How To Mine Wownero With Xmrig Proxy

Started by jrswab, Jul 06, 2021, 04:56 PM

Previous topic - Next topic


It sounds like xmrig-proxy does not hash on its own. Can the xmrig-proxy machine also be running xmrig to mine, or is the xmrig-proxy machine only able to function as proxy without mining?


Yes, you can run xmrig on the same machine as xmrig-proxy. Just configure it as usual.


Quote from: "orklemerkle, post:45, topic:672"This does imply that the connection between the proxy and the miner should be secured–if an eavesdropper has been listening to those transaction keys, and the miner has solved a block, the eavesdropper too can spend the reward.

Hey @orklemerkle, As I'm new to Linux & Ubuntu, how do I check if the connections between my miners and XMrig-proxy is secure?
If they are not secure, what do I need to do to make them secure connections?  
Thanks in advance.


I should first clarify that, in this context, by "secure" I mean

  • 1) no one else can eavesdrop on the connection between the proxy and miner, _and_
  • 2) no one else can in any way change/modify the same, including by dropping or forging network messages (packets).

In infosec lingo these are called _confidentiality_ and _integrity_, respectively. Breaking property (1) means someone else can spend the block reward (if found); breaking (2) is less severe but means someone else can make your miners work for them instead.

To put it simply, in most cases, your connection is secure by default if you can trust all devices on the network(s) over which you make your connection. "Trust" here means you trust them not to run away with your WOW and/or hashrate, and that an attacker can't take advantage of them (i.e. hack them) to do the same.

Local loopback (`localhost` and ``) is secure if you trust the machine administrator, LANs are secure if you trust everything plugged into them, Wi-Fi is secure if you trust everything with access (use a good password!), routed networks are probably not secure unless you trust the entire network or you've comprehensively firewalled off the untrusted parts, and the Internet is definitely not secure.


If you have to make a connection over an insecure network, `xmrig-proxy` makes this very easy with built-in support]( for [Transport Layer Security (TLS)]( This is the same security protocol used in [HTTPS.

By default, you don't have to change anything on the proxy. On the miner, it's just a config change.

1. Under the relevant entry in `pools`, change `"tls": false` to `"tls": true`. At this point there is still no security against an active attacker impersonating the proxy, because unlike in HTTPS there's no certificate authority that vouches for the proxy's identity.

2. Get the proxy's key fingerprint. Run `xmrig` with that config over a secure network, for example via localhost on the proxy machine itself, until it shows the proxy's fingerprint:

   [2021-08-24]  net      use pool localhost:xxxx TLSv1.3
   [2021-08-24]  net      fingerprint (SHA-256): "3515acddb73760de3c072d5b3a86101c1d8db49b338a38e6b43347936ed71a85"

   Here I've temporarily changed the config to point to `localhost`. You can stop `xmrig` after that.

   Alternatively, instead of running `xmrig`, run the following *fun* one-liner on the proxy machine (works on Linux and Mac!):

   openssl x509 -in cert.pem -noout -sha256 -fingerprint | cut -d= -f2 | tr -d ':' | tr A-F a-f

3. Copy the 64-character fingerprint, add quote marks, and paste it in place of `null` for `tls-fingerprint`, so that you have something like this:

   "tls": true,
   "tls-fingerprint": "3515acddb73760de3c072d5b3a86101c1d8db49b338a38e6b43347936ed71a85",

4. Save that config and apply it on your miners. Now your connection is secure even over insecure networks. Eavesdropping will only yield encrypted data. An impersonation attack will cause the fingerprint to no longer match, making `xmrig` refuse to connect.

The security now depends on the key file, by default `cert_key.pem`. Make sure that no one else learns its contents. It may help to secure it with file permissions--on Linux, `chmod 600 cert_key.pem`. (Note that this can't save you if someone gets `root` or the user account gets trojaned.)

If someone does get a hold of it (or if you're paranoid enough to think that it's already happened), you can generate new keys by deleting `cert.pem` and `cert_key.pem`, and then restarting `xmrig-proxy`. Modify miner configs again to match the new fingerprint.

Unless noted, all of this is generally applicable and not specific to Linux.


In case you're wondering how impersonating the proxy can break confidentiality, consider the following:

`Real proxy -- [TLS authenticated by proxy's key] -- Impersonator -- [TLS authenticated by the attacker's key] -- Miner`

The impersonator decrypts the data coming from one end, and re-encrypts it for sending to the other end. If the miner doesn't check that it's really the proxy it's talking to (by comparing key fingerprints), the impersonator can have access to the decrypted data and can do anything they want with it before passing it along (or not). This is called a _man-in-the-middle attack_ (MITM).


Hello everyone, thanks for all the comments, are very useful to configure the proxy and the miners, respect to the proxy that is better to use in nicehash or simple mode? Thanks, greetings.


@orklemerkle Have you successfully mined blocks while providing the secret spend key ONLY to xmrig-proxy? Can anyone else confirm that this works? I'd like to switch to that method if possible. Should we change the top post to reflect this option? Seems good to know. Many thanks.


Quote from: "purplewow, post:51, topic:672"Have you successfully mined blocks while providing the secret spend key ONLY to xmrig-proxy?


Quote from: "purplewow, post:51, topic:672"Should we change the top post to reflect this option?

Sounds good to me. @jrswab, what do you think?


It works :slight_smile:

XMRig proxy then uses that secret spend key to create new ones for each miner/job.


Quote from: "orklemerkle, post:52, topic:672"Sounds good to me. @jrswab, what do you think?

Yeah, I can updated this post. Let me read back a bit to make sure I get the details right.


I am mining in windows. It shows new jobs and my hashrate, but it never shows any shares being submitted. Is this normal since i see on your info it shows 0 shares until you actually found a block? I still can't seem to set my individual difficulty, even after reading everything here. I swear once I know how to do all of this correctly I can do a very easy tutorial that actually includes all info and bat files. Information here is missing certain things that makes the difference whether the miner runs or not. I just want to make sure I am actually finding shares and not wasting my pc power for nothing.


you wont send any shares, only when you find a block. Shares are for pools, not solomining.


Thank you very much for your response. Just wanted to make sure I was actually mining properly.


It looks like you're mining directly to the daemon from `xmrig`, without an intervening `xmrig-proxy`. That's perfectly fine for solo mining, and because you're mining directly to the blockchain, the definition of a "share" is a found block.

The custom difficulty stuff is for when you have `xmrig-proxy` to pool together multiple mining computers behind one `wownerod`.


Quote from: "orklemerkle, post:58, topic:672"The custom difficulty stuff is for when you have `xmrig-proxy` to pool together multiple mining computers behind one `wownerod`.

Hi @orklemerkle , it would be nice if you could dive a little deeper on the above (perhaps a separate forum post) outlining how to best configure this value for optimum mining performance.

There may be some of us newbies to mining with only 3 x PCs and others (more intermediate) mining on 5-10 PCs. I presume the XMrig Proxy setting for "custom difficulty" value will need to change based on the number of PCs mining.

I am not sure how to set this value, hence why (and perhaps others) I would appreciate some guidance on this.  Thanks in advance.


I am running more than a few pcs, but when i tried to set up the XMrig miners on the other pcs using the IPv4 address from the PC that was running the wownero node, but it would not work to mine on the other PCs, So that is why I had to run the node on each PC to be able to mine more than one PC. I have no idea what I am doing wrong, since I used the video on how to set up mining multiple pcs, but only the works. I must be doing something wrong, but all the research I have done has not helped so far.