This guide will walk you through setting up a Monero node (monerod) directly on your Ubuntu server. No Docker, just pure Ubuntu and Monero.
Why Run Your Own Node?
- Privacy: When you use a remote node (the default in many wallets), that node operator can potentially see your IP address and link it to your transaction activity. Running your own node means your wallet only talks to your server on your hardware.
- Network Strength: Full nodes are the backbone of the Monero network. They validate transactions and blocks, ensuring the rules are followed. Running one makes the network more decentralized and resilient.
- Control: You are your own source of truth for the Monero blockchain.
What We'll Do:
We'll download the official Monero software, verify it's legitimate, configure it, and set it up to run automatically using systemd (Ubuntu's service manager).
Prerequisites:
- Ubuntu Server: You have Ubuntu Server (ideally 22.04 LTS or newer) installed and running. (If you aren't ready, follow my guide https://expatriotic.me/ubuntu and then come back).
- SSH Access: You know how to connect to your server's command line using SSH from your regular computer. All commands below are typed into that SSH terminal window.
- Basic Terminal Concepts: We'll explain commands as we go, but know that you type commands and press Enter to run them. Commands are case-sensitive!
Phase 1: Preparation & Downloading
First, we need to connect to our server via SSH. Once logged in, you'll see a command prompt, likely ending in $. I use Tailscale to manage my SSH, but you don't have to.
1. Navigate to Downloads Directory:
It's good practice to download software into a specific folder. Let's create one called downloads in your home directory (~) and move into it.
# Create the directory if it doesn't exist (-p prevents errors if it's already there)
mkdir -p ~/downloads
# Change directory into downloads
cd ~/downloads
- mkdir -p: Makes a directory. -p means "make parent directories if needed and don't complain if it exists."
- cd: Changes directory. ~/downloads means the downloads folder inside your home directory. Your prompt might change slightly to show you're now in ~/downloads.
2. Set the Monero Version (The Shortcut!)
To make things easier and less prone to typos, we'll store the version number we want in a variable. Check the Monero Downloads page for the latest CLI version. As of late October 2025, it's 0.18.4.3.
MONERO_VERSION=0.18.4.3
(Remember: No spaces around the =! If a new version is out, just change the number here.)
3. Download Monero Software:
Now we use the wget command (a tool for downloading files from the internet) along with our variable to get the Monero software and the file containing official checksums (hashes).
# Download the 64-bit Linux Command Line Tools (CLI)
wget https://downloads.getmonero.org/cli/monero-linux-x64-v${MONERO_VERSION}.tar.bz2
# Download the file containing official hashes (checksums)
wget https://www.getmonero.org/downloads/hashes.txt
You'll see progress bars as the files download.
Phase 2: Verification
This is the most important security step. Do not skip it. We need to be sure the software we downloaded hasn't been tampered with. We'll use two methods: GPG signatures and SHA256 hashes.
1. Get the Developer's GPG Key:
GPG is like a digital signature system. We need the public key of a trusted Monero developer to verify the signature on the hashes.txt file. 'binaryFate' is a core developer whose key is commonly used.
# Download binaryFate's public GPG key
wget -O binaryfate.asc https://raw.githubusercontent.com/monero-project/monero/master/utils/gpg_keys/binaryfate.asc
# Display the fingerprint of the downloaded key
gpg --keyid-format long --with-fingerprint binaryfate.asc
# The output you are looking for must show this fingerprint: Primary key fingerprint: 81AC 591F E9C4 B65C 5806 AFC3 F0AF 4D46 2A0B DF92
# If and only if the fingerprint matches, proceed to import it
# Import the key into your GPG keychain
gpg --import binaryfate.asc
- wget -O: Downloads the file but saves it with a specific name (binaryfate.asc).
- gpg --import: Adds the downloaded key to your list of known keys. You only need to do this once per key.
2. Verify the hashes.txt File:
Now, use GPG to check if the hashes.txt file we downloaded was actually signed by the key we just imported.
gpg --verify hashes.txt
Look closely at the output! You need to see two things:
- gpg: Good signature from "binaryFate <binaryfate@getmonero.org>" ...
- Primary key fingerprint: 81AC 591F E9C4 B65C 5806 AFC3 F0AF 4D46 2A0B DF92
You will likely see a warning: This key is not certified with a trusted signature!. This is expected and not a problem in this case. It simply means you haven't personally built a "web of trust" to this key.
The Good signature confirms the file was signed by the key, and the matching fingerprint (which you already verified in step 1) confirms it's the correct key. If you see both, the file is authentic. If anything does not match, STOP.
3. Verify the Downloaded Monero Software:
The hashes.txt file contains a list of unique "fingerprints" (SHA256 hashes) for the official Monero files. Now that we trust hashes.txt (because it had a good signature), we can check if the fingerprint of the file we downloaded matches the fingerprint listed inside hashes.txt.
# Check the SHA256 hash of our download against the list in hashes.txt
sha256sum --check --ignore-missing hashes.txt
- sha256sum --check: Tells the tool to read expected hashes from the file (hashes.txt) and compare them to the actual files in the current directory.
- --ignore-missing: hashes.txt lists many files; this tells sha256sum not to complain about files we didn't download (like the Windows or Mac versions).
You are looking for one specific line in the output (it must match the version you downloaded):
monero-linux-x64-v${MONERO_VERSION}.tar.bz2: OK
If you see "OK", the file is verified! If you see "FAILED" or any errors, STOP. Do not proceed. Your download might be corrupt or tampered with. Delete it and try downloading again.
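gpg --verify on a clearsigned file vouches only for the text inside the signed block, while sha256sum --check reads every line of the file it is given. The script below is an added example, not part of the original guide: it compares the download against the signed text only, assuming that text was first written out with gpg's --output option (the file name hashes.signed.txt and the function names are chosen for this example).

```shell
#!/usr/bin/env bash
# Added example: compare a download against the GPG-signed hash list only.
# Assumption: the signed text was written out first with
#   gpg --output hashes.signed.txt --verify hashes.txt
# (hashes.signed.txt is a name chosen for this example).

# Print the SHA256 listed for exactly one file name in the signed hash list.
# Fails if the name is absent or listed more than once.
expected_sha256() {   # $1 = signed hash list, $2 = file name
    awk -v want="$2" '
        $2 == want && length($1) == 64 { hash = $1; n++ }
        END { if (n != 1) exit 1; print hash }
    ' "$1"
}

# Return 0 only if the file's actual SHA256 equals the signed one.
verify_download() {   # $1 = signed hash list, $2 = downloaded file
    local signed_list=$1 file=$2 name expected actual
    name=$(basename "$file")
    expected=$(expected_sha256 "$signed_list" "$name") || {
        echo "FAILED: $name is not listed exactly once" >&2
        return 1
    }
    actual=$(sha256sum "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
    else
        echo "FAILED: $name does not match the signed hash" >&2
        return 1
    fi
}
```

Typical use after the gpg step: verify_download hashes.signed.txt "monero-linux-x64-v${MONERO_VERSION}.tar.bz2", and stop if it returns non-zero.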
Phase 3: Installation
With the software verified, we can install it.
1. Install bzip2:
The downloaded file is compressed using bzip2. We need that tool to extract it.
# Update package list and install bzip2
sudo apt update
sudo apt install -y bzip2
- sudo: Runs the command with administrator privileges (needed for installing software). You'll likely be asked for your password.
- apt update: Refreshes the list of available software packages.
- apt install -y bzip2: Installs the bzip2 package. -y automatically says "yes" to prompts.
2. Extract the Archive:
Now we use the tar command to unpack the downloaded file.
# Extract the contents of the Monero archive
tar -xjvf monero-linux-x64-v${MONERO_VERSION}.tar.bz2
- tar: The archive utility.
- -xjvf: Options telling tar to eXtract, use bzip2 (j), be Verbose (show files), using File monero...tar.bz2.
This will create a new directory, likely named something like monero-x86_64-linux-gnu-v0.18.4.3.
3. Install the Main Program (monerod):
We only need the main Monero daemon program right now (monerod). We'll move it to a standard location where the system looks for executable programs.
# Find the exact name of the folder tar created
# (ls -d lists directories, */ matches any directory, head -n 1 picks the first)
EXTRACTED_FOLDER=$(ls -d monero-*/ | head -n 1)
# Move the monerod program to /usr/local/bin
sudo mv "${EXTRACTED_FOLDER}monerod" /usr/local/bin/
# Optional: Move the wallet CLI too if you want to use it from this server later
sudo mv "${EXTRACTED_FOLDER}monero-wallet-cli" /usr/local/bin/
# Optional but recommended: Install port-checking tool
sudo apt install -y net-tools
- mv: Moves a file. We use sudo because /usr/local/bin is a system directory.
4. Clean Up:
Let's remove the files we no longer need.
# Remove the extracted folder
rm -r "${EXTRACTED_FOLDER}"
# Optional: Remove the downloaded archive and verification files
rm monero-linux-x64-v${MONERO_VERSION}.tar.bz2 hashes.txt binaryfate.asc
- rm -r: Removes a directory and its contents.
- rm: Removes files.
Phase 4: Configuration
Now we'll create the configuration file. This is the most important part, as it tells your node how to run and who can connect.
1. Create the Config File
First, create the directory.
mkdir -p ~/.bitmonero
- The . at the start makes it a hidden directory (won't show up with a plain ls).
2. Create Configuration File:
We use a simple text editor called nano to create the file.
nano ~/.bitmonero/monerod.conf
This opens an empty editor.
3. Paste the Base Configuration
Paste the following configuration using your mouse or keyboard shortcuts (like Shift+Insert or Cmd+V).
(Note: Replace YOUR_USERNAME with your actual username).
# Monero Node Base Configuration
# -------------------------------
# === Paths ===
# Tells monerod where to store the blockchain
data-dir=/home/YOUR_USERNAME/.bitmonero/lmdb
# Tells monerod where to write its log
log-file=/home/YOUR_USERNAME/.bitmonero/bitmonero.log
log-level=1
# === Basic Network Settings ===
no-igd=1
enable-dns-blocklist=1
# === Restricted RPC (for local 'monerod status' command) ===
# This creates a "read-only" port just for your server
rpc-restricted-bind-ip=127.0.0.1
rpc-restricted-bind-port=18089
Do not save yet! Now, you must choose one of the following options.
4. Choose Your Connection Method
Option A: Connect via LAN or VPN (e.g., Tailscale, Mullvad)
This is the simplest method and what I use. This makes your node's "admin" port (18081) available on your private network, protected by your firewall.
Add this text to the bottom of your monerod.conf:
# === Main RPC (for Feather Wallet via LAN/Tailscale) ===
# This opens the "admin" port (18081) for sending transactions.
# 0.0.0.0 means "listen on all network interfaces"
rpc-bind-ip=0.0.0.0
rpc-bind-port=18081
# Monerod will refuse to start if rpc-bind-ip is not 127.0.0.1
# This line overrides that security check. We need this.
confirm-external-bind=1
Pro-tip: You can find your node's Tailscale IP by running tailscale ip -4 on the node. You can find your LAN IP by running ip a | grep inet. You can replace 0.0.0.0 with one of these specific IPs for slightly more security, but 0.0.0.0 is fine as long as your firewall is on.
Option B: Connect via Tor Onion Service
This is more advanced but provides excellent privacy. It keeps your node's RPC port completely off your local network and makes it accessible only as a hidden service.
First, you must install Tor:
# Run this in a separate terminal
sudo apt update
sudo apt install tor
Second, edit your torrc file:
sudo nano /etc/tor/torrc
Add these two lines to the file (you can add them at the end):
HiddenServiceDir /var/lib/tor/monero-rpc-service/
HiddenServicePort 18081 127.0.0.1:18081
Save and exit, then restart Tor:
sudo systemctl restart tor
Third, get your new onion address:
sudo cat /var/lib/tor/monero-rpc-service/hostname
It will output a long .onion address. Copy this!
Finally, add this text to the bottom of your monerod.conf:
# === Main RPC (for Feather Wallet via Tor) ===
# We bind the "admin" port to localhost, and let Tor handle
# the external connection.
rpc-bind-ip=127.0.0.1
rpc-bind-port=18081
# Tell monerod to advertise your onion address
# (REPLACE with the hostname you copied!)
# This P2P listener needs its own local port: binding it to 127.0.0.1:18081
# would collide with the RPC port above. 18084 is used here and needs a
# matching line in torrc: HiddenServicePort 18084 127.0.0.1:18084
anonymous-inbound=YOUR_HOSTNAME.onion:18084,127.0.0.1:18084,24
# Tell monerod to use Tor for outgoing transactions
tx-proxy=tor,127.0.0.1:9050
5. Save and Exit nano
You should now have the Base Config plus either Option A or Option B.
- Press Ctrl+X.
- Press Y for Yes.
- Press Enter to save.
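Whether the admin RPC port is private depends on which option ended up in monerod.conf, so it is worth checking the finished file rather than trusting memory. The script below is an added example, not part of the original guide: it reports which interfaces the two RPC listeners bind to and returns non-zero when the unrestricted port listens on every interface. The function names are chosen for this example.

```shell
#!/usr/bin/env bash
# Added example: report which interfaces the RPC ports in a monerod.conf listen on.

# Print the last value assigned to a key, skipping comment lines.
conf_get() {   # $1 = config file, $2 = key
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) found = v
        }
        END { print found }
    ' "$1"
}

# Classify a bind address. Empty means the key is unset, and monerod
# then binds RPC to 127.0.0.1.
bind_scope() {   # $1 = address
    case "$1" in
        ""|127.*|localhost|::1) echo loopback ;;
        0.0.0.0|::)             echo all-interfaces ;;
        *)                      echo "specific:$1" ;;
    esac
}

# Print the scope of the unrestricted and restricted RPC listeners.
# Returns 1 when the unrestricted port listens on every interface, which is
# the case where only the firewall keeps it private.
audit_rpc() {   # $1 = config file
    local conf=$1 full restricted
    full=$(bind_scope "$(conf_get "$conf" rpc-bind-ip)")
    restricted=$(bind_scope "$(conf_get "$conf" rpc-restricted-bind-ip)")
    echo "rpc=$full restricted=$restricted"
    [ "$full" != all-interfaces ]
}
```

Run it as audit_rpc ~/.bitmonero/monerod.conf; a non-zero result with Option A is the cue to confirm that ufw is enabled and has no public rule for 18081.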
Phase 5: Running as a Service (systemd)
We want monerod to start automatically when the server boots and restart if it crashes. systemd handles this.
1. Create the Service File:
We need sudo because this file lives in a system directory.
sudo nano /etc/systemd/system/monerod.service
2. Paste the Service Configuration:
Paste the following text into nano. Carefully replace YOUR_USERNAME with your actual Linux username (e.g., satoshis).
[Unit]
Description=Monero Full Node (monerod)
# Start only once the network is up
After=network-online.target
Wants=network-online.target

[Service]
# Replace YOUR_USERNAME with your actual username!
User=YOUR_USERNAME
Group=YOUR_USERNAME
Type=simple
# Run monerod in the foreground, using the config file.
# systemd handles daemonization.
ExecStart=/usr/local/bin/monerod --config-file /home/YOUR_USERNAME/.bitmonero/monerod.conf --non-interactive
Restart=on-failure
RestartSec=30
# Add some basic security hardening
PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true
MemoryDenyWriteExecute=true

[Install]
# Needed so that "systemctl enable" can hook the service into the boot sequence
WantedBy=multi-user.target
3. Save and Exit nano: (Ctrl+X, Y, Enter).
4. Enable and Start the Service:
Tell systemd about the new file and start the Monero node.
# Reload systemd to recognize the new file
sudo systemctl daemon-reload
# Enable the service (start on boot) AND start it now
sudo systemctl enable --now monerod.service
- enable: Creates a link so the service starts automatically after rebooting.
- --now: Also starts the service immediately.
Phase 6: (Recommended) Open Firewall for Peers
Your node is running, but your server's firewall (ufw) is likely blocking other Monero nodes from connecting to you. To be a full participant and help strengthen the network, you need to allow incoming connections on the Monero P2P port (18080).
# Allow incoming TCP connections on port 18080
sudo ufw allow 18080/tcp
Note: We are only opening port 18080, which is the P2P port for syncing with other nodes. We are not opening your admin RPC port (18081) or restricted RPC port (18089) to the public internet. Ports bound to 127.0.0.1 in your config are reachable only from the server itself. If you chose Option A and bound 18081 to 0.0.0.0, it is your firewall, not the bind address, that keeps that port off the public internet.
Phase 7: Monitoring the Sync
Your Monero node is now running in the background! But it needs to download and verify the entire Monero blockchain, which is over 230GB and will take hours or days.
1. Watch the Live Logs:
See what monerod is doing right now.
journalctl -fu monerod.service
- journalctl: The tool for viewing system logs.
- -f: "Follow" the log, showing new lines as they appear.
- -u monerod.service: Only show logs for our Monero service.
You'll see messages about connecting to peers and syncing blocks. Heights will increase, e.g., Synced 123456/3XXXXXX.
To stop following the log, press Ctrl+C. This only stops the viewer, not the Monero node itself.
2. Check Sync Status:
Get a quick summary of the sync progress.
monerod status
This will show the current height and the target height.
For more details:
monerod sync_info
Just let it run. The sync is automatic. You can log out of SSH, and it will continue. Check back periodically using monerod status or journalctl.
Phase 8: How to Connect Your Wallet
Once the sync is complete, you can configure Monero wallets (like the official GUI wallet, Cake Wallet, Feather, or Monerujo).
If you chose Option A (LAN/Tailscale):
In Feather, go to Settings -> Node.
Add a new node and enter your node's LAN IP (like 192.168.8.50) or Tailscale IP (like 100.x.x.x).
Use port 18081.
If you chose Option B (Tor):
In Feather, go to Settings -> Node.
Add a new node and paste in your full .onion address.
Use port 18081.
Make sure "Connect over Tor" is checked.
Conclusion
Congratulations! You've successfully installed, verified, configured, and launched your own Monero full node directly on your Ubuntu server. You're enhancing your privacy and supporting the Monero network.
