raspiblitz / raspiblitz

Get your own Bitcoin & Lightning Node running - on a RaspberryPi with a nice LCD
MIT License

Hybrid clearnet and Tor mode for lightning (LND and CL) #2787

Open openoms opened 2 years ago

openoms commented 2 years ago

moving the discussion from #2684

LND config flag

https://docs.lightning.engineering/lightning-network-tools/lnd/quick-tor-setup#hybrid-mode

[tor]
; Allow outbound and inbound connections to be routed through Tor
; tor.active=true

; Allow the node to connect to non-onion services directly via clearnet. This
; allows the node operator to use direct connections to peers not running behind
; Tor, thus allowing lower latency and better connection stability.
; WARNING: This option will reveal the source IP address of the node, and should
; be used only if privacy is not a concern.
; tor.skip-proxy-for-clearnet-targets=true

C-lightning setting

https://lightning.readthedocs.io/TOR.html#quick-start-on-linux

# 'always-use-proxy' informs C-Lightning to always use Tor even when connecting to nodes with public IPs. 
# You can set this to false or remove it, if you are not privacy-conscious and find Tor is too slow for you.
always-use-proxy=false

Bitcoin Core

could be configured to use clearnet connections as well - need to look up the exact config. It would help to prevent the partitioning of the Bitcoin network into Tor-only and clearnet-only parts.

Hide the home IP address with a shared VPN

this should work on the RPi: https://mullvad.net/en/help/linux-openvpn-installation/

or a simple openvpn config and autostart with any provider (not recommending PIA): https://www.raspberrypi-spy.co.uk/2020/06/raspberry-pi-vpn-setup-guide/

To restart openvpn for the autostart to kick in:

sudo systemctl daemon-reload
sudo systemctl restart openvpn

Configure the ufw to stop leaking the public IP in case the VPN disconnects: https://www.comparitech.com/blog/vpn-privacy/how-to-make-a-vpn-kill-switch-in-linux-with-ufw/

If your VPN is configured with a domain, find out the IP addresses to which you need to allow the traffic with:

host vpn.domain.com

Can test with:

sudo systemctl start openvpn
curl https://api.ipify.org
# should show a VPN ip address
sudo systemctl stop openvpn
curl https://api.ipify.org
# this should be blocked

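
The kill switch and leak test described above, written out as ufw rules in a small shell script. This is an added example, not code from the original post or from raspiblitz. It assumes an OpenVPN tunnel on tun0 with a UDP endpoint port, takes the VPN server IPs as arguments (the addresses returned by host vpn.domain.com, the placeholder domain used above), and the 203.0.113.x addresses in the usage comment are constructed.

```sh
#!/bin/sh
# VPN kill switch for the setup above: with the tunnel down, nothing may leave
# through the real uplink, so the node's home IP cannot leak.  Added example,
# not raspiblitz code.  Assumptions: tunnel interface tun0, UDP VPN endpoint,
# server IPs passed in as arguments (203.0.113.5/.6 below are constructed).
set -e

# Resolve the VPN server name to its IPv4 addresses, one per line.
vpn_ips() { getent ahostsv4 "$1" | awk '{print $1}' | sort -u; }

# Emit the ufw commands for the kill switch: $1 = VPN UDP port, $2.. = server IPs.
killswitch_rules() {
  port="$1"; shift
  [ "$#" -gt 0 ] || { echo "killswitch_rules: no VPN server IP given" >&2; return 1; }
  echo "ufw default deny outgoing"
  for ip in "$@"; do
    # the only clearnet destination still allowed is the VPN endpoint itself
    echo "ufw allow out to $ip port $port proto udp"
  done
  # everything else (bitcoind, lnd, tor) has to leave through the tunnel
  echo "ufw allow out on tun0 from any to any"
}

# Apply the rules, then restart openvpn as the thread describes so the autostart kicks in.
apply_killswitch() {
  killswitch_rules "$@" | while IFS= read -r rule; do
    sudo $rule            # unquoted on purpose: the rule is a whole command line
  done
  sudo ufw --force enable
  sudo systemctl daemon-reload
  sudo systemctl restart openvpn
}

# Leak test from the thread: api.ipify.org must answer with the VPN address while
# the tunnel is up and must be unreachable while openvpn is stopped.
leak_check() {
  sudo systemctl start openvpn; sleep 5
  echo "with VPN: $(curl -s --max-time 10 https://api.ipify.org || echo '<no answer>')"
  sudo systemctl stop openvpn
  if curl -s --max-time 10 https://api.ipify.org >/dev/null; then
    echo "LEAK: clearnet reachable with the VPN down" >&2
    sudo systemctl start openvpn
    return 1
  fi
  echo "ok: blocked while the VPN is down"
  sudo systemctl start openvpn
}

# Usage (constructed values):
#   apply_killswitch 1194 $(vpn_ips vpn.domain.com)   # or: apply_killswitch 1194 203.0.113.5 203.0.113.6
#   leak_check
```

Replies to connections that are already established (the LAN SSH session you run this from) keep flowing under ufw's default stateful rules, so only new outbound connections are affected. If the Pi resolves DNS through the LAN router rather than through the tunnel, add a matching allow-out rule for that resolver before enabling, or the VPN domain cannot be looked up on the next boot.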
openoms commented 2 years ago

Setting tor.skip-proxy-for-clearnet-targets=true for the signet LND instance makes it fail straight after the wallet unlock:

[ERR] RPCS: [/lnrpc.Lightning/GetInfo]: wallet locked, unlock it to enable full RPC access
[INF] LNWL: Opened wallet
[INF] CHRE: Primary chain is set to: bitcoin
[INF] CHRE: Initializing bitcoind backed fee estimator in CONSERVATIVE mode
[INF] LNWL: Started listening for bitcoind transaction notifications via ZMQ on 127.0.0.1:23333
[INF] LNWL: Started listening for bitcoind block notifications via ZMQ on 127.0.0.1:23332
[ERR] RPCS: [/lnrpc.Lightning/GetInfo]: the RPC server is in the process of starting up, but not yet ready to accept calls
[INF] LNWL: The wallet has been unlocked without a time limit
[INF] CHRE: LightningWallet opened
[DBG] LNWL: Birthday block has already been verified: height=61982, hash=0000000c4c60c552336c6735f277fedc90f043bc8ab5b701660664722a8a69aa
[DBG] LNWL: Waiting for chain backend to sync to tip
[INF] LTND: Shutdown complete

EDIT: answered in https://github.com/lightningnetwork/lnd/issues/6005

Need to remove: tor.streamisolation=true

(currently you will also need to modify the prestart script. Comment out line 196:

setting ${lndConfFile} ${insertLine} "tor.streamisolation" "true"

in config.scripts/lnd.check.sh)

openoms commented 2 years ago

A script to activate a public VPN service + killswitch (firewall):

EDIT moved to a gist: https://gist.github.com/openoms/037bb0e3cccab58bfac5376db37bb57c

openoms commented 2 years ago

TODO for v1.7.2

remove the setting ${lndConfFile} ${insertLine} "tor.streamisolation" "true" from lnd.check.sh as it is incompatible with tor.skip-proxy-for-clearnet-targets=true and will cause trouble when the lnd.conf is edited manually.

rootzoll commented 2 years ago

OK looking forward to the PR :)

openoms commented 2 years ago

For v1.7.2 tor.skip-proxy-for-clearnet-targets=true can be configured manually and lnd.check.sh will switch tor.streamisolation off on LND restart.

Pushing the better clearnet support to v1.8.

openoms commented 2 years ago

A great guide about the options mentioned here, which also includes the option of using a VPN: https://github.com/blckbx/lnd-hybrid-mode/

rootzoll commented 2 years ago

@openoms wanna target this for soonish 1.8 or push it to 1.8.1?

benjamin-wilson commented 2 years ago

This is a killer feature, sooner the better! 🙏

openoms commented 2 years ago

@benjamin-wilson if you are not worried about exposing your public IP address to the channel peers, simply setting tor.skip-proxy-for-clearnet-targets=true in the [tor] section of lnd.conf does the job.

In the v1.7.2 release lnd.check.sh already deals with (switches off) tor.streamisolation if that option is active, so it shouldn't break anything. I think the killswitch configs are out of scope of our implementation; privacy-focused users should keep Tor-only.

So the implementation can simply be putting this setting in the menu with a sensible warning, and having a similar solution (always-use-proxy=false) for C-lightning.

benjamin-wilson commented 2 years ago

What is the behavior of LND when hybrid mode is on but the nat, externalip or externalhosts configurations are not set? Will it still skip Tor for outgoing connections but not broadcast the public IP for incoming?

openoms commented 2 years ago

What is the behavior of LND when hybrid mode is on but the nat, externalip or externalhosts configurations are not set? Will it still skip Tor for outgoing connections but not broadcast the public IP for incoming?

Yes, the tor.skip-proxy-for-clearnet-targets=true setting only applies to outgoing connections to clearnet nodes. No announcement of the IP is made with this setting, but the clearnet nodes will see your public IP address as the address of the connected node.

benjamin-wilson commented 2 years ago

Will two nodes that both have tor.skip-proxy-for-clearnet-targets=true still communicate through Tor only?

openoms commented 2 years ago

Will two nodes that both have tor.skip-proxy-for-clearnet-targets=true still communicate through Tor only?

If neither of them has a public IP endpoint advertised, then yes, they will communicate over Tor.

TheRealFuture42 commented 2 years ago

That would be great! I currently tunnel traffic over OpenVPN, but I can't use Tor that way.

maximlomans commented 2 years ago

What is the behavior of LND when hybrid mode is on but the nat, externalip or externalhosts configurations are not set? Will it still skip Tor for outgoing connections but not broadcast the public IP for incoming?

The strangest thing occurred - I could only make sense of it after stumbling on this thread.

So I figured I might as well try 'tor.streamisolation=false', since I've added 'tor.skip-proxy-for-clearnet-targets=1'. It worked in the sense that it didn't crash lnd for the first 20 min, then channels on the one node started going offline... Checking the lnd service status I saw it erred, went down and wouldn't start, while the isolation parameter kept resetting itself to true, automatically.

I thought it might be because the same node had c-lightning installed, albeit not enabled; it wasn't. To cut a long story short, what did get lnd to start up again was removing the 2 tor parameters on the one node. The other runs fine, but still no loop out routes back to the nodes. If it still fails after all that, I might have to disable Tor.

I'm assuming it had something to do with the Tor communication between the 2 nodes | private channel, maybe even watchtower. I didn't get that far into debugging the whole thing; it was almost 0600 by the time it started up again and I decided to pack it up for the night / day.

openoms commented 2 years ago

@maximlomans to disable the Tor stream isolation, edit it to false in config.scripts/lnd.check.sh

Since this is coming up repeatedly, I will disable this check completely for the next release.

maximlomans commented 2 years ago

Will do, thank you openoms ;) The same node had c-lightning installed... must've run lnd.check.sh. The other didn't; went to check, though I edited it anyway. Didn't work, had to undo: c-lightning kept reapplying 'tor.streamisolation=true', even after trying to comment it out. Looked into cl's network.aliases.sh, no sign of tor. Not yet done,

● lnd.service - LND on
     Loaded: loaded (/etc/systemd/system/lnd.service; enabled; vendor preset: enabled)
     Active: activating (auto-restart) (Result: exit-code) since Thu 2022-05-05 17:31:17 CEST; 18s ago
    Process: 10897 ExecStartPre=/home/admin/config.scripts/lnd.check.sh prestart mainnet (code=exited, status=0/SUCCESS)
    Process: 10998 ExecStart=/usr/local/bin/lnd --configfile=/home/bitcoin/.lnd/lnd.conf (code=exited, status=1/FAILURE)
   Main PID: 10998 (code=exited, status=1/FAILURE)

maximlomans commented 2 years ago

got it - cat ~/.lightning/config

# lightningd configuration for bitcoin mainnet
network=bitcoin
announce-addr=127.0.0.1:9736
log-file=cl.log
log-level=info
plugin-dir=/home/bitcoin/cl-plugins-enabled

# Tor settings
proxy=127.0.0.1:9050
bind-addr=127.0.0.1:9736
addr=statictor:127.0.0.1:9051/torport=9736
always-use-proxy=true

maximlomans commented 2 years ago

Still not, there must be another network/Tor conflict... I'll have to take solace in the fact that the other node publishes the IP.

rootzoll commented 2 years ago

@openoms lots of input here - can you give me the tl;dr as a takeaway for the v1.8.0 release? Sounds at least like enough interest for an FAQ entry on that topic.

openoms commented 2 years ago

"Hybrid" mode settings for CLN:

Update /home/bitcoin/.lightning/config:

# Tor
addr=statictor:127.0.0.1:9051/torport=9735
proxy=127.0.0.1:9050
always-use-proxy=false

# Clearnet
bind-addr=0.0.0.0:<ClearnetPort>
announce-addr=<ClearnetIp>:<ClearnetPort>

See https://lightning.readthedocs.io/lightningd-config.5.html#networking-options

https://twitter.com/SwissRouting/status/1543617791017816064 https://t.me/lightningd/14227
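
The tor.streamisolation conflict from earlier in the thread (LND shutting down right after the unlock, lnd.check.sh re-applying the setting) and the CLN hybrid settings just above both come down to a handful of config lines, so here is an added checker for them. It is not part of raspiblitz or its lnd.check.sh: it lints an lnd.conf for the conflicting pair and for a missing clearnet announcement, lints a CLN config for loopback-only announce-addr and bind-addr, and can switch stream isolation off in place the way lnd.check.sh does on restart. The sample configs inside it are constructed, 203.0.113.10 is a placeholder from the documentation IP range, and the file paths in the usage comment are assumptions.

```sh
#!/bin/sh
# Lint lnd.conf and the CLN config for the hybrid-mode pitfalls raised in this
# thread: the tor.streamisolation conflict that stops LND, a missing clearnet
# announcement, and loopback-only announce/bind addresses in CLN.  Added
# example, not raspiblitz's lnd.check.sh; the sample configs are constructed
# and 203.0.113.10 is a documentation-range placeholder IP.
set -e

# Last uncommented value of key $2 in file $1.  ';' and '#' comment lines never
# match because they do not start with the key; dots in keys match literally.
conf_get() {
  key=$(printf '%s' "$2" | sed 's/[.]/\\./g')
  grep -E "^[[:space:]]*${key}[[:space:]]*=" "$1" | tail -n1 | cut -d= -f2- | sed 's/[[:space:]]//g'
}

# Every uncommented value of key $2 (CLN keys such as bind-addr may repeat).
cln_get() { grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | cut -d= -f2- | sed 's/[[:space:]]//g'; }

# Accept the spellings seen in the thread (true and 1) plus yes/on.
is_true() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    1|true|t|yes|y|on) return 0 ;;
    *) return 1 ;;
  esac
}

# Print findings for lnd.conf $1; exit 1 when LND would shut down on start.
lint_lnd() {
  rc=0
  if is_true "$(conf_get "$1" tor.skip-proxy-for-clearnet-targets)"; then
    if is_true "$(conf_get "$1" tor.streamisolation)"; then
      echo "LND_STREAMISOLATION_CONFLICT: tor.streamisolation=true cannot be combined with tor.skip-proxy-for-clearnet-targets=true (LND shuts down right after the wallet unlock); remove or disable tor.streamisolation"
      rc=1
    fi
    if [ -z "$(conf_get "$1" externalip)$(conf_get "$1" externalhosts)$(conf_get "$1" nat)" ]; then
      echo "LND_NO_CLEARNET_ANNOUNCE: outgoing clearnet connections are on, but without externalip/externalhosts/nat only the onion address is announced; every clearnet peer you dial still sees your public IP"
    fi
  fi
  return $rc
}

# What lnd.check.sh does for you on restart: switch stream isolation off in place.
disable_streamisolation() {
  sed -i 's/^[[:space:]]*tor\.streamisolation[[:space:]]*=.*/tor.streamisolation=false/' "$1"
}

loopback_re='^(127\.|localhost|\[::1\])'

# Print findings for a CLN config $1 meant for hybrid mode; exit 1 if broken.
lint_cln() {
  rc=0
  if is_true "$(cln_get "$1" always-use-proxy | tail -n1)"; then
    echo "CLN_TOR_ONLY: always-use-proxy=true sends every outgoing connection through Tor; set always-use-proxy=false for hybrid mode"
  fi
  if [ -z "$(cln_get "$1" proxy)" ]; then
    echo "CLN_NO_PROXY: no proxy=127.0.0.1:9050, so .onion peers cannot be reached"
    rc=1
  fi
  if cln_get "$1" announce-addr | grep -Eq "$loopback_re"; then
    echo "CLN_LOOPBACK_ANNOUNCE: announce-addr points at loopback, which no remote peer can reach; use announce-addr=<ClearnetIp>:<ClearnetPort>"
    rc=1
  fi
  if cln_get "$1" announce-addr | grep -Evq "$loopback_re" && ! cln_get "$1" bind-addr | grep -Evq "$loopback_re"; then
    echo "CLN_BIND_LOOPBACK_ONLY: a clearnet address is announced but no bind-addr listens on a non-loopback interface; use bind-addr=0.0.0.0:<ClearnetPort>"
    rc=1
  fi
  return $rc
}

# Constructed sample: the broken pair from the thread (note the '1' spelling).
sample_lnd_conflict() {
  printf '%s\n' '[Application Options]' 'alias=hybrid-test' '' '[tor]' 'tor.active=true' \
    'tor.streamisolation=true' 'tor.skip-proxy-for-clearnet-targets=1'
}
# Constructed sample: the Tor-only CLN config quoted earlier in the thread.
sample_cln_toronly() {
  printf '%s\n' 'network=bitcoin' 'announce-addr=127.0.0.1:9736' 'proxy=127.0.0.1:9050' \
    'bind-addr=127.0.0.1:9736' 'addr=statictor:127.0.0.1:9051/torport=9736' 'always-use-proxy=true'
}
# Constructed sample: the hybrid settings above with the placeholders filled in.
sample_cln_hybrid() {
  printf '%s\n' '# Tor' 'addr=statictor:127.0.0.1:9051/torport=9735' 'proxy=127.0.0.1:9050' \
    'always-use-proxy=false' '# Clearnet' 'bind-addr=0.0.0.0:9735' 'announce-addr=203.0.113.10:9735'
}

# Usage (paths are assumptions): sh hybrid-lint.sh lnd /home/bitcoin/.lnd/lnd.conf
#                                 sh hybrid-lint.sh cln /home/bitcoin/.lightning/config
#                                 sh hybrid-lint.sh demo
case "${1:-}" in
  lnd) lint_lnd "$2" ;;
  cln) lint_cln "$2" ;;
  demo)
    d=$(mktemp -d)
    sample_lnd_conflict > "$d/lnd.conf"
    lint_lnd "$d/lnd.conf" || { echo "-> disabling stream isolation"; disable_streamisolation "$d/lnd.conf"; lint_lnd "$d/lnd.conf"; }
    sample_cln_toronly > "$d/config"; lint_cln "$d/config" || true
    sample_cln_hybrid > "$d/config"; lint_cln "$d/config" && echo "hybrid CLN config: no findings"
    ;;
esac
```

The LND_NO_CLEARNET_ANNOUNCE line is informational rather than an error: it is exactly the outbound-only behaviour openoms describes above, where nothing is announced but every clearnet peer you dial still learns your address.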

openoms commented 2 years ago

There is a great paid solution now under beta testing (looking very good): https://tunnelsats.com/ https://github.com/blckbx/tunnelsats

turbolift commented 1 year ago

I configured an ip2tor subscription for my raspiblitz to forward the public address to the onion service. After trying to use the hybrid clearnet configuration I realized that lnd.check.sh is "fixing" my manual configuration of lnd.conf.

Is this a valid configuration and will raspiblitz support ip2tor configurations?

openoms commented 1 year ago

I configured an ip2tor subscription for my raspiblitz to forward the public address to the onion service. After trying to use the hybrid clearnet configuration I realized that lnd.check.sh is "fixing" my manual configuration of lnd.conf.

Is this a valid configuration and will raspiblitz support ip2tor configurations?

No, this is not a good idea as the outgoing connections will still go to your peers through your clearnet public IP address. You might as well broadcast your public IP as the node address; Ip2Tor doesn't help. In any case you can just rename lnd.check.sh to stop it overriding your manual config.

jchia commented 1 year ago

"Hybrid" mode settings for CLN:

Update /home/bitcoin/.lightning/config:

# Tor
addr=statictor:127.0.0.1:9051/torport=9735
proxy=127.0.0.1:9050
always-use-proxy=false

# Clearnet
bind-addr=0.0.0.0:<ClearnetPort>
announce-addr=<ClearnetIp>:<ClearnetPort>

See https://lightning.readthedocs.io/lightningd-config.5.html#networking-options

https://twitter.com/SwissRouting/status/1543617791017816064 https://t.me/lightningd/14227

What is this file? It's not on my raspiblitz 1.8.0 and after I created it and restarted lnd.service, my node was still announcing only the onion address.

TheRealFuture42 commented 1 year ago

"Hybrid" mode settings for CLN: Update /home/bitcoin/.lightning/config:

# Tor
addr=statictor:127.0.0.1:9051/torport=9735
proxy=127.0.0.1:9050
always-use-proxy=false

# Clearnet
bind-addr=0.0.0.0:<ClearnetPort>
announce-addr=<ClearnetIp>:<ClearnetPort>

See https://lightning.readthedocs.io/lightningd-config.5.html#networking-options https://twitter.com/SwissRouting/status/1543617791017816064 https://t.me/lightningd/14227

What is this file? It's not on my raspiblitz 1.8.0 and after I created it and restarted lnd.service, my node was still announcing only the onion address.

This will not work currently with these settings. Hybrid mode is on Milestone 1.8.2 https://github.com/rootzoll/raspiblitz/milestone/18

Currently, this is only possible through various workarounds!

One of them is to create a VPN server with a public static IP in front of your Raspiblitz. That's how I do it, but I don't recommend it because you have to change a few things and ensure that the settings are correct with every update. This may cause some of the features of your Raspiblitz to stop working properly. It is probably wiser to wait for the official integration ;)

benjamin-wilson commented 1 year ago

Is there currently a way to do hybrid mode with CLN and 1.9? After 1.8 it broke the hybrid mode.