Comment on page

Paranoid mode (Witnet over proxies and Tor)

How to make your Witnet node resolve data requests over multiple network proxies to protect itself from potential reputation loss and slashing.
Witnet-Rust now supports an opt-in functionality called paranoid mode. This mode protects nodes from being targeted by ill-intended data requests that may harm their reputation score and steal part of their collateralized Wit coins.
When a node is in paranoid mode, in addition of performing data retrieval through its regular network interface, it will also perform the retrieval over one or more network proxies. Only if the result is consistent across all the proxies, it will proceed to submit a commitment as a response to the request.
Several proxy protocols are supported. This includes Tor, which is probably the most reliable and easy-to-setup proxying solution.
For the extremely privacy-conscious, the paranoid mode allows also to disable the regular network interface, so that data retrieval can never leak their clearnet IP address.

Supported proxy protocols

The currently supported proxy protocols are:
Supports authentication
URL example
tor (over socks5)
Authentication support may be added in a future release of witnet-rust if there is demand for it.


Paranoid mode is configured through the witnet.toml configuration file of your node. By default, this file can be found in the following location in your file system:
GNU/Linux and MacOS
The settings that are relevant to the paranoid mode can be found in the [witnessing] section of the witnet.toml file:
proxies = []
paranoid_percentage = 51
allow_unproxied = true
If the [witnessing] section does not exist in your configuration file, you can simply create it by copying and pasting these lines at the end of witnet.toml.


The proxies setting expects a list of addresses to be used as proxies when performing data retrieval. These need to include full scheme, URL and port (you have some examples in the Supported proxy protocols table above).
proxies = [
If this setting is not found in the configuration file, paranoid mode is disabled.


The paranoid_percentage setting adjusts how strict or lenient to be with inconsistent data sources. Paranoid level is defined as the percentage of successful retrievals over total number of retrieval transports. That is, if we have 3 proxies in addition to the default unproxied transport (4), and we set the paranoid percentage to 51 (51%), the node will only commit to requests in which "half plus one" of the data sources are in consensus (3 out of 4).
proxies = [
// add proxy addresses here
paranoid_percentage = 66
If this setting is not found in the configuration file, the default percentage value is 51%.


The allow_unproxied setting enables or disables the default unproxied HTTP transport so as to protect the clearnet IP address of a witnessing node. This feature can only be active if the address of at least one retrieval proxy is provided.
This extreme form of the paranoid mode is enabled by setting allow_unproxied to false.
proxies = [
// add proxy addresses here
allow_unproxied = false
If this setting is not found in the configuration file, it defaults to true, i.e. unproxied witnessing is allowed as usual.

Recommendations and best practices

Public proxy servers (at your own risk!)

There are plenty of publicly accessible HTTP, HTTPS, SOCKS4 and SOCKS5 proxy servers that anyone can use for free. Their addresses are regularly collected and listed on websites like these:
While there are thousands of different proxy addresses you can choose from, finding a good one is a bit hit or miss—it often takes a lot of trial and error. Public proxies also tend to be very slow and can go down unadvertedly at any time. In general terms, they are not reliable enough for the witnessing activity of a Witnet node. Other options such as premium SOCKS5 proxy services and Tor are much preferable.
Some VPN providers offer premium SOCKS5 proxy services that perform much better than those that you can use for free. These are some good options:
The only downside to premium proxy services is that, unless you are already using one of those for your regular browing, you will have to pay a subscription. Moreover, if you want to use several of these for optimum results, the cost may be significant. If you just want to add one proxy and prefer not to pay any subscription services, the Tor proxy explained below could be the best option for you.
By default, every Tor client normally exposes a SOCKS5 interface that can be used to tunnel network traffic through the Tor network.
If you are running your Witnet node using Docker, setting up another Docker container that will run a Tor proxy on the same machine can be as simple as it gets:
GNU/Linux and MacOS
docker run -d \
--name tor-socks-proxy \
--publish 9150:9150 \
--restart always \
docker run -d --name tor-socks-proxy --publish 9150:9150 --restart always peterdavehello/tor-socks-proxy
For non-containerized setups, here is a detailed guide on how to run a Tor Socks5 proxy on a Debian or Ubuntu server.