How does Lightning Network over TOR work?

3

0

I'm interested to understand in detail how the Lightning Network works over Tor. Implementations like lnd, c-lightning etc. offer an extension which allows running TOR with Lightning. I would like to understand how running Lightning with TOR works in practice. In particular I'm interested in the following cases:

1) I am the sender, but I enabled Tor in my node. What does sending to a node R outside the Tor network look like?

2) I am the recipient node, and I do not advertise an IP address, but an onion address. How do I receive payments?

3) The sender node S is a regular LN node, without any Tor connections. As a sender, I want to send a payment to node R and my LN node finds the best path to send my payment to R. Is it possible that this path will at any hop go through Tor or go through an onion node, because any of the nodes in the selected path happens to be onion or has access to Tor? And if yes, what does the routing look like then?

AnnMP

Posted 2019-10-02T14:55:13.523

Reputation: 133

Answers

4

Running a Lightning node over TOR is no different from running it over a normal IP connection. Sending a payment, fulfilling an incoming payment, sending error messages etc. would happen in the exact same way in both cases. The only difference is that the above messages that you send to your peer will now go over the TOR network rather than as a direct IP packet.

If you are using only TOR without any public IP address, then to route your payment to a node that is using only a public IP address you will need to have a node in your path to the receiver that is (1) running TOR and public IP or (2) running public IP and can connect to TOR nodes using the socks5 proxy. If you do not have this node in between you would not be able to send the payment.

When the Tor service starts it creates a socks5 proxy which is by default at address 127.0.0.1:9050. If a node with a public IP is started with the option --proxy=127.0.0.1:9050 (or with it included in the config file), the node will be able to connect to nodes running TOR (like yours).

If you are running TOR and have a public IP address then you can directly connect with nodes that run tor or public IP nodes via the tor service socks5 proxy.

I am the sender, but I enabled TOR in my node. What does sending to a node R outside the TOR network look like?

The network routing happens according to what I mentioned above. However, the path calculation for sending the payment to the receiver happens on your node, so it does not involve what network routing you are using. You would construct the onion routing packet with the path to the receiver (the channels you will use to send the payment), and try to send this onion and the payment_hash to your peer via the update_add_htlc message. This message will then go over TOR nodes before reaching your peer, instead of directly reaching your peer.

I am the recipient node, and I do not advertise an IP address, but an onion address. How do I receive payments?

You can receive payments from nodes directly that are running TOR. If you want to receive payments from nodes that have only public IP, then you would need to have a node in your path that has the proxy option set so that it can connect to TOR nodes via socks5 proxy.

The sender node S is a regular LN node, without any Tor connections. As a sender, I want to send a payment to node R and my LN node finds the best path to send my payment to R. Is it possible that this path will at any hop go through Tor or go through an onion node, because any of the nodes in the selected path happens to be onion or has access to Tor? And if yes, what does the routing look like then?

Assume the path from S to R looks like this: S -> T -> U -> V -> R. A number of cases can arise:

  • S and R do not run TOR: It depends
    • All the nodes could be on public IP and your payment goes through.
    • T could be a node running public IP and TOR. It has a public IP channel with you, and a TOR channel with U. U can then have a proxy option set that allows it to have TOR based channels with T and public IP channel with U. V is a public IP node and U routes payment to V in the normal way.
  • R runs TOR: At least one node in between should run/understand TOR
    • T/U/V have a public IP, and have TOR so that they can make channels with TOR nodes and public IP nodes
    • T/U/V are all public IP nodes but V has a proxy option set which allows it to have a tor based channel connection with R.

Ugam Kamat

Posted 2019-10-02T14:55:13.523

Reputation: 5 180

Thanks for the great reply, highly appreciate it. Here are just a couple of detailed questions: Is there any way to know which nodes can support TOR connections beside the ones that actually publish an onion address? The majority of the nodes publish only a public IP but that doesn't mean they don't have TOR enabled, right? On the other hand, if we don't know which nodes enable TOR, how can we correctly pick the path from source to destination of the payment? - AnnMP 2019-10-02T17:03:33.970

Part 1: (1) I think it has to work the opposite way. Using only a TOR node you cannot connect to a public IP address node (outbound connection), but can accept a connection from a public IP node that can connect to TOR through a proxy. (2) Nodes announce the services that they run in the node_announcement message. You can just run the command lightning-cli listnodes <node_id> and check what network that node supports. - Ugam Kamat 2019-10-02T17:32:35.530

Part 2: (3) you pick the path based on channels. If there is a path with channels in between you and the receiver then at least one node in between must support both the services. If it didn't, the nodes wouldn't have been able to connect, let alone set up a channel. - Ugam Kamat 2019-10-02T17:33:54.043

Thanks for the replies, that's super helpful! The information about the supported networks, is that the information under the key 'addresses' or something else? - AnnMP 2019-10-03T19:48:24.260

@AnnMP yes, you will see the supported address types in the key addresses. For example, you could query 03a503d8e30f2ff407096d235b5db63b4fcf3f89a653acb6f43d3fc492a7674019 node and find that it runs three types of addresses: ipv4, ipv6, and torv3. - Ugam Kamat 2019-10-04T05:40:14.223

"If there is a path with channels in between you and the receiver then at least one node in between must support both the services." That's wrong, you can of course connect to a public ip node over tor (unless the other node is blocking connections from tor exits). - chpio 2019-10-05T07:12:03.033

Also: you can receive payments from a public ip node if you're running an only-tor node by connecting to that node and then opening a channel, the other way around (opening a connection from the public ip node to your tor node) wouldn't work because of your node not having a public ip. A channel can be opened in both directions as long as there is a connection between nodes. - chpio 2019-10-05T07:16:24.763

@chpio 1/2 You might be right that the public IP can accept incoming connection, but the Lightning implementations do not support that. Check out the c-lightning docs related to what they support over tor. In case #1 you will see that public IP address without TOR service supports only outgoing. - Ugam Kamat 2019-10-06T06:21:34.790

@chpio 2/2 As I said above related to the implementations, public IP nodes can only send outbound connections to the nodes running TOR and TOR only nodes can only receive inbound connection. However, after the connection is established, they can open the channel in any direction. - Ugam Kamat 2019-10-06T06:24:00.907
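
Added example, not part of the original thread and not c-lightning's own code: it reads the `addresses` key discussed in the comments from JSON shaped like `lightning-cli listnodes` output and, for the S -> T -> U -> V -> R path from the answer, lists which side of each hop could open the peer connection. The sample JSON, node ids, addresses and per-node proxy flags are constructed, and it assumes a node with a socks5 proxy can also reach ipv4/ipv6 peers through it.

```python
import json

TOR, IP = {"torv2", "torv3"}, {"ipv4", "ipv6"}

# Constructed sample in the shape of `lightning-cli listnodes` output.
# Node ids and addresses are made up for illustration.
GOSSIP = json.loads("""{"nodes": [
 {"nodeid": "S", "addresses": [{"type": "ipv4", "address": "192.0.2.1", "port": 9735}]},
 {"nodeid": "T", "addresses": [{"type": "ipv4", "address": "192.0.2.2", "port": 9735},
                               {"type": "torv3", "address": "t-placeholder.onion", "port": 9735}]},
 {"nodeid": "U", "addresses": [{"type": "torv3", "address": "u-placeholder.onion", "port": 9735}]},
 {"nodeid": "V", "addresses": [{"type": "ipv6", "address": "2001:db8::5", "port": 9735}]},
 {"nodeid": "R", "addresses": [{"type": "torv3", "address": "r-placeholder.onion", "port": 9735}]}
]}""")
NODES = {n["nodeid"]: n for n in GOSSIP["nodes"]}

# Whether a node uses a socks5 proxy is local configuration and is not
# announced in gossip, so these flags are assumed inputs.
PROXY = {"S": False, "T": True, "U": True, "V": False, "R": True}

def classify(node):
    """Label a node by the address types it announces."""
    types = {a["type"] for a in node.get("addresses", [])}
    if types & TOR and types & IP:
        return "both"
    if types & TOR:
        return "tor-only"
    return "clearnet-only" if types & IP else "unannounced"

def can_dial(dialer, target, proxy=PROXY):
    """True if dialer can open an outbound connection to some address of target."""
    for addr in NODES[target].get("addresses", []):
        if addr["type"] in IP:
            return True   # reachable directly, or through the proxy (assumption)
        if addr["type"] in TOR and proxy[dialer]:
            return True   # a .onion address needs a socks5 proxy on the dialer
    return False

def check_path(path, proxy=PROXY):
    """For each hop, list which side(s) could have initiated the connection."""
    hops = []
    for a, b in zip(path, path[1:]):
        dialers = [d for d, t in ((a, b), (b, a)) if can_dial(d, t, proxy)]
        hops.append((a, b, dialers))
    return hops

if __name__ == "__main__":
    for a, b, dialers in check_path(["S", "T", "U", "V", "R"]):
        print(f"{a} ({classify(NODES[a])}) <-> {b} ({classify(NODES[b])}): {dialers}")
```
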