How to: mining Helium over a cellular connection
An in-depth, step-by-step guide to setting up your Helium miner with a mobile data hotspot
I have published a new article on how use the iNet GL-x750v2 router instead of the Rut240, as quite a few folks have had difficulty getting the Rut240 to work with Wireguard.
You can check it out here.
If you’re starting from scratch I suggest you read the first half of this article to understand the background about why these steps are necessary and the guide on how to setup a VPN server, and then go to that article for updated router setup instructions.
If you struggled getting the Rut240 to work, but already have a working VPN server, get yourself that router head straight to the new guide.
Quite a few people have had difficulty getting the Teltonika Rut240 cellular router to work with WireGuard VPN. I have reached out to Teltonika multiple times about the challenges with getting that particular router to work with WireGuard, but have yet to hear back from them. I plan on re-writing the guide using the iNet GL-X750V2 router instead soon, since both myself and multiple other people from the Helium discord have managed to get this VPS setup working with that router easily. If you’re starting this guide from scratch, I highly recommend purchasing that router instead of the Rut240, and following the Rut240 configuration guide, since the admin tools for both routers are very similar.
📶 Why cellular over at-home wifi?
With the surge of new hotspots on the Helium network, many folks are getting creative about how they deploy their miners in order to get the most bang for their buck. Creating setups that allow their miners to be placed anywhere without having to connect to an outlet or an at-home internet connection opens up a lot of new earning possibilities. While there are quite a few resources and even online retailers that will help you get set up with outdoor enclosures and solar power for your miners, it’s difficult to come by quality info on how to set up Helium miners over a cellular connection. This article is meant to fill that hole.
Most of the outdoor miner setups that you see in the #enclosures-and-offgrid channel in the Helium Discord make use of cellular data hotspots in order to connect their Helium miner to the internet. As you probably already know if you’ve been through setting up a Helium miner on your home network, getting your miner to communicate effectively with the internet can be a pain. Unfortunately, it can be especially challenging on mobile carrier networks.
🌐 A quick networking background
(Feel free to skip ahead to “🖥 The Guide: deploying a VPS for your mobile hotspot” if you’re familiar with NATs and GCNATs already…)
You’ve probably heard the word NAT thrown around. It stands for Network Address Translator. For a typical at-home setup, your router plays this “translator” role. It’s main job as a “translator” is to take requests to it’s “public” IP address (assigned by your internet service provider), and forward them along to local IP addresses that it automatically assigns to your home devices (192.168.1.*):
When you “open ports” or “port forward” to your Helium miner, you are giving your router instructions to “forward” requests over port 44158 to a device’s private IP (192.168.1.4 for the miner in this case):
Your router will also occasionally change the local IP addresses it assigns to individual devices, which can make any port forwarding rules outdated and non-functional. However, it is usually possible to tell your router to never change the assigned IP of a device on your network (ie to give it a static DHCP lease). It’s important to do this when port forwarding, otherwise the forwarding rules you create will not apply to the new IP address that your router gives the device that you meant to port forward to.
Having the ability to tell your router to give devices static IPs on your home network is a luxury we unfortunately don’t get when using cellular hotspots. This is due to how mobile carriers set up their own version of your home NAT called a CGNAT.
🪰 CGNAT vs. regular ol’ NAT’s
Carriers use what is called a CGNAT (Carrier-grade Network Address Translator) to manage the massive number of devices connected to their network simultaneously. Though this is likely a huge simplification, it’s basically like a NAT, but a CGNAT forwards requests made to it to multiple users’ devices on the entire network, as opposed to local devices in your home.
Why are Hotspots harder on cellular carrier networks?
If you were to try to “port forward” from a CGNAT’s IP address, there would be no way for the carrier to know which specific user/device combination to send the request it received on. This is because they all belong to different users, and are constantly being reassigned IPs by the CGNAT:
With no public static IP for your cellular hotspot, it’s impossible for the CGNAT to map all requests to on port 44158 to just your device’s IP out of everyone else’s hotspot and home IPs on the network. Then all those other people on the carriers CGNAT wouldn’t be able to forward 44158 to their devices as well!
So what do now??
At this point, you have two options in order to allow you to do proper port forwarding to your Helium miner while using a cellular hotspot:
- Get a static public IP address from your carrier for your SIM card. With a lot of handwaving, this basically means your carrier gives your hotspot a public IP address that wont change. Unfortunately, most carriers in the U.S. will only give you a static IP address if you sign up for a business plan with them (which of course, requires that you already own a business). Having a static IP would allow you to simply set up port forwarding in your cellular hotspot and call it a day.
- Set up a VPS (Virtual Private Server) with a static public IP, and configure it to forward traffic to your cellular router.
NOTE: you may be one of the lucky few that actually does have a Static IP address without having to purchase one, since some carriers out there (probably not in the U.S.) still do not put their connected devices behind a CGNAT. Before going any further, you can check if you’re SIM’s IP address is behind a CGNAT or not by visiting this link and typing in your IP address (you can find out your IP here). If it says “IPv4 address block not managed by the RIPE NCC,” then you don’t have a static public IP. Thanks to
molano#4878 in the Helium Discord for this tip!
Option 1 was just not feasible for me, since I didn’t own a business and didn’t really want to go through the hassle of setting one up for the few outdoor miners I’d be deploying.
Since Option 1 is relatively simple technically speaking, this article is going to discuss in detail how to setup Option 2.
🖥 The Guide: deploying a VPS for your mobile hotspot
At a high level there are three main steps to this guide, with a few details in between:
- Deploy a server to the cloud (VPS)
- Setup a VPN on that server
- Configure you’re cellular hotspot / router to work with said VPN
Before we get started, you’re going to need a few things…
To do this setup, you will need:
- Around $5 a month to spend on hosting a VPS
- An account with a PaaS like DigitalOcean or Linode to deploy the server you will install the VPS on (don’t worry, it’s not as scary as it sounds). In this example I will use Linode. If you use this referral link for Linode, you will get $100 free credit, which is almost worth two years of free VPN hosting
- A cellular router that is compatible with the open source WireGuard VPN. In this example, I used Teltonika’s Rut240 3g/4g Router, which is available on Amazon. There are other routers in the more affordable price range (~$70–$120) that work with WireGuard like the Cudy LT400 or Cudy AC1200 (thanks to Raúl Sal for this tip). I haven’t specifically tested this setup, but it seems reasonable that it would work just as well with the same VPS I walk through here.
- A little bit of experience with SSH and working in the terminal (I’ll try to guide you through this even if you haven’t used SSH before)
🕵️♂️ Step 1: Setting up a Virtual Private Server
With your newly created Linode account, we’re going to deploy a Debian 11 server.
From the Linode dashboard:
- Select “Create” > “Linode”
2. Fill out your server details. I chose Debian 11, deployed in the Newark, NJ region (since I live in NYC, it was the closest one), and selected “Nanode 1GB,” the lowest tier option for $5/month.
3. Add an SSH key so that you can remotely access your server.
If you don’t already have an SSH key on your computer, you can follow this guide to generate one. You can check if you already have an SSH key generated on your computer by running
cat ~/.ssh/id_rsa.pub | pbcopy
If you don’t get an error like this after running that:
/.ssh/id_rsa.pub No such file or directory
You will have the contents of your key copied into your clipboard, ready to be entered into Linode.
If you had to manually generate a key using the link above, copy the contents of the
id_rsa.pub file you generate into the “SSH Public Key” field, give it a label, and hit “Add Key.”
4. Hit “Deploy node”
5. Get excited! Also maybe grab a coffee while your server deploys (should take less than 5 minutes)
✨ Step 2: Install WireGuard on your newly deployed server
This is probably the more complicated bit of the guide, so strap in (don’t worry, I’ve got you covered)
Once your Linode’s status says “Running”, you’re ready to SSH into the server to install WireGuard
Click on your Linode’s label to be taken to its details page. Under “Access”, Click on the clipboard next to the “SSH Access” line:
Open a terminal on your computer (I’m on a mac and prefer to use iTerm2), and paste the command you copied. It should look something like
ssh root@<ip address of your linode server>
If all goes well, you should see the following prompt
Linux localhost 5.10.0-8-amd64 #1 SMP Debian 5.10.46-4 (2021-08-03) x86_64The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Aug 21 20:00:37 2021 from 126.96.36.199
If this didn’t work try running
ssh-add ~/.ssh/id_rsa from your computers terminal. If that didn’t work, double check your steps from generating a new key!
Great, you’re inside your newly deployed server. If this didn’t work, it’s likely that you did not configure your SSH key correctly (did you make sure to copy/paste the public and not the private one into Linode’s set up page?).
Now, time to install WireGuard. You will run the following set of commands:
root@localhost:~# apt update
root@localhost:~# apt upgrade
root@localhost:~# apt install iptables
root@localhost:~# apt install wireguard
Hit “y” to. continue.
Now that WireGuard is installed, we need to set up a private/public key pair for the WireGuard VPN to use.
root@localhost:~# cd /etc/wireguard/
root@localhost:~# wg genkey | tee privatekey | wg pubkey > publickey
This last command will generate two files, privatekey and publickey. Inspect their contents with this value.
root@localhost:~# cat privatekey
<some long string of numbers and letters>
root@localhost:~# cat publickey
<some long string of numbers and letters>
Copy these values somewhere to use for later (but don’t leave either around after you’re done with em’). You will need to paste one of them into the configuration file for Wireguard in the next step.
Time to setup the config for Wireguard. You will need to open/edit a file, so basic familiarity with an editor like
nano will help you…
root@localhost:~# vim /etc/wireguard/wg0.conf
This will open a file editor view for the Wireguard config file. If there’s anything there, delete it and paste in the following:
ListenPort = 51820
PrivateKey = <REPLACEME with contents of privatekey>
Address = 10.0.1.1/24
MTU = 1420
PostUp = iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1240
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = iptables -A FORWARD -i eth0 -o wg0 -p tcp --syn --dport 44158 -m conntrack --ctstate NEW -j ACCEPT
PostUp = iptables -A FORWARD -i eth0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 44158 -j DNAT --to-destination 10.0.1.2
PostDown = iptables -D FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1240
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i eth0 -o wg0 -p tcp --syn --dport 44158 -m conntrack --ctstate NEW -j ACCEPT
PostDown = iptables -D FORWARD -i eth0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 44158 -j DNAT --to-destination 10.0.1.2
PublicKey = <REPLACEME later with public key generated for the cell router>
AllowedIPs = 10.0.1.2/32
Endpoint = 0.0.0.0:51820
Copy the above text, and replace the content within <> brackets on the line with
PrivateKey = <REPLACEME…> with the contents of the
privatekey file you copied previously. Don’t worry about the other
PublicKey line at the bottom for now…
To break down this file a bit:
- The first part of the file under
[Interface]is specifying network config for the Wireguard server itself.
- The lines after that starting with
PostUpspecify instructions for Wireguard after the server starts up.
iptablesis a complicated tool that can do a lot of different things, but in this case, we are using it to map the port
44158to an IP address
10.0.1.2, which will be the IP that were going to have our Wireguard VPN give to our cellular router. This is similar to how you would configure your at-home router to port forward 44158 to your helium hotspot’s IP, were just doing it for the VPN instead!
[Peer], we specify details for a "peer" to the VPN, which in this case is our mobile hotspot. (In Wireguard, all connected devices are considered peers, as opposed to it being a typical VPN server/client relationship — ie the hotspot is a peer to the VPS, and the VPS is a peer to the hotspot)
To save the changes to the config file you were editing (
/etc/wireguard/wg0.conf ), type
:wq. You should now be back in the terminal on your VPS if all went well.
Generate a key pair for the rut240 router
We’re going to need to generate one more public/private key pair for the one peer that this VPN will have (your mobile hotspot). You will use the same command as before, but will different file names
root@localhost:~# wg genkey | tee hotspot-privatekey | wg pubkey > hotspot-publickey
root@localhost:~# cat hotspot-privatekey
<some long string of numbers and letters>
root@localhost:~# cat hotspot-publickey
<some long string of numbers and letters>
Again, take note and copy the values of these private/public keys somewhere that you’ll be able to reference them later. You will need to copy the value of
hotspot-publickey and add it to your Wireguard config under the
root@localhost:~# vim /etc/wireguard/wg0.conf
Which should open your config file again (abbreviated for space)
ListenPort = 51820
PublicKey = <REPLACEME with contents of hotspot-publickey>
AllowedIPs = 10.0.1.2/32
Endpoint = 0.0.0.0:51820
Once you’ve added the public key we generated for your mobile hotspot, you’ve finished dealing with this file! Go ahead and save it (
:wq, you remembered right?)
Now, we need to add one configuration option to another file. You can do that with a quick one liner from the terminal:
root@localhost:~# echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf
This line enables port forwarding on your VPS. Now run the following to persist the configuration change:
root@localhost:~# sysctl -p
Just a few more steps now… But first, SELF CARE. Come traveler, take a breather 😌
Check out this adorable birb. Grab a snack. Whisper some reassuring sweet nothings to yourself in the mirror. Ok… now you’re ready…
*Cracks knuckles, stretches fingers* here we go.
Let’s enable Wireguard to run whenever the server boots up:
root@localhost:~# systemctl enable wg-quick@wg0
And now, we can finally start the Wireguard server up!
root@localhost:~# systemctl start wg-quick@wg0
Now, if you run
root@localhost:~# systemctl status email@example.com
You should see something like this (note the active status):
And with that, you’ve finished setting up your VPS! (for now — you might have to come back here in a bit to do one or two more things, so maybe leave this terminal window open for now)
📟 Step 3: Configure your mobile hotspot router
As a reminder, in this walkthrough, we’re using a Rut240 router. I’m not 100% certain how to configure other mobile routers as WireGuard clients, but I’m sure many routers have this option! The hardest part is definitely setting up the VPS itself…
So first, insert the SIM card you got from your carrier into the back of the rut240. Make sure you also installed all the necessary antennas it came with before powering on!
Ok, plug it in. Now, after a minute or so, it should show up in your computer’s Wifi list.
Connect to it.
Login to the router’s admin tools by visiting 192.168.1.1 in a browser (you will probably not be able to use Chrome to do this. I used Safari.
Once you get past all of Safari’s warnings and hit “Continue anyway”, you will be prompted with a login screen.
Use the default admin credentials that should be on a manual somewhere in your rut240 box. It will prompt you to change credentials after logging in for the first time, so do that.
Ok cool, you’re logged in. First things first: update the firmware (to do this, you will need to have a SIM inserted, as it uses internet, and getting the rut240 setup on my wifi turned out to be a dead end. Maybe you’ll be more lucky than I was. In any case, the firmware update isn’t that large)
If there is a pending update, click upgrade! Your router will likely reboot and disconnect you from 192.168.1.1. if this happens, just reconnect to it’s wifi once it’s back up and refresh the page.
Once you’re logged back in to the router again, you will need to install the WireGuard package firmware under “System > Package Manager”
Search for “Wireguard” in the search box, and install it!
Once Wireguard is installed, go to “Services > VPN > WireGuard”
Type a name for your Wireguard configuration and hit “Add” — I called mine wg_linode, but you can name it whatever. It will be un-enabled for you, since you have yet to configure it.
It should look something like this. Go ahead and click “Edit”. You will be taken to a page where you’ll need to enter some details about the Wireguard VPN we configured in Step 2. Specifically:
- toggle Enable checkbox on
- For the Private key input, enter the contents of the
hotspot-privatekeyfile you generated and copied in Step 2. You… did copy it somewhere right?
- For listen port: 51820
- For IP address: 10.0.1.2/32
- For MTU: 1420
Now, you will need to add the Wireguard server is a peer to the cell hotspot. Under the “Peers” section, click “Add”. Now click “Edit” on the row that was added.
Fill out the details exactly like the screenshot above except for public key and endpoint host. The public key you enter here will be the verrry first public key you generated in Step 1. It is Wireguard’s public key. If you forgot to copy it, you can find it in the SSH session you left open on your VPS. The file should be called
Endpoint host is going to be the IP address of the Linode server you deployed. You can find this from the Linode dashboard:
Hit Save in the router’s VPN config page.
Now go to “Network > LAN”
Under “Static Leases” section, hit “Add” and then type in the following:
Hostname: anything you want. I called mine sensecapM1 since that’s what I have
MAC Address: The ETH MAC address of your hotspot.
IP Address: Select “custom” from the drop down and type in 192.168.1.10
Now, go to “Network > Firewall > Port forwarding”
Add a “New Port Forward Rule” at the bottom, with the following details
External port (s): 44158
Internal IP: Select “custom” from the drop down and type in 192.168.1.10
Internal port (s): 44158
Hit “Add” and then hit “Save” at the bottom right. Your new rule should look like this in the port forwarding rules table above:
Now, click “Edit” on the rule.
For the “Source zone” section, select the “wireguard” option. Hit “Save” in the bottom right.
Now…take a deep breath… because you just finished setting up your rut240!!
🧪 Validating that it all works
So, in order to make sure that your VPS is properly forwarding traffic across 44158 to your cellular router and then to your Helium miner, go ahead and plug your miner into the rut240's ethernet port (make sure you plug it into the LAN port and not the WAN port). Give your miner a minute or two to boot up.
Once you’ve done this, go to this port checking tool and enter 44158 into the port number field. Hit “Check”.
Important: you must have your miner plugged into the router for the port checking tool test to work. It will show your port as being closed if your miner is not connected to the router.
At this point, it should say that this port is open and you should be getting inbound and outbound requests to your helium miner. Woohoo!
If for whatever reason the port is still closed, try double checking your port forwarding settings on the Rut240. Also, here’s a helpful command that you can run while SSH’ed into your VPS:
tcpdump -i wg0 -n
In order to run this, you may need to install
apt install tcpdump
This will monitor all traffic coming and going through the WireGuard network interface on your VPS. You can keep this running in the terminal while fiddling with Rut240 settings as a way to validate that things are working.
Don’t forget to clean up the public/private key pairs you generated on the server.
📊 Extra credit: An awesome way to monitor your device remotely
So, if like many of us trying to deploy their hotspots on a cellular network you don’t want have to physically run out to your deployed miner every time you need to update settings on your router… that’s possible with this setup! You shouldn’t have to do fiddle with router settings too often, but if you do, I have a solution for you:
First, if you’re connected directly to your rut240 from your computer, make sure to connect back to your home’s wifi.
Now, in a terminal on your computer, run the following:
ssh firstname.lastname@example.org -L 0.0.0.0:8081:10.0.1.2:80
This command forwards requests from your local machine’s browser to your deployed VPS and finally to the rut240’s admin tools.
While leaving this command running in the terminal, open up a browser and visit
localhost:8081 . If all goes well, you will see the login page for your cellular hotspot’s admin tools. Now you can manage your deployed router from the comfort of your home!
🎁 Wrapping up
If you made it this far, congratulations. You did it, friend. If you didn’t quite make it to the end because you hit unexpected turbulence on the way here, don’t worry! You can find me on the Helium discord as
switz#1985 . Also, I highly advise re-reading these instructions and checking that you input all the values in your router and in the VPS correctly, typos can be the biggest enemy with these kinds of things!
I couldn’t have done this without the patience, kindness and experience of
rbrtio#1507 on the Helium discord. Also want to shout out all the extremely helpful folks in the #enclosures-and-offgrid Helium discord channel. Also big kudos to
Mo#3110 for being the first one to battle test this guide, and for finding (and dealing with) my fat fingered typos!
If this worked for ya and/or you enjoyed the birbs content, consider buying me a coffee… or a popeyes chicken sandwhich… or whatever: