Get started with Bitnode Box

Lightning Network Daemon (LND)

This chapter describes how to configure and run the Lightning Network Daemon (LND) on your Bitnode Box, enable connections from other Lightning Network nodes, create your Lightning wallet, start working with LND, and enable remote clients.

Getting started with Lightning Network Daemon (LND)

Configuring LND.

The Lightning Network Daemon (LND) is a full implementation of a Lightning Network node, which is built and maintained by Lightning Labs. LND is already pre-installed on Bitnode Box in the following Windows Local AppData folder:
C:\Users\Bitnode\AppData\Local\Lnd

Lightning Network Daemon (LND) Windows Directory

Within the base directory you can find the LND configuration file (lnd.conf) to customize your Lightning Network node. The LND configuration file is a plain text file and consists of option=value entries, one per line, with optional comments starting with the ';' character.

To edit it, you can use the pre-installed Notepad++ application, a free and open-source text and source code editor.

Lightning Network Daemon (LND) Configuration File

Bitnode Box comes with a custom LND setup as follows:


      ; lnd.conf - Lightning Network Daemon (LND) configuration file.

      [Application Options]

      lnddir=$LOCALAPPDATA\Lnd
      sync-freelist=true
      listen=0.0.0.0:9735
      rpclisten=127.0.0.1:10009
      restlisten=127.0.0.1:8080
      externalip=your_external_ip
      debuglevel=info
      ignore-historical-gossip-filters=true
      stagger-initial-reconnect=true
      accept-amp=true
      gc-canceled-invoices-on-startup=true
      gc-canceled-invoices-on-the-fly=true
      alias=Bitnode
      color=#00cd67

      [Bitcoin]

      bitcoin.active=true
      bitcoin.mainnet=true
      bitcoin.node=bitcoind

      [Bitcoind]

      bitcoind.dir="D:\\Bitcoin"
      bitcoind.rpchost=127.0.0.1
      bitcoind.rpcuser=your_rpc_username
      bitcoind.rpcpass=your_rpc_password
      bitcoind.zmqpubrawblock=tcp://127.0.0.1:28332
      bitcoind.zmqpubrawtx=tcp://127.0.0.1:28333

      [protocol]

      protocol.wumbo-channels=true
      protocol.no-anchors=false

      [bolt]

      db.bolt.auto-compact=true

      [rpcmiddleware]

      rpcmiddleware.enable=true

To learn more, please check Configuring LND and Optimal Configuration of a Routing Node on the project’s official website.

Enabling P2P Connections.

On the one hand, if you want to use your Lightning node just to create a wallet and send or receive payments, no additional settings are required. On the other hand, if you also want to support the Lightning Network by routing payments across channels, and thus get fees for forwarding payments from users, you will need to configure LND to operate it as a public routing node.

Lightning routing nodes must be externally accessible from the Internet so that others can connect and open channels with you. Therefore, your routing node will need to expose a reachable public IP address. To do so, edit your LND configuration file by removing the semicolon at the beginning of the 'externalip' entry and adding your external IP address.


      externalip=your_external_IP

Please note that your external IP address must be static (one that always stays the same), because you will have funds in a channel with another peer that identifies you using that IP address. If you have a dynamic IP address (one that changes from time to time), you can get a static IP address from your ISP (Internet Service Provider). However, a static IP address is usually more expensive than a dynamic one, and some ISPs do not supply static IP addresses at all.

If you are using a VPN for privacy, the external IP address you have to specify here should be the public-facing IP address that your VPN provides, usually for an additional fee.

Instead of explicitly stating your external IP address, you can enable NAT-PMP support in LND, provided your router supports it. NAT-PMP is a network protocol for establishing Network Address Translation (NAT) settings and port forwarding configurations. With this feature, LND automatically retrieves your external IP address, even after it has changed in the case of a dynamic IP, and advertises it to the network together with the ports the daemon is listening on.

To enable NAT-PMP, edit your LND configuration file by removing the semicolon at the beginning of the 'nat' entry.


      nat=true

Once you have configured an external IP address for your Lightning routing node, you’ll need to enable incoming traffic on port 9735, as it is the default LND port to listen on for incoming P2P connections and inbound channels.

Enabling inbound P2P connections requires three steps:

1. Assign Bitnode Box a static (unchanging) internal IP address by configuring the DHCP on your router.

This step has already been done when configuring Bitcoin Core (see chapter 2).

2. Create a port forwarding rule on your router to redirect inbound connections on port 9735 to your Bitnode Box.

Start by logging into your router's settings page on a web browser. Locate an entry labeled Port Forwarding, Port Assignment, Ports, or something similar. Then create a port forwarding rule by giving it a name (e.g. lnd p2p), and set up both the external (WAN) port 9735 and the internal (LAN) port 9735, over TCP protocol, to the static internal IP address of your Bitnode Box. After filling in the details for the port mapping, save the entry. You should not need to restart anything.

Lightning Network Daemon (LND) Router Port Forwarding

3. Configure your firewall to allow inbound connections on port 9735.

Bitnode Box comes with an inbound port rule (LND p2p connections) on Windows Defender Firewall that allows incoming TCP data connections to the LND application (lnd.exe) on port 9735. To learn more, please check how to Create an Inbound Port Rule.

Lightning Network Daemon (LND) Windows Firewall Inbound Rules

You may also need to configure your router's firewall to open port 9735/TCP. To do so, log into your router's settings page on a web browser, and locate Firewall configuration. Then create a Firewall Rule, Filtering Rule, or Access Rule, to allow incoming TCP connections on internal LAN port 9735. Finally save to add the new rule, and your router will likely reboot to apply the settings.

Running LND.

You can run and interact with Lightning Network Daemon (LND) through Windows Terminal, a modern host application for command-line shells, including PowerShell (the default), Command Prompt, and bash (via Windows Subsystem for Linux). A shell is a command-line interface (CLI) for interacting with the computer: you type text-based commands, which the shell interprets and executes, and it outputs the results.

To launch Windows Terminal, click on the Start menu, Windows taskbar or desktop shortcut. This will open a new PowerShell tab where you can type the commands to run. Key features of Windows Terminal include multiple tabs, panes, Unicode and UTF-8 character support, a GPU accelerated text rendering engine, and the ability to create your own themes and customize text, colors, backgrounds, and shortcuts.

Windows Terminal Start Menu

Note that before running LND, you should ensure that your Bitcoin Core node is fully synchronized with the network (see chapter 2). Therefore, launch Bitcoin Core if it is not already running and wait until syncing is up to date. Then start LND by typing the following command in Windows PowerShell and pressing 'Enter' to execute it.

> lnd

Lightning Network Daemon (LND) Windows PowerShell

Windows Defender Firewall will ask you to allow LND to communicate on both private and public networks.

Lightning Network Daemon (LND) Windows Defender Firewall

When you first start LND, it auto-generates a self-signed TLS (Transport Layer Security) certificate in the LND base directory. This consists of a key pair: the certificate carrying the public key (tls.cert file) and the private key (tls.key file). By default, LND generates a TLS certificate that is valid only for localhost (IP 127.0.0.1), so only local clients can establish a TLS session with it.

Next, LND connects to the Bitcoin Core daemon (bitcoind) using RPC credentials. After opening the embedded bbolt database, LND will remain waiting for you to create a new wallet or unlock an existing wallet.

Lightning Network Daemon (LND) Start

Creating your Wallet.

Once you start LND for the first time, it's time to create your Lightning wallet. This wallet in the context of LND is a database file (wallet.db) located in the data chain directory, that contains all addresses and private keys for the on-chain and off-chain (LN) funds. The wallet is independent of the chain backend that is used (bitcoind, btcd or neutrino) and must therefore be created as the first step after starting up a fresh LND node.

To do this, you need to open a second command-line terminal by clicking on Command Prompt. Note that the previous LND instance will keep running in its own terminal window, so that you can see its log output. Then use the lncli client (LND's command-line interface) to initialize a wallet by entering the following command:

> lncli create

The setup process will first prompt you for a password, which can be freely chosen. This password must be at least eight characters long. Note that you won't see any of your password characters as you type them, and you will be required to confirm your password a second time.

Next, you will be asked if you have an existing cipher seed mnemonic that you want to use. Choose 'n' (or 'y' if you want to enter an existing seed). After this, you will be asked if you want to encrypt the cipher seed with a passphrase. Input your passphrase if you wish to encrypt it, or press enter to proceed without a cipher seed passphrase.

Once done, LND will generate a fresh 24-word cipher seed mnemonic for you, which can be used to restore the wallet in case of data loss. Make sure you write it down and keep it in a safe place. Also note down your wallet password and passphrase, if applicable.

Lightning Network Daemon (LND) Create Wallet

Unlocking your Wallet.

Every time LND starts up fresh (e.g. after a system restart or a version upgrade), you need to unlock (decrypt) the wallet database by entering the user-chosen wallet password. This will be indicated in lnd's log with a message like this:

2022-05-06 11:36:11.445 [INF] LTND: Waiting for wallet encryption password. Use 'lncli create' to create a wallet, 'lncli unlock' to unlock an existing wallet, or 'lncli changepassword' to change the password of an existing wallet and unlock it.

Unlocking the wallet requires you to open a second command-line terminal by clicking on Command Prompt. Note that the previous LND instance will keep running in its own terminal window, so that you can see its log output. Then enter the following command:

> lncli unlock

Next, type your wallet password.

During the unlock phase, LND will automatically generate eight default macaroon files for specific purposes. A macaroon is an API access token that LND uses as the main authentication and authorization method. The macaroon files are located in the following LND subdirectory:
Lnd\data\chain\bitcoin\mainnet

First Steps with LND

To begin using LND, you first need to make sure your LND node is running and fully synced to the chain. To get this information, you can use the following command:

> lncli getinfo

This will show you if the node is synced to chain and the block height is the most recent. In case your node is not yet fully synced, you will need to wait. Note that if the command fails entirely, LND may not be running.

Once your LND node is running and fully synced, and your wallet is created, you can begin using LND to generate a new Lightning address, deposit Bitcoin into it, open payment channels, make outgoing payments, get inbound capacity, receive payments, and connect to Lightning Terminal.

To learn more about first steps with LND, please check this document on the project’s official website.

Upgrading LND

It is recommended to upgrade LND to the latest release whenever it becomes available. If you miss a release, you should upgrade directly to the latest version.

Before upgrading, you need to shut down LND with the command 'lncli stop'. This may take a minute for the process to shut down completely.

Then, downloading and installing a release binary is recommended for use on mainnet. For this, visit the official release page on GitHub and select the latest version that does not have the "Pre-release" label set (unless you explicitly want to help test a Release Candidate, RC).

Choose the zip package for the Windows 64-bit version (amd64) and download it. Then extract all the binary files and place them in the 'bin' directory of your existing LND installation, overwriting the previous binaries.

C:\Users\Bitnode\AppData\Local\Lnd\bin

Now you can start LND, unlock the wallet and verify you are using the correct version with the command 'lncli version'.

Enabling Remote Clients.

If you want to use your LND node with an external remote client, application, or service, such as a Lightning wallet, you will need to enable access to LND from outside the Bitnode Box through API connections (gRPC or REST), by configuring LND and opening the API ports as follows.

Configuring LND requires three steps:

1. Specify the interface [IP:port] on which LND will listen for gRPC or REST connections.

By default, the LND node server instance listens for gRPC connections on port 10009, and REST connections on port 8080.

To accept gRPC connections on all external interfaces, add the following to your LND configuration file. Note that this makes the API reachable from any network that can reach the port, so the TLS certificate and macaroons described in the next two steps are its only protection:


      rpclisten=0.0.0.0:10009

Note that you can enter multiple listen addresses by repeating the directive over multiple lines. For example, to listen only on localhost and one other IP address (e.g. 1.2.3.4):


      rpclisten=127.0.0.1:10009
      rpclisten=1.2.3.4:10009

In the same way, to accept REST connections on all external interfaces, you would set it like so:


      restlisten=0.0.0.0:8080

2. Use a self-signed TLS certificate to secure API communication.

Connections to LND are encrypted using the TLS (Transport Layer Security) protocol. When you first start LND, it auto-generates a self-signed TLS certificate in the main LND data directory. This consists of a key pair: the certificate carrying the public key (tls.cert file) and the private key (tls.key file). Clients of the API need the certificate in order to establish a TLS session with the LND server.

By default, LND generates a TLS certificate that is valid only for localhost (IP 127.0.0.1), so a remote client connecting to any other address will reject it. You will therefore need to configure LND to add an extra IP address to the TLS certificate.

To do so, edit the LND configuration file by removing the semicolon at the beginning of the 'tlsextraip' entry and adding the external IP address of your LND node.


      tlsextraip=your_external_IP

You can also use a domain name in addition to, or instead of, an IP address for the TLS certificate. To add an extra domain, edit the LND configuration file by removing the semicolon at the beginning of the 'tlsextradomain' entry and adding the domain name of your LND node.


      tlsextradomain=your_domain_name

After making either of the above settings, you will need to regenerate the TLS certificate in your LND directory. You can do this by deleting the old certificate files and restarting your LND node.

Finally, you will need to copy the tls.cert file to your remote machine within the client/app directory.

3. Use macaroons to authenticate RPC calls to LND.

A macaroon is an API access token that LND uses as the main authentication and authorization method. When interacting with LND using the gRPC interface, macaroons are required by default in order to call RPC methods.

LND will automatically generate eight default macaroon files during the unlock phase, created for specific purposes. The macaroon files are located in the following LND subdirectory:

Lnd\data\chain\bitcoin\mainnet

You will need to copy the admin.macaroon file to your remote machine within the client/app data directory. Note that admin.macaroon grants full control over the node and its funds, so protect it like a private key. To learn more, please check the documents Macaroons and macaroons.md.

Once you have configured LND, you should also allow incoming traffic through API ports in your router and Windows Firewall.

Enabling inbound gRPC or REST connections requires three steps:

1. Assign Bitnode Box a static (unchanging) internal IP address by configuring the DHCP on your router.

This step has already been done when configuring Bitcoin Core (see chapter 2).

2. Create a port forwarding rule on your router to redirect inbound connections to your Bitnode Box.

To enable inbound connections, it is required to set up port forwarding on your router. By default, the LND node server instance listens for gRPC connections on port 10009 and REST connections on port 8080.

Start by logging into your router's settings page on a web browser. Locate an entry labeled Port Forwarding, Port Assignment, Ports, or something similar. Then create a port forwarding rule for gRPC connections by giving it a name (e.g. lnd grpc), and set up both the external (WAN) port 10009 and the internal (LAN) port 10009, over TCP protocol, to the static internal IP address of your Bitnode Box.

In the same way, you can create a port forwarding rule for REST connections by giving it a name (e.g. lnd rest), and set up both the external (WAN) port 8080 and the internal (LAN) port 8080, over TCP protocol, to the static internal IP address of your Bitnode Box.

After filling in the details for the port mapping, save the entry. You should not need to restart anything.

3. Configure your firewall to allow inbound connections.

For security purposes, firewalls block unsolicited and unwanted incoming network traffic through software ports. Bitnode Box uses the Windows Defender Firewall included with the operating system. Moreover, your home router may also have a built-in firewall.

You will need to create an inbound port rule on Windows Defender Firewall in order to allow inbound TCP connections on port 10009 (gRPC) or port 8080 (REST) to the LND application (lnd.exe). After creating the inbound port rule, you may need to restart Windows. To learn more, please check how to Create an Inbound Port Rule.

You may also need to configure your router's firewall to open API ports. To do so, log into your router's settings page on a web browser, and locate Firewall configuration. Then create a Firewall Rule, Filtering Rule, or Access Rule, to allow incoming TCP connections on internal LAN port 10009 (gRPC), or port 8080 (REST). Finally save to add the new rule, and your router will likely reboot to apply the settings.

