Also, if you’re looking for a fully managed node VPN offering exactly your solution, DM me. We’re about to launch the beta, with automated setup for umbrel new and old (and many other node setups)
For anyone who wants to have a go at building your own VPN, I’ve just launched an LNBits & Wireguard & NodeAtHome Guide. You can strip out the LNBits part if you just want your node to connect to your VPS.
If the above scares you, we’ve launched Tunnel Sats in July as a secure, automated and anonymous VPN Solution for Node Runners
Hi @Hakuna thanks for the tutorial, it’s great. I followed it and it works fine apparently. However I had to use a domain name due to the risk of changing IP (even if in practice it happens not so often). I used a domain name to redirect (like in your example ln.example.com), it works and I can open a channel with this URL, but in Umbrel it’s always giving the QR code for the node IP and same on Amboss, it advertises my IP and not my domain. Is there a way to force the domain over the IP? What will happen if my IP changes for a channel opened with the IP that is now old?
Great that it’s working for you.
Note that for LND, the externalhosts setting will always resolve to the IP, since the gossip layer network of LN works on an IP basis. You won’t see domain names in the gossip traffic, hence Amboss / 1ML and such won’t be able to show domains for your node.
Now you’re concerned what if the IP changes, will my peers disconnect?
LND does update and resolve quite often, so that as soon as your IP changes at home, your LND client resolves to the new IP and gossips this change to the network. Your direct peers will get this update directly from you, and in case one of them misses it, it’ll ask the LND gossipSyncer and will retrieve it for you.
So this is all “best case”, and there might be hiccups. But we use domain names for our VPN service Tunnelsats, and it works very reliably. We do see some challenges with CLN, since it only does DNS resolve ~1 / day, but so far we got this under control.
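Added example, not part of the thread and not LND's own code: a small check for the situation discussed above, comparing the clearnet addresses a node advertises (the `uris` field of `lncli getinfo`) with what the DDNS name currently resolves to. The sample JSON, the pubkey, the onion name and the helper names are constructed for illustration; `ln.example.com` and port 9735 are the values used in the thread.

```python
import ipaddress
import json
import socket

# Constructed sample of `lncli getinfo` output, trimmed to the fields used here.
PUBKEY = "02" + "ab" * 32
SAMPLE_GETINFO = json.dumps({
    "identity_pubkey": PUBKEY,
    "uris": [
        PUBKEY + "@203.0.113.10:9735",
        PUBKEY + "@constructedplaceholder.onion:9735",
    ],
})

def split_uri(uri):
    """Split 'pubkey@host:port' into (host, port); handles bracketed IPv6."""
    hostport = uri.split("@", 1)[1]
    host, _, port = hostport.rpartition(":")
    return host.strip("[]"), int(port)

def clearnet_addrs(getinfo_json):
    """Return (ip, port) pairs the node advertises, skipping .onion hosts."""
    out = []
    for uri in json.loads(getinfo_json).get("uris", []):
        host, port = split_uri(uri)
        if host.endswith(".onion"):
            continue
        # Per the thread, LND gossips the resolved IP, never the domain name.
        out.append((ipaddress.ip_address(host), port))
    return out

def resolve(hostname):
    """Current A/AAAA records for the DDNS name (needs network access)."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return {ipaddress.ip_address(info[4][0]) for info in infos}

def stale_addrs(getinfo_json, resolved_ips, expected_port=9735):
    """Advertised addresses that no longer match DNS or the forwarded port."""
    resolved = {ipaddress.ip_address(str(ip)) for ip in resolved_ips}
    return [
        f"{ip}:{port}"
        for ip, port in clearnet_addrs(getinfo_json)
        if ip not in resolved or port != expected_port
    ]

if __name__ == "__main__":
    # Offline demo with constructed values: DNS moved to .20, node still says .10.
    print(stale_addrs(SAMPLE_GETINFO, ["203.0.113.20"]))
```

On a live node, pass the real `lncli getinfo` output and `resolve("ln.example.com")` instead of the constructed values; an empty list means the advertised address and the DNS record agree.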
Thanks for all the details. Sounds great, hopefully I should not have my IP changing too often, from experience a couple of times per year if an incident on the line or a change in the modem happens. Also, when I can I will advertise my peer to use the Onion if possible, so it should be fine.
My purpose to switch to hybrid is to try to resolve an issue with LNbits, BTCPay Server and lndhub in clearnet but it looks like it was not the cause of the problem. I will have to investigate further.
It would be super helpful to include the file locations of the Tor config and “Application Options” config files.
(or were these locations intentionally left out to limit use to experienced people)
Nope, not necessary, since umbrel doesn’t have a firewall.
But you need to forward 9735 / TCP as incoming port on your router, and forward it to your node internal IP address. Here is a guide in case you need some help.
https://ping.eu/port-chk/ confirms port is open.
Bitcoin working.
Yet LND does not seem to be starting.
Troubleshoot indicates: “wallet locked, unlock it to enable full RPC access”
Could the new update to Bitcoin Node Version 24.0.1-2 affect this hybrid-mode setting?
I’m hesitating to update because I’m not sure if the new feature “Advanced setting” around tor/clearnet may destroy the setting.
Good question actually. I don’t know what happens to your lnd.conf if you adjust the new advanced settings. I think you’ll be safe to update and just don’t adjust anything.
Updating bitcoin-core to v24 shouldn’t make any difference, since hybrid is an LN specific thing, not related to bitcoind.
Perhaps others are reckless enough to just test what the new clearnet / tor setting does. Or look into the code. I don’t have an umbrel anymore, sry
I have a problem with the hybrid. When I write to the lnd.conf file on reboot the node is cleared and only connects via tor.
I used to do the same thing with a raspi and it worked fine, but it doesn’t accept it on the minipc.
Greetings.
I’m trying to use another node on my network.
Node (A) has port 9735 and is visible to the outside in hybrid mode.
Node (B) has port 9734 but I can’t get it to be in hybrid mode.
Both ports are defined in portforwarding on my router.
Is there any configuration file within Umbrel that continues to force 9735 and that can be changed?
Thanks.
There might be something in the docker-compose.yaml defining the port for the LND docker container.
You could check the port details with `sudo docker ps`, copy the container.ID of lnd_lightning_1, then `sudo docker inspect container.ID`
and look for the port. If you find the 9735, you may alter it with the yaml file outlined above, but since I’m out of the umbrel game for a long time already, probably someone else can chime in…
Thanks for the reply.
I followed your instructions and was able to see the contents of the container.ID but unfortunately I can’t find the file “docker-compose.yaml” to change it.
I can only see …yml but this way I can’t find anything I can change and it doesn’t make any reference to port 9735
It was solved…
After a long period of reflection, I realized that there have been changes in Umbrel as of version 0.5.
The default setting of the listening port 9735 is now in the file
“umbrel/app-data/lightning/exports.sh”
Here it can be edited and changed in accordance with what is defined in lnd.conf :
Dynamic IP - DDNS:

```
[Application Options]
# specify an interface (IPv4/IPv6) and port (default 9735) to listen on
# listen on IPv4 interface or listen=[::1]:9736 on IPv6 interface
listen=0.0.0.0:9735
# listen=[::1]:9736
externalhosts=ln.example.com:9735
```