Harden a VPS based Umbrel node


I recently installed a new node on a VPS (Ubuntu) and I’m currently attempting to make it secure. Unfortunately Docker overrides UFW rules, so all the ports are completely exposed, making my node login etc. available on clearnet.

How can I change this to make my node available only via Tor? And maybe the BTCpay Server via HTTPS?

UPDATE: Research suggests that this is a Docker problem and no easy fix exists, but maybe somebody has an idea https://degreesofzero.com/article/docker-and-firewalls.html
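The reason ufw rules appear to be ignored is that a published container port is DNAT'ed and forwarded to the container, so the packet never reaches the INPUT chain that ufw filters. Docker provides the DOCKER-USER chain in FORWARD for exactly this case: it is evaluated before Docker's own rules and Docker never rewrites it. The script below is an added example, not code from this thread or from the Umbrel project. It assumes the VPS's public interface is named in EXT_IF ("eth0" is a placeholder; check with `ip -o route get 1.1.1.1`), that Docker manages iptables (the default), and that IPv6 gets the same treatment via ip6tables if Docker has IPv6 enabled.

```shell
#!/bin/sh
# Added example; not code from the Umbrel project or from this thread.
# Keep Docker-published ports off the public interface using the DOCKER-USER
# chain. Docker evaluates DOCKER-USER before its own FORWARD rules and never
# rewrites it, so rules placed here survive container restarts. ufw's INPUT
# rules are bypassed because published ports are DNAT'ed into the container
# and forwarded; they are never delivered to INPUT.
# Assumption: EXT_IF is the VPS's public interface ("eth0" is a placeholder).

EXT_IF="${EXT_IF:-eth0}"

# Rule specifications in evaluation order, one per line.
docker_user_rules() {
    ext_if="$1"
    # 1. Replies to connections the containers opened themselves (Tor circuits,
    #    Bitcoin peers, package updates) come back in on the public interface
    #    and must be accepted, or every outbound connection breaks.
    printf '%s\n' "-i $ext_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # 2. Any other packet arriving on the public interface and forwarded to a
    #    container is dropped: web UI, LND REST/gRPC, BTCPay and the rest stay
    #    reachable only via loopback on the host and via the Tor hidden services,
    #    whose traffic rides the outbound circuits that rule 1 already allows.
    printf '%s\n' "-i $ext_if -j DROP"
}

# Dry run: print the iptables commands that apply_rules would execute.
# Explicit positions are used because an appended rule (-A) would land behind
# Docker's trailing RETURN and never be evaluated.
render_rules() {
    n=1
    docker_user_rules "$1" | while read -r spec; do
        printf 'iptables -I DOCKER-USER %s %s\n' "$n" "$spec"
        n=$((n + 1))
    done
}

# Install the rules idempotently: delete stale copies, then insert in order.
apply_rules() {
    n=1
    docker_user_rules "$EXT_IF" | while read -r spec; do
        # shellcheck disable=SC2086  # word-splitting of $spec is intended
        while iptables -D DOCKER-USER $spec 2>/dev/null; do :; done
        iptables -I DOCKER-USER "$n" $spec
        n=$((n + 1))
    done
}

case "${1:-}" in
    --apply) [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }; apply_rules ;;
    *)       render_rules "$EXT_IF" ;;   # default is the harmless dry run
esac
```

Run it without arguments to see the two rules, then with `--apply` as root. Host services such as SSH are unaffected, because they are delivered to INPUT and remain governed by ufw; only traffic forwarded into containers is dropped. Container-to-container traffic arrives on the bridge interface, not on EXT_IF, so the Tor daemon inside Umbrel can still reach the other apps and the hidden services keep working. iptables rules are lost at reboot; on Debian/Ubuntu the iptables-persistent package saves and restores them.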

My Umbrel is also on a Debian OS (not Ubuntu) and I manage the ufw rules myself.
I don’t know why you say that docker is exposing your login on clearnet. It’s not true.

But anyway your concept is flawed from the beginning. Just by running your node on a hosted server, you are already fully exposed. So if you are so paranoid about privacy, a VPS is not the place to keep your node. Umbrel was designed to be a personal server, in your home, in full control, not a virtual server. There are many other solutions for a remote node.

An Umbrel node, anyway, runs everything over Tor by default, so there are no ports open by default, unless you open them in your local machine’s ufw and forward the ports on your router (where your node is located).

If you just want a BTCpay server in clearnet, there’s NO need to use Umbrel for that. Just install a BTCpay server (even on a VPS) and use it in clearnet. Done. Don’t complicate things more than is necessary.

If you still want to use Umbrel for other apps + BTCPay server, then here is a solution for how to expose only the BTCPay app in Umbrel to clearnet.

I run this node on a VPS, because I want to use it for business purposes and my home internet is not nearly stable enough to do that.

The problem I have is simply that Umbrel per default exposes everything on the local network, which in the case of a VPS is of course problematic.

Normally using UFW or firewalld would be an easy fix, especially since, as you noted, everything is already using Tor. Only Docker does not play nice with the firewall and just overrides rules.

So the question I really have is whether there is either a guide on how to lock up all the Docker clearnet exposure with a firewall, or on how to stop Docker from exposing containers in the first place.

Basically I want Umbrel to be accessible via Tor only.

It will be easier to fix your home internet than to harden a VPS that is not in your control.

No, unfortunately, improving my infrastructure is not an option.

Constructive feedback on where to either find the documentation on how to best tame Docker to accept firewall rules or reconfigure the containers to not expose ports on clearnet would be appreciated.

Or if you say it is not doable (as the above link suggests), can anybody suggest a node deployment that is suited for use on a VPS?

Maybe you should look into something like Voltage, which can run a full node in the cloud. Then again, you are running a server on other people’s hardware. Your choice.

Thanks for the tip, but I prefer to run my code, even if for other reasons it’s not my own hardware.

For anybody else looking into this:
So far, I have identified that there appears to be no easy way. All docker-compose.yml files need to be rewritten, and probably many more config files, to make docker communicate purely on localhost and not broadcast freely on the LAN.

I think doing a build that isolates docker containers and drops inbound clearnet connections to any node ports is something that could interest many people, not only for VPS deployment, but also if you travel with your node and can’t trust the LAN, etc.

It’s clearly possible and could probably be implemented as a three way switch in the UI (e.g. Tor OFF-ON-ONLY).
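The compose-file rewrite mentioned above is mechanical for the short `ports:` syntax: `"HOST:CONTAINER"` publishes on 0.0.0.0, i.e. on every interface of the VPS, while `"127.0.0.1:HOST:CONTAINER"` keeps the port on loopback, where only the host itself and the Tor daemon on the same machine can reach it. The script below is an added example, not Umbrel's code or anything posted in this thread. It audits a compose file for mappings without a host IP and can rewrite them; it assumes only the short list syntax needs rewriting (long-syntax `- target:` entries are flagged for manual review) and that the apps reach each other over the compose network rather than through published host ports. The sample compose file it carries is constructed for the demonstration.

```shell
#!/bin/sh
# Added example; not code from the Umbrel project or from this thread.
# Audit (and optionally rewrite) the short-syntax `ports:` entries of a compose
# file so that nothing is published on 0.0.0.0. The sample below is constructed.

compose_ports() {
    mode="$1"   # "audit": list entries exposed on all interfaces; "fix": rewrite
    awk -v mode="$mode" '
    function depth(s) { return match(s, /[^ ]/) }   # column of first non-space
    /^[[:space:]]*$/ { if (mode == "fix") print; next }
    /^[[:space:]]*ports:[[:space:]]*$/ {
        inports = 1; indent = depth($0)
        if (mode == "fix") print
        next
    }
    inports && depth($0) <= indent { inports = 0 }   # back out of the list
    inports && /^[[:space:]]*-/ {
        item = $0
        sub(/^[[:space:]]*-[[:space:]]*/, "", item)        # strip the dash
        gsub(/["'\'']/, "", item)                            # strip quotes
        if (item ~ /^[a-z_]+:/) {                           # long syntax
            if (mode == "audit") print "check host_ip manually: " item
        } else {
            split(item, p, "/")                             # ignore "/udp"
            colons = gsub(/:/, ":", p[1])                   # count ":" in mapping
            # two colons or a bracketed IPv6 literal means a host IP is set
            if (colons < 2 && item !~ /^\[/) {
                if (mode == "fix" && item ~ /^[0-9]+:[0-9]+/) {
                    sub(/[0-9]+:[0-9]+/, "127.0.0.1:&")     # prefix loopback
                } else if (mode == "audit") {
                    print item   # includes bare "80" = random port on 0.0.0.0
                }
            }
        }
    }
    mode == "fix" { print }
    '
}

# Constructed sample: two exposed mappings, one already on loopback, one IPv6.
SAMPLE_COMPOSE='services:
  web:
    image: nginx
    ports:
      - "3000:3000"
      - 127.0.0.1:9735:9735
      - "8080:80/udp"
    environment:
      - FOO=bar:baz
  tor:
    image: tor
    ports:
      - "[::1]:9050:9050"
'

if [ "$#" -eq 2 ]; then
    compose_ports "$1" < "$2"      # e.g. compose_ports audit docker-compose.yml
else
    printf '%s' "$SAMPLE_COMPOSE" | compose_ports audit
fi
```

Running the script on the sample reports `3000:3000` and `8080:80/udp`; `compose_ports fix < docker-compose.yml > docker-compose.yml.new` writes the corrected copy for review before you swap it in. A daemon-wide alternative that avoids touching every compose file is `"ip": "127.0.0.1"` in /etc/docker/daemon.json, which changes the default bind address for all published ports; either way, re-run the audit after an Umbrel update, since app compose files may be regenerated.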