
HowTo: set up a masternode or staker wallet behind Tor.

boldsuck

New Pivian
I run a server as a hobby and English is not my native language. Improvements and help are welcome.
There are many ways to do everything on UNIX systems. This is one of them. Use at your own risk!
(This is a work in progress. I will do the Tor setup again: multiple Tor instances vs. one Tor process and multiple pivxd masternodes.) Last Edit: 18.04.2020

1. We need a VPS or bare metal root server.
And one IPv4 or IPv6 address per masternode! In this example, 2 IPv4 and 2 IPv6 addresses are used dual stack. Adding more IPs should be self-explanatory.
Examples are for Debian or debian derivatives. (Ubuntu, etc.)

2. Generate a strong ssh key with a passphrase. (On your machine at home):
~$ ssh-keygen -t rsa -b 4096 -o -a 100 # Very compatible.
~$ ssh-keygen -o -a 100 -t ed25519 # Recommended! Faster in authentication & very secure.

Let's go, login to your server:
~$ ssh root@the.ser.ver.ip

Change the root password after the first login!
~$ passwd

Create a user:
(Replace 'user' with your desired username in all example commands, e.g. pivx)
~$ adduser user

Open a second terminal on your machine at home and copy your public ssh key to the server:
~$ ssh-copy-id -p 22 user@the.ser.ver.ip
user@home-pc:~$ ssh-copy-id -p 22 user@the.ser.ver.ip
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
user@the.ser.ver.ip's password:

Number of key(s) added: 1

Now try logging into the machine, with: "ssh -p '22' 'user@the.ser.ver.ip'"
and check to make sure that only the key(s) you wanted were added.

user@home-pc:~$ ssh -p '22' 'user@the.ser.ver.ip'
Enter passphrase for key '/home/user/.ssh/id_ed25519':
Linux localhost 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u2 (2019-08-08) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
user@server:~$ exit
If the user login works with the SSH key then you can close the 2nd terminal.
~$ exit

To verify, in the 1st terminal:
~$ grep "Accepted publickey for user" /var/log/auth.log

From now on, every time you log in you will be asked for your SSH key passphrase instead:
No password is sent over the network any more! You enter the passphrase for the private SSH key that is on your laptop.
~$ ssh user@the.ser.ver.ip
On your machine at home make an alias for lazy SSH logins in .bashrc
Example: ( alias mn1='ssh user@the.ser.ver.ip' )
Then you just have to type 'mn1' into the terminal to connect to the server ;-)
On a private computer that you trust, 'SSH-AskPass' is your friend.
Switch to root:
(If sudo is set up later we can put 'sudo' before every command and no longer have to work as root.)
Use 'su -' since Debian Buster! I've added an alias to the user's .bashrc to avoid making mistakes. ( alias su='su -' )
~$ su -


Back in the 1st terminal change or add the following sshd default settings:
~$ nano /etc/ssh/sshd_config
save a file = [CTRL]+O
quit the editor = [CTRL]+X
Code:
# Authentication:
AllowUsers user
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
X11Forwarding no
~$ service sshd reload # Reload will not drop existing connections.
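Before reloading it is worth checking that the file really contains the settings above: sshd takes the first occurrence of a directive and ignores commented lines, so a stray earlier `PasswordAuthentication yes` silently wins over the one you just added. The audit below is an added example, not part of the original post; `sshd_setting` and `audit_sshd` are names chosen here, and the two sample configs are constructed for the demo. Run `sshd -t` as well so sshd itself validates the syntax before the reload.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# hardening directives set above before reloading the daemon.

# sshd_setting <config> <Directive>
# Prints the effective value of a directive (lowercased) the way sshd resolves it:
# first match wins, keyword matching is case-insensitive, commented lines are ignored.
# Match blocks are not handled; this is a main-section check only.
sshd_setting() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# audit_sshd <config>
# Returns 0 when every required directive holds, otherwise the number of violations.
audit_sshd() {
    conf=$1
    bad=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                PubkeyAuthentication=yes X11Forwarding=no; do
        key=${pair%=*}
        want=${pair#*=}
        got=$(sshd_setting "$conf" "$key")
        if [ "$got" != "$want" ]; then
            echo "audit_sshd: $key is '${got:-unset}', expected '$want'" >&2
            bad=$((bad + 1))
        fi
    done
    # Without AllowUsers, every account that has a key in authorized_keys may log in.
    if [ -z "$(sshd_setting "$conf" AllowUsers)" ]; then
        echo "audit_sshd: AllowUsers is not set" >&2
        bad=$((bad + 1))
    fi
    return "$bad"
}

# Constructed sample configs (stand-ins for /etc/ssh/sshd_config).
DEMO=$(mktemp -d)
cat > "$DEMO/hardened" <<'EOF'
# Authentication:
AllowUsers user
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
X11Forwarding no
EOF
cat > "$DEMO/stock" <<'EOF'
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
X11Forwarding yes
EOF

audit_sshd "$DEMO/hardened" && echo "hardened: OK"
audit_sshd "$DEMO/stock" || echo "stock: $? problem(s) found"
```

Point `audit_sshd` at `/etc/ssh/sshd_config` on the server; a non-zero exit tells you how many of the directives still differ from the ones listed above.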


In case you want to change the hostname:
~$ hostname hostname.domain.tld
~$ nano /etc/hostname
~$ nano /etc/hosts

Most hosters configure only one IPv4 address. Configure IPv6 and possibly additional IPv4 addresses.
~$ nano /etc/network/interfaces
Code:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback
#iface lo inet6 loopback

# The primary network interface. Attention! Adjust the interface name: enp2s0
allow-hotplug enp2s0
iface enp2s0 inet static
address 203.0.113.11
netmask 255.255.255.255
gateway 203.0.113.1
up ip addr add 203.0.113.12/32 dev enp2s0 label enp2s0:0
down ip addr del 203.0.113.12/32 dev enp2s0 label enp2s0:0
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 127.0.0.1 ns1-provider ns2-provider
dns-search your-domain.tld

iface enp2s0 inet6 static
# If you're lucky that's enough:
#address 2001:db8:abc:a00::2
#netmask 64
#gateway 2001:db8:abc:a00::1 or gateway fe80::1
# IPv6 address and gateway are often in different subnets. For newbies, I think this is one of the most common pitfalls with IPv6:
# Provider specifies IPv6 2001:db8:abc:a09::/64 and gateway 2001:db8:abc:a00::1
address 2001:db8:abc:a09::2
netmask 64
up ip -6 addr add 2001:db8:abc:a09::3/128 dev enp2s0
post-up ip -6 route add 2001:db8:abc:a00::1 dev enp2s0
post-up ip -6 route add default via 2001:db8:abc:a00::1
pre-down ip -6 route del default via 2001:db8:abc:a00::1
pre-down ip -6 route del 2001:db8:abc:a00::1 dev enp2s0
down ip -6 addr del 2001:db8:abc:a09::3/128 dev enp2s0
dns-nameservers ::1 ns1-provider ns2-provider

Update software:
~$ apt update && apt full-upgrade
We need these packages:
(apt has been HTTPS-capable since Debian 10 (buster); apt-transport-https is only a transitional dummy package.)
~$ apt install lsb-release gpg wget apt-transport-https

Add official Tor repository:
~$ echo "deb https://deb.torproject.org/torproject.org `lsb_release -cs` main" >> /etc/apt/sources.list
And add the repo key:
~$ wget -O - https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | apt-key add -

Reread software package lists:
~$ apt update
Install missing software:
~$ apt install deb.torproject.org-keyring tor nyx tor-geoipdb tor-instances unattended-upgrades apt-listchanges sudo fail2ban iptables-persistent unbound ntp

Add user account to the sudo group:
~$ usermod -aG sudo user

Configure automatic updates:
~$ cp /usr/share/unattended-upgrades/20auto-upgrades /etc/apt/apt.conf.d/20auto-upgrades

Configure unbound validating, recursive, caching DNS resolver :
~$ mv /etc/resolv.conf /etc/resolv.conf.bak
~$ nano /etc/resolv.conf
If unbound is installed, we only need this one line:
nameserver 127.0.0.1

Configure firewall (Examples, adjust IPs and Ports):
~$ nano /etc/iptables/rules.v4
Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

## Allow all loopback (lo) traffic; traffic to 127/8 that does not arrive on lo falls through to the default DROP policy.
-A INPUT -i lo -j ACCEPT

## Allow incoming SSH, only on one IP:
-A INPUT -p tcp -d the.ser.ver.ip --dport 22 -j ACCEPT

## Allow Tor-Bridge ORPort, ListenAddr:
-A INPUT -p tcp -d the.ser.ver.ip --dport 443 -j ACCEPT
-A INPUT -p tcp -d the.ser.ver.ip --dport 8080 -j ACCEPT
## Allow pivxd-1:
-A INPUT -p tcp -d the.ser.ver.ip --dport 51472 -j ACCEPT
## Allow pivxd-2:
-A INPUT -p tcp -d the.ser.ver.ip2 --dport 51472 -j ACCEPT

## ratelimit ICMP echo, allow all others
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
-A INPUT -p icmp -j ACCEPT

## to log denied packets uncomment this line
#-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP

COMMIT
~$ nano /etc/iptables/rules.v6
Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

## Allow all loopback (lo) traffic; traffic to ::1 that does not arrive on lo falls through to the default DROP policy.
-A INPUT -i lo -j ACCEPT

## Allow incoming SSH, only on one IP:
-A INPUT -p tcp -d 2001:DB8::2 --dport 22 -j ACCEPT

## Allow Tor-Bridge ORPort, ListenAddr:
-A INPUT -p tcp -d 2001:DB8::2 --dport 443 -j ACCEPT
-A INPUT -p tcp -d 2001:DB8::2 --dport 8080 -j ACCEPT
## Allow pivxd-1:
-A INPUT -p tcp -d 2001:DB8::2 --dport 51472 -j ACCEPT
## Allow pivxd-2:
-A INPUT -p tcp -d 2001:DB8::3 --dport 51472 -j ACCEPT

## ratelimit ICMP echo, allow all others
-A INPUT -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 2/s -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type echo-request -j DROP
-A INPUT -p ipv6-icmp -j ACCEPT

## to log denied packets uncomment this line
#-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP

COMMIT
~$ chmod 600 /etc/iptables/rules.v4
~$ chmod 600 /etc/iptables/rules.v6
~$ iptables-restore < /etc/iptables/rules.v4
~$ ip6tables-restore < /etc/iptables/rules.v6
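A quick way to see what a rules file like the two above actually exposes before loading it with iptables-restore, as an added example that is not part of the original post: `exposed_ports`, `input_policy_is_drop` and `has_unscoped_accepts` are names chosen here, and the two sample rule sets are constructed for the demo using the post's the.ser.ver.ip placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: summarise what an iptables-restore
# rules file opens to the network and confirm the INPUT chain falls back to DROP.

# exposed_ports <rules-file>
# Prints one "destination port" pair per INPUT rule that ACCEPTs a --dport.
# A rule without -d applies to every local address and is reported as "any".
exposed_ports() {
    awk '/^-A INPUT/ && /-j ACCEPT/ && /--dport/ {
            dst = "any"; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-d") dst = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            print dst, port
        }' "$1"
}

# input_policy_is_drop <rules-file>
# Returns 0 when the file sets ":INPUT DROP", i.e. unmatched packets are dropped.
input_policy_is_drop() {
    grep -q '^:INPUT DROP' "$1"
}

# has_unscoped_accepts <rules-file>
# Returns 0 when some port is opened without -d, i.e. on every address of the host.
has_unscoped_accepts() {
    exposed_ports "$1" | grep -q '^any '
}

# Constructed sample rule sets (stand-ins for /etc/iptables/rules.v4).
DEMO=$(mktemp -d)
cat > "$DEMO/rules.good" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -d the.ser.ver.ip --dport 22 -j ACCEPT
-A INPUT -p tcp -d the.ser.ver.ip --dport 443 -j ACCEPT
-A INPUT -p tcp -d the.ser.ver.ip --dport 51472 -j ACCEPT
-A INPUT -p tcp -d the.ser.ver.ip2 --dport 51472 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
cat > "$DEMO/rules.sloppy" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -d the.ser.ver.ip --dport 51472 -j ACCEPT
COMMIT
EOF

echo "good rules expose:";   exposed_ports "$DEMO/rules.good"
echo "sloppy rules expose:"; exposed_ports "$DEMO/rules.sloppy"
input_policy_is_drop "$DEMO/rules.sloppy" || echo "sloppy: INPUT policy is not DROP"
has_unscoped_accepts "$DEMO/rules.sloppy" && echo "sloppy: a port is open on every address"
```

Run it against /etc/iptables/rules.v4 and rules.v6 before `iptables-restore`; the list should contain exactly the IP/port pairs you meant to open (SSH on one address only, pivxd on each masternode address) and nothing on "any".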

~$ systemctl stop tor

~$ tor-instance-create 00
~$ tor-instance-create 01
~$ ...
~$ systemctl enable tor@00.service
~$ systemctl enable tor@01.service
~$ ...
~$ systemctl mask tor@default.service

Configure tor:
I list the config for the 2nd Tor instance and the pivxd daemon here, so that the difference to the default settings can be seen.
~$ nano /etc/tor/instances/01/torrc
Code:
# This is the tor configuration file for tor instance 01.
#
# To start/reload/etc this instance, run "systemctl start tor@01.service" (or reload, or..).
# This instance will run as user _tor-01; its data directory is /var/lib/tor-instances/01.

## ControlPort and authentication cookie for tor-arm, nyx, pivxd
## Start nyx: ~$ sudo -u _tor-01 nyx -i 9052
## Hint: alias to user's .bashrc ( alias nyx01='sudo -u _tor-01 nyx -i 9052' )
ControlPort 9052
#CookieAuthentication 1

## Tor opens a socks proxy on port 9050 by default -- even if you don't configure one below.
SocksPort 9150

## Entry policies to allow/deny SOCKS requests based on IP address.
## First entry that matches wins. If no SocksPolicy is set, we accept
## all (and only) requests that reach a SocksPort. Untrusted users who
## can access your SocksPort may be able to learn about the connections
## you make.
SocksPolicy accept 127.0.0.1
SocksPolicy reject *

AutomapHostsOnResolve 1
#AutomapHostsSuffixes .exit,.onion
LongLivedPorts 51472
~$ systemctl start tor@01.service
or '~$ reboot' to see if everything is ok

Download and set up the PIVX Core wallet

Get the latest release from: https://github.com/pivx-project/pivx/releases & adapt the version in the following examples!
You can use the following directories for this:
/home/$user, /opt or /usr/local (I use here as an example: /home/pivx/pivx-4.0.2)

~$ su pivx
~$ cd /home/pivx
~$ wget https://github.com/PIVX-Project/PIVX/releases/download/v4.0.2/pivx-4.0.2-x86_64-linux-gnu.tar.gz
~$ wget https://github.com/PIVX-Project/PIVX/releases/download/v4.0.2/SHA256SUMS.asc

Verification of the binary files should be done prior to extracting, installing, or using the software!
~$ sha256sum -c SHA256SUMS.asc 2>&1 | grep OK
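Piping `sha256sum -c` into `grep OK` reports success as soon as any line prints OK, so it does not notice when the tarball you downloaded is not listed at all or when a different file fails. The function below, an added example that is not part of the original post, fails closed in both cases; `verify_release` is a name chosen here and the files it checks are constructed stand-ins for the tarball and SHA256SUMS.asc. It does not replace checking the signature on SHA256SUMS.asc with `gpg --verify` against the release signing key obtained out of band; that step needs the key and is not shown here.

```shell
#!/bin/sh
# Added example, not from the original post: verify a downloaded release archive
# against its SHA256SUMS file and fail closed when the archive is not listed or
# its digest differs. "grep OK" alone would miss both cases.

# verify_release <archive> <sums-file>
# Returns 0 on a matching digest, 1 on a mismatch, 2 when the archive is not listed.
verify_release() {
    archive=$1
    sums=$2
    name=$(basename "$archive")
    # Lines look like "<hex>  <file>" (text mode) or "<hex> *<file>" (binary mode).
    expected=$(awk -v f="$name" '$2 == f || $2 == ("*" f) { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "verify_release: $name is not listed in $(basename "$sums")" >&2
        return 2
    fi
    actual=$(sha256sum "$archive" | awk '{ print $1 }')
    if [ "$expected" != "$actual" ]; then
        echo "verify_release: digest mismatch for $name" >&2
        return 1
    fi
    echo "verify_release: $name OK"
}

# Constructed sample data standing in for the tarball and SHA256SUMS.asc.
DEMO=$(mktemp -d)
printf 'stand-in for the release tarball\n' > "$DEMO/release-good.tar.gz"
printf 'stand-in for a tampered tarball\n'  > "$DEMO/release-bad.tar.gz"
printf 'stand-in for an unlisted file\n'    > "$DEMO/release-unlisted.tar.gz"
(
    cd "$DEMO" || exit 1
    sha256sum release-good.tar.gz
    # Wrong digest on purpose: the good file's hash recorded under the bad file's name.
    sha256sum release-good.tar.gz | sed 's/release-good/release-bad/'
) > "$DEMO/SHA256SUMS"

verify_release "$DEMO/release-good.tar.gz" "$DEMO/SHA256SUMS"
verify_release "$DEMO/release-bad.tar.gz" "$DEMO/SHA256SUMS" || echo "exit status $?"
```

On the server you would call it as `verify_release pivx-4.0.2-x86_64-linux-gnu.tar.gz SHA256SUMS.asc` and only run `tar` when it exits 0.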

~$ tar -xvzf pivx-4.0.2-x86_64-linux-gnu.tar.gz

Delete downloaded files. ( -i =Prompt before every removal. type 'y' and 'ENTER')
~$ rm -i pivx-4.0.2-x86_64-linux-gnu.tar.gz && rm -i SHA256SUMS.asc
~$ /home/pivx/pivx-4.0.2/bin/pivxd -daemon &

I synchronize the blockchain on a masternode and do not load the snapshot.
It takes a few hours! You can copy the synced data if several masternodes are set up.

Now, how to torify it:

1. Adding both the user running Tor and the user running pivxd to the same group:
Example! (Replace user, pivx)
~$ /home/pivx/pivx-4.0.2/bin/pivx-cli stop
~$ usermod -aG _tor-00 user
~$ usermod -aG _tor-01 pivx
~$ /home/pivx/pivx-4.0.2/bin/pivxd -daemon &

2. If everything works you will find your .onion address in the pivxd debug log ;-)
~$ grep "tor: Got service ID" /home/user/.pivx/debug.log

Set up masternode or staker wallet:

~$ nano /home/user/.pivx/pivx.conf
Code:
## pivx.conf configuration file.
# Network-related settings:

# Connect via a SOCKS5 proxy
proxy=127.0.0.1:9150

# Use separate SOCKS5 proxy to reach peers via Tor hidden services (default: -proxy)
onion=127.0.0.1:9150

# Tor control port to use if onion listening enabled (default: 127.0.0.1:9051)
torcontrol=127.0.0.1:9052

# Listening mode, enabled by default except when 'connect' is being used
listen=1

# Maximum number of inbound+outbound connections. (default: 125)
maxconnections=256

daemon=1
logtimestamps=1

# Bind to given address and always listen on it. Use [host]:port notation for IPv6
# TCP port: (default: 51472 or testnet: 51474)
bind=the.ser.ver.ip2
bind=[2001:DB8::3]:51472
onlynet=onion
externalip=vvitroeopey3h7i2.onion
masternode=1
masternodeaddr=vvitroeopey3h7i2.onion:51472
masternodeprivkey=91v..............................................8K

#
# JSON-RPC options (for controlling a running Pivx/pivxd process)
#

# server=1 tells Pivx-QT to accept JSON-RPC commands,
# it is also read by pivxd to determine if RPC should be enabled.
server=1

# By default, only RPC connections from localhost are allowed.
# NOTE: opening up the RPC port to hosts outside your local trusted network is NOT RECOMMENDED,
# because the rpcpassword is transmitted over the network unencrypted.
#rpcallowip=[::1]
#rpcallowip=127.0.0.1

# If pivxd is run with the "-server" flag (set by default), and no rpcpassword is set, it will use a special cookie file for authentication.
#rpcuser=user
#rpcpassword=Mn1AkgiekiVe45bA

On the main computer we have to put our .onion address in the masternode.conf.
Example: mn1 vvitroeopey3h7i2.onion:51472 93HaYBVUCYjEMeeH1Y4sBGLALQZE1Yc1K64xiqgX37tGBDQL8Xg 2bcd3c84c84f87eaa86e4e56834c92927a07f9e18718810b92e0d0324456a67c 0
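The proxy, onion and torcontrol lines in pivx.conf have to match the SocksPort and ControlPort of the Tor instance the wallet is meant to use (Tor's defaults are 9050 and 9051; instance 01 above uses 9150 and 9052), and a mismatch only shows up later as a wallet with no peers or no onion address. The check below is an added example, not part of the original post: `torrc_port`, `conf_value`, `torrc_has_control_auth` and `check_tor_wiring` are names chosen here, and the sample torrc and pivx.conf files are constructed for the demo. Note that with the torrc exactly as shown above, where CookieAuthentication is commented out, the check reports the control port as unauthenticated; Tor itself logs a warning for that configuration, because any local process can then reconfigure it.

```shell
#!/bin/sh
# Added example, not from the original post: check that pivx.conf's proxy, onion and
# torcontrol settings point at the ports this Tor instance's torrc really opens
# (Tor's defaults are 9050/9051; the instance above uses 9150/9052), and that the
# control port is not left without authentication.

# torrc_port <torrc> <Directive> <default>
# Prints the port of a torrc directive ("SocksPort 9150" or "ControlPort 127.0.0.1:9052"),
# falling back to the given default when the directive is absent. Comments are ignored.
torrc_port() {
    val=$(awk -v k="$2" '$1 == k { print $2; exit }' "$1")
    val=${val:-$3}
    echo "${val##*:}"
}

# conf_value <pivx.conf> <key>
# Prints the value of "key=value"; first occurrence wins, comment lines are ignored.
conf_value() {
    awk -F= -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# torrc_has_control_auth <torrc>
# Returns 0 when CookieAuthentication 1 or a HashedControlPassword is configured.
torrc_has_control_auth() {
    awk '$1 == "CookieAuthentication" && $2 == "1" { found = 1 }
         $1 == "HashedControlPassword" { found = 1 }
         END { exit !found }' "$1"
}

# check_tor_wiring <torrc> <pivx.conf>
# Returns 0 when everything lines up, otherwise the number of problems found.
check_tor_wiring() {
    torrc=$1
    conf=$2
    bad=0
    socks=$(torrc_port "$torrc" SocksPort 9050)
    ctrl=$(torrc_port "$torrc" ControlPort 9051)
    for key in proxy onion torcontrol; do
        val=$(conf_value "$conf" "$key")
        host=${val%:*}
        port=${val##*:}
        case $key in
            torcontrol) want=$ctrl ;;
            *)          want=$socks ;;
        esac
        if [ "$host" != "127.0.0.1" ]; then
            echo "check_tor_wiring: $key=${val:-unset} does not point at the local Tor" >&2
            bad=$((bad + 1))
        elif [ "$port" != "$want" ]; then
            echo "check_tor_wiring: $key uses port $port but torrc opens $want" >&2
            bad=$((bad + 1))
        fi
    done
    # Without cookie or password auth any local process can drive the ControlPort.
    # With cookie auth on, pivxd reads the cookie file, which is why the post puts
    # the pivx user into the _tor-01 group.
    if ! torrc_has_control_auth "$torrc"; then
        echo "check_tor_wiring: ControlPort $ctrl has no authentication configured" >&2
        bad=$((bad + 1))
    fi
    return "$bad"
}

# Constructed sample files (stand-ins for /etc/tor/instances/01/torrc and pivx.conf).
DEMO=$(mktemp -d)
cat > "$DEMO/torrc" <<'EOF'
## ControlPort and authentication cookie for nyx and pivxd
ControlPort 9052
CookieAuthentication 1
SocksPort 9150
SocksPolicy accept 127.0.0.1
SocksPolicy reject *
EOF
cat > "$DEMO/pivx.conf" <<'EOF'
# Connect via a SOCKS5 proxy
proxy=127.0.0.1:9150
onion=127.0.0.1:9150
torcontrol=127.0.0.1:9052
onlynet=onion
EOF
# Same wallet config left at pivxd's defaults: every port is wrong for this instance.
cat > "$DEMO/pivx-defaults.conf" <<'EOF'
proxy=127.0.0.1:9050
onion=127.0.0.1:9050
torcontrol=127.0.0.1:9051
EOF

check_tor_wiring "$DEMO/torrc" "$DEMO/pivx.conf" && echo "instance 01 and pivx.conf agree"
check_tor_wiring "$DEMO/torrc" "$DEMO/pivx-defaults.conf" || echo "defaults: $? problem(s)"
```

Run it as `check_tor_wiring /etc/tor/instances/01/torrc /home/user/.pivx/pivx.conf` for each wallet/instance pair; when several pivxd share one Tor process, point every pivx.conf at that one torrc.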

Sample init scripts:

Useful commands:
~$ /home/pivx/pivx-4.0.2/bin/pivx-cli getnetworkinfo
~$ /home/pivx/pivx-4.0.2/bin/pivx-cli getmasternodestatus
Sometimes the masternode cannot be started from the controller wallet. You can also enter this command directly on the masternode:
~$ /home/pivx/pivx-4.0.2/bin/pivx-cli startmasternode local false

~$ fail2ban-client status sshd
~$ fail2ban-client set sshd banip 123.123.123.123
~$ fail2ban-client set sshd unbanip 123.123.123.123
~$ iptables -S -v
~$ ip6tables -S -v
~$ iptables -L -v
~$ ip6tables -L -v

Other useful packages:
~$ apt install man htop nullmailer logcheck logcheck-database

Intel & AMD CPUs support a native AES crypto acceleration. You can check if AES-NI is enabled:
~$ cat /proc/cpuinfo | grep aes

If your server has IPMI, you can activate it yourself in the BIOS ;-)
 

Eric_Stanek

Administrator
At the beginning, you state;

We need a VPN or bare metal root server.

I think you mean VPS.


In the file nano /etc/iptables/rules.v4, there is this reference.

the.ser.ver.ip2

Is that the server of where I am connecting from via SSH, or the VPS server? I am actually running a bare metal server, and it is on the LAN. So, is the IP I need to enter the public IP (WAN) or internal network IP (LAN)?

Do you have instructions for Fedora? I know Debian well, but prefer to stick with Fedora on this machine.
 

Eric_Stanek

Administrator
Probably best to leave Firewall and SSH access details, and PIVX installation to another Tutorial to make this one more clear.

Every set of instructions I see on the web to run multiple instances of Tor for multiple MN daemons, are extremely different. I'm sure everyone runs into that issue.

Should be organized like this:

Step 1: Installing Tor.

Step 2: Testing Tor installation.

Step 3: Configuring Tor for 2 instances.

Step 4: Testing 2 Tor instances running at the same time.

Step 5: Preparing Data Directories for each PIVX instance.

Step 6: Preparing Masternode.conf on controller wallet.

Step 7: Starting 2 instances of PIVX over Tor.

Step 8: Stopping specific instance of PIVX.

Make it dead simple.

Hope this helps!
 

boldsuck

New Pivian
At the beginning, you state;

We need a VPN or bare metal root server.

I think you mean VPS.
o_O Oh, yes. I changed it.
In the file nano /etc/iptables/rules.v4, there is this reference.

the.ser.ver.ip2

Is that the server of where I am connecting from via SSH, or the VPS server? I am actually running a bare metal server, and it is on the LAN. So, is the IP I need to enter the public IP (WAN) or internal network IP (LAN)?
Do you have instructions for Fedora? I know Debian well, but prefer to stick with Fedora on this machine.
Yes, that's the IP on the server. Your internal network IP (LAN) is right.
I only allow SSH access from WAN to one IPv4 and one IPv6. I forbid everything from WAN in and only open the ports that are needed.
SSH only from LAN is more secure. If you are alone in the LAN, you can possibly allow everything. ( -A INPUT -s 192.168.0.1 -j ACCEPT )
(I only have bare metal servers, Supermicro blades, 23-32 €/month, 16-32GB RAM, traffic unlimited.) I have backup access via the IPMI interface over the LAN from the provider in the data center.

Code:
-A INPUT -s 192.168.0.1 -p tcp -d the.ser.ver.ip --dport 22 -i eth0 -j ACCEPT
--append INPUT --source IP --protocol tcp --destination IP --destination-port 22 --in-interface eth0 --jump ACCEPT

Starting with Debian Buster, nf_tables is the default backend when using iptables. I have to switch to nft rules soon.

My last rpm-based distro was from SuSE Linux AG from Nürnberg, Germany, before Novell bought it and renamed it to openSUSE. I only briefly looked at RedHat, Fedora, CentOS.

Probably best to leave Firewall and SSH access details, and PIVX installation to another Tutorial to make this one more clear.

Every set of instructions I see on the web to run multiple instances of Tor for multiple MN daemons, are extremely different. I'm sure everyone runs into that issue.

Should be organized like this:

Step 1: Installing Tor.

Step 2: Testing Tor installation.

Step 3: Configuring Tor for 2 instances.

Step 4: Testing 2 Tor instances running at the same time.

Step 5: Preparing Data Directories for each PIVX instance.

Step 6: Preparing Masternode.conf on controller wallet.

Step 7: Starting 2 instances of PIVX over Tor.

Step 8: Stopping specific instance of PIVX.

Make it dead simple.

Hope this helps!
The nice instances create script is specifically for Debian/Ubuntu with systemd services only. Other OSes or old ones with sysvinit must be set up 'by hand'. We have to rewrite that for pivxd ;-)
The Tor Project created this for 1GB and 10GB interfaces because Tor is not ¹really multicore aware. A Tor relay or Tor exit has tens of thousands of in & out connections.
Adonis asked a good question on the Discord channel. I created a Tor instance for mainnet, one for testnet and one for a Tor bridge. However, you can run several pivxd over one Tor process. That is probably easier.
I'm doing an extra tutorial for the Tor installation. I'll start with Steps 1-4.
For a quick and easy setup of SSH, firewall & Tor I adapted a script for Debian 9 + 10: https://github.com/boldsuck/tor-relay-bootstrap (I have to change 'apt install' back to 'apt-get'. Using apt interactively and apt-get in scripts is recommended.)

It is difficult to write instructions for different systems. It starts with the systemd script. Adonis has one for Raspberry. For Ubuntu 18 and Debian 9 + 10 the one from the PIVX GitHub is correct. 64-Bit-ARM (AArch64) != 64-Bit-PC (AMD64)
Many program paths have changed from Debian 9 to 10.
/bin → /usr/bin
/sbin → /usr/sbin
/lib → /usr/lib
/run → /var/run
That's why almost all PIVX mn instructions are in '/home/user/' as user accounts and not service accounts.

¹On a quad core, however, a tor process is divided into several threads.
