by ISPs or any adversary, you should use Bitcoin Core with Tor on watch-only computer. Using VPNs, proxies or SSH tunneling may not provide sufficient privacy or safeguards against traffic analysis assuming that you want complete privacy. Using it over clearnet also guarantees that your ISP will be able to monitor your every move; connections are not encrypted between Bitcoin nodes.
When using TOR and running on onion network, there is virtually no privacy benefit on connecting to the node on your server besides complicating the whole process. The setup guide for running your node over TOR is here: https://github.com/bitcoin/bitcoin/blob/master/doc/tor.md.
Why not -addnode instead of -connect, if I may ask? You will most likely want to add other nodes to connect to, like Tor onion nodes and such, in the event that your server node becomes inaccessible or goes down for some reason. But you will at least be able to control which nodes you will get inbound and outbound connections to, instead of showing your IP address to the entire network.
PS. dns=0 and dnsseed=0 completely shuts down the DNS system in Core, so your IP won't be leaked though that way.
Since you concerned about that, bad VPN provider or configuration can lead to either IPv4, IPv6 and DNS leaks.
Yeah, stay away from VPNs. Unless you are running your own home-made VPN using OpenVPN or Wireguard, with some of your own servers, which seems overkill to me, you can't really trust any providers to not store and ultimately leak the logs to somebody, whether it be intentionally or through a hack. Especially just using it for Bitcoin Core is overkill, and VPNs and Tor used together comes with a few privacy risks.
I have now started like this for testing. I might switch later.
Thanks for the tip!
HyperRavenFull Member
Posts: 175 · Reputation: 633
#11May 21, 2025, 03:11 PM
Using connect makes sure Bitcoin Core only uses the nodes that you've specified while addnode would preferably try those nodes but will connect to others if they fail. If I'm not mistaken, both would propagate your IP address to others through addr messages. However, addnode would likely not enhance your privacy at all, as compared to not running addnode at all.
Thanks again for your comments.
I have now successfully implemented this. The VPN was very helpful because I was temporarily connected directly to the Bitcoin network due to a configuration error.
However, you don't need a VPN for the finished (very simple) setup.
C L I E N T S I D E
Configuration of the Bitcoin Daemon on my local system:
SSH Config on my local system (replace strings in capital letters with your own values):
The connection is then simply made with
S E R V E R S I D E
Configuration of the Bitcoin Daemon on my server (replace ONION_ADDR with your own value):
/etc/tor/torrc on my server
/etc/tor/torsocks.conf on my server
After you have restarted TOR, you will find your ONION_ADDR under
Related topics
- Issues connecting Bitcoin Full Node 3
- Using Cold Electrum with Core in watch mode 11
- Full RBF insights 6
- Bitcoin Core displaying coins (UTXOs) in a new tab 13
- Are you in favor of BIP-110? Let's get a Bitcoin poll going. 0
- Erlay seems to have some issues here’s a better proposal for a bitcoin protocol without invites 3