
Setting up a hybrid lightning node, even behind CGNAT:

1. Motivation

To run a lightning node in a completely sovereign way, we must host it on hardware under our control. For other peers to reach our node we must announce on the gossip network how to find it, but many of our local networks sit behind a carrier-grade NAT (CGNAT), where the router has no public IP, and that makes it a bit difficult. In this post I will explain how to expose our node through an SSH tunnel to a VPS, even behind CGNAT. I won't explain how to create a Tor hidden service because I think it is trivial; if you are running a node, you almost surely have one already.

2. Prerequisites:

1- A running lightning node
2- A VPS with a public IP: lunanode is easy to use, and you can pay with lightning

3. Exposing the node

Connect to your VPS by SSH and edit /etc/ssh/sshd_config:
sudo vim /etc/ssh/sshd_config
Ensure that it contains:
AllowTcpForwarding yes
GatewayPorts clientspecified
(GatewayPorts clientspecified lets the SSH client choose the bind address of a remote forward; without it sshd ignores the 0.0.0.0 below and binds the port to loopback only, so the tunnel looks up but nobody can reach it. Remember that sshd must be restarted for the change to take effect, e.g. sudo systemctl restart ssh on Debian/Ubuntu.)
Make sure that the port you want to expose is reachable from the internet. In my case it is the default port 9735; replace 9735 with your custom port if you use one:
sudo ufw allow 9735
sudo ufw reload
Now let's move to our local machine, where the node is running. Assuming your node listens on localhost:9735 (the default), let's test the setup. Remember to change the ports if you use others, and paste your VPS user and public IP address in place of the placeholders:
ssh -nNTv -R 0.0.0.0:9735:localhost:9735 YOUR_VPS_USER@YOUR_VPS_IP_ADDRESS
Now change the config of your node to advertise the new address. If you use CLN, edit the config file and set announce-addr=YOUR_VPS_IP_ADDRESS:9735 (or your port). If you use another lightning implementation, its config file has an equivalent option to announce an address. Everything should now work: from another node (a friend's, for example) try to connect to your node by the new ip:port address and, of course, its pubkey.

4. Finishing

You can close that test tunnel now (Ctrl-C) and make it more robust. First we need to install autossh:
sudo apt-get update && sudo apt-get install autossh
Create a systemd service:
sudo vim /etc/systemd/system/autossh-lightning.service
and put the service description there, replacing the placeholders with your own data (USERLOCAL is the local user that runs the tunnel and owns the SSH key the VPS accepts; that user must already have the VPS host key in known_hosts from the manual test above):
[Unit]
Description=port forwarding through autossh
After=network.target
[Service]
User=USERLOCAL
# ExitOnForwardFailure makes ssh exit (and autossh reconnect) instead of staying up without the forward
ExecStart=/usr/bin/autossh -M 0 -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -i /home/USERLOCAL/.ssh/id_rsa -nNTv -R 0.0.0.0:9735:localhost:9735 YOUR_VPS_USER@YOUR_VPS_IP_ADDRESS
# Restart if autossh itself gives up, e.g. when ssh fails right after boot before the network is up
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target
Then run (enable so the tunnel also comes up after a reboot):
sudo systemctl daemon-reload
sudo systemctl enable --now autossh-lightning
sudo systemctl status autossh-lightning
If the status is active, we are all set.
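Two things bite in practice with this setup: sshd_config keeps the first value it reads for a keyword, so a GatewayPorts line appended at the end of the file loses to an earlier one, and the key the node uses to log in to the VPS should not be allowed to do anything except open that one listener. The following POSIX shell script is an added example, not code from the post: it reports the values sshd will actually use, checks them against what the -R 0.0.0.0:9735 forward needs, and prints a least-privilege authorized_keys entry for the node's key. The function names (sshd_effective, tunnel_ready, restricted_key_line) and the sample configs are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and sample
# configs are constructed here; the keywords and options are real sshd ones.

# sshd_effective FILE KEYWORD
# Print, lower-cased, the value sshd would use for KEYWORD. sshd_config(5)
# keeps the FIRST occurrence of a keyword, so an old "GatewayPorts no" above
# a newly appended "GatewayPorts clientspecified" wins. Parsing stops at the
# first Match block (a Match for the tunnel user could still override the
# global value) and Include files are not followed.
sshd_effective() {
    _file=$1
    _kw=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$_kw" in                     # defaults from sshd_config(5)
        allowtcpforwarding) _default=yes ;;
        gatewayports)       _default=no ;;
        *)                  _default="" ;;
    esac
    _val=$(awk -v kw="$_kw" '
        { sub(/^[[:space:]]+/, ""); gsub(/[[:space:]]*=[[:space:]]*/, " ") }
        /^#/ || /^$/           { next }           # comments and blank lines
        tolower($1) == "match" { exit }           # end of the global section
        tolower($1) == kw      { print $2; exit } # first obtained value wins
    ' "$_file")
    printf '%s\n' "${_val:-$_default}" | tr '[:upper:]' '[:lower:]'
}

# tunnel_ready FILE
# Return 0 when FILE lets a client bind -R 0.0.0.0:PORT on the VPS, else 1.
tunnel_ready() {
    _f=$(sshd_effective "$1" AllowTcpForwarding)
    case "$_f" in
        yes|all|remote) ;;
        *) echo "AllowTcpForwarding is '$_f': remote forwards are refused" >&2; return 1 ;;
    esac
    _g=$(sshd_effective "$1" GatewayPorts)
    case "$_g" in
        clientspecified|yes) return 0 ;;
        *) echo "GatewayPorts is '$_g': -R 0.0.0.0:... would bind to loopback only" >&2; return 1 ;;
    esac
}

# restricted_key_line PUBKEY PORT
# authorized_keys entry for the node's key on the VPS. 'restrict' disables
# pty, agent/X11 forwarding and rc files, 'port-forwarding' re-enables
# forwarding, and 'permitlisten' limits -R to this single port, so a key
# copied off the node box cannot open shells or other listeners on the VPS.
restricted_key_line() {
    printf 'restrict,port-forwarding,permitlisten="%s" %s\n' "$2" "$1"
}

# --- constructed sample configs for a stand-alone run ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/good" <<'EOF'
# sshd_config as the post describes it
PermitRootLogin no
AllowTcpForwarding yes
GatewayPorts clientspecified
EOF
cat > "$demo_dir/stale" <<'EOF'
# the right line was appended, but the earlier one is what sshd uses
GatewayPorts no
AllowTcpForwarding = yes
GatewayPorts clientspecified
EOF
: > "$demo_dir/empty"      # nothing set: sshd defaults apply (GatewayPorts no)

for f in good stale empty; do
    if tunnel_ready "$demo_dir/$f"; then
        echo "$f: the reverse tunnel would be reachable"
    else
        echo "$f: fix sshd_config before relying on the tunnel"
    fi
done
restricted_key_line "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEYFORDEMO node@home" 9735
rm -rf "$demo_dir"
```

Run it against a copy of the VPS's /etc/ssh/sshd_config (tunnel_ready /path/to/sshd_config) before starting the service; the "stale" case is the one that produces a tunnel that looks healthy in systemctl status while the port on the VPS stays closed. The printed authorized_keys line goes in ~/.ssh/authorized_keys of YOUR_VPS_USER; since the autossh command above uses -nNT, the restrictions cost nothing.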
If anyone’s interested, I created a series about Wireguard which ended with port forwarding to achieve the same here.
Not saying using a VPN tunnel is better than an SSH tunnel, but knowing how to use DNAT and SNAT is pretty cool, especially since our internet routers do SNAT all the time. Maybe DNAT and SNAT could be considered a little more advanced than SSH remote port forwarding (again, not trying to judge).
Hi, great post. Port forwarding with Wireguard, iptables, SNAT and DNAT is so cool; I recommend everyone to study it. But the goal of this post is to expose a local lightning node that runs even behind CGNAT, so not only the node is behind NAT, but also the router of the local network. Another issue with Wireguard is censorship resistance: it is so easy to identify Wireguard traffic over the network and drop the packets, which is so important in my case, and for everyone living in a country that is actively censoring communications, especially VPNs; for us pure Wireguard is not a solution.
But the goal of this post is to expose a local lightning node that runs even behind CGNAT, so not only the node is behind NAT, but also the router of the local network.
How does CGNAT matter in this case? As long as the local lightning node initiates the connection it works the same with SSH or Wireguard.
Another issue with wireguard is censorship resistance
I see, makes sense. I didn’t think about this, thanks!