Hi fellow LN node runners and other aficionados,
I've run a very well-connected and highly-ranked LN node in the past. Due to some technical problems, I had to shut it down. This node was not anon, i.e. it was linked to my Twitter profile, I promoted it in the Plebnet Telegram groups, etc.
I am thinking of coming back online. At this point, I am still hesitating between going fully anon or basically restarting the previous node and leveraging my old contacts.
For the sake of this post, I'd like to get your recommendations, best practices, links to guides on how to run a fully anon node, i.e. I can run it but no one can ever link it to my real world identity, and it cannot be shut down by any regulatory agency in the future. Based on these recommendations, I'll form my opinion on whether this is a feasible goal.
I'd like to know what to do from start to end.
  • Which implementation to use? I liked my previous experience using LND so implementation doesn't matter, that's what I'd like to use again.
  • Is it ok to use any LND channel management tool? I used LNDg in the past and would like to use it again?
  • How can I fund my node with a part of my stack which might contain previously tainted coins due to having already been used for running an LN node? How can I move those funds to a separate stack that cannot be linked back to the rest of my stack?
  • I had a bad experience with Tor-only and switched to a hybrid node using VPN. This was the best decision I made in terms of uptime reliability, absence of payment failures, etc. This is thus important to me as I'd like to become an important and well-connected routing node again. In the context of an anon node, is there a way to be hybrid again? What about my real-world identity that is linked to my VPN provider? Are there VPN providers that do not require such KYC? What of the risk of my VPN provider cutting me off in the future as they start considering all nodes to be money-transmitters and thus require licenses?
  • How to open channels in a private way? Taproot-related, etc?
  • How to run this node efficiently where one needs to perform swap-outs to close liquidity loops? I used to use amongst others Wallet of Satoshi to move off-chain liquidity back on-chain. Is that also a possible attack vector in determining my node's identity?
  • Any other weakness related to off-chain chain-analysis which last time I checked made running an anon LN node a hard problem.
  • I am by no means a privacy or even IT expert. The last technical problem I encountered required me to interact with other Plebs on Telegram to help me recover my funds due to a corrupted channel.db.
  • How to connect another less private node to my anon node without compromising that anon node's privacy?
  • How to use tools such as LN+ to find inbound liquidity while at the same time not compromising my identity?
  • How to connect to previous favorite node runners without them linking my former characteristic behavior as an LN node runner and associated identity to my new anon node?
  • Anything else I'm forgetting?
Running a profitable LN node is a difficult problem, doing it anonymously seems to be much harder. But as things stand, this might be a wise choice to make to be able to stay in the game and help the LN become a reliable censorship resistant tool. However, all this effort might be useless if only one piece of the privacy puzzle breaks down. Is it realistically even possible to do this in the current stage of the LN? I was listening to the recent Kevin Rooke (@kr) podcast with Ben Carman, and there seem to be many weak spots still that I haven't thought of.
Please tag any person who might actually know more about this. Feel free to share it outside of SN too so that this post can also possibly become the reference for anyone who would like to reproduce this.
Thank you!
This is a lot to dig into. It's late in the night, so I'll throw some pointers, but it's not addressing all of your very well founded questions.
  • implementation doesn't matter that much. LND as well as CLN and Eclair are open sourced, and there is some certainty that with a larger community of users, security is hardened. But since LN is a hot wallet, funds are never 100% safu
  • same with LN management tools. with LNDg and command line, you should be sufficiently set up to manage properly, as well as balancing risk using 3rd party software. Since LNDg is open sourced, you can control and verify what is shared with other parties (none at this point, but you can double-check before each update)
  • funding non-KYC is a key point. @Darthcoin has a tremendous amount of great guides about this. You may want to read this longer guide, a list of kycnotme providers, How to consolidate UTXOs and listen to this talk about LN Privacy.
  • Hybrid is key for successful routing nodes. Most if not all VPN providers expect you to KYC, so this is a no-no. Tunnel⚡️Sats addresses exactly that use case - no KYC VPN for your node
  • Swap out options are growing every day. As long as you keep your node BTC UTXOs clean and switch addresses, you should be fine with trustless and custodial options. But this may change over time, so keep connected with the community what the best options are (I'm not well versed on this topic)
  • Darthcoin had a guide once to build a dark / hidden / shadow node, which has only private (read: unannounced) channel(s) to his "public / front" node. This way, you can mostly keep the dark one behind. But note that invoices from the dark node will reveal its path. I can't seem to find that guide anymore
  • Node runners come and go. I think you can only be successful if you keep connecting to the community. Use lnvpn.net to buy a mobile number. Use this to sign up with telegram or use matrix. Build your own email server or at least use proton.me for a new, anonymous email address. Keep the social network interaction to a bare minimum. Amboss will collect your IP address when you claim your node, but without it, your marketing exposure is gone. I know many node runners who only open to channels where they can reach / talk to the runner. So it'll always be a tradeoff
  • keep updating your node OS. Many runners forget about this
That's it for now, hope it's useful, even though it's a bit erratic.
reply
Thanks. I'll definitely dig into @Darthnode's guides. Forgot about them when I wrote the post. His ideological recommendation is usually not to care about possible regulators, but if at least, one can make it harder for them to intervene, one should do it. And his guides provide exactly such information. And indeed, before caring about any LN privacy, I should first work on my online privacy in general. What about updating the OS is related to privacy specifically? It sounds like good advice, but not sure in the context of privacy.
reply
Yes, the social surroundings of your node need to be tight as well, to ensure your identity is anonymous and protected. Recalled a couple of options I forgot yesterday, wanted to mention them since they are important:
  • don't use public mempool sites to look up tx's. this could allow malicious sites to relate your identity (IP) to tx. Better always use your local mempool instance from your node
  • don't use umbrel. Better go for a bare-metal setup, where you only install what you need, and everything is validated by the open source community. Raspibolt is a key here, and has most of the apps you may be used to use as install guide (including mempool, see above)
  • you may ditch twitter and telegram completely, and go full #nostr. It's a vivid bitcoin and lightning community, and helps you to stay completely anonymous and away from centralised social media services
On your last question on OS updates: This was more about security, not about privacy per se. But if your security is weak, it creates attack vectors to expose your identity, too. So keeping a natural habit of keeping your OS up-to-date secures your stack and your identity. One more thing: #raspiblitz has everything Tor'ed (even OS updates), so your ISP basically doesn't know shit about you
  • running bitcoind
  • running a linux system
  • transacting with lightning
The drawbacks are speed and reliability as @1fatmess mentioned further below. But as long as speed is not a key factor, tor is a great obfuscation method.
Hope this helps and adds to your research list
reply
Thanks a lot. I'll dig into them. Thank you for your invaluable contributions to the field.
reply
If you look at the breakdown by implementation, it's almost all LND, CLN is around 13%, eclair is under 2%. It would be great to have more CLN, especially because... TARO makes me nervous. I understand that's where your expertise is though.
reply
Yes, I follow the sentiment. I did like using LNDg a lot though, so unless I find something else equivalent, I might have to stick with LND. CLN is doing good work.
Currently, LND is the one that has had several publicized bugs, but that comes with being the most used implementation I imagine. It's probably the most stress-tested at the moment.
Taro and RGB are indeed something I'll be watching closely. Even though they claim that only entry and exit nodes will knowingly be interacting with Taro/RGB, it'll definitely change the routing dynamics from routing nodes in between if things catch on.
reply
Looks like a great starting point. Will read it carefully as well as the many links inside and incorporate it into my study material for the coming weeks. Thank you!
reply
I am quite far down this rabbit hole and plan on sharing my findings (and remaining questions) soon. @Hakuna’s response is good. I think the main considerations are UTXOs used opening channels and masking your IP address with a VPN as Tor just isn’t a viable option (and it’s BS to pretend otherwise—I say this as someone fully behind Tor 24/7 atm and my node is basically shit as a result).
You’ll really want to run 2 nodes: one on clearnet but where the IP and UTXOs don’t dox you, but payments are reliable, and one behind Tor with less reliable performance for fully-private personal usage. As others have mentioned, @Darthcoin’s guides are very useful here, too.
Look into a tool like Lnproxy for this, as well, as receiving on Lightning is bad for privacy.
reply
Thank you. I'll be happy to read your findings in the future. Please ping me when you do share them.
I'll look into Lnproxy.
reply