
Ahh okay hmmm I am trying to figure out if I need this or not
Haha yeah I figured. Try to have a go at the FAQ and best advice probably is: Have a chat with other runners who are already a customer. In a nutshell: If you try to become a routing node, or you're already there but hitting a ceiling, this is for you
How does this differ from umbrels setting of hybrid mode?
Umbrel hybrid - basically just the name of hybrid done by LND / CLN - connects to the Lightning Network via your home-router directly, with your home ISP address.
Obviously this results in your home-IP, location and network announced to everyone who cares.
We're not crying wolf, but if you want to avoid this as an attack vector, this is why you want a VPN as a masquerading option
Tailscale is for you accessing your node in a private tunnel, and your node responding back through that tunnel.
Tunnelsats is for the Lightning Network accessing your node in a private tunnel, and responding back both via the TS-Tunnel (and Tor = hybrid)
Makes sense?
Yes see the link, Umbrel and Raspiblitz / Bolt and Baremetal work fine
We haven't found a way to get this implemented with start9.
As we have to get onto the network layer, to mark outgoing lightning packets and send them through the tunnel, the way how start9 secured their structure makes it quite brittle.
We haven't given up, but it's currently not possible, sorry.
lncli listpeers | jq '.peers[] | select(.pub_key=="<peer_pubkey>") | .features'
This one parses my complete existing channel partners. Is it really so rarely used, that out of 140 channels, 0 support STC?
lncli listpeers | jq '.peers[] | select(.features."24".is_known and .features."26".is_known) | {pub_key, features}'
One thing to add about a script I find particularly useful to dig into when trying to answer the most pressing question a node-runner has:
How much should I charge for my new channel to X?
The script fee_adjuster.py can be run with --debug, resulting in no write changes, but just giving a terminal output on
- fetching amboss fee data for the channel you added into feeConfig.json
- following a waterfall fee-chart on what the proposed fee-setting would be, if we accept that the market currently charges that channel correctly
This is just an excerpt of what the script can do, eg fee-bands, group discounts, stuck adjustments etc. To see that in practice, below is the terminal output for my channel to Kraken 🐙⚡
.venv/bin/python ~/tools/Lightning-Python-Tools/Other/fee_adjuster.py --debug
--------------------------------------------------------------------------------
--- Stuck Check Debug for Peer 02f1a8c876... ---
Configured stuck_time_period: 3 days
Configured min_local_balance_for_stuck_discount: 25.0%
API Check Window: 12 days
Last outbound forward timestamp found: 2025-06-12 03:26:38
Calculated days since last forward: 3
Aggregate Outbound Ratio for Peer: 63.1%
Calculated stuck bands down (after checks): 1
Final Peer Status determination for stuck logic: Active (Recent Outbound Forward)
--- End Stuck Check Debug ---
--------------------------------------------------------------------------------
Alias: Kraken 🐙⚡
Pubkey: 02f1a8c87607f415c8f22c00593002775941dea48869ce23096af27b0cfdcc0b69
Channel ID: 837308890980417537
Capacity: 10,000,000
Local Balance: 6,311,206 | (Outbound: 63.1%)
Old Fee Rate (LNDg): 786
--- Fee Calculation Waterfall ---
Start Fee (Amboss WEIGHTED_CORRECTED): 1,503.4 ppm
+/- Base Adj (+0.0%): 1,503.4 ppm
+/- Group Adj (-5.0%): 1,428.3 ppm
+/- Trend Adj (+0.0%): 1,428.3 ppm
* Fee Band Adj (-45.0%): 785.5 ppm
Max Cap (3500 ppm): Not Applied
Calculated Rate (Rounded): 786 ppm
---------------------------------
--- Context & Settings ---
Group: Low Discount | Stuck ✅ | Weighted-Corrected
Fee Base Used: weighted_corrected
Trend Factor Used: 0.00 (Sensitivity: 0.60)
Fee Bands: Enabled
- Discount: -45.0%, Premium: 20.0%
- Initial Band (Liquidity 63.1%): High Discount (60-80%)
- Stuck Adjustment Applied: -1 bands
- Final Band Used for Calc: Max Discount (80-100%)
- Resulting Adjustment: -45.0%
Stuck Adjustment: Enabled
- Period: 3 days
- Min Local Balance for Discount: 25.0%
- Days Stuck: 3 days
- Peer Status: Active (Recent Outbound Forward)
- Adjustment Applied: 1 bands down
--- Inbound Auto Fee Adjustment ---
Inbound Auto Fee Global Setting: Disabled
--- Amboss Peer Fee Data (Remote Perspective) ---
+-----------+---------+--------+--------+----------+-------------+
| Time | Max | Mean | Median | Weighted | W.Corrected |
+-----------+---------+--------+--------+----------+-------------+
| TODAY | 5000000 | 6475.7 | 500 | 4066.3 | 1503.4 |
| ONE_DAY | 5000000 | 6479.9 | 500 | 4061.5 | 1498.3 |
| ONE_WEEK | 5000000 | 6527.8 | 500 | 3990.7 | 1409.4 |
| ONE_MONTH | 1500000 | 3450.8 | 500 | 3557.8 | 1650.2 |
+-----------+---------+--------+--------+----------+-------------+
Well, hard to say. I would say certainly more laid back into hammock maintenance possible, but some runners might take the extra mile to make the extra buck. It probably depends on
- your motivation + time-available
- your curiosity and desire for tinkering
If both of the above are not a personal preference, today's tools like Autofees and Auto-Rebalancer in LNDg offer a hands-off "hammock" approach.
Certainly less fire-drilling compared to 2-4 years ago.
Totally concur on your love for LNDg. I'm a big fan and also contributing to their code wherever I feel I can add value.
Yeah, oral would help, but imo not enough. We need to also stress-test what we're actually trying them to prove: Cognitive abilities, adapting to change, thinking on their heels, creative thinking, abstracting is the way to go.
Memorizing, summarizing, visualising stuff? Phew, I dunno.
Keeps reminding me of two things:
- The cab driver test in London was the hardest test. They throw two street names at you, you had to explain, street by street, turn by turn, how to get from A to B. Guess how many use that knowledge today?
- One internet meme I remember: I'd love to have a version of the olympics, where every athlete could go full bonkers on steroids and drugs. Let's see how high humans can really jump
Umbrel hybrid setting is just exposing your home IP + Tor.
It's better than Tor only for the aforementioned reasons, but be aware it's allowing approximate geolocation, and you better be on top or beef up your home network security.
+1 @DarthCoin for calling what it is.
And here are some very good step-by-step guides about how to run a LN node behind a VPS tunnel, @Hakuna wrote these excellent guides:
https://github.com/TrezorHannes/Dual-LND-Wireguard-VPS
https://github.com/TrezorHannes/Dual-LND-Hybrid-VPS
For what it's worth, those guides run not only on a $6/month VPS as I've outlined in the guides, but I heard (not verified) that it even runs on the freebie tier Oracle and MSFT Cloud offers. It doesn't consume any of the expensive infra stuff: CPU / storage / memory, it's mostly commoditized traffic.
But yes, you probably need to KYC, or at least give some credit card input. However, if you shy away from costs, $0 and you'll have public obfuscation of your IP, reliability and speed - the key pillars of the Lightning Node Runner. 🏃
I think you're encountering a huge systemic earthcrack in the education system, which starts to build up and challenge every single cognitive test hoop we've established over the past centuries. And you're not going to be able to plaster that crack on your own with what used to work before.
I'm talking about this with some of my friends for a while, and this story is a phenomenal canary:
TLDR; a talented engineering student from Columbia University exposes the Mag7 Tech Interviewing process with an almost perfected AI interviewing ammunition belt. He secures all the job offerings, but instead of taking those, exposing that way of interviewing in the new world doesn't work anymore.
How do you mitigate this? Flying every interviewee in for face2face offline interviews? How is that proving they are up to the world of engineering in 5 years, 3 years even? How do you mitigate smart glasses, who'll boost every applicant to have a helper PhD in their pocket / ear / on their nose?
Possibly the better, but more challenging way: Question the way you weed out great talent, support the ones who struggle adopting the new ways, because in reality, this wave cannot be stopped anymore.
I know you're not going to revolutionise the education system on your own. But my current hypothesis is, what got us here isn't going to get us there. We all have to think more expansive how we're going to show empathy, support and provide value in this totally new predicament of AI.
Final thoughts: Is it fair to put them into oral assessment? Probably, yes. As a one off. Perhaps with a ceiling and a floor for the grades.
How about doing a repetition, and everyone (who can, ) can use an AI Pocket helper. And perhaps this will create some interesting results. At least it'll stir up an interesting discussion in the classroom, how they all think about this?
I'm not suggesting the cryptography is broken, but having an ongoing SSH root tunnel exposes unnecessary attack vectors. Terrapin was just the recent one, and I'm in favor to not have my ssh in the open at all.
Yes you can FW restrict the access to specific ip ranges, but then you're back into the configuration and security overhead you intended to avoid in the first place.
Read my summary, I think it's a valid option, but I wouldn't want this for my production routing node running for 4 years 24/7
I use Tor just in case my country bans bitcoin. It would be cool to use a public IP, I'll probably just rent a VPS and use it as a proxy. What are your thoughts on TunnelSats?
AMA
or alternatively, check our FAQ
ssh -N -R 8080:localhost:8080 root@vps
Valid points, however everyone needs to make their own choice of convenience vs speed & security. As I'm putting my own sats on the line, I err on latter.
Summary
For maximum security and speed: As said wg would be my recommended choice, and we have it in productions with many VPNs and clients across the globe. And following that guide isn't that much PITA, but actually a great linux learning experience. I'd say this is a good asset if you're into running a node in any case.
For simplicity and quick setup: SSH tunneling can be a decent option, especially for temporary or less sensitive use cases.
In case your channel closes are still pending, you may want to check out my guide at The Guide where your Lightning close-transaction can't get the channel closed
Let me know where you get stuck and I can help out further

What's wrong with it? Generally I have heard great things. It's just incredibly hard to get in between the portman containers, cause they take security super serious