This is a dedicated guide to help quickly spin up a Neutrino node with lnd 0.17.0-Beta. I recommended going through all of the security features on the Raspibolt and Digital ocean guide as part of DYOR before you commit more than a few sats on this node. Its a WIP 👷🏻♂️. This guide will give you options to add more tools:
- Watchtower support
- NOSFT locally (prerequisites: Node v18+)
- Balance of Satoshi (BOS) with Telegram bot and static channel backup (SCB) (prerequisites: Node v18+)
- More to come 🚀
Neutrino is a great way to familiarize yourself with bitcoin. Since it is self-custody you will be responsible for your keys (mnemonic seed). It's quick and cheap to get started, making it ideal for testing. It's a great way to run Nosft locally. If you run a full node it is commonly used as a watchtower or used for its static clearnet IP in hybrid mode. Since its a light client and doesn't store the blockchain it has also been a primary driver for mobile applications. Check out Neutrino for more info.
This guide is based on the Raspibolt guide with some modifications for it to be a Neutrino node. This is a quick guide with little commentary and explaination. If you want to know everything that is going on and run a full node you can find the full guide here at Raspibolt. My user is joe. Anywhere you see joe, change it to your user ⚡️.
For added security features check out Raspibolt and Digital Ocean Guides.
We will spin up the node using Digital Ocean and create a droplet. You can use any cloud service you would like. Digital Ocean seemed to be the cheapest and easiest. Use my referral link here. You will get $200 in credits over a 60 day period. We will be using a $7/mos. Droplet. Then enable the Reserved IP for $5/mos.
- Create a project
- Click "Create" under drop down click -> "Droplet"
- For Region choose one close to you; Choose Ubuntu for Image; Choose Basic; Select the cheapest droplet $6 - $7.
- Under "HostName" name your Droplet
- Create password or SSH keys
- "Create Droplet"
- Click on your droplet once it loads. Next to Reserved IP click
Enable now
and assign it. - Click your droplets name to get back to it. Then click "Access" then click "Launch Droplet console"
# save password; change user joe to your user
adduser joe
# grant sudo permssions to user joe
usermod -aG sudo joe
rsync --archive --chown=joe:joe ~/.ssh /home/joe
ufw app list
ufw allow OpenSSH
ufw allow 9735
ufw allow 10009
ufw enable
ufw status
sudo systemctl enable ufw
For LNDg and Nosft: allow home IP address to access the software through your browser.
# Replace xxx.xx.xxx.xxx w/your home IP, google what’s my ip
sudo ufw allow from xxx.xx.xxx.xxx
-> Optional: allow for nosft
sudo ufw allow 3000/tcp comment ‘nosft’
-> Optional: allow for lndg
sudo ufw allow 8889/tcp comment 'allow LNDg SSL'
# As user joe we will verify the install.
sudo su - joe
cd /tmp
sudo apt install ots
Create the shell variable for the version update.
VERSION="0.17.0"
Download and verify the $VERSION.
wget https://github.com/lightningnetwork/lnd/releases/download/v$VERSION-beta/lnd-linux-amd64-v$VERSION-beta.tar.gz
wget https://github.com/lightningnetwork/lnd/releases/download/v$VERSION-beta/manifest-v$VERSION-beta.txt
wget https://github.com/lightningnetwork/lnd/releases/download/v$VERSION-beta/manifest-roasbeef-v$VERSION-beta.sig
wget https://github.com/lightningnetwork/lnd/releases/download/v$VERSION-beta/manifest-roasbeef-v$VERSION-beta.sig.ots
sha256sum --check manifest-v$VERSION-beta.txt --ignore-missing
curl https://raw.githubusercontent.com/lightningnetwork/lnd/master/scripts/keys/roasbeef.asc | gpg --import
gpg --verify manifest-roasbeef-v$VERSION-beta.sig manifest-v$VERSION-beta.txt
ots verify manifest-roasbeef-v$VERSION-beta.sig.ots -f manifest-roasbeef-v$VERSION-beta.sig
tar -xzf lnd-linux-amd64-v$VERSION-beta.tar.gz
sudo install -m 0755 -o root -g root -t /usr/local/bin lnd-linux-amd64-v$VERSION-beta/*
lnd --version
lnd version 0.17.0-beta commit=v0.17.0-beta
sudo adduser --disabled-password --gecos "" lnd
# change Joe to your user.
sudo adduser joe lnd
# Used -p creates the parent directory.
sudo mkdir -p /data/lnd
sudo chown joe:joe /data
sudo chown -R lnd:lnd /data/lnd
Change to user lnd.
sudo su - lnd
ln -s /data/lnd /home/lnd/.lnd
ln -s /data/bitcoin /home/lnd/.bitcoin
# As user “lnd”, create a text file and enter your LND wallet password. Save and exit (ctrl C)
nano /data/lnd/password.txt
# Tighten access privileges and make the file readable only for user “lnd”
chmod 600 /data/lnd/password.txt
Create the LND configuration file and paste the following content below. Make sure to replace XXX.XXX.XXX.XXX
with your Reserved IP to externalip=
and change alias=
to your liking. Optional for watchtower support remove # from Watchtower
and wtclient.active=true
. more info at the Raspibolt WatchTower guide
nano /data/lnd/lnd.conf
# RaspiBolt: lnd configuration
# /data/lnd/lnd.conf
[Application Options]
alias=YOUR_FANCY_ALIAS
debuglevel=info
maxpendingchannels=5
listen=localhost
externalip=XXX.XX.XXX.XXX
maxbackoff=20s
# Password: automatically unlock wallet with the password in this file
# -- comment out to manually unlock wallet, and see RaspiBolt guide for more secure options
wallet-unlock-password-file=/data/lnd/password.txt
wallet-unlock-allow-create=true
# Automatically regenerate certificate when near expiration
tlsautorefresh=true
# Do not include the interface IPs or the system hostname in TLS certificate.
tlsdisableautofill=true
# Explicitly define any additional domain names for the certificate that will be created.
# tlsextradomain=raspibolt.local
# tlsextradomain=raspibolt.public.domainname.com
# Channel settings
bitcoin.basefee=1000
bitcoin.feerate=1
minchansize=100000
accept-keysend=true
accept-amp=true
#protocol.wumbo-channels=true
protocol.no-anchors=false
coop-close-target-confs=240
# Watchtower
#wtclient.active=true
# Performance
gc-canceled-invoices-on-startup=true
gc-canceled-invoices-on-the-fly=true
ignore-historical-gossip-filters=1
stagger-initial-reconnect=true
#routing.strictgraphpruning=true
#marks too many channels as zombie channels
# Database
[bolt]
db.bolt.auto-compact=true
db.bolt.auto-compact-min-age=168h
[Bitcoin]
bitcoin.active=1
bitcoin.mainnet=1
#bitcoin.node=bitcoind
bitcoin.node=neutrino
#[tor]
#tor.active=true
#tor.v3=true
#tor.streamisolation=true
# for hybrid
#tor.skip-proxy-for-clearnet-targets=true
[neutrino]
# Mainnet addpeers
neutrino.addpeer=btcd-mainnet.lightning.computer
neutrino.addpeer=mainnet1-btcd.zaphq.io
neutrino.addpeer=mainnet2-btcd.zaphq.io
neutrino.addpeer=lnd.bitrefill.com:18333
neutrino.addpeer=faucet.lightning.community
neutrino.feeurl=https://nodes.lightning.computer/fees/v1/btc-fee-estimates.json
neutrino.validatechannels=false
lnd
Open a second terminal and keep lnd running in the first terminal session running with lnd. Commands for the second session start with the prompt $2.
# $2
sudo su - lnd
You will enter the password that matches nano /data/lnd/password.txt
after `lncli create' then type “n”, enter, enter
# $2
lncli create
You will be given your seed. save in a safe and secure place.
---------------BEGIN LND CIPHER SEED---------------
- These 2. are 3. your 4. seed
- words 6. you 7. should 8. save
- them 10. somewhere 11. safe 12. especially
- if 14. your 15. are 16. going
- to 18. have 19. funds 20. on
- this 22. node 23. be 24. safe
---------------END LND CIPHER SEED-----------------
!!!YOU MUST WRITE DOWN THIS SEED TO BE ABLE TO RESTORE THE WALLET!!!
# Close out of second LND session
exit
Back in your first SSH session where LND is still running Stop LND with Ctrl-C. As user “lnd” check if the wallet is unlocked automatically.
lnd
You will see something like this near the top:
# [INF] LNWL: The wallet has been unlocked without a time limit
#[INF] CHRE: LightningWallet opened
Create LND systemd unit with the following content. Save and exit. Back to Joe user. Enter exit
if your still in user LND to get back to user joe.
sudo nano /etc/systemd/system/lnd.service
# RaspiBolt: systemd unit for lnd
# /etc/systemd/system/lnd.service
[Unit]
Description=LND Lightning Network Daemon
Wants=bitcoind.service
After=bitcoind.service
[Service]
# Service execution
###################
ExecStart=/usr/local/bin/lnd
ExecStop=/usr/local/bin/lncli stop
# Process management
####################
Type=simple
Restart=always
RestartSec=30
TimeoutSec=240
LimitNOFILE=128000
# Directory creation and permissions
####################################
User=lnd
# /run/lightningd
RuntimeDirectory=lightningd
RuntimeDirectoryMode=0710
# Hardening measures
####################
# Provide a private /tmp and /var/tmp.
PrivateTmp=true
# Mount /usr, /boot/ and /etc read-only for the process.
ProtectSystem=full
# Disallow the process and all of its children to gain
# new privileges through execve().
NoNewPrivileges=true
# Use a new /dev namespace only populated with API pseudo devices
# such as /dev/null, /dev/zero and /dev/random.
PrivateDevices=true
# Deny the creation of writable and executable memory mappings.
MemoryDenyWriteExecute=true
[Install]
WantedBy=multi-user.target
sudo systemctl enable lnd
sudo systemctl start lnd
systemctl status lnd
# make sure it shows enabled in green.
# reboot session
sudo reboot
# log back into your user
sudo su - joe
ln -s /data/lnd /home/joe/.lnd
sudo chmod -R g+X /data/lnd/data/
sudo chmod g+r /data/lnd/data/chain/bitcoin/mainnet/admin.macaroon
After your up and running for a couple minutes you should see a couple peers connect and and sync to chain with this command:
lncli getinfo
curl -sL https://deb.nodesource.com/setup_lts.x | sudo -E bash -
sudo apt-get install -y nodejs
sudo apt-get update
node -v
npm -v
You should be running node-> v18.15.0 and npm-> 9.6.3.
# Install Nosft repo:
git clone https://github.com/dannydeezy/nosft.git
cd nosft
npm install
# After running this command leave terminal running while using Nosft in your browser
npm run dev
While terminal is open and running, enter in your browser: your "Reserved_IP:3000"
Install Docker (for LNDG). Set up and install Docker Engine from Docker’s apt repository.
- Update the apt package index and install packages to allow apt to use a repository over HTTPS:
sudo apt-get update
sudo apt-get install \
ca-certificates \
curl \
gnupg
- Add Docker’s official GPG key:
sudo mkdir -m 0755 -p /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
- Use the following command to set up the repository:
echo \
"deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
"$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
Install Docker Engine
- Update the apt package index:
sudo apt-get update
- Install Docker Engine, containerd, and Docker Compose.
- To install the latest version, run:
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
- Verify that the Docker Engine installation is successful by running the hello-world image:
sudo docker run hello-world
sudo apt install docker-compose
# If you don't want to preface the docker command with sudo, create a Unix group called docker and add users to it. When the Docker daemon starts, it creates a Unix socket accessible by members of the docker group.
sudo groupadd docker
sudo usermod -aG docker $USER
newgrp docker
docker run hello-world
sudo apt install nginx
# Create a self-signed SSL/TLS certificate (valid for 10 years)
sudo openssl req -x509 -nodes -newkey rsa:4096 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt -subj "/CN=localhost" -days 3650
# NGINX is also a full webserver. To use it only as a reverse proxy, remove the default configuration and paste the following configuration into the nginx.conf file.
sudo mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
sudo nano /etc/nginx/nginx.conf
user www-data;
worker_processes 1;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
}
stream {
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 4h;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
include /etc/nginx/streams-enabled/*.conf;
}
# Create a new directory for future configuration files
sudo mkdir /etc/nginx/streams-enabled
Test this barebone NGINX configuration
sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
If you run into the unknown directive "stream" error, then you need to install the stream module first:
sudo apt install libnginx-mod-stream
# Install LNDg from repo using docker
git clone https://github.com/cryptosharks131/lndg.git
cd lndg
Copy and replace the contents (adjust custom volume paths and user "joe" to LND and LNDg folders) of the docker-compose.yaml with the below
nano docker-compose.yaml
services:
lndg:
build: .
volumes:
- /home/joe/.lnd:/root/.lnd:ro
- /home/joe/lndg/data:/lndg/data:rw
command:
- sh
- -c
- python initialize.py -net 'mainnet' -server '127.0.0.1:10009' -d && supervisord && python manage.py runserver 0.0.0.0:8889
network_mode: "host"
Deploy your docker image:
sudo docker-compose up -d
LNDg should now be available on port 8889 with your reserved ip at http://ReserveIP:8889
Open and copy the password from output file: ''' nano data/lndg-admin.txt ''' Use the password from the output file and the username '''lndg-admin''' to login
sudo docker-compose down
sudo docker-compose build --no-cache
sudo docker-compose up -d
## OPTIONAL: remove unused builds and objects
sudo docker system prune -f
Reminder to allow ufw firewall to port 8889 and allow traffic for your home IP
Prerequisite - Node V18+ Here
curl -sL https://deb.nodesource.com/setup_16.x | sudo -E bash -
sudo apt-get install -y nodejs
mkdir ~/.npm-global
npm config set prefix '~/.npm-global'
Update path and add new line to the end
nano ~/.profile
PATH="$HOME/.npm-global/bin:$PATH"
Save and exit (ctrl + x)
Update shell
. ~/.profile
Install Balance of Satoshi. This command can be used to upgrade it as well.
npm i -g balanceofsatoshis
Go to Telegram Start chat with @BotFather press /start /newbot
Decide A bot name NodeAliasNew Decide a bot user name for telegram BotName_bot
You will get a long alphanumeric API KEY for the bot, Note that. You can always retrieve it using /mybot
with BotFather
BotFather will give you a link to your new bot, click on it and it will take you to your bot.
Now come back to your node. On your SSH session run: bos telegram
at first prompt type API key (alpha numeric) received from BotFather.
In Telegram go to your bot by clicking on the link provided in BotFather. Then press Start. Type /connect. You will get a numeric key, type that numeric key on the second prompt in your ssh session with bos telegram.
You should get a connected message in your Telegram Bot as well as on SSH session.
Verify by typing /version in your telegram bot and you should see the version number of bos. If you have issues or have installed the telegram bot before you might have to remove the old api key in the by nano /home/joe/.bos/telegram_bot_api_key
To run Telegram bot in backgound login via ssh as user joe.
Change to the following directory: cd /etc/systemd/system/
create a so called unit-file: sudo touch bos-telegram.service
open file with: sudo nano bos-telegram.service
copy the following content into it, adding in your connection code and your user:
# /etc/systemd/system/bos-telegram.service
[Unit]
Description=bos-telegram
Wants=lnd.service
After=lnd.service
[Service]
ExecStart=/home/<your_user>/.npm-global/bin/bos telegram --use-small-units --connect <your_connection_code>
User=<your_user>
Restart=always
TimeoutSec=120
RestartSec=30
StandardOutput=null
StandardError=journal
[Install]
WantedBy=multi-user.target
Save file and then type the following command in the terminal: sudo systemctl enable bos-telegram.service
Reboot your node sudo reboot
Wait until your telegram bot shows the new connection to check whether the service is running properly you can type: sudo systemctl status bos-telegram.service
. For more Telegram commands check out Raspibolt guide for Telegram