config+lnd: Update Tor configuration for hybrid node mode

2024-11-19 01:43:16 +01:00 · 2021-06-20 11:16:03 +02:00 · 2021-06-20 11:16:03 +02:00 · c4221c3c3a
commit c4221c3c3a
parent be666b55b6
3 changed files with 23 additions and 7 deletions
--- a/config.go
+++ b/config.go
@ -906,9 +906,10 @@ func ValidateConfig(cfg Config, usageMessage string,
 	// our real information.
 	if cfg.Tor.Active {
 		cfg.net = &tor.ProxyNet{
-			SOCKS:           cfg.Tor.SOCKS,
-			DNS:             cfg.Tor.DNS,
-			StreamIsolation: cfg.Tor.StreamIsolation,
+			SOCKS:             cfg.Tor.SOCKS,
+			DNS:               cfg.Tor.DNS,
+			StreamIsolation:   cfg.Tor.StreamIsolation,
+			DirectConnections: cfg.Tor.DirectConnections,
 		}
 	}

@ -1316,7 +1317,7 @@ func ValidateConfig(cfg Config, usageMessage string,
 	// connections.
 	if len(cfg.RawListeners) == 0 {
 		addr := fmt.Sprintf(":%d", defaultPeerPort)
-		if cfg.Tor.Active {
+		if cfg.Tor.Active && !cfg.Tor.DirectConnections {
 			addr = fmt.Sprintf("localhost:%d", defaultPeerPort)
 		}
 		cfg.RawListeners = append(cfg.RawListeners, addr)
--- a/lncfg/tor.go
+++ b/lncfg/tor.go
@ -6,6 +6,7 @@ type Tor struct {
 	SOCKS             string `long:"socks" description:"The host:port that Tor's exposed SOCKS5 proxy is listening on"`
 	DNS               string `long:"dns" description:"The DNS server as host:port that Tor will use for SRV queries - NOTE must have TCP resolution enabled"`
 	StreamIsolation   bool   `long:"streamisolation" description:"Enable Tor stream isolation by randomizing user credentials for each connection."`
+	DirectConnections bool   `long:"directconnections" description:"Allow the node to establish direct connections to services not running behind Tor."`
 	Control           string `long:"control" description:"The host:port that Tor is listening on for Tor control connections"`
 	TargetIPAddress   string `long:"targetipaddress" description:"IP address that Tor should use as the target of the hidden service"`
 	Password          string `long:"password" description:"The password used to arrive at the HashedControlPassword for the control port. If provided, the HASHEDPASSWORD authentication method will be used instead of the SAFECOOKIE one."`
--- a/lnd.go
+++ b/lnd.go
@ -8,6 +8,7 @@ import (
 	"bytes"
 	"context"
 	"crypto/tls"
+	"errors"
 	"fmt"
 	"io/ioutil"
 	"net"
@ -168,6 +169,10 @@ type ListenerCfg struct {
 	ExternalRestRegistrar RestRegistrar
 }

+var errStreamIsolationWithDirectConnections = errors.New(
+	"direct connections cannot be used while stream isolation is enabled",
+)
+
 // Main is the true entry point for lnd. It accepts a fully populated and
 // validated main configuration struct and an optional listener config struct.
 // This function starts all main system components then blocks until a signal
@ -752,10 +757,19 @@ func Main(cfg *Config, lisCfg ListenerCfg, interceptor signal.Interceptor) error
 		return err
 	}

+	if cfg.Tor.StreamIsolation && cfg.Tor.DirectConnections {
+		return errStreamIsolationWithDirectConnections
+	}
+
 	if cfg.Tor.Active {
-		srvrLog.Infof("Proxying all network traffic via Tor "+
-			"(stream_isolation=%v)! NOTE: Ensure the backend node "+
-			"is proxying over Tor as well", cfg.Tor.StreamIsolation)
+		if cfg.Tor.DirectConnections {
+			srvrLog.Info("Onion services are accessible via Tor! NOTE: " +
+				"Traffic to clearnet services is not routed via Tor.")
+		} else {
+			srvrLog.Infof("Proxying all network traffic via Tor "+
+				"(stream_isolation=%v)! NOTE: Ensure the backend node "+
+				"is proxying over Tor as well", cfg.Tor.StreamIsolation)
+		}
 	}

 	// If the watchtower client should be active, open the client database.