Open openoms opened 2 years ago
Setting
tor.skip-proxy-for-clearnet-targets=true
for the signet LND instance makes it fail straight after the wallet unlock:
[ERR] RPCS: [/lnrpc.Lightning/GetInfo]: wallet locked, unlock it to enable full RPC access
[INF] LNWL: Opened wallet
[INF] CHRE: Primary chain is set to: bitcoin
[INF] CHRE: Initializing bitcoind backed fee estimator in CONSERVATIVE mode
[INF] LNWL: Started listening for bitcoind transaction notifications via ZMQ on 127.0.0.1:23333
[INF] LNWL: Started listening for bitcoind block notifications via ZMQ on 127.0.0.1:23332
[ERR] RPCS: [/lnrpc.Lightning/GetInfo]: the RPC server is in the process of starting up, but not yet ready to accept calls
[INF] LNWL: The wallet has been unlocked without a time limit
[INF] CHRE: LightningWallet opened
[DBG] LNWL: Birthday block has already been verified: height=61982, hash=0000000c4c60c552336c6735f277fedc90f043bc8ab5b701660664722a8a69aa
[DBG] LNWL: Waiting for chain backend to sync to tip
[INF] LTND: Shutdown complete
EDIT: answered in https://github.com/lightningnetwork/lnd/issues/6005
Need to remove:
tor.streamisolation=true
(currently will need to modify the prestart script also. Comment out the line 196:
setting ${lndConfFile} ${insertLine} "tor.streamisolation" "true"
in config.scripts/lnd.check.sh
)
A script to activate a public VPN service + killswitch (firewall):
EDIT moved to a gist: https://gist.github.com/openoms/037bb0e3cccab58bfac5376db37bb57c
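As an added example (not code from lnd and not RaspiBlitz's lnd.check.sh), the two [tor] edits above can be applied and sanity-checked with a small POSIX sh helper. It sets tor.skip-proxy-for-clearnet-targets=true, switches tor.streamisolation to false, and refuses to leave the file with both options enabled, which is the combination that shut LND down right after the wallet unlock in the log above. Assumptions: GNU sed (as on Raspberry Pi OS / Debian), a plain key=value lnd.conf with a [tor] section header, and the file path passed as the first argument; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from lnd or RaspiBlitz's lnd.check.sh.
# Switches an lnd.conf to "hybrid" mode and refuses the [tor] combination the
# issue reports as fatal (skip-proxy-for-clearnet-targets together with
# streamisolation). Assumes GNU sed (Raspberry Pi OS / Debian) and a plain
# key=value lnd.conf; the path is passed as the first argument.
set -eu

# LND accepts true/1 and false/0 for booleans.
is_true() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    true|1) return 0 ;;
    *)      return 1 ;;
  esac
}

# Escape the dots of a key so "tor.active" is not also matched by "torXactive".
key_re() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Print the last value set for KEY in CONF (empty if unset).
lnd_get_tor_option() {
  conf="$1"; re="$(key_re "$2")"
  sed -n "s|^[[:space:]]*${re}[[:space:]]*=[[:space:]]*||p" "$conf" | tail -n1
}

# Set KEY=VALUE in CONF: replace an existing line, otherwise append it directly
# after the [tor] header (adding the section when the file has none).
lnd_set_tor_option() {
  conf="$1"; key="$2"; value="$3"; re="$(key_re "$key")"
  grep -qi '^\[tor\]' "$conf" || printf '\n[tor]\n' >> "$conf"
  if grep -q "^[[:space:]]*${re}[[:space:]]*=" "$conf"; then
    sed -i "s|^[[:space:]]*${re}[[:space:]]*=.*|${key}=${value}|" "$conf"
  else
    sed -i "/^\[[Tt]or\]/a ${key}=${value}" "$conf"
  fi
}

# Return 0 when the [tor] options are consistent, 1 for the combination that
# makes LND shut down right after the wallet unlock.
lnd_check_hybrid() {
  skip="$(lnd_get_tor_option "$1" tor.skip-proxy-for-clearnet-targets)"
  iso="$(lnd_get_tor_option "$1" tor.streamisolation)"
  if is_true "$skip" && is_true "$iso"; then
    echo "error: tor.skip-proxy-for-clearnet-targets=true is incompatible with tor.streamisolation=true" >&2
    return 1
  fi
  return 0
}

# Hybrid mode: outgoing connections to clearnet peers bypass Tor, .onion peers
# and the node's own onion service still go through it; stream isolation off.
lnd_enable_hybrid() {
  lnd_set_tor_option "$1" tor.skip-proxy-for-clearnet-targets true
  lnd_set_tor_option "$1" tor.streamisolation false
  lnd_check_hybrid "$1"
}

# Usage: sh lnd-hybrid.sh /home/bitcoin/.lnd/lnd.conf && sudo systemctl restart lnd
if [ "${1:-}" ]; then
  lnd_enable_hybrid "$1" && echo "hybrid mode set in $1, restart lnd to apply"
fi
```

Run it against a copy of lnd.conf first; on a RaspiBlitz release whose lnd.check.sh still re-inserts tor.streamisolation=true on every restart, the check will fail again after the prestart script has run, which is exactly the symptom discussed below.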
TODO for v1.7.2
remove the
setting ${lndConfFile} ${insertLine} "tor.streamisolation" "true"
from lnd.check.sh
as it is incompatible with
tor.skip-proxy-for-clearnet-targets=true
and will cause trouble when the lnd.conf is edited manually.
OK, looking forward to the PR :)
For v1.7.2 tor.skip-proxy-for-clearnet-targets=true
can be configured manually and lnd.check.sh
will switch tor.streamisolation
off on LND restart.
Pushing the better clearnet support to v1.8.
A great guide about the options mentioned here, which also includes the option of using a VPN: https://github.com/blckbx/lnd-hybrid-mode/
@openoms wanna target this for soonish 1.8 or push it to 1.8.1?
This is a killer feature, sooner the better! 🙏
@benjamin-wilson if you are not worried about exposing your public IP address to the channel peers, simply setting:
tor.skip-proxy-for-clearnet-targets=true
in the [tor]
section of the lnd.conf
does the job.
In the v1.7.2 release lnd.check.sh
already deals with (switches off) tor.streamisolation
if that option is active, so it shouldn't break anything.
I think the killswitch configs are out of scope of our implementation; privacy-focused users should keep Tor-only.
So the implementation can be simply putting this setting in the menu with a sensible warning and having the similar solution (always-use-proxy=false) for C-lightning.
What is the behavior of LND when hybrid mode is on but the nat,externalip or externalhosts configurations are not set? Will it still skip tor for outgoing connections but not broadcast the public ip for incoming?
yes, the tor.skip-proxy-for-clearnet-targets=true
setting only applies to outgoing connections to clearnet nodes. There is no announcement of the IP made with this setting, but the clearnet nodes will see your public IP address - as the address of the connected node.
Will two nodes that both have tor.skip-proxy-for-clearnet-targets=true
still communicate though tor only?
if neither of them have a public IP endpoint advertised then yes, will communicate over Tor.
That would be great! I currently tunnel traffic over OpenVPN, but I can't use Tor that way.
The strangest thing occurred - i could only make sense of it after stumbling on this thread.
I have 2 nodes, both behind tor and linked to one another through a private channel. Still struggling to get a single loop out to complete successfully, meaning actually moving funds on-chain, and not just telling me it "completed"; still an improvement from where I was months ago, it wouldn't even initiate. The main difference now is that I dig [nat | prot_forwarding] incompatibilities.
So I figured I might as well try the 'tor.streamisolation=false', since I've added 'tor.skip-proxy-for-clearnet-targets=1'. It worked in the sense it didn't crash lnd for the first 20 min, then channels on the one node started going offline... checking lnd service status I saw it erred, went down and wouldn't start, while the isolation parameter kept resetting itself to true, automatically.
I thought it might be because the same node had c-lightning installed, albeit not enabled; it wasn't. To cut a long story short, what did get lnd to start up again was removing the 2 tor parameters on the one node; the other runs fine, but still no loop out routes back to the nodes. If it still fails after all that, I might have to disable tor.
I'm assuming it had something to do with the tor communication between the 2 nodes (private channel), maybe even the watchtower. I didn't get that far into debugging the whole thing; it was almost 0600 by the time it started up again and I decided to pack it up for the night/day.
@maximlomans to disable the tor streamisolation
edit it to false in the config.scripts/lnd.check.sh
since this is coming up repeatedly will disable this check completely for the next release
Will do, thank you openoms ;) The same node had c-lightning installed ... must've run lnd.check.sh. The other didn't; went to check, though I edited it anyway. Didn't work, had to undo; c-lightning kept reapplying the 'tor.streamisolation=true', even after trying to comment it out. Looked into cl's network.aliases.sh, no sign of tor. Not yet done,
● lnd.service - LND on
     Loaded: loaded (/etc/systemd/system/lnd.service; enabled; vendor preset: enabled)
     Active: activating (auto-restart) (Result: exit-code) since Thu 2022-05-05 17:31:17 CEST; 18s ago
    Process: 10897 ExecStartPre=/home/admin/config.scripts/lnd.check.sh prestart mainnet (code=exited, status=0/SUCCESS)
    Process: 10998 ExecStart=/usr/local/bin/lnd --configfile=/home/bitcoin/.lnd/lnd.conf (code=exited, status=1/FAILURE)
   Main PID: 10998 (code=exited, status=1/FAILURE)
got it - cat ~/.lightning/config
network=bitcoin
announce-addr=127.0.0.1:9736
log-file=cl.log
log-level=info
plugin-dir=/home/bitcoin/cl-plugins-enabled
proxy=127.0.0.1:9050
bind-addr=127.0.0.1:9736
addr=statictor:127.0.0.1:9051/torport=9736
always-use-proxy=true
Still not; there must be another network/tor conflict ... I'll have to take solace in the fact that the other node publishes the IP.
@openoms lots of input here - can you give me the tl;dr as a takeaway for the v1.8.0 release? It sounds at least like enough interest for an FAQ entry on that topic.
"Hybrid" mode settings for CLN:
Update /home/bitcoin/.lightning/config:
# Tor
addr=statictor:127.0.0.1:9051/torport=9735
proxy=127.0.0.1:9050
always-use-proxy=false
# Clearnet
bind-addr=0.0.0.0:<ClearnetPort>
announce-addr=<ClearnetIp>:<ClearnetPort>
See https://lightning.readthedocs.io/lightningd-config.5.html#networking-options
https://twitter.com/SwissRouting/status/1543617791017816064 https://t.me/lightningd/14227
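The CLN settings above and the Tor-only config posted earlier in the thread differ in only a few keys, and it is easy to get a node that quietly leaks its IP to clearnet peers without announcing anything. As an added example (not Core Lightning or RaspiBlitz code), here is a POSIX sh/awk classifier that reads a CLN config file and reports which of the four network modes it produces, following the semantics of the networking options documented at the link above: proxy= and always-use-proxy= decide how outgoing connections are made, addr= and announce-addr= decide what gets gossiped. It assumes one key=value per line and treats 127.0.0.1/localhost, statictor:/autotor: and .onion values as non-public; the function name and the mode labels are mine, and 203.0.113.5 is a documentation-range placeholder for <ClearnetIp>.

```shell
#!/bin/sh
# Added example, not code from Core Lightning or RaspiBlitz.
# Classifies a CLN config (file argument, or stdin when none is given) as
#   clearnet-only             no proxy= at all, every connection is direct
#   tor-only                  always-use-proxy=true, all connections via Tor
#   hybrid                    proxy for .onion peers, direct to clearnet peers,
#                             and a clearnet address is announced in gossip
#   clearnet-out-unannounced  direct to clearnet peers (they see your IP), but
#                             nothing but the onion address is announced
set -eu

cln_config_mode() {
  file="${1:--}"
  awk '
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      if (line ~ /^#/ || index(line, "=") == 0) next
      i = index(line, "=")           # split on the FIRST "=" only:
      key = substr(line, 1, i - 1)   # statictor:...:9051/torport=9735 keeps its "="
      val = substr(line, i + 1)
      sub(/[ \t]+$/, "", key); sub(/^[ \t]+/, "", val)
    }
    key == "proxy"            { proxy = val }
    key == "always-use-proxy" { aup = val }
    # addr= both binds and announces, unless it is a Tor service or loopback
    key == "addr" && val !~ /^(statictor|autotor):/ && val !~ /^(127\.|localhost)/ { pubann = 1 }
    # announce-addr= only announces; .onion and loopback do not expose the IP
    key == "announce-addr" && val !~ /\.onion/ && val !~ /^(127\.|localhost)/ { pubann = 1 }
    END {
      if (proxy == "")                 { print "clearnet-only"; exit }
      if (aup == "true" || aup == "1") { print "tor-only"; exit }
      if (pubann)                      { print "hybrid"; exit }
      print "clearnet-out-unannounced"
    }' "$file"
}

# Demo with constructed configs (not real node data): the Tor-only layout and
# the hybrid layout from the thread, with a placeholder clearnet IP.
if [ "${1:-}" = "--demo" ]; then
  printf 'proxy=127.0.0.1:9050\nalways-use-proxy=true\naddr=statictor:127.0.0.1:9051/torport=9735\n' | cln_config_mode
  printf 'proxy=127.0.0.1:9050\nalways-use-proxy=false\nbind-addr=0.0.0.0:9735\nannounce-addr=203.0.113.5:9735\n' | cln_config_mode
elif [ "${1:-}" ]; then
  cln_config_mode "$1"
fi
```

Usage: sh cln-mode.sh /home/bitcoin/.lightning/config. The fourth label is the one to watch for: it is the CLN equivalent of LND's tor.skip-proxy-for-clearnet-targets=true without externalip, which the thread describes as "clearnet nodes will see your public IP address" even though nothing is announced.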
There is a great paid solution now under beta testing (looking very good): https://tunnelsats.com/ https://github.com/blckbx/tunnelsats
I configured an ip2tor subscription for my raspiblitz to forward the public address to the onion service. After trying to use the hybrid clearnet configuration I realized that lnd.check.sh is "fixing" my manual configuration of lnd.conf.
Is this a valid configuration, and will raspiblitz support ip2tor configurations?
No, this is not a good idea as the outgoing connection will still go to your peers through your clearnet public IP address. You might as well broadcast your public IP as the node address; Ip2Tor doesn't help.
In any case you can just rename lnd.check.sh
to stop it overriding your manual config.
"Hybrid" mode settings for CLN:
Update
/home/bitcoin/.lightning/config:
What is this file? It's not on my raspiblitz 1.8.0 and after I created it and restarted lnd.service, my node was still announcing only the onion address.
This will not work currently with these settings. Hybrid mode is on Milestone 1.8.2 https://github.com/rootzoll/raspiblitz/milestone/18
Currently, this is only possible through various workarounds!
One of them is to create a VPN server with a public static IP in front of your Raspiblitz. That's how I do it, but I don't recommend it because you have to change a few things and ensure that the settings are correct with every update. This may cause some of the features of your Raspiblitz to stop working properly. It is probably wiser to wait for the official integration ;)
Is there currently a way to do hybrid mode with CLN and 1.9? After 1.8 it broke the hybrid mode.
moving the discussion from #2684
LND config flag
https://docs.lightning.engineering/lightning-network-tools/lnd/quick-tor-setup#hybrid-mode
C-lightning setting
https://lightning.readthedocs.io/TOR.html#quick-start-on-linux
Bitcoin Core
could be configured to use clearnet connections as well - need to look up the exact config. It would help to prevent the partitioning of the Bitcoin network into Tor-only and clearnet-only parts.
Hide the home IP address with a shared VPN
this should work on the RPi: https://mullvad.net/en/help/linux-openvpn-installation/
or a simple openvpn config and autostart with any provider (not recommending PIA): https://www.raspberrypi-spy.co.uk/2020/06/raspberry-pi-vpn-setup-guide/
To restart openvpn for the autostart to kick in:
Configure ufw to stop leaking the public IP in case the VPN disconnects: https://www.comparitech.com/blog/vpn-privacy/how-to-make-a-vpn-kill-switch-in-linux-with-ufw/
If your VPN is configured with a domain, find out the IPs with:
to which addresses you need to allow the traffic.
Can test with:
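The kill switch described above, as an added example (not the gist linked earlier and not RaspiBlitz code): a POSIX sh script that builds the ufw rule set from a few variables and only applies it when asked. The interface names, LAN range, VPN endpoint IPs (documentation-range placeholders standing in for the addresses you resolved from the provider's domain) and ports are assumptions to be adjusted; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the linked gist. Generates the ufw rules for a VPN
# kill switch: the uplink may only talk to the LAN and to the VPN endpoint(s),
# all other egress has to leave through the tunnel interface, so a dropped VPN
# means no traffic instead of traffic from the home IP.
# Assumed values, adjust for your setup:
set -eu
WAN_IF="eth0"                     # physical uplink
VPN_IF="tun0"                     # OpenVPN/WireGuard tunnel interface
LAN_NET="192.168.1.0/24"          # keep SSH from the LAN working when the VPN is down
VPN_PROTO="udp"                   # OpenVPN default transport
VPN_PORT="1194"
VPN_IPS="203.0.113.10 203.0.113.11"   # placeholder endpoint IPs (resolve your provider's domain)
LN_PORT="9735"                    # port the provider forwards to the node, if any

is_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the ufw commands; nothing is applied here, so the output can be reviewed.
killswitch_rules() {
  echo "ufw --force reset"
  echo "ufw default deny incoming"
  echo "ufw default deny outgoing"
  # LAN management stays possible even when the tunnel is down
  echo "ufw allow in on $WAN_IF from $LAN_NET to any port 22 proto tcp"
  echo "ufw allow out on $WAN_IF to $LAN_NET"
  # the only permitted clearnet egress on the uplink: the VPN endpoint(s).
  # Endpoints must be IPs: with default-deny egress, DNS for a hostname in the
  # OpenVPN "remote" line would be blocked before the tunnel exists.
  for ip in $VPN_IPS; do
    is_ipv4 "$ip" || { echo "invalid VPN endpoint: $ip" >&2; return 1; }
    echo "ufw allow out on $WAN_IF to $ip port $VPN_PORT proto $VPN_PROTO"
  done
  # everything else (Tor, bitcoind, lnd, apt) goes through the tunnel
  echo "ufw allow out on $VPN_IF"
  # inbound Lightning connections arrive via the provider's forwarded port
  echo "ufw allow in on $VPN_IF to any port $LN_PORT proto tcp"
  echo "ufw enable"
}

# Usage: sh killswitch.sh          (print rules)   |   sudo sh killswitch.sh --apply
# --apply resets the existing ufw rule set, so review the printed rules first.
if [ "${1:-}" = "--apply" ]; then
  killswitch_rules | sh -e
elif [ "${1:-}" = "" ]; then
  : # sourced or run for review; call killswitch_rules explicitly
else
  killswitch_rules
fi
```

With the VPN up, `curl https://ifconfig.me` (or any "what is my IP" service) should show the provider's address; with `openvpn` stopped it should time out rather than print the home IP.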