12

I'd like to setup a full remote node for personal usage (meaning I want it to act as a full node to help decentralize the network, but I don't want it to be open to everyone for use with the GUI / CLI - just for me).

Is there an available bash script or detailed instructions that will let me get a full (remote-connectable) node up and running? This would include opening relevant ports so that I am able to connect remotely.

Edit: Authorization to connect to RPC is not a requirement for an answer, simply instructions on how to make the full node remote connectable will suffice.

Moroccan Engineer
Daniel Ternyak

3 Answers

12

You'll want to restrict the RPC, otherwise other people that get access to your node can shut it down.

./monerod --rpc-bind-ip <external.ip.of.node> --restricted-rpc --confirm-external-bind

Binding to the external IP will allow you to connect from outside of your home. You might want to also use --rpc-bind-port <portnumber> if you want to reduce the chance that others will find your open node, like this guy: https://moneroworld.com/#nodes

Ginger Ale
4

In addition to @gingeropolous's answer, you can increase your privacy by encrypting the transport.

An easy solution is to use ssh tunneling:

ssh -L18081:<monerod-local-ip>:<monerod-rpc-bind-port> <external.ip.of.node>

For example, if your ssh server is on the same machine as monerod:

ssh -L18081:127.0.0.1:18081 external.ip.of.node

And then just use 127.0.0.1 in the CLI/GUI.

One major disadvantage is that it requires an ssh account. As suggested by @hyc in the comment to this answer, probably one of the best solutions is to "use stunnel with a pair of self-generated certificates, and turn on cert authentication in stunnel".

Pretty sure this is not the easiest way to generate these certificates, but here is a script based on this tutorial:

git clone https://bitbucket.org/stefanholek/pki-example-2 && cd pki-example-2

COUNTRY="ZA"
STATE="Ponies"
LOCATION="Everywhere"
ORGANIZATION="Monero"
ORGANIZATION_UNIT="Romerito"
ROOT_COMMON_NAME="Romerito ROOT CA"
TLS_CA_COMMON_NAME="Romerito TLS CA"
TLS_SERVER_COMMON_NAME="Monerod TLS Server"
USER_COMMON_NAME="Barney"
DNS="DNS:green.no,DNS:www.green.no"
BASE_URL="http:\/\/green.no"   # slashes escaped because the value is used inside sed
EMAIL="donate@getmonero.org"
ROOT_CA_END_DATE="20221231235959Z"
TLS_CA_END_DATE="20191231235959Z"

# Replace the tutorial's example values in every file of the checkout. These are
# blanket substitutions ("NO", "sha1" and "2048" are replaced wherever they occur),
# so review the diff before continuing.
find ./ -type f -exec sed -i "s/NO/$COUNTRY/g" {} \;
find ./ -type f -exec sed -i "s/Green AS/$ORGANIZATION/g" {} \;
find ./ -type f -exec sed -i "s/Green Certificate Authority/$ORGANIZATION_UNIT/g" {} \;
find ./ -type f -exec sed -i "s/Green Root CA/$ROOT_COMMON_NAME/g" {} \;
find ./ -type f -exec sed -i "s/Green TLS CA/$TLS_CA_COMMON_NAME/g" {} \;
find ./ -type f -exec sed -i "s/http:\/\/green\.no/$BASE_URL/g" {} \;
find ./ -type f -exec sed -i "s/sha1/sha256/g" {} \;
find ./ -type f -exec sed -i "s/2048/4096/g" {} \;

# Create ROOT CA (self-signed; its key never leaves ca/root-ca/private)
mkdir -p ca/root-ca/private ca/root-ca/db crl certs
chmod 700 ca/root-ca/private
cp /dev/null ca/root-ca/db/root-ca.db && cp /dev/null ca/root-ca/db/root-ca.db.attr
echo 01 > ca/root-ca/db/root-ca.crt.srl && echo 01 > ca/root-ca/db/root-ca.crl.srl
openssl req -new -config etc/root-ca.conf -out ca/root-ca.csr -keyout ca/root-ca/private/root-ca.key -nodes \
  -subj "/C=$COUNTRY/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=$ORGANIZATION_UNIT/CN=$ROOT_COMMON_NAME/emailAddress=$EMAIL"
openssl ca -selfsign -batch -config etc/root-ca.conf -in ca/root-ca.csr \
  -out ca/root-ca.crt -extensions root_ca_ext -enddate $ROOT_CA_END_DATE
openssl ca -gencrl -config etc/root-ca.conf -out crl/root-ca.crl

# Create TLS CA (intermediate, signed by the root CA; it issues the server and client certs)
mkdir -p ca/tls-ca/private ca/tls-ca/db crl certs
chmod 700 ca/tls-ca/private
cp /dev/null ca/tls-ca/db/tls-ca.db && cp /dev/null ca/tls-ca/db/tls-ca.db.attr
echo 01 > ca/tls-ca/db/tls-ca.crt.srl && echo 01 > ca/tls-ca/db/tls-ca.crl.srl
openssl req -new -config etc/tls-ca.conf -out ca/tls-ca.csr -keyout ca/tls-ca/private/tls-ca.key -nodes \
  -subj "/C=$COUNTRY/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=$ORGANIZATION_UNIT/CN=$TLS_CA_COMMON_NAME/emailAddress=$EMAIL"
openssl ca -batch -config etc/root-ca.conf -in ca/tls-ca.csr -out ca/tls-ca.crt -extensions signing_ca_ext -enddate $TLS_CA_END_DATE
openssl ca -gencrl -config etc/tls-ca.conf -out crl/tls-ca.crl
# Chain and CRL bundle used by stunnel to verify peers
cat ca/tls-ca.crt ca/root-ca.crt > ca/tls-ca-chain.pem
cat crl/tls-ca.crl crl/root-ca.crl > crl/tls-ca-chain.crl

# Create TLS server certificate (SAN taken from $DNS via the SAN environment variable)
SAN=$DNS openssl req -new -config etc/server.conf -out certs/green.no.csr -keyout certs/green.no.key -nodes \
  -subj "/C=$COUNTRY/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=$ORGANIZATION_UNIT/CN=$TLS_SERVER_COMMON_NAME/emailAddress=$EMAIL"
openssl ca -batch -config etc/tls-ca.conf -in certs/green.no.csr -out certs/green.no.crt -extensions server_ext
cat certs/green.no.crt ca/tls-ca.crt ca/root-ca.crt > certs/green-chain.pem

# Create TLS client certificate (presented by the stunnel client; the server only accepts certs from this CA)
openssl req -new -config etc/client.conf -out certs/barney.csr -keyout certs/barney.key -nodes \
  -subj "/C=$COUNTRY/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=$ORGANIZATION_UNIT/CN=$USER_COMMON_NAME/emailAddress=$EMAIL"
openssl ca -batch -config etc/tls-ca.conf -in certs/barney.csr -out certs/barney.crt -policy extern_pol -extensions client_ext

Stunnel configuration file for the server:

[monerod_server]
accept = 30000
connect = <monerod-local-ip>:18081
sslVersion = TLSv1.2
verify = 2
cert = /path/to/certs/green-chain.pem
key = /path/to/certs/green.no.key
CAfile = /path/to/ca/tls-ca-chain.pem
CRLfile = /path/to/crl/tls-ca-chain.crl

Stunnel configuration file for the client:

[monerod_client]
client = yes
accept = 18081
connect = <external.ip.of.node>:30000
sslVersion = TLSv1.2
verify = 3
cert = /path/to/certs/barney.crt
key = /path/to/certs/barney.key
CAfile = /path/to/certs/green-chain.pem

This example requires port 30000 to be open on external.ip.of.node, and eventually redirected to the machine hosting stunnel.

Disclaimer: my PKI skills are quite limited and the lines starting with find are not part of the original tutorial.

Moroccan Engineer
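Added example, not part of either answer: a Python client that talks to the stunnel server port directly with mutual TLS, using the certificate paths produced by the script above, and then checks that the daemon behind the tunnel really is in restricted mode (the point of the first answer) by calling get_info and then get_connections, a peer-list method that restricted RPC refuses. It assumes green.no is the name in the server certificate's SAN and resolves to the node.

```python
import http.client
import json
import ssl

# Added example, not from the answers above. Certificate paths are the ones the
# answer's script produces; HOST is assumed to be the name in the server
# certificate's SAN and to resolve to the stunnel server.
CAFILE = "/path/to/ca/tls-ca-chain.pem"
CLIENT_CERT = "/path/to/certs/barney.crt"
CLIENT_KEY = "/path/to/certs/barney.key"
HOST, PORT = "green.no", 30000

def build_client_context(cafile, certfile, keyfile):
    """Mutual TLS: trust only the private CA chain and present the client
    certificate that stunnel's verify = 2 demands."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx  # check_hostname stays on: the server cert must match HOST

def rpc_body(method, params=None):
    """Serialise a monerod JSON-RPC 2.0 request for the /json_rpc endpoint."""
    return json.dumps({"jsonrpc": "2.0", "id": "0",
                       "method": method, "params": params or {}})

def parse_rpc(body):
    """Return ('error', message) for a JSON-RPC error, else ('ok', result)."""
    doc = json.loads(body)
    if "error" in doc:
        return "error", doc["error"].get("message", "")
    return "ok", doc.get("result", {})

def restricted_verdict(get_info_reply, get_connections_reply):
    """True when the node answers get_info but refuses get_connections,
    a peer-list call that restricted RPC mode disables."""
    return (parse_rpc(get_info_reply)[0] == "ok"
            and parse_rpc(get_connections_reply)[0] == "error")

def probe_node(host, port, ctx):
    """Query the daemon through the TLS tunnel; True means restricted RPC."""
    replies = []
    for method in ("get_info", "get_connections"):
        conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
        conn.request("POST", "/json_rpc", body=rpc_body(method),
                     headers={"Content-Type": "application/json"})
        replies.append(conn.getresponse().read().decode())
        conn.close()
    return restricted_verdict(*replies)

if __name__ == "__main__":
    tls = build_client_context(CAFILE, CLIENT_CERT, CLIENT_KEY)
    print("restricted RPC:", probe_node(HOST, PORT, tls))
```

If the TLS handshake fails, the client certificate, the CA chain or the SAN/hostname pairing is wrong; if the handshake succeeds but the verdict is False, monerod was started without --restricted-rpc.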
3

I do exactly this.

Run ./monerod --rpc-bind-ip <your local network ip of this device>.

Then on your other machine, launch ./monero-wallet-cli (or the GUI) with ./monero-wallet-cli --daemon-host <the IP of your machine running monerod>.

Binding the IP to your LOCAL network IP address will allow only devices on your local network to connect to the daemon for using RPC commands, but it will still relay transactions for the network.

For example, your local IP might be something like 192.168.1.xxx or 10.2.xxx.xxx. It might be necessary to configure your router to keep this IP statically assigned to that computer, but aside from that nothing else is required.

Edit: This is if you want to connect remotely within your own local network. If you want to be able to connect from anywhere, use @gingeropolous's answer.

psychiccat