sudocarlos · May 11, 2024 11:54
diff --git a/Start9 access using a VPS and Tailscale b/Start9 access using a VPS and Tailscale
 # Start9 access using a VPS and Tailscale

 This guide is a combination of articles from BTCPayServer Docs and Tailscale KBs.
 They did a great job, so most of what you see here are unaltered parts of the
 pages listed in the [sources](#sources) section.

 This guide describes how to use a VPS and Tailscale to connect to Core Lightning on
 your Start9 from Zeus. You can also expose and connect to other Start9 services
 as described in the end.

 ## Sources

 - https://tailscale.com/kb/1019/subnets
 - https://docs.btcpayserver.org/Deployment/ReverseSSHtunnel/
 - https://docs.btcpayserver.org/Deployment/ReverseProxyToTor
 - https://docs.start9.com/0.3.5.x/service-guides/lightning/zeus-cln-direct

 ## Benefits

 - no changes on your Start9 or home router
 - encrypted connection (SSH) inside of an encrypted connection (Tailscale/Wireguard)
 - hides the IP of your home network

 ## Requirements

 - a Virtual Private Server (VPS) - eg. a minimal package on Lunanode for ~3.5$/month
 - a computer with Tailscale in the same LAN as your Start9
 - root access on the VPS - you need to set up webserver and install packages
 - a domain or subdomain - this will be setup on the proxy webserver


 ## Same-LAN host setup

 For more details on the following steps, see [sources](#sources)

 [Download and install Tailscale](https://tailscale.com/download/) onto your
 subnet router machine.

 Assuming a Linux machine, see [sources](#sources) for details about enabling IP
 forwarding and firewalls. I didn't have to bother with either in my case 
 (Synology DSM 7.2).

 Advertise subnet routes

 ```bash
 sudo tailscale up --advertise-routes=192.168.0.0/24,192.168.1.0/24
 ```

 Replace the subnets in the example above with the right ones for your network. Both
 IPv4 and IPv6 subnets are supported.

 [Enable subnet routes from the admin console](https://tailscale.com/kb/1019/subnets?tab=linux#enable-subnet-routes-from-the-admin-console)


 ## VPS Setup

 You will create a nginx reverse proxy and autossh service, which forwards requests
 to your Start9.

 ### Install dependencies

 Login to VPS as root and install the required dependencies: (example assumes a 
 Debian based system)

 ```bash
 # switch to root user (if not logged in as root)
 sudo su -

 # install dependencies
 apt update
 apt install -y certbot nginx autossh
 ```

 ### Tailscale setup

 [Download and install Tailscale](https://tailscale.com/download/) on your VPS.

 [Use your subnet routes from other machines](https://tailscale.com/kb/1019/subnets?tab=linux#use-your-subnet-routes-from-other-machines)

 ```bash
 # enable automatic route discovery
 sudo tailscale up --accept-routes
 ```

 ### SSH tunnels setup

 #### Authorize SSH key

 ```bash
 # check for an existing ssh public key
 cat ~/.ssh/*.pub
 ```

 If there is no existing SSH public key, generate one (keep pressing ENTER):

 ```bash
 ssh-keygen -t rsa -b 4096
 ```

 This will generate the SSH keypair `id_rsa` (private key) and `id_rsa.pub` inside `~/.ssh`.
 View this file so that you can add your SSH public key to your Start9

 ```bash
 cat .ssh/id_rsa.pub
 ```

 Copy the output

 **On your Start9**, go to System > SSH and click 'Add New Key'. Paste the key and submit.

 To verify that it works, SSH into the Start9 – this should not prompt for the password anymore:

 ```bash
 ssh start9@START9_LOCAL_ADDRESS
 ```

 #### Create the service file

 ```bash
 sudo nano /etc/systemd/system/autossh-tunnel.service
 ```

 Paste the following and fill in the `START9_LOCAL_ADDRESS`.

 ```ini
 [Unit]
 Description=AutoSSH tunnel service
 After=network.target

 [Service]
 User=root
 Group=root
 Environment="AUTOSSH_GATETIME=0"
 ExecStart=/usr/bin/autossh -C -M 0 -v -N -o "ServerAliveInterval=60" -L 8443:c-lightning.embassy:3001 start9@START9_LOCAL_ADDRESS
 StandardOutput=journal

 [Install]
 WantedBy=multi-user.target

 ```

 Enable and start the service:

 ```bash
 sudo systemctl enable autossh-tunnel
 sudo systemctl start autossh-tunnel
 ```

 The port forwarding with a reverse ssh-tunnel is now complete.
 You should be able access the ports/services of the host computer through the IP of the VPS.

 #### Monitoring

 Check if there are any errors on the host computer:

 ```bash
 sudo journalctl -f -n 20 -u autossh-tunnel
 ```

 To check if tunnel is active on the VPS:

 ```bash
 netstat -tulpn
 ```

 ### Webserver setup

 #### Point domain to the VPS

 Create the A record on the DNS server of your domain/subdomain and point it to your VPS IP address.

 #### Prepare SSL and Let's Encrypt

 ```bash
 # generate 4096 bit DH params to strengthen the security, may take a while
 openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

 # create directory for Let's Encrypt files
 mkdir -p /var/lib/letsencrypt/.well-known
 chgrp www-data /var/lib/letsencrypt
 chmod g+s /var/lib/letsencrypt
 ```

 #### nginx configuration: http

 Create a variable mapping to forward the correct protocol setting and check if the Upgrade header is sent by the client, e.g. `/etc/nginx/conf.d/map.conf`:

 ```nginx
 map $http_x_forwarded_proto $proxy_x_forwarded_proto {
  default $http_x_forwarded_proto;
  ''      $scheme;
 }

 map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
 }
 ```

 Create a config file for the domain, e.g. `/etc/nginx/sites-available/cln.conf`:

 ```nginx
 server {
  listen 80;
  server_name cln.MYDOMAIN.COM;

  # Let's Encrypt verification requests
  location ^~ /.well-known/acme-challenge/ {
    allow all;
    root /var/lib/letsencrypt/;
    default_type "text/plain";
    try_files $uri =404;
  }

  # Redirect everything else to https
  location / {
    return 301 https://$server_name$request_uri;
  }
 }
 ```

 We will configure the https server part in the same config file once we obtained the SSL certificate.

 Enable the web server config by creating a symlink and restarting nginx:

 ```bash
 ln -s /etc/nginx/sites-available/cln.conf /etc/nginx/sites-enabled/cln.conf

 systemctl restart nginx
 ```

 #### Obtain SSL certificate via Let's Encrypt

 Run the following command with adapted email and domain parameters:

 ```bash
 certbot certonly --agree-tos --email [email protected] --webroot -w /var/lib/letsencrypt/ -d cln.MYDOMAIN.COM
 ```

 #### nginx configuration: https

 Now that we have a valid SSL certificate, add the https server part at the end of `/etc/nginx/sites-available/btcpayserver.conf`:

 ```nginx
 server {
  listen 80;
  server_name cln.MYDOMAIN.COM;

  # Let's Encrypt verification requests
  location ^~ /.well-known/acme-challenge/ {
    allow all;
    root /var/lib/letsencrypt/;
    default_type "text/plain";
    try_files $uri =404;
  }

  # Redirect everything else to https
  location / {
    return 301 https://$server_name$request_uri;
  }
 }

 server {
  listen 443 ssl http2;
  server_name cln.MYDOMAIN.COM;

  # SSL settings
  ssl_stapling on;
  ssl_stapling_verify on;

  ssl_session_timeout 1d;
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off;

  # Update this with the path of your certificate files
  ssl_certificate /etc/letsencrypt/live/cln.stubby.dev/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/cln.stubby.dev/privkey.pem;

  ssl_dhparam /etc/ssl/certs/dhparam.pem;
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
  ssl_prefer_server_ciphers off;

  resolver 9.9.9.9 149.112.112.112 valid=300s;
  resolver_timeout 30s;

  add_header Strict-Transport-Security "max-age=63072000" always;
  add_header Content-Security-Policy "frame-ancestors 'self';";
  add_header X-Content-Type-Options nosniff;

  # Proxy requests to the ssh tunnel
  location / {
    proxy_pass https://localhost:8443/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
  }
 }
 ```

 Restart nginx once more:

 ```bash
 systemctl restart nginx
 ```

 Now, visiting `cln.MYDOMAIN.com/v1/getinfo` should show an error, like

 ```json
 {"message":"Authentication Failed!","error":"Bad Macaroon!"}
 ```

 ### Zeus wallet setup

 **On your Start9**, make sure you have C-Lightning-REST enabled.
 Services > Core Lightning > Config > Advanced > Plugins > C-Lightning-REST

 Copy your REST Macaroon (Hex) for Zeus wallet setup
 Services > Core Lightning > Properties > REST Properties > REST Macaroon (Hex)

 **In Zeus wallet**, add a new node
 Settings > (tap the active node) > **+**

 Setting | Value
 ---
 Node interface | Core Lightning (c-lightning-Rest)
 Host | cln.MYDOMAIN.COM
 Macaroon (Hex format) | *see last step*
 REST Port | 443
 Certificate Verification | *enabled*

 SAVE NODE CONFIG

 Party time!
	# Start9 access using a VPS and Tailscale

	This guide is a combination of articles from BTCPayServer Docs and Tailscale KBs.
	They did a great job, so most of what you see here are unaltered parts of the
	pages listed in the [sources](#sources) section.

	This guide describes how to use a VPS and Tailscale to connect to Core Lightning on
	your Start9 from Zeus. You can also expose and connect to other Start9 services
	as described in the end.

	## Sources

	- https://tailscale.com/kb/1019/subnets
	- https://docs.btcpayserver.org/Deployment/ReverseSSHtunnel/
	- https://docs.btcpayserver.org/Deployment/ReverseProxyToTor
	- https://docs.start9.com/0.3.5.x/service-guides/lightning/zeus-cln-direct

	## Benefits

	- no changes on your Start9 or home router
	- encrypted connection (SSH) inside of an encrypted connection (Tailscale/Wireguard)
	- hides the IP of your home network

	## Requirements

	- a Virtual Private Server (VPS) - eg. a minimal package on Lunanode for ~3.5$/month
	- a computer with Tailscale in the same LAN as your Start9
	- root access on the VPS - you need to set up webserver and install packages
	- a domain or subdomain - this will be setup on the proxy webserver


	## Same-LAN host setup

	For more details on the following steps, see [sources](#sources)

	[Download and install Tailscale](https://tailscale.com/download/) onto your
	subnet router machine.

	Assuming a Linux machine, see [sources](#sources) for details about enabling IP
	forwarding and firewalls. I didn't have to bother with either in my case
	(Synology DSM 7.2).

	Advertise subnet routes

	```bash
	sudo tailscale up --advertise-routes=192.168.0.0/24,192.168.1.0/24
	```

	Replace the subnets in the example above with the right ones for your network. Both
	IPv4 and IPv6 subnets are supported.

	[Enable subnet routes from the admin console](https://tailscale.com/kb/1019/subnets?tab=linux#enable-subnet-routes-from-the-admin-console)


	## VPS Setup

	You will create a nginx reverse proxy and autossh service, which forwards requests
	to your Start9.

	### Install dependencies

	Login to VPS as root and install the required dependencies: (example assumes a
	Debian based system)

	```bash
	# switch to root user (if not logged in as root)
	sudo su -

	# install dependencies
	apt update
	apt install -y certbot nginx autossh
	```

	### Tailscale setup

	[Download and install Tailscale](https://tailscale.com/download/) on your VPS.

	[Use your subnet routes from other machines](https://tailscale.com/kb/1019/subnets?tab=linux#use-your-subnet-routes-from-other-machines)

	```bash
	# enable automatic route discovery
	sudo tailscale up --accept-routes
	```

	### SSH tunnels setup

	#### Authorize SSH key

	```bash
	# check for an existing ssh public key
	cat ~/.ssh/*.pub
	```

	If there is no existing SSH public key, generate one (keep pressing ENTER):

	```bash
	ssh-keygen -t rsa -b 4096
	```

	This will generate the SSH keypair `id_rsa` (private key) and `id_rsa.pub` inside `~/.ssh`.
	View this file so that you can add your SSH public key to your Start9

	```bash
	cat .ssh/id_rsa.pub
	```

	Copy the output

	On your Start9, go to System > SSH and click 'Add New Key'. Paste the key and submit.

	To verify that it works, SSH into the Start9 – this should not prompt for the password anymore:

	```bash
	ssh start9@START9_LOCAL_ADDRESS
	```

	#### Create the service file

	```bash
	sudo nano /etc/systemd/system/autossh-tunnel.service
	```

	Paste the following and fill in the `START9_LOCAL_ADDRESS`.

	```ini
	[Unit]
	Description=AutoSSH tunnel service
	After=network.target

	[Service]
	User=root
	Group=root
	Environment="AUTOSSH_GATETIME=0"
	ExecStart=/usr/bin/autossh -C -M 0 -v -N -o "ServerAliveInterval=60" -L 8443:c-lightning.embassy:3001 start9@START9_LOCAL_ADDRESS
	StandardOutput=journal

	[Install]
	WantedBy=multi-user.target

	```

	Enable and start the service:

	```bash
	sudo systemctl enable autossh-tunnel
	sudo systemctl start autossh-tunnel
	```

	The port forwarding with a reverse ssh-tunnel is now complete.
	You should be able access the ports/services of the host computer through the IP of the VPS.

	#### Monitoring

	Check if there are any errors on the host computer:

	```bash
	sudo journalctl -f -n 20 -u autossh-tunnel
	```

	To check if tunnel is active on the VPS:

	```bash
	netstat -tulpn
	```

	### Webserver setup

	#### Point domain to the VPS

	Create the A record on the DNS server of your domain/subdomain and point it to your VPS IP address.

	#### Prepare SSL and Let's Encrypt

	```bash
	# generate 4096 bit DH params to strengthen the security, may take a while
	openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

	# create directory for Let's Encrypt files
	mkdir -p /var/lib/letsencrypt/.well-known
	chgrp www-data /var/lib/letsencrypt
	chmod g+s /var/lib/letsencrypt
	```

	#### nginx configuration: http

	Create a variable mapping to forward the correct protocol setting and check if the Upgrade header is sent by the client, e.g. `/etc/nginx/conf.d/map.conf`:

	```nginx
	map $http_x_forwarded_proto $proxy_x_forwarded_proto {
	default $http_x_forwarded_proto;
	'' $scheme;
	}

	map $http_upgrade $connection_upgrade {
	default upgrade;
	'' close;
	}
	```

	Create a config file for the domain, e.g. `/etc/nginx/sites-available/cln.conf`:

	```nginx
	server {
	listen 80;
	server_name cln.MYDOMAIN.COM;

	# Let's Encrypt verification requests
	location ^~ /.well-known/acme-challenge/ {
	allow all;
	root /var/lib/letsencrypt/;
	default_type "text/plain";
	try_files $uri =404;
	}

	# Redirect everything else to https
	location / {
	return 301 https://$server_name$request_uri;
	}
	}
	```

	We will configure the https server part in the same config file once we obtained the SSL certificate.

	Enable the web server config by creating a symlink and restarting nginx:

	```bash
	ln -s /etc/nginx/sites-available/cln.conf /etc/nginx/sites-enabled/cln.conf

	systemctl restart nginx
	```

	#### Obtain SSL certificate via Let's Encrypt

	Run the following command with adapted email and domain parameters:

	```bash
	certbot certonly --agree-tos --email [email protected] --webroot -w /var/lib/letsencrypt/ -d cln.MYDOMAIN.COM
	```

	#### nginx configuration: https

	Now that we have a valid SSL certificate, add the https server part at the end of `/etc/nginx/sites-available/btcpayserver.conf`:

	```nginx
	server {
	listen 80;
	server_name cln.MYDOMAIN.COM;

	# Let's Encrypt verification requests
	location ^~ /.well-known/acme-challenge/ {
	allow all;
	root /var/lib/letsencrypt/;
	default_type "text/plain";
	try_files $uri =404;
	}

	# Redirect everything else to https
	location / {
	return 301 https://$server_name$request_uri;
	}
	}

	server {
	listen 443 ssl http2;
	server_name cln.MYDOMAIN.COM;

	# SSL settings
	ssl_stapling on;
	ssl_stapling_verify on;

	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:10m;
	ssl_session_tickets off;

	# Update this with the path of your certificate files
	ssl_certificate /etc/letsencrypt/live/cln.stubby.dev/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/cln.stubby.dev/privkey.pem;

	ssl_dhparam /etc/ssl/certs/dhparam.pem;
	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
	ssl_prefer_server_ciphers off;

	resolver 9.9.9.9 149.112.112.112 valid=300s;
	resolver_timeout 30s;

	add_header Strict-Transport-Security "max-age=63072000" always;
	add_header Content-Security-Policy "frame-ancestors 'self';";
	add_header X-Content-Type-Options nosniff;

	# Proxy requests to the ssh tunnel
	location / {
	proxy_pass https://localhost:8443/;
	proxy_http_version 1.1;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $remote_addr;
	proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection $connection_upgrade;
	}
	}
	```

	Restart nginx once more:

	```bash
	systemctl restart nginx
	```

	Now, visiting `cln.MYDOMAIN.com/v1/getinfo` should show an error, like

	```json
	{"message":"Authentication Failed!","error":"Bad Macaroon!"}
	```

	### Zeus wallet setup

	On your Start9, make sure you have C-Lightning-REST enabled.
	Services > Core Lightning > Config > Advanced > Plugins > C-Lightning-REST

	Copy your REST Macaroon (Hex) for Zeus wallet setup
	Services > Core Lightning > Properties > REST Properties > REST Macaroon (Hex)

	In Zeus wallet, add a new node
	Settings > (tap the active node) > +

	Setting \| Value
	---
	Node interface \| Core Lightning (c-lightning-Rest)
	Host \| cln.MYDOMAIN.COM
	Macaroon (Hex format) \| see last step
	REST Port \| 443
	Certificate Verification \| enabled

	SAVE NODE CONFIG

	Party time!