This repository contains Docker Compose files for running a Bitcoin and/or a Monero node inside a container, including - if desired - VPN configuration (wireguard) to hide the IP address of the nodes.
NOTE: This was originally created for personal use. If something is unclear please let me know.
NOTE: Lightning node support coming soon.
Requirements:

- Docker Compose
- For the VPN configuration, either a commercial WireGuard service or a VPS you control.
This repo contains two Docker Compose files, depending on whether a VPN connection should be established or not.

By default, all the (persistent) data generated by `bitcoind` and `monerod` (and the `wireguard` VPN) is saved to `./mounts`. This includes blockchain data, states and other configuration files.
Copy the appropriate file (`*.nodes-no-vpn.*`) and give it a name:

```
$ cp docker-compose.nodes-no-vpn.yml my-setup.yml
```

Then open the file and adjust the `CLI_ARGS` environment variable according to your needs. Those arguments are passed on directly to `bitcoind` and `monerod`, respectively. They are application specific and not documented here.

This is the only thing you need to adjust (marked `ADJUST`). You're free to change mount options, etc.
Update the firewall rules accordingly:

```
# Bitcoin port
$ sudo ufw allow in 8333
# Monero port
$ sudo ufw allow in 18080
```
To run the Docker Compose file:

- Run a Bitcoin node only:

  ```
  $ docker compose -f my-setup.yml --profile bitcoin up
  ```

- Run a Monero node only:

  ```
  $ docker compose -f my-setup.yml --profile monero up
  ```

- Run both a Bitcoin and a Monero node:

  ```
  $ docker compose -f my-setup.yml --profile bitcoin --profile monero up
  ```

That's it, you're done. You might want to run this in `tmux` so you can detach and log out of the machine, for example. Alternatively, see *Run in background (systemd)*.

## Run in background (systemd)

TODO
For the VPN setup, copy the appropriate file (`*.nodes-with-vpn.*`) and give it a name:

```
$ cp docker-compose.nodes-with-vpn.yml my-setup.yml
```

Then open the file and adjust the `CLI_ARGS` environment variable according to your needs. Those arguments are passed on directly to `bitcoind` and `monerod`, respectively. They are application specific and not documented here.

The networking IP assignments should work out of the box, unless you already use the `10.50.0.0/24` subnet for other networks. Adjust it accordingly (remember to specify those IP addresses in the VPN server configuration as well).

This is the only thing you need to adjust (marked `ADJUST`). You're free to change mount options, etc.
NOTE: You can use a commercial VPN service that supports WireGuard for this setup; such services usually also generate the encryption keys for you. However, you will need to forward ports to your nodes, and often the commercial service chooses the port numbers for you, not giving you much flexibility. As a result, you must configure the ports in the Docker Compose file accordingly.
You need to generate a private/public keypair for both the client and the server; use the `wg` CLI tool. Each side keeps its own private key and only receives the other side's public key. For example:

```
$ sudo apt install wireguard
$ wg genkey
YGBDCJe2FwuIE53VW7UnFKpenOnKAhhFlYm//4ufVHU=
$ echo 'YGBDCJe2FwuIE53VW7UnFKpenOnKAhhFlYm//4ufVHU=' | wg pubkey
OyBsjeFKQASaV14UX5SZWPaH0GC7z9G89fx3pmOX1xg=
```

(Do not use those example keys for your setup, generate your own.)
Use the template file in `./mounts/wireguard/` and rename it to `wg0.conf`. The wireguard container will mount that volume and use that configuration.

```
$ cp ./mounts/wireguard/wg0.conf.template ./mounts/wireguard/wg0.conf
```

Then adjust it accordingly:

```
# Client
[Interface]
PrivateKey = <PRIVATE-KEY>
Address = 10.50.0.50/32

# VPN Server
[Peer]
PublicKey = <PUBLIC-KEY>
AllowedIPs = 0.0.0.0/0
# Public VPN Endpoint
Endpoint = <IP-ADDRESS>:51820
```

Note that you do not need to open any ports on the client, since everything is routed through the VPN and the client initiates the VPN connection.
On the remote VPN server, enable packet forwarding for IPv4 by opening the following file:

```
$ sudo vim /etc/sysctl.conf
```

Then set the following line to `1`:

```
net.ipv4.ip_forward=1
```

Save, close and reload the values:

```
$ sudo sysctl -p
```

Then create the server's config file in `/etc/wireguard/wg0.conf`. Depending on your configuration, you might need to update the internal IP addresses, ports, etc. Also check the network interface: your VPN server's interface to the internet might not be called `eth0`. Adjust it accordingly after checking with:

```
$ ip link
```
The configuration file:

```
[Interface]
# ADJUST: Make sure this matches the `Endpoint` in the client's `wg0.conf`.
ListenPort = 51820
PrivateKey = <PRIVATE-KEY>
#
# Allow forwarding from the VPN network (to the internet)
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
# Enable NAT/masquerading when accessing the internet
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Allow forwarding from the internet (to the VPN network)
PostUp = iptables -A FORWARD -i eth0 -j ACCEPT
#
# Forward ports to clients
# Bitcoin:
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8333 -j DNAT --to-destination 10.50.0.20:8333
# Monero:
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 18080 -j DNAT --to-destination 10.50.0.22:18080
#
## DROP rules, just the reverse of the above
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i eth0 -j ACCEPT
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 8333 -j DNAT --to-destination 10.50.0.20:8333
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 18080 -j DNAT --to-destination 10.50.0.22:18080

# Client (Docker Compose)
[Peer]
PublicKey = <PUBLIC-KEY>
AllowedIPs = 10.50.0.0/24
```
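The client `wg0.conf` above and this server config have to agree on several values that are easy to get out of sync when the `10.50.0.0/24` subnet or the ports are changed on one side only. The following script is an added example, not part of this repository: it reads a client/server pair and reports mismatches between `Endpoint` and `ListenPort`, a client `Address` or DNAT target outside the server's `AllowedIPs`, and a `PostUp` iptables rule without its mirrored `PostDown` (which otherwise leaves duplicate rules behind each time `wg-quick` restarts the interface). The function names, the file names and the sample configs (placeholder keys, a documentation-range endpoint address) are constructed for the demonstration.

```shell
#!/bin/sh
# Consistency check for a WireGuard client/server wg0.conf pair (added example;
# function names, file names and sample configs are constructed, not the repo's).
# Needs only POSIX sh, sed and head.

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP CIDR -> exit 0 when IP lies inside CIDR (e.g. 10.50.0.50 10.50.0.0/24).
in_subnet() {
    ip=$(ip2int "$1"); net=$(ip2int "${2%/*}"); bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# conf_values FILE KEY -> every "KEY = value" in FILE, values only, one per line.
conf_values() { sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1"; }
conf_value()  { conf_values "$1" "$2" | head -n 1; }

# check_wg_pair CLIENT_CONF SERVER_CONF
# Prints one line per inconsistency; exit status is the number found (0 = consistent).
check_wg_pair() {
    client=$1; server=$2; problems=0
    vpn_net=$(conf_value "$server" AllowedIPs)   # subnet the server routes to the client

    # 1. The client's Endpoint port must be the port the server listens on.
    endpoint=$(conf_value "$client" Endpoint); listen=$(conf_value "$server" ListenPort)
    if [ "${endpoint##*:}" != "$listen" ]; then
        echo "Endpoint port ${endpoint##*:} differs from ListenPort $listen"
        problems=$((problems + 1))
    fi

    # 2. The client's tunnel address must be inside the server's AllowedIPs for it.
    addr=$(conf_value "$client" Address)
    if ! in_subnet "${addr%/*}" "$vpn_net"; then
        echo "client Address $addr is outside server AllowedIPs $vpn_net"
        problems=$((problems + 1))
    fi

    # 3. Every DNAT target must be in that subnet too, or forwarded node traffic
    #    is sent to an address the server cannot reach over wg0.
    for target in $(conf_values "$server" PostUp | sed -n 's/.*--to-destination \([0-9.]*\):.*/\1/p'); do
        if ! in_subnet "$target" "$vpn_net"; then
            echo "DNAT target $target is outside server AllowedIPs $vpn_net"
            problems=$((problems + 1))
        fi
    done

    # 4. Each PostUp append (-A) needs the mirrored PostDown delete (-D).
    downs=$(conf_values "$server" PostDown | sed 's/[; ]*$//')
    while read -r rule; do
        [ -n "$rule" ] || continue
        expected=$(printf '%s\n' "$rule" | sed 's/ -A / -D /; s/[; ]*$//')
        case "$downs" in
            *"$expected"*) ;;
            *) echo "PostUp rule has no matching PostDown: $rule"; problems=$((problems + 1)) ;;
        esac
    done <<EOF
$(conf_values "$server" PostUp)
EOF
    return $problems
}

# write_sample_configs DIR: constructed client/server configs mirroring the templates above.
write_sample_configs() {
    cat > "$1/client.conf" <<'EOF'
[Interface]
PrivateKey = <PRIVATE-KEY>
Address = 10.50.0.50/32
[Peer]
PublicKey = <PUBLIC-KEY>
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820
EOF
    cat > "$1/server.conf" <<'EOF'
[Interface]
ListenPort = 51820
PrivateKey = <PRIVATE-KEY>
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = iptables -A FORWARD -i eth0 -j ACCEPT
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8333 -j DNAT --to-destination 10.50.0.20:8333
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 18080 -j DNAT --to-destination 10.50.0.22:18080
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i eth0 -j ACCEPT
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 8333 -j DNAT --to-destination 10.50.0.20:8333
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 18080 -j DNAT --to-destination 10.50.0.22:18080
[Peer]
PublicKey = <PUBLIC-KEY>
AllowedIPs = 10.50.0.0/24
EOF
}

# Demo: the matching pair passes; a client moved to another subnet on one side only is flagged.
dir=$(mktemp -d)
write_sample_configs "$dir"
check_wg_pair "$dir/client.conf" "$dir/server.conf" && echo "client/server pair consistent"
sed 's/10\.50\.0\.50/10.60.0.50/' "$dir/client.conf" > "$dir/client-moved.conf"
check_wg_pair "$dir/client-moved.conf" "$dir/server.conf" || echo "-> $? problem(s) found"
rm -rf "$dir"
```

Run it against the real files (`./mounts/wireguard/wg0.conf` and a copy of the server's `/etc/wireguard/wg0.conf`) before bringing the tunnel up; the check reads plain text only and never needs the private keys to be valid.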
Then update the server's firewall rules accordingly:

```
# VPN port
$ sudo ufw allow in 51820
# Bitcoin port
$ sudo ufw allow in 8333
# Monero port
$ sudo ufw allow in 18080
```

Now start the WireGuard VPN:

```
$ sudo wg-quick up wg0
# Enable on startup:
$ sudo systemctl enable wg-quick@wg0.service
```

To run the Docker Compose file, use the same `docker compose` commands as for the non-VPN setup.