Setting up hybrid-mode - my experiences

To set up hybrid-mode I started following this guide:

This guide is well written and should be easy enough to follow. Nonetheless it took me quite a while to make hybrid-mode work. The hardest part for me was to get Dynamic DNS working because I had difficulties understanding the concept. Port forwarding was also quite time consuming. That’s why I decided to summarize the detailed steps that worked for me. Maybe it is helpful for other plebs.

1. Firewall ufw install and activate

Here is an easy-to-follow guide:

Note: it is important to allow SSH before you enable ufw! On my first attempt following this guide I managed to block myself, and I had to reflash my SD-card to get access to my node via SSH again.

With user “admin”, configure and enable the firewall rules:

sudo apt install ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow SSH
sudo ufw logging off
sudo ufw enable
sudo ufw status

Make sure that ufw is started automatically on boot:

sudo systemctl enable ufw

Note: I got an error here, but later I recognized that ufw starts automatically anyway.

Check Existing App Rules

To see a list of the applications where the firewall has rules, use:

sudo ufw app list

You can check for the ports that are open for those rules with:

sudo ufw app info SSH


LND needs port 9735 open, so we add it to the list:

sudo ufw allow 9735
sudo ufw enable
umbrel@umbrel:~ $ sudo ufw status
Status: active

To Action From
-- ------ ----
SSH ALLOW Anywhere
9735 ALLOW Anywhere
SSH (v6) ALLOW Anywhere (v6)
9735 (v6) ALLOW Anywhere (v6)

2. Create a router forwarding rule for port 9735

Here is a German guide I followed:

the video:

and here is an English guide:!box/how-to-set-up-a-port-forwarding-on-a-fritzbox.html

These are the settings that finally worked with my Technicolor router:

Gateway > Advanced > Forwarding > Create IPv4:


Note: it took me some time to figure out what to put in the external IP address field. Obviously, it is not your own external IP address but all incoming (

Check if port 9735 is open using a service: or

3. Configure Dynamic DNS (DDNS)

Dynamic DNS (DDNS) is a method of automatically updating a name server in the Domain Name System (DNS), often in real time, with the active DDNS configuration of its configured hostnames, addresses or other information. (src)

(A nice description, but unfortunately not at all understandable for non-IT professionals)

Since my router offers several managed DDNS providers I decided to go that way and chose

Router > Gateway > Network > DDNS:

It took me a while to grasp the concept of dynamic DNS, e.g. how does the service provider keep knowing my IP address once I have left the web site? What I finally understood is this:

When you register with (or similar services) you get either a token or a username/password, and you can now register a subdomain. Once your router is properly configured with a DDNS service, the router actively informs the DDNS service provider when the IP address changes.

By adding the line to your lnd.conf, the lightning node now gets the IP address from the service provider. Remember to replace with the registered host name and the service of your choice.

Please comment if this explanation is not correct or incomplete.

The last step is to update lnd.conf accordingly.

First things first → back up your lnd.conf before making any changes!

[Application Options]
# set the registered DDNS domain

# deactivate streamisolation for hybrid-mode
# activate hybrid connectivity

After restarting LND, it is now offering two addresses (URIs). These can be verified either by calling lncli getinfo:

"uris": [

You can also check with whether the new address is shown next to the Tor address:

The new address shown here does not mean that it is working. We still need to check the functionality.

Check functionality

I am sure the lightning experts know a lot of ways to check the functionality of a clearnet IP address. You can ask a fellow pleb to run lncli connect from his or her node.

This is the response when the connection was successful:

*$ lncli connect <my pubkey>*


And this is the response when the connection failed:

*$ lncli connect <my pubkey>*

*[lncli] rpc error: code = Unknown desc = dial proxy failed: dial tcp i/o timeout*

In case it fails on the first attempt, don’t worry and double-check all the steps again :blush:

1 Like
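As an added example (not part of the original post and not lnd's own code), a small Python check for the lncli getinfo output described above: it confirms that exactly one .onion URI and one clearnet URI are announced, that both carry the node's identity pubkey, that the clearnet host is the registered DDNS name rather than a raw IP that would go stale, and that the port is 9735. The hostname, pubkey and onion address in the sample are constructed placeholders; the optional tcp_reachable helper only says something useful when run from outside your own network, like the fellow pleb's lncli connect.

```python
"""Sanity-check the URIs lnd announces after enabling hybrid mode."""
import json
import re
import socket

# A compressed secp256k1 pubkey: 02/03 prefix plus 64 hex chars.
PUBKEY_RE = re.compile(r"^0[23][0-9a-f]{64}$")


def parse_uri(uri):
    """Split 'pubkey@host:port' into (pubkey, host, port); host may be an onion name."""
    pubkey, _, hostport = uri.partition("@")
    host, _, port = hostport.rpartition(":")
    return pubkey, host, int(port)


def check_hybrid_uris(getinfo_json, ddns_host, port=9735):
    """Return named pass/fail checks for the 'uris' list of lncli getinfo."""
    info = json.loads(getinfo_json)
    parsed = [parse_uri(u) for u in info.get("uris", [])]
    tor = [p for p in parsed if p[1].endswith(".onion")]
    clear = [p for p in parsed if not p[1].endswith(".onion")]
    return {
        "two_uris": len(parsed) == 2,
        "pubkeys_match": all(
            p[0] == info["identity_pubkey"] and PUBKEY_RE.match(p[0]) for p in parsed
        ),
        "has_tor": len(tor) == 1,
        "has_clearnet": len(clear) == 1,
        # The announced clearnet host should be the DDNS name, not a raw IP.
        "clearnet_is_ddns_name": bool(clear) and clear[0][1] == ddns_host,
        "clearnet_port": bool(clear) and clear[0][2] == port,
    }


def tcp_reachable(host, port=9735, timeout=5.0):
    """Live check: can a TCP connection be opened to host:port? Run it from outside
    your LAN; from inside, the router's NAT may make the result meaningless."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample output: placeholder pubkey, DDNS name and onion address.
PLACEHOLDER_PUBKEY = "02" + "ab" * 32
SAMPLE_GETINFO = json.dumps({
    "identity_pubkey": PLACEHOLDER_PUBKEY,
    "uris": [
        PLACEHOLDER_PUBKEY + "@" + "a" * 56 + ".onion:9735",
        PLACEHOLDER_PUBKEY + "@mynode.example.com:9735",
    ],
})

if __name__ == "__main__":
    for name, ok in check_hybrid_uris(SAMPLE_GETINFO, "mynode.example.com").items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

On a real node, feed it `lncli getinfo` output and the host name you registered with your DDNS provider; a FAIL on has_clearnet means lnd is still announcing only the Tor address.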

@thool thanks for this great primer – two questions…

  1. Can you clarify the convention using “externalhosts=”? The text says one thing ( and the sample code is different (

  2. If my new DNS is, do I just use

Thanks!! S.