Need to access remote bitcoin node for Lightning
Instead of completely opening up RPC ports to the whole internet, I would do something quite different. There, you are relying on the strength of your RPC auth credentials and the implementation being bug-free. Bitcoind itself strongly discourages doing what was suggested in the other answer:
```text
-rpcbind=<addr>[:port]
       Bind to given address to listen for JSON-RPC connections. Do not expose the RPC server to untrusted networks such as the public internet! This option is ignored unless -rpcallowip is also passed. Port is optional and overrides -rpcport. Use [host]:port notation for IPv6. This option can be specified multiple times (default: 127.0.0.1 and ::1 i.e., localhost)
```
I solved it on a network level: Since I have the SSH port open anyway (though on a non-standard port just for that extra little bit of obscurity on top of the obviously non-obscurity-reliant security), I opted for SSH tunneling.
Basically I have a systemd service on the LN node that starts after boot and creates an SSH connection to my Bitcoin node. Through that tunnel, it can access the node's RPC port 18332 (testnet). The port is not exposed directly to the internet this way; instead it is only reachable via SSH.
The service is mostly stolen from https://avizard.blogspot.com/2021/01/aggressive-yet-sane-persistent-ssh-with.html.
```ini
$ cat /etc/systemd/system/autossh_systemd_unit.service
[Unit]
Description=AutoSSH service to remotely access RPC of Bitcoin node
#After=network-online.target
# Use this instead if autossh will interact with the local SSH server
After=network-online.target sshd.service

[Service]
User=[NONPRIV_USER]
Environment="AUTOSSH_GATETIME=30"
Environment="AUTOSSH_POLL=30"
Environment="AUTOSSH_FIRST_POLL=30"
# -M 0 disables autossh's own monitor port; liveness comes from ServerAlive* instead.
# -N opens no remote shell, only the local forward of the RPC port through the tunnel.
ExecStart=/usr/bin/autossh -M 0 -N -q -o "ServerAliveInterval 10" -o "ServerAliveCountMax 3" -o "ExitOnForwardFailure yes" -p [SSH_PORT] -l [USER] [HOST] -i [SSH_KEY] -L 18332:127.0.0.1:18332
#sleep 10
# We set 'sleep 10' to make ssh exit in case no TCP connections are forwarded in 10 seconds.
# Useful to get remote shell exit codes.
ExecStop=/usr/bin/kill $MAINPID
ExecReload=/usr/bin/kill -HUP $MAINPID
Restart=always
# On Linux TCP_TIMEWAIT_LEN is not tunable and set to (60*HZ), about 60 seconds.
# TCP_FIN_TIMEOUT also defaults to 60 seconds.
RestartSec=60
# See systemd.kill(5)
KillMode=process

[Install]
WantedBy=default.target
```
Additionally, the ufw firewall on my Bitcoin node only allows SSH access from 2 specific IPs, which are the one that my Lightning node runs on and another one from which I manage my stuff.
```text
$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
8333                       ALLOW       Anywhere                   # Bitcoin Mainnet
18333                      ALLOW       Anywhere                   # Bitcoin Testnet
[SSH_PORT]/tcp             ALLOW       [LN_NODE_IP]               # SSH
[SSH_PORT]/tcp             ALLOW       [MGMT_IP]                  # SSH
8333 (v6)                  ALLOW       Anywhere (v6)              # Bitcoin Mainnet
18333 (v6)                 ALLOW       Anywhere (v6)              # Bitcoin Testnet
```
Finally, all users can only be logged into with authorized SSH keys, and the LN node doesn't hold a key to a superuser account; instead, the only user that machine (server) can ever access is a non-privileged user. This means that in case the LN node gets taken control of, my Bitcoin node is still fine.
```text
$ cat /etc/ssh/sshd_config
[...]
Port [SSH_PORT]
[...]
PubkeyAuthentication yes
[...]
PasswordAuthentication no
[...]
```
Additionally, an IDS would be advisable on both machines, but the setup for that exceeds the scope of this question.
I would be interested to hear what other options people use!
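As an added example (not part of the answer above), a small audit script that checks the two properties this setup relies on: that bitcoind's RPC is bound and allowed only on loopback, and that the firewall neither exposes an RPC port nor admits SSH from anything but the expected hosts. The bitcoin.conf and `ufw status` samples, the SSH port 2222 and the 203.0.113.x addresses are constructed placeholders.

```python
import re

# Constructed sample inputs, not taken from the original answer: a bitcoin.conf
# that exposes RPC the way the warning describes, and a ufw listing with one bad rule.
BITCOIN_CONF = """\
testnet=1
server=1
rpcbind=0.0.0.0        # listens on every interface
rpcallowip=0.0.0.0/0   # and accepts RPC from any source
rpcuser=alice
"""
UFW_STATUS = """\
Status: active
To                         Action      From
8333                       ALLOW       Anywhere                   # Bitcoin Mainnet
2222/tcp                   ALLOW       203.0.113.10               # SSH from LN node
2222/tcp                   ALLOW       203.0.113.20               # SSH from mgmt host
18332                      ALLOW       Anywhere                   # RPC exposed: wrong
8333 (v6)                  ALLOW       Anywhere (v6)              # Bitcoin Mainnet
"""
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
RPC_PORTS = {"8332", "18332"}  # mainnet / testnet JSON-RPC ports

def _host(value):
    """Strip an optional :port from an rpcbind value ([v6]:port or v4:port)."""
    m = re.match(r"^\[(.+)\](?::\d+)?$", value)
    return m.group(1) if m else (value.split(":")[0] if value.count(":") == 1 else value)

def audit_bitcoin_conf(text):
    """Flag rpcbind/rpcallowip values that let RPC be reached beyond localhost."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if key == "rpcbind" and _host(value) not in LOOPBACK:
            findings.append(f"rpcbind={value}: RPC listens on a non-loopback address")
        if key == "rpcallowip" and not value.startswith(("127.", "::1", "localhost")):
            findings.append(f"rpcallowip={value}: RPC accepted from non-local sources")
    return findings

UFW_RULE = re.compile(r"^(\S+)(?: \(v6\))?\s+(ALLOW|LIMIT)\s+(\S+)")

def audit_ufw(text, ssh_port, allowed_ssh_from):
    """Flag rules that expose an RPC port or admit SSH from an unexpected source."""
    findings = []
    for line in text.splitlines():
        m = UFW_RULE.match(line)
        if not m:
            continue                          # header lines and DENY rules are skipped
        port, src = m.group(1).split("/")[0], m.group(3)
        if port in RPC_PORTS:
            findings.append(f"{line.strip()}: RPC port {port} reachable through the firewall")
        elif port == ssh_port and src not in allowed_ssh_from:
            findings.append(f"{line.strip()}: SSH allowed from {src}, not in allow-list")
    return findings
```

Run the two functions against the real files after each change to the node; an empty findings list is the expected state for the setup described in the answer.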