Bisq2 on Tails

Hello,

The current wiki page about Bisq installation on Tails doesn’t work for Bisq2. I updated the script but it still doesn’t work; Bisq2 can’t connect to the Tor network. Did someone successfully run Bisq2 on Tails? We need to update the wiki to allow Tails users to run Bisq2.

Journalctl logs:

DATE amnesia bisq2-Bisq2.desktop[16348]: XX:XX:03.878 INFO  [TorControlReader.start] b.n.t.c.BootstrapService: Tor bootstrap event: TorBootstrapEvent(progress=5, tag=conn, summary=Connecting to a relay, timestamp=TIMESTAMP)
DATE amnesia bisq2-Bisq2.desktop[16348]: XX:XX:03.885 INFO  [TorControlReader.start] b.n.t.c.TorControlReader: Received reply from Tor control server: 650 STATUS_CLIENT WARN BOOTSTRAP PROGRESS=5 TAG=conn SUMMARY="Connecting to a relay" WARNING="Connection refused" REASON=CONNECTREFUSED COUNT=1 RECOMMENDATION=ignore HOSTID="000HOSTID" HOSTADDR="1.2.3.4:9000"
DATE amnesia bisq2-Bisq2.desktop[16348]: XX:XX:03.885 INFO  [TorControlReader.start] b.n.t.c.BootstrapService: Tor bootstrap event: TorBootstrapEvent(progress=5, tag=conn, summary=Connecting to a relay" WARNING="Connection refused" REASON=CONNECTREFUSED COUNT=1 RECOMMENDATION=ignore HOSTID="001HOSTID" HOSTADDR="1.2.3.5:9000, timestamp=TIMESTAMP)
DATE amnesia bisq2-Bisq2.desktop[16348]: XX:XX:04.877 INFO  [TorControlReader.start] b.n.t.c.TorControlReader: Received reply from Tor control server: 650 STATUS_CLIENT WARN BOOTSTRAP PROGRESS=5 TAG=conn SUMMARY="Connecting to a relay" WARNING="Connection refused" REASON=CONNECTREFUSED COUNT=2 RECOMMENDATION=ignore HOSTID="002HOSTID" HOSTADDR="1.2.3.6:8446"

Edited script:

#!/bin/bash
BisqInstaller=/home/amnesia/Persistent/bisq/Bisq-2.1.7.deb
DataDirectory=/home/amnesia/Persistent/bisq/Bisq

echo "Install Bisq ..."
dpkg -i $BisqInstaller
echo "Change access rights of /var/run/tor/control.authcookie ..."
chmod o+r /var/run/tor/control.authcookie
echo "Create /etc/onion-grater.d/bisq.yml ..."
echo "---
- apparmor-profiles:
    - '/opt/bisq2/bin/Bisq2'
  users:
    - 'amnesia'
  commands:
    AUTHCHALLENGE:
      - 'SAFECOOKIE .*'
    SETEVENTS:
      - 'CIRC ORCONN INFO NOTICE WARN ERR HS_DESC HS_DESC_CONTENT'
    GETINFO:
      - pattern: 'status/bootstrap-phase'
        response:
          - pattern: '250-status/bootstrap-phase=*'
            replacement: '250-status/bootstrap-phase=NOTICE BOOTSTRAP PROGRESS=100 TAG=done SUMMARY=\"Done\"'
      - 'net/listeners/socks'
    ADD_ONION:
      - pattern:     'NEW:(\S+) Port=9999,(\S+)'
        replacement: 'NEW:{} Port=9999,{client-address}:{}'
      - pattern:     '(\S+):(\S+) Port=9999,(\S+)'
        replacement: '{}:{} Port=9999,{client-address}:{}'
    DEL_ONION:
      - '.+'
    HSFETCH:
      - '.+'
  events:
    CIRC:
      suppress: true
    ORCONN:
      suppress: true
    INFO:
      suppress: true
    NOTICE:
      suppress: true
    WARN:
      suppress: true
    ERR:
      suppress: true
    HS_DESC:
      response:
        - pattern:     '650 HS_DESC CREATED (\S+) (\S+) (\S+) \S+ (.+)'
          replacement: '650 HS_DESC CREATED {} {} {} redacted {}'
        - pattern:     '650 HS_DESC UPLOAD (\S+) (\S+) .*'
          replacement: '650 HS_DESC UPLOAD {} {} redacted redacted'
        - pattern:     '650 HS_DESC UPLOADED (\S+) (\S+) .+'
          replacement: '650 HS_DESC UPLOADED {} {} redacted'
        - pattern:     '650 HS_DESC REQUESTED (\S+) NO_AUTH'
          replacement: '650 HS_DESC REQUESTED {} NO_AUTH'
        - pattern:     '650 HS_DESC REQUESTED (\S+) NO_AUTH \S+ \S+'
          replacement: '650 HS_DESC REQUESTED {} NO_AUTH redacted redacted'
        - pattern:     '650 HS_DESC RECEIVED (\S+) NO_AUTH \S+ \S+'
          replacement: '650 HS_DESC RECEIVED {} NO_AUTH redacted redacted'
        - pattern:     '.*'
          replacement: ''
    HS_DESC_CONTENT:
      suppress: true" > /etc/onion-grater.d/bisq.yml
echo "Restart onion-grater service ..."
systemctl restart onion-grater.service
echo "Edit Bisq executable file ..."
sed -i 's+Exec=/opt/bisq2/bin/Bisq2+Exec=/opt/bisq2/bin/Bisq2 --torControlPort 951 --torControlCookieFile=/var/run/tor/control.authcookie --torControlUseSafeCookieAuth+' /usr/share/applications/bisq2-Bisq2.desktop
echo "Redirect user data to Tails Persistent Storage ..."
ln -s $DataDirectory /home/amnesia/.local/share/Bisq
echo "Installation complete."

Ok, I found the problem. Bisq2 doesn’t have integration to manipulate Tor services. The option --torControlPort doesn’t even exist in the source code. The kernel drops outbound packets accordingly.

So currently, Bisq2 can’t be used on Tails at all. It’s absolutely not acceptable to change the iptables configuration in Tails to enable Bisq2 to create its own connections.

Do we have to create an issue on GitHub or is there a quick fix?

I found the solution, but it’s not easy because it’s not documented. Can someone with wiki permissions make this modification please?

This pull request from December 2024 adds support for system Tor: Add support for system tor by HenrikJannsen · Pull Request #3046 · bisq-network/bisq2 · GitHub

You don’t need to execute any script to configure Bisq2 on Tails. This is the way:

  1. Enable Administrator Access on Tails
  2. Download or Copy the .deb package for Bisq2
  3. Install the package in CLI using sudo dpkg -i Bisq-2.1.7.deb
  4. Start Bisq2 for the first time, and close it immediately after GUI spawning (deny TOS)
  5. Edit the newly created file .local/share/Bisq2/tor/external_tor.config:
     # Uncomment this and set to 1
     UseExternalTor 1
     # Uncomment this too and set to 1
     CookieAuthentication 1
     # Set CookieAuthFile with this path
     CookieAuthFile /var/run/tor/control.authcookie
     # Change ControlPort to 9052 (default on Tails)
     ControlPort 127.0.0.1:9052
  6. Set permissions on the CookieAuthFile: sudo chmod a+r /var/run/tor/control.authcookie
  7. Edit the ferm firewall to allow the amnesia user to use the Tor ControlPort:
     # on Tails 6.15, line 66, set "ACCEPT" after $amnesia_uid :
     # Tor's ControlPort
       daddr 127.0.0.1 proto tcp dport 9052 {
         mod owner uid-owner $amnesia_uid ACCEPT;
         # Needed for running the Tor control port filter
         mod owner uid-owner root ACCEPT;
       }
  8. Restart the ferm firewall: sudo systemctl restart ferm
  9. Start Bisq2, it works.

This integration isn’t the most secure. First, you must turn on the administrator setting to install the package and edit many files at the system level. If Tails or Bisq developers can improve this method, that would be nice.

OnionShare can be the reference for implementation because it doesn’t need CookieAuthFile and the ferm firewall is already set up to allow communications with Tor using a custom interface.
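
An added example, not part of the original posts: a POSIX shell audit of the three manual changes described above (the external_tor.config values, the cookie's readability, and the ferm rule for port 9052), useful for confirming the state after setup or after reverting. The function names and the default ferm path `/etc/ferm/ferm.conf` are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example, not from the original posts: audit the manual Bisq2-on-Tails changes.

# Print the value of an uncommented directive in a torrc-style file.
directive_value() {  # usage: directive_value FILE NAME
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Compare external_tor.config with the values given in the post.
check_external_tor_config() {  # usage: check_external_tor_config FILE
    rc=0
    while read -r name want; do
        got=$(directive_value "$1" "$name")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $name: expected '$want', found '${got:-<unset>}'"
            rc=1
        fi
    done <<EOF
UseExternalTor 1
CookieAuthentication 1
CookieAuthFile /var/run/tor/control.authcookie
ControlPort 127.0.0.1:9052
EOF
    return $rc
}

# True when the cookie is readable by every local account (o+r).
cookie_world_readable() {  # usage: cookie_world_readable FILE
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# True when the ferm block for dport 9052 accepts the amnesia uid.
ferm_allows_amnesia_controlport() {  # usage: ferm_allows_amnesia_controlport FILE
    awk '/dport 9052/ { inblk = 1 }
         inblk && /uid-owner \$amnesia_uid ACCEPT/ { found = 1 }
         inblk && /^[ \t]*[}]/ { inblk = 0 }
         END { exit !found }' "$1"
}

# Audit the live system only when called with --audit.
# FERM_CONF defaults to ferm's usual Debian path, an assumption (not on the page).
if [ "${1:-}" = "--audit" ]; then
    check_external_tor_config "$HOME/.local/share/Bisq2/tor/external_tor.config"
    cookie_world_readable /var/run/tor/control.authcookie && echo "cookie: world-readable"
    ferm_allows_amnesia_controlport "${FERM_CONF:-/etc/ferm/ferm.conf}" \
        && echo "ferm: amnesia may reach 9052"
fi
```

Each function takes the file path as an argument, so the checks can also be run against copies of the files.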