Bitcoin Forum
Topic: Bitcoin node with 24/7 inbound connections without static IP

ekzyis (OP)
December 15, 2022, 01:56:04 AM
#1

Hey!

I was wondering how people run nodes on their home network with an ISP which does not provide a static IP while keeping inbound connections during public IP changes.

I have been googling around for a while and was quite surprised that I haven't found a solution to this. This issue describes my problem that only restarts seem to help: https://github.com/bitcoin/bitcoin/issues/10262

At first, I thought I could use DynDNS and set externalip in my bitcoin config to this hostname. But in https://bitcointalk.org/index.php?topic=5282693.0, it is explained that the bitcoin network only advertises IP addresses:

Quote
under the hood the only thing that your node sends others and involves your address are
- a version message that contains your IPV6 or IPV4 mapped to v6 in it which could usually just be 0s
- an addr message that contains your IP address the same as before.
both of these are streams of bytes and are represented and interpreted as an IP address, not a domain name.

which makes sense to me. So now I understand why using externalip with DynDNS can't work.

Then I thought I could use my virtual private server as a proxy since it has a static IP. I thought this could work using `ssh -D 8330 vps` for outbound connections and `ssh -R 8333:localhost:8330 vps` for inbound connections.

But no inbound connections are made. This is my bitcoin config:

Code:
##
## bitcoin.conf configuration file. Lines beginning with # are comments.
##

# I2P
i2psam=127.0.0.1:7656
i2pacceptincoming=true

# accept inbound connections
listen=1
externalip=134.***.***.***:8333
discover=1
upnp=1
proxy=127.0.0.1:8330

# accept JSON-RPC commands
server=1
rpcuser=bitcoin
rpcpassword=***

disablewallet=1

# Enable pruning to reduce storage requirements by deleting old blocks.
# This mode is incompatible with -txindex and -coinstatsindex.
# 0 = default (no pruning).
# 1 = allows manual pruning via RPC.
# >=550 = target to stay under in MiB.
prune=0

datadir=/home/bitcoin/.bitcoin
txindex=1
mempoolfullrbf=1

[main]
rpcport=8332

[test]
rpcport=18332

I would be very glad if this would be possible. I really want to have the "full bitcoin node experience" with 24/7 inbound connections and seeing who connects to me and how long etc.

Also, I think running a lightning routing node without a static IP could become troublesome.

I also read about https://tunnelsats.com/ and I think this could also solve my problem even though I am not running (yet) a lightning node.

But I thought I could solve this using a simple proxy setup or similar easy tools.

Thanks for your time reading this!

Edit:

I guess running bitcoin over tor would be a viable solution for uninterrupted inbound connections? But there is no workaround for clearnet?
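
The address fields described in the quote above, as an added example (not code from the thread or from Bitcoin Core): it serialises the 26-byte address field of a `version` message, wraps it in a message with header and checksum, and parses it back, which shows why only an IP literal fits. The sample address 203.0.113.7, the user agent and the function names are constructed for illustration; protocol version 70016 is the one printed by `-netinfo` later in the thread.

```python
import hashlib
import ipaddress
import struct

MAINNET_MAGIC = bytes.fromhex("f9beb4d9")  # mainnet message start bytes
PROTOCOL_VERSION = 70016                   # as printed by -netinfo in this thread
NODE_NETWORK = 1                           # service bit: node serves the full chain


def encode_net_addr(host, port, services=NODE_NETWORK):
    """26-byte address field: services (u64 LE), 16-byte IP, port (u16 BE).

    Entries in an `addr` message carry the same field behind a 4-byte timestamp.
    """
    ip = ipaddress.ip_address(host)  # raises ValueError unless host is an IP literal
    if ip.version == 4:
        raw = b"\x00" * 10 + b"\xff\xff" + ip.packed  # IPv4 mapped into IPv6
    else:
        raw = ip.packed
    return struct.pack("<Q", services) + raw + struct.pack(">H", port)


def decode_net_addr(field):
    """Inverse of encode_net_addr; returns (host, port, services)."""
    services = struct.unpack_from("<Q", field, 0)[0]
    ip6 = ipaddress.IPv6Address(field[8:24])
    port = struct.unpack_from(">H", field, 24)[0]
    mapped = ip6.ipv4_mapped
    return (str(mapped) if mapped is not None else str(ip6)), port, services


def can_advertise(value):
    """True if value fits the fixed-size address field, i.e. is an IP literal."""
    try:
        encode_net_addr(value, 8333)
        return True
    except ValueError:
        return False


def double_sha256(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def build_version(recv, sender, timestamp, nonce, user_agent=b"/example:0.1/"):
    """Serialise a `version` message; recv and sender are (host, port) tuples."""
    payload = struct.pack("<iQq", PROTOCOL_VERSION, NODE_NETWORK, timestamp)
    payload += encode_net_addr(*recv)      # addr_recv: the peer being contacted
    payload += encode_net_addr(*sender)    # addr_from: may be all zeros
    payload += struct.pack("<Q", nonce)
    payload += bytes([len(user_agent)]) + user_agent  # var_str, length < 0xfd
    payload += struct.pack("<i?", 0, True)            # start_height, relay
    header = (MAINNET_MAGIC + b"version".ljust(12, b"\x00")
              + struct.pack("<I", len(payload)) + double_sha256(payload)[:4])
    return header + payload


def parse_version(message):
    """Check header and checksum, then return both address fields decoded."""
    magic, command, length, checksum = struct.unpack_from("<4s12sI4s", message, 0)
    payload = message[24:24 + length]
    if magic != MAINNET_MAGIC or command.rstrip(b"\x00") != b"version":
        raise ValueError("not a mainnet version message")
    if len(payload) != length or double_sha256(payload)[:4] != checksum:
        raise ValueError("truncated payload or bad checksum")
    return {
        "protocol": struct.unpack_from("<i", payload, 0)[0],
        "addr_recv": decode_net_addr(payload[20:46]),
        "addr_from": decode_net_addr(payload[46:72]),
    }


if __name__ == "__main__":
    # Constructed values: 203.0.113.7 is a documentation address (TEST-NET-3).
    msg = build_version(("203.0.113.7", 8333), ("::", 0), 1671069364, 1)
    print(len(msg), parse_version(msg))
    for candidate in ("203.0.113.7", "2001:db8::1", "mynode.dyndns.org"):
        print(candidate, can_advertise(candidate))
```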

jackg
December 15, 2022, 05:21:11 AM
#2

I think I mentioned this about 5 years ago (for myself) and no-IP seemed to be an option members had heard of to get a hostname (I think they used to give static IPs but might not do).

Tor is an alternative and quite a good one for running a lightning service (some wallets enforce its use). I don't think it matters too much if you're running a node connected via a hidden service or one on clearnet - you don't need as much firewall configurations to use tor in my experience anyway.

mendace
December 15, 2022, 11:27:22 PM
#3

Running a Bitcoin node on a home network with a dynamic IP address can be challenging, as the IP address of the node will change over time. This can disrupt inbound connections to the node, making it difficult for other nodes on the network to connect to it.

One solution to this problem is to use a Dynamic DNS service, which allows you to use a hostname (e.g. "mynode.dyndns.org") to refer to your node's IP address, even if the IP address changes over time. The hostname can then be used in the externalip setting in your Bitcoin configuration file, so that other nodes on the network can connect to your node using the hostname.

Another solution is to use a Virtual Private Server (VPS) with a static IP address as a proxy for your home node. In this setup, you can use ssh tunnels to forward traffic between your home node and the VPS. This allows other nodes on the network to connect to your home node via the VPS, using the static IP address of the VPS.

Running Bitcoin over the Tor network is another option that could allow for uninterrupted inbound connections to your node. In this setup, your node would be accessible via a hidden service on the Tor network, which would provide a stable address that other nodes can use to connect to your node.

Overall, there are several solutions to the problem of running a Bitcoin node with a dynamic IP address. Each solution has its own advantages and disadvantages, and the best option for you will depend on your specific situation and requirements.

PawGo
December 16, 2022, 12:08:29 PM
#4

I cannot find it now, but I remember some time ago there was a quite similar question, OP had problems with shared IP.
The problem was that his IP provider had a very limited pool of IP addresses and several customers were using the same IP, therefore there was no way to use port forwarding. You should check if it is not the case in your situation.

LoyceV
December 16, 2022, 12:10:52 PM
#5

Does your IP address change during the day, or only when you reset your modem?

Either way: have you tested it? I'm pretty sure the network can handle it if your IP goes offline, nodes will just continue with their other connections and eventually find your new IP again.

NotATether
December 16, 2022, 12:53:21 PM
#6

Quote
One solution to this problem is to use a Dynamic DNS service, which allows you to use a hostname (e.g. "mynode.dyndns.org") to refer to your node's IP address, even if the IP address changes over time. The hostname can then be used in the externalip setting in your Bitcoin configuration file, so that other nodes on the network can connect to your node using the hostname.

Last time I tried it (in v21), Bitcoin Core did not support using hostnames for node addresses. And there is no DNS code in Bitcoin Core at all, all of that is actually in a separate, independent program called dnsseed. So how is this possible?

seoincorporation
December 16, 2022, 07:18:29 PM
#7

The right way to fix your issue is with NO-IP

https://www.noip.com/

Remember to configure your PC in the modem as DMZ, that way you will allow any call from WAN, that's the right way to do it, but you should have in mind that now anyone can try to access your server, so, before opening it to the WAN you should learn about some secure ways to protect your server.

ekzyis (OP)
December 18, 2022, 06:42:38 PM
#8

Hey, thanks for all the replies.

Quote
Tor is an alternative and quite a good one for running a lightning service (some wallets enforce its use). I don't think it matters too much if you're running a node connected via a hidden service or one on clearnet - you don't need as much firewall configurations to use tor in my experience anyway.

I am using Tor now and it took some time, but I have inbound connections now. I also have been running i2p for a while but I think I never had any connection using I2P ever. I guess not many nodes run on I2P? Or I need a seed node?

Quote
But there is no workaround for clearnet?

One possible workaround is using a VPN which offers a port forwarding feature.

Ah, I guess that's where services like https://tunnelsats.com/ come into play? I guess I could create my own VPN with my VPS using WireGuard?

Quote
Running a Bitcoin node on a home network with a dynamic IP address can be challenging, as the IP address of the node will change over time. This can disrupt inbound connections to the node, making it difficult for other nodes on the network to connect to it.

One solution to this problem is to use a Dynamic DNS service, which allows you to use a hostname (e.g. "mynode.dyndns.org") to refer to your node's IP address, even if the IP address changes over time. The hostname can then be used in the externalip setting in your Bitcoin configuration file, so that other nodes on the network can connect to your node using the hostname.

Another solution is to use a Virtual Private Server (VPS) with a static IP address as a proxy for your home node. In this setup, you can use ssh tunnels to forward traffic between your home node and the VPS. This allows other nodes on the network to connect to your home node via the VPS, using the static IP address of the VPS.

Running Bitcoin over the Tor network is another option that could allow for uninterrupted inbound connections to your node. In this setup, your node would be accessible via a hidden service on the Tor network, which would provide a stable address that other nodes can use to connect to your node.

Overall, there are several solutions to the problem of running a Bitcoin node with a dynamic IP address. Each solution has its own advantages and disadvantages, and the best option for you will depend on your specific situation and requirements.

TBH, that sounds like a ChatGPT response, haha. Interesting times we live in.

Regarding Dynamic DNS: I already tried that and as others pointed out, a node advertises IP addresses, not hostnames. So this doesn't work.

Regarding VPS: I tried this but I couldn't get inbound connections to work. Do you have a guide for that? I used `ssh -D` for outbound connections and `ssh -R` for inbound connections but that didn't work as described in my initial post:

Quote
Then I thought I could use my virtual private server as a proxy since it has a static IP. I thought this could work using `ssh -D 8330 vps` for outbound connections and `ssh -R 8333:localhost:8330 vps` for inbound connections.

But no inbound connections are made.

Quote
I cannot find it now, but I remember some time ago there was a quite similar question, OP had problems with shared IP.
The problem was that his IP provider had a very limited pool of IP addresses and several customers were using the same IP, therefore there was no way to use port forwarding. You should check if it is not the case in your situation.

My port forwarding works since I do get inbound connections when I restart my node. Only when my public IP changes, the inbound connections are lost and for some reason, no inbound connections appear again until I restart my node. Shouldn't I at least get new inbound connections after some time?

Quote
Does your IP address change during the day, or only when you reset your modem?

Either way: have you tested it? I'm pretty sure the network can handle it if your IP goes offline, nodes will just continue with their other connections and eventually find your new IP again.

Yes, I tested it. I have been monitoring my public IP using a custom script and after every public IP change, all inbound connections were dropped. However, my IP was never found again.

I think I waited for at least a day once but nothing. I also thought my new IP should be eventually found but this does not seem to be the case. Maybe I have to dig into the code to understand this better. Wanted to do this anyway sometime, haha

Quote
One solution to this problem is to use a Dynamic DNS service, which allows you to use a hostname (e.g. "mynode.dyndns.org") to refer to your node's IP address, even if the IP address changes over time. The hostname can then be used in the externalip setting in your Bitcoin configuration file, so that other nodes on the network can connect to your node using the hostname.

Last time I tried it (in v21), Bitcoin Core did not support using hostnames for node addresses. And there is no DNS code in Bitcoin Core at all, all of that is actually in a separate, independent program called dnsseed. So how is this possible?

The simple answer is that it is not possible

Quote
The right way to fix your issue is with NO-IP

https://www.noip.com/

Remember to configure your PC in the modem as DMZ, that way you will allow any call from WAN, that's the right way to do it, but you should have in mind that now anyone can try to access your server, so, before opening it to the WAN you should learn about some secure ways to protect your server.

Isn't NO-IP the same as a DynDNS service? So this will not work since bitcoin does not advertise hostnames?

So I think my only viable solution here is to (also) continue using Tor or look into a VPN solution.

DaveF
December 18, 2022, 09:33:46 PM
#9

Side thought: I don't know where you are located but most ISPs do offer a static IP option for a fee. Might have to get the 'business class' service or something similar but it does tend to exist if you look for it. It might cost more, but if you are going to be putting in a lot of time and effort to get this to work, and there is an option just to pay and get static it might be worth it to save you some of that time and effort.

I can see you getting this to work and then something else someplace else changes and it stops working and you are back to spending time and effort to get it to work again till the next time something changes.

TOR will always work, but if you want a clearnet public IP, paying for it, if it's available might just be easier.

-Dave

LoyceV
December 19, 2022, 10:12:18 AM
#10

Quote
Yes, I tested it. I have been monitoring my public IP using a custom script and after every public IP change, all inbound connections were dropped.
That makes sense, they're looking at your old IP. I'm surprised though, I didn't expect any ISP to change an IP address while you're using it. Can't you complain to them?

Quote
However, my IP was never found again.
I'm confused: does this mean Bitcoin Core gets no new inbound transactions, while it's still downloading new blocks?

Quote
I think I waited for at least a day once but nothing. I also thought my new IP should be eventually found but this does not seem to be the case.
Have you tried restarting Bitcoin Core? If that solves it, you can just schedule it to restart after each IP change.

Quote
I guess I could create my own VPN with my VPS using WireGuard?
It's possible. But from what I know, cost of VPN and cheap VPS (which usually has 1 CPU/1GB RAM) usually is hardly different. So personally I would recommend VPN since you don't have to set up WireGuard and maintain your VPS.
I've tested OpenVPN on a $4/year VPS, and that worked. It's ipv6 only for that price, and shares the ipv4 IP. Around Black Friday, I paid $10.28/year for a 768 MB VPS with its own ipv4 IP.



Come to think of it: according to myips.php, my ipv6 IP changes all the time! My ipv4 IP doesn't change. I have no idea why it even switches back and forth between ipv4 and ipv6, nor do I know why the ipv6 IP changes.

LoyceV
December 19, 2022, 11:27:58 AM
#11

Quote
I've tested OpenVPN on a $4/year VPS, and that worked. It's ipv6 only for that price, and shares the ipv4 IP. Around Black Friday, I paid $10.28/year for a 768 MB VPS with its own ipv4 IP.
It's true it's much cheaper if you're willing to rent from a less-popular provider with some limitations (usually not using KVM or no customer support).
For what it's worth: the former is OpenVZ, the latter KVM (and quite popular, and even still available at that price). And indeed, I don't expect support.

ekzyis (OP)
December 20, 2022, 08:05:19 PM
#12

Quote
Side thought: I don't know where you are located but most ISPs do offer a static IP option for a fee. Might have to get the 'business class' service or something similar but it does tend to exist if you look for it. It might cost more, but if you are going to be putting in a lot of time and effort to get this to work, and there is an option just to pay and get static it might be worth it to save you some of that time and effort.

I can see you getting this to work and then something else someplace else changes and it stops working and you are back to spending time and effort to get it to work again till the next time something changes.

TOR will always work, but if you want a clearnet public IP, paying for it, if it's available might just be easier.

-Dave

Hey, I think I will indeed just use a static IP. Costs 5€ more per month (need to switch to "business" contract as you mentioned). Should be worth it. I was just a bit nervous because most likely the minimal duration of the contract will be set back to 2 years.

But I read that when I move to a new shared apartment, I don't have to pay for the contract anymore if there is already an internet service provider there. So I guess I am fine regarding this.



Quote
But there is no workaround for clearnet?
One possible workaround is using a VPN which offers a port forwarding feature.
Ah, I guess that's where services like https://tunnelsats.com/ come into play?

I checked their service briefly and found this.

Do you offer full-service VPNs too?

In short: No. Currently we are specializing VPN usage for the sole purpose of lightning node running. If you are looking for a privacy-preserving, lightning-payment enabled VPN provider, we recommend to take a look at LNVPN.net.



I guess I could create my own VPN with my VPS using WireGuard?

It's possible. But from what I know, cost of VPN and cheap VPS (which usually has 1 CPU/1GB RAM) usually is hardly different. So personally I would recommend VPN since you don't have to set up WireGuard and maintain your VPS.

Ahh thanks for looking through. Very good to know that they aren't a full-service VPN.

Now that I think of it ... I already use Mullvad VPN. Can I maybe just use that to have a static IP for my bitcoin node? Not entirely sure how this works but seems like VPNs are the solution if I don't have a static IP. Will look into it, thanks! Totally forgot about my existing VPN, lol



Quote
Yes, I tested it. I have been monitoring my public IP using a custom script and after every public IP change, all inbound connections were dropped.
That makes sense, they're looking at your old IP. I'm surprised though, I didn't expect any ISP to change an IP address while you're using it. Can't you complain to them?

Quote
However, my IP was never found again.
I'm confused: does this mean Bitcoin Core gets no new inbound transactions, while it's still downloading new blocks?

Yes, it gets no inbound connections anymore. I already finished my IBD. So not sure how it would behave during IBD. But I thought IBD has nothing to do with inbound connections? My outbound connections are still here so downloading blocks should be fine.

Quote
I think I waited for at least a day once but nothing. I also thought my new IP should be eventually found but this does not seem to be the case.
Have you tried restarting Bitcoin Core? If that solves it, you can just schedule it to restart after each IP change.

Yes, that's what I have been doing when this occurs. Haven't thought of automatic restarting after each IP change... I want to have consistent inbound connections tbh. When I start to run a lightning node, I think this restart solution may become a problem, no? Or isn't it that much of a problem if my node goes down regularly for a minute? I think it should be back up after a minute. But since the node needs to be online to route payments, the IP change could happen during an unfortunate time and thus maybe a channel gets closed?? Don't know enough about LN however.

Quote
I guess I could create my own VPN with my VPS using WireGuard?
It's possible. But from what I know, cost of VPN and cheap VPS (which usually has 1 CPU/1GB RAM) usually is hardly different. So personally I would recommend VPN since you don't have to set up WireGuard and maintain your VPS.
I've tested OpenVPN on a $4/year VPS, and that worked. It's ipv6 only for that price, and shares the ipv4 IP. Around Black Friday, I paid $10.28/year for a 768 MB VPS with its own ipv4 IP.



Come to think of it: according to myips.php, my ipv6 IP changes all the time! My ipv4 IP doesn't change. I have no idea why it even switches back and forth between ipv4 and ipv6, nor do I know why the ipv6 IP changes.

I already have a VPS so that's no problem. As mentioned above, I also realized (lol) that I already use Mullvad VPN. Totally forgot about it. So I already have what I need to make this work, only needs some configuration? Will look into it.



Quote
Yes, I tested it. I have been monitoring my public IP using a custom script and after every public IP change, all inbound connections were dropped.
That makes sense, they're looking at your old IP. I'm surprised though, I didn't expect any ISP to change an IP address while you're using it. Can't you complain to them?

Unfortunately, it's a fairly common occurrence in a few parts of the world or if you specifically look for a cheap internet connection. My ISP also does that.

I wouldn't call my ISP cheap (it's DTAG) but maybe because every ISP in Germany is quite expensive. I am paying 39,95€ per month. Static IP with business contract would cost 44,95€.


Quote
I guess I could create my own VPN with my VPS using WireGuard?
It's possible. But from what I know, cost of VPN and cheap VPS (which usually has 1 CPU/1GB RAM) usually is hardly different. So personally I would recommend VPN since you don't have to set up WireGuard and maintain your VPS.
I've tested OpenVPN on a $4/year VPS, and that worked. It's ipv6 only for that price, and shares the ipv4 IP. Around Black Friday, I paid $10.28/year for a 768 MB VPS with its own ipv4 IP.

It's true it's much cheaper if you're willing to rent from a less-popular provider with some limitations (usually not using KVM or no customer support).

I am paying 4,39€ for my VPS. 2 virtual cores, 2GB RAM and 100 GB SSD. And 5€ per Month for Mullvad VPN. Never heard of KVM or OpenVZ before. Interesting. I'll ask my hosting provider what they use out of interest.

PawGo
December 20, 2022, 08:33:16 PM
#13

Quote
I am paying 4,39€ for my VPS. 2 virtual cores, 2GB RAM and 100 GB SSD. And 5€ per Month for Mullvad VPN. Never heard of KVM or OpenVZ before. Interesting. I'll ask my hosting provider what they use out of interest.


Having a VPS, you should be able to use a VPN like Strongswan, which has thousands of users and support is quite good. The only problem you may have is the configuration of the VPS on your provider's side, as it may block forwarding. Usually it is not a big problem, and if you work with 'people' with whom you may talk, not just machines which produce 'tickets' for customers' requests, the problem should be solvable.

https://www.tecmint.com/setup-ipsec-vpn-with-strongswan-on-debian-ubuntu/

LoyceV
December 21, 2022, 02:41:52 PM
#14

Quote
I already use Mullvad VPN. Can I maybe just use that to have a static IP for my bitcoin node? Not entirely sure how this works but seems like VPNs are the solution if I don't have a static IP.
Try it :) You may need port forwarding to get incoming connections.

Quote
When I start to run a lightning node, I think this restart solution may become a problem, no? Or isn't it that much of a problem if my node goes down regularly for a minute?
If you're not using it to receive customer payments, I wouldn't worry about a short downtime.

Quote
I am paying 4,39€ for my VPS. 2 virtual cores, 2GB RAM and 100 GB SSD.
That would fit a pruned node, but chances are your host won't appreciate doing an IBD (or any other sustained high load) on a shared server.

ekzyis (OP)
December 28, 2022, 04:44:21 AM
#15

Mhh, I think I set everything up now.

Wireguard config on VPS (139.144.78.247, 10.101.111.1):

Code:
[Interface]
ListenPort = 51871
PrivateKey = ***
Address = 10.101.111.1/24
Address = fdd0:d60d:40e2::1/48

[Peer]
PublicKey = GFYVo00RCThWwqscZesLR1yB6JUjSMaHCZkOR5Qf3SU=
AllowedIPs = 10.101.111.3/32
AllowedIPs = fdd0:d60d:40e2::3/128

Wireguard config on host running `bitcoind`:

Code:
[Interface]
ListenPort = 51993
PrivateKey = ***
Address = 10.101.111.3/32
Address = fdd0:d60d:40e2::3/128
DNS = 10.101.111.1

[Peer]
PublicKey = 0XGa5Bh9nycdOgelLxnM3j2NZU3pQwhZSadb8adCtRg=
AllowedIPs = 10.101.111.0/24
AllowedIPs = fdd0:d60d:40e2::/48
Endpoint = 139.144.78.247:51871
PersistentKeepalive = 30

Firewall config on VPS:

Code:
# Generated by iptables-save v1.8.8 on Wed Dec 28 04:13:17 2022
*nat
:PREROUTING ACCEPT [67046:5670872]
:INPUT ACCEPT [59551:5317013]
:OUTPUT ACCEPT [45735:3534422]
:POSTROUTING ACCEPT [45876:3543566]
-A PREROUTING -d 139.144.78.247/32 -p tcp -m tcp --dport 8333 -j DNAT --to-destination 10.101.111.3:8333
-A POSTROUTING -s 10.101.111.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -d 10.101.111.3/32 -p tcp -m tcp --dport 8333 -j SNAT --to-source 10.101.111.1
COMMIT
# Completed on Wed Dec 28 04:13:17 2022
# Generated by iptables-save v1.8.8 on Wed Dec 28 04:13:17 2022
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [95156:17840022]
:DINPUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m comment --comment ICMP -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m comment --comment DNS -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m comment --comment DNS -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m comment --comment DNS -j ACCEPT
-A INPUT -p tcp -m tcp --dport 55680 -m comment --comment SSH -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 51871 -m comment --comment Wireguard -j ACCEPT
-A INPUT -i wg0 -m comment --comment Wireguard -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8333 -m comment --comment Bitcoin -j ACCEPT
-A INPUT -j DINPUT
-A INPUT -j LOG --log-prefix "[BLOCK] "
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i wg0 -o wg0 -j ACCEPT
-A FORWARD -s 10.101.111.0/24 -i wg0 -o eth0 -j ACCEPT
-A FORWARD -d 10.101.111.0/24 -i eth0 -o wg0 -j ACCEPT
-A FORWARD -d 10.101.111.3/32 -p tcp -m tcp --dport 8333 -j ACCEPT
-A FORWARD -s 10.101.111.3/32 -p tcp -m tcp --sport 8333 -j ACCEPT
COMMIT
# Completed on Wed Dec 28 04:13:17 2022
# Generated by iptables-save v1.8.8 on Wed Dec 28 04:13:17 2022
*mangle
:PREROUTING ACCEPT [4748337:1815851052]
:INPUT ACCEPT [2377025:1436094833]
:FORWARD ACCEPT [2371296:379753460]
:OUTPUT ACCEPT [2266054:992585711]
:POSTROUTING ACCEPT [4637422:1372343380]
COMMIT
# Completed on Wed Dec 28 04:13:17 2022
# Generated by iptables-save v1.8.8 on Wed Dec 28 04:13:17 2022
*raw
:PREROUTING ACCEPT [4748337:1815851052]
:OUTPUT ACCEPT [2266054:992585711]
COMMIT
# Completed on Wed Dec 28 04:13:17 2022

Firewall config on 10.101.111.3:

Code:
# Generated by iptables-save v1.8.8 on Wed Dec 28 05:19:58 2022
*nat
:PREROUTING ACCEPT [37288:7556135]
:INPUT ACCEPT [21970:1335343]
:OUTPUT ACCEPT [769784:50634744]
:POSTROUTING ACCEPT [769796:50635464]
-A POSTROUTING -s 10.101.111.0/24 -o eno1 -j MASQUERADE
COMMIT
# Completed on Wed Dec 28 05:19:58 2022
# Generated by iptables-save v1.8.8 on Wed Dec 28 05:19:58 2022
*filter
:INPUT DROP [652:247011]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1051583:430152831]
-A INPUT -i lo -m comment --comment loopback -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m comment --comment icmp -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -m comment --comment dns -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -m comment --comment dns -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment ssh -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8333 -m comment --comment bitcoin -j ACCEPT
-A INPUT -p udp -m udp --dport 51993 -m comment --comment wireguard -j ACCEPT
-A INPUT -i wg0 -m comment --comment wireguard -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4444 -m comment --comment i2p -j ACCEPT
-A INPUT -j LOG --log-prefix "[BLOCK] "
-A FORWARD -i wg0 -o wg0 -j ACCEPT
-A FORWARD -s 10.101.111.0/24 -i wg0 -o eno1 -j ACCEPT
-A FORWARD -d 10.101.111.0/24 -i eno1 -o wg0 -j ACCEPT
-A FORWARD -d 10.101.111.3/32 -p tcp -m tcp --dport 50001 -j ACCEPT
COMMIT
# Completed on Wed Dec 28 05:19:58 2022
# Generated by iptables-save v1.8.8 on Wed Dec 28 05:19:58 2022
*mangle
:PREROUTING ACCEPT [80965100:484892881730]
:INPUT ACCEPT [76736821:482622440948]
:FORWARD ACCEPT [4228181:2270372993]
:OUTPUT ACCEPT [76191966:498444621955]
:POSTROUTING ACCEPT [80420147:500714994948]
COMMIT
# Completed on Wed Dec 28 05:19:58 2022

(Removed docker rules and peers irrelevant to this problem)

Used `externalip=134.144.78.247` in bitcoin config to advertise my static, public IP.

However, I get no IPv4 inbound connections:

Code:
$ bitcoin-cli -netinfo
Bitcoin Core client v24.0.1 - server 70016/Satoshi:24.0.0/

         ipv4    ipv6   onion     i2p   total   block
in          0       0      11       0      11
out         8       1       1       0      10       2
total       8       1      12       0      21

Local addresses
134.144.78.247                                                     port   8333    score      4
bc7npnwigyxmag6lalhoach4uuu2ntjhyznvjfcm7dqp2jv7sny5ffqd.onion     port   8333    score      4
pbpyuy3cg77ad7dw5as2k5aszmnag6gid2n4odxtku5gxzk6s3ca.b32.i2p       port      0    score      4

bitnodes.io did show my node as up when I finished configuring the firewall but now, it says "Your IP network is currently pending review." whatever that means.

I tested my setup using `nc` by sending a `version` message to the public IP. I got a response from my node, so I don't know what's wrong with this setup.

Code:
$ cat version_001.dat | nc 139.144.78.247 8333 > version_response.dat
^C
$ xxd version_001.dat
00000000: f9be b4d9 7665 7273 696f 6e00 0000 0000  ....version.....
00000010: 6600 0000 bdca d498 8011 0100 0d04 0000  f...............
00000020: 0000 0000 5083 5063 0000 0000 0000 0000  ....P.Pc........
00000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000040: 0000 0000 0000 0d04 0000 0000 0000 0000  ................
00000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000060: ff0a e912 84bd d3e2 102f 5361 746f 7368  ........./Satosh
00000070: 693a 3233 2e30 2e30 2f8e 960b 0001       i:23.0.0/.....
$ xxd version_response.dat
00000000: f9be b4d9 7665 7273 696f 6e00 0000 0000  ....version.....
00000010: 6600 0000 1d06 38a5 8011 0100 0d04 0000  f.....8.........
00000020: 0000 0000 a5c7 ab63 0000 0000 0000 0000  .......c........
00000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000040: 0000 0000 0000 0d04 0000 0000 0000 0000  ................
00000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000060: e31e 7cf3 6363 d92b 102f 5361 746f 7368  ..|.cc.+./Satosh
00000070: 693a 3234 2e30 2e30 2fad bc0b 0001 f9be  i:24.0.0/.......
00000080: b4d9 7774 7869 6472 656c 6179 0000 0000  ..wtxidrelay....
00000090: 0000 5df6 e0e2 f9be b4d9 7365 6e64 6164  ..].......sendad
000000a0: 6472 7632 0000 0000 0000 5df6 e0e2 f9be  drv2......].....
000000b0: b4d9 7665 7261 636b 0000 0000 0000 0000  ..verack........
000000c0: 0000 5df6 e0e2                           ..]...

I didn't redact the public IP of my node here on purpose since I think it would be very helpful if someone can try to connect to my node and see if the connection is stable.

Any ideas?
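Added example, not part of the original post: the `version_response.dat` capture above split into its framed P2P messages, with each double-SHA256 checksum verified and the version payload decoded. The function names are illustrative assumptions; the bytes are transcribed from the xxd dump.

```python
import hashlib
import ipaddress
import struct

MAGIC = bytes.fromhex("f9beb4d9")  # mainnet network magic
CAPTURE = bytes.fromhex(  # version_response.dat, transcribed from the xxd dump above
    "f9beb4d976657273696f6e0000000000" "660000001d0638a5801101000d040000"
    "00000000a5c7ab630000000000000000" "00000000000000000000000000000000"
    "0000000000000d040000000000000000" "00000000000000000000000000000000"
    "e31e7cf36363d92b102f5361746f7368" "693a32342e302e302fadbc0b0001f9be"
    "b4d9777478696472656c617900000000" "00005df6e0e2f9beb4d973656e646164"
    "647276320000000000005df6e0e2f9be" "b4d976657261636b0000000000000000"
    "00005df6e0e2"
)

def split_messages(stream):
    """Return [(command, payload, checksum_ok)] for a stream of framed messages."""
    out, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < 24:
            raise ValueError(f"truncated header at offset {pos}")
        magic, cmd, length, checksum = struct.unpack_from("<4s12sI4s", stream, pos)
        payload = stream[pos + 24 : pos + 24 + length]
        if magic != MAGIC or len(payload) != length:
            raise ValueError(f"bad magic or truncated payload at offset {pos}")
        digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
        out.append((cmd.rstrip(b"\0").decode("ascii"), payload, digest[:4] == checksum))
        pos += 24 + length
    return out

def parse_version(payload):
    """Decode a version payload whose user agent is shorter than 253 bytes."""
    version, services, timestamp = struct.unpack_from("<iQq", payload, 0)
    # Each address: 8 bytes services, 16 bytes IPv6/IPv4-mapped IP, 2 bytes big-endian port.
    recv_ip, recv_port = struct.unpack_from(">16sH", payload, 28)
    from_ip, from_port = struct.unpack_from(">16sH", payload, 54)
    ua_len = payload[80]
    if ua_len >= 0xFD:
        raise ValueError("multi-byte CompactSize user agent length not handled")
    (height,) = struct.unpack_from("<i", payload, 81 + ua_len)
    return {"version": version, "services": services, "timestamp": timestamp,
            "addr_recv": (str(ipaddress.IPv6Address(recv_ip)), recv_port),
            "addr_from": (str(ipaddress.IPv6Address(from_ip)), from_port),
            "user_agent": payload[81:81 + ua_len].decode("ascii"), "start_height": height}

if __name__ == "__main__":
    for cmd, payload, ok in split_messages(CAPTURE):
        print(f"{cmd:<12} {len(payload):>4} bytes  checksum_ok={ok}")
    print(parse_version(split_messages(CAPTURE)[0][1]))
```

Both address fields in this capture are all zeros, so the reply confirms the TCP path to the node on port 8333 and says nothing about which address the node advertises to peers.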
ekzyis (OP)
December 28, 2022, 04:53:15 AM
 #16

Now that I think of it ... I already use Mullvad VPN. Can I maybe just use that to have a static IP for my bitcoin node? Not entirely sure how this works but seems like VPNs are the solution if I don't have a static IP. Will look into it, thanks! Totally forgot about my existing VPN, lol

I tried Mullvad some time ago and they support both port forwarding[1] (to accept incoming connections) and a static IP address[2], although you need to configure it manually once.


--snip--

I am paying 4,39€ for my VPS. 2 virtual cores, 2GB RAM and 100 GB SSD. And 5€ per Month for Mullvad VPN. Never heard of KVM or OpenVZ before. Interesting. I'll ask my hosting provider what they use out of interest.

FYI, this information is usually available on the FAQ page or the page which lists their VPS. You could use an application such as virt-what as well.

[1] https://mullvad.net/en/help/port-forwarding-and-mullvad/
[2] https://mullvad.net/en/help/why-wireguard/

I checked Mullvad out, I can only pick a random inbound port. But I want 8333 so that won't work. It used to be that bitcoin has a bias towards default ports, however, that doesn't seem to be the case anymore since https://github.com/bitcoin/bitcoin/pull/23542.

Nevertheless, I don't want to depend / don't need Mullvad here. I should be able to configure using my own VPN. I see this as a learning experience.

I used `virt-what`. It returned openvz and lxc. Since the VPS is still running on kernel 4.15.0, and Wireguard is only supported since kernel 5.6, I switched to a different provider (linode) with full virtualization. This one is running kernel 6.1.1-arch1-1 now.

I already use Mullvad VPN. Can I maybe just use that to have a static IP for my bitcoin node? Not entirely sure how this works but seems like VPNs are the solution if I don't have a static IP.
Try it :) You may need port forwarding to get incoming connections.

Quote
When I start to run a lightning node, I think this restart solution may become a problem, no? Or isn't it that much of a problem if my node goes down regularly for a minute?
If you're not using it to receive customer payments, I wouldn't worry about a short downtime.

Quote
I am paying 4,39€ for my VPS. 2 virtual cores, 2GB RAM and 100 GB SSD.
That would fit a pruned node, but chances are your host won't appreciate doing an IBD (or any other sustained high load) on a shared server.

I already finished IBD. I don't want to run the node on the shared server. I want to keep running it without pruning on my machine at home but just expose it using Wireguard and a VPS with a static public IP.
ekzyis (OP)
March 25, 2023, 02:10:03 AM
Merited by LoyceV (4), ABCbits (3)
 #17

Hey, wanted to give a quick update about this since this may help other people who read this in the future.

I managed to get my node running at home using the static IP from my VPS by forwarding all inbound traffic to 10.101.111.3:8333 where my bitcoin node is listening.

I don't know why it didn't work at the beginning but the inbound connections are stable now. I think it's been running for 2+ months now without any issues.

This is my iptables setup (excluded rules not relevant to this topic):

Code:
Chain PREROUTING (policy ACCEPT 3223K packets, 156M bytes)
 pkts bytes target     prot opt in     out     source               destination         
 400K   23M DNAT       6    --  *      *       0.0.0.0/0            139.144.78.247       tcp dpt:8333 to:10.101.111.3:8333

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 7058  663K ACCEPT     17   --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:51871 /* Wireguard */
12703  837K ACCEPT     0    --  wg0    *       0.0.0.0/0            0.0.0.0/0            /* Wireguard */
 4657  229K ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8333 /* Bitcoin */
2675K  108M REJECT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 194K   70M ACCEPT     0    --  wg0    wg0     0.0.0.0/0            0.0.0.0/0           
 368M  452G ACCEPT     0    --  wg0    eth0    10.101.111.0/24      0.0.0.0/0           
 172M   15G ACCEPT     0    --  eth0   wg0     0.0.0.0/0            10.101.111.0/24     
   17  3558 ACCEPT     6    --  *      *       0.0.0.0/0            10.101.111.3         tcp dpt:8333
    0     0 ACCEPT     6    --  *      *       10.101.111.3         0.0.0.0/0            tcp spt:8333

Chain POSTROUTING (policy ACCEPT 2832K packets, 172M bytes)
 pkts bytes target     prot opt in     out     source               destination
 400K   23M SNAT       6    --  *      *       0.0.0.0/0            10.101.111.3         tcp dpt:8333 to:10.101.111.1
