Not only is it super simple to deploy, but thanks to Watchtower, your system will automatically update Monero whenever a new version is tagged on GitHub. This really is a “set and forget” option for those less interested in fancy features and GUIs but wanting a highly reliable node that works without maintenance.
As we are running Monero in a Docker container and have deployed Watchtower along with it, the node will automatically be restarted with the latest version of monerod whenever a new version is tagged in GitHub.
Nothing else needs to be done manually! (sethforprivacy)
You can check out the source repo on GitHub.
The system requirements for operating a Monero node are minimal, but the more resources you have available, the better the overall experience.
- 2+ vCPUs/cores.
- 4GB+ RAM.
- 175GB+ SSD.
It’s also worth looking at your system’s BIOS to see if it has any “auto-on” power settings. These settings, if available, are helpful in power loss scenarios, ensuring that your node automatically powers back up when power resumes, minimising potential downtime.
The first step is to install Ubuntu Server on your machine. If you’re unfamiliar with the installation process, you can check out my previous article.
Once you have a fresh Ubuntu install, you can prepare your system by installing Docker, UFW and curl.
sudo apt-get update && sudo apt-get upgrade -y
sudo apt-get install -y ufw curl
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
sudo usermod -aG docker $USER
su - $USER
Now that UFW is installed, you can harden your system by locking down any ports not required by Monero.
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow 18080/tcp
sudo ufw allow 18089/tcp
sudo ufw enable
Your next step will be deciding whether you want to operate a public or private Monero node. Most users will set up a node only for themselves or close family/friends, so I recommend choosing a private node in almost all scenarios.
If using a private node, you also have the option to define RPC login credentials. Whilst not a necessary step, it does add an extra layer of security to your RPC port. Even without login credentials, there is still no risk of harmful commands being run by attackers due to the default security protocols of monerod.
#### Private node
docker run -d --restart unless-stopped --name="monerod" -p 18080:18080 -p 18089:18089 -v bitmonero:/home/monero sethsimmons/simple-monerod:latest --rpc-restricted-bind-ip=0.0.0.0 --rpc-restricted-bind-port=18089 --no-igd --no-zmq --enable-dns-blocklist
docker run -d \
    --name watchtower --restart unless-stopped \
    -v /var/run/docker.sock:/var/run/docker.sock \
    containrrr/watchtower --cleanup \
    monerod tor

#### Private node with RPC credentials
#### Modify username:password to chosen credentials
docker run -d --restart unless-stopped --name="monerod" -p 18080:18080 -p 18089:18089 -v bitmonero:/home/monero sethsimmons/simple-monerod:latest --rpc-restricted-bind-ip=0.0.0.0 --rpc-restricted-bind-port=18089 --no-igd --no-zmq --enable-dns-blocklist --rpc-login username:password
docker run -d \
    --name watchtower --restart unless-stopped \
    -v /var/run/docker.sock:/var/run/docker.sock \
    containrrr/watchtower --cleanup \
    monerod tor

#### Public node
docker run -d --restart unless-stopped --name="monerod" -p 18080:18080 -p 18089:18089 -v bitmonero:/home/monero sethsimmons/simple-monerod:latest --rpc-restricted-bind-ip=0.0.0.0 --rpc-restricted-bind-port=18089 --public-node --no-igd --no-zmq --enable-dns-blocklist
docker run -d \
    --name watchtower --restart unless-stopped \
    -v /var/run/docker.sock:/var/run/docker.sock \
    containrrr/watchtower --cleanup \
    monerod tor
Monerod will immediately start and begin downloading block data. The amount of time required to synchronise the node will vary, depending on your available bandwidth and system resources, but it can often complete in as little as 24 hours.
You can monitor your node’s sync progress by running the following command.
docker logs --follow monerod
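To confirm that the container exposes only the two ports allowed in UFW earlier, the check below (an added example, not from the original guide or the simple-monerod project) parses the output of `docker port monerod`; Docker publishes ports through its own iptables rules, so `ufw status` alone does not show what is reachable. The function name is hypothetical and the sample output is constructed.

```shell
#!/bin/sh
# Added example: compare the ports Docker actually publishes for the
# "monerod" container against the two ports this guide opens in UFW.
ALLOWED_PORTS="18080 18089"   # P2P and restricted RPC, as in the guide

# Reads `docker port <container>` output on stdin, e.g.
#   18089/tcp -> 0.0.0.0:18089
# Prints one finding per unexpected host port; exit status 1 if any.
audit_published_ports() (
  findings=0
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    host_port="${line##*:}"              # text after the last ':'
    case " $ALLOWED_PORTS " in
      *" $host_port "*) ;;               # expected mapping
      *) echo "UNEXPECTED: $line"; findings=$((findings + 1)) ;;
    esac
  done
  [ "$findings" -eq 0 ]
)

# Constructed sample: the guide's two ports (IPv4 and IPv6 bindings)
# plus a stray mapping of 18081, monerod's default unrestricted RPC port.
SAMPLE_PORTS='18080/tcp -> 0.0.0.0:18080
18080/tcp -> [::]:18080
18089/tcp -> 0.0.0.0:18089
18081/tcp -> 0.0.0.0:18081'

# Live use: docker port monerod | audit_published_ports
printf '%s\n' "$SAMPLE_PORTS" | audit_published_ports || true
```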
Remote Wallet Connections.
One of the great things about Monero is that it exposes a restricted RPC but not any potentially harmful commands, so it’s perfectly safe to forward the RPC port.
The exact steps will vary depending on the model of router you own, but the details remain the same. You must open RPC port 18089 to ensure remote wallets remain connected outside your home network.
Whilst on your router’s port forwarding page, it’s also a great idea to support the Monero network by opening P2P port 18080.
Running a Monero node for yourself not only helps to give you the stronger network-level privacy guarantees, but also helps to increase the decentralization, stability, and speed of the Monero network. (Sethforprivacy)
If you are unsure how to use port forwarding, you can find excellent step-by-step guides for many router manufacturers at portforward.com.
Once you have forwarded the RPC port, you can connect remote wallets using a combination of your node’s public IP address and port 18089, for example;
If you used RPC login credentials, those must also be entered into your wallet’s settings page when adding your node, or the connection will fail.
If you do not know the public IP address of your node, you can run the following command. Your public IP will be displayed in the output next to where it says “myip.opendns.com has address”.
host myip.opendns.com resolver1.opendns.com
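A quick way to confirm that the restricted RPC port answers and to see how far the node has synced, as an added example that is not part of the original guide: it queries monerod's `/get_info` endpoint and, when `--rpc-login` was set, authenticates with HTTP digest. The function names are hypothetical and the sample response is constructed.

```shell
#!/bin/sh
# Added example (not from the guide): sync state via monerod's restricted RPC.
RPC_PORT=18089

# $1 = host, $2 = optional "username:password" as given to --rpc-login
# (monerod checks it with HTTP digest authentication).
fetch_info() {
  if [ -n "$2" ]; then
    curl -sS --max-time 10 --digest -u "$2" "http://$1:$RPC_PORT/get_info"
  else
    curl -sS --max-time 10 "http://$1:$RPC_PORT/get_info"
  fi
}

# Print the numeric value of JSON key $1 from the response on stdin.
json_num() {
  sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# Summarise a /get_info response read from stdin; exit status 1 if unusable.
sync_summary() (
  body=$(cat)
  height=$(printf '%s\n' "$body" | json_num height)
  target=$(printf '%s\n' "$body" | json_num target_height)
  [ -n "$height" ] || { echo "no height in response"; exit 1; }
  if printf '%s\n' "$body" | grep -Eq '"synchronized"[[:space:]]*:[[:space:]]*true'; then
    echo "synced $height"
  elif [ "${target:-0}" -gt "$height" ]; then
    echo "syncing $height/$target ($((height * 100 / target))%)"
  else
    # target_height can still be 0 before peers have reported their height
    echo "syncing $height (target height not known yet)"
  fi
)

# Constructed sample response, trimmed to the fields used here.
SAMPLE_INFO='{
  "height": 1500000,
  "status": "OK",
  "synchronized": false,
  "target_height": 3000000
}'

# Live use: fetch_info 127.0.0.1 "username:password" | sync_summary
printf '%s\n' "$SAMPLE_INFO" | sync_summary
```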
Remote Wallet Connections via Tor.
Those unable, or not wanting, to open ports can also make remote connections over Tor. This option has the benefit of bypassing the need to open ports but comes with a tradeoff of wallet efficiency due to the bandwidth limitations and occasional instabilities of the Tor network. You will need to check whether your wallet has Tor integrated; otherwise, a Tor client will need to be installed on the remote device, like Orbot.
Suppose your Android phone already has an active VPN. In that case, you could always create a new user profile, specifically for your Monero activities, and set Orbot as your VPN within that profile only. If following this model, I recommend using GrapheneOS as it gives you much more control over your permissions to individual applications and services.
If choosing to use Tor, you first need to install it on your node.
docker run -d --restart unless-stopped --link monerod:monerod --name tor --volume tor-keys:/var/lib/tor/hidden_service/ goldy/tor-hidden-service
Once installed, you can get your new hidden service address by running the following command.
docker exec -ti tor onions
You can then add your new onion address and Monero RPC port number into your remote wallets settings, for example;
Clearnet or Tor?
Whether it’s necessary to connect to the Monero network via a hidden service or if it’s OK to use clearnet is a highly debated topic. There is no right or wrong answer since it’s highly dependent on your geographical location and the attitude of your local authority towards Monero and Tor.
Due to the default architecture of Monero, transactional privacy is not decreased when using clearnet because of its use of Ring Signatures. Your only consideration is whether or not you feel it’s a privacy risk for your ISP to know that you’re connecting to the network. Generally speaking, ISPs don’t care about your online activity as long as you’re not breaking local law. Still, they will, and do, work with authorities on request, usually without a fight for their customers’ privacy rights.
Tor solves this problem; however, in some locations, Tor is highly frowned upon or even banned entirely and may pose more of a risk than the use of Monero would itself.
You could choose to use clearnet but then configure a VPN, hiding online activities from your ISP, but now your VPN provider can see your online activities instead, so it depends on what you feel more comfortable with.
Some even configure both Tor and a VPN, bringing the highest level of privacy. When this method is configured correctly, your ISP cannot see that you’re using either Monero or Tor, and your VPN provider can only see that you are using Tor but not Monero; however, this has had reported stability issues and has a much more complex setup process.
A popular solution for remotely accessing devices inside your LAN is Tailscale. Tailscale is incredibly simple to use and very user-friendly; however, while most of the Tailscale project is open source, it uses a closed-source coordinator. Those wanting only to use open-source software can replace the coordinator with an open-source alternative named Headscale, which is actually encouraged by the Tailscale team; however, Headscale has a more advanced configuration process, recommended only for users familiar with the command line and networking.
Generally speaking, for users not comfortable with connecting to Monero via clearnet, Tor is the best option due to its simplicity to configure.
Thanks for reading and for participating in the Monero network. Don’t forget to check out my guide to using Agoradesk, in my opinion, the best P2P platform for both the purchase and sale of XMR and bitcoin.