[DIY] Exposing electrs and bitcoind over LAN in StartOS 0.3

Until this functionality is included in StartOS (it's coming, afaik), I used the following to expose electrs and bitcoind to my LAN:

Log in to StartOS over SSH, switch to the root user and run the chroot command:

sudo -i
/usr/lib/embassy/scripts/chroot-and-upgrade

Paste the following; it will install socat and two new systemd services responsible for forwarding port 50001 (electrs) and port 8332 (bitcoind):

# socat does the TCP relaying between the LAN interface and the service containers
apt install socat -y

cat > /lib/systemd/system/socat.electrs.service <<'EOL'
[Unit]
Description=socat electrs forward
Wants=docker.service
After=docker.service

[Service]
Type=simple
Restart=always
RestartSec=3
# Look up the LAN address of the default route at start and store it in IP,
# so the listener below binds only to that address, not to every interface
ExecStartPre=/bin/bash -c "/bin/systemctl set-environment IP=$(ip route | grep default | awk '{print $9}')"
# Listen on LAN:50001 and relay each connection to the electrs container
ExecStart=/usr/bin/socat -dd tcp-l:50001,fork,reuseaddr,bind=${IP} tcp:electrs.embassy:50001

[Install]
WantedBy=multi-user.target
EOL

cat > /lib/systemd/system/socat.bitcoind.service <<'EOL'
[Unit]
Description=socat bitcoind rpc forward
Wants=docker.service
After=docker.service

[Service]
Type=simple
Restart=always
RestartSec=3
# Same LAN-address lookup as for the electrs unit
ExecStartPre=/bin/bash -c "/bin/systemctl set-environment IP=$(ip route | grep default | awk '{print $9}')"
# Listen on LAN:8332 and relay each connection to the bitcoind container's RPC port
ExecStart=/usr/bin/socat -dd tcp-l:8332,fork,reuseaddr,bind=${IP} tcp:bitcoind.embassy:8332

[Install]
WantedBy=multi-user.target
EOL

# Start both forwarders automatically on every boot
systemctl enable socat.bitcoind
systemctl enable socat.electrs

Now exit the chroot environment. Note: this will reboot StartOS!

exit

After rebooting, both ports are exposed on the LAN IP of your StartOS instance.
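As an added example (not code from the original post), the script below generalises the two hand-written units above into a function that writes one for any service name and port, assuming the container is reachable as <name>.embassy on the same port exactly as electrs.embassy and bitcoind.embassy are, and adds a check that reads `ss -ltn` output to confirm a forwarded port is bound to the LAN address rather than to 0.0.0.0 on all interfaces:

```shell
#!/bin/sh
# Added example, not code from the original post. Generalises the two hand-written
# units above: make_socat_unit writes one for any service, and check_lan_only reads
# `ss -ltn` output to confirm the forwarded port is bound to the LAN address only.
# Assumption: the container is reachable as <name>.embassy on the same port, as
# electrs.embassy and bitcoind.embassy are in the post.

# make_socat_unit NAME PORT [UNIT_DIR]: write UNIT_DIR/socat.NAME.service and print its path
make_socat_unit() {
    name=$1; port=$2; unit_dir=${3:-/lib/systemd/system}
    case $name in ''|*[!a-z0-9-]*) echo "bad service name: $name" >&2; return 1;; esac
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1;; esac
    unit="$unit_dir/socat.$name.service"
    cat > "$unit" <<EOF
[Unit]
Description=socat $name forward
Wants=docker.service
After=docker.service

[Service]
Type=simple
Restart=always
RestartSec=3
# Discover the LAN address at start so socat binds only to it, not to 0.0.0.0
ExecStartPre=/bin/bash -c "/bin/systemctl set-environment IP=\$(ip route | grep default | awk '{print \$9}')"
ExecStart=/usr/bin/socat -dd tcp-l:$port,fork,reuseaddr,bind=\${IP} tcp:$name.embassy:$port

[Install]
WantedBy=multi-user.target
EOF
    echo "$unit"
}

# check_lan_only PORT: read `ss -ltn` on stdin; succeed only if PORT has a listener
# and none of its listeners sit on a wildcard address (0.0.0.0, *, [::])
check_lan_only() {
    awk -v p="$1" '
        NR > 1 && $4 ~ (":" p "$") { n++; if ($4 ~ /^(0\.0\.0\.0|\*|\[::\]):/) bad++ }
        END { if (n == 0 || bad > 0) exit 1; exit 0 }'
}

# Constructed sample of `ss -ltn` output; on the box itself run:
#   ss -ltn | check_lan_only 50001 && echo "50001 is bound to the LAN address only"
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   192.168.1.10:50001  0.0.0.0:*
LISTEN 0      4096   192.168.1.10:8332   0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'
```

Run make_socat_unit inside the chroot as root to write straight into /lib/systemd/system, then enable the unit as above; check_lan_only is meant for after the reboot.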

Also note: electrs on StartOS uses port 50001, which is non-SSL. If your wallet software does not have a separate option/checkbox to enable or disable SSL, you can use the following format to specify a non-SSL connection:

adjective-noun.local:50001:t or ip-address:50001:t

The ":t" after the port means "don't use SSL".


Hey, thanks for the tutorial, I find it easy to implement. Quick question: is it okay not to use SSL in a local LAN, even if it's your home LAN, when you don't necessarily trust every device connected to it?

Theoretically, without SSL, someone within your LAN “could” set up a middleman attack and listen in on the traffic. Highly unlikely, but that’s something you have to decide for yourself.

Awesome, thanks for posting this… so much better than having to create an SSH tunnel every time I wanted to run Sparrow.

I assume this can be done for any/all other services? Where is the list of service names and their ports? I'm considering doing this for Vaultwarden so I can port forward my router to my Start9 box for non-Tor access to Vaultwarden on the go.