Support

Frequently Asked Questions

Answers to common questions about TunnelSats, Lightning Network, and VPN configuration.

Q.Tunnel⚔Sats - Introduction

Why should I use this service?

Providing Lightning ⚔ Services is about privacy, reliability, connectivity, speed, and liquidity. Relying on Tor alone for node connectivity poses risks regarding network stability, as many node runners can testify.

With Hybrid[1] connectivity, your payment and routing services are faster and more reliable. However, using your home IP exposes your approximate location and opens your node to potential attacks.

Tunnel⚔Sats offers the best of both worlds. Your node and home IP remain hidden behind Tor, while our VPS public IP acts as your node's public face. This setup typically results in higher reliability, improved uptime, fewer offline peers, and better routing performance.

Why choose Tunnel⚔Sats over other VPN providers?

Running a lightning node behind a VPN requires specific features that general public VPN providers usually do not offer. Tunnel⚔Sats is designed specifically for the lightning node use case:

  • Anonymous Payment: Pay via Lightning (we do not know the sender).
  • Static VPN IP: No disconnects due to changing IPs and no Dynamic DNS hassle.
  • Static Forwarded Ports: We assign a specific port to your node config.
  • Secure Tunnels: Quantum-safe VPN tunnels using pre-shared keys.
  • Split-Tunneling: We exclude everything except lightning P2P traffic from the VPN. Unlike "Tor over VPN," this ensures redundancy: if Tor goes down, the VPN remains active, and vice versa.

Polarity Diagram

How do I know what value I get from subscribing?

Value is subjective, but we recommend monitoring your latency, uptime, and routing volume week-over-week. You should observe fewer offline peers and improved connectivity compared to a Tor-only setup.

What does the connection setup look like?

Below is a flowchart comparing a Tor-only setup versus the Tunnel⚔Sats hybrid setup.

Flowchart Diagram

What can be found in the "My Dashboard" section?

After logging in with your Nostr extension (e.g. Alby, nos2x) you will find:

  • Subscription Details: Exact expiry date and plan status.
  • Easy Renewal: A streamlined renewal process.
  • Referral Link: Your unique link to earn free months.
  • API Key Management: Access to your API keys and configuration details.

Q.Trust & Safety Measures

What services are used?

  • Payment Backend: LNbits.
  • VPN Endpoints: Rented virtual servers from DigitalOcean (EU, Asia, NA), Hetzner (EU), and Vultr (LatAm).
  • Management: WireGuard Manager and API for secure account handling.
  • Monitoring: A fork of upptime running from our repository. Response times are gathered via Global Ping.

What about data storage and privacy?

Website: We use internal essential cookies for session management only (authentication). We do not use any third-party, tracking or marketing cookies. We stick to a strict privacy policy where only the first two octets of IP addresses are stored in web server logs (e.g., 1.12.123.234 becomes 1.12.0.0).

Login & Accounts: We allow users to log in to manage their subscription conveniently.

  • We are anonymity-first: Accounts are created using a secure npub (Nostr Public Key).
  • We store this npub to associate your subscription with you.
  • No email, password, or personal data is required. This allows you to retrieve your subscription info across devices or browsers securely.

VPN Endpoints: We store WireGuard public keys, pre-shared keys, forwarded ports, and total bandwidth used. Note: While a connection is active, the client's IP address must be held in memory to maintain the tunnel, but we never write it to disk.

Payments: Since payments are via Lightning, we do not know the source of the funds, only that an invoice was paid.

Notifications & Privacy: The Notifications dashboard tab allows you to manage how we communicate with you.

  • Encrypted Storage: Any email address you provide is stored salted and encrypted in our database using your session key. We cannot read your email without your active session.
  • Strict Opt-out: You can toggle "Disable Notifications" to permanently opt-out. This clears your email from our system and prevents any future automated synchronization during purchases or key linking.
  • Failures Only: We primarily use your email for automated renewal failure alerts and essential subscription recovery. We do not send marketing newsletters or spam.

Is your service reliable?

We use premium VPS services with proven high uptime (99.99%) and distribute servers across different providers for redundancy. Our systems are monitored with alert mechanisms covered by three operations engineers.

Do you store my data?

We do not log IPs in our web server access data. For greater anonymity, you can visit our onion site: http://tunnelpasz3fpxhuw6obb5tpuqkxmcmvqh7asx5vkqfwe7ix74ry22ad.onion

We do not store packets or logfiles from your node once the tunnel is established. We only store:

  1. The payment hash (for accounting).
  2. Your node's IP in volatile memory (RAM) only while the tunnel is active.

Important: Save your WireGuard configuration file immediately. We cannot retrieve it for you later.


Q.Prerequisites & Installation

Which setups are supported?

We have successfully tested the following:

  • RaspiBlitz (LND / CLN) v1.8.0+
  • Umbrel-OS (LND) on Raspberry Pi
  • Umbrel-OS (CLN - requires tech-savviness) on Raspberry Pi
  • myNode (LND) v0.3+
  • RaspiBolt (LND / CLN) - See Pre-Check

For other setups, please contact us on Telegram to discuss viability.

Is there a data transfer limit?

Yes, 100GB per month. This is sufficient for the vast majority of lightning nodes.

What happens if I reach the 100GB limit?

If you exceed 100GB within a single month, your VPN connection will be restricted. However, you don't have to wait until the next month:

  1. Go to your Dashboard.
  2. If your usage is above 70%, a "Reset Bandwidth" option will appear.
  3. You can reset your 100GB counter immediately for a small fee ($1).
  4. Limits: To prevent abuse, resets are limited to 2 per month.

Note: LND versions older than 18.4 may have a bug causing excessive data usage. Please update your node software.

Where do I find my lightning configuration file?

Directories vary by node software. Current (12/2025) paths include:

LND:

```text
RaspiBlitz:  /mnt/hdd/lnd/lnd.conf
RaspiBolt:   /data/lnd/lnd.conf
Umbrel:      /home/umbrel/umbrel/lnd/lnd.conf
Umbrel 0.5+: /home/umbrel/umbrel/app-data/lightning/data/lnd/lnd.conf
Start9:      /embassy-data/package-data/volumes/lnd/data/main/lnd.conf
myNode:      /mnt/hdd/mynode/lnd/lnd.conf
```

CLN:

```text
RaspiBlitz:  /mnt/hdd/app-data/.lightning/config
RaspiBolt:   /data/cln/config
Umbrel 0.5+: /home/umbrel/umbrel/app-data/core-lightning/data/lightningd/bitcoin/config
```

If you cannot locate a file (e.g., the tunnelsats_[server].conf or your lightning config), you can always use the find command.

  • Locate TunnelSats config: sudo find / -maxdepth 5 -type d \( -path /etc/wireguard -o -path /sd-root \) -prune -o -type f -name "tunnelsats*.conf" -print
  • Locate LND config: sudo find / -name "lnd.conf"
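  • Locate CLN config (the file is named config, as in the paths above): sudo find / -type f -name "config" \( -path "*lightning*" -o -path "*cln*" \)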

How do I finalize the configuration for Umbrel 0.5+?

Umbrel 0.5+ moves many settings to the UI.

  1. Complete the standard guide. Note your externalhost and externalVPNPort.

  2. Back up and edit lnd.conf:

    ```sh
    cp ~/umbrel/app-data/lightning/data/lnd/lnd.conf ~/umbrel/app-data/lightning/data/lnd/lnd.bak
    nano ~/umbrel/app-data/lightning/data/lnd/lnd.conf
    ```

  3. Add the following lines, substituting the host and port you noted in step 1 for the placeholders:

    ```ini
    [Application Options]
    externalhosts=${vpnExternalDNS}:${vpnExternalPort}
    ```

  4. In the Umbrel UI (LND > Settings > Advanced):

    • Activate Hybrid Mode.

    • Deactivate Separate Tor Connections.

  5. Restart your node.

How to transfer tunnelsats_[server].conf to my node?

Use scp from your local computer to your node. Example for Umbrel:

```sh
scp tunnelsats_[server].conf umbrel@<ip/hostname>:/home/umbrel/
```

Syntax: scp <local_file> <user>@<ip/hostname>:<destination_path>

Alternatively, create a new file on your node using nano and paste the content.

How can I extend my subscription?

  1. Go to tunnelsats.com and select "Renew Subscription".

  2. Enter your WireGuard public key (found in your tunnelsats config or via sudo wg show).

  3. Click "Query", select the extension term, and pay the invoice.

Note: No new config file is required. The server simply updates your expiration date.

Am I still able to connect to gRPC or Rest via Tailscale/Zerotier?

Yes. As of commit 24f0f3c, ports 10009 (gRPC) and 8080 (REST) are no longer tunneled by TunnelSats. You can use ZeroTier or Tailscale to access these ports remotely.

Running TunnelSats v2 and Mullvad in parallel?

Yes, but adjustments are required to IP rules and nftables.

  1. Ensure Mullvad starts before TunnelSats.

  2. Create exclude.rules to bypass Mullvad firewall rules:

    ```nft
    table inet excludeTraffic {
      chain allowIncoming {
        type filter hook input priority -100; policy accept;
        ip saddr <IP_OF_TUNNELSATS_VPN> ct mark set 0x00000f41 meta mark set 0x6d6f6c65
        iifname tunnelsatsv2 ct mark set 0x00000f41;
      }

      chain allowOutgoing {
        type route hook output priority -100; policy accept;
        ip daddr <IP_OF_TUNNELSATS_VPN> ct mark set 0x00000f41 meta mark set 0x6d6f6c65
        oifname tunnelsatsv2 ct mark set 0x00000f41;
      }
    }
    ```

  3. Replace <IP_OF_TUNNELSATS_VPN> with your assigned server IP.

  4. Load the rules: sudo nft -f exclude.rules.

Is it possible to run another WireGuard Tunnel besides TunnelSats?

Yes. Create a separate config file (e.g., myvpn.conf) with a different address range (do not use 10.9.0.0/24).

```ini
[Interface]
PrivateKey = <YOUR_PRIVATE_KEY>
Address = <YOUR_IP>
Table = off

[Peer]
PublicKey = <PEER_PUBLIC_KEY>
Endpoint = <PEER_ENDPOINT>
AllowedIPs = 0.0.0.0/0
```

Start it with wg-quick up ./myvpn.conf (a bare myvpn.conf is treated as an interface name and looked up under /etc/wireguard/).
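A pre-flight check for the address-range rule above, as an added example (not TunnelSats code): it reads the Address entries of a second tunnel's config and reports whether any IPv4 range overlaps 10.9.0.0/24, including supernets such as 10.0.0.0/8. The function names and the constructed sample config are assumptions made for this illustration.

```sh
# Added example (not TunnelSats code): pre-flight check for a second tunnel.
# ip_to_int A.B.C.D -> integer on stdout; returns 1 if the address is malformed
ip_to_int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*|0?*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_overlaps NET1 NET2 -> 0 if the IPv4 networks share an address,
# 1 if they do not, 2 on malformed input
cidr_overlaps() {
  a=$(ip_to_int "${1%/*}") || return 2
  b=$(ip_to_int "${2%/*}") || return 2
  pa=${1#*/}; pb=${2#*/}
  if [ "$pa" = "$1" ]; then pa=32; fi   # a bare address counts as /32
  if [ "$pb" = "$2" ]; then pb=32; fi
  for p in "$pa" "$pb"; do
    case $p in ''|*[!0-9]*|0?*) return 2 ;; esac
    [ "$p" -le 32 ] || return 2
  done
  # Two networks overlap exactly when they agree on the bits of the shorter prefix.
  p=$pa; if [ "$pb" -lt "$p" ]; then p=$pb; fi
  if [ "$p" -eq 0 ]; then return 0; fi
  mask=$(( (0xFFFFFFFF << (32 - p)) & 0xFFFFFFFF ))
  [ $(( a & mask )) -eq $(( b & mask )) ]
}

# wg_addr_conflicts CONFIG [RESERVED] -> 0 if any IPv4 Address overlaps RESERVED
# (default 10.9.0.0/24, the range this page says to avoid), else 1.
wg_addr_conflicts() {
  reserved=${2:-10.9.0.0/24}
  addrs=$(sed -n 's/^[[:space:]]*Address[[:space:]]*=[[:space:]]*//p' "$1" | tr ',' ' ')
  for addr in $addrs; do
    case $addr in *:*) continue ;; esac   # IPv6 entries cannot collide with 10.9.0.0/24
    if cidr_overlaps "$addr" "$reserved"; then return 0; fi
  done
  return 1
}

# Constructed sample: write a minimal myvpn.conf with the given Address and check it.
check_address() {
  dir=$(mktemp -d) || return 2
  printf '[Interface]\nAddress = %s\nTable = off\n' "$1" > "$dir/myvpn.conf"
  wg_addr_conflicts "$dir/myvpn.conf"; result=$?
  rm -rf "$dir"
  return "$result"
}
```

On a node, run wg_addr_conflicts ./myvpn.conf before bringing the tunnel up; an exit status of 0 means the Address has to be changed.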

Q.Troubleshooting & Verification

I'm stuck with the setup process, can you help?

Please raise an issue on Github or join our Telegram group. Describe your issue without sharing private keys.

How do I verify the tunnel and my connection are working correctly?

  1. Verify Outbound Traffic (The "face" of your node)

Check that outbound connections go through the tunnel. You can use the following:

Docker Setup

```sh
docker run -ti --rm --net=docker-tunnelsats curlimages/curl https://api.ipify.org
```

This makes an outbound request to the api.ipify.org website through the tunnel and should show the VPN IP.

Non-Docker Setup

For non-Docker setups, run the command inside the dedicated cgroup. The equivalent of the Docker command is:

```sh
cgexec -g net_cls:splitted_processes curl --silent https://api.ipify.org
```

  2. Verify Inbound Connections (Reachability)

Check if the VPN port allows traffic in. Replace de3.tunnelsats.com and 32320 with your assigned server and port.

```sh
nc -zv de3.tunnelsats.com 32320
```

Success Output: Connection to de3.tunnelsats.com port 32320 [tcp/*] succeeded!

  3. Verify WireGuard Status

Run sudo wg show to see connection statistics (look for the "latest handshake"). Alternatively, use our helper script in the same directory as your config-file:

```sh
wget -O tunnelsats.sh https://github.com/tunnelsats/tunnelsats/raw/main/scripts/tunnelsats.sh
sudo bash tunnelsats.sh status
```

  4. Bot Verification

Use the Tunnel⚔Sats Bot on Telegram. Send /ping [pubkey@tunnelsats-clearnetIP:port] to test connectivity.
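The "latest handshake" check from step 3 can be scripted, shown here as an added example (not TunnelSats code). It assumes the tunnel sees regular traffic or keepalives, so handshakes recur about every two minutes; the 180-second threshold, the function names and the sample peers are assumptions made for this illustration.

```sh
# Added example (not TunnelSats code). Reads lines in the format printed by
#   wg show <interface> latest-handshakes
# i.e. "<peer public key><TAB><unix time of last handshake>", 0 meaning never.
TAB=$(printf '\t')

# stale_peers MAX_AGE_SECONDS NOW_EPOCH   (handshake lines on stdin)
# Prints one line per unhealthy peer and returns 1 if any was found.
stale_peers() {
  max_age=$1; now=$2; found=0
  while IFS="$TAB" read -r key ts; do
    case $ts in ''|*[!0-9]*) continue ;; esac   # skip blank or malformed lines
    age=$(( now - ts ))
    if [ "$ts" -eq 0 ]; then
      echo "NEVER $key"; found=1
    elif [ "$age" -gt "$max_age" ]; then
      echo "STALE $key age=${age}s"; found=1
    fi
  done
  return "$found"
}

# Constructed sample output; the keys are placeholders, not real peers.
sample_handshakes() {
  printf 'PEERKEYAAAA=\t1700000250\n'
  printf 'PEERKEYBBBB=\t1699999000\n'
  printf 'PEERKEYCCCC=\t0\n'
}

# Evaluate the sample as if "now" were 1700000300.
check_sample() { sample_handshakes | stale_peers 180 1700000300; }

# Live use on a node (interface name as it appears in the nftables rules on this page):
#   sudo wg show tunnelsatsv2 latest-handshakes | stale_peers 180 "$(date +%s)"
```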

What options do I have if I'm not happy?

Please contact us directly. We are approachable and dedicated to finding a solution for your specific issue.

Q.Payment & Costs

Why are you charging fees?

We incur significant costs for premium VPS providers, bandwidth (even idle nodes consume bandwidth), and development hours for security and infrastructure maintenance. Fees cover these operational costs and fund further development.

Are you offering any discounts?

Yes.

  • 3 months: 5% off
  • 6 months: 10% off
  • 12 months: 20% off

How do Automatic NWC Renewals Work?

Tunnel⚔Sats supports Nostr Wallet Connect (NWC) for seamless, non-custodial auto-renewals.

  • Logic: We automatically renew your subscription for the same duration as your last purchase. For example, if you bought 12 months (to get the 20% discount), we will renew for another 12 months, with the same discount applied.
  • Timing: Renewals are triggered 1-3 days before expiry.
  • Budget: You control the spending. We recommend setting a budget slightly higher than your expected renewal cost (e.g., if you pay 20k sats/year, set a 25k sats/year budget).

Why shouldn't I just do it myself?

You can! We encourage learning. However, Tunnel⚔Sats offers a managed service that removes the burden of server maintenance, security patching, and complex networking configuration.

Q.Referral Program

How does the Referral Program work?

You can generate a unique referral link from your Dashboard. Share this link with friends or other node runners.

When someone uses your link to purchase a subscription:

  • They get bonus months: +1 month for 3-month plans, +2 months for 6-month plans, +3 months for 12-month plans.
  • You get bonus months: The same bonus amounts are automatically added to your active subscription.

It's a Win-Win! Both you and the referee get extended service time for free.

I referred a friend but didn't get my bonus?

Bonuses are applied automatically once the payment is confirmed. Ensure you have an active subscription yourself, as we extend your existing service. If your subscription expired a long time ago, you may need to renew first.

Q.Public API

How do I use the TunnelSats API?

Our Public API enables programmatic subscription management. Perfect for automated renewals, custom integrations with node management software (Umbrel apps, RaspiBlitz scripts), and bulk subscriptions for multiple nodes.

Quick Start Flow:

  1. GET /api/public/v1/servers → List available servers
  2. POST /api/public/v1/subscription/create → Get Lightning invoice
  3. Pay invoice with any Lightning wallet
  4. POST /api/public/v1/subscription/claim → Get WireGuard config

Example - Create a Subscription:

```bash
curl -X POST https://tunnelsats.com/api/public/v1/subscription/create \
  -H "Content-Type: application/json" \
  -d '{"serverId": "de1", "duration": 3}'
```

What are the API pricing discounts?

| Duration  | Discount | Price  |
|-----------|----------|--------|
| 1 month   | 0%       | $3.00  |
| 3 months  | 5%       | $8.55  |
| 6 months  | 10%      | $16.20 |
| 12 months | 20%      | $28.80 |

Where can I find full API documentation?

Check out our Postman Collection for complete endpoint documentation with examples, including response schemas, error codes, referral program integration, and renewal workflows.

Q.Miscellaneous & Advanced

How do I switch from phased out servers (e.g. from us1 to us3)?

We're increasing capacity and elasticity for our US East Coast server, and as a result we are slowly phasing out us1.tunnelsats.com. If you are running your node on this VPN (AMER continent), please take a minute to read how to switch your connection to the new VPN: us3.tunnelsats.com

There are five simple steps:

  1. Edit your tunnelsats_[server].conf and change the Endpoint entry to Endpoint = us3.tunnelsats.com:51820
  2. Fetch the latest version of the setup script:

    ```sh
    wget -O tunnelsats.sh https://github.com/tunnelsats/tunnelsats/raw/main/scripts/tunnelsats.sh
    ```

  3. Run it: sudo bash tunnelsats.sh install

Important: before changing the config, it is good practice to back up your config.

  • To back up the config, use sudo cp <path/to/conf> <path/where/to/save/backup>
  • E.g., for RaspiBlitz and LND: sudo cp /mnt/hdd/lnd/lnd.conf ~/lnd_backup.conf

  4. Edit your lightning config file and change the DNS entry accordingly:

    • LND: externalhosts=us3.tunnelsats.com:<yourVPNport>
    • CLN: announce-addr=us3.tunnelsats.com:<yourVPNport>
  5. Restart your lightning implementation.

Verify the switch to us3.tunnelsats.com

To verify that the switch worked, you can run:

  • LND: lncli getinfo | jq '.uris'
  • CLN: lightning-cli getinfo | jq '.address'

The public IP should start with 178.156.x.x

Where do I find the config files?

For the most common lightning node packages, we documented the default location of the configuration files; see: Where do I find my lightning configuration file? If you run into any trouble, please reach out (Where to get help?).

Renewing your subscription during migration

If you try to renew your subscription and our system detects that you are still active on the legacy us1 server, you will be prompted to confirm your migration.

  1. We will ask you to verify your Internal WireGuard IP (e.g. 10.9.x.x) to prove you are the owner of the config.
  2. Upon confirmation, we will disable your legacy us1 key to prevent conflicts.
  3. Your renewal will then proceed on the new us3 server automatically. This ensures you don't accidentally keep using the old server.

Tuning Tor

To stabilize Tor connectivity alongside the VPN, you can add these experimental settings to the end of your torrc file:

```ini
LongLivedPorts 21,22,706,1863,5050,5190,5222,5223,6523,6667,6697,8300,9735,9736,9911
UseEntryGuards 1
NumEntryGuards 8
```

Do you offer full-service VPNs too?

No. We specialize in Lightning node connections. For a general privacy-preserving VPN that accepts Lightning, check out LNVPN.net.

I have ideas or want to help. Where can I reach you?

Reach out via Telegram, Nostr, X, email (info @ tunnelsats.com), or open a GitHub issue.

Who built this?

From Node Runners for Node Runners 🧔

Q.Footnotes

  1. See hybrid options for home-IP and VPS for self-setup. ↩

TunnelSats - Bitcoin Lightning VPN