About

This repository contains Docker Compose files for running a Bitcoin and/or a Monero node inside a container, including - if desired - VPN configuration (wireguard) to hide the IP address of the nodes.

NOTE: This was originally created for personal use. If something is unclear please let me know.

NOTE: Lightning node support coming soon.

[Diagram: Networking VPN Diagram]

Requirements

  • Docker Compose
  • For VPN configuration, either a commercial service or a custom VPS.

Docker Compose Files

This repo contains two Docker Compose files, depending on whether a VPN connection should be established or not.

By default, all the (persistent) data generated by bitcoind and monerod (and wireguard VPN) is saved to ./mounts. This includes blockchain data, states and other configuration files.

Option 1: Nodes without VPN

Configure

Copy the appropriate file (*.nodes-no-vpn.*) and give it a name:

$ cp docker-compose.nodes-no-vpn.yml my-setup.yml

Then open the file and adjust the CLI_ARGS environment variable according to your needs. Those arguments are passed directly to bitcoind and monerod, respectively; they are application specific and not documented here.

This is the only thing you need to adjust (marked "ADJUST"). You're free to change mount options, etc.

Firewall Configuration

Update the firewall rules accordingly:

# Bitcoin P2P port (TCP only)
$ sudo ufw allow in 8333/tcp
# Monero P2P port (TCP only)
$ sudo ufw allow in 18080/tcp

Execution

1. Run from CLI

To run the Docker Compose file:

  • Run a Bitcoin node only:
     $ docker compose -f my-setup.yml --profile bitcoin up
  • Run a Monero node only:
     $ docker compose -f my-setup.yml --profile monero up
  • Run both a Bitcoin and a Monero node:
     $ docker compose -f my-setup.yml --profile bitcoin --profile monero up

That's it, you're done. You might want to run this in tmux so you can detach and logout of the machine, for example. Alternatively, see Run in background (systemd)

2. Run in background (systemd)

TODO

Option 2: Nodes with VPN Setup

Configure

Copy the appropriate file (*.nodes-with-vpn.*) and give it a name:

$ cp docker-compose.nodes-with-vpn.yml my-setup.yml

Then open the file and adjust the CLI_ARGS environment variable according to your needs. Those arguments are passed directly to bitcoind and monerod, respectively; they are application specific and not documented here. The networking IP assignments should work out of the box, unless you already use the 10.50.0.0/24 subnet for other networks. If you change the subnet, change it consistently: the same addresses must appear in the VPN server configuration (the peer's AllowedIPs and the DNAT targets).

This is the only thing you need to adjust (marked "ADJUST"). You're free to change mount options, etc.

VPN Configuration

NOTE: You can use a commercial VPN service that supports wireguard for this setup; such services also generate the keys for you. However, you need the service to forward ports to your nodes, and commercial services usually choose the port numbers for you, leaving little flexibility. In that case configure the ports in the Docker Compose file to match the ports you were assigned.

Key generation

You need to generate a private/public keypair for both the client and the server, using the wg CLI tool. For example:

$ sudo apt install wireguard
$ wg genkey
YGBDCJe2FwuIE53VW7UnFKpenOnKAhhFlYm//4ufVHU=
$ echo 'YGBDCJe2FwuIE53VW7UnFKpenOnKAhhFlYm//4ufVHU=' | wg pubkey
OyBsjeFKQASaV14UX5SZWPaH0GC7z9G89fx3pmOX1xg=

(Do not use those example keys for your setup; generate your own. Run `umask 077` beforehand if you write the keys to files, so they are readable only by you, and avoid passing a private key on the command line as the `echo` above does, since it ends up in your shell history.)
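The derivation behind `wg pubkey`, as an added example that is not code from this repository: a pure-Python X25519 (RFC 7748) that turns a WireGuard private key into the public key `wg pubkey` prints, plus the 44-character/32-byte format check the README's example keys satisfy. The test vectors are RFC 7748's; `hex_to_wg` only re-encodes them in the base64 form wg uses. Use the real `wg` tool for production keys; this is here to show what the tool computes and to let you verify a key pair offline.

```python
"""What `wg pubkey` does: X25519 public-key derivation (RFC 7748) in pure Python.

Added example, not code from this repository. The public key is a deterministic
function of the private key, so only the public half ever needs to leave a host.
Test vectors are RFC 7748 section 6.1.
"""
import base64

P = 2 ** 255 - 19       # Curve25519 field prime
A24 = 121665            # (486662 - 2) / 4, the curve constant used by the ladder
BASE_U = 9              # u-coordinate of the generator

# RFC 7748 section 6.1 test vectors (hex of the little-endian 32-byte encodings).
RFC7748_ALICE_PRIV = "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a"
RFC7748_ALICE_PUB = "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
RFC7748_BOB_PRIV = "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb"
RFC7748_BOB_PUB = "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"
RFC7748_SHARED = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742"


def is_wg_key(text):
    """True if text is the base64 form of exactly 32 bytes, as every WireGuard key is."""
    try:
        return len(text) == 44 and len(base64.b64decode(text, validate=True)) == 32
    except (ValueError, TypeError):
        return False


def decode_key(text):
    if not is_wg_key(text):
        raise ValueError("WireGuard keys are 32 bytes, i.e. 44 base64 characters")
    return base64.b64decode(text)


def hex_to_wg(hexstr):
    """Re-encode an RFC 7748 hex vector the way wg(8) prints keys."""
    return base64.b64encode(bytes.fromhex(hexstr)).decode()


def clamp(priv):
    """RFC 7748 scalar clamping: clear the low 3 bits and bit 255, set bit 254."""
    b = bytearray(priv)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def x25519(scalar, u):
    """Montgomery ladder from RFC 7748 section 5; returns the u-coordinate of scalar*u."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (scalar >> t) & 1
        swap ^= kt
        if swap:                       # conditional swap (a real implementation does this in constant time)
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P     # z2^(p-2) is the inverse of z2 mod P


def wg_pubkey(private_b64):
    """Equivalent of `echo <private> | wg pubkey`."""
    u = x25519(clamp(decode_key(private_b64)), BASE_U)
    return base64.b64encode(u.to_bytes(32, "little")).decode()


def wg_shared(private_b64, peer_public_b64):
    """The X25519 shared secret both peers can compute; the Noise handshake builds on DH results like this."""
    peer_u = int.from_bytes(decode_key(peer_public_b64), "little") & ((1 << 255) - 1)
    u = x25519(clamp(decode_key(private_b64)), peer_u)
    return base64.b64encode(u.to_bytes(32, "little")).decode()
```

`wg_shared` is the reason the README can tell you to copy only public keys between client and server: each side combines its own private key with the other's public key and arrives at the same secret, so the private key never has to travel.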

Client Configuration

Copy the template file in ./mounts/wireguard/ to wg0.conf. The wireguard container mounts that directory and uses the configuration from it.

$ cp ./mounts/wireguard/wg0.conf.template ./mounts/wireguard/wg0.conf

Then adjust it accordingly:

# Client
[Interface]
PrivateKey = <PRIVATE-KEY>
Address = 10.50.0.50/32

# VPN Server
[Peer]
PublicKey = <PUBLIC-KEY>
AllowedIPs = 0.0.0.0/0
# Public VPN Endpoint
Endpoint = <IP-ADDRESS>:51820

Note that you do not need to open any ports on your client: everything is routed through the VPN, and the client initiates the VPN connection. If the client sits behind NAT, add PersistentKeepalive = 25 to the [Peer] section so the NAT mapping stays alive; otherwise the inbound peer connections the server forwards to your nodes can stop arriving once the mapping expires.

Server Configuration

On the remote VPN server, enable packet forwarding for IPv4 by opening the following file:

$ sudo vim /etc/sysctl.conf

Then set the following line to 1:

net.ipv4.ip_forward=1

Save, close and reload values:

$ sudo sysctl -p

Then create the server's config file in /etc/wireguard/wg0.conf. Depending on your configuration, you might need to update the internal IP addresses, ports, etc. Also check the network interface: your VPN server's interface to the internet might not be called eth0. Find the right name with:

$ ip link

The configuration file:

[Interface]
# ADJUST: Make sure this matches the `Endpoint` in the client's `wg0.conf`.
ListenPort = 51820
PrivateKey = <PRIVATE-KEY>
#
# Allow forwarding from the VPN network (to the internet)
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
# Enable NAT/masquerading when accessing internet
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Allow forwarding from the internet (to the VPN network)
PostUp = iptables -A FORWARD -i eth0 -j ACCEPT
#
# Forward ports to clients
# Bitcoin:
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8333 -j DNAT --to-destination 10.50.0.20:8333
# Monero:
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 18080 -j DNAT --to-destination 10.50.0.22:18080
#
## DROP rules, just the reverse of the above
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i eth0 -j ACCEPT
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 8333 -j DNAT --to-destination 10.50.0.20:8333
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 18080 -j DNAT --to-destination 10.50.0.22:18080

# Client (Docker Compose)
[Peer]
PublicKey = <PUBLIC-KEY>
AllowedIPs = 10.50.0.0/24

Then update the server's firewall rules accordingly (WireGuard listens on UDP; the two P2P ports are TCP). ufw sets the FORWARD chain policy to DROP, and the PostUp rules above are appended with `-A`, i.e. behind ufw's own chains, so after bringing the tunnel up verify with `sudo iptables -S FORWARD` and `sudo iptables -t nat -S` that they are in place. Be aware that the `-A FORWARD -i eth0 -j ACCEPT` rule forwards any traffic arriving on eth0 whose destination routes into the tunnel, not only the two DNAT'd ports; restrict it to those ports plus RELATED,ESTABLISHED if you want the server to expose nothing else.

# VPN port (UDP)
$ sudo ufw allow in 51820/udp
# Bitcoin port
$ sudo ufw allow in 8333/tcp
# Monero port
$ sudo ufw allow in 18080/tcp

Now start the wireguard VPN:

$ sudo wg-quick up wg0
# Enable on startup:
$ sudo systemctl enable wg-quick@wg0.service
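A consistency check for the two files, as an added example that is not part of this repository: it parses the client and server wg0.conf and reports the mismatches the README tells you to watch for by hand (Endpoint port vs. ListenPort, client Address vs. the server's AllowedIPs, DNAT targets outside the tunnel subnet, PostUp rules without a PostDown twin). The sample configurations are constructed from the README templates with placeholder keys and the documentation address 203.0.113.10; `check_configs` returns an empty list when the pair agrees.

```python
"""Cross-check the client wg0.conf against the server wg0.conf.

Added example, not code from this repository. Sample configs are constructed
from the README's templates with placeholder keys.
"""
import ipaddress
import re
import shlex

CLIENT_CONF = """\
[Interface]
PrivateKey = <CLIENT-PRIVATE-KEY>
Address = 10.50.0.50/32

[Peer]
PublicKey = <SERVER-PUBLIC-KEY>
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820
"""

SERVER_CONF = """\
[Interface]
ListenPort = 51820
PrivateKey = <SERVER-PRIVATE-KEY>
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = iptables -A FORWARD -i eth0 -j ACCEPT
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8333 -j DNAT --to-destination 10.50.0.20:8333
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 18080 -j DNAT --to-destination 10.50.0.22:18080
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i eth0 -j ACCEPT
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 8333 -j DNAT --to-destination 10.50.0.20:8333
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 18080 -j DNAT --to-destination 10.50.0.22:18080

[Peer]
PublicKey = <CLIENT-PUBLIC-KEY>
AllowedIPs = 10.50.0.0/24
"""

# Constructed broken variants: wrong Endpoint port plus an Address outside the tunnel subnet,
# and a server file whose Monero DNAT rule is never removed on PostDown.
BAD_CLIENT_CONF = CLIENT_CONF.replace(":51820", ":51821").replace("10.50.0.50/32", "10.60.0.50/32")
SERVER_CONF_MISSING_DOWN = "\n".join(
    l for l in SERVER_CONF.splitlines() if not (l.startswith("PostDown") and "18080" in l)) + "\n"

DNAT_RE = re.compile(r"--to-destination\s+(\d+\.\d+\.\d+\.\d+)")


def parse_wg_conf(text):
    """Return [(section, {key: [values]})]. PostUp/PostDown repeat and [Peer] may appear
    several times, which is why configparser is not used."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
            continue
        key, sep, value = line.partition("=")         # first '=' only: base64 keys end in '='
        if not sections or not sep:
            raise ValueError(f"malformed line: {raw!r}")
        sections[-1][1].setdefault(key.strip(), []).append(value.strip())
    return sections


def _sections(conf, name):
    return [kv for n, kv in conf if n == name]


def _networks(values):
    return [ipaddress.ip_network(p.strip(), strict=False) for v in values for p in v.split(",")]


def _normalize_rule(rule):
    """Tokenize an iptables command, mapping -A/-I to -D so PostUp and PostDown compare equal."""
    return tuple("-D" if t in ("-A", "-I") else t for t in shlex.split(rule.rstrip(";")))


def check_configs(client_text, server_text):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    client, server = parse_wg_conf(client_text), parse_wg_conf(server_text)
    c_if, s_if = _sections(client, "Interface")[0], _sections(server, "Interface")[0]
    c_peer = _sections(client, "Peer")[0]
    # 1. The client's Endpoint port must be the server's ListenPort.
    endpoint_port = int(c_peer["Endpoint"][0].rsplit(":", 1)[1])
    listen_port = int(s_if["ListenPort"][0])
    if endpoint_port != listen_port:
        findings.append(f"client Endpoint port {endpoint_port} != server ListenPort {listen_port}")
    # 2. The server routes only AllowedIPs into the tunnel, so the client Address must lie inside.
    allowed = [n for p in _sections(server, "Peer") for n in _networks(p["AllowedIPs"])]
    for addr in _networks(c_if["Address"]):
        if not any(addr.subnet_of(n) for n in allowed):
            findings.append(f"client Address {addr} is outside server AllowedIPs {[str(n) for n in allowed]}")
    # 3. DNAT targets (the compose containers) must lie inside AllowedIPs too, or the
    #    forwarded packets never enter wg0.
    for rule in s_if.get("PostUp", []):
        for m in DNAT_RE.finditer(rule):
            target = ipaddress.ip_address(m.group(1))
            if not any(target in n for n in allowed):
                findings.append(f"DNAT target {target} is outside server AllowedIPs")
    # 4. Every PostUp -A/-I rule needs a PostDown -D twin, or rules accumulate across restarts.
    up = {_normalize_rule(r) for r in s_if.get("PostUp", [])}
    down = {_normalize_rule(r) for r in s_if.get("PostDown", [])}
    findings += ["PostUp rule without matching PostDown: " + " ".join(r) for r in sorted(up - down)]
    findings += ["PostDown rule without matching PostUp: " + " ".join(r) for r in sorted(down - up)]
    return findings
```

Run it before `wg-quick up`: an `iptables -A` rule that lacks a PostDown survives `wg-quick down` and is added again on every restart, which is what check 4 catches. It does not replace looking at `ip link`; the interface name in the rules is whatever you typed.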

Execution

Same commands as for the non-VPN setup.