- If you already set up Mullvad, run `sudo systemctl disable --now wg-quick@wg0` to deactivate it.
- Switch UFW back to the old port for the EC: `sudo ufw allow 30303 comment 'Execution client port, standardized by Rocket Pool'`
- Switch UFW back to the old port for the CC: `sudo ufw allow 9001 comment 'Consensus client port, standardized by Rocket Pool'`
- Set your EC P2P and CC P2P ports to 30303 and 9001 respectively in `rocketpool service config`.
- Start Tailscale back up: `sudo tailscale up`
⚠⚠ The old guide below is kept only for archival purposes: Mullvad no longer supports port forwarding. ⚠⚠
Staking over VPN provides an additional layer of privacy. Instead of your home IP address being exposed to the Ethereum p2p network, an anonymous IP address owned by the VPN will be exposed. This extra layer of privacy makes it harder for an attacker to physically locate your node.
In order to make this work, however, you will need a VPN provider that supports port forwarding. I'm using Mullvad, and this guide will be Mullvad-specific. The cost is 5€/month, and bandwidth is unlimited.
This set-up works with Tailscale!

- Mullvad occasionally decommissions its servers. When this happens, it happens without warning, and your node will appear to lose its internet connection. To fix this, download a new conf from Mullvad and repeat the steps of this guide.
- If you forget to pay Mullvad, your node will lose access to the internet, and you will start missing attestations. Set a calendar reminder!
Go to the registration page and create an account number.
This account number is both your username and password, so keep it securely backed up!
Once you've registered, a number of payment options exist. Choose one, and top up the account.
Mullvad works over a protocol known as WireGuard.

Head to the Mullvad key generation page and:

1. Select `Linux`.
2. Click `Generate Key`.
3. Pick a country/city/server near you.
4. Keep `Default DNS`.
5. Click `Download file`. If the page says `Download zip archive` instead, be sure to select a specific server in step 3.
You will need to copy the downloaded file to your node. The easiest way to do that is with `scp`.

Fill in your user name and node IP and run:

```
scp ~/Downloads/*-wg-*.conf your_username@your_node_ip:
```

You will be prompted for your password and 2FA, if enabled. If this succeeds, skip to the next section.

If you are using an SSH key file with a non-standard path or name, the above command will fail. Instead, update and run:

```
scp -i /path/to/your/key/file ~/Downloads/mlvd-*.conf your_username@your_node_ip:
```

In both commands, adjust the glob if it does not match the name of the file you actually downloaded.
Run:

```
sudo apt update
sudo apt install wireguard resolvconf
```

Next, move your config file to the correct location and set its permissions (the file contains your WireGuard private key, so it must be readable by root only):

```
sudo mv mlvd-*.conf /etc/wireguard/wg0.conf
sudo chmod 600 /etc/wireguard/wg0.conf
```

Start WireGuard with:

```
sudo wg-quick up wg0
```

and verify that it's working using:

```
sudo wg show wg0
```

You should see something like:

```
interface: wg0
  public key: E0jkhgdak/OoLteyaksjdjlhgkjhasd
  private key: (hidden)
  listening port: 51351
  fwmark: 0xca6c

peer: igdja678/hjkgdhakjhdkla
  endpoint: 12.234.567.890:86134
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 42 seconds ago
  transfer: 948.58 MiB received, 852.90 MiB sent
```

Finally, enable the VPN on reboots:

```
sudo systemctl enable wg-quick@wg0
```
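The `latest handshake` line above is the quickest sign that the tunnel is alive, and the two failure modes noted at the top of this guide (a decommissioned Mullvad server, an unpaid account) both show up as that handshake going stale. As an added example, not part of the original guide, here is a small shell check built on `wg show wg0 latest-handshakes`, which prints one `<peer-public-key><TAB><unix-timestamp>` line per peer (0 if the peer never completed a handshake). The function name, the 180-second threshold (WireGuard renegotiates roughly every two minutes while traffic flows) and the placeholder peer key are my choices; the sample line is constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide: flag a WireGuard tunnel whose
# peer has not completed a handshake recently. Input is the text printed by
#   sudo wg show wg0 latest-handshakes
# i.e. one "<peer-public-key><TAB><unix-timestamp>" line per peer, with a
# timestamp of 0 when that peer has never shaken hands.

# handshake_ok HANDSHAKE_TEXT MAX_AGE_SECONDS NOW_UNIX_TIME
# Returns 0 when every listed peer completed a handshake no more than
# MAX_AGE_SECONDS before NOW, and 1 otherwise (including when the text is
# empty, i.e. the interface has no peers or is down). Taking the text and the
# clock as arguments keeps the logic testable on captured output.
handshake_ok() {
    hs_text=$1
    max_age=$2
    now=$3
    rc=0
    if [ -z "$hs_text" ]; then
        echo "no peers listed: is wg0 up?"
        return 1
    fi
    while read -r peer ts; do
        [ -n "$peer" ] || continue
        # Reject anything that is not a plain non-negative integer.
        case $ts in
            ''|*[!0-9]*) echo "peer $peer: unreadable timestamp '$ts'"; rc=1; continue ;;
        esac
        if [ "$ts" -eq 0 ]; then
            echo "peer $peer: never completed a handshake"
            rc=1
            continue
        fi
        age=$((now - ts))
        if [ "$age" -gt "$max_age" ]; then
            echo "peer $peer: last handshake ${age}s ago, older than ${max_age}s"
            rc=1
        else
            echo "peer $peer: last handshake ${age}s ago, ok"
        fi
    done <<EOF
$hs_text
EOF
    return $rc
}

# Constructed sample (placeholder key, not a real Mullvad peer): a peer that
# last shook hands 42 seconds before a fixed "now".
SAMPLE_NOW=1700000000
SAMPLE_HS="$(printf 'PEER_PUBLIC_KEY_PLACEHOLDER=\t%s' $((SAMPLE_NOW - 42)))"
handshake_ok "$SAMPLE_HS" 180 "$SAMPLE_NOW"

# On the node (e.g. from a cron job that pages you on a non-zero exit):
#   handshake_ok "$(sudo wg show wg0 latest-handshakes)" 180 "$(date +%s)"
```

A non-zero exit here is the moment to download a fresh conf from Mullvad or check the account balance, before the beacon node has been offline long enough to matter.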
At this stage, your VPN is working, but you will have difficulty maintaining good peer counts because port forwarding is not yet configured.
Head to the port forwarding settings page.

- Under `Select city`, select the same city that you used in the key generation step.
- Under `Select key`, select the key you generated earlier (it should be the only option). If there are multiple keys, you can use `sudo wg show wg0` to find the public key on your node.
- Click "Add port" twice. Write down the two port numbers that it generates, e.g., if it displays `se-ups-54321`, write down "54321".
On the node, run `rocketpool service config`.

- In the section for `Execution Client (ETH1)`, update your `P2P Port` to the first port you wrote down earlier.
- In the section for `Consensus Client (ETH2)`, update your `P2P Port` to the second port you wrote down earlier.
- Save and exit. Restart containers when prompted (you will miss a few attestations here if doppelganger detection is enabled).
When you originally set up the node, you configured a firewall and opened the standardized ports for eth1 and eth2 peer-to-peer connections. You will want to update ufw to close those ports and expose the ones you're using with Mullvad.

First, delete the old rules with:

```
sudo ufw delete allow 30303/tcp
sudo ufw delete allow 30303/udp
sudo ufw delete allow 9001/tcp
sudo ufw delete allow 9001/udp
```

Next, replace `<PORT>` with the first port you wrote down in the Enable port forwarding section in the following commands and run them:

```
sudo ufw allow <PORT>/tcp comment 'Execution client port - Mullvad'
sudo ufw allow <PORT>/udp comment 'Execution client port - Mullvad'
```

Then, replace `<PORT>` with the second port you wrote down in the Enable port forwarding section in the following commands and run them:

```
sudo ufw allow <PORT>/tcp comment 'Consensus client port - Mullvad'
sudo ufw allow <PORT>/udp comment 'Consensus client port - Mullvad'
```

Finally, for good measure, run `sudo ufw reload` to make sure the changes take effect.
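It is easy to delete three of the four old rules or forget one of the new udp rules, and ufw will not complain. As an added example, not part of the original guide, here is a shell function that reads the text of `sudo ufw status` (not `status numbered`, whose lines start with an index) and confirms the end state the steps above describe: both forwarded ports allowed for tcp and udp, and neither 30303 nor 9001 still allowed. The function name is mine, the forwarded ports 54321/54322 are made up, and the sample status output is constructed, with one mistake left in deliberately.

```shell
#!/bin/sh
# Added example, not part of the original guide: check that the ufw rule set
# matches the forwarded ports. Each IPv4 rule line in `sudo ufw status` starts
# with the port, optionally "/tcp" or "/udp", then ALLOW or DENY, then the
# source; IPv6 rules carry a "(v6)" suffix after the port.

# ufw_ports_ok STATUS_TEXT EC_PORT CC_PORT -> 0 if everything matches, else 1
ufw_ports_ok() {
    status_text=$1
    ec_port=$2
    cc_port=$3
    rc=0
    for port in "$ec_port" "$cc_port"; do
        for proto in tcp udp; do
            # e.g. "54321/tcp   ALLOW   Anywhere   # Execution client port - Mullvad"
            if printf '%s\n' "$status_text" | grep -Eq "^$port/$proto[[:space:]]+ALLOW"; then
                echo "ok: $port/$proto is allowed"
            else
                echo "MISSING: $port/$proto is not allowed"
                rc=1
            fi
        done
    done
    # A leftover rule for the standard ports, with or without a protocol
    # suffix, means the delete step above did not fully apply.
    for old in 30303 9001; do
        if printf '%s\n' "$status_text" | grep -Eq "^$old(/(tcp|udp))?[[:space:]]+ALLOW"; then
            echo "STALE: standard Rocket Pool port $old is still allowed"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of `sudo ufw status` after the steps above, with one
# mistake left in on purpose: 9001/tcp was never deleted.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
54321/tcp                  ALLOW       Anywhere                   # Execution client port - Mullvad
54321/udp                  ALLOW       Anywhere                   # Execution client port - Mullvad
54322/tcp                  ALLOW       Anywhere                   # Consensus client port - Mullvad
54322/udp                  ALLOW       Anywhere                   # Consensus client port - Mullvad
9001/tcp                   ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'

if ufw_ports_ok "$SAMPLE_STATUS" 54321 54322; then
    echo "firewall matches the VPN ports"
else
    echo "firewall needs attention"
fi

# On the node:  ufw_ports_ok "$(sudo ufw status)" <EC_PORT> <CC_PORT>
```

Run it once after `sudo ufw reload`, and again after any later `rocketpool service config` change, since a port change there must be mirrored in both ufw and the Mullvad forwarding page.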
On the node, determine your new public IP address:

```
curl icanhazip.com
```

In a browser, navigate to YouGetSignal and fill in `Remote Address` with your new IP. Test both of the ports you have written down and make sure they both show as open.
If you're using Tailscale, you need to edit `/etc/wireguard/wg0.conf` to include a couple of extra lines in the `[Interface]` section:

```
PostUp = tailscale up && ip route replace 100.64.0.0/10 dev tailscale0 || true
PreDown = ip route del 100.64.0.0/10 dev tailscale0 && tailscale down || true
```

Once you've added these lines, run `sudo wg-quick down wg0` and then `sudo wg-quick up wg0` so they take effect.
Additionally, the systemd startup order sometimes brings up WireGuard before Tailscale, which breaks things. To fix this, edit `/lib/systemd/system/wg-quick@.service`.

At the very top you'll see a section that looks like this:

```
[Unit]
Description=WireGuard via wg-quick(8) for %I
After=network-online.target nss-lookup.target
Wants=network-online.target nss-lookup.target
```

To make WireGuard start after Tailscale, add `tailscaled.service` to the end of both `After` and `Wants` so it looks more like this:

```
[Unit]
Description=WireGuard via wg-quick(8) for %I
After=network-online.target nss-lookup.target tailscaled.service
Wants=network-online.target nss-lookup.target tailscaled.service
```

Then try rebooting and SSHing in again.
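The edit above touches the packaged unit under `/lib/systemd/system`, which the next `wireguard-tools` package upgrade can overwrite, silently undoing the fix. As an added example, not part of the original guide, here is the same ordering expressed as a systemd drop-in for the `wg0` instance: systemd reads `<unit>.d/*.conf` on top of the unit, and `After=`/`Wants=` settings are additive, so listing only the `tailscaled` dependency appends it to the existing targets. The function name, the drop-in file name `10-after-tailscale.conf` and the scratch-directory demonstration are mine.

```shell
#!/bin/sh
# Added example, not part of the original guide: make wg-quick@wg0 start after
# tailscaled via a drop-in override rather than by editing the packaged unit.

# write_wg_override DROPIN_DIR -> writes the drop-in and prints its path.
# DROPIN_DIR is a parameter so the function can be exercised in a scratch
# directory; on the node it is /etc/systemd/system/wg-quick@wg0.service.d
# (use wg-quick@.service.d instead to cover every wg-quick instance).
write_wg_override() {
    dropin_dir=$1
    mkdir -p "$dropin_dir"
    # Only the dependency being added is listed; systemd merges it with the
    # After= and Wants= lines already present in the packaged unit.
    cat > "$dropin_dir/10-after-tailscale.conf" <<'EOF'
[Unit]
After=tailscaled.service
Wants=tailscaled.service
EOF
    printf '%s\n' "$dropin_dir/10-after-tailscale.conf"
}

# Demonstration in a temporary directory (no root needed).
demo_dir=$(mktemp -d)
demo_file=$(write_wg_override "$demo_dir/wg-quick@wg0.service.d")
echo "wrote $demo_file:"
cat "$demo_file"
rm -r "$demo_dir"

# On the node, as root:
#   write_wg_override /etc/systemd/system/wg-quick@wg0.service.d
#   systemctl daemon-reload
#   systemctl show -p After wg-quick@wg0.service   # should now include tailscaled.service
```

`systemctl edit wg-quick@wg0` opens an editor on exactly this drop-in location if you would rather create it interactively; either way, `systemctl daemon-reload` is what makes systemd pick the file up, and a reboot confirms the order.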
I got the following error when trying to run `sudo wg-quick up wg0`:

```
/usr/bin/wg-quick: line 32: resolvconf: command not found
```

I had to run `sudo apt install openresolv`.

Alternatively, I found a link that said I could have used `systemctl start wg-quick@<vpn-name>`. "Or if you wish to start the VPN every time you start your machine use:" `systemctl enable wg-quick@<vpn-name>`. I went ahead and ran that as well so that it would auto start.