Instructions to enable the LND watchtower over TOR

lnd-watchtower-over-tor.md

Create a TOR hidden service

In configuration file /etc/tor/torrc add:

HiddenServiceDir /var/lib/tor/hidden_service/lnd_watchtower
HiddenServiceVersion 3
HiddenServicePort 9911 127.0.0.1:9911

Now reload the TOR daemon with systemctl reload tor. Inspect the hostname TOR has assigned to your secret service with:

$ cat /var/lib/tor/hidden_service/lnd_watchtower/hostname
somerandomstring.onion

Enabling the watchtower feature

source: https://github.com/lightningnetwork/lnd/blob/master/docs/watchtower.md

Add the following configuration to your lnd.conf, replacing the <variables>:

[watchtower]
watchtower.active=true
watchtower.listen=127.0.0.1:9911
watchtower.externalip=<yourTORhostnamehere>.onion
watchtower.towerdir=/home/<LNDUSER>/.lnd/watchtower
watchtower.readtimeout=15s
watchtower.writetimeout=15s

Note: Use 127.0.0.1 here to prevent LND from accepting connections from outside the machine itself

Now restart LND. You should be able to retrieve the information about the running watchtower like this:

$ lncli tower info
{
    "pubkey": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "listeners": [
        "[::]:9911"
    ],
    "uris": [
        "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx@yourTORhostnamehere.onion:9911"
    ]
}

People will be able to use your watchtower like this:

lncli wtclient add xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx@yourTORhostnamehere.onion:9911

lncli doesn't have a tower command?

All precompiled binary already contains the watchtowerrpc subserver, but if you have compiled lnd yourself you might need to recompile lnd while adding watchtowerrpc:

$ make install tags="..... watchtowerrpc"