From c4221c3c3aa074b1a040a6418ffdbe0ebeaa0903 Mon Sep 17 00:00:00 2001
From: Adrian-Stefan Mares
Date: Sun, 20 Jun 2021 11:16:03 +0200
Subject: [PATCH] config+lnd: Update Tor configuration for hybrid node mode
---
config.go | 9 +++++----
lncfg/tor.go | 1 +
lnd.go | 20 +++++++++++++++++---
3 files changed, 23 insertions(+), 7 deletions(-)
diff --git a/config.go b/config.go
index d795feed0..d07e6c22b 100644
--- a/config.go
+++ b/config.go
@@ -906,9 +906,10 @@ func ValidateConfig(cfg Config, usageMessage string,
 // our real information.
 if cfg.Tor.Active {
 cfg.net = &tor.ProxyNet{
- SOCKS: cfg.Tor.SOCKS,
- DNS: cfg.Tor.DNS,
- StreamIsolation: cfg.Tor.StreamIsolation,
+ SOCKS: cfg.Tor.SOCKS,
+ DNS: cfg.Tor.DNS,
+ StreamIsolation: cfg.Tor.StreamIsolation,
+ DirectConnections: cfg.Tor.DirectConnections,
 }
 }
@@ -1316,7 +1317,7 @@ func ValidateConfig(cfg Config, usageMessage string,
 // connections.
 if len(cfg.RawListeners) == 0 {
 addr := fmt.Sprintf(":%d", defaultPeerPort)
- if cfg.Tor.Active {
+ if cfg.Tor.Active && !cfg.Tor.DirectConnections {
 addr = fmt.Sprintf("localhost:%d", defaultPeerPort)
 }
 cfg.RawListeners = append(cfg.RawListeners, addr)
diff --git a/lncfg/tor.go b/lncfg/tor.go
index e7070c38c..8051e399f 100644
--- a/lncfg/tor.go
+++ b/lncfg/tor.go
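Review bot: When directconnections is set, the fallback listener built on the `addr := fmt.Sprintf(":%d", defaultPeerPort)` line now binds to every interface instead of localhost, so a node running in Tor mode silently starts accepting inbound clearnet peers on its real IP next to whatever onion service it runs; an operator who only wanted outbound clearnet reachability gets that exposure without any hint. Nothing in the hunk records this, and the comment above it (`// connections.`) is cut off at the hunk start. I would add above the changed `if`: `// Hybrid mode (Tor + direct connections) also accepts clearnet peers, so the default listener is exposed on all interfaces alongside the onion service; set explicit listeners to restrict this.` ValidateConfig begins and ends outside this hunk.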
@@ -6,6 +6,7 @@ type Tor struct {
 SOCKS string `long:"socks" description:"The host:port that Tor's exposed SOCKS5 proxy is listening on"`
 DNS string `long:"dns" description:"The DNS server as host:port that Tor will use for SRV queries - NOTE must have TCP resolution enabled"`
 StreamIsolation bool `long:"streamisolation" description:"Enable Tor stream isolation by randomizing user credentials for each connection."`
+ DirectConnections bool `long:"directconnections" description:"Allow the node to establish direct connections to services not running behind Tor."`
 Control string `long:"control" description:"The host:port that Tor is listening on for Tor control connections"`
 TargetIPAddress string `long:"targetipaddress" description:"IP address that Tor should use as the target of the hidden service"`
 Password string `long:"password" description:"The password used to arrive at the HashedControlPassword for the control port. If provided, the HASHEDPASSWORD authentication method will be used instead of the SAFECOOKIE one."`
diff --git a/lnd.go b/lnd.go
index bd0f2839d..a00dc9ca1 100644
--- a/lnd.go
+++ b/lnd.go
@@ -8,6 +8,7 @@ import (
 "bytes"
 "context"
 "crypto/tls"
+ "errors"
 "fmt"
 "io/ioutil"
 "net"
@@ -168,6 +169,10 @@ type ListenerCfg struct {
 ExternalRestRegistrar RestRegistrar
 }
+var errStreamIsolationWithDirectConnections = errors.New(
+ "direct connections cannot be used while stream isolation is enabled",
+)
+
 // Main is the true entry point for lnd. It accepts a fully populated and
 // validated main configuration struct and an optional listener config struct.
 // This function starts all main system components then blocks until a signal
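Review bot: The new `directconnections` description says what the flag permits but not what it costs: with it set, traffic to non-Tor services leaves the node unproxied and so reveals the node's real IP address to those services, and elsewhere in this patch the flag is rejected when combined with `streamisolation`. Neither fact reaches someone reading the flag help, which is where an operator decides whether to turn it on. I would extend the tag to: `description:"Allow the node to establish direct connections to services not running behind Tor. Clearnet traffic is not routed through Tor and exposes the node's real IP address to those services; cannot be combined with streamisolation."` The Tor struct starts before and continues past this hunk.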
@@ -752,10 +757,19 @@ func Main(cfg *Config, lisCfg ListenerCfg, interceptor signal.Interceptor) error
 return err
 }
+ if cfg.Tor.StreamIsolation && cfg.Tor.DirectConnections {
+ return errStreamIsolationWithDirectConnections
+ }
+
 if cfg.Tor.Active {
- srvrLog.Infof("Proxying all network traffic via Tor "+
- "(stream_isolation=%v)! NOTE: Ensure the backend node "+
- "is proxying over Tor as well", cfg.Tor.StreamIsolation)
+ if cfg.Tor.DirectConnections {
+ srvrLog.Info("Onion services are accessible via Tor! NOTE: " +
+ "Traffic to clearnet services is not routed via Tor.")
+ } else {
+ srvrLog.Infof("Proxying all network traffic via Tor "+
+ "(stream_isolation=%v)! NOTE: Ensure the backend node "+
+ "is proxying over Tor as well", cfg.Tor.StreamIsolation)
+ }
 }
 // If the watchtower client should be active, open the client database.
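Review bot: The `cfg.Tor.StreamIsolation && cfg.Tor.DirectConnections` rejection is placed in Main rather than in ValidateConfig, where this same patch already builds `tor.ProxyNet` from both fields; a conflicting configuration therefore passes validation and only fails at startup, after whatever step produced the `return err` at the top of the hunk has already run. I would move the three added lines into ValidateConfig next to the ProxyNet construction and fail there (in whatever error form that function uses — not visible here), keeping all Tor config checks in one place and before any state is touched. The hybrid-mode `srvrLog.Info` message could also state that inbound clearnet connections are now accepted on the node's real address, which is the exposure an operator is least likely to expect from a flag named "direct connections". Main begins and ends outside this hunk.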