Saturday 8 June 2019

AMA/Tutorial: Run a full node on AWS free tier with local LAN storage

This is a tutorial/AMA on how you can be running a full node, in the AWS cloud, for very low cost or even free.

I used to run a node on my local network but there is a problem with this; your public IP is broadcast, and then it gets associated with Bitcoin. Node owners are likely to own Bitcoin, and this raises your personal threat profile, validated against my IDS/IPS logs.

Run a VPN? Many VPNs are automatically blocked, or sketchy. Tor is also blocked on a large portion of the internet. Neither provides you with a real static IP, and having one helps out the network.

There is an easy solution to this: run a node on the AWS free tier, and use an Elastic IP so you have a static address. Bandwidth in is free and bandwidth out is low cost, and you can easily control how much of it you use, and so control your spending. The problem is that Amazon charges a LOT for online storage, and even with a 1MB block size the blockchain is very large and growing steadily! We mitigate this by using a VPN back to your network, where you can store the blockchain on an SMB share.

It is not complicated to do, but there are very many moving pieces to keep track of and configure. In order to fully trust your node, the best way is to build it from scratch. This is my goal in walking you through the process.

There are lots of ways to accomplish this same task; I only want to present one that works, and you can go from there. Once you have access to the blockchain in the cloud for reasonable prices, you can also look at things like the Lightning Network.

This article makes four major assumptions:

  1. That you have an OpenVPN server on your network and know how to configure it. I use pfSense and OpenVPN; others will work just as well, but you'll need to do a little work to figure out the particulars. If you don't know how, do not fret! There are loads of good tutorials for just about every platform. Or ask below. I also limited the user with access to the share at the firewall specifically to the IP hosting the share to lower the threat envelope.
  2. That you have the blockchain downloaded locally and reasonably up to date. If you don't, head on over to bitcoin.org and download it for OSX, Windows or Linux, whatever you use for your workstation. Follow the directions to set up the software and download/synchronize it to the network. This will take a while! Once you've synchronized, copy the data directory to the SMB share you want the AWS instance to access. You could also synchronize everything directly on AWS, but it will likely take longer and may cost a bit for the bandwidth.
  3. That you're on Windows. OSX and Linux will have slightly different processes to connect to the instance via the terminal and SSH. If you need help, ask, and I am sure we can get you fixed up.
  4. That you've read the excellent bitcoin.org full node tutorial here: https://bitcoin.org/en/full-node

With that, on with the show!

First: Head on over to https://aws.amazon.com/ and make yourself an account.

Once you've set up you'll need to start the process of creating a virtual machine on AWS. Look for this graphic and click on it:

Start by launching a new machine

Follow the rabbit hole, and you'll be looking to create a plain jane Amazon AMI Linux instance. It looks like this:

Pick the basic AMI instance

Keep in mind you want to pick the x86 version, which is the default.

Continue clicking, you'll want to select the t2.micro instance that is eligible for the free tier for new accounts.

Pick the free tier. You can also upgrade to the next size up for more RAM, but the micro works for now.

Now, you're going to need a way to connect to your soon-to-be-created node in the cloud. Amazon uses SSH keys to do this, so the next step means you're going to make some. You need to save this file, as if you lose it, you won't be able to access your node anymore. Much like your wallet private keys!

Beware losing your keys!

If you've made it this far, you're almost launched!

Now we need to convert the key to a format that we can use to connect to the instance from Windows. I recommend PuTTY (https://www.putty.org/) if you don't have it already; if you're on OSX or Linux, you likely have what you need already.

Follow the guide here to get connected: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html

Next you'll need to set up an opening in the firewall if you want incoming connections. This is done by adding a rule to the security group in the "Network and Security" section; edit it to look like this:

Change the inbound security rules for the instance to accept incoming connections on 8333.

The hard part is over!

Optional: Configuring a static IP. Amazon calls their implementation "elastic" IPs, but it's really a static IP that you can move around between instances very easily. It will ensure your public address on AWS does not change; it isn't required, but it is better if you intend to allow outgoing connections.

Go back to the main dashboard display.

In "Network and Security", click on "Elastic IPs".

Select Allocate New Address (blue button on top) and then select it in the table. In actions, you will see "Associate Address". Select this then assign the address to the instance you have previously configured. Done!

Next up: Log into your machine, and immediately update everything. Use the IP provided by Amazon, or the Elastic IP if you assigned one to the instance in the last step.

type: "sudo yum update"

Now, let's get the VPN configured.

First step is to install OpenVPN. We need to install the extended package library to do this.

type: "sudo amazon-linux-extras install epel"

type: "sudo yum-config-manager --enable epel"

Now you can install OpenVPN.

type: "sudo yum install openvpn"

You will need your credential file from OpenVPN; it's a file you generate that has a .ovpn extension, and you're going to need to upload it to the instance. You can do this with the scp command on OSX or Linux, but if you're on Windows, you'll need another utility. Get WinSCP here: https://winscp.net/eng/download.php

We'll have to tell WinSCP where your key file is so you can log in. Select "New Session", then use the same IP and username as you did to connect before. Then select the "Advanced" tab, and under the SSH section click on "Authentication" and select the private key file you generated in the tutorial above.

Connect and upload the .ovpn file that you generated when you added a user for the VPN. This step depends on your OpenVPN configuration - ask below if you have problems.

Next, let's verify we can connect to the VPN!

type: "sudo openvpn --config my-configuration-file-made-by-openvpn.ovpn &" (OpenVPN needs root to create the tun interface)

You will be prompted for a password if you configured one.

Verify operation by pinging your LAN router, e.g.

type: "ping 192.168.2.1" or the address of the SMB server where you shared the information.

Allllrighty! Next up is getting connected to your blockchain. Create a directory where the data directory will be mounted.

type: "mkdir blockchain"

We need to install samba and some utilities to get things mounted.

type: "sudo yum install samba"

type: "sudo yum install cifs-utils"

Now let's mount the folder:

type: "sudo mount -t cifs //192.168.2.100/Bitcoin ./blockchain -o user=bitcoin,vers=2.0,uid=ec2-user,gid=ec2-user,file_mode=0777,dir_mode=0777"

Where "//192.168.2.100/Bitcoin" is the address of the SMB server and share where you put the data directory from your initial sync. If you didn't, and just want to sync everything from AWS, then make sure it's a folder where your user has access. In this case, I'm assuming you've made an SMB user with the name "bitcoin". The command will prompt you for the password to access the share. The other options ensure you have read and write access to the share once it's mounted in AWS; note that file_mode/dir_mode 0777 makes the mounted files readable and writable by every account on the instance, and since only ec2-user needs access, 0600/0700 is sufficient.

Now we're ready for some Bitcoin! Props to the tutorial here: https://hackernoon.com/a-complete-beginners-guide-to-installing-a-bitcoin-full-node-on-linux-2018-edition-cb8e384479ea

But I'll summarize for you:

Download the most current Bitcoin Core and re-upload it with WinSCP, or download it directly to your instance with wget. In this case, it's bitcoin-0.18.0-i686-pc-linux-gnu.tar.gz downloaded from https://bitcoin.org/en/bitcoin-core/.

Let's verify it hasn't been tampered with once it is on the instance:

type: "sha256sum bitcoin-0.18.0-i686-pc-linux-gnu.tar.gz"

Then compare that with the hash value that's listed in the SHA256SUMS.asc file on bitcoin.org. In this case, "36ce9ffb375f6ee280df5a86e61038e3c475ab9dee34f6f89ea82b65a264183b" all matches up, so we know nobody has done anything evil or nefarious to the file. Keep in mind that a matching hash only proves the tarball agrees with a sums file served from the same site; verifying the PGP signature on SHA256SUMS.asc against the Bitcoin Core release signing key, obtained from an independent source, is what ties the download to the developers.
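As an added example (not from the original post), the two checks above as shell functions: one compares the tarball's sha256 against its entry in SHA256SUMS.asc and distinguishes "mismatch" from "not listed", the other accepts the sums file only if gpg reports a valid signature from the expected key. The fingerprint is a placeholder you must obtain out of band.

```shell
#!/bin/bash
# Check a downloaded Bitcoin Core tarball against SHA256SUMS.asc, then check
# who signed that file. Added example, not from the original post; the key
# fingerprint is a placeholder you must obtain from an independent source.
set -u

# Return 0 if sha256 of the tarball ($1) equals the entry for its file name in
# the sums file ($2); 1 on mismatch; 2 if the file is not listed at all.
verify_tarball_sum() {
    tarball="$1"; sums="$2"; name=$(basename "$tarball")
    # Lines look like "<hex>  <file>" (a leading "*" marks binary mode in some sum files)
    expected=$(awk -v f="$name" '$2 == f || $2 == ("*" f) { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 2
    fi
    actual=$(sha256sum "$tarball" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK $name $actual"
        return 0
    fi
    echo "MISMATCH $name: listed $expected, computed $actual" >&2
    return 1
}

# Return 0 only if gpg reports a valid signature on the clearsigned sums file
# from exactly the expected key fingerprint ($2). A matching hash alone only
# proves the tarball agrees with a file served from the same site.
verify_sums_signature() {
    sums="$1"; fpr="$2"
    gpg --status-fd 1 --verify "$sums" 2>/dev/null | grep -q "^\[GNUPG:\] VALIDSIG $fpr "
}

# Example invocation (file names from the post; the fingerprint is a placeholder):
#   verify_tarball_sum bitcoin-0.18.0-i686-pc-linux-gnu.tar.gz SHA256SUMS.asc
#   verify_sums_signature SHA256SUMS.asc RELEASE_SIGNING_KEY_FINGERPRINT_HERE
```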

Unzip the file:

type: "tar zxvf bitcoin-0.18.0-i686-pc-linux-gnu.tar.gz"

There is a warning about a symbolic link; everything seems to work OK regardless, but if anyone knows what or how to fix, please comment.

We'll need to get some missing libraries before we can run it; these aren't in the basic AMI instance.

type: "sudo yum install glibc.i686"

type: "sudo yum install libgcc_s.so.1"

FINALLY! We are ready to launch the program. Go to the "bin" directory inside where you unzipped the Bitcoin Core tarball. (e.g. /home/ec2-user/blockchain/bitcoin-0.18.0/bin)

./bitcoind -datadir=/home/ec2-user/blockchain/data

You will see the program either start to sync and download, or start to read the existing blockchain file that you put in the share from before.

Congrats!

There are a couple extra steps to have it automatically start on reboot, but let's see if anyone gets this far first. I use the "screen" program to do this, but there's also a daemon mode, and some other functionality that is discussed in the hackernoon tutorial.
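As an added example (not from the original post), a launcher script to run as root at boot that ties the VPN, mount and bitcoind steps above together, uses a CIFS credentials file and tighter file modes instead of an interactive password and 0777, and refuses to start bitcoind if the share is not actually mounted (otherwise bitcoind would begin a fresh sync onto the instance disk). The .ovpn path, credentials file path and script layout are assumptions; the share address and directories are taken from the post.

```shell
#!/bin/bash
# Boot-time launcher: bring up the VPN, mount the share, then start bitcoind.
# Added example, not from the original post. Run as root (e.g. from a systemd unit).
set -u

OVPN_CONF=/home/ec2-user/node.ovpn      # assumed path to the uploaded .ovpn file
SHARE=//192.168.2.100/Bitcoin           # share address from the post
SMB_HOST=192.168.2.100
MNT=/home/ec2-user/blockchain
CREDS=/root/.smbcredentials             # assumed; "username=bitcoin" / "password=..." lines, mode 0600
BITCOIND=$MNT/bitcoin-0.18.0/bin/bitcoind

# A synced data directory contains these subdirectories; if they are missing,
# the share is not mounted and bitcoind would start a full resync onto the instance disk.
datadir_ready() {
    [ -d "$1/blocks" ] && [ -d "$1/chainstate" ]
}

# Wait up to $2 seconds (default 60) for a host to answer ping, i.e. the VPN route is up.
wait_for_host() {
    n=0
    until ping -c 1 -W 1 "$1" > /dev/null 2>&1; do
        n=$((n + 1)); [ "$n" -lt "${2:-60}" ] || return 1
        sleep 1
    done
}

# Mount once; uid/gid hand ownership to ec2-user, and 0600/0700 (instead of
# 0777) keep other accounts on the instance away from the data directory.
mount_share() {
    mountpoint -q "$MNT" || mount -t cifs "$SHARE" "$MNT" \
        -o credentials="$CREDS",vers=2.0,uid=ec2-user,gid=ec2-user,file_mode=0600,dir_mode=0700
}

main() {
    openvpn --config "$OVPN_CONF" --daemon
    wait_for_host "$SMB_HOST" 60 || { echo "VPN did not bring $SMB_HOST into reach" >&2; exit 1; }
    mount_share || { echo "mounting $SHARE failed" >&2; exit 1; }
    datadir_ready "$MNT/data" || { echo "$MNT/data has no blocks/chainstate; refusing to start" >&2; exit 1; }
    sudo -u ec2-user "$BITCOIND" -datadir="$MNT/data" -daemon
}

if [ "${1:-}" = run ]; then main; fi
```

Invoke as `start-node.sh run`; the functions can also be sourced for testing.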

The primary cost will be outgoing bandwidth. AWS charges $0.10/GB beyond 15GB; you can limit the outgoing bandwidth easily according to your budget: https://bitcoin.org/en/full-node#reduce-traffic

Hope this encourages people to try running a free, or very low cost, cloud node, with a substantially reduced threat profile.



Submitted June 08, 2019 at 02:04AM by xtal_00 http://bit.ly/2WwPDtu
