Free static IP for BTC/⚡️Lightning⚡️ Node

CryptoMulde
Feb 18, 2019


The problem:

When setting up a local Lightning node (e.g. on a Raspberry Pi), we need a fixed IP to help the network by accepting incoming connections. If you want to run a Lightning node that people can connect to, you definitely need a static IP. Forwarding ports is not a problem, as cheap home routers support port forwarding. Static IPs are a problem in most European countries, since you need to pay extra fees to receive a static IP from your ISP.

Furthermore, we can lock out bad actors who try to connect the dots and unmask you as a Bitcoiner by checking your home IP. Sharing your home IP for a Bitcoin node is not a good idea.

This is why we use our local setup (Raspberry Pi + HDD + bitcoind + LND) and just do the “IP-pointing part” via our chosen cloud hoster.

Hosting Full-Nodes on Cloud-Services

In my opinion, full nodes hosted on cloud services don’t enrich the decentralized properties of Bitcoin, while our local node with IP pointing does.

You think you run your own node, but you don’t own it.

Let’s just pretend every BTC node is hosted via one VPS provider. Let’s further pretend the VPS provider encounters outages/censorship. In this scenario every BTC node would be offline.

Everyone used the same VPS provider. What can we do? We just take our pre-synced and ready-to-go full node and point to a static-ip of a different VPS-provider.

The more full nodes rely on VPS, the more centralized the Bitcoin network becomes.

Let’s start

In this tutorial I will guide you through the steps on how to set a static IP for your local Raspberry Pi. I went the hard way and figured it out with the help of my friends. Afterwards I can tell you it took me about 16h, but it was worth it. I learned a lot and now I am sharing my newly acquired knowledge.

Shoutout to 0xB10C

Prerequisites:

Google Cloud

  • Create a new instance
  • choose region: closest to you
  • Machine type : (micro)
  • I changed “Boot Disk” from debian to ubuntu (not necessary)
  • “Create”
  • Now we need to wait some time and our machine will be ready for usage

Let’s open our first port

  • Go to “compute engine → VM instances”
  • look for your machine and click the three dots next to ssh → “view network details”
  • on the left choose “firewall rules”
  • “Create Firewall rule”
  • Name: testin
  • Direction of Traffic: Ingress
  • Targets: All instances in the network
  • Source IP Ranges: 0.0.0.0/0
  • TCP: 1234
  • We configured the first port forwarding for our GoogleCloud
  • Analogously, do the same for TestOut (choose Egress instead of Ingress)

fix static-ip

  • Go to “compute engine → VM instances”
  • look for your machine and click the three dots next to ssh → “view network details”
  • go to “external IP addresses”
  • look for type and click “ephemeral” and switch to “static”
  • type a name and click “reserve”

Create SSH-Keys

(advanced users can use Linux to create keys, I did it via the Windows PuttyGen.exe)

  • we need both file formats ppk (for Putty Authentication) and pem (for RBP to Cloud tunnel)
  • open Puttygen.exe and click generate
  • in “Key comment” field we need to insert our Google username (e.g. userxy@gmail.com we would put “userXY” in key comment)
  • click save priv key to create .ppk file, choose location
  • click yes when asked if you want to save without a passphrase
  • type name and save
  • click conversion and choose “export openssh key”, type name and save
  • now we have created both keys. Both contain the same key, but use different formats
  • Public key is shown in the puttygen window

SSH to GoogleCloud

  • copy the public key and insert in Google Console (on the left side look for metadata, click ssh keys, paste your public key (edit, add, save))
  • Open Putty
  • hostname is UserXY@yourIP (shown in google instances →external IP)
  • insert private key in Putty (on the left side click the + in SSH tab, look for Auth)
  • in box “Private key file for authentication” insert path to your key
  • choose .ppk file
  • Connect via Putty
  • when asked click yes
  • Now we are connected

change Google Cloud’s SSH config and add two lines

sudo nano /etc/ssh/sshd_config

AllowTcpForwarding yes

GatewayPorts yes

  • save and exit
  • sudo restart ssh / sudo systemctl restart ssh

Insert keys to Raspberry-Node

  • to authenticate we need to copy our GoogleCloud private key to RBP
  • start WinSCP and log into your RBP
  • copy the converted private key (!!not .ppk!!) to a chosen path (e.g. /home/admin/)
  • click the file and push F9 to change permission
  • switch permissions from 644 to 600
  • close WinSCP

create first SSH Tunnel via Putty

  • Open Putty and log into your RBP
  • Putty Tunnel command:
ssh -i /home/admin/keyFilename -R 1234:localhost:1234 UserXY@yourExternalip

/home/admin/keyFilename = path to the private key file

UserXY = your Google username

yourExternalip = external IP shown in Google Console

  • type yes
  • The tunnel is now established

Verify the work

  • SSH in your Raspberry node
  • Start test server to see if it worked out
cd /home/admin/download
python -m SimpleHTTPServer 1234
  • Type in a browser: YourExternalIP:1234
  • You should now see your download folder via HTTP Server
  • If it was successful, close your HTTP Server

Troubleshooting

If you are having issues try typing the following command in your Google Cloud’s Putty and see the result

netstat -tulpn 

Check for your specific ports; in our case that would be 1234.

0.0.0.0:1234 means we are good (tunneling works)

127.0.0.1:1234 would be a bad sign: the forwarded port is then bound to loopback only, which means GatewayPorts yes is not in effect

If you see 0.0.0.0:1234 and still cannot connect to your web server from the internet, the SSH tunnel is not the problem. Look specifically for the Foreign Address 0.0.0.0:*. If you see something different, this is why it doesn’t work.
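The check described above can be scripted. This is an added example, not part of the original post: it reads netstat -tulpn output and reports, per forwarded port, whether the listener is bound publicly, to loopback only, or is missing. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `netstat -tulpn` output on stdin and reports how a
# forwarded TCP port is bound: public (0.0.0.0 / ::), loopback, or missing.
bind_state() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, parts, ":")            # $4 = Local Address (addr:port)
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr == "0.0.0.0" || addr == "::") pub = 1
            else if (addr == "127.0.0.1" || addr == "::1") lo = 1
        }
        END {
            if (pub) print "public"              # reachable from outside
            else if (lo) print "loopback"        # GatewayPorts not in effect
            else print "missing"                 # tunnel not up
        }'
}

# One line per port: "<port> <state>"
check_ports() {
    text="$1"; shift
    for p in "$@"; do
        printf '%s %s\n' "$p" "$(printf '%s\n' "$text" | bind_state "$p")"
    done
}

# Constructed sample output (not captured from a real host): 8333 forwarded
# correctly, 9735 bound to loopback only, 18333 not forwarded at all.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address    Foreign Address  State    PID/Program name
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN   812/sshd
tcp        0      0 0.0.0.0:8333     0.0.0.0:*        LISTEN   2290/sshd: userxy
tcp        0      0 127.0.0.1:9735   0.0.0.0:*        LISTEN   2301/sshd: userxy
tcp6       0      0 :::8333          :::*             LISTEN   2290/sshd: userxy
udp        0      0 0.0.0.0:68       0.0.0.0:*                 640/dhclient'

check_ports "$SAMPLE_NETSTAT" 8333 9735 18333
# On the cloud VM: sudo netstat -tulpn | bind_state 9735
```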

Bitcoin + LND

  • Your Raspberry and GoogleCloud are now configured to forward port 1234. Next we need to adapt this to BTC + LND
  • Open incoming and outgoing ports in GoogleCloud: update the firewall rules in GoogleCloud (the same way we did with 1234)
  • At the same time you can close port 1234 (incoming and outgoing)

18333 (testnet)

8333 (mainnet)

9735 (lightning)

On your RBP establish tunnel for (1)8333 and 9735

  • Open a Putty session for the Bitcoin-port
ssh -i /home/admin/keyFilename -R 18333:localhost:18333 UserXY@yourExternalip (for testnet)
ssh -i /home/admin/keyFilename -R 8333:localhost:8333 UserXY@yourExternalip (for mainnet)
  • Open a second Putty session for the Lightning-port
ssh -i /home/admin/keyFilename -R 9735:localhost:9735 UserXY@yourExternalip

Verify our work

Let’s verify if it worked

sudo systemctl start bitcoind
sudo systemctl start lnd
  • wait until both are online and active
  • go to https://ping.eu/port-chk/
  • paste your external static ip
  • put port (1)8333 / 9735
  • You should see the ports as “open”

Adapt lnd.conf to new static-IP

edit lnd.conf:

sudo nano /home/bitcoin/.lnd/lnd.conf

add the following line:

externalip=YOUREXTERNALSTATICIP

Autostart SSH-tunnels after reboot

Let’s add the ssh commands to the crontab so they are started automatically after a reboot

  • ssh into RBP with user “admin”
crontab -e

# add lines

@reboot sleep 60;ssh -i /home/admin/yourprivkey.pem -nN -R 18333:localhost:18333 username@ExternalIP

@reboot sleep 60;ssh -i /home/admin/yourprivkey.pem -nN -R 9735:localhost:9735 username@ExternalIP

18333 is the testnet setup. If you want to go to mainnet use port 8333

  • save and exit
sudo reboot
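The crontab lines above start each tunnel once per boot. As an added example (not from the original post), this wrapper restarts the tunnels when the connection drops, makes ssh exit if a forward cannot be bound, and backs off between failed attempts. The script path /home/admin/tunnel.sh and the function names are hypothetical; the key path and username@ExternalIP are the placeholders used above.

```shell
#!/bin/sh
# Added example: supervise the reverse tunnels from the crontab lines.
KEY=/home/admin/yourprivkey.pem     # key path placeholder from the article
REMOTE=username@ExternalIP          # placeholder from the article
PORTS="18333 9735"                  # use 8333 instead of 18333 on mainnet

# Build the ssh argument list: one -R per port, exit if a forward cannot be
# bound, detect dead connections with keepalives, never prompt (BatchMode).
tunnel_args() {
    args="-i $KEY -nN -o BatchMode=yes -o ExitOnForwardFailure=yes"
    args="$args -o ServerAliveInterval=30 -o ServerAliveCountMax=3"
    for p in $PORTS; do
        args="$args -R $p:localhost:$p"
    done
    printf '%s %s\n' "$args" "$REMOTE"
}

# Next retry delay in seconds: doubles after each failure, capped at 300.
next_delay() {
    d=$(( $1 * 2 ))
    if [ "$d" -gt 300 ]; then d=300; fi
    echo "$d"
}

keep_tunnel_up() {
    delay=5
    while :; do
        start=$(date +%s)
        # Word splitting of the argument list is intended (no spaces in paths).
        ssh $(tunnel_args)
        # A session that lasted more than a minute was healthy: reset backoff.
        if [ $(( $(date +%s) - start )) -gt 60 ]; then
            delay=5
        else
            delay=$(next_delay "$delay")
        fi
        sleep "$delay"
    done
}

# Start only when asked, e.g. crontab: @reboot sleep 60; /home/admin/tunnel.sh run
if [ "${1:-}" = "run" ]; then
    keep_tunnel_up
fi
```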

We made it. Congratulations. Enjoy your Lightning Node!
