Skip to content

feat: add Tor SOCKS5 proxy support for outbound .onion connections#89

Closed
sat-engineer wants to merge 1 commit intogetAlby:mainfrom
sat-engineer:feat/tor-socks-outbound
Closed

feat: add Tor SOCKS5 proxy support for outbound .onion connections#89
sat-engineer wants to merge 1 commit intogetAlby:mainfrom
sat-engineer:feat/tor-socks-outbound

Conversation

@sat-engineer
Copy link

@sat-engineer sat-engineer commented Feb 7, 2026

Summary

  • Implement SOCKS5 protocol in connection.rs to route outbound peer connections through a Tor proxy, enabling LDK nodes to connect to peers at .onion addresses
  • Add set_tor_proxy_address() on NodeBuilder with FFI-compatible UDL bindings
  • Route OnionV3 addresses through SOCKS5 proxy while keeping clearnet addresses on direct TCP

Details

This is a self-contained SOCKS5 implementation (~100 lines) that doesn't depend on unreleased upstream code. It follows the approach of ldk-node #778 but avoids the dependency on lightning_net_tokio::tor_connect_outbound() which isn't in any released crate version yet.

SOCKS5 features:

  • Full RFC 1928/1929 handshake (method negotiation, username/password auth, CONNECT)
  • Tor stream isolation via random password per connection (uses EntropySource::get_secure_random_bytes())
  • Supports OnionV3, IPv4, IPv6, and Hostname address types
  • Base32 encoder for OnionV3 address derivation
  • 30-second connection timeout

Architecture:

  • tor_proxy_address lives on NodeBuilder (not Config) for UniFFI compatibility
  • ConnectionManager detects .onion addresses and routes them through the proxy
  • No new crate dependencies

Test plan

  • cargo check passes with zero warnings
  • Built and deployed on Umbrel with two Alby Hub instances
  • Peer connection over .onion succeeded
  • Lightning channel opened over Tor
  • Lightning payments settled over Tor (1k and 2k sats, 0 fees)

🤖 Generated with Claude Code

@sat-engineer sat-engineer mentioned this pull request Feb 7, 2026
Closed
3 tasks
@sat-engineer @claude @AOrobator
feat: add Tor SOCKS5 proxy support for outbound .onion connections
e799323 
Implement SOCKS5 protocol in connection.rs to route outbound peer
connections through a Tor proxy. This enables LDK nodes to connect
to peers at .onion addresses.

Changes:
- Add tor_socks5_connect() with full SOCKS5 handshake (RFC 1928/1929)
- Support Tor stream isolation via random password auth per connection
- Add set_tor_proxy_address() on NodeBuilder (FFI-compatible via UDL)
- Route OnionV3 addresses through SOCKS5, clearnet through direct TCP
- Include base32 encoder for OnionV3 address derivation

Based on the approach in upstream ldk-node PR lightningdevkit#778, but with a
self-contained SOCKS5 implementation that doesn't depend on unreleased
lightning_net_tokio::tor_connect_outbound().

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sat-engineer sat-engineer force-pushed the feat/tor-socks-outbound branch from c7a84c9 to e799323 Compare February 7, 2026 20:42
@sat-engineer
Copy link
Author

sat-engineer commented Feb 7, 2026

Reopening with clean history

@sat-engineer sat-engineer deleted the feat/tor-socks-outbound branch February 7, 2026 20:43
@sat-engineer sat-engineer restored the feat/tor-socks-outbound branch February 7, 2026 20:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@sat-engineer