diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix
index 401ad3d..4997024 100644
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@@ -15,6 +15,14 @@ let
         default = 8333;
         description = "Port to listen for peer connections.";
       };
+      onionPort = mkOption {
+        type = types.nullOr types.port;
+        default = null;
+        description = ''
+          Port to listen for Tor peer connections.
+          If set, inbound connections to this port are tagged as onion peers.
+        '';
+      };
       getPublicAddressCmd = mkOption {
         type = types.str;
         default = "";
@@ -263,8 +271,10 @@ let
     ${optionalString (cfg.assumevalid != null) "assumevalid=${cfg.assumevalid}"}
 
     # Connection options
-    ${optionalString cfg.listen "bind=${cfg.address}"}
-    port=${toString cfg.port}
+    ${optionalString cfg.listen
+      "bind=${cfg.address}:${toString cfg.port}"}
+    ${optionalString (cfg.listen && cfg.onionPort != null)
+      "bind=${cfg.address}:${toString cfg.onionPort}=onion"}
     ${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"}
     ${optionalString (cfg.i2p != false) "i2psam=${nbLib.addressWithPort i2pSAM.address i2pSAM.port}"}
     ${optionalString (cfg.i2p == "only-outgoing") "i2pacceptincoming=0"}
diff --git a/modules/btcpayserver.nix b/modules/btcpayserver.nix
index cc959aa..4a95900 100644
--- a/modules/btcpayserver.nix
+++ b/modules/btcpayserver.nix
@@ -119,7 +119,7 @@ in {
       # Enable p2p connections
       listen = true;
       extraConfig = ''
-        whitelist=${nbLib.address cfg.nbxplorer.address}
+        whitelist=download@${nbLib.address cfg.nbxplorer.address}
       '';
     };
     services.clightning.enable = mkIf (cfg.btcpayserver.lightningBackend == "clightning") true;
@@ -128,9 +128,6 @@ in {
       enable = true;
       # Enable p2p connections
       listen = true;
-      extraConfig = ''
-        whitelist=${nbLib.address cfg.nbxplorer.address}
-      '';
     };
 
     services.lnd.macaroons.btcpayserver = mkIf (cfg.btcpayserver.lightningBackend == "lnd") {
diff --git a/modules/onion-services.nix b/modules/onion-services.nix
index 490f136..8fa3549 100644
--- a/modules/onion-services.nix
+++ b/modules/onion-services.nix
@@ -18,7 +18,7 @@ let
             default = config.public;
             description = ''
               Create an onion service for the given service.
-              The service must define options 'address' and 'port'.
+              The service must define options 'address' and 'onionPort' (or `port`).
             '';
           };
           public = mkOption {
@@ -64,7 +64,7 @@ in {
             inherit (cfg.${name}) externalPort;
           in nbLib.mkOnionService {
             port = if externalPort != null then externalPort else service.port;
-            target.port = service.port;
+            target.port = service.onionPort or service.port;
             target.addr = nbLib.address service.address;
           }
         );
@@ -118,6 +118,10 @@ in {
           externalPort = 80;
         };
       };
+
+      # When the bitcoind onion service is enabled, add an onion-tagged socket
+      # to distinguish local connections from Tor connections
+      services.bitcoind.onionPort = mkIf (cfg.bitcoind.enable or false) 8334;
     }
   ];
 }