{"id":17869486,"url":"https://github.com/trezorhannes/vps-lnbits-wireguard","last_synced_at":"2025-08-10T07:13:19.278Z","repository":{"id":140770329,"uuid":"517438546","full_name":"TrezorHannes/VPS-LNBits-Wireguard","owner":"TrezorHannes","description":"Lightning Node connection via WireGuard Tunnel to make your LNBits instance public but hiding your Home IP","archived":false,"fork":false,"pushed_at":"2025-05-30T20:42:55.000Z","size":632,"stargazers_count":28,"open_issues_count":2,"forks_count":4,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-06-05T04:48:00.847Z","etag":null,"topics":["lightning-network","lnbits","lnd","vps-setup","wireguard"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/TrezorHannes.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2022-07-24T21:16:14.000Z","updated_at":"2025-05-30T20:42:59.000Z","dependencies_parsed_at":"2024-01-20T18:24:57.944Z","dependency_job_id":"7ffa4cf6-463e-4aa1-a201-d047e83752b4","html_url":"https://github.com/TrezorHannes/VPS-LNBits-Wireguard","commit_stats":null,"previous_names":["trezorhannes/vps-lnbits-wireguard","trezorhannes/vps-lnbits-wg"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/TrezorHannes/VPS-LNBits-Wireguard","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TrezorHannes%2FVPS-LNBits-Wireguard","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TrezorHannes%2FVPS-LNBits-Wireguard/tags","releases_url":"htt
ps://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TrezorHannes%2FVPS-LNBits-Wireguard/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TrezorHannes%2FVPS-LNBits-Wireguard/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/TrezorHannes","download_url":"https://codeload.github.com/TrezorHannes/VPS-LNBits-Wireguard/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TrezorHannes%2FVPS-LNBits-Wireguard/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":269689826,"owners_count":24459716,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-10T02:00:08.965Z","response_time":71,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["lightning-network","lnbits","lnd","vps-setup","wireguard"],"created_at":"2024-10-28T10:05:56.971Z","updated_at":"2025-08-10T07:13:19.265Z","avatar_url":"https://github.com/TrezorHannes.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# VPS-LNbits with WireGuard VPN\n_An alternative Documentation to setup LNbits on a VPS, connected to your Lightning Network Node through a secured tunnel_\n\n\u003cimg src=\"https://upload.wikimedia.org/wikipedia/commons/thumb/0/0b/Brenner_Base_Tunnel_Aicha-Mauls.jpg/640px-Brenner_Base_Tunnel_Aicha-Mauls.jpg\" alt=\"Brennerbasistunnel – Wikipedia\"/\u003e\n\nThis 
guide offers a straightforward approach to setting up LNbits on a Virtual Private Server (VPS), securely connected to your Lightning Network Node via a WireGuard VPN tunnel. It's an alternative to [another guide using OpenVPN](https://github.com/TrezorHannes/vps-lnbits).\n\nYou might be looking into this because you:\n- Have a dynamic IP from your Internet Service Provider.\n- Want to hide your home IP for privacy.\n- Aim for faster Lightning Node HTLC routing with Clearnet availability alongside Tor.\n- Wish to offer LN Services (LNBits, BTCPay Server, etc.) to others.\n- Need a domain name or a free dynamic DNS for your LNBits instance.\n- Are curious and want to enhance your technical skills.\n\n## Table of Content\n\n- [Pre-Amble](#pre-amble)\n  - [Objective](#objective)\n  - [Challenge](#challenge)\n  - [Proposed Solution](#proposed-solution)\n- [Pre-Reads](#pre-reads)\n- [Pre-Requisites](#pre-requisites)\n- [Preparations](#preparations)\n  - [Make notes](#make-notes)\n  - [Visualize](#visualize)\n  - [Secure](#secure)\n- [Let's get started (LFG!)](#lets-get-started-lfg)\n  - [Lightning Node](#lightning-node)\n  - [VPS: Setup](#vps-setup)\n  - [VPS: Connect to your VPS and tighten it up](#vps-connect-to-your-vps-and-tighten-it-up)\n  - [VPS: Install Wireguard](#vps-install-wireguard)\n    - [VPS: Firewall](#vps-firewall)\n    - [VPS: LND and LNBits Port-Forwarding](#vps-lnd-and-lnbits-port-forwarding)\n    - [VPS: Start your WireGuard Server](#vps-start-your-wireguard-server)\n  - [VPS: Install LNBits](#vps-install-lnbits)\n- [Into the Tunnel](#into-the-tunnel)\n  - [LND Node: Install and test the VPN Tunnel](#lnd-node-install-and-test-the-vpn-tunnel)\n  - [LND Node: LND adjustments to listen and channel via VPS VPN Tunnel](#lnd-node-lnd-adjustments-to-listen-and-channel-via-vps-vpn-tunnel)\n- [Connect VPS LNBits to your LND Node](#connect-vps-lnbits-to-your-lnd-node)\n  - [LND Node: provide your VPS LNBits instance read / write access to your LND 
Wallet](#lnd-node-provide-your-vps-lnbits-instance-read--write-access-to-your-lnd-wallet)\n  - [VPS: Customize and configure LNBits to connect to your LNDRestWallet](#vps-customize-and-configure-lnbits-to-connect-to-your-lndrestwallet)\n  - [VPS: Start LNBits and test the LND Node wallet connection](#vps-start-lnbits-and-test-the-lnd-node-wallet-connection)\n  - [Your domain, Webserver and SSL setup](#your-domain-webserver-and-ssl-setup)\n    - [Domain](#domain)\n    - [VPS Webserver Option 1: Caddy 🆕 ](#-vps-caddy-web-server)\n    - [VPS Webserver Option 2: NGINX](#vps-nginx-web-server)\n- [Appendix \u0026 FAQ](#appendix--faq)\n\n\n## Pre-Amble\n\n### Objective\nTo have your [LNbits](https://github.com/lnbits/lnbits) instance on a cost-effective, anonymous [Virtual Private Server (VPS)](https://www.webcentral.com.au/blog/what-does-vps-stand-for), connected to your self-hosted [Lightning-Network](https://github.com/lightningnetwork/lnd) Node operating in Hybrid-Mode (Tor and Clearnet).\n\n### Challenge\nAchieving fast, reliable, non-custodial Bitcoin payments while maintaining privacy can be complex. While LNbits offers easy setup on platforms like Raspiblitz or Umbrel, a custom setup involves navigating several technical steps.\n\n### Proposed Solution\nThis guide details _one specific method_ to achieve this. Take your time; it might take 1-2 hours depending on your technical proficiency.\n\n## Pre-Reads\nThis guide builds upon the work of others. 
Familiarize yourself with these resources for a deeper understanding:\n- [Hybrid-Mode for LND](https://github.com/blckbx/lnd-hybrid-mode)\n- [Expose server behind NAT with WireGuard and a VPS](https://golb.hplar.ch/2019/01/expose-server-vpn.html)\n- [How To Set Up WireGuard on Ubuntu 22.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-22-04)\n- [Official LNbits Installation Guide](https://docs.lnbits.org/guide/installation.html)\n\n## Pre-Requisites\n- A running Lightning Node (e.g., `lnd-0.14.2-beta` or newer) on Umbrel (pre-0.5), Raspiblitz, MyNode, or a RaspiBolt.\n- Basic command-line skills.\n- A domain name or a subdomain from a service like [DuckDNS](https://www.duckdns.org/).\n- SSH access to your node and the VPS. For Windows, tools like [PuTTY](https://www.putty.org/) and [PuTTYgen](https://www.ssh.com/academy/ssh/putty/windows/puttygen) are useful.\n- A VPS account from a provider like DigitalOcean or any other that offers a public IP.\n\n[![DigitalOcean Referral Badge](https://web-platforms.sfo2.cdn.digitaloceanspaces.com/WWW/Badge%201.svg)](https://www.digitalocean.com/?refcode=5742b053ef6d\u0026utm_campaign=Referral_Invite\u0026utm_medium=Referral_Program\u0026utm_source=badge)\n_Disclaimer: This is a referral link. You get $100 in credit over 60 days. The setup here uses a basic $5-6/month VPS._\n\n## Preparations\n\n### Make notes\nDocument your steps and configurations. This will be invaluable for future reference or troubleshooting.\n- [ ] IP Addresses: VPS external, VPS Tunnel, Node Tunnel\n- [ ] Ports for forwarding\n- [ ] To-Do list\n- [ ] Questions / Open items\n\n### Visualize\nA simple diagram can help clarify the connections and data flow.\n![High-lvl-Flowchart](https://github.com/TrezorHannes/vps-lnbits-wg/blob/main/Wireguard%20VPN_LNBits.drawio.png?raw=true)\n\n### Secure\nThis guide does not cover comprehensive security hardening. 
Always prioritize security: start with small amounts of funds, stay updated on security practices, consider a peer review, and use 2FA/hardware keys where possible.\n\n## Let's get started (LFG!)\n\n### Lightning Node\nAssume your Lightning Node is operational, connected via Tor, funded, and you have SSH access with administrative rights.\n\n### VPS: Setup\nIf you need a VPS, consider [DigitalOcean](https://m.do.co/c/5742b053ef6d) or alternatives that offer a static IP and suit your budget (some even accept Lightning payments).\n\nFor DigitalOcean Droplet creation:\n   - Create a new Droplet.\n   - OS: Ubuntu 20.04 (LTS) x64 or newer.\n   - Plan: Basic Shared CPU (e.g., \"Regular Intel with SSD\" for ~$5-6/month).\n   - Datacenter Region: Your choice.\n   - Authentication: SSH keys (recommended). Follow DigitalOcean's guide to add your public key.\n   - Hostname: A memorable name, e.g., `myLNBits-VPS`.\n   - Optional: Backups, Monitoring, IPv6 (not used in this guide).\n\nOnce created, note down your VPS's public IPv4 address (e.g., `VPS Public IP: 207.154.241.101`).\n\n### VPS: Connect to your VPS and tighten it up\nSSH into your VPS: `ssh root@YOUR_VPS_PUBLIC_IP`.\nPerform initial server setup and hardening:\n   - Update packages: `sudo apt update \u0026\u0026 sudo apt upgrade -y`\n   - [Create a new sudo user](https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-22-04) (e.g., `admin`) and disable root login. 
Log in as this new user for subsequent steps.\n   - Install and configure UFW (Uncomplicated Firewall). `allow OpenSSH` admits port 22 from anywhere for now; it is narrowed to your home IP later in the guide, once the tunnel is up and you have a second way in:\n```bash\nsudo apt install ufw -y\nsudo ufw default deny incoming\nsudo ufw default allow outgoing\nsudo ufw allow OpenSSH\nsudo ufw allow 80/tcp comment 'Standard Webserver HTTP'\nsudo ufw allow 443/tcp comment 'SSL Webserver HTTPS'\nsudo ufw allow 9735/tcp comment 'LND Main Node 1 Peer Port'\n# Add other necessary ports, e.g., for WireGuard (later)\nsudo ufw enable\n```\n   - Install Fail2ban for SSH protection: `sudo apt install fail2ban -y`\n   - Follow additional hardening steps from the DigitalOcean initial server setup guide, especially regarding SSH key authentication and securing shared memory if applicable.\n\n### VPS: Install Wireguard\nFollow the [DigitalOcean WireGuard setup guide](https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-22-04) for detailed context. We'll skip IPv6 for simplicity.\n   - Install WireGuard: `sudo apt install wireguard -y`\n   - Generate keys:\n```bash\nwg genkey | sudo tee /etc/wireguard/private.key\nsudo chmod go= /etc/wireguard/private.key\nsudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key\n```\n     Note down the public key (`cat /etc/wireguard/public.key`). The private key belongs only in `/etc/wireguard/private.key` and in the `wg0.conf` below; do not copy it into your notes (`tee` also echoes it to the terminal, so clear your scrollback if you share screenshots).\n   - Choose a private IP range for the VPN (e.g., `10.8.0.0/24`). Assign `10.8.0.1` to the VPS.\n   - Create WireGuard configuration file `sudo nano /etc/wireguard/wg0.conf` and keep it root-only (`sudo chmod 600 /etc/wireguard/wg0.conf`), since it contains the private key:\n```ini\n[Interface]\nPrivateKey = YOUR_VPS_WIREGUARD_PRIVATE_KEY\nAddress = 10.8.0.1/24\nListenPort = 51820\nSaveConfig = true\n```\n     Replace `YOUR_VPS_WIREGUARD_PRIVATE_KEY` with the content of `/etc/wireguard/private.key`. `SaveConfig = true` makes `wg-quick` rewrite this file with the running configuration whenever the interface is brought down; that is how the peer you add later with `wg set` gets persisted, but it also means hand edits made while `wg0` is up are overwritten.\n   - Enable IP forwarding: `sudo nano /etc/sysctl.conf`, uncomment `net.ipv4.ip_forward=1`. 
Save and apply: `sudo sysctl -p`.\n\n#### VPS: Firewall\nConfigure packet forwarding for WireGuard.\n   - Identify your VPS's main network interface (e.g., `eth0`): `ip route list default`\n   - Add forwarding rules to `sudo nano /etc/wireguard/wg0.conf` (append these lines):\n```ini\nPostUp = ufw route allow in on wg0 out on YOUR_MAIN_INTERFACE\nPostUp = iptables -t nat -I POSTROUTING -o YOUR_MAIN_INTERFACE -j MASQUERADE\nPreDown = ufw route delete allow in on wg0 out on YOUR_MAIN_INTERFACE\nPreDown = iptables -t nat -D POSTROUTING -o YOUR_MAIN_INTERFACE -j MASQUERADE\n```\n     Replace `YOUR_MAIN_INTERFACE` with your actual interface name (e.g., `eth0`). Save the file.\n   - Allow WireGuard UDP port through UFW: `sudo ufw allow 51820/udp`\n\n#### VPS: LND and LNBits Port-Forwarding\nForward LND peer traffic and LNBits traffic from the VPS to your node via the tunnel. LNBits will run on port 5000 on the VPS itself, so we primarily focus on LND peer port forwarding here. The LNBits connection to LND will happen over the tunnel directly.\n   - Assumption: Your LND node listens on port `9735`. 
Verify in your `lnd.conf`.\n   - Add iptables rules for LND port forwarding (replace `YOUR_MAIN_INTERFACE`; `10.8.0.2` is your LND node's future VPN IP). With UFW enabled the `FORWARD` chain already defaults to DROP (UFW's `DEFAULT_FORWARD_POLICY`), so the `-P FORWARD DROP` line only restates that default, and UFW reapplies it on every reload:\n```bash\n# LND Peer Port Forwarding (e.g., 9735)\nsudo iptables -P FORWARD DROP # Default drop (matches UFW's default); be careful\nsudo iptables -A FORWARD -i YOUR_MAIN_INTERFACE -o wg0 -p tcp --syn --dport 9735 -m conntrack --ctstate NEW -j ACCEPT\nsudo iptables -A FORWARD -i YOUR_MAIN_INTERFACE -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\nsudo iptables -A FORWARD -i wg0 -o YOUR_MAIN_INTERFACE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n# Deliver public port 9735 to the node through the tunnel\nsudo iptables -t nat -A PREROUTING -i YOUR_MAIN_INTERFACE -p tcp --dport 9735 -j DNAT --to-destination 10.8.0.2:9735\n# Rewrite the source so the node always replies back through the tunnel\nsudo iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport 9735 -d 10.8.0.2 -j SNAT --to-source 10.8.0.1\n```\n   - Side effect of the SNAT rule: LND on the node sees every forwarded clearnet peer as connecting from `10.8.0.1`, so inbound peer addresses in `lncli listpeers` will all show the VPS tunnel address. In exchange, the rule guarantees that return traffic takes the tunnel even if the node did not route all of its traffic through it.\n   - **Critical Reminder**: If you adjust ports or forward additional ones, ensure your Node's firewall also permits these incoming connections through its `wg0` interface.\n   - **Best Practice for SSH**: Limit SSH access to your home IP: `sudo ufw allow from YOUR_HOME_IP/32 to any port 22 proto tcp comment 'SSH from Home'`. Use `/32` (exactly one address); a `/24` mask would admit the 256 neighbouring addresses of your ISP's block as well. The earlier `sudo ufw allow OpenSSH` rule still admits port 22 from anywhere, so remove it with `sudo ufw delete allow OpenSSH` once the narrower rule works. Test login from another terminal before disconnecting, and keep your provider's console as a fallback if your home IP is dynamic.\n   - Reload UFW: `sudo ufw reload` (or `sudo ufw disable \u0026\u0026 sudo ufw enable`). 
Check status: `sudo ufw status verbose`.\n\n   To make iptables rules persistent across reboots (more robust than `netfilter-persistent` for complex rules alongside UFW):\n   Create a script to save rules: `sudo nano /etc/wireguard/iptables-save.sh`\n```bash\n#!/bin/bash\n# Save current iptables rules (run this script with sudo; no sudo needed inside it)\niptables-save \u003e /etc/wireguard/iptables.rules\n# If using IPv6:\n# ip6tables-save \u003e /etc/wireguard/ip6tables.rules\n```\n   Make it executable: `sudo chmod +x /etc/wireguard/iptables-save.sh`\n   Save current rules (after verifying they work!): `sudo /etc/wireguard/iptables-save.sh`. Two caveats: the dump is a full snapshot that also contains UFW's own chains, so re-run the script after every later `ufw` change, and take the snapshot while `wg0` is down (as it is at this point in the guide; bring it down first if you re-save later), otherwise the `MASQUERADE` rule that `PostUp` inserts is captured too and ends up twice after each boot.\n\n   Create a systemd service to restore rules at boot: `sudo nano /etc/systemd/system/iptables-restore.service`\n```ini\n[Unit]\nDescription=Restore iptables rules\n# Run after UFW has loaded its own rules (its start flushes the built-in chains) and before WireGuard adds its PostUp rules\nAfter=network.target ufw.service\nBefore=wg-quick@wg0.service\n\n[Service]\nType=oneshot\nExecStart=/sbin/iptables-restore /etc/wireguard/iptables.rules\n# If using IPv6:\n# ExecStart=/sbin/ip6tables-restore /etc/wireguard/ip6tables.rules\nRemainAfterExit=yes\n\n[Install]\nWantedBy=multi-user.target\n```\n   Enable the service: `sudo systemctl enable iptables-restore.service`\n\n#### VPS: Start your WireGuard Server\n   - Enable and start the WireGuard service:\n```bash\nsudo systemctl enable wg-quick@wg0.service\nsudo systemctl start wg-quick@wg0.service\nsudo systemctl status wg-quick@wg0.service\n```\nYour VPS WireGuard server is now running. Note down:\n   - [ ] VPS WireGuard IP (should be `10.8.0.1`)\n   - [ ] VPS WireGuard Listen Port (`51820`)\n   - [ ] VPS WireGuard Public Key (`cat /etc/wireguard/public.key`)\n\n### VPS: Install LNBits\nWe'll install LNBits using Poetry, as recommended in the [official LNbits documentation](https://docs.lnbits.org/guide/installation.html#option-2-poetry-recommended-for-developers).\n   - Ensure you have a Python version LNbits supports. This guide was written against Python 3.9 or higher with 3.12 recommended, but newer LNbits releases have raised the minimum; the authoritative range is the `python` constraint in the `pyproject.toml` of the release you check out. Check with `python3 --version`. 
Install if necessary (refer to deadsnakes PPA for Ubuntu if needed, or use your system's package manager).\n```bash\n# Example for Python 3.9 if not present (adjust version as needed)\n# sudo apt update\n# sudo apt install software-properties-common -y\n# sudo add-apt-repository ppa:deadsnakes/ppa\n# sudo apt install python3.9 python3.9-distutils -y\n```\n   - Install Poetry. Download the installer to a file and read it before running it, rather than piping it straight from the network into `python3`:\n```bash\ncurl -sSL https://install.python-poetry.org -o install-poetry.py\nless install-poetry.py   # inspect what you are about to execute\npython3 install-poetry.py\nexport PATH=\"/home/YOUR_SUDO_USER/.local/bin:$PATH\" \n# Add the export line to your ~/.bashrc or ~/.zshrc and source it (source ~/.bashrc)\n# Replace YOUR_SUDO_USER with your actual username (e.g., admin)\n```\n   - Clone LNbits and install dependencies. Check out a tagged release rather than whatever is on `main` today, so the code that holds your wallet credentials is a known, reproducible version:\n```bash\ngit clone https://github.com/lnbits/lnbits.git # Or lnbits-legend if you prefer the older UI\ncd lnbits # Or lnbits-legend\ngit tag --sort=-v:refname | head   # list the most recent release tags ...\n# git checkout TAG                 # ... and check out the one you chose (TAG is a placeholder)\npoetry env use python3.9 # Or your installed Python 3.x version, e.g., python3.12\npoetry install --only main # Installs only main dependencies\n# poetry run python build.py # This step might be deprecated, check LNbits docs. Usually not needed for basic install.\n\nmkdir data\ncp .env.example .env\n```\n   - Test run LNBits (you'll configure it later): `poetry run lnbits --port 5000`\n   - Stop it with `CTRL+C`. We'll configure and run it as a service later.\n   - For troubleshooting, refer to the [LNbits installation guide](https://docs.lnbits.org/guide/installation.html).\n\n## Into the Tunnel\n\n### LND Node: Install and test the VPN Tunnel\nSwitch to your Lightning Node's terminal.\n   - Install WireGuard and resolvconf:\n```bash\nsudo apt update\nsudo apt install wireguard resolvconf -y\n```\n   - Generate keys for the node:\n```bash\nwg genkey | sudo tee /etc/wireguard/private.key\nsudo chmod go= /etc/wireguard/private.key\nsudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key\n```\n     Note your node's private key (keep secret!) 
and public key (will be needed on the VPS). Only the public key is ever entered on the VPS; the private key never leaves the node.\n   - Create `wg0.conf` on your node: `sudo nano /etc/wireguard/wg0.conf`. This node will be `10.8.0.2`.\n```ini\n[Interface]\nPrivateKey = YOUR_NODE_WIREGUARD_PRIVATE_KEY\nAddress = 10.8.0.2/24\n# DNS = VPS_DNS_SERVER_1 VPS_DNS_SERVER_2 # Optional: Use VPS DNS, e.g. 67.207.67.2 67.207.67.3 if your VPS provider has them, or common ones like 1.1.1.1\n\n[Peer]\nPublicKey = YOUR_VPS_WIREGUARD_PUBLIC_KEY\nAllowedIPs = 0.0.0.0/0 # Route all traffic through VPN\nEndpoint = YOUR_VPS_PUBLIC_IP:51820\nPersistentKeepalive = 25\n```\n     Replace placeholders with your actual keys and IPs.\n     `AllowedIPs = 0.0.0.0/0` is a deliberate privacy choice: it sends all of the node's outbound traffic (LND's own clearnet dials, bitcoind, Tor, package updates) out through the VPS, so your home IP never appears in the clearnet peer graph; the VPS provider sees that traffic instead. Narrowing it to `10.8.0.0/24` would keep only the LNbits-to-LND and forwarded peer traffic in the tunnel (the VPS SNAT rule still makes those replies return through it) and would make the LAN routing rules below unnecessary, but LND's outbound clearnet connections would then leave from your home IP.\n   - **Important for LAN access**: To maintain access to your node from your local network while all other traffic goes through the VPN:\n     - Find your node's LAN IP (e.g., `192.168.1.100`) and its gateway (e.g., `192.168.1.1`).\n     - Find your main network interface (e.g., `eth0`).\n     - Add `PostUp` and `PreDown` rules to your node's `/etc/wireguard/wg0.conf` in the `[Interface]` section (they send replies that originate from the LAN address via the LAN gateway instead of the tunnel):\n```ini\n# Add these lines in [Interface] section of node's wg0.conf\n# Replace with your actual Node LAN IP and Gateway IP\nPostUp = ip rule add from YOUR_NODE_LAN_IP table 200\nPostUp = ip route add default via YOUR_NODE_GATEWAY_IP dev YOUR_NODE_LAN_INTERFACE table 200\nPreDown = ip rule delete from YOUR_NODE_LAN_IP table 200\nPreDown = ip route delete default via YOUR_NODE_GATEWAY_IP dev YOUR_NODE_LAN_INTERFACE table 200\n```\n\n   - On your **VPS terminal**, add your node as a peer (with `SaveConfig = true` in the VPS `wg0.conf`, this peer is written back to the file when the interface goes down, so it survives reboots):\n```bash\nsudo wg set wg0 peer YOUR_NODE_WIREGUARD_PUBLIC_KEY allowed-ips 10.8.0.2\nsudo wg # Verify the peer is added\n```\n   - **Test the tunnel on your LND Node**:\n     - `sudo wg-quick up wg0`\n     - `sudo wg` (check for handshake and traffic on both node and VPS)\n     - Test connectivity: `ping 10.8.0.1` (from node to VPS tunnel IP)\n     - Check external IP: `curl https://api.ipify.org` (should show VPS IP)\n     - Deactivate: `sudo wg-quick down wg0`\n   - 
Enable and start WireGuard service on the node:\n```bash\nsudo systemctl enable wg-quick@wg0.service\nsudo systemctl start wg-quick@wg0.service\nsudo systemctl status wg-quick@wg0.service\n```\n\n### LND Node: LND adjustments to listen and channel via VPS VPN Tunnel\nBack on your LND Node terminal. **Backup your `lnd.conf` before editing!** (e.g., `cp ~/.lnd/lnd.conf ~/.lnd/lnd.conf.bak`). Path may vary based on your node setup (e.g. `/mnt/hdd/lnd/lnd.conf` for Raspiblitz).\n\nEdit `lnd.conf`. Keep comments on their own lines: LND's config parser does not strip a trailing `# ...` from a value, so an inline comment becomes part of the setting and breaks it.\n```ini\n[Application Options]\n# Advertise the VPS public IP and LND peer port to the network\nexternalip=YOUR_VPS_PUBLIC_IP:9735\nnat=false\n# Add the node's WireGuard IP as a SAN so LNbits on the VPS can verify tls.cert\ntlsextraip=10.8.0.2\n# Regenerate tls.cert/tls.key when tlsextraip changes; without this LND keeps the old cert\ntlsautorefresh=true\n# REST listens on localhost only by default; bind the tunnel IP so LNbits can reach it (if LND starts before wg0 is up and cannot bind, use 0.0.0.0:8080 and let the node firewall admit 8080 from wg0 only)\nrestlisten=10.8.0.2:8080\n\n[tor]\ntor.active=true\ntor.v3=true\ntor.streamisolation=false\n# Hybrid mode: clearnet peers are dialed directly, only .onion peers go through Tor\ntor.skip-proxy-for-clearnet-targets=true\n```\n   - Adjust paths and settings based on your specific LND node software (Raspiblitz, Umbrel, myNode, etc.). Some systems might have scripts that overwrite `lnd.conf`; consult their documentation. For example, Raspiblitz might require changes in `/mnt/hdd/raspiblitz.conf` or specific scripts.\n   - Restart LND to apply changes (e.g., `sudo systemctl restart lnd` or Docker restart command for Umbrel).\n   - Check LND logs for errors.\n   - Verify with `lncli getinfo`. You should see URIs for both your Tor address and your `VPS_PUBLIC_IP:9735`.\n\n## Connect VPS LNBits to your LND Node\n\n### LND Node: provide your VPS LNBits instance read / write access to your LND Wallet\nLNBits needs `tls.cert` and a macaroon from your LND node. This guide uses `admin.macaroon`, which lets whoever holds it do anything with the node, including closing channels and sending on-chain funds; if the VPS is compromised, so is the node wallet. The least-privilege alternative is a macaroon baked with `lncli bakemacaroon` that carries only the permissions LNbits needs (see the LNbits funding-source documentation for the list); the steps below follow the guide and use `admin.macaroon`.\n**Warning**: These files are sensitive. Transfer them securely.\n1.  **`tls.cert`**: LND regenerates this file (and `tls.key`) with the new `tlsextraip` SAN only if `tlsautorefresh=true` is set, as above, or if you delete both files before restarting. Check its modification date (`ls -la ~/.lnd/tls.cert`) and confirm `10.8.0.2` appears in its Subject Alternative Names (`openssl x509 -in ~/.lnd/tls.cert -noout -ext subjectAltName`); if it is missing, LNbits will fail to verify the certificate.\n    On your **VPS**:\n```bash\nmkdir -p /home/YOUR_SUDO_USER/.lnd # Or any secure location for LNBits to access\n# Securely copy tls.cert from your LND node to the VPS. 
Example using scp over the tunnel:\n# On VPS: scp YOUR_NODE_USER@10.8.0.2:/home/YOUR_NODE_USER/.lnd/tls.cert /home/YOUR_SUDO_USER/.lnd/tls.cert\n# Ensure YOUR_SUDO_USER (e.g., admin) owns the file on the VPS and has read access.\n# Adjust paths as per your node and VPS user.\nchmod 600 /home/YOUR_SUDO_USER/.lnd/tls.cert\n```\n\n2.  **`admin.macaroon`**:\n    On your **LND Node**:\n```bash\nxxd -ps -u -c 1000 ~/.lnd/data/chain/bitcoin/mainnet/admin.macaroon\n```\n    Copy the long hex string output.\n\n### VPS: Customize and configure LNBits to connect to your LNDRestWallet\nOn your **VPS** terminal, the initial LNBits configuration involves setting up the data folder and enabling the Admin UI. Edit the LNBits `.env` file: `nano ~/lnbits/.env` (or `~/lnbits-legend/.env`)\n\n#### Initial .env adjustments:\n```ini\nLNBITS_DATA_FOLDER=\"/home/YOUR_SUDO_USER/lnbits/data\" # Absolute path for LNbits data\nLNBITS_ADMIN_UI=true # Enables the Admin User Interface\n```\nReplace `YOUR_SUDO_USER` with your actual username (e.g., admin). Save the `.env` file.\n\nWith these settings, LNbits will start, and the Admin UI will be accessible. The crucial step of connecting LNbits to your LND node (by setting it as the funding source) is done **via the Admin UI** by the super user.\n\nTo activate, configure the funding source, and use the Admin UI:\n1.  Ensure `LNBITS_ADMIN_UI=true` and `LNBITS_DATA_FOLDER` are correctly set in your `.env` file.\n2.  Start LNBits (e.g., `poetry run lnbits` or via its systemd service as configured previously).\n3.  The first time LNBits runs with `LNBITS_ADMIN_UI=true`, a super user is automatically created. The Super User ID can typically be found in the `data/.super_user` file within your LNbits data folder (e.g., `cat /home/YOUR_SUDO_USER/lnbits/data/.super_user`).\n4.  Access your super user account by appending `?usr=SUPER_USER_ID` to your LNbits domain (e.g., `https://yourdomain.duckdns.org/wallet?usr=YOUR_SUPER_USER_ID`).\n5.  
Navigate to the \"Manage Server\" or \"Admin\" section. Here, you can:\n    *   Set the `Funding Source` to `LndRestWallet`.\n    *   Provide the necessary LND connection details:\n        *   `LND REST Endpoint`: `https://10.8.0.2:8080` (Your LND Node's WireGuard IP and LND REST port. LND's REST API binds to localhost only by default, so `lnd.conf` on the node needs `restlisten=10.8.0.2:8080` for this address to answer)\n        *   `LND TLS Certificate Path`: `/home/YOUR_SUDO_USER/.lnd/tls.cert` (Absolute path to `tls.cert` on the VPS that LNBits can access)\n        *   `LND Macaroon Path or Hex`: Path to your `admin.macaroon` (ensure LNBits can access it) or the hex-encoded macaroon string. Using the hex string directly is often simpler if the file path access is complex; either way the credential is stored on the VPS, so protect the LNbits data folder and database accordingly.\n    *   Configure other site settings, themes, user permissions, and manage extensions.\n\nFor detailed information on the Admin UI, its features, how to manage super users, admin users, and specifically how to set up funding sources, please refer to the [official LNbits Admin UI documentation](https://docs.lnbits.org/guide/admin_ui.html) and the [Backend Wallets documentation](https://docs.lnbits.org/guide/wallets.html).\n\n### VPS: Start LNBits and test the LND Node wallet connection\nRun LNBits as a systemd service for auto-start and restarts.\nCreate `sudo nano /etc/systemd/system/lnbits.service`. systemd only accepts comments on their own lines; a trailing `# ...` becomes part of the value, which would make `WorkingDirectory` and `User` invalid and the service fail to start, so keep the comments below on separate lines:\n```ini\n[Unit]\nDescription=LNbits\n# Ensure network and VPN are up before LNbits tries to reach LND over the tunnel\nAfter=network.target wg-quick@wg0.service\n\n[Service]\n# Adjust path to your lnbits directory; .env is read from here\nWorkingDirectory=/home/YOUR_SUDO_USER/lnbits\nExecStart=/home/YOUR_SUDO_USER/.local/bin/poetry run lnbits --port 5000\n# Your non-root sudo user\nUser=YOUR_SUDO_USER\nRestart=always\nTimeoutSec=120\nRestartSec=30\n# Add other environment vars here if needed\nEnvironment=\"PYTHONUNBUFFERED=1\"\n\n[Install]\nWantedBy=multi-user.target\n```\nReplace `YOUR_SUDO_USER` and paths.\nEnable and start the service:\n```bash\nsudo systemctl daemon-reload\nsudo systemctl enable lnbits.service\nsudo systemctl start lnbits.service\nsudo systemctl status 
lnbits.service\n```\nCheck logs: `sudo journalctl -u lnbits.service -f`\nIf successful, LNBits should connect to your LND node. You can test the connection from the VPS to the LND REST API independently of LNbits. `/v1/getinfo` is a valid LND REST endpoint, and `--cacert` works with the copied `tls.cert` because LND's certificate is self-signed and therefore its own trust anchor:\n`curl https://10.8.0.2:8080/v1/getinfo --cacert /home/YOUR_SUDO_USER/.lnd/tls.cert --header \"Grpc-Metadata-macaroon: YOUR_HEX_ENCODED_ADMIN_MACAROON\"`\nA JSON reply containing `identity_pubkey` means TLS, the certificate's SAN and the macaroon are all correct. A certificate verification error means `tls.cert` does not list `10.8.0.2`; connection refused means LND's REST API is not bound to the tunnel address (`restlisten` in `lnd.conf`) or the node firewall blocks port 8080 on `wg0`; a permission error means the macaroon hex is wrong. The hex macaroon also lands in your shell history; put the header line in a file and pass `--header @file` (curl 7.55 or newer) if you want to avoid that.\n\nUnless started with `--host 0.0.0.0`, LNbits listens on `http://127.0.0.1:5000` only, and UFW does not admit port 5000 from outside in any case. Keep it that way: the reverse proxy set up below is the only public entry point.\n\n### Your domain, Webserver and SSL setup\nTo make LNBits accessible via a domain with HTTPS.\n\n#### Domain\nUse a service like [DuckDNS](https://www.duckdns.org/) for a free subdomain or any domain registrar.\n   - Create an account (e.g., DuckDNS).\n   - Add a subdomain (e.g., `paymeinsats.duckdns.org`).\n   - Point this subdomain (A record) to your `VPS Public IP`.\n   - Note your DuckDNS token if using Nginx with Certbot's DNS challenge.\n\nChoose Caddy (simpler) or Nginx as your webserver.\n\n#### 🆕 VPS: Caddy web server\nCaddy handles HTTPS automatically.\n\u003cdetails\u003e\u003csummary\u003eClick here to expand Caddy setup\u003c/summary\u003e\n\u003cp\u003e\n\n##### Check DNS\nEnsure your domain points to your VPS IP using [DNS Lookup](https://mxtoolbox.com/DNSLookup.aspx) or [whatsmydns.net](https://www.whatsmydns.net/).\n\n##### Install Caddy\n(Refer to [official Caddy installation docs](https://caddyserver.com/docs/install) for the latest instructions for your OS)\n```bash\nsudo apt install -y debian-keyring debian-archive-keyring apt-transport-https\ncurl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg\ncurl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list\nsudo apt update\nsudo apt install caddy -y\n```\n\n##### Create Caddyfile\n`sudo nano /etc/caddy/Caddyfile`\nReplace 
`yourdomain.duckdns.org` with your actual domain:\n```caddyfile\nyourdomain.duckdns.org {\n  reverse_proxy /* 127.0.0.1:5000 {\n    # Optional: If you experience issues with SSE (Server-Sent Events) like live updates in LNbits,\n    # you might need specific handling for SSE paths, but usually the above is enough.\n    # header_up X-Forwarded-Host {host} # Caddy v2 often handles this automatically\n  }\n}\n```\nFor Server-Sent Events (SSE) used by some LNbits extensions (like live payment updates), a more specific configuration might be needed if issues arise:\n```caddyfile\nyourdomain.duckdns.org {\n    # Handle Server-Sent Events separately for better keepalive/buffering control\n    handle /api/v1/payments/sse* {\n        reverse_proxy 127.0.0.1:5000 {\n            transport http {\n                keepalive off # Or adjust as needed\n                compression off # SSE streams might not benefit from compression\n            }\n        }\n    }\n\n    # Default reverse proxy for all other requests\n    reverse_proxy /* 127.0.0.1:5000\n}\n```\n\n\n##### Start Caddy\n```bash\nsudo systemctl enable caddy\nsudo systemctl start caddy\nsudo systemctl status caddy\n```\nCaddy will automatically obtain and renew SSL certificates.\n\u003c/p\u003e\n\u003c/details\u003e\n\n#### VPS: Nginx web server\n\u003cdetails\u003e\u003csummary\u003eClick here to expand Nginx setup\u003c/summary\u003e\n\u003cp\u003e\n\n##### SSL Certificate with Certbot\nUsing Certbot with Nginx plugin:\n```bash\nsudo apt install certbot python3-certbot-nginx -y\nsudo certbot --nginx -d yourdomain.duckdns.org\n```\nFollow the prompts. 
Certbot will obtain the certificate and configure Nginx for SSL.\n\nAlternatively, for DNS challenge (useful for wildcards or if port 80 is blocked):\n```bash\nsudo apt install certbot -y # Or snap install if preferred\n# For DuckDNS, you might need a plugin like certbot-dns-duckdns.\n# Example for manual DNS challenge:\n# sudo certbot certonly --manual --preferred-challenges dns -d yourdomain.duckdns.org\n# Follow instructions to add TXT records to your DNS.\n```\n\n##### Nginx Configuration\nIf Certbot didn't create/update it, or for manual setup:\n`sudo nano /etc/nginx/sites-available/yourdomain.conf`\n```nginx\nserver {\n    listen 80;\n    server_name yourdomain.duckdns.org;\n    return 301 https://$host$request_uri;\n}\n\nserver {\n    listen 443 ssl http2;\n    server_name yourdomain.duckdns.org;\n\n    ssl_certificate /etc/letsencrypt/live/yourdomain.duckdns.org/fullchain.pem; # Path from Certbot\n    ssl_certificate_key /etc/letsencrypt/live/yourdomain.duckdns.org/privkey.pem; # Path from Certbot\n    include /etc/letsencrypt/options-ssl-nginx.conf; # Recommended SSL options\n    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # Recommended DH params\n\n    access_log /var/log/nginx/yourdomain-access.log;\n    error_log /var/log/nginx/yourdomain-error.log;\n\n    location / {\n        proxy_pass http://127.0.0.1:5000; # LNbits local address\n        proxy_set_header Host $host;\n        proxy_set_header X-Real-IP $remote_addr;\n        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n        proxy_set_header X-Forwarded-Proto $scheme;\n\n        # WebSocket support (if needed by LNbits extensions)\n        proxy_http_version 1.1;\n        proxy_set_header Upgrade $http_upgrade;\n        proxy_set_header Connection \"upgrade\";\n    }\n}\n```\nReplace `yourdomain.duckdns.org` with your actual domain.\nEnable the site and restart Nginx:\n```bash\nsudo ln -s /etc/nginx/sites-available/yourdomain.conf /etc/nginx/sites-enabled/\nsudo nginx -t # Test 
configuration\nsudo systemctl restart nginx\n```\n\u003c/p\u003e\n\u003c/details\u003e\n\nNow the moment of truth: Go to your Website [https://yourdomain.duckdns.org](https://yourdomain.duckdns.org) and either celebrate 🍻 \nor troubleshoot where things could have gone wrong. If the former: Congratulations - you made it!\n\nHope you enjoyed this article. Please do share feedback and suggestions for improvement.\nIf this guide was of any help, I'd appreciate if you share the article with others, give me a follow on X [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/HandsdownI.svg?style=social\u0026label=Follow%20%40HodlmeTight1337)](https://twitter.com/HodlmeTight1337) or [nostr](https://njump.me/npub1ch25m5lkk8kfepr63f0jnpd9te8l9f585pfpr2g2ma4pre9rmlrqlu0yjy), perhaps even donating some sats to hakuna@hodlmetight.org or via [Getalby](https://getalby.com/p/hakuna).\n\nI'm also always grateful for incoming channels to my node: [HODLmeTight](https://amboss.space/node/037f66e84e38fc2787d578599dfe1fcb7b71f9de4fb1e453c5ab85c05f5ce8c2e3)\n\n## Appendix \u0026 FAQ\n\n#### How do I restrict who can create wallets on my LNBits?\nAfter creating your admin user wallet in LNBits, note the user ID from the URL (e.g., `/usermanager/?usr=[32-digit-user-ID]`).\nEdit `~/lnbits/.env` and add the ID(s) to `LNBITS_ALLOWED_USERS`:\n`LNBITS_ALLOWED_USERS=\"USER_ID_1,USER_ID_2\"`\nRestart LNBits service.\n\n#### I'm stuck. Who can help?\nFirst, check logs (`journalctl -u lnbits.service`, Nginx/Caddy logs, LND logs). If the issue persists, create a detailed issue on the [LNbits GitHub](https://github.com/lnbits/lnbits/issues) or relevant community forums. Do not share macaroons or private keys.\n\n#### What can I do with LNBits?\nExplore the [LNBits website](https://lnbits.com/) and its extensions for various use cases like donation pages, payment solutions, etc.\n\n#### Why DigitalOcean? 
Can I use a more private/Lightning-payable VPS?\nThis guide uses DigitalOcean for familiarity. Providers like [Luna Node](https://www.lunanode.com/) accept sats and are often cheaper. Feel free to adapt this guide for other VPS providers.\n\n#### Can I connect multiple LND nodes to the same VPS tunnel?\nYes. Each node will need a unique WireGuard peer IP (e.g., `10.8.0.3`, `10.8.0.4`) and a unique LND peer port (e.g., 9736, 9737). You'll need to:\n- Add peer configurations on the VPS WireGuard server for each new node.\n- Add corresponding iptables DNAT/SNAT rules on the VPS for each node's LND peer port.\n- Configure each LND node's `lnd.conf` with its unique `externalip` (VPS public IP + unique LND port) and `tlsextraip` (its unique WireGuard IP).\n- Adjust LNbits `.env` files if running multiple LNBits instances, or configure a single LNBits to manage multiple LND backends if supported (check LNbits documentation for advanced multi-backend setups).\n\n---\nHope this guide helps! Share feedback or suggestions for improvement. If it helped, consider sharing it or supporting the original author/projects.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrezorhannes%2Fvps-lnbits-wireguard","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftrezorhannes%2Fvps-lnbits-wireguard","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrezorhannes%2Fvps-lnbits-wireguard/lists"}
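As an added example (not from the guide above or from the LNbits project), the following POSIX shell script turns the forwarding rules of the "VPS: LND and LNBits Port-Forwarding" section into a generator for the multi-node case the FAQ describes, and emits the SSH allow rule with a single-host mask. It assumes the guide's layout (tunnel interface `wg0`, VPS tunnel address `10.8.0.1`); the interface name `eth0`, the node tunnel addresses and the home address `203.0.113.7` in the usage comment are constructed values. It only prints `iptables` and `ufw` commands; nothing is applied until you review the output and run it on the VPS.

```shell
#!/bin/sh
# Added example, not code from the guide: print the VPS iptables/UFW rules that
# expose one public TCP port per LND node and hand it to that node through the
# WireGuard tunnel. Nothing is applied; review the output, then feed it to sh.
# Assumed layout (the guide's placeholders): tunnel interface wg0, VPS tunnel
# address 10.8.0.1, public interface passed as the first argument (e.g. eth0).

WG_IF=wg0
VPS_WG_IP=10.8.0.1

# state_rules WAN_IF: the two connection-tracking rules shared by every
# forwarded port; emitted exactly once, not once per node.
state_rules() {
    cat <<EOF
iptables -A FORWARD -i $1 -o $WG_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WG_IF -o $1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# forward_rules WAN_IF NODE_WG_IP PORT: accept new connections to PORT, DNAT
# them to the node's tunnel address, and SNAT the source to the VPS tunnel
# address so the node's replies always come back through wg0.
forward_rules() {
    cat <<EOF
iptables -A FORWARD -i $1 -o $WG_IF -p tcp --syn --dport $3 -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A PREROUTING -i $1 -p tcp --dport $3 -j DNAT --to-destination $2:$3
iptables -t nat -A POSTROUTING -o $WG_IF -p tcp --dport $3 -d $2 -j SNAT --to-source $VPS_WG_IP
EOF
}

# rule_set WAN_IF NODE_WG_IP:PORT [NODE_WG_IP:PORT ...]: full rule set for
# several nodes. A public port can be DNATed to only one destination, so every
# node needs its own port; a repeated port is rejected before anything is printed.
rule_set() {
    wan=$1; shift
    seen=" "
    for spec in "$@"; do
        port=${spec##*:}
        case $seen in
            *" $port "*) printf 'port %s used twice\n' "$port" >&2; return 1 ;;
        esac
        seen="$seen$port "
    done
    state_rules "$wan"
    for spec in "$@"; do
        forward_rules "$wan" "${spec%:*}" "${spec##*:}"
    done
}

# ssh_allow_rule HOME_IP: UFW rule admitting SSH from exactly one address.
# The mask is /32; a /24 would admit 256 neighbouring addresses as well, so a
# value that already carries a mask (or is not a bare IPv4 address) is refused.
ssh_allow_rule() {
    case $1 in
        ""|*[!0-9.]*) printf 'bad address: %s (bare IPv4 only, no mask)\n' "$1" >&2; return 1 ;;
    esac
    printf "ufw allow from %s/32 to any port 22 proto tcp comment 'SSH from Home'\n" "$1"
}

# Usage with constructed values: two nodes behind one VPS, then the SSH rule.
# rule_set eth0 10.8.0.2:9735 10.8.0.3:9736
# ssh_allow_rule 203.0.113.7
```

The generated rules go into the same chains the guide appends to by hand, so after applying them re-run the guide's `iptables-save.sh` to capture the new set; the UFW `route allow` and `MASQUERADE` lines from `wg0.conf`'s `PostUp` are unchanged and not generated here.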