Tor & Clearnet parallel setup (hybrid) for your umbrel with LND 14.1

Hey there,

since the update of LND to 0.14.0, you can set up your node to work in hybrid mode, e.g. being accessible and connecting via Tor and Clearnet at the same time (LND 14 Release Notes).

So per documentation, it’s adding this line to the Section [Tor] in lnd.conf


I’m also quite confident you’d need to either set

to allow your node to advertise your external ID to gossip, otherwise the network doesn’t know about your clearnet option.
However, I’m wondering what else is necessary, can’t believe the above suffices. What else is missing? If nat doesn’t work, shouldn’t we set port-forwarding at your router for 9375? How to validate if the clearnet IP is working?

Would be good to get a conversation started amongst us folks who are getting more and more nervous about Tor stability and don’t need to be afraid of having our clearnet IP out there. For the record, it’s still more advisable to use Tor only if you can.

externalip= is enough if you just want to advertise your node in both networks.
Yes, you need to fw the 9735 port on your router to the static internal IP of your node.
Don’t forget also to open 9735 in ufw (your node machine).
Keep in mind: this works only if you have a static public IP (not dynamic like many home connections). Otherwise you will need to use a dyndns service or something, but still your IP will be changed and all the time you need to update it in lnd.conf.

I used only this for a while (no need for lnd v.14, it works with any version), but then I disabled it. Was just a test. Works nice.
This is only to make your node “visible”, not to sync. Sync will still be on Tor.

Thanks DC.

I’ll try with the following two settings and check if umbrel-OS can identify my external IP automatically.
Will report back here if that works and whether this improves relaying routing quicker, too. Currently my node has a 2.4s response time, my hope is to get this < 1s via clearnet.

[Application Options]

Update here for others to replicate. Hope those steps are helping you.
I can confirm

  • my Node is available via Tor & Clearnet now. Read below what’s necessary to set
  • nat=true didn’t work for me. My node is connected via a bridged router to the ISP cable modem, so UPnP wasn’t successful
  • setting externalip= and keeping nat=true causes LND to repeatedly restart. You have to set either / or.
  • uncommenting #nat=true loaded LND fine => cd umbrel && docker-compose restart lnd
  • keeping an eye on the LND log when restarting helped identify issues: tail -f ~/umbrel/lnd/logs/bitcoin/mainnet/lnd.log
  • lncli getinfo responds with both uris quickly, so gossip spreads the news, and sites like Amboss, Terminal Web and app-router updated quite quickly, that my node is available in clearnet
"uris": [

I haven’t made my watchtower available via clearnet yet, and it’s not a high priority. Next step likely to check how the next channel opening of a clearnet-only node to my node is working (before, I always had to add them as a peer before).

Secondly, I’d like to work on a DNS relay

tlsautorefresh=1
tlsdisableautofill=1

which is likely something to work on later this month, for the holiday time.
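
An added example, not part of the original posts: a Python check for the two points reported above, that nat=true and externalip= must not both be active in lnd.conf, and that the output of lncli getinfo should list both an onion and a clearnet URI. The function names, the placeholder pubkey, the onion host and the 203.0.113.10 address are constructed for illustration.

```python
import json

def parse_conf(text):
    """Return (section, key, value) triples for active (uncommented) lnd.conf lines."""
    section, entries = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or commented-out option such as "#nat=true"
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line:
            key, value = line.split("=", 1)
            entries.append((section, key.strip().lower(), value.strip()))
    return entries

def conf_issues(text):
    """Flag the combination the thread reports as making LND restart repeatedly."""
    entries = parse_conf(text)
    nat = any(k == "nat" and v.lower() in ("true", "1") for _, k, v in entries)
    ext = [v for _, k, v in entries if k == "externalip" and v]
    issues = []
    if nat and ext:
        issues.append("nat=true and externalip= are both active; set one or the other")
    return issues

def classify_uris(getinfo_json):
    """Split the 'uris' array of `lncli getinfo` output into onion and clearnet entries."""
    result = {"onion": [], "clearnet": []}
    for uri in json.loads(getinfo_json).get("uris", []):
        # URI shape: <pubkey>@<host>:<port>; IPv6 hosts are bracketed.
        host = uri.split("@", 1)[-1].rsplit(":", 1)[0]
        result["onion" if host.endswith(".onion") else "clearnet"].append(uri)
    return result

def is_hybrid(getinfo_json):
    """True only when the node advertises at least one URI of each kind."""
    uris = classify_uris(getinfo_json)
    return bool(uris["onion"]) and bool(uris["clearnet"])

# Constructed sample data: placeholder pubkey, documentation-range IP, made-up onion host.
PUBKEY = "02" + "ab" * 32
SAMPLE_GETINFO = json.dumps({"uris": [
    f"{PUBKEY}@203.0.113.10:9735",
    f"{PUBKEY}@constructedexampleonionaddress.onion:9735",
]})
BAD_CONF = "[Application Options]\nnat=true\nexternalip=203.0.113.10:9735\n"
GOOD_CONF = "[Application Options]\n#nat=true\nexternalip=203.0.113.10:9735\n"

if __name__ == "__main__":
    print(conf_issues(BAD_CONF), conf_issues(GOOD_CONF), is_hybrid(SAMPLE_GETINFO))
```

To run it against a real node, pass the contents of lnd.conf to conf_issues() and the JSON printed by lncli getinfo to is_hybrid().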

Sharing a guide we’ve put together, in case you want to set up your node with Hybrid Mode as well. I have now two nodes running in Hybrid Mode, one Umbrel and one Raspiblitz, where the latter is running with a Domain Name instead of an IP.

Next step for me is a VPN Setup to allow for regaining some anonymity. Raspiblitz plans to implement this in their 1.8 release. Might require some manual implementation for Umbrel, guides how to achieve this already are posted below.

Let me know how these are working out for you


Where is config in Umbrel node, where I can open port for lnd?

ufw is not installed by default and last time I probably blocked ssh port by mistake.

Usually you don’t need to open any port on your umbrel or router.
On Umbrel all traffic by default is on Tor.
But if you really want to open yes, you need to install ufw.


Wondering if all of the instructions are sufficient in …

  • other nodes connecting to my node?
  • creating channels with my node?
  • routing transactions through my node?

Are transactions still going to route through my node over TOR by default? Or do other nodes essentially opt to take a faster route through clearnet if they choose to?

Depends on the node OS you’re running.
LND has the following sequence, considering your node is connected via all three protocol levels:

  1. IPv4
  2. Tor
  3. IPv6

So for peer (re-)connection, channel opening and payment / HTLCs, it’ll always follow your gossip’ed 1), then 2), and lastly 3). That’s both ways, your node to others, and others to you (in case they are LND; Eclair and CLN might have a different approach).