It looks like some kind of electrical junction with a Bitcoin logo on it.

There are many other useful things you can do with your own home server, such as run a lightning node, a tor node, or your own Electrum Private Server. This guide will tell you how.

What is a Bitcoin node?

If you use Bitcoin and care about your privacy and security, you should run a node.

The Bitcoin node verifies that the payments you receive are fully confirmed, and that funds in your wallet both exist and belong to you. It also helps to validate the network as a whole and make sure the Bitcoin is legitimate.

Before you start, get comfortable with the command line

This guide requires you to use the command line interface, or CLI, and an SSH client. SSH (Secure Shell) is a popular tool to “remote control” devices securely. In principle, it functions similarly to a VPN, with the exception that you gain access to a computer, rather than the entire internet.

Windows

Windows 10 has a native command line interface, though it might not be installed by default. To install it:

  1. Go to Settings > Apps
  2. Click Manage optional features under Apps & features

If an SSH client is installed on your machine it should appear here. If not, you can add it by clicking Add a Feature and then OpenSSH Client. Don’t install the OpenSSH Server.

To use the SSH client, you need to first open a PowerShell, which can be done by right-clicking the Start Menu or by pressing Windows+X and then selecting the PowerShell.

Once PowerShell is open, type ssh to confirm that the client is ready.

Mac OS

Open the terminal with Spotlight, the Launch Pad, or Finder.

Linux

Open the command line with Ctrl+Alt+T

Useful tips when using the command line

  • Copy/paste: The standard Ctrl+C and Ctrl+V won’t work in the command line, but you can use Ctrl+Shift+C and Ctrl+Shift+V instead. You can also use your mouse pointer to select text and then copy/paste it by right-clicking the area that you marked. Often you can also paste content by clicking the middle-key or wheel on your mousepad or mouse.
  • Using the up/down arrows on your keyboard lets you browse through recently executed commands, which is very useful if all you need is to fix a small typo.
  • Use Ctrl+C to abort a command that is stuck. This will also get you out of most menus or programs.
  • The command line is also a bit like a one-dimensional file explorer. Use the ls command to see which files exist in the current folder, or cd to move to a specific directory. cd .. will move up one directory (to the parent folder) and cd ~/ goes back to the home folder.

A screenshot of the command line.

  • See which drives are currently connected and how much they are used with the df -h command.
  • You can use the Tab button to autocomplete many instances, for example when selecting a folder to move into with cd, copy with cp, move with mv, or delete with rm. Typing cd d followed by the Tab button will automatically complete a folder starting with d, if it exists. If there are multiple folders starting with d you can press the Tab button again to see the full list.

A screenshot of the command line.

Get a Virtual Private Server

Any server will do. With little effort, you can even convert an old laptop or use a mini PC for about 100 USD. Even a computer as small as a Raspberry Pi would theoretically suffice.

In our case, we will rent a Virtual Private Server (VPS) from Lunanode. We chose Lunanode because it’s relatively easy to sign up without identification—it accepts Bitcoin—and it’s reliable. Another great alternative is Cryptohost (which even takes Lightning!). Pricier but also requiring less personal information for signup is Njal.la.

Alternatively, you may also opt for one of the larger providers such as AWS, Digital Ocean, or Rackspace.

Sign Up

To sign up to Lunanode, you’ll need to verify your email address and phone number, then select your country and choose a password. You can immediately deposit Bitcoin into your account to start paying for your server or enter a credit card to bill you automatically.

Pricing

We recommend the m2 server for 7 USD per month. For the purposes of Bitcoin mining, we’ll add 80GB of storage for an extra 2.7 USD per month.

Find your SSH key

  • In Windows, use the SSH client (see above).
    1. If this is your first time using the SSH client, type ssh-keygen -o -b 4096 -t rsa on the command line to generate a key.
    2. Once you have generated a key, or if you already have a key, find it at C:\Users\YourUserName\.ssh\id_rsa.pub
    3. Open this file with your notepad and add it to your Lunanode panel
  • In Mac OS, open the terminal with Spotlight, Launch Pad, or Finder
    1. Create an SSH key with the command: ssh-keygen -o -b 4096 -t rsa
    2. You can then find your SSH key under ~/.ssh/id_rsa.pub
    3. Open this file with your notepad and add it to your Lunanode panel.
  • In Linux, open a terminal with the shortcut Ctrl+Alt+T
    1. Create an SSH key with the command: ssh-keygen -o -b 4096 -t rsa
    2. You can then find your SSH key under ~/.ssh/id_rsa.pub
    3. Open this file with your notepad and add it to your Lunanode panel.

Add your SSH key

In your Lunanode dashboard, find the option “SSH Keys” on the left side. Give your SSH key a name and paste the contents of your notepad in its entirety into the public key field, then click “Add SSH Keypair.” It should then appear in the list.

Launch your server

To create your virtual machine, click on “Create VM” on the top left corner of your Lunanode dashboard. Choose a location, a plan, and an operating system, then decide on a hostname. In our case, that is Toronto, m2 on Ubuntu 18.04 (64 bit) and we named it Torontola. You’ll also need to add your keypair so you can securely log in.

Get extra storage

On the left side of the Lunanode dashboard is the option ‘Volumes.’ Now select the same region that your server is in, give it a name, then set a size (we recommend at least 80GB for your Bitcoin node). As soon as you create it you can select ‘manage’ and connect it to your server under ‘Attach to VM’. We will keep the driver at its default ‘virtio.’

Log in to your server

Under “virtual machine” you should see your instance now. Click on its name and you should see, among others, its external IP address. You can log in to your server by opening up a Terminal window and entering the command:

ssh ubuntu@< your ip here >

for example: ssh ubuntu@192.168.1.1

Since it’s your first login, you will likely be told the authenticity of your host couldn’t be confirmed. Enter yes to add your machine to your list of trusted devices. You’ll be warned again if the key changes.

Configure your server

Set up a simple firewall to protect the server. Ufw (uncomplicated firewall) should be pre-installed on your machine. Check if it’s installed or enabled by typing sudo ufw status

If you aren’t shown a “Status” message in response, you can install it with sudo apt install ufw

More importantly, allow SSH through the firewall so that we can still log in to our machine remotely. Skip this step if you have direct access to the server, meaning you can plug a monitor and keyboard into it. If you can’t, you must enable SSH with sudo ufw allow ssh

Now turn the firewall on with sudo ufw enable

Update your server

Make sure your server is up to date by running the commands sudo apt update and sudo apt upgrade.

Now you’re all set! The next steps describe how to set up the Bitcoin node.

***

How to set up your own Bitcoin node

Includes a full node, Lightning, Tor support, Zap Desktop and iOS wallet, ejabberd, and BTCPay Server.

1. Add a volume

To start, we need to get the server ready to connect to the Bitcoin network.

Make sure your volume has been set up and is attached to your server. You can double check in your Lunanode panel under ‘Volumes.’

In your terminal, logged into your server, you can now run the command sudo fdisk -l to confirm the volume name. It’s very likely the same as ours, /dev/vdc

To permanently attach the volume to our server, we temporarily become a superuser by running the command: sudo -i

Our username now changes to root@torontola, and we can run the following commands without sudo:

mkfs.ext4 /dev/vdc (formats the empty drive)
mkdir /media/bitcoin (creates a mount point)
mount /dev/vdc /media/bitcoin (mounts the device at the mount point)
echo '/dev/vdc /media/bitcoin ext4 defaults 0 2' >> /etc/fstab (makes the mount point permanent)
chown -R ubuntu /media/bitcoin (allows us to later write data to this drive as the default ubuntu user)

Go back to our regular user (safer) by typing exit

Test the setup by restarting your computer with the command sudo reboot now

This will also kick you out of the server, so log back in with ssh ubuntu@< your ip here >

Run the command df -h to see if the volume is correctly attached. Pay close attention to the line that shows /dev/vdc as being mounted on /media/bitcoin

A screenshot of the command line.

Your server is now ready to be a Bitcoin node!

2. Install and configure Bitcoind

Log in to (or stay logged in to) the server.

Install Bitcoind

To install Bitcoind, you first need to add the Bitcoin repository:

sudo add-apt-repository ppa:bitcoin/bitcoin

Confirm the choice, update the package manager with sudo apt update

Install Bitcoind with the command: sudo apt install bitcoind

Create a simple config file

We want to sync Bitcoin onto our added volume, which requires adding a line to the config file. You might also want to prune it, which means limiting the size of the Blockchain by only keeping recent blocks on the disk.

Pruning allows us to save on storage space and cost. Create a bitcoin directory with the command: mkdir .bitcoin (the dot is important)

Then a config file with the command: nano ~/.bitcoin/bitcoin.conf

Now copy/paste the following into it:
datadir=/media/bitcoin
daemon=1
prune=70000

Save the file with the keys Ctrl+O and close the window with the command: Ctrl+X

Start Bitcoind

Start Bitcoind with the command bitcoind

You should get the response “Bitcoin server starting.” To see what your Bitcoin node is doing you can run the command tail -f /media/bitcoin/debug.log

You can also open a new terminal window, SSH into your machine, and keep this window open if you’d like. It will give you an easy overview of everything. You can exit the window by holding the keys Ctrl+C at the same time.

Check up on your computer

You can also check the health of the node by typing bitcoin-cli --getinfo

In the example below, you can see we have synced 388,343 blocks (of ~566,000) and are connected to 16 peers.

A screenshot of the terminal commands.

Run the command top anytime to see how many resources are being consumed. This might also be useful when seeing if a process is still running. Below we can see that Bitcoind is consuming most of our memory, but relatively little CPU.

A screenshot of Terminal.

Now… Wait

Syncing Bitcoin will take a while. It’s best to pause here and continue later. You can periodically check back on your node using the bitcoin-cli --getinfo command or by observing the logs using tail -f /media/bitcoin/debug.log

Optional: Open ports

Allow incoming connections to our future Bitcoin node with sudo ufw allow 8333/tcp

Open ports help the network as it creates more space for others to connect.

Optional: Buy extra CPU time

Syncing your node for the first time can be CPU intensive. In your Lunanode admin panel, go to “Virtual Machines,” click on your server, then on “CPU.”

Change the option from “No” to “Yes” under “Pay for CPU utilization above baseline performance?” A complete sync of a Bitcoin node should not cost more than 4 USD.

3. Download and install Go

We’re roughly following the installation guide found on the Lightning Network Github, tailored to the Lunanode instance that we already have. We’ll try to keep our guide up to date, but if you see any unexpected errors, it might be worth checking there if anything has changed.

Download Go

Download the Go code with the command: wget https://dl.google.com/go/go1.11.5.linux-amd64.tar.gz

Verify that the data is correct by typing sha256sum go1.11.5.linux-amd64.tar.gz | awk -F " " '{ print $1 }'

This shows us the SHA256 hash of the data we downloaded. We expect the output to be ff54aafedff961eb94792487e827515da683d61a5f9482f668008832631e5d25
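The hash check above, written so that a mismatch stops the install instead of relying on comparing 64 characters by eye. This is an added example, not part of the original guide; the function names verify_sha256 and unpack_verified are hypothetical, and the demo archive is constructed locally.

```shell
#!/bin/sh
# Added example: fail-closed SHA-256 check before unpacking a download.
# Function names are hypothetical; the demo archive below is constructed.

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 on bad input (missing file, malformed hash).
verify_sha256() {
    vs_file=$1
    vs_want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case $vs_want in
        ''|*[!0-9a-f]*) echo "expected hash is not hex" >&2; return 2 ;;
    esac
    if [ "${#vs_want}" -ne 64 ]; then
        echo "expected hash is not 64 characters (truncated copy/paste?)" >&2
        return 2
    fi
    if [ ! -f "$vs_file" ]; then
        echo "no such file: $vs_file" >&2
        return 2
    fi
    vs_got=$(sha256sum "$vs_file" | awk '{ print $1 }')
    if [ "$vs_got" != "$vs_want" ]; then
        echo "SHA-256 MISMATCH for $vs_file" >&2
        echo "  expected $vs_want" >&2
        echo "  got      $vs_got" >&2
        return 1
    fi
    return 0
}

# unpack_verified ARCHIVE EXPECTED_HEX DEST_DIR
# Runs tar only after the hash check passes, so a corrupted or swapped
# archive is never extracted.
unpack_verified() {
    verify_sha256 "$1" "$2" || return $?
    mkdir -p "$3" && tar -C "$3" -xzf "$1"
}

# On the server, with the file and hash from this guide:
#   unpack_verified go1.11.5.linux-amd64.tar.gz \
#       ff54aafedff961eb94792487e827515da683d61a5f9482f668008832631e5d25 ~/

# Demo with a constructed archive (stand-in for the real download).
demo_dir=$(mktemp -d)
mkdir "$demo_dir/go"
echo "constructed sample" > "$demo_dir/go/VERSION"
tar -C "$demo_dir" -czf "$demo_dir/sample.tar.gz" go
good_hash=$(sha256sum "$demo_dir/sample.tar.gz" | awk '{ print $1 }')
bad_hash=$(printf '%064d' 0)

unpack_verified "$demo_dir/sample.tar.gz" "$good_hash" "$demo_dir/ok"  && echo "verified, unpacked"
unpack_verified "$demo_dir/sample.tar.gz" "$bad_hash"  "$demo_dir/bad" || echo "refused to unpack"
```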

Install Go

The file comes compressed, similar to a zip file. Unpack Go into the home directory with tar -C ~/ -xzf go1.11.5.linux-amd64.tar.gz

Copy it over to a more appropriate place with sudo mv ~/go /usr/local

Next, tell the server where it can find the Go code. This may differ from machine to machine. In our case it is:

export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export PATH=$GOPATH/bin:$GOROOT/bin:$PATH

To make this permanent, add the lines to .bashrc file. Open the file using nano ~/.bashrc then scroll to the bottom and paste there.

Save and close nano by pressing the buttons Ctrl+O and Ctrl+X

Check if go is properly installed

Test if Go is properly installed by typing go version
Expect the output: go version go1.11.5 linux/amd64

4. Install lnd

Prerequisites

Download essentials before commencing the installation.

Run the command: sudo apt-get install -y build-essential
Make sure Git is installed. If not, install it with sudo apt install git

Download lnd

To install lnd, download the code with go get -d github.com/lightningnetwork/lnd

Install lnd

Move into the directory of lnd with the command: cd ~/go/src/github.com/lightningnetwork/lnd

It’s generally recommended to stick with the latest release, rather than updating to the latest code on master. Check what the latest release of lnd is here. In our case it’s version v0.5.2-beta. We will “check out” this version with the command
git fetch --tags
git checkout v0.5.2-beta

Finally, install lnd with the command: make && make install

Now navigate back to the home folder with cd ~/

Check if lnd is properly installed

You should now be able to see if lnd is installed by typing lnd --version and lncli --version

It should read version 0.5.2-beta commit=v0.5.2-beta

Configure lnd

Create a configuration file for lnd. Make the directory with mkdir ~/.lnd

Edit it right away using nano ~/.lnd/lnd.conf

A screenshot of the Terminal.

Don’t forget to fill in the blue fields with your own information! You can freely choose a name and color for your node.

Find your IP address in the dashboard of Lunanode (if that is what you are using for your server).

You’ll need a username and password for the next step. For simplicity, it might be a good idea to avoid special characters.

# [Application Options]
alias=< name of your node >
color=< your favorite color in hex >

# [Bitcoin]
bitcoin.active=1
bitcoin.mainnet=1
bitcoin.node=bitcoind

bitcoind.rpchost=127.0.0.1
bitcoind.rpcuser=< your username >
bitcoind.rpcpass=< your password >

bitcoind.zmqpubrawblock=tcp://127.0.0.1:28332
bitcoind.zmqpubrawtx=tcp://127.0.0.1:28333

# [LND]
externalip=< your ip >

Configure Bitcoind

We’ll need to make some amendments to Bitcoind. We’ll open the config file with nano ~/.bitcoin/bitcoin.conf

We will need to add the following lines:
rpcuser=< your username >
rpcpassword=< your password >
zmqpubrawblock=tcp://127.0.0.1:28332
zmqpubrawtx=tcp://127.0.0.1:28333

Save and close the config file with Ctrl+O and Ctrl+X and restart Bitcoind with sudo service bitcoind restart

5. Launch lnd and create a wallet

Prerequisites

To begin this step, make sure Bitcoind is fully synced and ready. Test this by running the command: bitcoin-cli --getinfo and compare the value of blocks with a block explorer, for example, Blockstream.info.

The block height displayed by the block explorer should be the same as the “blocks” output of our command. If the number shown by the block explorer is larger, the node is not yet synced.

Use tail -f /media/bitcoin/debug.log to see the logs. This will also show when the last block was created and the sync progress. Our node will be synced up to this date.

A screenshot of Terminal.

Launch lnd

Launch lnd by typing lnd into your terminal. Alternatively, you can also try ~/go/bin/lnd

Does it look like the output below? Great, everything is going according to plan. If you see an error message, make sure Bitcoin is running or go back to the step that the error message suggests is wrong. Are all the configuration files correct?

A screenshot from Terminal

When your output looks like the one above, close lnd again by pressing the keys Ctrl+C

Permanently run lnd in the background with the command: lnd &>/dev/null &

Type disown so that the task keeps running even after you log out or close the terminal.

Optional: Observe lnd through the debug logs

Open a new terminal, SSH back into the server and open the lnd logs to get a good idea of what is going on in the background.

It’s quite interesting, but will also alert you if anything is going wrong. In the new terminal window, type: tail -f ~/.lnd/logs/bitcoin/mainnet/lnd.log

Leave this view anytime by pressing Ctrl+C

Create a wallet

While lnd is running in the background, run the command: lncli create

Enter a wallet password, then confirm it.

Next, we are asked whether we have an existing cipher seed mnemonic. As this is a new Lightning node (as opposed to one that is being restored), we will use n

You can optionally encrypt your cipher seed—a good idea if you are storing the seed in a location accessible to others (under your mattress)—but you must remember the encryption key.

We choose not to encrypt the seed in this example. Below, the cipher seed is blacked out.

A Terminal screenshot of the cipher seed.

Unlock your wallet

If you created a new wallet, it should have unlocked automatically. If something went wrong or you are restarting lnd, you need to unlock your wallet with the command: lncli unlock

Sync lnd

Since this is the first time starting lnd, we will need to sync it.

6. Open a channel

If you prefer to leave the command line at this point, jump to the next step and connect Zap Desktop or Zap iOS to your node. You can then open channels and make payments inside of a neat user interface.

Make sure lnd is running and synced

Do this with the command: lncli getinfo. It should read synced to chain: true.

If it’s not synced, we need to make sure Bitcoind is running and synced, for example, by running bitcoin-cli --getinfo and comparing the current block height of our node with that of a block explorer.

Check the logs to confirm that Bitcoind (tail -f /media/bitcoin/debug.log) and lnd (tail -f ~/.lnd/logs/bitcoin/mainnet/lnd.log) are running.

Deposit coins into your node

Generate a new address with the command: lncli newaddress p2wkh

The output should be something like bc1…

You can now send Bitcoin to this address by copy/pasting the address into your Bitcoin wallet. If your wallet somehow cannot send to an address in the format bc1…, you can also generate a legacy address starting with ‘3’ using the command: lncli newaddress np2wkh

Check the balance anytime by using the command: lncli walletbalance

It will show both the confirmed and unconfirmed balance in Satoshi. 1 Bitcoin is 100 million Satoshi.

Connect to a node

In the next step, we will connect to a node. Maybe you already have a node to connect to or know a friend running a Lightning node. You can also pick one of the popular nodes listed on 1ml.com

A Lightning node’s URI looks like this: 0331f80652fb840239df8dc99205792bba2e559a05469915804c08420230e23c7c@74.108.13.152:9735

It contains the public key of the node before the @, then its IP or domain name and the port.

Connect to this node using the command: lncli connect 0331f80652fb840239df8dc99205792bba2e559a05469915804c08420230e23c7c@74.108.13.152:9735

When successfully connected, the output should simply be an open and a close bracket without an error message.

Open a channel

Once the deposit has been confirmed on the Bitcoin Blockchain, open a channel. You can open the channel with the node connected with the above, but it is highly recommended that you connect to a diverse group of nodes. You are also welcome to open channels with multiple nodes.

We will open a channel with the command: lncli openchannel 0331f80652fb840239df8dc99205792bba2e559a05469915804c08420230e23c7c 200000, where the long string starting with 0331 is the other node’s public key and the number 200000 represents the amount of funds we want to put into this channel, denominated in Satoshi.

Once your channel is successfully open, you will get the funding transaction. When this transaction is confirmed on the Blockchain, your channel will be open and active. Until then it will be shown under pending channels.

Generally, it will take three confirmations for your channel to become active.

A screenshot of an open channel in Terminal.

Make a payment

To make a payment, you will need outgoing liquidity (have funds in channels with other nodes). To do this, all you need is to deposit Bitcoin into your node and open channels with the network.

Ideally, these channels are directly linked to the counterparties you transact with or well-connected nodes in the network.

You can always check your node with the command: lncli getinfo

Your node should always be synced to the chain, and you should have at least one active channel.

A Lightning invoice looks like this: lnbc10u1pwfxg42pp553wyha3ag66tn40zls69eeaeq0cyluj6ja54sygp7vh50gcy0rnsdqlxycrqvpqwdshgueqvfjhggr0dcsry7qcqzysyrmxj0554vrg4ej2we83m8n7rxj94s8c5a8rwjud07ptc6dw7j2hr42sxt7lnazglku3pfe9jkl8f0gupkuz7jly5xnq35qr202jwwqqy8qs9a

Decode it with the command: lncli decodepayreq [Lightning invoice]

This will show the amount, where the payment is going, and when the invoice expires.

A screenshot of a received payment in Terminal.

To make a payment we will use the command: lncli payinvoice [Lightning invoice]

After confirming the amount and destination, the node will attempt to make the payment. Once the payment has been successful, information about the payment, such as the hops and fees, will be received.

Receive a payment

To receive payments, you will need incoming liquidity. Encourage others to open channels with you (over time, as your node stays online, this will happen automatically).

Every time you make a payment through your channels, you will also automatically free up incoming liquidity. For example, if you deposit 10 USD into your node, open a channel, and make a payment over 2 USD, you will immediately have 2 USD in incoming capacity.

To receive a payment, generate an invoice. The invoice follows the format lncli addinvoice --memo "a memo" --amt < amount in Satoshi > --expiry < expiry time in seconds >

For example, we can run lncli addinvoice --memo "for VPN services" --amt 90000 --expiry 3600 for a 90,000 Satoshi invoice that is valid for one hour.

The result will include a r_hash, a pay_req and an add_index. The pay_req is our invoice that we can pass on.

A screenshot of a payment request in Terminal.

Check payments

See the invoices issued and their status with the command: lncli listinvoices. Below, we can see that the invoice we issued above has not yet been paid, as “settled” is set to false.

A screenshot of a payment in Terminal.

7. Update lnd

The Lightning network and its software, like lnd, are under constant active development. New features are regularly added and bugs fixed whenever they are reported. You can report a bug yourself and check for new releases here.

To upgrade lnd, first close the application with the command lncli stop

Now navigate to your source folder, in our case: cd ~/go/src/github.com/lightningnetwork/lnd

Download the latest source code with git pull and navigate to the latest release with git checkout [latest release]. In our case that is git checkout v0.10.1-beta

To upgrade to this release, we used the command make clean && make && make install

After restarting lnd with lnd &>/dev/null & and unlocking our wallet, we can check if everything is properly updated with lncli --version. If it shows the version number of the latest release, we did everything right!

8. Useful commands with lnd

By far the most useful command in lnd is lncli help. It lists all the available commands. Get additional information on each command by adding the word “help.” For example, lncli addinvoice help will show you the available options when creating an invoice.

  • lncli getinfo shows you basic information about your node
  • lncli listchannels shows you the channels you currently have open and their status
  • lncli getnetworkinfo shows you the scope of the Lightning network from your point of view
  • lncli feereport shows you how much your node has earned from routing payments
  • lncli connect lets you reconnect to a peer manually, which may revive a payment channel that is offline or inactive
  • lncli walletbalance shows you how many Satoshis you own on-chain
  • lncli channelbalance shows you how many Satoshis you own in channels

9. Alternative: Connect Zap Desktop

Zap is a user interface for a Lightning node that can run on your computer. If you are running Lightning on your local machine, it’s trivial to connect. But if your node is in the cloud, you’ll need to do a few more steps.

For this step to work, both your Bitcoind and your lnd node need to be fully synced. Check whether lnd is synced with the command: lncli getinfo. It should read “synced to chain: true.”

If they’re not synced, make sure Bitcoind is running and synced, either by checking the log with tail -f /media/bitcoin/debug.log or by running bitcoin-cli --getinfo and comparing the block height with another node, or by checking a block explorer.

Download Zap

Download Zap for desktop here. We downloaded the latest release, which in our example is v0.4.1 beta. Make sure you get the right version for your operating system! For Windows, that is ZapDesktop-win32-v0.4.1-beta.exe

Amend lnd.conf

Open our configuration file with nano ~/.lnd/lnd.conf

Amend the following lines:

rpclisten=0.0.0.0:10009
tlsextraip=< your IP address >

Save and close the file with Ctrl+O and Ctrl+X

Stop lnd

To make changes go into effect, restart lnd. To stop lnd, run lncli stop
Wait for a few seconds before starting it again. If you have the logs open, you can see when lnd has shut down. You can also check with top

Delete tls key and certificate

If you made changes to the configuration file that affect the tls key and certificate, you’ll need to delete them. Do so with the command: rm ~/.lnd/tls.cert and rm ~/.lnd/tls.key

To start again, run lnd &>/dev/null & and then disown

Open the firewall

To use Zap, our Lightning node must accept incoming connections. Open the firewall with the command: sudo ufw allow 10009/tcp

Copy over the macaroon and TLS certificate

To authenticate the app and the server, you’ll need to copy two files (shown below).

Zap will check if the TLS key is correct to make sure it is always connected to the correct server (and not one impersonating it). To know which TLS key is right, we will need to tell Zap the TLS certificate.

Windows:

Open a new PowerShell window and use the command: scp ubuntu@< your nodes ip >:~/.lnd/tls.cert C:\Users\YourUserName\Desktop\ to copy the tls certificate to your desktop.

Use the command: scp ubuntu@< your nodes ip >:~/.lnd/data/chain/bitcoin/mainnet/admin.macaroon C:\Users\YourUserName\Desktop\ to copy the macaroon. If you want, you may copy it into any folder using the explorer.

Mac or Linux:

Open a new terminal and use the command: scp ubuntu@< your nodes ip >:~/.lnd/tls.cert ~/Desktop to copy the tls certificate.

Use the command: scp ubuntu@< your nodes ip >:~/.lnd/data/chain/bitcoin/mainnet/admin.macaroon ~/Desktop to copy the macaroon. You can also copy it into any folder using Finder or Files.

Configure Zap

Open Zap either by clicking on the file downloaded earlier or by finding it in applications. Choose the option Connect your own node in the startup screen.

A screenshot of the Zap connection screen.

Next, enter your IP address and the path to the certificate.

Windows:

This may look like this:
192.168.1.21:10009
C:\Users\YourUserName\Desktop\tls.cert
C:\Users\YourUserName\Desktop\admin.macaroon

Mac or Linux:

This may look like this:
192.168.1.21:10009
~/Desktop/tls.cert
~/Desktop/admin.macaroon

A screenshot of the Zap connection details screen.

Login

After clicking on Next and confirming your selection, you should be logged into your node. You can see your balance as well as your recent payments.

9b. Alternative: Connect Zap iOS

Zap is a user interface for your Lightning node that is still in alpha, but you can sign up to be a tester here. You can use it to connect remotely, check your funds, open channels, or make and receive payments.

Download Zap for iOS

Once you have joined as a tester, download and install the app through Testflight, Apple’s tool for downloading testing software. It will then show up as a regular app on your home screen.

Download lndconnect

To authenticate the app and the server, we’ll need to pass data from our server to the phone. When connecting Zap on the desktop, two files are copied over to our machine, but that’s not possible on a phone. Instead, use a tool called lndconnect that will generate a QR code for us.

Download lndconnect with the command:
go get -d github.com/LN-Zap/lndconnect

Install lndconnect

To install lndconnect, move into the directory with the command:
cd ~/go/src/github.com/LN-Zap/lndconnect

Install the program with make && make install

Run lndconnect

Type lndconnect in your terminal to make the QR code appear. You may have to zoom out a bit and enlarge the window with Ctrl++ (Keep control pressed and additionally press the plus or minus sign to zoom in or out)

Connect Zap

Open the Zap app in your phone and click Scan when given the option. Scan the QR code generated with lndconnect.

You can now see your balance, make and receive payments, and manage your channels with the app.

10. Optional: Configure Bitcoind over Tor

Privacy is great. Our Bitcoin business is solely our business, and no Internet Service Provider or government should be able to see how we use it.

But privacy is also great for security. If we can hide our Bitcoin activity, we can’t easily be targeted by criminal organizations. And, if our node can’t be found, it cannot be easily corrupted or fed false information.

Install tor

Quickly install tor with the command: sudo apt install tor

Configure tor

First, route all Bitcoin transactions through the Tor network. Then allow incoming transactions only over a hidden service.

To do this, we will need to create a password and its hash. To create a password, use your password manager (or use ours) to generate a 30+ character random password with uppercase letters, lowercase letters, and numbers.

Paste it for now in a notepad, but do not save it.

Create its hash using tor with the command: tor --hash-password "yourpassword"

Paste the output in a notepad for now.

Now edit the tor configuration file. Open it with the command: sudo nano /etc/tor/torrc

The configuration file is already prewritten, but everything is commented out (as indicated by the lines starting with # signs). Towards the bottom of the first section, find the phrase #ControlPort 9051

Remove the # sign, so it reads ControlPort 9051

Also, remove the # signs from these two lines

HashedControlPassword < your password >
CookieAuthentication 1

Replace the existing HashedControlPassword with the hash obtained in the step above. Now delete the hash from the notepad.

Save and close the new config file with Ctrl+O and Ctrl+X

Restart tor with the command: sudo service tor restart

Configure Bitcoind

Enter Bitcoin configuration file with nano ~/.bitcoin/bitcoin.conf

Amend the file with the following configuration:

  • proxy=127.0.0.1:9050 (points the Bitcoin node to the Tor Socks Proxy, so that all data goes through tor)
  • listen=1 (will listen to incoming connections)
  • onlynet=onion (to only connect through tor)
  • listenonion=1 (will listen for incoming connections through an onion address)
  • discover=0 (so our IP address is not broadcast)
  • torcontrol=127.0.0.1:9051 (shows the bitcoin node how to control Tor, for example, to create a hidden service)
  • torpassword=< YourTorPassword > (how the Bitcoin node will authenticate itself to the Tor node)

Paste the password created earlier, then close the notepad.

Close the editor with the commands: Ctrl+O and Ctrl+X
Restart Bitcoind with the command: sudo service bitcoind restart
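
To confirm the file ended up with the settings listed above, here is an added example that is not part of the original guide. The function names conf_get and audit_bitcoin_conf are hypothetical, the sample file is constructed, and the permission check is an addition motivated by torpassword being stored in clear text in this file.

```shell
#!/bin/sh
# Added example: audit a bitcoin.conf against the Tor-only settings from the list above.

# Print the value of the first "key=value" line for key $2 in file $1.
conf_get() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t\r]/, "", key)
            sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
            if (key == k) { print val; exit }
        }' "$1"
}

# Print one FAIL line per problem and return the number of problems found.
audit_bitcoin_conf() {
    conf=$1
    findings=0
    for pair in proxy=127.0.0.1:9050 listen=1 onlynet=onion \
                listenonion=1 discover=0 torcontrol=127.0.0.1:9051; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(conf_get "$conf" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: expected '$want', found '${got:-<unset>}'"
            findings=$((findings + 1))
        fi
    done
    # torpassword must be present; its value is never printed.
    if [ -z "$(conf_get "$conf" torpassword)" ]; then
        echo "FAIL torpassword: not set"
        findings=$((findings + 1))
    fi
    # The file holds passwords in clear text, so group and others get no access.
    perms=$(ls -ld -- "$conf" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL permissions: group/other bits are '$perms', run chmod 600"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: onlynet is missing, discover is left at 1, file is world-readable.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed example configuration
proxy=127.0.0.1:9050
listen=1
listenonion=1
discover=1
torcontrol=127.0.0.1:9051
torpassword=CONSTRUCTED-PLACEHOLDER
EOF
chmod 644 "$sample"
audit_bitcoin_conf "$sample" || echo "findings: $?"
rm -f "$sample"
```

Run it against the real file with audit_bitcoin_conf ~/.bitcoin/bitcoin.conf; no output and exit status 0 means every check passed.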

Close the port

Bitcoin port 8333 no longer needs to be open. Close it with the command: sudo ufw deny 8333/tcp

Test your onion setup

You can now connect to onion nodes. You should find a list of such nodes in the Bitcoin wiki.

For example, connecting to BlueMatt’s node requires the command: bitcoin-cli addnode "nkf5e6b7pl4jfd4a.onion" add

Your Bitcoin node can still connect to regular IP addresses, but only accepts incoming connections via the Tor network. Your onion address will show up in your logs at startup, in case you want to connect to it specifically from another node you control. You can also find it at the very bottom of the output of the command bitcoin-cli getnetworkinfo

11. Set up Electrum Private Server over Tor

If you are using the lightweight Electrum wallet, this tool will massively improve your privacy. While fast and handy, Electrum sends your Bitcoin addresses to a remote server, which will inform you about your balance. Anybody can set up such a server, and while you can send your queries via the Tor Network, there is no guarantee or protection that these servers aren’t quietly setting up profiles about you. With your own Electrum Private Server, you do not have to worry about this.

Install Electrum on your personal computer

You can find the Electrum client here. It is recommended that you verify the PGP signatures before installing the software. Installing Electrum on your computer is no different from installing any other software on your personal machine.

a. Create a wallet

It is possible to set up Electrum Personal Server with your existing Electrum wallet. This will require you to resync your Bitcoin node and take considerable time, so we will first set it up with a new wallet. When you open Electrum for the first time, it will prompt you to create a wallet. We recommend creating a ‘standard wallet’ with the ‘segwit’ option. You will be given a ‘seed phrase.’ It’s important to store this seed securely, either on a piece of paper in a safe location, or in your password manager. Anybody with access to this seed can take your Bitcoin. Under no circumstances store it somewhere online, such as a note-taking app like Google Keep or your email drafts.

b. Get your Master Public Key

In the menu under “Wallet,” click “Information” to retrieve your Master Public Key. Anybody with access to this key can see what transactions you are making and how many Bitcoin you have, but they cannot take your Bitcoin. We will need this Master Public Key later. For now we can save it in a text editor or keep the window open.

c. Configure bitcoind

Open your bitcoin configuration file with nano ~/.bitcoin/bitcoin.conf

Amend the file with the following configuration:
server=1
disablewallet=0

If you have been following the guide above, you already have an RPC username and password set. You can always find it again in your bitcoind configuration file, which you can open with the command nano ~/.bitcoin/bitcoin.conf and save with Ctrl+O and close with Ctrl+X. Alternatively you can set any username and password in your configuration file. It will look like this:
rpcuser=< your username >
rpcpassword=< your password >

Save and close the config file with Ctrl+O and Ctrl+X and restart bitcoind with sudo service bitcoind restart

d. Set up a dedicated wallet

Create a dedicated wallet for electrum-personal-server with the command bitcoin-cli createwallet electrumpersonalserver true

e. Download electrum-personal-server

We can find all the latest releases here. Use the source code packaged with tar.gz. In our case, the latest version is v0.2.0. Download this software to our server with the command wget https://github.com/chris-belcher/electrum-personal-server/archive/eps-v0.2.0.tar.gz

Download the signature with wget https://github.com/chris-belcher/electrum-personal-server/releases/download/eps-v0.2.0/eps-v0.2.0.tar.gz.asc

f. Verify electrum-personal-server

First, download the PGP key of the developer, which is found here and here. Download it with the command wget https://raw.githubusercontent.com/chris-belcher/electrum-personal-server/master/docs/pubkeys/belcher.asc

Import it with the command gpg --import belcher.asc

Verify whether the software is appropriately signed with the command gpg --verify eps-v0.2.0.tar.gz.asc
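
gpg --verify reports a good signature for any key in your keyring, and the key imported above came from the same repository as the software, so it is worth comparing the signing key's fingerprint with one obtained through a second channel. The following is an added example, not part of the original guide or the project: check_gpg_status and sample_status are hypothetical names, the status lines are constructed, and the fingerprint is a placeholder.

```shell
#!/bin/sh
# Added example: accept a signature only if it is valid AND made by a pinned key.
# Reads GnuPG machine-readable status lines (gpg --status-fd) on stdin.
# $1 is the expected fingerprint; spaces and lower case are tolerated.
# Returns 0 = valid signature by the pinned key, 1 = not verified,
#         2 = bad, unverifiable or expired signature, or expired/revoked key.
check_gpg_status() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    verified=1
    while read -r tag keyword fpr rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $keyword in
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)
                return 2 ;;
            VALIDSIG)
                # First field: fingerprint of the signing (sub)key.
                # Last field: fingerprint of the primary key.
                primary=${rest##* }
                if [ "$fpr" = "$pinned" ] || [ "$primary" = "$pinned" ]; then
                    verified=0
                fi ;;
        esac
    done
    return "$verified"
}

# Constructed status output. The fingerprint is a placeholder, not the
# developer's real key; take the real one from a source other than the
# repository the tarball came from.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"
sample_status() {
    cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG $PINNED_FPR 2020-01-01 1577836800 0 4 0 1 8 00 $PINNED_FPR
EOF
}

if sample_status | check_gpg_status "$PINNED_FPR"; then
    echo "valid signature from the pinned key"
else
    echo "do not install: signature not verified against the pinned key"
fi

# Against the real download:
#   gpg --status-fd 1 --verify eps-v0.2.0.tar.gz.asc eps-v0.2.0.tar.gz 2>/dev/null |
#       check_gpg_status "<fingerprint from a second source>"
```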

g. Create an SSL key and certificate

To keep things organized, create a dedicated folder for all things related to electrum-personal-server with the command mkdir ~/eps. Navigate into that folder with cd ~/eps

Create the private key with openssl genrsa -out server.key 2048

Now create a certificate signing request with openssl req -new -key server.key -out server.csr

The command will ask a series of questions, such as ‘Country Name’ or ‘Email Address.’ As we will not have this certificate signed by a certificate authority, we can skip all of them by pressing Enter each time.

Sign the certificate with the command openssl x509 -req -days 1826 -in server.csr -signkey server.key -out server.crt

It is valid for five years. You can adjust the validity by changing the number of days in the command above.

h. Install dependencies

Unless it is already installed, install python with sudo apt install python3-pip

i. Install electrum-personal-server

Unpack the tar.gz file with the command tar -xvzf eps-v0.2.0.tar.gz

Enter the directory with cd electrum-personal-server-eps-v0.2.0

Now copy the configuration file with the command cp config.ini_sample ~/eps/config.ini

You can open and edit the file with nano ~/eps/config.ini

  • In the first section, under “master-public-keys,” enter the public key obtained above.
  • If you have multiple wallets, you may add each wallet in a new line.
  • In the second section, under “bitcoin-rpc,” remove the #-sign before “rpc_user” and “rpc_password” and enter the details from the bitcoin.conf file.
  • In the section “electrum-server,” adjust the location of the key and certificate.
    certfile = eps/server.crt
    keyfile = eps/server.key
  • Optionally, dedicate a permanent log file under “logging”, such as log_file_location = eps/eps.log

Exit the editor with Ctrl+O and Ctrl+X

To install the software, go into the folder with cd ~/electrum-personal-server-eps-v0.2.0/

The folder name will depend on your version. We will install the software with pip3 install --user .

Don’t forget the dot at the end of the command!

j. Run electrum-personal-server for the first time

Run electrum-personal-server for the first time using the command electrum-personal-server ~/eps/config.ini

If you receive the error command not found it is likely that you will also have to add the directory .local to your $PATH. Use the command echo 'PATH=$HOME/.local/bin:$PATH' >> ~/.profile to do that. You will also have to log out and back in again using the command exit.

The first time we run electrum-personal-server it will import all the addresses from your Electrum wallet into the Bitcoind wallet. That takes about a minute.

Since we created a new, empty, Electrum wallet, we will not have to rescan the Blockchain. If you do need this step, continue reading below.

Optional: Rescan Bitcoind

If your Electrum wallet has already been set up and you do not want to move over to your new wallet, you have to rescan Bitcoind. To do that, make sure electrum-personal-server is not running, e.g. by looking at the log output or checking the list of running applications (except those running as root) with the command ps -U root -u root --deselect

Stop Bitcoind with the command sudo service bitcoind stop

You can restart Bitcoind with the command bitcoind --rescan

This will take a while. Depending on whether you are running Bitcoind with pruning or not, the entire Blockchain may have to be downloaded.

k. Set up tor

To make the electrum-personal-server available from your laptop and mobile phones, set up tor. Unless tor is already installed, run sudo apt install tor to set it up.

Navigate to the configuration file with the command sudo nano /etc/tor/torrc

In the section for ‘hidden services,’ add the lines:

HiddenServiceDir /var/lib/tor/eps
HiddenServicePort 50002 127.0.0.1:50002

Restart tor with the command sudo service tor restart

To find out the hidden service address, run the command sudo cat /var/lib/tor/eps/hostname

For us, the address sih57ktjsudd2jpp.onion will appear. Yours will be different.

l. Run electrum-personal-server

Run electrum-personal-server again, but this time with the command electrum-personal-server ~/eps/config.ini &>/dev/null & followed by the command disown

This will make sure the program keeps running in the background, even when disconnected from the server. Watch the log output with tail -f ~/eps/eps.log

m. Install Tor on your personal machine

For this to work, you will need to set up Tor on your personal machine. You can download the Tor Browser here. You will need to keep it running in the background. Alternatively you can also install a Tor proxy directly on your machine. On your Android device, you can install Orbot.

n. Launch Electrum Client

Open your Electrum wallet on your computer and click on the round button on the bottom right.

Under ‘Proxy,’ select to use the Tor proxy at 127.0.0.1, port 9050 (port 9051 if you use the Tor Browser in the background). Under ‘Server’ enter your onion address, in our case sih57ktjsudd2jpp.onion

Optional: Disable connections to other servers

To connect your Electrum client exclusively to your electrum-personal-server, edit the configuration file on your machine. You can find it here:

  • Windows: C:\Program Files (x86)\Electrum\config
  • Linux: ~/.electrum/config
  • Mac: ~/.electrum/config

Open the file with a text editor and find the line that says "oneserver":false, and change it to "oneserver":true,

Restart Electrum and under Network you should see you are only connected to your own server.

Congratulations! You can now conveniently send and receive Bitcoin from your Laptop or mobile phone without having to compromise on the security and privacy of your full node!

Risky: Connect without Tor

If you have trouble connecting to Electrum-private-server via Tor, you can also open your firewall with sudo ufw allow 50002

As there is no authentication process, this will allow anybody who knows the address to connect to your instance. Unlike with Tor, it is possible to scan or guess millions of IP addresses for electrum-private-server instances, and there may or may not be bugs in this software that could allow a malicious attacker to take over your machine. If you are keeping Bitcoin on your machine, for example because you are also running a Lightning node, this is not recommended at all.

12. Create a simple web site

You’ll also be able to use this personal server to serve a simple web page. You can use this site to host information on how to contact you, or list your Lightning node information, or even host your personal blog.

Open the firewall a little

Allow incoming connections on port 80 and 443. To do that, run the commands sudo ufw allow http and sudo ufw allow https. Check the status of the firewall with the command sudo ufw status

Install nginx

Install nginx to serve the web pages. Use the command sudo apt install nginx

Navigate to your site by entering the IP address of the server into a browser window. You should see the ‘Welcome to nginx’ page. Edit the page with the command sudo nano /var/www/html/index.nginx-debian.html and refresh your browser.

Configure a domain name

If you want your page to be easily reachable through a memorable url, you will need to purchase a domain name and set up your DNS records.

Then open the configuration file of nginx with the command sudo nano /etc/nginx/sites-enabled/default

Look for the line (in white) that starts with server_name and replace the underscore with your domain in the format yourdomain.com www.yourdomain.com (see the example in the screenshot below).

We can close the editor with the commands Ctrl+O and Ctrl+X

Test changes to this configuration file with the command sudo nginx -t

The output should read:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

We can then reload the configuration with sudo nginx -s reload

The screenshot the text above promised.

Get a free HTTPS certificate with Let’s Encrypt

Use the Let’s Encrypt certbot to easily obtain a certificate. Add its repository with the command sudo add-apt-repository ppa:certbot/certbot, then update with sudo apt update and install the certbot with sudo apt install python-certbot-nginx

Obtain our certificates with the following command. (Make sure to enter your domain in the exact same format as we did above, and that your DNS records are set up correctly.)

sudo certbot --nginx -d expressvpn.com -d www.expressvpn.com

Enter an email address in case there is an issue with the certificate and accept the terms of the certificate. Optionally opt into receiving information about letsencrypt from the Electronic Frontier Foundation (EFF).

We recommend HTTPS only, as there is no reason anybody should ever request any unencrypted information from your server.

13. Make your website available as a Hidden Service

You can also make your website available as a hidden service with its own onion address. If you do not want to get a domain name or reveal the IP address of your server, operate it behind a firewall, or if you want to keep its location or operator secret, run it exclusively as a hidden service.

To do this, install nginx as described in the steps of chapter 12, but keep your firewall closed. Do not configure your domain name and do not install letsencrypt.

Configure tor

If tor is not yet installed, install it with the command sudo apt install tor

Then, navigate to the configuration file with the command sudo nano /etc/tor/torrc

Find the section ‘location-hidden services’ and remove the pound (#) sign from the following lines:
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80

Optionally, also add the line HiddenServiceVersion 3 right below the HiddenServicePort entry to obtain a longer, more secure Version 3 onion address.

Now restart tor with the command sudo service tor restart

To obtain an onion url, run the command sudo cat /var/lib/tor/hidden_service/hostname

For us, the output is ufxehwtwybcu7pbw5ttzumn4hypg7excnnmmv56erbtcnakn4drva4ad.onion

The tor software will create a different onion url for each new HiddenServiceDir we specify. If you have not added the HiddenServiceVersion line, yours will be considerably shorter.

Configure nginx

If you used letsencrypt to reconfigure nginx, you might not be able to access your server yet through your onion url. To configure it properly, open the configuration file with the command sudo nano /etc/nginx/sites-enabled/default

Add the following to the bottom of the file. Make sure to replace the field with the onion url with your own onion url:

server {
    listen 80;
    listen [::]:80;

    server_name ufxehwtwybcu7pbw5ttzumn4hypg7excnnmmv56erbtcnakn4drva4ad.onion;

    root /var/www/html;
    index index.html;
}

Open the tor browser

To navigate to your onion site you will need the Tor Browser. You can get it for free here.

14. Install Jitsi Meet for private and secure video conferencing

Jitsi Meet is an open source alternative to commercial video conferencing software. Your server will be able to host calls for multiple people in multiple virtual rooms. It works in most browsers, and client apps can be downloaded from the Play and App stores.

You can do this with the server you already have, but we recommend setting up a separate instance with more computing capacity. For this installation, we will choose the s.2 for US$14 per month from the ‘General Purpose’ tab under ‘Create VM’ in Lunanode.

Once the instance is up and running, log into it with ssh ubuntu@< your ip here >

If this is the first log in, you will be asked to confirm the ECDSA key fingerprint.

Update the machine

Before you begin, make sure everything is up to date and patched with the commands sudo apt update and sudo apt upgrade

Add the Jitsi repository

Add the Jitsi PGP key to your machine so that we can properly authenticate software and updates. Do this with the command wget https://download.jitsi.org/jitsi-key.gpg.key and sudo apt-key add jitsi-key.gpg.key

Now add Jitsi’s software repository to a list. First, open an editor and create a new file with sudo nano /etc/apt/sources.list.d/jitsi-stable.list

Populate this file with deb https://download.jitsi.org stable/

Close the editor with the commands Ctrl+O and Ctrl+X

Update the repository with sudo apt update

Configure the firewall

Make use of the ufw firewall. Check the current status of ufw with the command sudo ufw status

If it says ‘inactive,’ you will need to first allow ssh connections with sudo ufw allow ssh, then enable the firewall with sudo ufw enable

Add the following rules:
sudo ufw allow in 80/tcp
sudo ufw allow in 443/tcp
sudo ufw allow in 10000:20000/udp

Get a domain name

We recommend you use jitsi with a custom domain name that you own, although it can also be operated with a raw IP address.

If you use a domain name, configure it with a name server of your choice and point it to the IP of your server. We’ll need the domain name in the next step. You won’t be able to use the same sub-domain that you use for your web server above. If you serve your website via www.domain.com, for example, you can serve Jitsi Meet via meet.domain.com. This can be configured in the DNS settings of your domain registrar.

Install Jitsi Meet

Initiate the installation process with sudo apt install jitsi-meet

You will be asked to submit the hostname of the installation. This could be your domain name in the format domain.com, or meet.domain.com. In the next step, we will generate a self-signed certificate.

Set up the HTTPS certificate

To defend against Man-in-the-Middle Attacks, and make sure a browser can properly access our installation, set up a certificate.

Use a ready-made script for this. We will run this script as root. To get permanent root privileges, run the command sudo -i

First, run the script with /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh

Enter an email address that can later be used to provide updates. Confirm with Enter.

Start your first meeting

You can now navigate to your url and use your Jitsi installation! Happy video conferencing!

And much more to come…

There are plenty of other things to do with a home server. Please bookmark the page and check back as we add things and refine our processes.

If you have installed any of the tools above, congratulations! Let us know how it went, your personal configurations, and what else you are running!