sudocarlos/Start9 access using a VPS and Tailscale

## Start9 access using a VPS and Tailscale
# Start9 access using a VPS and Tailscale

This guide is a combination of articles from BTCPayServer Docs and Tailscale KBs.
They did a great job, so most of what you see here are unaltered parts of the
pages listed in the [sources](#sources) section.

This guide describes how to use a VPS and Tailscale to connect to Core Lightning on
your Start9 from Zeus. You can also expose and connect to other Start9 services
as described in the end.

## Sources

- https://tailscale.com/kb/1019/subnets
- https://docs.btcpayserver.org/Deployment/ReverseSSHtunnel/
- https://docs.btcpayserver.org/Deployment/ReverseProxyToTor
- https://docs.start9.com/0.3.5.x/service-guides/lightning/zeus-cln-direct

## Benefits

- no changes on your Start9 or home router
- encrypted connection (SSH) inside of an encrypted connection (Tailscale/Wireguard)
- hides the IP of your home network

## Requirements

- a Virtual Private Server (VPS) - eg. a minimal package on Lunanode for ~3.5$/month
- a computer with Tailscale in the same LAN as your Start9
- root access on the VPS - you need to set up webserver and install packages
- a domain or subdomain - this will be setup on the proxy webserver


## Same-LAN host setup

For more details on the following steps, see [sources](#sources)

[Download and install Tailscale](https://tailscale.com/download/) onto your
subnet router machine.

Assuming a Linux machine, see [sources](#sources) for details about enabling IP
forwarding and firewalls. I didn't have to bother with either in my case
(Synology DSM 7.2).

Advertise subnet routes

```bash
sudo tailscale up --advertise-routes=192.168.0.0/24,192.168.1.0/24
```

Replace the subnets in the example above with the right ones for your network. Both
IPv4 and IPv6 subnets are supported.

[Enable subnet routes from the admin console](https://tailscale.com/kb/1019/subnets?tab=linux#enable-subnet-routes-from-the-admin-console)


## VPS Setup

You will create a nginx reverse proxy and autossh service, which forwards requests
to your Start9.

### Install dependencies

Login to VPS as root and install the required dependencies: (example assumes a
Debian based system)

```bash
# switch to root user (if not logged in as root)
sudo su -

# install dependencies
apt update
apt install -y certbot nginx autossh
```

### Tailscale setup

[Download and install Tailscale](https://tailscale.com/download/) on your VPS.

[Use your subnet routes from other machines](https://tailscale.com/kb/1019/subnets?tab=linux#use-your-subnet-routes-from-other-machines)

```bash
# enable automatic route discovery
sudo tailscale up --accept-routes
```

### SSH tunnels setup

#### Authorize SSH key

```bash
# check for an existing ssh public key
cat ~/.ssh/*.pub
```

If there is no existing SSH public key, generate one (keep pressing ENTER):

```bash
ssh-keygen -t rsa -b 4096
```

This will generate the SSH keypair `id_rsa` (private key) and `id_rsa.pub` inside `~/.ssh`.
View this file so that you can add your SSH public key to your Start9

```bash
cat .ssh/id_rsa.pub
```

Copy the output

**On your Start9**, go to System > SSH and click 'Add New Key'. Paste the key and submit.

To verify that it works, SSH into the Start9 – this should not prompt for the password anymore:

```bash
ssh start9@START9_LOCAL_ADDRESS
```

#### Create the service file

```bash
sudo nano /etc/systemd/system/autossh-tunnel.service
```

Paste the following and fill in the `START9_LOCAL_ADDRESS`.

```ini
[Unit]
Description=AutoSSH tunnel service
After=network.target

[Service]
User=root
Group=root
Environment="AUTOSSH_GATETIME=0"
ExecStart=/usr/bin/autossh -C -M 0 -v -N -o "ServerAliveInterval=60" -L 8443:c-lightning.embassy:3001 start9@START9_LOCAL_ADDRESS
StandardOutput=journal

[Install]
WantedBy=multi-user.target

```

Enable and start the service:

```bash
sudo systemctl enable autossh-tunnel
sudo systemctl start autossh-tunnel
```

The port forwarding with a reverse ssh-tunnel is now complete.
You should be able access the ports/services of the host computer through the IP of the VPS.

#### Monitoring

Check if there are any errors on the host computer:

```bash
sudo journalctl -f -n 20 -u autossh-tunnel
```

To check if tunnel is active on the VPS:

```bash
netstat -tulpn
```

### Webserver setup

#### Point domain to the VPS

Create the A record on the DNS server of your domain/subdomain and point it to your VPS IP address.

#### Prepare SSL and Let's Encrypt

```bash
# generate 4096 bit DH params to strengthen the security, may take a while
openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

# create directory for Let's Encrypt files
mkdir -p /var/lib/letsencrypt/.well-known
chgrp www-data /var/lib/letsencrypt
chmod g+s /var/lib/letsencrypt
```

#### nginx configuration: http

Create a variable mapping to forward the correct protocol setting and check if the Upgrade header is sent by the client, e.g. `/etc/nginx/conf.d/map.conf`:

```nginx
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
  default $http_x_forwarded_proto;
  ''      $scheme;
}

map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
}
```

Create a config file for the domain, e.g. `/etc/nginx/sites-available/cln.conf`:

```nginx
server {
  listen 80;
  server_name cln.MYDOMAIN.COM;

  # Let's Encrypt verification requests
  location ^~ /.well-known/acme-challenge/ {
    allow all;
    root /var/lib/letsencrypt/;
    default_type "text/plain";
    try_files $uri =404;
  }

  # Redirect everything else to https
  location / {
    return 301 https://$server_name$request_uri;
  }
}
```

We will configure the https server part in the same config file once we obtained the SSL certificate.

Enable the web server config by creating a symlink and restarting nginx:

```bash
ln -s /etc/nginx/sites-available/cln.conf /etc/nginx/sites-enabled/cln.conf

systemctl restart nginx
```

#### Obtain SSL certificate via Let's Encrypt

Run the following command with adapted email and domain parameters:

```bash
certbot certonly --agree-tos --email admin@.MYDOMAIN.COM --webroot -w /var/lib/letsencrypt/ -d cln.MYDOMAIN.COM
```

#### nginx configuration: https

Now that we have a valid SSL certificate, add the https server part at the end of `/etc/nginx/sites-available/btcpayserver.conf`:

```nginx
server {
  listen 80;
  server_name cln.MYDOMAIN.COM;

  # Let's Encrypt verification requests
  location ^~ /.well-known/acme-challenge/ {
    allow all;
    root /var/lib/letsencrypt/;
    default_type "text/plain";
    try_files $uri =404;
  }

  # Redirect everything else to https
  location / {
    return 301 https://$server_name$request_uri;
  }
}

server {
  listen 443 ssl http2;
  server_name cln.MYDOMAIN.COM;

  # SSL settings
  ssl_stapling on;
  ssl_stapling_verify on;

  ssl_session_timeout 1d;
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off;

  # Update this with the path of your certificate files
  ssl_certificate /etc/letsencrypt/live/cln.stubby.dev/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/cln.stubby.dev/privkey.pem;

  ssl_dhparam /etc/ssl/certs/dhparam.pem;
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
  ssl_prefer_server_ciphers off;

  resolver 9.9.9.9 149.112.112.112 valid=300s;
  resolver_timeout 30s;

  add_header Strict-Transport-Security "max-age=63072000" always;
  add_header Content-Security-Policy "frame-ancestors 'self';";
  add_header X-Content-Type-Options nosniff;

  # Proxy requests to the ssh tunnel
  location / {
    proxy_pass https://localhost:8443/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
  }
}
```

Restart nginx once more:

```bash
systemctl restart nginx
```

Now, visiting `cln.MYDOMAIN.com/v1/getinfo` should show an error, like

```json
{"message":"Authentication Failed!","error":"Bad Macaroon!"}
```

### Zeus wallet setup

**On your Start9**, make sure you have C-Lightning-REST enabled.
Services > Core Lightning > Config > Advanced > Plugins > C-Lightning-REST

Copy your REST Macaroon (Hex) for Zeus wallet setup
Services > Core Lightning > Properties > REST Properties > REST Macaroon (Hex)

**In Zeus wallet**, add a new node
Settings > (tap the active node) > **+**

Setting | Value
---
Node interface | Core Lightning (c-lightning-Rest)
Host | cln.MYDOMAIN.COM
Macaroon (Hex format) | *see last step*
REST Port | 443
Certificate Verification | *enabled*

SAVE NODE CONFIG

Party time!
	# Start9 access using a VPS and Tailscale

	This guide is a combination of articles from BTCPayServer Docs and Tailscale KBs.
	They did a great job, so most of what you see here are unaltered parts of the
	pages listed in the [sources](#sources) section.

	This guide describes how to use a VPS and Tailscale to connect to Core Lightning on
	your Start9 from Zeus. You can also expose and connect to other Start9 services
	as described in the end.

	## Sources

	- https://tailscale.com/kb/1019/subnets
	- https://docs.btcpayserver.org/Deployment/ReverseSSHtunnel/
	- https://docs.btcpayserver.org/Deployment/ReverseProxyToTor
	- https://docs.start9.com/0.3.5.x/service-guides/lightning/zeus-cln-direct

	## Benefits

	- no changes on your Start9 or home router
	- encrypted connection (SSH) inside of an encrypted connection (Tailscale/Wireguard)
	- hides the IP of your home network

	## Requirements

	- a Virtual Private Server (VPS) - eg. a minimal package on Lunanode for ~3.5$/month
	- a computer with Tailscale in the same LAN as your Start9
	- root access on the VPS - you need to set up webserver and install packages
	- a domain or subdomain - this will be setup on the proxy webserver


	## Same-LAN host setup

	For more details on the following steps, see [sources](#sources)

	[Download and install Tailscale](https://tailscale.com/download/) onto your
	subnet router machine.

	Assuming a Linux machine, see [sources](#sources) for details about enabling IP
	forwarding and firewalls. I didn't have to bother with either in my case
	(Synology DSM 7.2).

	Advertise subnet routes

	```bash
	sudo tailscale up --advertise-routes=192.168.0.0/24,192.168.1.0/24
	```

	Replace the subnets in the example above with the right ones for your network. Both
	IPv4 and IPv6 subnets are supported.

	[Enable subnet routes from the admin console](https://tailscale.com/kb/1019/subnets?tab=linux#enable-subnet-routes-from-the-admin-console)


	## VPS Setup

	You will create a nginx reverse proxy and autossh service, which forwards requests
	to your Start9.

	### Install dependencies

	Login to VPS as root and install the required dependencies: (example assumes a
	Debian based system)

	```bash
	# switch to root user (if not logged in as root)
	sudo su -

	# install dependencies
	apt update
	apt install -y certbot nginx autossh
	```

	### Tailscale setup

	[Download and install Tailscale](https://tailscale.com/download/) on your VPS.

	[Use your subnet routes from other machines](https://tailscale.com/kb/1019/subnets?tab=linux#use-your-subnet-routes-from-other-machines)

	```bash
	# enable automatic route discovery
	sudo tailscale up --accept-routes
	```

	### SSH tunnels setup

	#### Authorize SSH key

	```bash
	# check for an existing ssh public key
	cat ~/.ssh/*.pub
	```

	If there is no existing SSH public key, generate one (keep pressing ENTER):

	```bash
	ssh-keygen -t rsa -b 4096
	```

	This will generate the SSH keypair `id_rsa` (private key) and `id_rsa.pub` inside `~/.ssh`.
	View this file so that you can add your SSH public key to your Start9

	```bash
	cat .ssh/id_rsa.pub
	```

	Copy the output

	On your Start9, go to System > SSH and click 'Add New Key'. Paste the key and submit.

	To verify that it works, SSH into the Start9 – this should not prompt for the password anymore:

	```bash
	ssh start9@START9_LOCAL_ADDRESS
	```

	#### Create the service file

	```bash
	sudo nano /etc/systemd/system/autossh-tunnel.service
	```

	Paste the following and fill in the `START9_LOCAL_ADDRESS`.

	```ini
	[Unit]
	Description=AutoSSH tunnel service
	After=network.target

	[Service]
	User=root
	Group=root
	Environment="AUTOSSH_GATETIME=0"
	ExecStart=/usr/bin/autossh -C -M 0 -v -N -o "ServerAliveInterval=60" -L 8443:c-lightning.embassy:3001 start9@START9_LOCAL_ADDRESS
	StandardOutput=journal

	[Install]
	WantedBy=multi-user.target

	```

	Enable and start the service:

	```bash
	sudo systemctl enable autossh-tunnel
	sudo systemctl start autossh-tunnel
	```

	The port forwarding with a reverse ssh-tunnel is now complete.
	You should be able access the ports/services of the host computer through the IP of the VPS.

	#### Monitoring

	Check if there are any errors on the host computer:

	```bash
	sudo journalctl -f -n 20 -u autossh-tunnel
	```

	To check if tunnel is active on the VPS:

	```bash
	netstat -tulpn
	```

	### Webserver setup

	#### Point domain to the VPS

	Create the A record on the DNS server of your domain/subdomain and point it to your VPS IP address.

	#### Prepare SSL and Let's Encrypt

	```bash
	# generate 4096 bit DH params to strengthen the security, may take a while
	openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

	# create directory for Let's Encrypt files
	mkdir -p /var/lib/letsencrypt/.well-known
	chgrp www-data /var/lib/letsencrypt
	chmod g+s /var/lib/letsencrypt
	```

	#### nginx configuration: http

	Create a variable mapping to forward the correct protocol setting and check if the Upgrade header is sent by the client, e.g. `/etc/nginx/conf.d/map.conf`:

	```nginx
	map $http_x_forwarded_proto $proxy_x_forwarded_proto {
	default $http_x_forwarded_proto;
	'' $scheme;
	}

	map $http_upgrade $connection_upgrade {
	default upgrade;
	'' close;
	}
	```

	Create a config file for the domain, e.g. `/etc/nginx/sites-available/cln.conf`:

	```nginx
	server {
	listen 80;
	server_name cln.MYDOMAIN.COM;

	# Let's Encrypt verification requests
	location ^~ /.well-known/acme-challenge/ {
	allow all;
	root /var/lib/letsencrypt/;
	default_type "text/plain";
	try_files $uri =404;
	}

	# Redirect everything else to https
	location / {
	return 301 https://$server_name$request_uri;
	}
	}
	```

	We will configure the https server part in the same config file once we obtained the SSL certificate.

	Enable the web server config by creating a symlink and restarting nginx:

	```bash
	ln -s /etc/nginx/sites-available/cln.conf /etc/nginx/sites-enabled/cln.conf

	systemctl restart nginx
	```

	#### Obtain SSL certificate via Let's Encrypt

	Run the following command with adapted email and domain parameters:

	```bash
	certbot certonly --agree-tos --email admin@.MYDOMAIN.COM --webroot -w /var/lib/letsencrypt/ -d cln.MYDOMAIN.COM
	```

	#### nginx configuration: https

	Now that we have a valid SSL certificate, add the https server part at the end of `/etc/nginx/sites-available/btcpayserver.conf`:

	```nginx
	server {
	listen 80;
	server_name cln.MYDOMAIN.COM;

	# Let's Encrypt verification requests
	location ^~ /.well-known/acme-challenge/ {
	allow all;
	root /var/lib/letsencrypt/;
	default_type "text/plain";
	try_files $uri =404;
	}

	# Redirect everything else to https
	location / {
	return 301 https://$server_name$request_uri;
	}
	}

	server {
	listen 443 ssl http2;
	server_name cln.MYDOMAIN.COM;

	# SSL settings
	ssl_stapling on;
	ssl_stapling_verify on;

	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:10m;
	ssl_session_tickets off;

	# Update this with the path of your certificate files
	ssl_certificate /etc/letsencrypt/live/cln.stubby.dev/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/cln.stubby.dev/privkey.pem;

	ssl_dhparam /etc/ssl/certs/dhparam.pem;
	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
	ssl_prefer_server_ciphers off;

	resolver 9.9.9.9 149.112.112.112 valid=300s;
	resolver_timeout 30s;

	add_header Strict-Transport-Security "max-age=63072000" always;
	add_header Content-Security-Policy "frame-ancestors 'self';";
	add_header X-Content-Type-Options nosniff;

	# Proxy requests to the ssh tunnel
	location / {
	proxy_pass https://localhost:8443/;
	proxy_http_version 1.1;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $remote_addr;
	proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection $connection_upgrade;
	}
	}
	```

	Restart nginx once more:

	```bash
	systemctl restart nginx
	```

	Now, visiting `cln.MYDOMAIN.com/v1/getinfo` should show an error, like

	```json
	{"message":"Authentication Failed!","error":"Bad Macaroon!"}
	```

	### Zeus wallet setup

	On your Start9, make sure you have C-Lightning-REST enabled.
	Services > Core Lightning > Config > Advanced > Plugins > C-Lightning-REST

	Copy your REST Macaroon (Hex) for Zeus wallet setup
	Services > Core Lightning > Properties > REST Properties > REST Macaroon (Hex)

	In Zeus wallet, add a new node
	Settings > (tap the active node) > +

	Setting \| Value
	---
	Node interface \| Core Lightning (c-lightning-Rest)
	Host \| cln.MYDOMAIN.COM
	Macaroon (Hex format) \| see last step
	REST Port \| 443
	Certificate Verification \| enabled

	SAVE NODE CONFIG

	Party time!