[DIY] Exposing electrs and bitcoind over LAN in StartOS 0.3

Until this functionality is included in StartOS (it’s coming, AFAIK), I used the following to expose Electrs and bitcoind to my LAN:

Login to StartOS over SSH and switch to the root user:

sudo -i

Run the following command to switch to the “chrooted” environment; any system changes made from now on will be persisted across reboots.

/usr/lib/startos/scripts/chroot-and-upgrade

Paste the following; it installs ‘socat’ and two new systemd services responsible for forwarding ports 50001 (electrs) and 8332 (bitcoind):

apt install socat -y

cat > /lib/systemd/system/socat.electrs.service <<'EOL'
[Unit]
Description=socat electrs forward
Wants=podman.service
After=podman.service

[Service]
Type=simple
Restart=always
RestartSec=3
# Look up the LAN address at every start. This assumes the "src" address is the
# 9th field of the default route line printed by "ip route", which holds for a
# single DHCP default route; check "ip route | grep default" if socat fails to bind.
ExecStartPre=/bin/bash -c "/bin/systemctl set-environment IP=$(ip route | grep default | awk '{print $9}')"
# Listen only on the LAN address, drop to "nobody" once the socket is bound,
# and forward each connection to electrs on the container network.
ExecStart=/usr/bin/socat tcp-l:50001,fork,reuseaddr,su=nobody,bind=${IP} tcp:electrs.embassy:50001

[Install]
WantedBy=multi-user.target
EOL

cat > /lib/systemd/system/socat.bitcoind.service <<'EOL'
[Unit]
Description=socat bitcoind rpc forward
Wants=podman.service
After=podman.service

[Service]
Type=simple
Restart=always
RestartSec=3
# Same LAN-address lookup as the electrs unit (assumes the "src" address is
# field 9 of the default route line).
ExecStartPre=/bin/bash -c "/bin/systemctl set-environment IP=$(ip route | grep default | awk '{print $9}')"
# Listen only on the LAN address, drop to "nobody", forward to bitcoind's RPC port.
ExecStart=/usr/bin/socat tcp-l:8332,fork,reuseaddr,su=nobody,bind=${IP} tcp:bitcoind.embassy:8332

[Install]
WantedBy=multi-user.target
EOL

systemctl enable socat.bitcoind
systemctl enable socat.electrs

Now exit the chroot environment. Note: this will reboot StartOS!

exit

After the reboot, both ports are exposed on the LAN IP of your StartOS instance.

Also note: electrs on StartOS uses port 50001, which is non-SSL. If your wallet software does not have a separate option/checkbox to enable/disable SSL, you can use the following format to specify a non-SSL connection:

adjective-noun.local:50001:t or ip-address:50001:t

The “:t” after the port means “don’t use SSL”.

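The procedure above, collected into one script as an added example (my code, not remcoros’ post and not anything shipped with StartOS). It keeps the thread’s ExecStartPre/set-environment pattern and the su=nobody drop, but finds the LAN address by locating the src keyword of the first IPv4 default route instead of assuming it is the ninth field, makes ExecStartPre fail when no address is found so systemd never reaches ExecStart with an empty bind=, generates one unit per service from a small table, and adds a post-reboot check that the listener is bound to the LAN address only. The function names, the SERVICES table format and the --install flag are my assumptions; the ports and *.embassy hostnames are the ones from the post, and the units order after docker.service, which is the name the thread reports as validated.

```bash
#!/bin/bash
# Added example, not from the original post or from StartOS: generate and enable
# socat LAN-forwarding units from a small table. Assumptions (mine): the function
# names, the SERVICES format, the --install flag, and that units are written to
# /lib/systemd/system as in the post. Run as root inside chroot-and-upgrade.
set -eu

# name:listen_port:container_hostname, one forward per line. The ports and
# *.embassy hostnames are the ones given in the post.
SERVICES='
electrs:50001:electrs.embassy
bitcoind:8332:bitcoind.embassy
'

# Container runtime unit to order after; the thread reports the units were
# validated with docker.service (the first post shows podman.service).
RUNTIME_UNIT=docker.service

# Print the source address of the first IPv4 default route by locating the "src"
# keyword instead of assuming it is the 9th field of "ip route" output. Reads
# route lines on stdin so it can be exercised on a constructed sample; prints
# nothing when no default route carries a src address.
lan_ip_from_routes() {
    grep -oE 'src [0-9.]+' | grep -oE '[0-9.]+' | head -n 1
}

# Render a unit that listens on LAN_IP:PORT and forwards to TARGET:PORT on the
# container network. ExecStartPre runs the same lookup as lan_ip_from_routes and
# exits non-zero when it finds nothing, so systemd never reaches ExecStart with
# an empty bind= address. The quoting is deliberate: the whole -c script is one
# single-quoted word containing no "${", so systemd passes it through untouched.
render_unit() {
    local name=$1 port=$2 target=$3
    cat <<EOF
[Unit]
Description=socat $name forward (LAN:$port -> $target:$port)
Wants=$RUNTIME_UNIT
After=$RUNTIME_UNIT

[Service]
Type=simple
Restart=always
RestartSec=3
ExecStartPre=/bin/bash -c 'IP=\$(ip -4 route show default | grep -oE "src [0-9.]+" | grep -oE "[0-9.]+" | head -n 1); [ -n "\$IP" ] && /bin/systemctl set-environment IP="\$IP"'
ExecStart=/usr/bin/socat tcp-l:$port,fork,reuseaddr,su=nobody,bind=\${IP} tcp:$target:$port

[Install]
WantedBy=multi-user.target
EOF
}

# Write one unit per SERVICES line and enable it.
install_units() {
    printf '%s\n' "$SERVICES" | while IFS=: read -r name port target; do
        [ -n "$name" ] || continue
        render_unit "$name" "$port" "$target" > "/lib/systemd/system/socat.$name.service"
        systemctl enable "socat.$name"
    done
}

# Post-reboot check. Given "ss -ltnH" output on stdin, print the local
# address:port a listener on PORT is bound to; expect the LAN address here,
# not 0.0.0.0 or [::], which would mean the forwarder is reachable on every interface.
listener_address() {
    awk -v p=":$1" '{ n = split($4, a, ":"); if ((":" a[n]) == p) { print $4; exit } }'
}

if [ "${1:-}" = "--install" ]; then
    install_units
fi
```

Run it with --install as root inside chroot-and-upgrade, then exit to reboot. Afterwards, source the script and pipe `ss -ltnH` into `listener_address 50001` (and 8332): anything other than the LAN address means the bind= did not take and the port is open on every interface.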

Hey thanks for the tutorial, I find it easy to implement. Quick question: Is it okay not to use SSL in a local LAN, even if it’s your home LAN when you don’t necessarily trust every device connected to it?

Theoretically, without SSL, someone within your LAN “could” set up a middleman attack and listen in on the traffic. Highly unlikely, but that’s something you have to decide for yourself.

Awesome, thanks for posting this… so much better than having to create an SSH tunnel every time I wanted to run Sparrow.

I assume this can be done for any/all other services? Where is the list of service names and their ports? I’m considering doing this for Vaultwarden so I can port forward my router to my Start9 box for non-Tor access to Vaultwarden on the go.

After executing the command I got the following in console:

THIS IS NOT A STANDARD DEBIAN SYSTEM
USING apt COULD CAUSE IRREPARABLE DAMAGE TO YOUR START9 SERVER
PLEASE TURN BACK NOW!!!

If you are SURE you know what you are doing, and are willing to accept the DIRE CONSEQUENCES of doing so, you can run the following command to disable this protection:
    sudo rm /usr/local/bin/apt

Otherwise, what you probably want to do is run:
    sudo /usr/lib/startos/scripts/chroot-and-upgrade
You can run apt in this context to add packages to your system.
When you are done with your changes, type "exit" and the device will reboot into a system with the changes applied.
This is still NOT RECOMMENDED if you don't know what you are doing, but at least isn't guaranteed to break things.

Is that Ok?

I haven’t followed any of the suggestions from this message and just executed the next command, “exit”.

After that StartOS didn’t reboot and electrs is still not accessible via LAN.
I rebooted StartOS manually, but after the reboot electrs is still not accessible via LAN.

For now I don’t know whether the changes have actually been made or not.

Could you help?

You probably forgot to first execute the command: “/usr/lib/embassy/scripts/chroot-and-upgrade”.

If you didn’t do that, but still made changes to the system, they will be lost on reboot.

No, I executed it.

Here is the full console:

sudo -i
/usr/lib/embassy/scripts/chroot-and-upgrade
root@xxx-yyy:~# apt install socat -y
cat > /lib/systemd/system/socat.electrs.service <<'EOL'
[Unit]
Description=socat electrs forward
Wants=docker.service
After=docker.service

[Service]
Type=simple
Restart=always
RestartSec=3
ExecStartPre=/bin/bash -c "/bin/systemctl set-environment IP=$(ip route | grep default | awk '{print $9}')"
ExecStart=/usr/bin/socat -dd tcp-l:50001,fork,reuseaddr,bind=${IP} tcp:electrs.embassy:50001

[Install]
WantedBy=multi-user.target
EOL
cat > /lib/systemd/system/socat.bitcoind.service <<'EOL'
[Unit]
Description=socat bitcoind rpc forward
systemctl enable socat.electrsdp-l:8332,fork,reuseaddr,bind=${IP} tcp:bitcoind.e
THIS IS NOT A STANDARD DEBIAN SYSTEM
USING apt COULD CAUSE IRREPARABLE DAMAGE TO YOUR START9 SERVER
PLEASE TURN BACK NOW!!!

If you are SURE you know what you are doing, and are willing to accept the DIRE CONSEQUENCES of doing so, you can run the following command to disable this protection:
sudo rm /usr/local/bin/apt

Otherwise, what you probably want to do is run:
sudo /usr/lib/startos/scripts/chroot-and-upgrade
You can run apt in this context to add packages to your system.
When you are done with your changes, type "exit" and the device will reboot into a system with the changes applied.
This is still NOT RECOMMENDED if you don't know what you are doing, but at least isn't guaranteed to break things.

Created symlink /etc/systemd/system/multi-user.target.wants/socat.bitcoind.service → /lib/systemd/system/socat.bitcoind.service.
Created symlink /etc/systemd/system/multi-user.target.wants/socat.electrs.service → /lib/systemd/system/socat.electrs.service.
root@xxx-yyy:~# exit
logout
-bash: /usr/lib/embassy/scripts/chroot-and-upgrade: No such file or directory

After executing the “chroot-and-upgrade” command, you should see that it is syncing the embassy filesystem. Make sure to run this command first, before pasting the rest of the commands.

You can check if you are in the ‘chrooted’ environment, by running “apt”. If you see the big warning message, you are NOT in the chrooted environment and any changes will be lost on reboot.

I just checked, it seems in the last 0.3 update, the location of the script changed.

Execute “/usr/lib/startos/scripts/chroot-and-upgrade” first. I updated the instructions in the first post.

Thanks.

I did this:

start9@xxx-yyy:~$ sudo -i
/usr/lib/startos/scripts/chroot-and-upgrade
root@xxx-yyy:~# apt install socat -y
cat > /lib/systemd/system/socat.electrs.service <<'EOL'
[Unit]
Description=socat electrs forward
Wants=docker.service
After=docker.service

[Service]
Type=simple
Restart=always
RestartSec=3
ExecStartPre=/bin/bash -c "/bin/systemctl set-environment IP=$(ip route | grep default | awk '{print $9}')"
ExecStart=/usr/bin/socat -dd tcp-l:50001,fork,reuseaddr,bind=${IP} tcp:electrs.embassy:50001

[Install]
WantedBy=multi-user.target
EOL
cat > /lib/systemd/system/socat.bitcoind.service <<'EOL'
[Unit]
Description=socat bitcoind rpc forward
Wants=docker.service
After=docker.service

[Service]
Type=simple
Restart=always
RestartSec=3
ExecStartPre=/bin/bash -c "/bin/systemctl set-environment IP=$(ip route | grep default | awk '{print $9}')"
ExecStart=/usr/bin/socat -dd tcp-l:8332,fork,reuseaddr,bind=${IP} tcp:bitcoind.embassy:8332

[Install]
WantedBy=multi-user.target
EOL
systemctl enable socat.bitcoind
systemctl enable socat.electrs
THIS IS NOT A STANDARD DEBIAN SYSTEM
USING apt COULD CAUSE IRREPARABLE DAMAGE TO YOUR START9 SERVER
PLEASE TURN BACK NOW!!!

If you are SURE you know what you are doing, and are willing to accept the DIRE CONSEQUENCES of doing so, you can run the following command to disable this protection:
sudo rm /usr/local/bin/apt

Otherwise, what you probably want to do is run:
sudo /usr/lib/startos/scripts/chroot-and-upgrade
You can run apt in this context to add packages to your system.
When you are done with your changes, type "exit" and the device will reboot into a system with the changes applied.
This is still NOT RECOMMENDED if you don't know what you are doing, but at least isn't guaranteed to break things.

Created symlink /etc/systemd/system/multi-user.target.wants/socat.bitcoind.service → /lib/systemd/system/socat.bitcoind.service.
Created symlink /etc/systemd/system/multi-user.target.wants/socat.electrs.service → /lib/systemd/system/socat.electrs.service.
root@xxx-yyy:~# exit
logout
Must be run as root

After that rebooted manually and still cannot connect to the server locally.

Not sure what’s happening then. Looking at your output, you are still not in the chrooted environment.

Make sure to get this working first:

sudo -i
/usr/lib/startos/scripts/chroot-and-upgrade

It shows some “Syncing…” progress now

apt

Last command should show regular apt help output. If you still get the warning message, then it looks like you have a non-standard installation or something, and I don’t know anymore :slight_smile:

This command didn’t work:

sudo -i
/usr/lib/startos/scripts/chroot-and-upgrade

However if I split it in two and executed one by one:
sudo -i
and
/usr/lib/startos/scripts/chroot-and-upgrade

it works!


Great! I updated the instructions to make this a bit clearer.


This is awesome, thanks!

Might I suggest ,su=nobody (or some other unprivileged user) on your socat tcp-ls

Good suggestion! Updated.

where is the list of services names and their ports?

Each service will list its interfaces under Services > The Service > Interfaces (and possibly under Properties).

I assume this can be done for any/all other services?

This particular socat method will only work for non http(s) services.

I’m considering doing this for Vaultwarden so I can port forward my router to my Start9 box for non-Tor access to Vaultwarden on the go.

Unfortunately it’s not that simple for web services – you would need at the very least the host header that specifies the .local name of each service, necessitating a reverse proxy that can modify/add http headers, at least as things stand currently, for each service interface you want to forward that uses http(s).

Starting in StartOS v0.3.6, services are moving to IP:port to facilitate port forwarding. Currently there’s no release date yet, but it’s in development. So luckily we won’t even need this socat service much longer.

Ah ok, makes sense. Thanks for the response. I set it up for electrs per your instructions and it worked beautifully. Thanks!

Hi team, I’m looking for some clarity about the docker commands that are referenced in this script. Given StartOS migrated to podman as of v0.3.5, how is it that the docker commands would still support the desired behavior here?

We have a user reporting that when they attempted replacing the commands

Wants=docker.service
After=docker.service

with

Wants=podman.service
After=podman.service

Socat freezes up and is sporadic at best. Waiting to learn more about if the user attempts to use the original docker commands as laid out in @remcoros’ first post, but documenting the above for visibility/discussion. Thanks!

Hi everyone, just following up to confirm that we had a couple of team members test out & validate the original script with the docker commands rather than the podman ones.

For further context/discussion: Core Lightning with Tor AND IPv4 clearnet

I was the user. Confirm, it works with docker.service too. Seems my issue was just that it took a long time to initialize electrs