I hope this is the appropriate place to ask this.
I’m building a web app that is using an lnd instance to facilitate payments via the lightning network. When I run my node app on my laptop that is connected to the same network as my rpi4 running Umbrel i am able to access my node via umbrel.local:10009. However, since my web app is deployed in the cloud I need to access my node from outside via <my-public-ip>:10009. In other words I need to publicly expose my lnd’s gPRC port.
im using alexbosworth's ln-service
The problem is i am unable to reach my node…
  • my router does forward :10009 to my rpi4’s static ip
  • telnet <my-public-ip>:10009 DOES yield a response
  • my deployments domain IS listed as an entry the tlsextradomain
  • rpclisten IS configured as 0.0.0.0
  • externalip IS set to <my-public-ip>
  • im starting to suspect that this issue has to do with dockers default network and it is not letting any traffic outside the default network reach any container.
i provided a little sketch to make it really clear:
132 sats \ 1 reply \ @lrz 17 Jul 2022
Have you considered using Wireguard?
reply
How would a VPN help me in this case? Can you point me to a guide?
Keep in mind that i don't have any ssh access in my deployment. Its heavily preconfigured and simply runs any Nextjs app that you point it to.
A few things worth trying come to mind:
  • Whenever you update items like tlsextradomain in the lnd.conf file, you need to regenerate the tls.cert so it has the latest values included. Restarting LND should do the trick (I believe there also might be an LND command for this)
  • You might additionally need to publish the full host and domain in Docker along the lines of -p <external-ip>:10009:10009 to expose it externally
  • Have you tried using the onion address instead? That should be reachable from anywhere.
Hope this helps. Docker networking is never fun, I've been there. Good luck!
reply
Whenever you update items like tlsextradomain in the lnd.conf file, you need to regenerate the tls.cert so it has the latest values included
I think this is the answer. Just restarting won't do the trick though. You need to delete the original tls.cert file before starting it back up again.
I suspect that the networking bit is not the problem. OP mentioned that they can telnet port 10009 from external networks. That means the port is successfully forwarded, it's the app that's not working.
reply
I think this is the answer.
unfortunately, this is not the answer. every time i made changes i deleted both tls files and restarted lnd. my tls certs are always up to date.
OP mentioned that they can telnet port 10009 from external networks.
on that note: while i do get a response when i telnet <public-ip>:10009 can i assume that this is actually reaching my lnd? Is A response the RIGHT response or is there a RIGHT response apart from A response or NO response?
reply
A telnet response is always better than a timeout. That means something is responding. But since you say you already did delete the tls.cert beforehand, I'm wondering what else can be wrong.
If you decode the contents of the tls.cert file using https://www.sslchecker.com/certdecoder for instance, do you see all your IPs and domains?
Another way to check if you can connect is, use Zap Wallet to connect to your node. Zap uses the gRPC interface to connect. It might even give you useful error messages if initially you run into trouble connecting.
reply
no i do not see any of my IPs or domains that is provided, interesting.
however i know that the cert was just regenerated because the issuance date got updated (the last one was yesterday). are the entries form tlsextraip and tlsextradomain supposed to be listed in the decoded dataset somewhere?
reply
Yes your extra IPs and domains you provided in tlsextraip and tlsextradomain config entries should appear in the 'SAN' subject in the certificate. If they are not there, your app will not be able to perform the necessary SSL handshake.
You need to investigate why they are not getting picked up by lnd.
I don't use Umbrel so I do not know if they have hidden config files somewhere that overrides your manual lnd.conf entires. Maybe you can check with them Umbrel folks.
reply
dude, thank you. you helped a lot. i've asked a question on umbrel about this because it actually looks like they ignore the lnd.conf entries when generating the cert. waiting for the reply...
btw. i ended up using voltage.cloud and it works like a charm!
reply
I did some digging, it looks like it is a known issue with Umbrel after upgrade 0.5.0.
I think this is a great place to ask this. Unfortunately I don't know the answer, but I think someone here surely would and can help.
reply
Have you tried accessing the REST API on default port 8080? As far as I know that forwards all requests to gRPC.
That's how I've setup Zaprite for users to access their own nodes.
  • Umbrel uses default port 8080
  • MyNode uses port 10080 (both require https)
It works for Tor and also on clearnet (ex. Voltage) nodes using LND.
But ultimately it could be a docker issue blocking incoming traffic over certain ports.
reply
the library i'm using wants a gRPC socket. however, i did try this for fun to no avail...