LND: Tor & Clearnet - How to setup hybrid-mode

Please stick to IPv4 port 9375 if you don’t have more than 1 node.
Why?
Umbrel manages LND via docker, and the docker image listens by default on 9375 in your system.
If you still need to go ahead, read further below.

The setting
externalhosts=ln.example.com:9736
is not sufficient, it would require you to adjust the docker-compose settings, too:
nano ~/umbrel/docker-compose.yaml

Search for the LND section, you will see the port setting 9735:9735. Change this to the corresponding port you set in your lnd.conf and restart the docker images, which is necessary for the docker service to pick up your changes:
sudo ~/umbrel/scripts/stop && sudo ~/umbrel/scripts/start.

You can watch the LND logfile right after the above command is fully executed, which takes some time:
tail -f ~/umbrel/lnd/logs/bitcoin/mainnet/lnd.log
Once LND is fully started, check lncli getinfo and docker ps and ensure that both the clearnet port and the LND docker entry are listening on the same port.

Once this is done, ask a peer to connect to your clearnet
lncli connect <YOURpubID@YOURclearnetIP:PORT>. If it responds with two empty brackets, your clearnet works, and Amboss will pick it up in a few minutes, too.

Note that this adjustment needs to be repeated each time Umbrel does an update, since they overwrite your docker-compose.yaml.

Hope this makes sense. Shout if stuck anywhere.

3 Likes
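A check for the consistency Hakuna asks for above (every URI that lncli getinfo advertises should be on a port that docker-compose.yaml actually publishes, and on an address peers can route to), as an added example that is not code from the original thread. The getinfo output, the pubkey and the compose port list are constructed samples.

```python
import ipaddress
import json
import re

# Constructed sample data, not a real node: placeholder pubkey, documentation-range
# addresses, made-up onion name, and the lnd service's `ports:` list from docker-compose.yaml.
PK = "02" + "ab" * 32
SAMPLE_GETINFO = json.dumps({"uris": [
    f"{PK}@[2001:db8:1::1e]:9735",               # IPv6 on the published port: fine
    f"{PK}@203.0.113.10:9736",                   # externalhosts moved to 9736, compose still maps 9735
    f"{PK}@[fe80::1]:9735",                      # a link-local (gateway-style) address in externalip
    f"{PK}@constructedonionaddress.onion:9735",  # Tor: served by the tor daemon, not the docker port
]})
SAMPLE_COMPOSE_PORTS = ["9735:9735"]

URI_RE = re.compile(r"^(?P<pk>[0-9a-f]{66})@(?:\[(?P<v6>[^\]]+)\]|(?P<host>[^:\[\]]+)):(?P<port>\d{1,5})$")

def parse_uri(uri):
    """Split pubkey@host:port; host may be bracketed IPv6, dotted IPv4 or a .onion name."""
    m = URI_RE.match(uri)
    if not m:
        raise ValueError(f"not a node URI: {uri}")
    return m.group("pk"), m.group("v6") or m.group("host"), int(m.group("port"))

def published_ports(compose_ports):
    """Host-side ports docker publishes from entries like '9735:9735', '0.0.0.0:9735:9735', '9735-9736:9735-9736'."""
    ports = set()
    for entry in compose_ports:
        parts = entry.split(":")
        if len(parts) < 2:          # bare container port: docker picks a random host port
            continue
        lo, _, hi = parts[-2].partition("-")   # host port (or range) sits before the container port
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def check_advertised(getinfo_json, compose_ports):
    """Per advertised URI return (host, verdict): 'ok', 'not-reachable' or 'port-not-published'."""
    open_ports = published_ports(compose_ports)
    verdicts = []
    for uri in json.loads(getinfo_json)["uris"]:
        _, host, port = parse_uri(uri)
        addr = None if host.endswith(".onion") else ipaddress.ip_address(host)
        if addr is None:
            verdict = "ok"                  # onion service forwards to LND's listen port internally
        elif addr.is_link_local or addr.is_loopback or addr.is_unspecified:
            verdict = "not-reachable"       # peers on the internet can never route to this
        elif port not in open_ports:
            verdict = "port-not-published"  # LND advertises a port docker never forwards
        else:
            verdict = "ok"
        verdicts.append((host, verdict))
    return verdicts
```

On a live Umbrel you would feed it the real output of lncli getinfo and the ports: entries of the LND service instead of the samples.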

Hey @Hakuna,

Thanks for the detailed answer. I think I need to make clear what exactly I want to achieve and why.

  1. the problem

Changing the fees, max HTLC or closing channels takes 2-3 days before every peer and amboss.space get the new values. Very frustrating.

  2. the proposal from @DarthCoin:

Go hybrid, then everything will be o.k. :wink: After finding the right local (German, that is) DynDNS service and opening the port 9735 in my router there is a new IPv4 clearnet address shown in amboss.space.

  3. the nice-to-have

To be even more visible on the LN network and to be prepared for the future I also wanted an IPv6 clearnet address for my node.

  4. what I need right now

If someone, who has both IPv4 and IPv6 running on his node, could make his configuration (ideally for the DynDNS version) available for the community that would be just great. :sunglasses:

1 Like

Sounds good.

Wrt the problem statement: Seems your node takes a long time propagating changes to the gossip network. That might be solved with clearnet, but I’m not sure. When Tor works, it should not take longer than 15 minutes. What might solve that: Find some well connected nodes (bcash, wallet of satoshi, c-otto or others) and add them as peers. That helps receiving and sending gossip updates more frequently.

I’ve also seen this happening to nodes with few channels. I know, easier said than done, but adding more channels helps speed things up, too.

on Hybrid

  • here is the original guide from Osito and myself. It’s also updated for achieving IPv6 listening. I can’t edit the guide here anymore, so need to deal with an external link.

  • fewer than 5% of nodes out there communicate over IPv6, I don’t think it’s a critical element, at least not now. But on the DynDNS list, the guide above provides a list of DynDNS providers. duckdns.org, my favorite one, doesn’t offer IPv6 DNS lookup

  • for the most sophisticated setup, you might consider adding your own VPS to allow VPN tunneling. The guide can be found here. This is more for rather serious node runners, who are in for the long and anonymous way. With this, adding your own domain name would also be possible, but not necessary, since you’ll have a static IP anyway

Hope this helps

Re slow gossip

Yes, my node is still quite small (32M / 11 ch) but I already have channels to some of the bigger nodes (c-otto, HODLmeTight, BohemialRhapsody) running. Adding the hybrid mode unfortunately didn’t speed up the communication. :frowning:

Re hybrid

This is where I am stuck:

It says "or" and not "and" in the tutorial. As @Aydo tried earlier (see above) it doesn’t work to just activate both listen commands.

I haven’t looked into the lnd code, and the documentation leaves some interpretation space open.

Since externalhosts is primarily used to manage a dynamic IP, I could speculate that your redundant entry of it above confuses LND. The output of lnd.logs when starting up would be interesting.

I have no vested interest in getting lnd running on IPv6, but would play around with these options:

lnd.conf

listen=0.0.0.0:9735
listen=[::]:9736
externalhosts=ln.example.com:9735

Given that dyn-DNS providers struggle with IPv6 resolution, and your IPv6 address doesn’t change when your ISP resets your connection (at least not that I’m aware of), I’d specify both ranges to let LND listen on them, and set externalhosts to allow for dynamic IPv4 > dns-domain translation.

Where I’m concerned is the docker service for LND: it’s listening as it was started via docker run, with -p mapping port 9735 only. If you want a range, you need to adjust the docker-compose.yaml file, otherwise LND will never answer on 9736, even when lncli getinfo reports a gossip with the new IPv6 address.

But seriously guys, not sure it’s worth the effort. I barely know one node (C-Otto) using IPv6 next to Tor and Clearnet, and he says he barely has any connection to IPv6.

You can certainly run both IPv6 and IPv4 at the same port. Just repeating the message, one of the biggest nodes worldwide has Tor, IPv4 and IPv6 and 0 connections to IPv6.

Let’s look at Carsten’s node:

  • 027ce055380348d7812d2ae7745701c9f93e70c1adeb2657f053f91df4f2843c71@157.90.112.145:9735
  • 027ce055380348d7812d2ae7745701c9f93e70c1adeb2657f053f91df4f2843c71@[2a01:4f8:c2c:e8a0::1]:9735
  • 027ce055380348d7812d2ae7745701c9f93e70c1adeb2657f053f91df4f2843c71@yi6ccghmivsydduxb2wnogyx2chz347bgu3kvqefea7rnhfi5iifqcyd.onion:9735

Here is how his lnd.conf probably looks:

externalip=157.90.112.145
externalip=2a01:4f8:c2c:e8a0::1
listen=157.90.112.145
listen=2a01:4f8:c2c:e8a0::1

Specifying the port helps to keep you sane, and Umbrel uses it in their sample conf, so no harm following the standard nomenclature.

Thank you for the example. I’m starting to think externalhosts might not be querying the AAAA record to obtain an IPv6 address. I’m certain it’s not my DNS provider as I use Cloudflare and can dig for A and AAAA records correctly.

More context is needed with the IPv6 addresses please. Is LND running in a docker container? The externalip address looks to be a gateway.

If LND is not running in a docker container then I believe the possible reason why the node is not seeing IPv6 connections is because externalip is a router/gateway address while the listen address is presumably the LND node. It’s set up for NAT, which makes sense in IPv4 but not in IPv6, since the machine has its own unique global address and is directly reachable without needing the router/gateway to NAT.

Interesting, I didn’t delve into it in detail, mentally closed the chapter of IPv6 for later to dig into.
FWIW, this is not my node, and I don’t have more details on what is publicly available.

But your assumption makes sense. The external IP can be ping6’ed and traceroute6’ed, while the listening address cannot be resolved. I don’t assume Carsten is running LND in Docker, and it’s a cloud service. I’ll ping him and see if he cares to adjust it.

Back to square one, what would be the right way to set this up, both external and listen IPv6 to be the same, no?

Edit: Actually, this is a copy and paste problem in my original post. Let me fix it, both external and listen are identical. Sorry @Aydo

Back to the original observation, I assume lnd doesn’t provide the lookup for IPv6, exactly for the reason you outlined. It’s for dyn-dns, which is not necessary, since you have a globally unique address anyway, and don’t need to dynamically update it, since it’s static.

I think it is time for Umbrel to make a quick update on that Tor 4.7.7
@lukechilds @mayank many umbrel users under full Tor are complaining about slow sync, offline channels, not updating changes in channels, also no routing at all.

I did some tests with a few Tor-only nodes and updated the Tor packages to 4.7.7, and it seems to be a good fix.

Seems that some nodes are still using the old version and maybe the protocol is excluding them, making them unreachable.
Indeed hybrid nodes are not heavily affected…
Be aware and act quickly. People are getting frustrated.

2 Likes

I got it working and it seems the issue was what I suspected earlier, LND is not querying the AAAA record to obtain an IPv6 address.

Here is my lnd.conf

listen=0.0.0.0
externalhosts=lnd.mydomain.com
externalip=2603:8000:xxxx:xxxx::1e

output of lncli getinfo

"uris": [
"029be4825c37225ac1404d2a02a8341c389552f9de2e658762ba1ded582d78bfa6@[2603:8000:xxxx:xxxx::1e]:9735",
"029be4825c37225ac1404d2a02a8341c389552f9de2e658762ba1ded582d78bfa6@x.x.x.x:9735",
"029be4825c37225ac1404d2a02a8341c389552f9de2e658762ba1ded582d78bfa6@<onion address>.onion:9735"
],

I used externalhosts to get my IPv4 address and used externalip to set the IPv6 address of the Pi running Umbrel. The options work fine together and a couple more observations below:

  1. It’s not necessary to set a port if using port 9735. IPv4, IPv6, and Tor addresses can use the same port
  2. Only necessary to set 0.0.0.0 or [::] (needs more testing to confirm IPv6 traversal)
2 Likes

Very good findings, thank you.
In case your node is behind a router, anything you think a new starter needs to know for IPv6 to work properly in the home setup?

I’m asking since sometimes home network router setups are fickle, some even don’t have IPv6 activated.

If your ISP has a native dual stack network then you shouldn’t have to set up anything for IPv6, maybe a couple of small settings. IPv6 is meant to be auto configured. You will see terms such as SLAAC or Stateless Address Auto Configuration, which is just what it sounds like. The router/gateway advertises its gateway address, typically a link-local address beginning with fe80::, a DNS address to use, and the prefix address (global routing address along with the subnet prefix). Clients use the RAs to configure IPv6 on their interfaces.

A lot of what you know about the way IPv4 works doesn’t apply to IPv6, mainly NAT. With IPv6, every device on the planet has a unique global address that can be addressed directly. For example, the IPv6 address above could be 2603:8000:3a2e:f100::1e, the first three octets, 2603:8000:3a2e are my ISP’s routing address, then the f100 is called the subnet prefix and is dependent on how many of those digits your ISP gives you and only you. My ISP gives me a /56 which means the last two digits or 00 in the f100 are mine to assign subnets with. That gives me 256 subnets to use if I wish. The remaining four octets or lesser /64 in the address is the client ID and is unique, that identifies the client.

Many clients will have more than one global IPv6 address, one is permanent on the subnet and is meant to be a stable address you can use to send traffic to the client. The second IPv6 address is a privacy extension address and is used by the client for outbound traffic. Clients will periodically generate a new privacy address, typically once a day and is meant for privacy so the client can’t be tracked easily by IPv6 address.

If you have a router that’s finicky to set up IPv6 on, I would recommend getting a better one. There’s no reason a router shouldn’t have perfect IPv6 support in 2022. Next, make sure it’s enabled and if it asks for a prefix length or something like that, start with /48; if it doesn’t work because the ISP just rejects the request then try /56, then finally /64, that’s the absolute minimum they should give you, which is enough for one subnet.

In Linux and Raspberry Pi in particular, you can disable the privacy extension setting and have it generate a client ID from its MAC address. That is changed in /etc/dhcpcd.conf: comment out "slaac private" and uncomment "slaac hwaddr". This way your Pi will use the same lesser /64 for all of its IPv6 addresses. That will keep the address the same, unless your ISP changes your IPv6 prefix (which they really shouldn’t), so you can set that in externalip.

Sorry for the essay and please ask if you want more information about anything.

4 Likes
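To make the prefix arithmetic and the "slaac hwaddr" part of the explanation above concrete, an added example (not code from the thread): it computes the stable EUI-64 address a Pi gets on a subnet of an ISP delegation and checks whether a given address is that stable one rather than a rotating privacy address, which is what matters before putting it into externalip. The /56 is the illustrative one from the post; the MAC is made up.

```python
import ipaddress

def eui64_interface_id(mac):
    """Modified EUI-64 interface ID from a 48-bit MAC: flip the U/L bit of the first byte and
    insert ff:fe in the middle. This is what dhcpcd's 'slaac hwaddr' derives the client ID from."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError(f"expected a 48-bit MAC, got {mac!r}")
    return int.from_bytes(bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:], "big")

def subnet_count(delegated_prefix):
    """Number of /64 subnets in an ISP delegation: a /56 gives 256, a /48 gives 65536, a /64 gives 1."""
    net = ipaddress.IPv6Network(delegated_prefix, strict=True)
    if net.prefixlen > 64:
        raise ValueError("delegation must be /64 or shorter")
    return 1 << (64 - net.prefixlen)

def stable_address(delegated_prefix, subnet_index, mac):
    """Address a host with this MAC gets on subnet <subnet_index> of the delegation."""
    net = ipaddress.IPv6Network(delegated_prefix, strict=True)
    if not 0 <= subnet_index < subnet_count(delegated_prefix):
        raise ValueError("subnet index outside the delegation")
    base = int(net.network_address) + (subnet_index << 64)   # pick the /64, keep the ISP prefix
    return ipaddress.IPv6Address(base + eui64_interface_id(mac))

def is_stable_for(addr, mac):
    """True if the low 64 bits are the EUI-64 of this MAC, i.e. the stable address and not a
    privacy-extension address that rotates daily; only the stable one belongs in externalip."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1) == eui64_interface_id(mac)

# Constructed sample: the illustrative /56 from the post above and a made-up Pi MAC.
DELEGATION = "2603:8000:3a2e:f100::/56"
PI_MAC = "b8:27:eb:12:34:56"
```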

@Aydo, you’re the best. :+1:

I followed your little tutorial and now there’s a new IPv6 address shown in amboss.space. :grinning: Nice!

To verify that my node is really answering if someone rings those clearnet bells, could someone please connect me as a peer using the following links:

IPv4
03e18892b70da265e79a0170825d358a4dfcbe93e15070a937959275e638bef503@85.215.86.53:9735

IPv6
03e18892b70da265e79a0170825d358a4dfcbe93e15070a937959275e638bef503@[2001:4dd0:af19:4a50:2e3a:fdff:fee8:3d89]:9735

Thank you!

1 Like

+1 on this. Just returned from some travelling and updated Umbrel, but everything is stuck in the dashboard, sounds like Umbrel is not reaching out and lightning can’t check balances.
Will try to update Tor by SSHing into it, thanks @DarthCoin
Really hope I can get out of this soon

The guide above is advising "Setting up a firewall is highly recommended."

Comments in other forums suggest that this is not necessary as on Umbrel everything runs in docker containers, e.g. "docker-compose.yml is a firewall for everything inside Docker."

What are you guys suggesting, is installing UFW on Umbrel necessary?

If your Umbrel is behind a router with a firewall then it’s not necessary to install a firewall on the machine running Umbrel. Just be careful with forwarding ports to your Umbrel, only forward the ports that are necessary for services you want to run and need those ports forwarded.

1 Like

@DarthCoin hey pro! How are you doing? I have a question, is it possible to open the node to clearnet through something like Cloudflare Tunnel? The objective is being safe.

I strongly suggest reading these articles in this order:



After a time using a shitty DynDNS provider I just recently went back to a Tor only connection. That completely broke my routing down to almost zero. So I decided to go hybrid again but this time using a proper VPS over VPN configuration.

This is what I have achieved so far:

  • rented a VPS with a static IP
  • installed, configured and started OpenVPN on the VPS
  • installed, configured and started ufw on the VPS
  • created a certificate
  • copied the files ta.key and client1.ovpn to my node

The next step is unclear to me:

Can I just install OpenVPN on my node (running on v0.4.17) or is this not allowed since OpenVPN is not (yet) officially included in the umbrel app store?

I only found tutorials for Raspiblitz and normal Linux installations…