How to set up your own Bitcoin node, Electrum wallet and Server


The second post in this series is up!

So you bought some bitcoin from an exchange, and your privacy is violated… You can practically hear voices coming from the dark corridors of the NSA, throbbing through your ears…

Oof that was intense. Let’s fix this mess… Recommended article on Bitcoin privacy.

This is the first post in a series to reclaim your privacy, autonomy, sovereignity and independence of your coins. The setup I will describe will allow you to connect to your Electrum wallet from any supported Electrum clients (Win/OSX/Linux/Android at the time of writing) through a secure and private connection, remotely.

Why have your own wallet? #

“Not your keys, not your coins” - Andreas M. Antonopoulos

Security #

Exchanges don’t actually allow you to see your keys (a seed phrase phrase being one form of key combination). Whenever you use your exchange to transfer funds (or store them) you are relying on them to keep it safe. This means your coins are not in your custody and belong to the exchange.

Now, you might say, an exchange probably has better security than I ever will, therefore it’s safer to just let their engineers take care of it. Well, as it turns out exchanges being hacked is quite a common occurrence, do, I, need, to, keep going? Anyways, you get the point.

Besides external risks, the actual exchange company owners have the keys to your keys and have every incentive to get them. Also if an investigation into an exchange gets launched, your funds might get frozen.

Probably the best you can do for your crypto security is getting a hardware wallet, I can highly recommend the Trezor Model T, which is stellar and fully open-source. (If you purchase with the link, I get a bit of revenue which helps a lot)

Privacy #

Every single exchange that is not p2p (e.g. Bisq, locally acquiring coins) has KYC/AML requirements, by law. Not only that, chain analysis companies and software are a real thing. If you keep your funds in your exchange wallet, you have no hope of ever anonymizing your Bitcoin (we’ll get to that later). This is also why DEFI (decentralized finance) could be so revolutionary and why decentralized exchanges should be used if your aim is privacy.

In Bisq there’s currently not much liquidity, so expect to lose a bit of coins (~2-5% at the time of writing).

Flexibility #

Having your own wallet not only gives you more privacy and security, but can also gives you more options. For example the Wasabi wallet is a privacy focused wallet, that automagically sets up Tor for you, for network anonymity and provides an easy to use interface for CoinJoins (for cleaning/washing/tumbling coins). Some other features you might like:

  • Lightning network support
  • Bech32 addresses
  • sendtomany (multiple payment outputs)
  • Labeling your transactions
  • Fee controls

And many more…

Recommendations #

Probably the best you can do for your crypto security is getting a hardware wallet, I can highly recommend the Trezor model T, which is stellar and fully open-source. Use this link if you’d like to help my blog out.

I will preface this by saying, that the following process is detailed and is not necessarily required, but I prefer to do things this way for more flexibility. If you are holding your funds in an exchange right now, simply downloading a non-custodial, generally accepted to be good wallet is already a massive improvement. The following steps are not required to hodl your btc. There are very simple to use wallets, such as Pheonix. However, these steps will get us closer to maximal privacy (total privacy/security is never possible) and will provide us with a lot of flexibility.

In this post we’re going to set up a pruned Bitcoin node, an Electrum wallet, with an Electrum Personal Server (EPS) to sync with (as 3rd party electrum servers can violate your privacy and security). Obviously, this will be set up on a *nix system.

In the next posts, I will write about how to securely connect to your remote electrum server with WireGuard VPN, and how to wash/tumble/clean/CoinJoin your coins to effectively make coin analysis software useless and improve bitcoin’s fungibility.

First, we need to get a Bitcoin node up and running.

Bitcoin node #

Any computer that connects to the Bitcoin network is called a node. Nodes that fully verify all of the rules of Bitcoin are called full nodes.

Why? #

  • Privacy
  • Participating in the network’s consensus rules
  • Keeping your funds safe
  • Broadcasting your own transactions in the network

If you believe in the bitcoin project and its decentralized future, and you would like to help, running your own node is the best way of doing that. The more nodes that are being run, the more decentralized and secure the network is. Besides that, the gains are not merely altruistic, there are incentives that I mentioned before - security, privacy and others.

BIG NOTE BEFORE THE NEXT STEPS: I highly recommend you first sync the node with the blockchain on a more powerful device if you are planning to run it on a low-powered device (e.g. a rPI). Synchronizing the initial block download (IBD) on these devices would take forever. Once you finish the IBD you can then rsync (or ftp/scp) your data to your destination device/server.

A pruned node #

Since I will be running my Bitcoin node on a cheap Hetzner VPS cloud instance without much storage, I will run my node in pruned mode. This will allow me to only use ~5GB of storage instead of the normal ~200GB of storage that a non-pruned node normally requires. This means the node will only store the last n blocks on its copy of the blockchain (you can alter the amount of blocks kept in the config).

A Hetzner Cloud CX21 instance.

You can actually run a lot of things on such a cheap instance. Actually you could run your node on an even lower powered one.

Pruned nodes require significantly less storage to run, ~5GB, instead of the normal ~350GB at the time of writing.

The bare minimum requirements to run a bitcoin-core node are:

  • Disk space: 5 GB
  • Download: 150 MB/day (5 GB/month, plus the IBD)
  • Upload: 10 MB/day (300 MB/month)
  • RAM: 256 MB
Pros & Cons of pruning your node

Pros:

  • Lower storage requirements
  • You don’t have store all blockchain database on your computer

Cons:

  • You don’t have a full blockchain database on your computer.
  • Other nodes won’t be able to download blockchain data from your node
  • You have to re-sync your wallet with blockchain if you import a wallet.dat file that contains data synchronized outside the data stored in your prune node.
  • Can’t run full electrum servers, such as Electrs, ElectrumX (you can still run lightweight servers, such as EPS, which we will do later)
  • Can’t run your own Lightning Node (e.g. lnd does not have full support yet)

How to configure Tor and Bitcoin-core for maximal privacy #

I will not go through the details of setting up your own node, as there are countless tutorials on how to do this. However, I will go into how to configure the node and Tor for maximal privacy.

Our goal is to not leak any Bitcoin traffic into the public internet. With this setup, our bitcoin traffic will be routed through the anonymous Tor network, until it finally reaches the public internet.

You need to set the Tor and bitcoin-core configuration before you make the IBD!

Tor configuration #

  1. Install Tor

    On my Ubuntu 20.04 LTS server, I have apt, so:

    sudo apt install tor

  2. Enable and run the Tor systemd service

    sudo systemctl enable --now tor

  3. Edit your tor configuration file

    sudoedit /etc/tor/torrc (make sure $EDITOR is available)

    Uncomment/Add these lines to your config:

    ControlPort 9051
    CookieAuthentication 1
    CookieAuthFileGroupReadable 1
    
    ControlSocket /var/lib/tor/control_socket
    ControlSocketsGroupWritable 1
    DataDirectoryGroupReadable 1
    CacheDirectoryGroupReadable 1 # workaround for tor bug #2691
    
  4. Add your user to the Tor group

    1. Find out what group Tor is part of

      $ groups
      users sudo docker debian-tor
      

      debian-tor is my group.

    2. Add your user to the group

      sudo usermod -a -G TOR_GROUP USER

Bitcoin-core configuration #

Verify the digital signatures of any binaries before running them, or compile from source. Don’t be lazy and risk losing your funds.

  1. Before starting to sync our node, we need to set up some configuration so that we don’t leak any identifying information:

    # Keep the last 550 blocks (the minimum allowed)
    prune=550
    
    daemon=1
    # RPS server needs to be on for EPS
    server=1
    listen=1
    
    proxy=127.0.0.1:9050
    bind=127.0.0.1
    # only connect to Tor hidden services, not even IPv4/IPv6 nodes
    onlynet=onion
    
    # Bitcoin Core will still query for peer addresses via DNS lookup
    # if low on addresses these 2 options disable this functionality.
    dns=0
    dnsseed=0
    
    # we won't actually use the bitcoin-core wallet
    disablewallet=0
    walletbroadcast=0
    

    Now, since we have dns=0 and dnsseed=0, we have to start with some nodes that we can sync from (you can use your own that you can find online, I could theoretically control all of these and be malicious):

    seednode=nkf5e6b7pl4jfd4a.onion:8333
    seednode=f3nyyjba6kpxznhk.onion:8333
    seednode=ptescnygpehx2naf.onion:8333
    seednode=xvopzmni6k6kcgad.onion:8333
    seednode=4tfl37omwlm6oydy.onion:8333
    seednode=tha2oa3jj4ozk437.onion:8333
    
    addnode=aogoxdhf3pnwqs6k.onion:8333
    addnode=y47vymu6jmvltvv2.onion:8333
    addnode=ggdy2pb2avlbtjwq.onion:8333
    addnode=azlvnosmumkfday4.onion:8333
    addnode=hl633ysj3eciraok.onion:8333
    
  2. Now, we need to restart the Tor systemd service:

    sudo systemctl restart tor
    
  3. Log-out and log back into your user to make sure your new user permissions are effective.

    Note: Since we are running our node on Tor, we do not need to forward any ports.

  4. Verify Tor is working

    systemctl status tor

  5. Start bitcoin-core

    bitcoind -listenonion

  6. Verify your node is working properly

    less ~/.bitcoin/debug.log

  7. Wait for your node to finish the IBD… (this might take a while)

Setting up your own Electrum wallet and server #

“If bitcoin is digital gold, then a full node wallet is your own personal goldsmith who checks for you that received payments are genuine.” - Chris Belcher

We will be setting up an Electrum wallet wallet, with EPS. First, we should set up EPS. We aren’t using a full Electrum server, as our node is pruned, otherwise I would use something like Electrs. (If I had the space, I’d also set up a lightning node with LND as well)

  1. Download the software

    1. The latest EPS release
    2. The latest Electrum release
  2. Verify the digital signatures of any binaries before running them, or compile from source. Don’t be lazy and risk losing your funds.

  3. Create a wallet with bitcoin-core for EPS

    bitcoin-cli createwallet electrumpersonalserver true

  4. Extract EPS

  5. Run electrum with these options to stay private

    Normally, electrum will connect to a third-party electrum server, which will leak your IP address and thus, compromise your privacy. So we only let it connect to one server and 10.0.0.1 (my WireGuard server IP). Though you could set it to 127.0.0.1 or localhost if you’re running EPS on the same machine.

    Edit your config in ~/.electrum/config. This is a minimal config for maximized privacy:

    {
      "auto_connect": false,
      "oneserver": true,
      "confirmed_only": true,
      "server": "10.0.0.1:50002:s", <-- replace with your IP
      "skipmerklecheck": true,  <-- this is important if your node is pruned
      "use_rbf": false
    }
    
  6. Create an Electrum wallet, preferrably with a 25th word

    1. Standard Wallet (or multisig for extra security, but that’s out of scope for this guide). However, I highly recommend using a harwdare wallet, like the Trezor model T. Use this link if you’d like to help my blog out.
    2. Create a new seed (or use a hardware device for extra security)
    3. Segwit (cheaper transactions, as they use up less block space)
    4. Write down your 12 seed words, click options and enable the seed extension parameter (back that up too). It is very important that you back these up, as without these, you will not be able to recover your funds. As Electrum states, do not back up your seed phrase anywhere online, for security (unless dealing with insignificant amounts of coins). However, you could keep your seed phrase extension on, e.g. a password manager. This way you can distribute risk and convenience.
    5. Create a password for your wallet (this is only to encrypt your wallet file, it will be lost if you delete your wallet)

    “TL;DR The best way to store bitcoin is to either use a hardware wallet, a multisignature wallet or a cold storage wallet. Have your wallet create a seed phrase, write it down on paper and store it in a safe place (or several safe places, as backups). Ideally the wallet should be backed by your own full node.” Source on how to store your bitcoin.

  7. Edit your EPS config

    1. cp config.ini_sample config.ini

    2. Get your Electrum wallet master public key from the client menu and paste it in the config

      Wallet -> Information

    3. In the [bitcoin-rps], add your wallet name that you created in bitcoin-core

      wallet_filename = electrumpersonalserver

    4. Add your datadir (bitcoin)

      datadir = /home/youruser/.bitcoin

    5. Add your [electrum-server] settings

      broadcast_method = own-node
      
      tor_host = localhost
      tor_port = 9050
      
      # this is my WireGuard server IP
      host = 10.0.0.1
      port = 50002
      

      Host should be localhost or 127.0.0.1 if on the same machine, if not enter the proper host details. I personally connect with my WireGuard VPN (check out this post I wrote about it) with 10.0.0.1 (set on the WireGuard server config). If you are connecting with a VPN, make sure you set some whitelist IPs. Running EPS on a remote server also allows you to connect to your wallet with an Android device, which is why I do that (Android has a WireGuard client, but you could use OpenVPN).

      Another way to connect to your Electrum server is through a ssh tunnel:

      ssh username@host -L 50002:localhost:50002

  8. Install EPS

    pip3 install --user .

  9. Run the electrum personal server

    electrum-personal-server config.ini

  10. Connect Electrum to your EPS

    Tools->Server Make sure your port is in there.

Electrum wallet network connection window.

My wallet connected to my WireGuard VPN.

BOOM! You’re connected! (hopefully)

Side note: EPS can only handle 1 client at a time, so if you want to connect with your Android smartphone, disconnect from your other devices

The Future #

Very importantly, you should get educated, this is a very good article on Bitcoin privacy by Chris Belcher (he also wrote EPS).

In future posts, I will go into detail, on how to set up:

  • WireGuard VPN, to securely connect to your node (and use Dnsmasq to block ads on devices that support WireGuard e.g. smartphones). The post is finished, you can find it here.

  • JoinMarket to wash your coins and break coin analysis software, to make your coins infeasible to track

  • Hardware wallet comparisons - Probably the best you can do for your crypto security is getting a hardware wallet, I can highly recommend the Trezor model T, which is stellar and fully open-source. Use this link if you’d like to help my blog out.

Credits #

The featured picture is by Gioia Best, take a look at her Instagram.


2475 Words

2020-09-01 00:00