I hope this is the appropriate place to ask this.
I’m building a web app that is using an lnd instance to facilitate payments via the lightning network. When I run my node app on my laptop that is connected to the same network as my rpi4 running Umbrel i am able to access my node via umbrel.local:10009. However, since my web app is deployed in the cloud I need to access my node from outside via <my-public-ip>:10009. In other words I need to publicly expose my lnd’s gPRC port.
im using alexbosworth's ln-service
The problem is i am unable to reach my node…
- my router does forward
:10009to my rpi4’s static ip - telnet
<my-public-ip>:10009DOES yield a response - my deployments domain IS listed as an entry the
tlsextradomain rpclistenIS configured as0.0.0.0externalipIS set to<my-public-ip>- im starting to suspect that this issue has to do with dockers default network and it is not letting any traffic outside the default network reach any container.
i provided a little sketch to make it really clear:
A few things worth trying come to mind:
tlsextradomainin thelnd.conffile, you need to regenerate thetls.certso it has the latest values included. Restarting LND should do the trick (I believe there also might be an LND command for this)-p <external-ip>:10009:10009to expose it externallyHope this helps. Docker networking is never fun, I've been there. Good luck!
I think this is the answer. Just restarting won't do the trick though. You need to delete the original tls.cert file before starting it back up again.
I suspect that the networking bit is not the problem. OP mentioned that they can telnet port 10009 from external networks. That means the port is successfully forwarded, it's the app that's not working.
unfortunately, this is not the answer. every time i made changes i deleted both tls files and restarted lnd. my tls certs are always up to date.
on that note: while i do get a response when i
telnet <public-ip>:10009can i assume that this is actually reaching my lnd? Is A response the RIGHT response or is there a RIGHT response apart from A response or NO response?A telnet response is always better than a timeout. That means something is responding. But since you say you already did delete the tls.cert beforehand, I'm wondering what else can be wrong.
If you decode the contents of the tls.cert file using https://www.sslchecker.com/certdecoder for instance, do you see all your IPs and domains?
Another way to check if you can connect is, use Zap Wallet to connect to your node. Zap uses the gRPC interface to connect. It might even give you useful error messages if initially you run into trouble connecting.
no i do not see any of my IPs or domains that is provided, interesting.
however i know that the cert was just regenerated because the issuance date got updated (the last one was yesterday). are the entries form
tlsextraipandtlsextradomainsupposed to be listed in the decoded dataset somewhere?https://i.ibb.co/XCGcsZ3/Screenshot-2022-07-18-at-10-41-58.png
Yes your extra IPs and domains you provided in
tlsextraipandtlsextradomainconfig entries should appear in the 'SAN' subject in the certificate. If they are not there, your app will not be able to perform the necessary SSL handshake.You need to investigate why they are not getting picked up by lnd.
I don't use Umbrel so I do not know if they have hidden config files somewhere that overrides your manual lnd.conf entires. Maybe you can check with them Umbrel folks.
dude, thank you. you helped a lot. i've asked a question on umbrel about this because it actually looks like they ignore the
lnd.confentries when generating the cert. waiting for the reply...btw. i ended up using voltage.cloud and it works like a charm!
I did some digging, it looks like it is a known issue with Umbrel after upgrade 0.5.0.
Glad to hear it!
Have you considered using Wireguard?
How would a VPN help me in this case? Can you point me to a guide?
Keep in mind that i don't have any ssh access in my deployment. Its heavily preconfigured and simply runs any Nextjs app that you point it to.
I think this is a great place to ask this. Unfortunately I don't know the answer, but I think someone here surely would and can help.
Have you tried accessing the REST API on default port 8080? As far as I know that forwards all requests to gRPC.
That's how I've setup Zaprite for users to access their own nodes.
(both require https)
It works for Tor and also on clearnet (ex. Voltage) nodes using LND.
But ultimately it could be a docker issue blocking incoming traffic over certain ports.
the library i'm using wants a gRPC socket. however, i did try this for fun to no avail...