Set up an LND watchtower and connect a client
A watchtower monitors the bitcoin blockchain for any transaction attempting to steal from its client by closing a channel with a previous, invalid state. If a breach is found, the watchtower immediately broadcasts a punisher transaction moving all funds in the channel to the on-chain wallet of its client.
If you control two nodes running lnd v0.7.0 or later, you can set them up to look out for each other. This is best done with nodes in two separate physical locations so that any unexpected loss of contact is covered.
Check for the latest version and release notes. Update or use an to update lnd on a RaspiBlitz or a compatible system.
Run the commands in the node's terminal. # stands for $ sudo
Change the lnd.conf:
# nano /mnt/hdd/lnd/lnd.conf
Insert the lines at the end of the file:
The watchtower listens on port 9911 by default, but it can be set to any other unused port with watchtower.listen=0.0.0.0:PORT in the config file.
The IP address 0.0.0.0 is used to accept connections from everywhere (default setting).
Allow the port through the firewall:
# ufw allow 9911 comment "watchtower"
# ufw enable
Restart lnd:
# systemctl restart lnd
Forward the port 9911 on the router.
Check in the log if the service is working:
# tail -n 10000 /mnt/hdd/lnd/logs/bitcoin/mainnet/lnd.log
Sample log output:
Filter the relevant messages continuously with (press CTRL+C to exit):
# tail -f -n 10000 /mnt/hdd/lnd/logs/bitcoin/mainnet/lnd.log | grep WTWR
Take note of the pubkey from:
$ lncli tower info
The watchtower's pubkey is distinct from the pubkey of the lnd node.
Change the lnd.conf:
# nano /mnt/hdd/lnd/lnd.conf
Insert the lines at the end of the file:
Add a watchtower from the command line (multiple watchtowers can be added one by one):
Use the watchtower-pubkey noted previously from $ lncli tower info.
For a clearnet client, the host needs to be the clearnet IP (or dynamicDNS) of the watchtower even if the watchtower is running behind Tor.
Restart lnd
# systemctl restart lnd
Check in the log if the service is working:
# tail -n 100 /mnt/hdd/lnd/logs/bitcoin/mainnet/lnd.log
Sample log output:
Filter the relevant messages continuously with (press CTRL+C to exit):
# tail -f -n 10000 /mnt/hdd/lnd/logs/bitcoin/mainnet/lnd.log | grep WTCL
To have more information in the log add the line to the lnd.conf file:
or run the command on the go:
lncli debuglevel --level=WTWR=debug,WTCL=debug
Sample result in the log:
Sit back and enjoy that now there is no way to cheat your node even when it is offline!
Both nodes (the watchtower and the client) must be behind Tor to be able to communicate.
Change the lnd.conf:
# nano /mnt/hdd/lnd/lnd.conf
Insert the lines at the end of the file:
Edit the Tor config file of the watchtower:
# nano /etc/tor/torrc
add the lines:
Restart Tor and lnd with systemctl:
# systemctl restart tor
# systemctl restart lnd
Take note of the watchtower's onion address by running:
# cat /mnt/hdd/tor/lndWT9911/hostname
Take note of the watchtower-pubkey by running
$ lncli tower info
Filter the log continuously with (CTRL+C to exit):
# tail -f -n 10000 /mnt/hdd/lnd/logs/bitcoin/mainnet/lnd.log | grep WTWR
Example output on the watchtower side:
Change the lnd.conf:
# nano /mnt/hdd/lnd/lnd.conf
Insert the lines at the end of the file:
Add a watchtower from the command line (multiple watchtowers can be added one by one):
The details of a test node are prefilled. Connections are welcome, but there is no guarantee for this service to stay online.
Use the watchtower-pubkey noted previously from $ lncli tower info.
The host is the watchtower's .onion address noted previously from: # cat /mnt/hdd/tor/lndWT9911/hostname
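A pre-flight check for the pubkey@host:port value used when adding a tower, covering the clearnet and Tor host notes above. This is an added example, not part of the original guide: check_tower_uri is a hypothetical helper, the sample values are constructed, and it assumes the pubkey@host:port form taken by lncli wtclient add.

```shell
#!/bin/sh
# Added example: sanity-check a tower URI (pubkey@host:port) before adding it
# with lncli wtclient add. check_tower_uri is a hypothetical helper name.
#
# check_tower_uri URI MODE [NODE_PUBKEY]
#   MODE: clearnet | tor.  NODE_PUBKEY: optional lnd node identity key of the
#   tower machine; the tower pubkey must differ from it.
# Prints "ok" and returns 0, or prints the reason and returns 1.
check_tower_uri() {
    uri=$1 mode=$2 node_pubkey=${3:-}
    case $uri in
        *@*:*) ;;
        *) echo "expected pubkey@host:port"; return 1 ;;
    esac
    pubkey=${uri%%@*} hostport=${uri#*@}
    host=${hostport%:*} port=${hostport##*:}
    # Compressed secp256k1 key: 33 bytes = 66 hex chars, prefix 02 or 03.
    if ! printf '%s' "$pubkey" | grep -Eq '^0[23][0-9a-fA-F]{64}$'; then
        echo "pubkey is not a 33-byte compressed key"; return 1
    fi
    if [ -n "$node_pubkey" ] && [ "$pubkey" = "$node_pubkey" ]; then
        echo "this is the lnd node pubkey, not the tower pubkey"; return 1
    fi
    case $port in
        ''|*[!0-9]*|??????*) echo "port is not a valid number"; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range"; return 1
    fi
    case $mode:$host in
        tor:?*.onion) ;;
        tor:*) echo "Tor client needs the tower's .onion address"; return 1 ;;
        clearnet:*.onion) echo "clearnet client needs a clearnet IP or DNS name"; return 1 ;;
        clearnet:0.0.0.0|clearnet:127.*|clearnet:localhost)
            echo "listen or loopback address is not reachable remotely"; return 1 ;;
        clearnet:?*) ;;
        *) echo "unknown mode or empty host"; return 1 ;;
    esac
    echo ok
}

# Constructed sample values, not a real tower.
SAMPLE_PK=02$(printf '%064d' 0 | tr 0 a)
check_tower_uri "$SAMPLE_PK@example.onion:9911" tor              # ok
check_tower_uri "$SAMPLE_PK@example.onion:9911" clearnet || true # rejected
```

Passing the node's own identity pubkey as the third argument catches the common mistake of pasting the lnd node pubkey instead of the one shown by lncli tower info.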
Restart lnd with systemctl:
# systemctl restart lnd
Check which watchtowers are listening:
$ lncli wtclient towers
Example output:
Filter the log continuously with (CTRL+C to exit):
# tail -f -n 10000 /mnt/hdd/lnd/logs/bitcoin/mainnet/lnd.log | grep WTCL
Example output on the client side:
Run in the terminal:
Latest lnd release notes:
Will O'Beirne shows in this article (and GitHub repo) how to demonstrate a breach and the actions of a watchtower on a simulated network:
SLP83 Conner Fromknecht - Bitcoin Lightning Watchtowers in depth podcast: transcript:
Check for some altruistic watchtowers and share your own: