Staking over VPN provides an additional layer of privacy. Instead of your home IP address being exposed to the Ethereum p2p network, an anonymous IP address owned by the VPN will be exposed. This extra layer of privacy makes it harder for an attacker to physically locate your node.
In order to make this work, however, you will need a VPN provider that supports port forwarding. I'm using Mullvad, and this guide will be Mullvad-specific. The cost is 5€/month, and bandwidth is unlimited.
This set-up works with Tailscale!
Register for Mullvad
Go to the registration page and create an account number.
This account number is both your username and password, so keep it securely backed up!
Once you've registered, a number of payment options exist. Choose one, and top up the account.
Generating a key and copying the config to your node
Mullvad works over a protocol known as WireGuard.
Head to the Mullvad key generation page. Select:
- Pick a country/city/server near you
- Download file. If the page says "Download zip archive", be sure to select a specific server in step 3.
You will need to copy the downloaded file to your node. The easiest way to do that is with scp.
Fill out your user name and node IP and run:
scp ~/Downloads/mlvd-*.conf your_username@your_node_ip:
You will be prompted for your password and 2FA, if enabled. If this succeeds, skip to the next section.
If you are using an SSH key file with a non-standard path or name, the above command will fail. Instead you will have to update and run:
scp -i /path/to/your/key/file ~/Downloads/mlvd-*.conf your_username@your_node_ip:
Installing wireguard on your node
sudo apt update
sudo apt install wireguard resolvconf
Next, move your config file to the correct location and set its permissions:
sudo mv mlvd-*.conf /etc/wireguard/wg0.conf
sudo chmod 600 /etc/wireguard/wg0.conf
Start wireguard with:
sudo wg-quick up wg0
and verify that it's working using
sudo wg show wg0
You should see something like:
interface: wg0
  public key: E0jkhgdak/OoLteyaksjdjlhgkjhasd
  private key: (hidden)
  listening port: 51351
  fwmark: 0xca6c

peer: igdja678/hjkgdhakjhdkla
  endpoint: 12.234.567.890:86134
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 42 seconds ago
  transfer: 948.58 MiB received, 852.90 MiB sent
Finally, enable VPN on reboots:
sudo systemctl enable wg-quick@wg0
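A quick way to turn the "something like" check above into a repeatable test is to parse the output of wg show. The script below is an added example, not part of the original guide: it reads `sudo wg show wg0` output on stdin, computes how old the latest handshake is, and fails when the interface or the peer endpoint is missing or the handshake is older than a threshold. The 180-second threshold and the sample outputs (keys, addresses and ports are made up) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the original guide): check that a WireGuard
# tunnel is actually up by parsing the output of `sudo wg show wg0`.
# Usage:  sudo wg show wg0 | tunnel_healthy
# The 180-second threshold is an assumption: WireGuard re-handshakes about
# every two minutes while traffic flows, so a much older handshake usually
# means the peer is unreachable even though the interface still exists.

MAX_HANDSHAKE_AGE=180

# Read `wg show` output on stdin and print the age of the latest handshake
# in seconds. Prints -1 when no handshake has ever completed.
handshake_age_seconds() {
    line=$(grep 'latest handshake:' | head -n 1)
    if [ -z "$line" ]; then
        echo -1
        return 0
    fi
    # Strip the label and separators, leaving "N unit N unit ..." or "Now".
    rest=$(printf '%s\n' "$line" | sed 's/.*latest handshake://; s/ ago//; s/,/ /g')
    total=0
    set -- $rest
    if [ "$#" -eq 1 ] && [ "$1" = "Now" ]; then
        echo 0
        return 0
    fi
    while [ "$#" -ge 2 ]; do
        num=$1
        unit=$2
        shift 2
        case "$num" in *[!0-9]*) continue ;; esac   # skip anything that is not a number
        case "$unit" in
            second*) total=$((total + num)) ;;
            minute*) total=$((total + num * 60)) ;;
            hour*)   total=$((total + num * 3600)) ;;
            day*)    total=$((total + num * 86400)) ;;
        esac
    done
    echo "$total"
}

# Return 0 when the output has an interface, a peer endpoint and a recent handshake.
tunnel_healthy() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q '^interface: ' || { echo "no wg interface"; return 1; }
    printf '%s\n' "$out" | grep -q 'endpoint: '   || { echo "no peer endpoint"; return 1; }
    age=$(printf '%s\n' "$out" | handshake_age_seconds)
    if [ "$age" -lt 0 ]; then
        echo "peer has never completed a handshake"
        return 1
    fi
    if [ "$age" -gt "$MAX_HANDSHAKE_AGE" ]; then
        echo "last handshake ${age}s ago (limit ${MAX_HANDSHAKE_AGE}s)"
        return 1
    fi
    echo "tunnel healthy: last handshake ${age}s ago"
    return 0
}

# Constructed sample outputs (keys, addresses and ports are made up).
SAMPLE_OK='interface: wg0
  public key: E0jkhgdak/OoLteyaksjdjlhgkjhasd
  private key: (hidden)
  listening port: 51351

peer: igdja678/hjkgdhakjhdkla
  endpoint: 203.0.113.10:51820
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 42 seconds ago
  transfer: 948.58 MiB received, 852.90 MiB sent'

SAMPLE_STALE='interface: wg0
  public key: E0jkhgdak/OoLteyaksjdjlhgkjhasd
  private key: (hidden)
  listening port: 51351

peer: igdja678/hjkgdhakjhdkla
  endpoint: 203.0.113.10:51820
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 1 hour, 3 minutes, 5 seconds ago
  transfer: 0 B received, 12.14 KiB sent'

# Set WG_HEALTH_LIVE=1 to check the real interface; otherwise exercise the sample.
if [ "${WG_HEALTH_LIVE:-0}" = 1 ]; then
    sudo wg show wg0 | tunnel_healthy
else
    printf '%s\n' "$SAMPLE_OK" | tunnel_healthy
fi
```

Running `sudo wg show wg0 | tunnel_healthy` from a cron job or a monitoring script gives a non-zero exit code when the tunnel has silently dropped, which is exactly the state in which your node would otherwise keep running with no peers.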
Enable port forwarding
At this stage, your VPN is working, but you will have difficulty maintaining good peer counts because port forwarding is not configured.
- Head to the port forwarding settings page.
- Select city: select the same city that you used in the key generation step.
- Select key: select the key you generated earlier (it should be the only option). If there are multiple keys, you can use `sudo wg show wg0` to find the public key on your node.
- Click "Add port" twice. Write down the two port numbers that it generates, e.g., if it displays se-ups-54321, write down "54321".
On the node, run
rocketpool service config
- In the section for Execution Client (ETH1), update your P2P Port to the first port you wrote down earlier.
- In the section for Consensus Client (ETH2), update your P2P Port to the second port you wrote down earlier.
- Save and exit. Restart containers when prompted (you will miss a few attestations here if doppelganger detection is enabled).
When you originally set up the node, you configured a firewall and opened the standardized ports for eth1 and eth2 peer-to-peer connections. You will want to update ufw to close those ports and expose the ones you're using with Mullvad.
First, delete the old rules with:
sudo ufw delete allow 30303/tcp
sudo ufw delete allow 30303/udp
sudo ufw delete allow 9001/tcp
sudo ufw delete allow 9001/udp
Next, replace <PORT> with the first port you wrote down in the Enable port forwarding section in the following commands and run them:
sudo ufw allow <PORT>/tcp comment 'Execution client port - Mullvad'
sudo ufw allow <PORT>/udp comment 'Execution client port - Mullvad'
Then, replace <PORT> with the second port you wrote down in the Enable port forwarding section in the following commands and run them:
sudo ufw allow <PORT>/tcp comment 'Consensus client port - Mullvad'
sudo ufw allow <PORT>/udp comment 'Consensus client port - Mullvad'
Finally, for good measure, run
sudo ufw reload
to make sure the changes are effective.
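The firewall changes above are easy to get wrong by hand (one protocol forgotten, a port typed wrong, the old rule left open). The script below is an added example, not part of the original guide: it takes the two forwarded ports as arguments, validates them, closes the default 30303/9001 rules and opens the new ones for both TCP and UDP. It assumes ufw as in the guide and defaults to a dry run that only prints the commands; set DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example (not part of the original guide): replace the default
# execution/consensus P2P firewall rules with the two Mullvad-forwarded ports.
# Assumptions: ufw is the firewall (as in the guide), the old ports are the
# defaults 30303 and 9001 from the guide, and DRY_RUN=1 only prints commands.
# Usage:  DRY_RUN=0 swap_p2p_ports <execution_port> <consensus_port>

OLD_EXEC_PORT=30303
OLD_CONS_PORT=9001

# True when $1 is an integer in the valid TCP/UDP port range 1-65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Close the default P2P ports and open the two forwarded ones (tcp and udp each).
swap_p2p_ports() {
    exec_port=$1
    cons_port=$2
    if ! valid_port "$exec_port" || ! valid_port "$cons_port"; then
        echo "error: both ports must be integers in 1-65535" >&2
        return 1
    fi
    if [ "$exec_port" = "$cons_port" ]; then
        echo "error: execution and consensus ports must differ" >&2
        return 1
    fi
    for proto in tcp udp; do
        run sudo ufw delete allow "${OLD_EXEC_PORT}/${proto}"
        run sudo ufw delete allow "${OLD_CONS_PORT}/${proto}"
    done
    for proto in tcp udp; do
        run sudo ufw allow "${exec_port}/${proto}" comment "Execution client port - Mullvad"
        run sudo ufw allow "${cons_port}/${proto}" comment "Consensus client port - Mullvad"
    done
    run sudo ufw reload
}

# When given two arguments, perform the swap (dry run unless DRY_RUN=0).
if [ "$#" -eq 2 ]; then
    swap_p2p_ports "$1" "$2"
fi
```

Run it once with the default DRY_RUN=1 and read the printed commands, then with DRY_RUN=0 to apply; afterwards `sudo ufw status numbered` should list only the two Mullvad ports (each for tcp and udp) and no longer 30303 or 9001.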
Verify everything is working
On the node, determine your new IP address.
In a browser, navigate to YouGetSignal and fill in Remote Address with your new IP.
Test both of the ports you have written down and make sure they both show as open.
Extra steps for Tailscale users
If you're using tailscale, you need to edit
/etc/wireguard/wg0.conf to include a couple extra lines in the
PostUp = tailscale up && ip route replace 100.64.0.0/10 dev tailscale0 || true
PreDown = ip route del 100.64.0.0/10 dev tailscale0 && tailscale down || true
Once you've added these lines run
sudo wg-quick down wg0
and
sudo wg-quick up wg0
so they take effect.
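Editing wg0.conf by hand is fine once, but a script that adds the two hooks exactly once, and in the right place, is safer to re-run after a config regenerated from Mullvad. The script below is an added example, not part of the original guide: it inserts the PostUp/PreDown lines from above directly under the [Interface] header (wg-quick only honours these keys in that section), refuses to run on a file without that section, and rewrites the file through `cat >` so the 0600 mode set earlier is preserved. The file path and the sample config used in testing are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the original guide): add the Tailscale PostUp/PreDown
# hooks from the guide to a wg-quick config file, exactly once, directly under
# the [Interface] header (wg-quick only honours PostUp/PreDown there).
# Assumption: the config is a plain wg-quick file such as /etc/wireguard/wg0.conf;
# the file is rewritten in place through `cat >` so its 0600 mode is preserved.
# Usage:  sudo sh add_tailscale_hooks.sh /etc/wireguard/wg0.conf

TS_POSTUP='PostUp = tailscale up && ip route replace 100.64.0.0/10 dev tailscale0 || true'
TS_PREDOWN='PreDown = ip route del 100.64.0.0/10 dev tailscale0 && tailscale down || true'

# True when the file already carries the PostUp hook.
has_tailscale_hooks() {
    grep -q '^PostUp = tailscale up' "$1"
}

# Insert the two hooks after [Interface]; return 1 if the file has no such section.
add_tailscale_hooks() {
    conf=$1
    if has_tailscale_hooks "$conf"; then
        return 0                      # already done, nothing to change
    fi
    if ! grep -q '^\[Interface\]' "$conf"; then
        echo "error: no [Interface] section in $conf" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    awk -v up="$TS_POSTUP" -v down="$TS_PREDOWN" '
        { print }
        /^\[Interface\]/ && !done { print up; print down; done = 1 }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$conf"              # keep ownership/permissions of the original file
    rm -f "$tmp"
}

# Print the line number of the PostUp hook (0 if absent); handy for checking placement.
tailscale_hook_line() {
    n=$(grep -n '^PostUp = tailscale up' "$1" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

if [ -n "$1" ]; then
    add_tailscale_hooks "$1"
fi
```

After running it, `sudo wg-quick down wg0 && sudo wg-quick up wg0` applies the hooks as the guide describes; running the script a second time is a no-op.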