-
Notifications
You must be signed in to change notification settings - Fork 0
Full Lethean exit node install guide
To follow this guide you need basic knowledge how to use Linux by command line interface. We are using a fresh installed debian 9 64-bit Linux installation.
NOTE: This guide was written before the release of Debian 10 Buster. There are not yet any Lethean paxkages for Debian Buster. Make sure to use Debian 9, Stretch. Make sure any references to stable in /etc/apt/sources.list is changed to stretch or oldstable before upgrading or installing any packages
You should setup a normal user named lthn, give him sudo access and make your system secure. Detailed instructions can be read here.
There is a description how to do this here.
We are using debian Stretch so we do it like this:
$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo apt-get install apt-transport-https
$ sudo su
# echo 'deb [trusted=yes] http://monitor.lethean.io/dl/stretch/ ./' >/etc/apt/sources.list.d/lethean.list
# exit
$ sudo apt-get update
$ sudo apt-get install lethean-vpn
For the exit node we also need the lethean-wallet-vpn-rpc and lethean-wallet-cli packages. Install them:
sudo apt-get install lethean-wallet-cli lethean-wallet-vpn-rpc
After installing the software packages we need to run the deploy script when we install the exit node for the first time. This should only be done when installing from scratch. There are other ways to do upgrades and change of configuration.
When installing lethean-vpn package we got a script file /usr/bin/lthn-easy-deploy-node.sh installed. This script have some environment variables we should set and the easiest way to change them is to edit the script itself. But we don't want the change the original script because it might be overwritten at upgrades of packages and it is also nice to have the original version left in case we do something stupid while editing. So let's create our own copy:
$ sudo cp /usr/bin/lthn-easy-deploy-node.sh /usr/bin/custom-lthn-easy-deploy-node.sh
And now we can edit our copy using the nano editor
$ sudo nano /usr/bin/custom-lthn-easy-deploy-node.sh
At minimum you must change ENDPOINT which is IP address or FQDN to your exit node. It is recommended to set your own passwords, especially for your wallet. You may want to change your wallet file name but it is not necessary. Here is an example how it can look like after editing some variables:
# Set defaults. Can be overriden by env variables
[ -z "$LTHNPREFIX" ] && LTHNPREFIX=/
[ -z "$PROVIDERID" ] && PROVIDERID=""
[ -z "$PROVIDERKEY" ] && PROVIDERKEY=""
[ -z "$DAEMON_HOST" ] && DAEMON_HOST="sync.lethean.io"
[ -z "$WALLETFILE" ] && WALLETFILE="/var/lib/lthn/supereasynode"
[ -z "$WALLETPASS" ] && WALLETPASS="sdriuwe589ns9e8"
[ -z "$WALLETRPCUSER" ] && WALLETRPCUSER="lthnrpcuser"
[ -z "$WALLETRPCPASS" ] && WALLETRPCPASS="rpcpass"
[ -z "$WALLETRPCHOST" ] && WALLETRPCHOST="127.0.0.1"
[ -z "$WALLETRPCPORT" ] && WALLETRPCPORT="13660"
[ -z "$WALLETRESTOREHEIGHT" ] && WALLETRESTOREHEIGHT="464227"
[ -z "$CAPASS" ] && CAPASS=syriymnw49
[ -z "$CACN" ] && CACN=SuperEasyNode
[ -z "$ENDPOINT" ] && ENDPOINT="usnode.extremenet.com"
[ -z "$PORT" ] && PORT="8081"
[ -z "$PROVTYPE" ] && PROVTYPE="commercial"
Please don't just copy these settings. Choose your own settings you want to use on your own exit node! Save the script file in nano with Crtrl-O and then exit nano with Crtrl-X
It is good to save the output when the script run because it show important information how to restore the wallet, error messages and other things. I have not found this is logged by default so we are doing this manually by redirecting the standard output and error out to a text file deploy.log like this:
$ sudo custom-lthn-easy-deploy-node.sh &> deploy.log
The command may take a while because it generates certificates that need some time of calculation. It does also sync the wallet with blockchain data. Just be patient until the command is completed. It may need several minutes.
When completed check the first 250 lines (adjust if needed) of the file with:
$ head -n 250 deploy.log
The file ends with a long log of wallet syncing which is not so interesting to see for now, that is why we limit to see first 250 lines. Check if you see any errors.
The file contains all information needed to get access to the coins in the wallet (the 25 Words for recovery). Please write the 25 Words down at a safe place before deleting this file. Or store the file at a safe place. Also make backup of the generatted wallet.key file (here supereasynode.key) and your wallet password. You also would like to keep the your wallet address.
The wallet files are stored in the directory /var/lib/lthn We can take a look:
$ ls /var/lib/lthn/
ha log ovpn run supereasynode supereasynode.address.txt supereasynode.keys
To confirm that the wallet is OK we can try it with the command line wallet lethean-wallet-cli using sync.lethean.io as daemon host. Use the wallet password entered in WALLETPASS variable in the custom-lthn-easy-deploy-node.sh file above. If you did not change the wallet file it should be /var/lib/lthn/wallet instead of /var/lib/lthn/supereasynode.
$ lethean-wallet-cli --daemon-host sync.lethean.io --wallet-file /var/lib/lthn/supereasynode
Lethean 'Congo' (v3.1.0-89c3f11)
Logging to lethean-wallet-cli.log
Wallet password: ***************
Opened wallet: iz4GWcmt8BVbct3GhaEBNAJBknfb2yL1iQkCcfDgnEm2g3q7UrwukXoMteJGhUyFAyME6QNMFJddQ1jUdJBEQR6U2jQi1Z2zn
**********************************************************************
Use "help" command to see the list of available commands.
**********************************************************************
Starting refresh...
Height 210625 / 452801
The refresh might take a while but normally it is quick. It is the wallet syncing with the blockchain and the deploy script have just done that. Let it complete. You really want to be able to use this wallet because it is here you receive the payments to your exit node. If you want you can copy the wallet files (use the scp command or WinSCP if you are on Windows) and use them in your GUI wallet at home to access your funds on the exit node. However it is still good to know how to use the command line wallet. Once the refresh is completed you can learn more by entering help command in the wallet. Stop the wallet by Writing exit and press enter.
The configuration is already taken care of by the deploy script.
NOTE: See Using local Lethean daemon (optional) below if you want to use local daemon instead of remote node. You could also change to another remote daemon in similar way. For now we don't change anything in /etc/default/lethean-wallet-vpn-rpc.
Now is a good time to test if the lethean-wallet-vpn-rpc service can be started without any error. If you use local daemon you should have lethean-daemon running first and wait until blockchain is fully synced. But here we use the remote node so we don't have to wait for the letheand to sync.
$ sudo systemctl start lethean-wallet-vpn-rpc.service
$ systemctl status lethean-wallet-vpn-rpc.service
If it works it should say something like "Active: active (running)" and show no failed status. Now we can enable the service to start at boot:
$ sudo systemctl enable lethean-wallet-vpn-rpc.service
There is a log file /var/log/lthn/wallet-vpn-rpc.log that we can check too:
$ cat /var/log/lthn/wallet-vpn-rpc.log
It should not show any errors at bottom of the file (there may be old errors from previous runs still left in the file).
Tinyproxy should already be set up enabled and running and set up to work properly on most web sites. Some websites might use websockets or other non-standard ports. If your users have problems because of blocked ports this can be fixed like following:
First stop tinyproxy.service in case it is running.
$ sudo systemctl stop tinyproxy.service
Edit the file as usual with nano
$ sudo nano /etc/tinyproxy/tinyproxy.conf
Change the ConnectPort settings as you wish.
Now when we feel safe with tinyproxy settings we can enable and start tinyproxy.service
$ sudo systemctl enable tinyproxy
$ sudo systemctl start tinyproxy
Check status:
$ systemctl status tinyproxy
Tinyproxy can be tested with curl. First we need to install curl:
$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo apt-get install curl
By using the -x option in curl we can specify a proxy address to use to load the wbpage we specify with the -L option. Example:
$ curl -x http://127.0.0.1:8888 -L https://www.youtube.com
This should load html code that should fill your screen with text. If that works the proxy can be used by lethean-vpn
See description of the sdp.json file. You need to edit the file to make it work with your exit node and to give correct info to your VPN users.
sudo nano /etc/lthn/sdp.json
After editing the file should look similar to this
{
"protocolVersion": 1,
"provider": {
"certificates": [
{
"cn": "ignored",
"content": "-----BEGIN CERTIFICATE-----MIIFGDCCAwCgAwIBAgIJAMt6wFAS9JyQMA0GCSqGSIb3DQEBCwUAMBkxFzAVBgNVBAMMDkxUSE5FYXN5RGVwbG95MB4XDTE5MDYwNTE0NDkyN1oXDTM5MDUzMTE0NDkyN1owGTEXMBUGA1UEAwwOTFRITkVhc3lEZXBsb3kwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDSfb9fVnTJOaCuP9fp/s9rPeLguIzgsjkWNIpd5Mqalxy/oDz/ymk74C2O8f3lekrO9HXu/tgmawQPXs02IFtHTOV69iAsytHuLHgFwOpT3QYEKbkHgWlWbjBjLlvtfCHYt7MhnPcJ2hTDUH1PMKFwa+9PiXNFNU+LbZMHPMQ7cAmh5Bu4L6YdzfE0EwNLc7AJuG/5xeV2kokzMkSUyr6SWm3A/wgbo0mxHHAWJDNMJy0OWKqQArlfiGziCrGw0v1IATM5MDUzMTE0NDkyN1owGTEXMBUGA1UEAwwOTFRITkVhc3lEZXBsb3kwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDSfb9fVnTJOaCuP9fp/s9rPeLguIzgsjkWNIpd5Mqalxy/oDz/ymk74C2O8f3lekrO9HXu/tgmawQPXs02IFtHTOV69iAsytHuLHgFwOpT3QYEKbkHgWlWbjBjLlvtfCHYt7MhnPcJ2hTDUH1PMKFwa+9PiXNFNU+LbZMHPMQ7cAmh5Bu4L6YdzfE0EwNLc7AJuG/5xeV2kokzMkSUyr6SWm3A/wgbo0mxHHAWJDNMJy0OWKqQArlfiGziCrSQb8aFzuULSuqXtT2JgZ/6t2leyGJiOn4iL2ZjyyySnqOQ/ktTo60NBa6tZ6yj0ojOQ1iJHocgsUZbHpcxlg+4PZAIf1BnX7TfUQ2l7arcfHP4hGoch74/+Ld00+AtnDeensR5psVmsq2WVe0J+UT5RlhprbilNIMc01vID1IOIU6DVlc55f6t+46OzLgfd9Zx52P3Xk7IO5SOKsHvtrAkauh0c8IuHuZoqTLoKAlVg2DKaQBGBQYWrIqfpZS1c1yqt1kVe/4nAWVhaiTK6FNST4TXop24edPaHoKbBXPkE7SPw7fys1Y3zEyQlf5SymQ8vi/hrVOn+GzUoUBlUdHvksWRK3BQ+dLqAU6q5AT+RVQ91zDRxoi+NkIBFut7JtHd8gNAoaWt7WxqnK3JnNHDBerE5U4jvN9fJChgFoTwRmuAVkHVx/HbI-----END CERTIFICATE-----",
"id": 0
}
],
"id": "2e257307d9e17b5a04aa00ed45019efefb24c9c0fe1f07d9e17b5a04aacf4a76e",
"name": "SuperEasyNode",
"nodeType": "commercial",
"terms": "See https://extremenet.com",
"wallet": "iz4GWcmt8BVbct3GhaEBNAJBknfb2yL1iQkCcfDgnEm2g3q7UrwukXoMteJGhUyFAyME6QNMFJddQ1jUdJBEQR6U2jQi1Z2zn"
},
"services": [
{
"allowRefunds": false,
"certificates": [
{
"id": 0
}
],
"cost": "0.10000000",
"disable": false,
"downloadSpeed": 10000000,
"firstPrePaidMinutes": 30,
"firstVerificationsNeeded": 0,
"id": "1A",
"name": "My very special proxy service",
"proxy": [
{
"endpoint": "usnode.extremenet.com",
"port": "8081/TCP"
}
],
"subsequentPrePaidMinutes": 30,
"subsequentVerificationsNeeded": 1,
"type": "proxy",
"uploadSpeed": 10000000,
"vpn": []
}
]
}
Now it is time to take a look at the file /etc/lthn/dispatcher.ini This file together with sdp.json contains configuration that is used by the lthnvpnd (VPN dispatcher) service.
sudo nano /etc/lthn/dispatcher.ini
Set provider-name same as in sdp.json. In our example SuperEasyNode Set provider-terms same as in sdp.json (not sure if it is used for anything here, probably mostly for your own reference).
The name variable for each service (in the [service-1A] section] should be set the same as in sdp.json. I beleive it is mostly used to see in logs "started service blablabla" and it is good to know which service we are setting up. Don't think it change any funcionality.
If you have a line "endpoint=127.0.0.1" you can remove it, it is not needed here.
We have only configured service 1A in sdp.json so we can remove the [service-1B] section. It is set to enabled=false so it does not do anything but I prefer to keep the file clean. Do as you wish. The enabled=false line is useful if you want to temporary disable a service. Then you can set enabled=false in dispatcher.ini for the service and disabled: "true" in sdp.json for the same service.
After editing the dispatcher.ini file should look similar to this:
[global]
;log-level=DEBUG
ca=/etc/lthn/ca/certs/ca.cert.pem
provider-id=2e2573577e9b6c924b500ed45019efefb24c9c0fe1f07d9e17b5a04aacf4a76e
provider-key=690c1a59ca4b2d4b1da2008278f76070decd1b4e59df6544cf565984e892e824
provider-name=SuperEasyNode
provider-terms=See https://www.extremenet.com
wallet-address=iz4GWcmt8BVbct3GhaEBNAJBknfb2yL1iQkCcfDgnEm2g3q7UrwukXoMteJGhUyFAyME6QNMFJddQ1jUdJBEQR6U2jQi1Z2zn
wallet-username=lthnrpcuser
wallet-password=rpcpass
[service-1A]
name=My very special proxy service
backend_proxy_server=127.0.0.1:8888
crt=/etc/lthn/ca/certs/ha.cert.pem
key=/etc/lthn/ca/private/ha.key.pem
crtkey=/etc/lthn/ca/certs/ha.both.pem
Start the lethean-vpn-server.service with following command:
$ sudo systemctl start lethean-vpn-server.service
Then check the status of the service:
$ systemctl status lethean-vpn-server.service
We can also examine the log in realtime using this command to debug any failure:
$ sudo journalctl -u lethean-vpn-server.service -fe
To stop viewing log press Ctrl-C
This time it started correctly so no debugging was needed. Now we enable the service to make it autostart at boot.
$ sudo systemctl enable lethean-vpn-server.service
Created symlink /etc/systemd/system/multi-user.target.wants/lethean-vpn-server.service → /lib/systemd/system/lethean-vpn-server.service.
To make the exit node visible for customers in Lethean GUI wallet, in lthnvpnc client and on nodes.lethean.io we must upload the service description file sdp.json to Lethean SDP server. This is done by using the lvmgmt program like this:
$ lvmgmt -U
You will get a message similar to this:
WARNING:lvmgmt:Uploading SDP to server {'sdp': 'https://sdp.lethean.io/v1'}
INFO:audit:type=SDP,obj=//etc/lthn/sdp.json,action=UPLOAD,
INFO:audit:type=SDP_WALLET,paymentid=2E2573577E9B6C924B500ED45019EFEFB24C9C0FE1F07D9E17B5A04AACF4A76E,wallet=iz4xKrEdzsF5dP7rWaxEUT4sdaDVFbXTnD3Y9vXK5EniBFujLVp6fiAMMLEpoRno3VUccxJPnHWyRctmsPiX5Xcd3B61aDeas,action=NEED_PAYMENT,
ERROR:lvmgmt:Failed to upload service/provider config to SDP server!
ERROR:lvmgmt:You must send payment to the SDP before your service(s) will be uploaded! See documentation.
ERROR:lvmgmt:Error uploading SDP!
To use the exit node marketplace you must pay a monthly service fee of 10 LTHN. The message above is both a description where and how to pay and an error that payment is needed. You should pay to LTHN address iz4xKrEdzsF5dP7rWaxEUT4sdaDVFbXTnD3Y9vXK5EniBFujLVp6fiAMMLEpoRno3VUccxJPnHWyRctmsPiX5Xcd3B61aDeas with a payment id that is the same as the provider-id of your exit node. The error message above give you the payment-id you should use and also the payment address. Easiest way to pay is to use your GUI wallet and send 10 LTHN to the address above and with the payment-id you get when you run the command (not the same as shown above). Remember that you must repeat this payment every month to keep your exit node alive on the marketplace.
After you paid you have to wait a few minutes to get confirmation in the blockchain. The SDP server wallet will check if there is a payment with the same payment-id as the provider-id in the sdp.json file you are trying to upload.
When payment is completed and properly confirmed in blockchain we try to publish the exit node again:
$ lvmgmt -U
WARNING:lvmgmt:Uploading SDP to server {'sdp': 'https://sdp.lethean.io/v1'}
INFO:audit:type=SDP,obj=//etc/lthn/sdp.json,action=UPLOAD,
INFO:audit:wallet=iz4xKrEdzsF5dP7rWaxEUT4sdaDVFbXTnD3Y9vXK5EniBFujLVp6fiAMMLEpoRno3VUccxJPnHWyRctmsPiX5Xcd3B61aDeas,type=SDP_WALLET,paymentid=2E2573577E9B6C924B500ED45019EFEFB24C9C0FE1F07D9E17B5A04AACF4A76E,action=NEED_PAYMENT,
WARNING:lvmgmt:SDP upload succeeded!
This time it was successful! Now the exit node should be alive and visible on Lethean marketplace. It will show up in GUI wallet almost instantly but nodes.lethean.io is not updated as often so you may need to wait a while until you can see it there. We can use the Lethean VPN client to check if we can see our exit node. We can serach for the provider name using grep utility to find the line.
$ lthnvpnc list | grep SuperEasyNode
local:2e2573577e9b6c924b500ed45019efefb24c9c0fe1f07d9e17b5a04aacf4a76e/1A(pl01.lethernet.com:8081/TCP),proxy,SuperEasyNode,My very special proxy service
NOTE: It show up as local instead of sdp if you do this command on the exit node. a better way to be sure it is published is to run it on another machine. Or just take a look in the GUI wallet and see if it is there.
If it did not show up you can try view all exit nodes and see if you can spot it.
$ lthnvpnc list
Maybe you frogot set the name in sdp.json and it show up as EasyProvider :-)
Now you can test the Proxy bu connecting from GUI wallet. Start browser (Chrome or Firefox) and enable Lethean plugin and try web surfing. Check your location with some ip checking service as https://checkmyip.com/. Test your speed with speedtest.net. Also you should visit https://lethean.io/ and make sure that it say "Protected" on top of the page. Hopefully everything should work!
NOTE: If you get latency error when testing on speedtest.net with chrome - try using Firefox and Lethean browser plugin. It worked for me in Firefox but not in Chrome when testing with speedtest.net. Another difference was that I was using Privacy Badger plugin in Firefox but not in Chrome which blocked ads on speedtest.net when using Firefox.
$ sudo reboot
Wait until it is rebooted and test the exit node again. Log in to exit node and check status of services.
$ systemctl status
Everything should work and there should be no errors.
Start and enable Lethean daemon to autostart after boot.
$ sudo systemctl start lethean-daemon.service
$ sudo systemctl enable lethean-daemon.service
You might have to wait several hours for it to download blockchain and syncing to blockchain. I have not been able to fully test this yet using debian pacages because I have not large enough disk drive on my VPS server. You would need more than the 20 GB I have.
To check the status of the syncing process:
$ letheand status
!! We are fast syncing blockchain now. Please wait until synced.
Pid of sync process: 1259
** Blockchain daemon is not running
* Blockchain data:
total 9.4G
drwxr-xr-x 2 lthn lthn 4.0K Jun 27 17:21 .
drwxrwx--- 8 lthn lthn 4.0K Jun 27 17:21 ..
-rw------- 1 lthn lthn 9.4G Jun 27 17:37 data.mdb.part
-rw-r--r-- 1 lthn lthn 11K Jun 27 17:21 data.mdb.zsync
You can also take a live look at the letheand.log file
$ tail -f /var/log/lthn/letheand.log
When you get a line that say SYNCHRONIZED OK
the daemon is in sync with the blockchain.
To stop watching it press Ctrl-C.
Edit /etc/default/lethean-wallet-vpn-rpc file:
$ sudo nano /etc/default/lethean-wallet-vpn-rpc
Change the DAEMONHOST to localhost, similar to this:
RPCPORT=13660
DAEMONHOST=localhost
WALLETPASS="sdriuwe589ns9e8"
WALLETRPCURI="http://127.0.0.1:13660/json_rpc"
RPCLOGIN="lthnrpcuser:rpcpass"
LETHEANWALLET="/var/lib/lthn/supereasynode"
Restart the lethean-wallet-vpn-rpc.service and lethean-vpn-server.service.
$ sudo systemctl restart lethean-wallet-vpn-rpc.service
$ sudo systemctl restart lethean-vpn-server.service
Firewall setup is described separately here.
We are going to make a custom firewall setup for the SuperEasyNode example (the exit node we set up in this guide). We are going to add one OpenVPN service using port 20001 UDP so we can as well prepare the firewall for this too. We are going to have a simple DNS setup where the clients can use any public DNS server on internet or (if we setup one) a DNS server on the exit node itself. We are going to use a restricted exit policy (see the firewall doc linked above). We are also allowing ssh connections to the server but doing some limiting to block some abusers.
First to make the OpenVPN server work we must enable forwarding in Linux. Edit /etc/sysctl.conf
$ sudo nano /etc/sysctl.conf
A bit down in the document you should see following lines:
# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1
Lines starting with # is comments. So to uncomment we remove the # character like this:
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
Then save with Ctrl-O and exit nano editor with Ctrl-X This change will enable packet forwarding after next reboot. We don't need to enable it at runtime now, we can just reboot when we have completed firewall setup.
Now we are going to download the iptables script example "iptables_supereasynode.sh". You may need to install wget first if not already installed. Download the script example like this:
$ wget https://raw.githubusercontent.com/ronnylov/lethean-vpn/feature/ronnylov/iptables/server/firewall/examples/iptables_supereasynode.sh
We can rename it to iptables.sh
$ mv iptables_supereasynode.sh iptables.sh
We need to figure out what is the name of the external network interface that connects to internet
$ ip address | grep inet
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
inet 147.135.208.118/32 brd 147.135.208.118 scope global ens3
inet6 fe80::f816:3eff:fe7e:436c/64 scope link
$ ip route
default via 147.135.208.1 dev ens3
147.135.208.1 dev ens3 scope link
In this case we only had one network interface other than lo (lo is for localhost, loopback interface). Your server may have many interfaces but look after the one with your external ip address. The ip route command show default route which usually goes to external internet interface too. So the conclusion is that in this case we connect to internet through the network interface named ens3.
We need to set this in iptables.sh. Your network interface may have another name, please check as above. You may need to set other variables as discussed in the firewall readme and in script comments to match your setup.
Edit the file:
$ nano iptables.sh
EXTIF=ens3 # The name of the network interface which is connected to internet
Now we try to apply the rules by running the script as root using sudo after making the script executable:
$ chmod +x iptables.sh
$ sudo ./iptables.sh
Save the iptables rules to a file rules.v4
$ sudo iptables-save > rules.v4
To make rules stay after reboot we use iptables-persistent. We need to install it:
$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo apt-get install iptables-persistent
Say yes to ipv4 rules and no to ipv6 rules (we have only mada a configuration for ipv4 here). We can now move our saved rules (already done by package installation but I will show you in case you modify rules):
$ sudo cp rules.v4 /etc/iptables/rules.v4
You could try a remote connection with ssh or PuTTY now to be sure it works before rebooting. If it works reboot:
$ sudo reboot
NOTE: If you are using OVH VPS (or similar VPS setup) I had to do some additional steps.
If you have issues with performance or randomly getting errors when open web pages this tweak may help. Expecially if your server is on a network without IPv6 support. But also because Lethean VPN does not fully support IPv6 yet. It may or may not work with IPv6 enabled. Try the tweak if you have problems.
Read how to do it here.
This is considered more as a tweak and not necessary to make the exit node work. It will probably help to make your exit node feel faster. Read more about it here.
We have already prepared for this in the Firewall instructions above by enabling ip forwarding and setting up firewall to allow incoming connections on UDP port 20001. In the iptables script we setup that tun0 interface have forwarding of connections to the external network interface masqerading the ip address. Only a limited number of outgong ports are permitted in the firewall setup example we used. The tun0 interface was setup for using ip address range 10.11.0.0/16.
We need to setup lethean-vpn to use these settings.
We edit sdp.json file to add the second service which is VPN instead of proxy.
$ sudo nano /etc/lthn/sdp.json
There are example configurations here. We can copy one of the vpn services like the one with id 1D from this file. But we change the id to 2A (I use 1A, 1B, 1C and so on for proxies and 2A, 2B, 2C and so on for VPN's but you can use whatever ID you want).
Note that we changed some other things too but see previous explanation of fields in sdp.json to figure it out. We have also adjusted the speed for the proxy service with the results we got from speedtest.net tests (in this case 80 Mbit/s). Additionally we lowered the price on the proxy service. So our sdp.json will look like something like this when edited:
{
"protocolVersion": 1,
"provider": {
"certificates": [
{
"cn": "ignored",
"content": "-----BEGIN CERTIFICATE-----MIIFGDCCAwCgAwIBAgIJAMt6wFAS9JyQMA0GCSqGSIb3DQEBCwUAMBkxFzAVBgNVBAMMDkxUSE5FYXN5RGVwbG95MB4XDTE5MDYwNTE0NDkyN1oXDTM5MDUzMTE0NDkyN1owGTEXMBUGA1UEAwwOTFRITkVhc3lEZXBsb3kwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDSfb9fVnTJOaCuP9fp/s9rPeLguIzgsjkWNIpd5MqalxyoDzymk74C2O8f3lekrO9HXutgmawQPXs02IFtHTOV69iAsytHuLHgFwOpT3QYEKbkHgWlWbjBjLlvtfCHYt7MhnPcJ2hTDUH1PMKFwa+9PiXNFNU+LbZMHPMQ7cAmh5Bu4L6YdzfE0EwNLc7AJuG/5xeV2kokzMkSUyr6SWm3A/wgbo0mxHHAWJDNMJy0OWKqQArlfiGziCrGw0v1IATM5MDUzMTE0NDkyN1owGTEXMBUGA1UEAwwOTFRITkVhc3lEZXBsb3kwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDSfb9fVnTJOaCuP9fp/s9rPeLguIzgsjkWNIpd5Mqalxy/oDz/ymk74C2O8f3lekrO9HXu/tgmawQPXs02IFtHTOV69iAsytHuLHgFwOpT3QYEKbkHgWlWbjBjLlvtfCHYt7MhnPcJ2hTDUH1PMKFwa+9PiXNFNU+LbZMHPMQ7cAmh5Bu4L6YdzfE0EwNLc7AJuG/5xeV2kokzMkSUyr6SWm3A/wgbo0mxHHAWJDNMJy0OWKqQArlfiGziCrSQb8aFzuULSuqXtT2JgZ/6t2leyGJiOn4iL2ZjyyySnqOQ/ktTo60NBa6tZ6yj0ojOQ1iJHocgsUZbHpcxlg+4PZAIf1BnX7TfUQ2l7arcfHP4hGoch74/+Ld00+AtnDeensR5psVmsq2WVe0J+UT5RlhprbilNIMc01vID1IOIU6DVlc55f6t+46OzLgfd9Zx52P3Xk7IO5SOKsHvtrAkauh0c8IuHuZoqTLoKAlVg2DKaQBGBQYWrIqfpZS1c1yqt1kVe/4nAWVhaiTK6FNST4TXop24edPaHoKbBXPkE7SPw7fys1Y3zEyQlf5SymQ8vi/hrVOn+GzUoUBlUdHvksWRK3BQ+dLqAU6q5AT+RVQ91zDRxoi+NkIBFut7JtHd8gNAoaWt7WxqnK3JnNHDBerE5U4jvN9fJChgFoTwRmuAVkHVx/HbI-----END CERTIFICATE-----",
"id": 0
}
],
"id": "2e257307d9e17b5a04aa00ed45019efefb24c9c0fe1f07d9e17b5a04aacf4a76e",
"name": "SuperEasyNode",
"nodeType": "commercial",
"terms": "See https://extremenet.com",
"wallet": "iz4GWcmt8BVbct3GhaEBNAJBknfb2yL1iQkCcfDgnEm2g3q7UrwukXoMteJGhUyFAyME6QNMFJddQ1jUdJBEQR6U2jQi1Z2zn"
},
"services": [
{
"allowRefunds": false,
"certificates": [
{
"id": 0
}
],
"cost": "0.05000000",
"disable": false,
"downloadSpeed": 80000000,
"firstPrePaidMinutes": 30,
"firstVerificationsNeeded": 0,
"id": "1A",
"name": "My very special proxy service",
"proxy": [
{
"endpoint": "usnode.extremenet.com",
"port": "8081/TCP"
}
],
"subsequentPrePaidMinutes": 30,
"subsequentVerificationsNeeded": 1,
"type": "proxy",
"uploadSpeed": 80000000,
"vpn": []
},
{
"allowRefunds": false,
"certificates": [
{
"id": 0
}
],
"cost": "0.10000000",
"disable": false,
"downloadSpeed": 30000000,
"firstPrePaidMinutes": 30,
"firstVerificationsNeeded": 0,
"id": "2A",
"name": "My tiny VPN server",
"vpn": [
{
"endpoint": "usnode.extremenet.com",
"port": "20001/UDP"
}
],
"subsequentPrePaidMinutes": 30,
"subsequentVerificationsNeeded": 1,
"type": "vpn",
"uploadSpeed": 30000000,
"proxy": []
}
]
}
We must also add this new service to the configuration file /etc/lthn/dispatcher.ini. There are examples of dispatcher.ini here. So we need to edit the file:
$ sudo nano /etc/lthn/dispatcher.ini
We make it look similar to this by adding the [service-2A] section to your dispatcher.ini file at the bottom.
[global]
;log-level=DEBUG
ca=/etc/lthn/ca/certs/ca.cert.pem
provider-id=2e2573577e9b6c924b500ed45019efefb24c9c0fe1f07d9e17b5a04aacf4a76e
provider-key=690c1a59ca4b2d4b1da2008278f76070decd1b4e59df6544cf565984e892e824
provider-name=SuperEasyNode
provider-terms=See https://www.extremenet.com
wallet-address=iz4GWcmt8BVbct3GhaEBNAJBknfb2yL1iQkCcfDgnEm2g3q7UrwukXoMteJGhUyFAyME6QNMFJddQ1jUdJBEQR6U2jQi1Z2zn
wallet-username=user
wallet-password=pass
[service-1A]
name=My very special proxy service
backend_proxy_server=127.0.0.1:8888
crt=/etc/lthn/ca/certs/ha.cert.pem
key=/etc/lthn/ca/private/ha.key.pem
crtkey=/etc/lthn/ca/certs/ha.both.pem
[service-2A]
name=My tiny VPN server
crt=/etc/lthn/ca/certs/openvpn.cert.pem
key=/etc/lthn/ca/private/openvpn.key.pem
crtkey=/etc/lthn/ca/certs/openvpn.both.pem
enabled=true
mgmtport=10111
iprange=10.11.0.0
ipmask=255.255.0.0
dns=10.11.0.1
tundev=tun0
NOTE: The file paths crt, key and crtkey have been changed compared to the example files on github. This is because the debian packages use /etc/lthn directory instead of the old /opt/lthn/etc directory. There should be a note about this on github docs.
Things to note here is that tundev, iprange and dns must match the settings you have in the iptables.sh script. The settings above means that OpenVPN service with ID "2A" will be using a tunnel network interface with name tun0 and with iprange 10.11.0.0/16. The DNS server IP address 10.11.0.1 will be pushed to VPN clients with DHCP. Now 10.11.0.1 DNS address points to the exit node itself, seen from the VPN client. So in order for this to work you must have set up unbound DNS forwarding as described erlier (optional but recommended). The setup also allows for VPN clients to use any DNS server accessible from the exit node so it can be a public DNS on internet like cloudflare 1.1.1.1, Google 8.8.8.8 or something else. If you haven't set up unbound your best bet is probably to just use the same IP address as the exit node use. You can just take a look in the /etc/resolv.conf file on the exit node. Use that IP address on dns setting in dispatcher.ini, unless resolv.onf points to 127.0.0.1 (then set it to 10.11.0.1 as in example above).
We still have unsolved issues with DNS leak. This pull does not implement my suggested push "block-outside-dns" which is a very good way to solve it for Windows users without any negative effects on Linux or MacOSX. Devs told me that "Leaking of DNS queries will be solved by another way". I have not seen this solution yet but my guess is on client side. There is nothing that stops to make this work for Windows users by applying a small mod like I will describe below.
We also have the issue that we need to improve speed, especially for windows users. It is possible to do some tweaks on server side in OpenVPN configuration. For Linux users txqueuelen 1000
seems to help somewhat. Tweaking buffers is said to help for Windows users. The speed issue can be found here. These tweaks can probably be further improved but so far they seems to not harm compared to default settings.
So we edit the /etc/lthn/openvpn_server.tmpl template configuration file to address the issues above.
$ sudo nano /etc/lthn/openvpn_server.tmpl
Add following lines to the bottom of the file:
txqueuelen 1000
sndbuf 0
rcvbuf 0
push "sndbuf 393216"
push "rcvbuf 393216"
push "block-outside-dns"
Save the file in nano editor with Ctrl-O and exit nano with Ctrl-X.
We need to restart the service to use the changed configuration files.
$ sudo systemctl restart lethean-vpn-server.service
Check that there are no errors:
$ systemctl status lethean-vpn-server.service
Should be no fail. Should be "active (running)" in green colour.
Check logs:
$ sudo journalctl -u lethean-vpn-server.service -fe
Should be no error. Stop viewing with Ctrl-C
When we have modified sdp.json (as we did above) we need to upload it to the sdp server again to make the new VPN service visible in the GUI wallet to allow users to connect. This time we don't need to pay again becuase it was less than one month ago we paid it (if you are quick enough following this guide).
$ lvmgmt -U
You should get this line if it was successful:
WARNING:lvmgmt:SDP upload succeeded!
Before rebooting I have a habit to always install upgrades:
$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo reboot
Log in again and check there are no services with errors:
$ systemctl status
It should now be ready for use. Connect with Lethean GUI v4 for windows. Sheck that you don't have DNS leaks: https://www.dnsleaktest.com/ Check that you get protected status on top of https://lethean.io/ Check speed on https://www.speedtest.net/