Bitcoin Node on appVM


Max

Jul 18, 2017, 11:33:38 AM
to qubes-users
Hi,

I have installed the Bitcoin Core client and wish to allow inbound connections. Has anyone tried doing this? I am able to connect to the network with outbound connections but have had no success when trying to get inbound connections.

I have taken these steps:

1) Installed Bitcoin GUI in the template VM
2) Run it in a dedicated AppVM, downloaded the entire blockchain and am in sync
3) Configured port forwarding on the router, removed the firewall
4) Followed the port forwarding steps (https://www.qubes-os.org/doc/firewall/#port-forwarding-to-a-qube-from-the-outside-world) but replaced the port 443 in the instructions with 8333
5) Tried to Telnet the IP address on the sys-net (appears to be 192.168.1.18 on the wlp0s1) and do check node on bitnodes.21.co, but it is unable to connect to host / says my IP is unreachable

Any advice?

Thanks,

Max

Unman

Jul 18, 2017, 11:45:13 AM
to Max, qubes-users
I'm always worried when I see comments like "removed the firewall", or
global changes to firewall rules. This is almost never the right thing
to do. You should be able to put new permissive rules in the firewall
and retain other protections.

Anyway, 192.168.. is a private address, not routable on the internet.
What you want to provide is the EXTERNAL IP address on your router.
If you don't know this you can check it using nwtools.com, unless you're
using Tor or a VPN, in which case just log in to the router and check.

unman

Max

Jul 18, 2017, 12:08:20 PM
to qubes-users, m...@myemail.io, un...@thirdeyesecurity.org

Hi Unman,

Regarding the firewall changes - possibly I wasn't clear.

The statement removing the firewall was simply me disabling it on the router. I wanted to eliminate this as a possibility before raising my questions here. The only changing of the firewall I have done in the Qubes OS is the iptables changes on the sys-net and sys-firewall VMs.

As far as I understand, whilst I may have been a bit of a fool to put in my private address in the telnet, the Bitnodes website was testing the correct port on the external IP address I have. I am getting an unreachable message here. I only did the internal address from a different device on the same network.

Thanks,

Max

Unman

Jul 18, 2017, 2:13:02 PM
to Max, qubes-users
Hi Max,

If you can monitor the router, you should be able to see the inbound
traffic when you run that test.
You can also run 'iptables -L -nv' on sys-net, and watch counters - again,
you should see the counter increment when you run the test. (Watch a
rule that allows traffic to port 8333, obviously)
You can also watch counters on sys-firewall and the target qube.

By doing all this you should be able to see where the traffic is being
blocked, without needing to use a network sniffer or dumping traffic.

Start at the outmost node, and work inwards. At the point where you don't
see traffic you know the problem lies one hop upstream, (unless it
doesn't get to the router obviously).

If you see the traffic inbound at the destination qube, then it's
possible that you are blocking the return traffic on the way out. Just
reverse the process to trace the outbound traffic.

unman
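
The hop-by-hop counter check described in the message above, as an added example that is not part of the original thread: it compares two snapshots of the `iptables` counters taken before and after the port test and reports whether port 8333 traffic reached that hop. It assumes the snapshots were taken with `-x` added (`iptables -L -nvx`) so counters are not abbreviated; the function names and the sample rules and addresses are constructed for illustration.

```shell
#!/bin/sh
# Constructed snapshots of `iptables -L -nvx` from one hop, taken before and
# after the external port test. Interface and 10.137.0.5 are made-up values.
BEFORE='Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            10.137.0.5           tcp dpt:8333 ctstate NEW
      40     2400 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'
AFTER='Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3      180 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            10.137.0.5           tcp dpt:8333 ctstate NEW
      41     2460 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# port_rules PORT: read a snapshot on stdin and print
# "chain rule-number target pkts" for every rule that matches dpt:PORT.
port_rules() {
    awk -v want="dpt:$1" '
        $1 == "Chain" { chain = $2; n = 0; next }   # new chain, restart numbering
        $1 == "pkts"  { next }                      # column header
        NF { n++; for (i = 1; i <= NF; i++) if ($i == want) print chain, n, $3, $1 }
    '
}

# counter_delta PORT BEFORE AFTER: print the packet-count increase per rule.
counter_delta() {
    b=$(printf '%s\n' "$2" | port_rules "$1")
    a=$(printf '%s\n' "$3" | port_rules "$1")
    printf '%s\n---\n%s\n' "$b" "$a" | awk '
        $0 == "---" { second = 1; next }
        NF != 4     { next }                        # empty snapshot: nothing to compare
        !second     { before[$1 FS $2 FS $3] = $4; next }
        { k = $1 FS $2 FS $3; print k, "+" ($4 - before[k]) }
    '
}

# saw_traffic PORT BEFORE AFTER: succeed if any matching rule counted packets.
saw_traffic() {
    counter_delta "$@" | grep -q '+[1-9]'
}

counter_delta 8333 "$BEFORE" "$AFTER"
if saw_traffic 8333 "$BEFORE" "$AFTER"; then
    echo "port 8333 traffic reached this hop; check the next hop inwards"
else
    echo "no port 8333 traffic here; the problem lies one hop upstream"
fi
```

Take the snapshots on sys-net, sys-firewall and the target qube in turn, working inwards. The same parsing applies to `iptables -t nat -L -nvx` output, which is where a DNAT forwarding rule's counters appear.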

qubenix

Jul 19, 2017, 11:40:00 AM
to Unman, Max, qubes-users
Unman:
Max,

Maybe you already know this, but you can use Tor to get through the
firewall. Actually, if you install Tor in your AppVMs template, Bitcoin
will set up the hidden service on the fly over the control port. If
you're using a Whonix gateway it's a little more work, but not hard and
I can help. Still helpful for the network. I use `onlynet=onion` in my
Bitcoin config, so definitely helpful for me!

--
qubenix
GPG: B536812904D455B491DCDCDD04BE1E61A3C2E500