
HowTo: set up a masternode or staker wallet behind Tor.

boldsuck

New Pivian
I run a server as a hobby and English is not my native language. Improvements and help are welcome.
There are many ways to do everything on UNIX systems. This is one of them. Use at your own risk!

1. We need a VPS or a bare metal root server.
Examples are for Debian or Debian derivatives (Ubuntu, etc.).

2. Generate a strong SSH key with a passphrase (on your machine at home):
~$ ssh-keygen -t rsa -b 4096 -o -a 100 # Very compatible.
~$ ssh-keygen -o -a 100 -t ed25519 # Recommended! Faster in authentication & very secure.

Let's go, login to your server:
~$ ssh [email protected]

Change the root password after the first login!
~$ passwd

Create a user:
(Replace '$user' with your desired username in all example commands, e.g. pivx)
~$ adduser user

Open a second terminal on your machine at home and copy your public ssh key to the server:
~$ ssh-copy-id -p 22 [email protected]
[email protected]:~$ ssh-copy-id -p 22 [email protected]
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:

Number of key(s) added: 1

Now try logging into the machine, with: "ssh -p '22' '[email protected]'"
and check to make sure that only the key(s) you wanted were added.

[email protected]:~$ ssh -p '22' '[email protected]'
Enter passphrase for key '/home/user/.ssh/id_ed25519':
Linux localhost 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u2 (2019-08-08) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
[email protected]:~$ exit
If the user login works with the SSH key, you can close the 2nd terminal.
~$ exit

To verify in the 1st terminal:
~$ grep "Accepted publickey for user" /var/log/auth.log

Every subsequent login asks for your SSH key passphrase:
No password is sent over the network any more! You enter the passphrase of the private SSH key that is on your laptop.
~$ ssh [email protected]
On your machine at home, make an alias for lazy SSH logins in .bashrc.
Example: ( alias mn1='ssh [email protected]' )
Then you just have to type 'mn1' into the terminal to connect to the server ;-)
On a private computer that you trust, 'ssh-askpass' is your friend.
Switch to root:
(If sudo is set up later, we can put 'sudo' before every command and no longer have to work as root.)
Use 'su -' since Debian Buster! I've added an alias to the user's .bashrc to avoid mistakes. ( alias su='su -' )
~$ su -


Back in the 1st terminal, change or add the following sshd settings:
~$ nano /etc/ssh/sshd_config
Code:
AllowUsers user
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
X11Forwarding no
~$ service sshd reload # Reload will not drop existing connections.
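A check that the settings above are really the ones sshd will use, as an added example that is not part of the original post. sshd takes the first occurrence of a keyword, so a hardened line appended to the end of the file is silently ignored when an earlier line already set that keyword, and keywords match case-insensitively. The sample config is constructed for the example (it is not a real server's file), and the audit does not handle Match blocks or Include directives; on the server itself, `sshd -T` prints the effective configuration.

```sh
#!/bin/sh
# Added example, not part of the original post: audit an sshd_config for the
# settings the guide asks for. sshd uses the FIRST occurrence of a keyword and
# matches keyword names case-insensitively; Match blocks and Include are not
# handled here ("sshd -T" on the server prints the effective config).

# write_sample_config -> writes a constructed (hypothetical) sshd_config to a
# temp file and prints its path. The hardened lines were appended at the end,
# but the earlier PasswordAuthentication/X11Forwarding lines still win.
write_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Hypothetical sshd_config, constructed for this example
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
ChallengeResponseAuthentication no
X11Forwarding yes
AllowUsers user
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
X11Forwarding no
EOF
    echo "$f"
}

# effective_value FILE KEYWORD -> prints the value sshd will use for KEYWORD
# (first non-comment match, case-insensitive), or nothing if it is unset.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# check_setting FILE KEYWORD EXPECTED -> 0 if the effective value is EXPECTED,
# 1 otherwise; prints one result line either way.
check_setting() {
    actual=$(effective_value "$1" "$2")
    if [ "$actual" = "$3" ]; then
        printf 'OK   %-24s %s\n' "$2" "$actual"
        return 0
    fi
    printf 'FAIL %-24s effective=%s expected=%s\n' "$2" "${actual:-<unset>}" "$3"
    return 1
}

# audit_sshd FILE -> runs the five checks from the guide; the return value is
# the number of failing settings (0 means the file is as intended).
audit_sshd() {
    failures=0
    for pair in AllowUsers=user PermitRootLogin=no PubkeyAuthentication=yes \
                PasswordAuthentication=no X11Forwarding=no; do
        check_setting "$1" "${pair%%=*}" "${pair#*=}" || failures=$((failures + 1))
    done
    return "$failures"
}

# Demo: three checks pass, PasswordAuthentication and X11Forwarding fail
# because the earlier "yes" lines are the effective ones (audit_sshd returns 2).
sample=$(write_sample_config)
audit_sshd "$sample" || echo "$? setting(s) are not effective, fix the earlier lines"
rm -f "$sample"
```

Run it against /etc/ssh/sshd_config on the server after editing; a FAIL line means an earlier line in the file (or a commented-out default that was uncommented by a package upgrade) is overriding your change.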


In case you want to change the hostname:
~$ hostname hostname.domain.tld
~$ nano /etc/hostname
~$ nano /etc/hosts

Most hosting providers configure only one IPv4 address. Configure IPv6 and possibly additional IPv4 addresses.
~$ nano /etc/network/interfaces

Update software:
~$ apt update && apt full-upgrade
We need these packages:
(apt has been HTTPS-capable since Debian 10 (buster); apt-transport-https is only a transitional dummy package.)
~$ apt install lsb-release gpg apt-transport-https

Add official Tor repository:
~$ echo "deb https://deb.torproject.org/torproject.org `lsb_release -cs` main" >> /etc/apt/sources.list
And add the repo key:
~$ wget -O - https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | apt-key add -

Reread software package lists:
~$ apt update
Install missing software:
~$ apt install deb.torproject.org-keyring tor nyx tor-geoipdb tor-instances unattended-upgrades apt-listchanges sudo fail2ban iptables-persistent unbound

Add user account to the sudo group:
~$ usermod -aG sudo user

Configure automatic updates:
~$ cp /usr/share/unattended-upgrades/20auto-upgrades /etc/apt/apt.conf.d/20auto-upgrades

Configure firewall (Examples, adjust IPs and Ports):
~$ nano /etc/iptables/rules.v4
Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

## Allow all loopback (lo) traffic; traffic to 127/8 that does not arrive on lo falls through to the INPUT DROP policy.
-A INPUT -i lo -j ACCEPT

## Allow incoming SSH, only on one IP:
-A INPUT -p tcp -d the.ser.ver.ip --dport 22 -j ACCEPT

## Allow Tor-Bridge ORPort, ListenAddr:
-A INPUT -p tcp -d the.ser.ver.ip --dport 443 -j ACCEPT
-A INPUT -p tcp -d the.ser.ver.ip --dport 8080 -j ACCEPT
## Allow pivxd-1:
-A INPUT -p tcp -d the.ser.ver.ip --dport 51472 -j ACCEPT
## Allow pivxd-2:
-A INPUT -p tcp -d the.ser.ver.ip2 --dport 51472 -j ACCEPT

## ratelimit ICMP echo, allow all others
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
-A INPUT -p icmp -j ACCEPT

## to log denied packets uncomment this line
#-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP

COMMIT
~$ nano /etc/iptables/rules.v6
Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

## Allow all loopback (lo) traffic; traffic to ::1 that does not arrive on lo falls through to the INPUT DROP policy.
-A INPUT -i lo -j ACCEPT

## Allow incoming SSH, only on one IP:
-A INPUT -p tcp -d 2001:DB8::2 --dport 22 -j ACCEPT

## Allow Tor-Bridge ORPort, ListenAddr:
-A INPUT -p tcp -d 2001:DB8::2 --dport 443 -j ACCEPT
-A INPUT -p tcp -d 2001:DB8::2 --dport 8080 -j ACCEPT
## Allow pivxd-1:
-A INPUT -p tcp -d 2001:DB8::2 --dport 51472 -j ACCEPT
## Allow pivxd-2:
-A INPUT -p tcp -d 2001:DB8::3 --dport 51472 -j ACCEPT

## ratelimit ICMP echo, allow all others
-A INPUT -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 2/s -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type echo-request -j DROP
-A INPUT -p ipv6-icmp -j ACCEPT

## to log denied packets uncomment this line
#-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP

COMMIT
~$ chmod 600 /etc/iptables/rules.v4
~$ chmod 600 /etc/iptables/rules.v6
~$ iptables-restore < /etc/iptables/rules.v4
~$ ip6tables-restore < /etc/iptables/rules.v6
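Before loading a rules file it is worth listing which TCP ports it actually opens and on which address, because a rule that forgot the `-d` restriction exposes the port on every address of the host. The following is an added example, not part of the original post: it reads a rules file in the layout used above (the sample is constructed with documentation addresses 192.0.2.x, not a real server) and reports the accepting INPUT rules. The syntax check to run on the server itself is `iptables-restore --test /etc/iptables/rules.v4`.

```sh
#!/bin/sh
# Added example, not part of the original post: summarise which TCP ports an
# iptables-persistent rules file opens, and on which destination address, so
# the file can be reviewed before iptables-restore loads it. Only
# "-A INPUT ... -p tcp ... --dport N ... -j ACCEPT" lines are reported; the
# loopback, ICMP and state rules are left out on purpose.

# write_sample_rules -> writes a constructed rules file in the guide's layout
# (documentation addresses 192.0.2.x, not a real server) and prints its path.
# The last ACCEPT rule has no -d, a typical mistake on a multi-address host.
write_sample_rules() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
## Allow incoming SSH, only on one IP:
-A INPUT -p tcp -d 192.0.2.10 --dport 22 -j ACCEPT
## Allow Tor-Bridge ORPort:
-A INPUT -p tcp -d 192.0.2.10 --dport 443 -j ACCEPT
-A INPUT -p tcp -d 192.0.2.10 --dport 8080 -j ACCEPT
## Allow pivxd-1 and pivxd-2:
-A INPUT -p tcp -d 192.0.2.10 --dport 51472 -j ACCEPT
-A INPUT -p tcp -d 192.0.2.11 --dport 51472 -j ACCEPT
-A INPUT -p tcp --dport 51473 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
    echo "$f"
}

# exposed_tcp_ports FILE -> one "address port" line per accepting INPUT rule,
# in file order; "any" marks a rule that has no -d restriction.
exposed_tcp_ports() {
    awk '
        /^-A INPUT/ && /-p tcp/ && /--dport/ && /-j ACCEPT/ {
            addr = "any"; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-d") addr = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            print addr, port
        }
    ' "$1"
}

# unexpected_ports FILE PORT... -> prints every exposed port that is not in
# the list of expected PORTs; returns 1 if there was at least one, else 0.
unexpected_ports() {
    file=$1; shift
    exposed_tcp_ports "$file" | awk -v allowed=" $* " '
        index(allowed, " " $2 " ") == 0 { print "UNEXPECTED: " $1 ":" $2; bad = 1 }
        END { exit bad }
    '
}

# Demo: the sample opens 22, 443, 8080 and 51472 as in the guide, plus a stray
# 51473 on every address that the review should catch.
rules=$(write_sample_rules)
exposed_tcp_ports "$rules"
unexpected_ports "$rules" 22 443 8080 51472 || echo "review the rules file before loading it"
rm -f "$rules"
```

The same functions work on rules.v6 unchanged, since the `-d`/`--dport` layout is identical; only the address strings differ.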

~$ systemctl stop tor

~$ tor-instance-create 00
~$ tor-instance-create 01
~$ ...
~$ systemctl enable [email protected]
~$ systemctl enable [email protected]
~$ ...
~$ systemctl mask [email protected]

Configure tor:
I list the config for the 2nd tor instance and the pivxd daemon here, so that the difference from the default settings can be seen.
~$ nano /etc/tor/instances/01/torrc
Code:
# This is the tor configuration file for tor instance 01.
#
# To start/reload/etc this instance, run "systemctl start [email protected]" (or reload, or..).
# This instance will run as user _tor-01; its data directory is /var/lib/tor-instances/01.

## ControlPort and authentication cookie for tor-arm, nyx, pivxd
## Start nyx: ~$ sudo -u _tor-01 nyx -i 9052
## Hint: alias to user's .bashrc ( alias nyx01='sudo -u _tor-01 nyx -i 9052' )
ControlPort 9052
#CookieAuthentication 1

## Tor opens a socks proxy on port 9050 by default -- even if you don't configure one below.
SocksPort 9150

## Entry policies to allow/deny SOCKS requests based on IP address.
## First entry that matches wins. If no SocksPolicy is set, we accept
## all (and only) requests that reach a SocksPort. Untrusted users who
## can access your SocksPort may be able to learn about the connections
## you make.
SocksPolicy accept 127.0.0.1
SocksPolicy reject *

AutomapHostsOnResolve 1
#AutomapHostsSuffixes .exit,.onion
LongLivedPorts 51472
~$ systemctl start [email protected]
or '~$ reboot' to see if everything is ok

Download and set up the PIVX Core wallet

Get the latest release from: https://github.com/pivx-project/pivx/releases and adapt the version in the following examples!
You can use one of the following directories for this:
/home/$user, /opt or /usr/local (I use /home/pivx/pivx-4.0.2 as the example here)

~$ su pivx
~$ cd /home/pivx
~$ wget https://github.com/PIVX-Project/PIVX/releases/download/v4.0.2/pivx-4.0.2-x86_64-linux-gnu.tar.gz
~$ wget https://github.com/PIVX-Project/PIVX/releases/download/v4.0.2/SHA256SUMS.asc

Verify the binary files before extracting, installing, or using the software!
~$ sha256sum -c SHA256SUMS.asc 2>&1 | grep OK

~$ tar -xvzf pivx-4.0.2-x86_64-linux-gnu.tar.gz

Delete the downloaded files. (-i prompts before every removal; type 'y' and ENTER)
~$ rm -i pivx-4.0.2-x86_64-linux-gnu.tar.gz && rm -i SHA256SUMS.asc
~$ /home/pivx/pivx-4.0.2/bin/pivxd -daemon &
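The verification step above pipes `sha256sum -c` into `grep OK`, which prints nothing at all when the hash does not match, and silence is easy to mistake for success. The following is an added example, not part of the original post or the PIVX project: it checks one downloaded archive against the SHA256SUMS file and fails loudly on a mismatch, a missing file, or a file the sums list does not mention. The archive and sums file are constructed fixtures with fake content and the version `x.y.z` is a placeholder. Note the limit of any checksum check: it proves the archive matches the sums file, not that the sums file is genuine; for that, `gpg --verify SHA256SUMS.asc` against the release signing key is the step to add (not shown here because it needs the key material).

```sh
#!/bin/sh
# Added example, not part of the original post: verify a downloaded release
# archive against a SHA256SUMS file with an explicit pass/fail result.
# A matching hash only proves the archive matches the sums file; the sums
# file's authenticity needs "gpg --verify SHA256SUMS.asc" (not shown here).

# make_fixture DIR -> writes a constructed archive (fake content, not a real
# release) and a clearsign-shaped SHA256SUMS.asc that lists it, into DIR.
make_fixture() {
    dir=$1
    archive="$dir/pivx-x.y.z-x86_64-linux-gnu.tar.gz"
    printf 'not a real tarball, constructed for the example\n' > "$archive"
    sum=$(sha256sum "$archive" | cut -d' ' -f1)
    other=$(printf 'some other artifact\n' | sha256sum | cut -d' ' -f1)
    {
        printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----' 'Hash: SHA256' ''
        printf '%s  pivx-x.y.z-x86_64-linux-gnu.tar.gz\n' "$sum"
        printf '%s  pivx-x.y.z-aarch64-linux-gnu.tar.gz\n' "$other"
        printf '%s\n' '-----BEGIN PGP SIGNATURE-----' \
            '(signature block omitted in this constructed fixture)' \
            '-----END PGP SIGNATURE-----'
    } > "$dir/SHA256SUMS.asc"
}

# verify_archive DIR FILE -> 0 if DIR/FILE exists and its SHA-256 equals the
# entry for FILE in DIR/SHA256SUMS.asc; 1 (with a reason) otherwise.
verify_archive() {
    dir=$1; file=$2
    if [ ! -f "$dir/$file" ]; then
        echo "FAIL: $file not found in $dir"; return 1
    fi
    # Checksum lines are "<hex>  <name>"; the clearsign header and footer
    # lines never carry the file name in the second field, so they are skipped.
    expected=$(awk -v name="$file" '$2 == name { print $1; exit }' "$dir/SHA256SUMS.asc")
    if [ -z "$expected" ]; then
        echo "FAIL: SHA256SUMS.asc has no entry for $file"; return 1
    fi
    actual=$(sha256sum "$dir/$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"; return 0
    fi
    echo "FAIL: $file hashes to $actual but SHA256SUMS.asc says $expected"
    return 1
}

# Demo: a good download passes, the same file with one byte appended fails.
demo=$(mktemp -d)
make_fixture "$demo"
verify_archive "$demo" pivx-x.y.z-x86_64-linux-gnu.tar.gz
printf 'x' >> "$demo/pivx-x.y.z-x86_64-linux-gnu.tar.gz"
verify_archive "$demo" pivx-x.y.z-x86_64-linux-gnu.tar.gz || echo "do not extract this archive"
rm -rf "$demo"
```

On the server, call `verify_archive /home/pivx pivx-4.0.2-x86_64-linux-gnu.tar.gz` (with the real version) and only run `tar` when it prints OK.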

I synchronize the blockchain on a masternode and do not load the snapshot.
It takes a few hours! If several masternodes are set up, you can copy the synced blockchain data to the others.

Now, how to torify it:

1. Add both the user running Tor and the user running pivxd to the same group:
(Example: replace 'user' and 'pivx' with your usernames)
~$ /home/pivx/pivx-4.0.2/bin/pivx-cli stop
~$ usermod -aG _tor-00 user
~$ usermod -aG _tor-01 pivx
~$ /home/pivx/pivx-4.0.2/bin/pivxd -daemon &

2. If everything works you will find your .onion address in the pivxd debug log ;-)
~$ grep "tor: Got service ID" /home/user/.pivx/debug.log

Set up masternode or staker wallet:

~$ nano /home/user/.pivx/pivx.conf
Code:
## pivx.conf configuration file.
# Network-related settings:

# Connect via a SOCKS5 proxy
proxy=127.0.0.1:9150

# Use separate SOCKS5 proxy to reach peers via Tor hidden services (default: -proxy)
onion=127.0.0.1:9150

# Tor control port to use if onion listening enabled (default: 127.0.0.1:9051)
torcontrol=127.0.0.1:9052

# Listening mode, enabled by default except when 'connect' is being used
listen=1

# Maximum number of inbound+outbound connections. (default: 125)
maxconnections=256

daemon=1
logtimestamps=1

# Bind to given address and always listen on it. Use [host]:port notation for IPv6
# TCP port: (default: 51472 or testnet: 51474)
bind=the.ser.ver.ip2
bind=[2001:DB8::3]:51472
onlynet=onion
externalip=vvitroeopey3h7i2.onion
masternode=1
masternodeaddr=vvitroeopey3h7i2.onion:51472
masternodeprivkey=91v..............................................8K

#
# JSON-RPC options (for controlling a running Pivx/pivxd process)
#

# server=1 tells Pivx-QT to accept JSON-RPC commands,
# it is also read by pivxd to determine if RPC should be enabled.
server=1

# By default, only RPC connections from localhost are allowed.
# NOTE: opening up the RPC port to hosts outside your local trusted network is NOT RECOMMENDED,
# because the rpcpassword is transmitted over the network unencrypted.
#rpcallowip=[::1]
#rpcallowip=127.0.0.1

# If pivxd is run with the "-server" flag (set by default), and no rpcpassword is set, it will use a special cookie file for authentication.
#rpcuser=user
#rpcpassword=Mn1AkgiekiVe45bA

On the main computer we have to put our .onion address in the masternode.conf.
Example: mn1 vvitroeopey3h7i2.onion:51472 93HaYBVUCYjEMeeH1Y4sBGLALQZE1Yc1K64xiqgX37tGBDQL8Xg 2bcd3c84c84f87eaa86e4e56834c92927a07f9e18718810b92e0d0324456a67c 0
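A structural check of such a masternode.conf line before pasting it into the controller wallet, as an added example that is not part of the original post or the PIVX project. It assumes the standard five-field layout shown above (alias, address:port, masternode private key, collateral transaction id, output index) and checks only the shape of each field: a Tor-only node should have a base32 .onion name on port 51472, the txid must be 64 hex characters, and the index must be a number. It cannot tell whether the key or the txid is the right one for your collateral.

```sh
#!/bin/sh
# Added example, not part of the original post: sanity-check a masternode.conf
# line. Assumed five-field layout (as in the guide's sample line):
#   alias  address:port  masternodeprivkey  collateral_txid  output_index
# The checks are structural only; they cannot verify the key or txid itself.

# validate_mn_line "LINE" -> 0 if the line is well-formed, 1 with a reason otherwise
validate_mn_line() {
    set -f            # no globbing while we split the line into fields
    set -- $1
    set +f
    if [ "$#" -ne 5 ]; then
        echo "FAIL: expected 5 fields, got $#"; return 1
    fi
    alias=$1 addr=$2 key=$3 txid=$4 idx=$5
    case $alias in
        ''|*[!A-Za-z0-9_-]*) echo "FAIL: alias '$alias' has unusual characters"; return 1 ;;
    esac
    # Tor-only node: v2 (16 chars) or v3 (56 chars) base32 onion name on the P2P port.
    if ! printf '%s\n' "$addr" | grep -Eq '^([a-z2-7]{16}|[a-z2-7]{56})\.onion:51472$'; then
        echo "FAIL: address '$addr' is not <name>.onion:51472"; return 1
    fi
    # The private key is base58 (no 0, O, I, l); only its alphabet is checked.
    case $key in
        ''|*[!1-9A-HJ-NP-Za-km-z]*) echo "FAIL: privkey contains non-base58 characters"; return 1 ;;
    esac
    # Collateral txid is a 64-character lowercase hex string.
    if ! printf '%s\n' "$txid" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "FAIL: txid '$txid' is not 64 hex characters"; return 1
    fi
    case $idx in
        ''|*[!0-9]*) echo "FAIL: output index '$idx' is not a number"; return 1 ;;
    esac
    echo "OK: $alias -> $addr (collateral $txid:$idx)"
    return 0
}

# Demo with the guide's sample line (passes) and a clearnet address (fails,
# since this setup is meant to be reachable over Tor only).
validate_mn_line "mn1 vvitroeopey3h7i2.onion:51472 93HaYBVUCYjEMeeH1Y4sBGLALQZE1Yc1K64xiqgX37tGBDQL8Xg 2bcd3c84c84f87eaa86e4e56834c92927a07f9e18718810b92e0d0324456a67c 0"
validate_mn_line "mn1 192.0.2.10:51472 93HaYBVUCYjEMeeH1Y4sBGLALQZE1Yc1K64xiqgX37tGBDQL8Xg 2bcd3c84c84f87eaa86e4e56834c92927a07f9e18718810b92e0d0324456a67c 0" || echo "fix the line before using it"
```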

Sample init scripts:

Useful commands:
~$ /home/pivx/pivx-4.0.2/bin/pivx-cli getnetworkinfo
~$ /home/pivx/pivx-4.0.2/bin/pivx-cli getmasternodestatus
Sometimes the masternode cannot be started from the controller wallet. You can also enter this command directly on the masternode:
~$ /home/pivx/pivx-4.0.2/bin/pivx-cli startmasternode local false

~$ fail2ban-client status sshd
~$ fail2ban-client set sshd banip 123.123.123.123
~$ fail2ban-client set sshd unbanip 123.123.123.123
~$ iptables -S -v
~$ ip6tables -S -v
~$ iptables -L -v
~$ ip6tables -L -v

Other useful packages:
~$ apt install man htop nullmailer logcheck logcheck-database

Intel and AMD CPUs support native AES acceleration (AES-NI). You can check whether it is enabled:
~$ cat /proc/cpuinfo | grep aes

If your server has IPMI, you can activate it yourself in the BIOS ;-)