Multi Node VPS
In this small addition to the LNbits server tutorial I want to show what you need to set up multiple tunnels on one VPS, so that you can bring several nodes onto the clearnet via a single VPS. I have also included the LNbits REST API for each tunnel to its node, so the owner of the VPS can easily switch the funding source of his LNbits between nodes. I only show the parts that differ here, so you also need the original tutorial.
Assumption:
- Node 1 – LND Port 9735 / REST API Port 8080
- Node 2 – LND Port 9736 / REST API Port 8081
- Node 3 – LND Port 9737 / REST API Port 8082
Addition to 7.2 – VPS – Basic settings of the Virtual Private Server
Install and set up UncomplicatedFirewall (UFW)
apt install ufw
ufw default deny incoming
ufw default allow outgoing
ufw allow 22 comment 'OpenSSH'
ufw allow 80 comment 'Standard Webserver'
ufw allow 443 comment 'SSL Webserver'
ufw allow 9735 comment 'Node1'
ufw allow 9736 comment 'Node2'
ufw allow 9737 comment 'Node3'
ufw enable # -> y
ufw status # -> Check if OpenSSH or 22/tcp is inside!
Addition to 7.3 – VPS – Installing and setting up Docker
Here you need to add the ports for the additional nodes to the Docker container and generate a certificate for each additional node. New in this section: if you run multiple nodes it makes sense to assign a fixed tunnel IP to each node. Otherwise the server hands out IPs freely, and whichever node connects first after a restart of the VPS gets the first IP. That is inconvenient when you want to write fixed forwarding rules in the iptables firewall.
Starting the OpenVPN server process
sudo docker run -v $OVPN_DATA:/etc/openvpn -d -p 1194:1194/udp -p 9735:9735 -p 8080:8080 -p 9736:9736 -p 8081:8081 -p 9737:9737 -p 8082:8082 --cap-add=NET_ADMIN --restart unless-stopped kylemanna/openvpn
generate a client certificate without a passphrase for the nodes
sudo docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full node1 nopass
sudo docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full node2 nopass
sudo docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full node3 nopass
get client configuration with embedded certificates for the nodes
sudo docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_getclient node1 > node1.ovpn
sudo docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_getclient node2 > node2.ovpn
sudo docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_getclient node3 > node3.ovpn
NEW – Assign a fixed IP to the VPN tunnel for each node
To edit the files in the Docker volume you must first switch to the superuser/root account
sudo su
cd /var/lib/docker/volumes/ovpn-data/_data/ccd/
nano node1
- fill with:
ifconfig-push 192.168.255.6 192.168.255.5
- CTRL-x -> y -> ENTER
Repeat for the second node e.g.
nano node2
- fill with:
ifconfig-push 192.168.255.10 192.168.255.9
- CTRL-x -> y -> ENTER
The third node gets the IPs ending in .14 / .13 and the fourth node gets .18 / .17. The node side of the tunnel is always assigned the higher number, e.g. .6, and the server side gets the lower one, e.g. .5.
Info:
Example IP assignment (one /30 pair per tunnel) for full compatibility with multiple nodes:
[ 1, 2] [ 5, 6] [ 9, 10] [ 13, 14] [ 17, 18] [ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] ..
To activate the settings, reboot the VPS once: $ reboot
Alternatively, you can just restart the Docker container: $ docker restart <Docker-ID>
Then leave the superuser/root account again: $ exit
Note:
After you have installed and set up OpenVPN on the node, you can check there with the command $ ip add show tun0 whether you got the assigned IP.
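As an added example (not part of the original tutorial), the following POSIX shell script generates the ccd files for any number of nodes using the scheme above and checks that no two nodes were pinned to the same tunnel address. It assumes the kylemanna/openvpn defaults (tunnel subnet 192.168.255.0/24, net30 topology, i.e. one /30 pair per client, with the .1/.2 pair belonging to the server itself) and the ccd directory path used above; the function and file names are mine.

```shell
#!/bin/sh
# Added example (not from the original tutorial): generate the ccd files that pin
# each node to a fixed tunnel address, following the [1,2] [5,6] [9,10] ... scheme.
# Assumptions: the kylemanna/openvpn defaults (192.168.255.0/24, net30 topology,
# so every client owns a /30 block); block 0 (.1/.2) belongs to the server itself,
# so node N gets block N: client .(4N+2), server .(4N+1).
set -eu

TUN_PREFIX="${TUN_PREFIX:-192.168.255}"   # first three octets of the tunnel subnet

# tunnel_pair N -> "<client-ip> <server-ip>" for node number N (1..63)
tunnel_pair() {
    n=$1
    if [ "$n" -lt 1 ] || [ "$n" -gt 63 ]; then
        echo "node number out of range (1..63): $n" >&2
        return 1
    fi
    echo "$TUN_PREFIX.$((n * 4 + 2)) $TUN_PREFIX.$((n * 4 + 1))"
}

# ccd_line N -> the single line that goes into the node's ccd file
ccd_line() {
    echo "ifconfig-push $(tunnel_pair "$1")"
}

# write_ccd DIR NAME... -> write DIR/NAME for each client name, in the order given
# (the name must match the client certificate name, e.g. node1, node2, ...)
write_ccd() {
    dir=$1; shift
    i=0
    for name in "$@"; do
        i=$((i + 1))
        ccd_line "$i" > "$dir/$name"
        echo "$name -> $(cat "$dir/$name")"
    done
}

# check_ccd DIR -> fail if two ccd files push the same client address (a duplicate
# would make the iptables DNAT rules hit the wrong node after a reconnect)
check_ccd() {
    dups=$(cat "$1"/* | awk '/^ifconfig-push/ {print $2}' | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "duplicate tunnel address in $1: $dups" >&2
        return 1
    fi
    echo "ccd ok: every node has its own tunnel address"
}

# Run a function by name, e.g.:
#   sh gen_ccd.sh write_ccd /var/lib/docker/volumes/ovpn-data/_data/ccd node1 node2 node3
[ $# -eq 0 ] || "$@"
```

Run it as root on the VPS, e.g. sh gen_ccd.sh write_ccd /var/lib/docker/volumes/ovpn-data/_data/ccd node1 node2 node3, then sh gen_ccd.sh check_ccd /var/lib/docker/volumes/ovpn-data/_data/ccd, and restart the container as described above. The ccd file names must match the client certificate names (node1, node2, ...), otherwise OpenVPN ignores them.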
Display the container ID
sudo docker ps # -> show the status, the ID of the container and the ports
Display the path to the nodeX.ovpn files
pwd # -> show the current path
ls # -> Should now show the node1.ovpn file
Addition to 7.4 – Node – Set up OpenVPN
Now you have to download and set up the individual certificate for each node. Here is an example for Node2.
Download the certificate from the VPS
Attention:
Adjust the IP and, if necessary, the paths
scp synonym@111.111.111.111:/home/synonym/node2.ovpn /home/admin/VPNcert/
-> You have to confirm the new "fingerprint" once and then enter your user password
Assign read and write permissions only for the user
sudo chmod 600 /home/admin/VPNcert/node2.ovpn
Install and set up OpenVPN
Attention:
Here too, adjust the path or name if necessary
sudo apt-get install openvpn -y
sudo cp -p /home/admin/VPNcert/node2.ovpn /etc/openvpn/CERT.conf
sudo systemctl enable openvpn@CERT
sudo systemctl start openvpn@CERT
sudo systemctl status openvpn@CERT
-> Pay attention to the following lines:
..
net_iface_up: set tun0 up
net_addr_ptp_v4_add: 192.168.255.10 peer 192.168.255.9 dev tun0
..
Now the IPs 192.168.255.10/.9 should be displayed automatically.
Addition to 7.5 – VPS – Specifying packet rules for Docker
Call Docker Shell
sudo docker ps # -> display the ID again
sudo docker exec -it b7a78bb8b394 sh # -> start shell
Info:
With the slightly extended command $ sudo docker ps -a you can also see containers that are not running and their status.
In Docker, set the packet rules for the firewall
Caution:
Double-check the tunnel IPs (see previous chapter) and the ports; every rule must point to the tunnel IP of the node that owns that port.
iptables -A PREROUTING -t nat -i eth0 -p tcp -m tcp --dport 9735 -j DNAT --to 192.168.255.6:9735
iptables -A PREROUTING -t nat -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to 192.168.255.6:8080
iptables -A PREROUTING -t nat -i eth0 -p tcp -m tcp --dport 9736 -j DNAT --to 192.168.255.10:9736
iptables -A PREROUTING -t nat -i eth0 -p tcp -m tcp --dport 8081 -j DNAT --to 192.168.255.10:8081
iptables -A PREROUTING -t nat -i eth0 -p tcp -m tcp --dport 9737 -j DNAT --to 192.168.255.14:9737
iptables -A PREROUTING -t nat -i eth0 -p tcp -m tcp --dport 8082 -j DNAT --to 192.168.255.14:8082
iptables -t nat -A POSTROUTING -d 192.168.255.0/24 -o tun0 -j MASQUERADE
Note 1:
You can check the IPs on the node with the command: $ sudo systemctl status openvpn@CERT
Note 2:
Remember that the ports you assign here for the LND nodes and for the REST API must also be opened on the node side in ufw (uncomplicated firewall), otherwise it won’t work.
Save the rules permanently
To make sure the packet rules are loaded again after the next reboot, we stay in the Docker shell and edit the script file ovpn_env.sh.
cd /etc/openvpn
vi ovpn_env.sh # -> editor opens
This opens the vi editor. Its handling is a bit unusual, but if you follow the steps exactly you will get there. You can also find a command overview here.
For practice, leave the editor now:
- ESC -> :q! -> ENTER -> exit without saving (you really have to type the :q! exactly like this)
Now open the editor again:
vi ovpn_env.sh
- set the cursor to the last line -> G (=> capital "G" -> Shift+g)
- go into edit mode -> a (small "a")
- wrap one line -> ENTER
- now paste the iptables lines from above into it
- ESC -> leave edit mode
- :wq -> save the changes and close the editor
When you are done, exit the Docker Shell again as well:
exit
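The following script is an added example and not part of the original tutorial: it builds the DNAT rules from a small node table (tunnel IP, LND port, REST port), refuses a table in which one port is assigned to two nodes, and appends only the missing lines to ovpn_env.sh, so you can re-run it after adding a node without duplicating rules. It assumes the container layout used above (public interface eth0, tunnel 192.168.255.0/24, /etc/openvpn/ovpn_env.sh); the node table is constructed to match the three nodes of this tutorial, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original tutorial): build the per-node DNAT rules
# from a node table and append them to ovpn_env.sh only when they are not there
# yet, so re-running after adding a node does not duplicate rules.
# Assumptions (as in the tutorial): the container's public interface is eth0,
# the tunnel subnet is 192.168.255.0/24, the file is /etc/openvpn/ovpn_env.sh.
set -eu

# Constructed node table: "<tunnel client ip> <lnd port> <rest port>" per line,
# matching the three nodes used in this tutorial
NODES='192.168.255.6 9735 8080
192.168.255.10 9736 8081
192.168.255.14 9737 8082'

# dnat_rule PORT TUNNEL_IP -> one PREROUTING rule forwarding PORT to the node
dnat_rule() {
    printf 'iptables -A PREROUTING -t nat -i eth0 -p tcp -m tcp --dport %s -j DNAT --to %s:%s\n' "$1" "$2" "$1"
}

# rules_for_nodes: node table on stdin -> LND + REST rule per node, then MASQUERADE
rules_for_nodes() {
    while read -r ip lnd rest; do
        [ -n "$ip" ] || continue          # skip blank lines
        dnat_rule "$lnd" "$ip"
        dnat_rule "$rest" "$ip"
    done
    echo 'iptables -t nat -A POSTROUTING -d 192.168.255.0/24 -o tun0 -j MASQUERADE'
}

# check_ports: node table on stdin -> fail if a port is listed for two nodes
# (iptables would silently use the first matching rule only)
check_ports() {
    dups=$(awk 'NF == 3 {print $2; print $3}' | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "port assigned to more than one node: $dups" >&2
        return 1
    fi
    echo "ports ok: every port maps to exactly one node"
}

# persist_rules FILE: node table on stdin -> append the missing rule lines to FILE
# and print how many were added (0 means the file was already complete)
persist_rules() {
    file=$1
    tmp=$(mktemp)
    rules_for_nodes > "$tmp"
    added=0
    while IFS= read -r line; do
        if ! grep -qxF -- "$line" "$file"; then
            printf '%s\n' "$line" >> "$file"
            added=$((added + 1))
        fi
    done < "$tmp"
    rm -f "$tmp"
    echo "$added"
}

# apply_rules: node table on stdin -> run the rules now (root inside the container)
apply_rules() {
    rules_for_nodes | sh -e
}

# Run a function by name, e.g. inside the Docker shell:
#   sh /tmp/rules.sh persist_rules /etc/openvpn/ovpn_env.sh < nodes.txt
[ $# -eq 0 ] || "$@"
```

Write your node table to a file in the format shown, copy the script into the container with sudo docker cp rules.sh <Docker-ID>:/tmp/rules.sh, and from the Docker shell run sh /tmp/rules.sh check_ports < nodes.txt, then sh /tmp/rules.sh apply_rules < nodes.txt and sh /tmp/rules.sh persist_rules /etc/openvpn/ovpn_env.sh < nodes.txt. One caveat on the VPS host: ports published with -p on the docker run line are handled by Docker's own iptables chains, which are consulted before ufw's rules for forwarded traffic, so check which ports are actually reachable from outside (for example with sudo iptables -t nat -L DOCKER -n on the host) rather than relying on ufw status alone.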
Addition to 7.6 – Node – Adjusting lnd.conf
On the node you have to open the firewall port. As an example I do this for Node2 with the LND port 9736 and the REST API port 8081. On the Raspiblitz you also have to adjust the lnd.check.sh script, otherwise the ports in lnd.conf will be overwritten at the next reboot.
NEW – Edit the firewall
sudo ufw allow 9736 comment 'VPS Tunnel LND Node2'
sudo ufw allow 8081 comment 'VPS Tunnel REST Node2'
sudo ufw status
Here you can check whether the ports (9735, 9736, ..) are open for the LND node:
https://www.yougetsignal.com/tools/open-ports/
This only works while LND is running normally. You can’t check the REST ports (8080, 8081, ..) this way, because the ufw of the VPS does not open those ports and does not need to: LNbits on the VPS reaches LND over the tunnel, not over the internet.
LND.conf edit
cd /mnt/hdd/lnd/
sudo nano lnd.conf
-> Check the following lines and adjust if necessary:
[Application Options]
..
nat=false # -> check and set to false
listen=0.0.0.0:9736 # -> check it
restlisten=0.0.0.0:8081 # -> check it
externalip=111.111.111.111:9736
tlsextraip=172.17.0.2
..
[tor]
..
tor.streamisolation=false
tor.skip-proxy-for-clearnet-targets=true
Special feature: ONLY on the Raspiblitz
The lnd.check.sh script checks lnd.conf and may overwrite your settings, so you have to comment out a few lines.
Open the script at line 184:
sudo nano +184 /home/admin/config.scripts/lnd.check.sh
Comment out the following lines with #:
..
# setting ${lndConfFile} ${insertLine} "restlisten" "0\.0\.0\.0\:${portprefix}8080"
# # enforce LND port is set correctly (if set in raspiblitz.conf)
# if [ "${lndPort}" != "" ]; then
# setting ${lndConfFile} ${insertLine} "listen" "0\.0\.0\.0\:${portprefix}${lndPort}"
# else
# lndPort=9735
# fi
# # enforce PublicIP if (if not running Tor)
# if [ "${runBehindTor}" != "on" ]; then
# setting ${lndConfFile} ${insertLine} "externalip" "${publicIP}:${lndPort}"
# else
# when running Tor a public ip can make startup problems - so remove
# sed -i '/^externalip=*/d' ${lndConfFile}
# fi
..
-> save and close with CTRL+x -> y -> ENTER
Note:
You can update Bitcoin Core, LND and the other applications manually, but a complete update of your node to a new version will probably overwrite exactly this file, and your node will then only run over Tor! If you have more than one node running over the VPS, or if you have assigned individual ports in general, lnd.conf will be overwritten automatically for every node whose LND port is not 9735 or whose REST port is not 8080. The node keeps working, but only via Tor, and the LNbits logs show Retrying connection to backend in 5 seconds... | The backend for LndRestWallet isn't working properly. Keep this in mind, it is a sneaky error. You can test whether the port is open e.g. with the port checker mentioned above.
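As an added check (not from the original tutorial), the following script reads the relevant keys from lnd.conf and reports whether listen, restlisten and externalip still carry the ports you assigned, so the silent fallback to Tor described above is caught before LNbits starts logging backend errors. It assumes plain key=value lines as in the excerpt above; the sample configurations it contains are constructed for node 2 (9736/8081), and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original tutorial): detect the "sneaky error"
# described above, i.e. lnd.conf having been reset to listen/restlisten 9735/8080
# (or externalip removed) by an update, which leaves the node reachable only via Tor.
# Assumption: lnd.conf uses plain key=value lines as shown in the excerpt above.
set -eu

# conf_value FILE KEY -> value of the first KEY=... line (empty if KEY is absent)
conf_value() {
    sed -n "s/^[[:space:]]*$2=\([^#]*\).*/\1/p" "$1" | head -n 1 | tr -d '[:space:]'
}

# check_lnd_conf FILE LND_PORT REST_PORT -> 0 if the node is still pinned to the
# expected ports, 1 with one line per mismatch otherwise
check_lnd_conf() {
    file=$1; lnd=$2; rest=$3; rc=0
    listen=$(conf_value "$file" listen)
    restlisten=$(conf_value "$file" restlisten)
    externalip=$(conf_value "$file" externalip)
    nat=$(conf_value "$file" nat)
    case "$listen" in
        *:"$lnd") ;;
        *) echo "listen=$listen (expected port $lnd)"; rc=1 ;;
    esac
    case "$restlisten" in
        *:"$rest") ;;
        *) echo "restlisten=$restlisten (expected port $rest)"; rc=1 ;;
    esac
    case "$externalip" in
        *:"$lnd") ;;
        *) echo "externalip=$externalip (expected <public ip>:$lnd; without it peers only reach the node via Tor)"; rc=1 ;;
    esac
    if [ "$nat" != "false" ]; then
        echo "nat=$nat (expected false)"; rc=1
    fi
    return $rc
}

# sample_conf good|reset -> constructed lnd.conf excerpt for node 2 (9736/8081),
# either as set up above or as the Raspiblitz check script would rewrite it
sample_conf() {
    if [ "$1" = reset ]; then
        port=9735; rest=8080; ext=""                 # defaults restored, externalip deleted
    else
        port=9736; rest=8081; ext="externalip=111.111.111.111:9736"
    fi
    printf '%s\n' '[Application Options]' 'nat=false' \
        "listen=0.0.0.0:$port" "restlisten=0.0.0.0:$rest" ${ext:+"$ext"} \
        'tlsextraip=172.17.0.2' '[tor]' 'tor.streamisolation=false' \
        'tor.skip-proxy-for-clearnet-targets=true'
}

# Run a function by name, e.g.:
#   sh check_lnd.sh check_lnd_conf /mnt/hdd/lnd/lnd.conf 9736 8081
[ $# -eq 0 ] || "$@"
```

On the node run sh check_lnd.sh check_lnd_conf /mnt/hdd/lnd/lnd.conf 9736 8081 after every update (or from a cron job); a non-zero exit status means the file was reset and the lnd.conf edits above have to be repeated before LND is restarted.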
Restart LND once
sudo systemctl restart lnd.service
-> This may take some time, be patient
Check whether the certificate and the key have changed
ls -l
-> The date and time (GMT) of the tls.cert and tls.key files must have updated if you made a change that affects the certificates!
Connection test
Test whether you can reach the Google DNS server from your node:
ip route get 8.8.8.8
-> You should get back: 8.8.8.8 via 192.168.255.9 dev tun0 src 192.168.255.10
Note about Ride The Lightning (RTL)
By default RTL uses the REST port 8080 to access LND. So if you change LND's REST port away from 8080, you will get the error message Error 503 - Unable to Connect to LND Server when opening the website, and you have to tell RTL about the port change. The port is defined in the file /mnt/hdd/app-data/rtl/RTL/RTL-Config.json, but on the Raspiblitz that JSON is always overwritten by the startup script /home/admin/config.scripts/bonus.rtl.sh, so you have to edit the script instead.
sudo nano /home/admin/config.scripts/bonus.rtl.sh
- Now search for "lnServerUrl" with: CTRL+w -> lnServerUrl -> ENTER
- Change the port in lnServerUrl from 8080 to e.g. 8081 for the second node
- Then restart the RTL service once:
sudo systemctl restart RTL.service
Note:
For Thunderhub you don’t need this, because TH uses the RPC port 10009 instead of the REST port.
END
Everything else is basically the same as the original tutorial.
Created with love 🧡 Block 775775 / 825673
– Lightning ⚡ (er)leben –