Publicly exposing lnd's gRPC port from within Umbrel?
242 sats \ 15 comments \ @zeRealSchlausKwab 17 Jul 2022 bitcoin freebie
I hope this is the appropriate place to ask this.
I’m building a web app that is using an lnd instance to facilitate payments via the lightning network. When I run my node app on my laptop that is connected to the same network as my rpi4 running Umbrel i am able to access my node via umbrel.local:10009. However, since my web app is deployed in the cloud I need to access my node from outside via <my-public-ip>:10009. In other words I need to publicly expose my lnd’s gPRC port.
im using alexbosworth's ln-service
The problem is i am unable to reach my node…
  • my router does forward :10009 to my rpi4’s static ip
  • telnet <my-public-ip>:10009 DOES yield a response
  • my deployments domain IS listed as an entry the tlsextradomain
  • rpclisten IS configured as 0.0.0.0
  • externalip IS set to <my-public-ip>
  • im starting to suspect that this issue has to do with dockers default network and it is not letting any traffic outside the default network reach any container.
i provided a little sketch to make it really clear:
https://i.ibb.co/SVdqR0t/Untitled-11.png
write
preview
related posts
132 sats \ 1 reply \ @lrz 17 Jul 2022
Have you considered using Wireguard?
reply
0 sats \ 0 replies \ @zeRealSchlausKwab OP 18 Jul 2022 freebie
How would a VPN help me in this case? Can you point me to a guide?
Keep in mind that i don't have any ssh access in my deployment. Its heavily preconfigured and simply runs any Nextjs app that you point it to.
400 sats \ 9 replies \ @rheedi0 17 Jul 2022
A few things worth trying come to mind:
  • Whenever you update items like tlsextradomain in the lnd.conf file, you need to regenerate the tls.cert so it has the latest values included. Restarting LND should do the trick (I believe there also might be an LND command for this)
  • You might additionally need to publish the full host and domain in Docker along the lines of -p <external-ip>:10009:10009 to expose it externally
  • Have you tried using the onion address instead? That should be reachable from anywhere.
Hope this helps. Docker networking is never fun, I've been there. Good luck!
reply
300 sats \ 8 replies \ @lada 17 Jul 2022
Whenever you update items like tlsextradomain in the lnd.conf file, you need to regenerate the tls.cert so it has the latest values included
I think this is the answer. Just restarting won't do the trick though. You need to delete the original tls.cert file before starting it back up again.
I suspect that the networking bit is not the problem. OP mentioned that they can telnet port 10009 from external networks. That means the port is successfully forwarded, it's the app that's not working.
reply
110 sats \ 7 replies \ @zeRealSchlausKwab OP 18 Jul 2022 freebie
I think this is the answer.
unfortunately, this is not the answer. every time i made changes i deleted both tls files and restarted lnd. my tls certs are always up to date.
OP mentioned that they can telnet port 10009 from external networks.
on that note: while i do get a response when i telnet <public-ip>:10009 can i assume that this is actually reaching my lnd? Is A response the RIGHT response or is there a RIGHT response apart from A response or NO response?
reply
300 sats \ 6 replies \ @lada 18 Jul 2022
A telnet response is always better than a timeout. That means something is responding. But since you say you already did delete the tls.cert beforehand, I'm wondering what else can be wrong.
If you decode the contents of the tls.cert file using https://www.sslchecker.com/certdecoder for instance, do you see all your IPs and domains?
Another way to check if you can connect is, use Zap Wallet to connect to your node. Zap uses the gRPC interface to connect. It might even give you useful error messages if initially you run into trouble connecting.
reply
200 sats \ 5 replies \ @zeRealSchlausKwab OP 18 Jul 2022 freebie
no i do not see any of my IPs or domains that is provided, interesting.
however i know that the cert was just regenerated because the issuance date got updated (the last one was yesterday). are the entries form tlsextraip and tlsextradomain supposed to be listed in the decoded dataset somewhere?
https://i.ibb.co/XCGcsZ3/Screenshot-2022-07-18-at-10-41-58.png
reply
200 sats \ 4 replies \ @lada 18 Jul 2022
Yes your extra IPs and domains you provided in tlsextraip and tlsextradomain config entries should appear in the 'SAN' subject in the certificate. If they are not there, your app will not be able to perform the necessary SSL handshake.
You need to investigate why they are not getting picked up by lnd.
I don't use Umbrel so I do not know if they have hidden config files somewhere that overrides your manual lnd.conf entires. Maybe you can check with them Umbrel folks.
reply
320 sats \ 3 replies \ @zeRealSchlausKwab OP 18 Jul 2022 freebie
dude, thank you. you helped a lot. i've asked a question on umbrel about this because it actually looks like they ignore the lnd.conf entries when generating the cert. waiting for the reply...
btw. i ended up using voltage.cloud and it works like a charm!
reply
200 sats \ 1 reply \ @lada 19 Jul 2022
I did some digging, it looks like it is a known issue with Umbrel after upgrade 0.5.0.
view replies
0 sats \ 0 replies \ @lada 18 Jul 2022
Glad to hear it!
reply on another page
120 sats \ 0 replies \ @versieboer 17 Jul 2022 freebie
I think this is a great place to ask this. Unfortunately I don't know the answer, but I think someone here surely would and can help.
reply
100 sats \ 1 reply \ @john 17 Jul 2022
Have you tried accessing the REST API on default port 8080? As far as I know that forwards all requests to gRPC.
That's how I've setup Zaprite for users to access their own nodes.
  • Umbrel uses default port 8080
  • MyNode uses port 10080 (both require https)
It works for Tor and also on clearnet (ex. Voltage) nodes using LND.
But ultimately it could be a docker issue blocking incoming traffic over certain ports.
reply
0 sats \ 0 replies \ @zeRealSchlausKwab OP 18 Jul 2022 freebie
the library i'm using wants a gRPC socket. however, i did try this for fun to no avail...