Using a full node for privacy

11 replies 497 views
0xMaxiFull Member
Posts: 87 · Reputation: 378
#1May 14, 2025, 03:32 AM
I've been running a Bitcoin Core full node as a Tor hidden service for a while now. It’s hosted on a virtual Linux server with a big provider. Now I’m looking to set up some watch-only wallets with a local bitcoind on my laptop that will connect to this full node. The idea is to generate unsigned transactions using these wallets and then send previously signed transactions out to the network. Most importantly, I want to keep my real IP address from being exposed to the Bitcoin network. I’m planning on using VPN software on my laptop too, but I don’t want to just rely on that. Here’s the configuration I’ve put together: Do you think this setup is good enough to keep my real IP hidden from the Bitcoin network (even without the VPN), while I use my wallets locally? Is there a better way to go about achieving my goals?
5 Reply Quote Share
paul2017Senior Member
Posts: 218 · Reputation: 1426
#2May 14, 2025, 07:26 AM
Perhaps a better idea might be to run an electrum server next to bitcoind, and then run electrum on your laptop.
0 Reply Quote Share
gr3g.0rbitHero Member
Posts: 1025 · Reputation: 2646
#3May 16, 2025, 02:37 AM
Although you're exclusively connected to your full node in the virtual Linux server and prevents inbound connections, that node may still advertise your IP through addr message or when it receive getaddr message from its peers. But I'm not sure if any of your config makes a difference on how the remote node create the addr message though. Ref: developer.bitcoin.org/reference/p2p_networking.html#addr
7 Reply Quote Share
hash_bossLegendary
Posts: 1166 · Reputation: 5261
#4May 16, 2025, 05:09 AM
You might as well as configure Bitcoin Core (on your laptop) only using Tor. That way, you can avoid trusting VPN provider you use. That way, OP also can avoid rescan blockchain if you add address or wallet which already has balance.
2 Reply Quote Share
0xMaxiFull Member
Posts: 87 · Reputation: 378
#5May 18, 2025, 02:06 PM
I see. I have placed the full node behind the Tor network. My bitcoin.conf on my full node now: I have set up Tor on my server accordingly. The bitcoind now only listens locally. It just works.  I would therefore use SSH port forwarding on my laptop for the connect. Something like this Whereby 28333 is forwarded to 8333 on my full node. That should work, right? I just wonder if my real IP@home can be leaked via DNS or some other detail. That's why I don't dare to start bitcoind at home yet. I think I'll use a VPN with kill switch to be on the safe side.
2 Reply Quote Share
HyperRavenFull Member
Posts: 175 · Reputation: 633
#6May 18, 2025, 03:51 PM
Looks good, but you should still connect to your node through TOR. If you want to prevent your IPs from being leaked or your activities from being tracked by ISPs or any adversary, you should use Bitcoin Core with Tor on watch-only computer. Using VPNs, proxies or SSH tunneling may not provide sufficient privacy or safeguards against traffic analysis assuming that you want complete privacy. Using it over clearnet also guarantees that your ISP will be able to monitor your every move; connections are not encrypted between Bitcoin nodes. When using TOR and running on onion network, there is virtually no privacy benefit on connecting to the node on your server besides complicating the whole process. The setup guide for running your node over TOR is here: https://github.com/bitcoin/bitcoin/blob/master/doc/tor.md.
0 Reply Quote Share
LuckyCoinLegendary
Posts: 832 · Reputation: 4795
#7May 21, 2025, 03:20 AM
Why not -addnode instead of -connect, if I may ask? You will most likely want to add other nodes to connect to, like Tor onion nodes and such, in the event that your server node becomes inaccessible or goes down for some reason. But you will at least be able to control which nodes you will get inbound and outbound connections to, instead of showing your IP address to the entire network. PS. dns=0 and dnsseed=0 completely shuts down the DNS system in Core, so your IP won't be leaked though that way.
1 Reply Quote Share
hash_bossLegendary
Posts: 1166 · Reputation: 5261
#8May 21, 2025, 06:26 AM
Since you concerned about that, bad VPN provider or configuration can lead to either IPv4, IPv6 and DNS leaks.
2 Reply Quote Share
LuckyCoinLegendary
Posts: 832 · Reputation: 4795
#9May 21, 2025, 09:25 AM
Yeah, stay away from VPNs. Unless you are running your own home-made VPN using OpenVPN or Wireguard, with some of your own servers, which seems overkill to me, you can't really trust any providers to not store and ultimately leak the logs to somebody, whether it be intentionally or through a hack. Especially just using it for Bitcoin Core is overkill, and VPNs and Tor used together comes with a few privacy risks.
4 Reply Quote Share
0xMaxiFull Member
Posts: 87 · Reputation: 378
#10May 21, 2025, 01:32 PM
I have now started like this for testing. I might switch later. Thanks for the tip!
0 Reply Quote Share
HyperRavenFull Member
Posts: 175 · Reputation: 633
#11May 21, 2025, 03:11 PM
Using connect makes sure Bitcoin Core only uses the nodes that you've specified while addnode would preferably try those nodes but will connect to others if they fail. If I'm not mistaken, both would propagate your IP address to others through addr messages. However, addnode would likely not enhance your privacy at all, as compared to not running addnode at all.
3 Reply Quote Share
0xMaxiFull Member
Posts: 87 · Reputation: 378
#12May 21, 2025, 05:43 PM
Thanks again for your comments. I have now successfully implemented this. The VPN was very helpful because I was temporarily connected directly to the Bitcoin network due to a configuration error. However, you don't need a VPN for the finished (very simple) setup. C L I E N T  S I D E Configuration of the Bitcoin Daemon on my local system: SSH Config on my local system (replace strings in capital letters with your own values): The connection is then simply made with S E R V E R  S I D E Configuration of the Bitcoin Daemon on my server (replace ONION_ADDR with your own value): /etc/tor/torrc on my server /etc/tor/torsocks.conf on my server After you have restarted TOR, you will find your ONION_ADDR under
3 Reply Quote Share

Related topics