Skip to content

Instantly share code, notes, and snippets.


jshufro/ Secret

Last active Oct 16, 2022
What would you like to do?
Rocket Pool Over VPN


Staking over VPN provides an additional layer of privacy. Instead of your home IP address being exposed to the Ethereum p2p network, an anonymous IP address owned by the VPN will be exposed. This extra layer of privacy makes it harder for an attacker to physically locate your node.

In order to make this work, however, you will need a VPN provider that supports port forwarding. I'm using Mullvad, and this guide will be Mullvad-specific. The cost is 5€/month, and bandwidth is unlimited.

This set-up works with Tailscale!


Register for Mullvad

Go to the registration page and create an account number.

This account number is both your username and password, so keep it securely backed up!

Once you've registered, a number of payment options exist. Choose one, and top up the account.

Generating a key and copying the config to your node

Mullvad works over a protocol known as Wireguard.

Head to the Mullvad key generation page. Select:

  1. Linux
  2. Click Generate Key
  3. Pick a country/city/server near you
  4. Default DNS
  5. Click Download file. If the page says Download zip archive be sure to select a specific server on step 3.

You will need to copy the downloaded file to your node. The easiest way to do that is with scp... Fill out your user name and node IP and run:

scp ~/Downloads/mlvd-*.conf you_username@your_node_ip:

You will be prompted for your password and 2fa, if enabled. If this succeeds, skip to the next section.

If you are using a ssh key file with a non-standard path or name, the above command will fail. Instead you will have to update and run:

scp -i /path/to/your/key/file ~/Downloads/mlvd-*.conf you_username@your_node_ip:

Installing wireguard on your node


sudo apt update
sudo apt install wireguard resolvconf

Next, move your config file to the correct location and set its permissions:

sudo mv mlvd-*.conf /etc/wireguard/wg0.conf
sudo chmod 600 /etc/wireguard/wg0.conf

Start wireguard with:

sudo wg-quick up wg0

and verify that it's working using

sudo wg show wg0

You should see something like:

interface: wg0
  public key: E0jkhgdak/OoLteyaksjdjlhgkjhasd
  private key: (hidden)
  listening port: 51351
  fwmark: 0xca6c

peer: igdja678/hjkgdhakjhdkla
  endpoint: 12.234.567.890:86134
  allowed ips:, ::/0
  latest handshake: 42 seconds ago
  transfer: 948.58 MiB received, 852.90 MiB sent

Finally, enable VPN on reboots:

sudo systemctl enable wg-quick@wg0

Enable port forwarding

At this stage, your VPN is working, but you will have difficulty maintain good peer counts because port forwarding is not configured.

Head to the port forwarding settings page

  1. Under Select city select the same city that you used in the key generation step.
  2. Under Select key select the key you generated earlier (it should be the only option). If there are multiple keys, you can use sudo wg show wg0 to find the public key on your node.
  3. Click "Add port" twice. Write down the two port numbers that it generates, ie, if it displays se-ups-54321, write down "54321".

Configure smartnode

On the node, run

rocketpool service config
  1. In the section for Execution Client (ETH1) update your P2P Port to the first port you wrote down earlier.
  2. In the section for Consensus Client (ETH2) update your P2P Port to the second port you wrote down earlier.
  3. Save and exit. Restart containers when prompted (you will miss a few attestations here if doppelganger detection is enabled).

Update UFW

When you originally set up the node, you configured a firewall and opened the standardized ports for eth1 and eth2 peer-to-peer connections. You will want to update ufw to close those ports and expose the ones you're using with Mullvad.

First, delete the old rules with:

sudo ufw delete allow 30303/tcp
sudo ufw delete allow 30303/udp
sudo ufw delete allow 9001/tcp
sudo ufw delete allow 9001/udp

Next, replace with the first port you wrote down in the Enable port forwarding section in the following commands and run them:

sudo ufw allow <PORT>/tcp comment 'Execution client port - Mullvad'
sudo ufw allow <PORT>/udp comment 'Execution client port - Mullvad'

Then, replace with the second port you wrote down in the Enable port forwarding section in the following commands and run them:

sudo ufw allow <PORT>/tcp comment 'Consensus client port - Mullvad'
sudo ufw allow <PORT>/udp comment 'Consensus client port - Mullvad'

Finally, for good measure, run sudo ufw reload to make sure the changes are effective.

Verify everything is working

On the node, determine your new IP address.


In a browser, navigate to YouGetSignal and fill in Remote Address with your new IP. Test both of the ports you have written down and make sure they both show as open.

Extra steps for Tailscale users

If you're using tailscale, you need to edit /etc/wireguard/wg0.conf to include a couple extra lines in the [Interface] section:

PostUp = tailscale up && ip route replace dev tailscale0 || true
PreDown = ip route del dev tailscale0 && tailscale down || true

Once you've added these lines run sudo wg-quick down wg0 and sudo wg-quick up wg0 so they take effect.

Copy link

Woogz-git commented May 20, 2022

I got the following error when trying to run:
sudo wg-quick up wg0

/usr/bin/wg-quick: line 32: resolvconf: command not found

I had to run
sudo apt install openresolv

Alternatively I found a link that said I could have used

systemctl start wg-quick@<vpn-name>

"Or if you wish to start the VPN every time you start your machine use:"

systemctl enable wg-quick@<vpn-name>

I went ahead and ran that as well so that it would auto start.

Copy link

jshufro commented Aug 20, 2022

I got the following error when trying to run:

thanks, i've updated the gist

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment