Running bitcoin-d in Qubes-OS in 4 steps

How I set up bitcoind in a Whonix qube in Qubes-OS

If you’ve been following, I switched my main workstation over to Qubes-OS.

One of the great things you can do with Qubes-OS is run bitcoind inside its own qube.

By combining the virtualization security of Qubes OS with the default-Tor routing of Whonix, and configuring Bitcoin to connect only to Onion nodes, you create an extremely secure, leak-proof system.

Here is exactly how I built, configured, and monitored this setup.


Step 1: Creating My Dedicated AppQube

I chose not to run my node inside the default anon-whonix Qube because I didn’t want my node’s background traffic mixing with my everyday web browsing.

  1. I opened the Qubes Create Qube menu.

  2. I named the new Qube whonix-bitcoin.

  3. I set the Type to AppQube and selected whonix-workstation-18 as the Template.

  4. I set the Networking to sys-whonix.

  5. I opened the Qube’s settings and adjusted the Private storage to 1000 GiB because I wanted to store a full bitcoin node.


Step 2: Downloading and Extracting Bitcoin Core

In Qubes OS, any files or programs installed outside the /home directory in an AppQube are wiped upon reboot. To make sure my Bitcoin installation was persistent, I installed it directly inside /home/user/.

  1. I opened my whonix-bitcoin terminal.

  2. I opened Tor Browser, downloaded the official Linux tarball of Bitcoin Core, and made sure it saved to my default Downloads folder.

  3. I moved the archive to my home directory, extracted it, and set up my local binary links using these commands:

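# Move the tarball out of Downloads and unpack it under /home/user so it persists
mv /home/user/Downloads/bitcoin-*.tar.gz /home/user/
tar -xvf /home/user/bitcoin-*.tar.gz -C /home/user/
# Link the binaries into a per-user bin directory
mkdir -p /home/user/bin
ln -s /home/user/bitcoin-*/bin/bitcoind /home/user/bin/bitcoind
ln -s /home/user/bitcoin-*/bin/bitcoin-cli /home/user/bin/bitcoin-cli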

Step 3: Configuring bitcoind for Tor/Onion Only

To force all of my outgoing Bitcoin traffic strictly through Tor onion addresses and block any potential clearnet leaks, I configured my bitcoin.conf file.

  1. I created the data directory and the configuration file:

mkdir -p /home/user/.bitcoin
nano /home/user/.bitcoin/bitcoin.conf

  2. I pasted the following privacy-hardened configuration into the file:

# Route all outgoing connections through the Whonix Gateway Tor proxy
proxy=10.152.152.10:9050

# Restrict network reachability to ONLY onion (Tor) addresses
onlynet=onion

# Disable DNS seeding and DNS lookups to prevent leaks
dnsseed=0
dns=0

# Do not listen for incoming connections (Keeps setup simple)
listen=0

# Run daemon in the background
daemon=1

  3. I saved and closed the file using Ctrl+O, Enter, and then Ctrl+X.

Step 4: Running and Monitoring My Node

With everything in place, I launched the background daemon:

/home/user/bin/bitcoind

To monitor the Initial Block Download (IBD) progress I am running this:

watch -n 2 "/home/user/bin/bitcoin-cli getblockchaininfo"

This is where I currently am in the syncing process, about a day and a half in. I would expect this to take longer because we are doing it all over Tor, but so far so good.

https://blossom.laantungir.net/3095643b7f118a9fcdc40346b3c191437f40f5590a1e90381322d4ebb877b000.png
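
To check the onion-only setup from Step 3 rather than trust it, here is an added example (not part of the original post) that audits a bitcoin.conf against the settings shown above and lists any connected peer that is not on the onion network. The function names and sample data are constructed for illustration, and it assumes the installed Bitcoin Core version reports a `network` field for each peer in `bitcoin-cli getpeerinfo`.

```python
import json

# Settings the post's bitcoin.conf relies on for onion-only operation.
REQUIRED = {"onlynet": "onion", "dnsseed": "0", "dns": "0", "listen": "0"}

# Constructed sample data: the post's settings, and a made-up peer list.
POST_CONF = """proxy=10.152.152.10:9050
onlynet=onion
dnsseed=0
dns=0
listen=0
daemon=1
"""
SAMPLE_PEERS = json.dumps([
    {"addr": "constructedexample.onion:8333", "network": "onion"},
    {"addr": "203.0.113.7:8333", "network": "ipv4"},
])

def parse_conf(text):
    """Collect key=value pairs; a key may repeat, so values are lists."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if "=" in line:
            key, value = line.split("=", 1)
            conf.setdefault(key.strip(), []).append(value.strip())
    return conf

def audit_conf(text):
    """Return findings; an empty list means the file matches the post."""
    conf = parse_conf(text)
    findings = [f"{key}: expected only {want!r}, found {conf.get(key)}"
                for key, want in REQUIRED.items() if conf.get(key) != [want]]
    if not conf.get("proxy"):
        findings.append("proxy: not set")
    return findings

def non_onion_peers(getpeerinfo_json):
    """Return (addr, network) for each peer not connected over onion.
    A peer with no 'network' field is reported too (fail closed)."""
    return [(p.get("addr"), p.get("network"))
            for p in json.loads(getpeerinfo_json)
            if p.get("network") != "onion"]

if __name__ == "__main__":
    print("config findings:", audit_conf(POST_CONF))
    print("non-onion peers:", non_onion_peers(SAMPLE_PEERS))
```

On the node itself, pass in the contents of /home/user/.bitcoin/bitcoin.conf and the output of /home/user/bin/bitcoin-cli getpeerinfo in place of the constructed samples.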
