• econoalchemist

Build a Self-Custodial Lightning Node with RaspiBlitz

This article offers a step-by-step guide to build your own Bitcoin full node and Lightning client running the RaspiBlitz implementation.

Image Source

Here is an index of the topics covered in this guide:

  1. Introduction

  2. Required Materials

  3. RaspberryPi Assembly

  4. Building the OS

  5. Connecting to RaspberryPi with SSH

  6. Initial RaspiBlitz Configuration

  7. Ride The Lightning Webinterface

  8. Fund & Open a Channel

  9. Inbound & Outbound Liquidity

  10. Watchtowers & Backups

  11. Connecting to Mobile

  12. Creating & Paying Invoices

  13. RaspiBlitz Extras

  14. Resources

  15. Conclusion


Lightning is a layer-2 payment network built on top of layer-1, Bitcoin. This layer-2 network consists of nodes running the Lightning Network protocol, with bidirectional payment channels open between them. These payment channels allow for many fast payments to be made between nodes without the slower on-chain, layer-1 transactions. There is no need to wait for layer-1 block confirmations when making Lightning payments in established channels. Channels are opened and closed with an on-chain transaction while any number of Lightning payments can be made so long as the channels remain open and funded.

Like this, many Lightning payments can be made instantly and with minimal transaction fees since this is an off-chain network of peers maintaining balances between themselves. For every Lightning transaction between peers, each party updates their mutually agreed upon balance state. The payment channel between them can be closed at anytime by either party and then the most recent mutually signed balance state is then broadcast to the on-chain, layer-1 Bitcoin network. So with only two on-chain transactions, one to open the channel and one to close the channel, any number of smaller transactions can be made instantly and with low fees while the channel is open. Lightning transactions are not limited to only direct peers. Any number of funded intermediate Lightning nodes can be used to facilitate the necessary and shortest connections from Alice to Zach for example, with each directly connected peer updating the balance state with their respective connections.

Another potential benefit of Lightning transactions is that there is less information being stored on the immutable layer-1 ledger. By conducting transactions between peers on layer-2, the amount of information is limited to channel openings & closings. This can still reveal information that you may not want public, for example, if you use CoinJoin outputs to fund your Lightning channels then they can be linked together by this activity as they have a common link at your Lightning node. There are no privacy guarantees in Lightning. While fast, off-chain transactions can save on fees during low hash events, the benefits of Lightning are not without their tradeoffs however; connecting your node via Tor helps conceal your IP address, RaspiBlitz now connects via Tor by default. Opening public channels will expose information about your node such as capacity, number of public channels, number of connected nodes, and more. Anthony Ronning wrote an excellent article on Lightning Network privacy implications and also had a great discussion on the topic with Matt Odell and Openoms on Citadel Dispatch episode 0.2.1. I highly recommend investigating the inherent privacy limitations on the Lightning network. I was certainly surprised to learn that the Lightning Network does not afford one the kind of blanket privacy I was lead to believe. For example, receiving sats will expose your nodes pubkey. With a pubkey, one can observe your nodes total bitcoin capacity, IP address if not using Tor, and current channels. Check this link to see what kind of information about your Lightning node will be available to anyone you share an invoice with and be sure that you are comfortable with revealing that information about yourself and potentially connecting it to you.

Further noteworthy limitations are that offline peers can cause network routing disruptions, a peer must be online in order to receive a payment, and non-cooperative channel closures could expose funds to theft. There are safe guards that can be leveraged to mitigate theft risk, such as Justice Transactions and Lightning Watch Towers.

There are several DIY Lightning node implementations to choose from:

Required Materials:

This guide focuses on the RaspiBlitz implementation. The RaspiBlitz documentation is methodical & thorough; community support is strong in their Telegram channel; and there seems to be more contributors, reviews, and commitments to this project than any of the others.

You will need a few things before getting started. Some of the steps you need to take are performed on your desktop computer. In this guide, you will be communicating with your RaspiBlitz Node via Secure Shell (SSH) connection from your desktop.

Check out these Bitcoin Magazine affiliate links for the same materials I used in this guide. There is a wide variety of single board computers, cases, kits, & accessories to choose from, but these are the items I used:

  • Raspberry Pi 4 Case w/ Power & Fan: https://amzn.to/3g4n4MO *the power supply that comes with the Smraza Case is rated at 5v/3a. Some people have experienced issues powering their SSD with the standard power supply. If you have trouble, consider using an official RaspberryPi power supply such as this.

This is the RaspiBlitz repository that I used to learn from, so be sure to bookmark this one: https://github.com/rootzoll/raspiblitz

If you want to connect to a mobile wallet, I would also recommend getting a small LCD display like this. And if you want to create a Watchtower then get two of everything listed above.

Here is a time table of various steps so you can be sure to plan accordingly:

Step 1: Build Raspberry Pi

In this step you will see how to assemble the materials listed above to build a case for your Raspberry Pi with a cooling fan and install the heat sinks.

Once you are finished assembling your Raspberry Pi you can set it aside for now, there are a few steps that you will need to take on your desktop now.

Step 2: Build OS Image

These instructions are for Windows. In this step you will see how to build the Raspberry Pi Operating System (OS) and flash it onto your MicroSD Card. There are four things that need to be done in this step:

First navigate to this website and then download the latest Zip Archive File along with the hash file you prefer, e.g., SHA256 and the signature file so you can verify. Leave the zip file compressed, the flashing process will take care of extracting the contents later.

It is recommended to verify what you have downloaded. The RaspberryPi PGP public key can be downloaded here.

  • Import & certify the Public Key to your keychain, e.g., Kleopatra.

  • With the zip file and signature file in the same folder, right click on the signature file, select "More GpgEX options" Then "Verify".

  • After a moment you should receive the valid signature message.

Now you know the signature file containing the hash value of the zip file was in fact signed by the Raspberry Pi Downloads Signing Key.

Then compare the hash value from the hash file you downloaded with the hash value you calculate on your downloaded zip file. I like to use a hex editing program called HxD for calculating hash values.

Second, you will need to download the Raspberry Pi Imager. This is an executable file that will help you flash the OS image file you just downloaded onto your MicroSD Card. Unfortunately, I wasn't able to find any PGP verification tools for the imager.

Once you have this executable file downloaded, save it in a folder along with the compressed OS Image archive zip file. These should be the only two things in your folder:

Go ahead and insert the MicroSD card into the MicroSD Card adapter or USB adaptor and then insert this into your computer. Generally, I like to verify the capacity of the MicroSD Card and also ensure there is no data stored on it.

Navigate to your folder with the imager.exe & OS Image Zip file. Then simply double-click on the imager.exe file and the software should automatically start, which will display this screen to you:

Select "Choose OS", this will launch a menu, select "Use custom" and then navigate to your zip archive:

Next select "Choose Storage", select the 32GB MicroSD Card:

Then select "Write". You will be prompted that this will erase all data on the MicroSD Card, select "Yes".

The OS Image writing will then start, which should take ~10 minutes. Then the Imager software will verify the image, which should take another ~5 minutes.

Once verification is complete, you will be notified, select "Continue" and then you can close the Raspberry Pi Imager. Your desktop will probably automatically eject the MicroSD Card. Remove it and reinsert it because you need to add a file to it before starting the Raspberry Pi.

  • After reinserting the MicroSD Card, open the file explorer, right-click in the root folder, select "New" then "Text Document".

  • You will be asked what to name this file, name it "ssh" with no file extension.

  • You will receive a warning asking if you are sure you want to do this. Select "Yes".

  • Then eject the MicroSD Card.

This empty file that you just created will allow you to make the SSH connection to your Raspberry Pi so you can talk to it from your desktop.

Insert the microSD card into the Raspberry Pi. Connect the SSD. Connect the Ethernet cable from your router. Then connect the power supply and turn on. You should see a red light on the front-right corner when the Raspberry Pi turns on.

You should now have a functioning Raspberry Pi ready to turn into your very own Lightning Node. Next you'll see how to make your SSH connection and then how to build RaspiBlitz.

Step 3: SSH into the Raspberry Pi

In this step you will see how to make the SSH connection from your desktop computer to your Raspberry Pi computer. Once this connection is established, you will then build the RaspiBlitz software, setup the initial configuration, and start the Initial Blockchain Download (IBD).

I recommend using a simple SSH tool like Putty.exe. Learn more about Putty here and download it from here. Verify the download, then run the .msi file and follow the install wizard prompts.

Once you run Putty, you will need to enter the IP address of your Raspberry Pi. To find this, log into your home router from a web browser, usually by simply entering in the URL dialog box.

Most routers have basic log in credentials like Admin/1234, check online for your brand of router and login instructions.

Once logged into your router, you should be able to locate a list of connected devices on your home network. For example, the connected devices on my home network and their IP address can be viewed from navigating to: Basic Router>DHCP

Then in Putty, in the Host Name dialog box, enter your user, which will be "pi" the "@" symbol followed by your RaspberryPi IP local address. For example, all together, mine was: "pi@" and then select "Open" at the bottom.

A terminal window will automatically open on your desktop then you may get a warning about the host key not being registered, select "Yes" to add this key to your registry.

Then you will be asked for the password: "raspberry".

Then you should be ready to continue when you see this screen:

Once you made it to this point, simply run the two following commands, and the RaspiBlitz software will be compiled. Make sure to check their GitHub repository here for the latest version as this is updated often. You can find the appropriate syntax all the way towards the bottom of the their GitHub page under the "Build the Sd Card Image" section.

wget https://raw.githubusercontent.com/rootzoll/raspiblitz/v1.7/build_sdcard.sh


bash build_sdcard.sh true

The software will start to compile, this process should take ~20 minutes.

When finished, run the command:

sudo reboot

Once built and rebooted, then the new username is "admin" and the new password is "raspiblitz". When SSH'ing in from now on, it will look more like "admin@".

Now you have turned your Raspberry Pi into your own RaspiBlitz Lightning client. There are some initial configurations that need to be taken care of in order to turn this into a fully validating Bitcoin node and your own self-custodial Lightning node. Then we'll take a look at some advanced features.

Initial Configuration:

If everything went according to plan, then you should be presented with the RaspiBlitz welcome screen:

Select Bitcoin. The system will check for bitcoind (which is not running yet).

Then enter a name for your new RaspiBlitz. I chose "JeremyReed", the protagonist from the 1995 film, Powder. Use a name that doesn't reveal any personal information about yourself and don't use any spaces or special characters. This name will be publicly available to the rest of the internet.

Next, you will be asked to create 2 new passwords. By the end, you will need 4 different passwords in total. I recommend making them all different and high entropy. I found using a password manager is a great tool for this kind of stuff.

You will need to confirm each password and will receive a notification when each password has been set.

After setting the User & RPC passwords (A & B), the system will format your SSD. Select "Yes".

Next you can choose to synchronize the entire Bitcoin blockchain from other nodes in the wild or copy it from another node on your local network. In this example, I chose to select SYNC, and then a quick script is going to run and then automatically the Initial Blockchain Download will begin.

Now the IBD will begin, make sure to leave your RaspberryPi on and connected to power and internet. This process took me 3-days and 6 hours in total.

After a little while, the terminal screen will display this screen and you can go ahead and setup your LND Wallet and secure your seed phrase while the IBD is running in the background:

The software will do a quick check for Bitcoind, this is normal. Then you will be asked to set & confirm a wallet password (this is the third of four total passwords you will set). This is a BIP39 passphrase.

Then you will be displayed your 24 seed words. Write these down & secure them. Do not take a screen shot, do not share these words with anyone, do not save these words in a text file, do not take a picture of them. Anyone who gains access to these words will have access to your funds.

Write these words down on a piece of paper and secure that paper like it were gold or jewelry. There is a recovery work sheet made for the RaspiBlitz that you can download here.

Once you have written down your words and selected "OK", the system will run a quick script and then prompt you for a reboot. IBD will continue after reboot.

Remember, you will need to reinitialize your Putty session and use the updated password you set. You will be asked to unlock your wallet as well. Then you will see the IBD progress.

You may want to set your desktop sleep settings so that it doesn't interrupt the SSH connection, otherwise you will need to re-establish that connection each time you want to check the IBD progress.

Also, you may have noticed that my initial screenshots of the terminal interface used "qqqqqqqqqqqq" as the boarder. This can be changed in Putty by going to Window>Translation>Remote Character Set and then selecting "Use font encoding" from the drop down menu. Then save your default session and the series of "qqqqqqqqqqqq" will be displayed as a clean line in your terminal window from now on. h/t @nyxnor for the advice.

Once the blockchain has downloaded (~340GB at writing) the RaspiBlitz should reboot and then you can log back in and wait a few moments for everything to activate.

...Three days later...

Ride The Lightning Webinterface:

Working in the terminal window is not always necessary. There is a great web browser based tool you can use as the interface with your RaspiBlitz. Once the steps above have been completed, you should be looking at this screen:

Congratulations! You now have a RaspiBlitz Lightning Node. But there is still some work to do to enable the basic things that probably brought you here in the first place; such as funding your wallet, opening a channel, and sending/receiving some sats.

We'll cover the basics right now to get you up and running and then we'll cover a few select advanced topics afterwards for those of you who are curious.

You can continue working in the terminal window, or you can work in the RTL webinterface that may be more user-friendly with a more familiar UI.

Select "SERVICES Additional Apps & Services" from the main menu.

Then you will see a menu with all sorts of cool and powerful features. For now, select "RTL Webinterface" using the spacebar.

Once you hit "OK" the RaspiBlitz will run some scripts and then reboot, this should take less than 10 minutes. After the reboot, you will be presented with instructions for accessing your Webinterface via Tor. Open the Tor Browser on your desktop and copy/paste the ".onion" Hidden Service address that is presented to you from this window. Make sure to copy the whole address and do not insert "https://" in front of it.

Then each time you log in, you will see an option on the main menu for "RTL Web Node Manager". Just select it to be presented with the Hidden Service address again and enter the password you set for Password B.

Once you get logged in, you will be at your dashboard where you can monitor your network status, Lightning & on-chain balances, routing fees, channels, and more.

Start exploring RTL, it has an intuitive interface and it is easy to navigate through all the tabs to find all kinds of information about your Lightning node.

Fund & Open a Lightning Channel:

Opening Lightning channels is probably one of the primary reasons you read this guide to begin with. By opening Lightning channels with other nodes, you are connecting to the network that helps facilitate the routing of fast and cheap payments around the globe. Opening a Lightning channel involves some privacy considerations that you should be aware of. For example, take a look at this random Lightning node I selected from 1ML, all the information about this node is the same kind of information that anyone on the internet will be able to see about your node.

Generally, there are two kinds of channels: Public channels and private (or unannounced) channels. There is a lot of available information about your Lightning node when you open a public channel. Such as capacity of bitcoin, number of public channels, connected nodes, IP address if not running over Tor, and more. To see for yourself, check this example.

RaspiBlitz connects via Tor by default so your IP address is not shared to the general public, it is displayed as an onion address which helps preserve your privacy. Another piece of information that you will share when opening either a public or private channel is your pub key. When opening a public channel, your pub key will be viewable along with all your other associated public information. Private channel information is not shared publicly however. So a node operator can have a couple public channels open for better routing & connectivity, then also have many private channels open that only the connected peer on the other side knows of. Although there are some advanced techniques which can be utilized to discover private channel capacity, again, refer to Anthony Ronning's article here.

There is a lot to be learned about the privacy implications of the Lightning network. I recommend familiarizing yourself with these additional resources here and here.

The first step in opening a Lightning channel is to deposit some bitcoin in your LND on-chain wallet. From your RTL Webinterface, select the "On-chain" tab, then "Generate Address".

This will display your address QR code. Simply scan this QR code from your mobile Bitcoin wallet for example, and send a small amount of funds. Something to the tune of 2,100,000 sats should be more than enough to get started.

You can make multiple deposits over time. LND will generate a new address each time you call for one. It is best practice to avoid reusing the same address.

Once you have some bitcoin deposited in your on-chain wallet, then you can click on the "Open Channel" button from your dashboard.

Next, you will want to make sure you are connected to some network peers. This should happen automatically and you can add more and specific peers if you want. Being connected to peers and opening a channel with peers is two different things. Just being connected to a peer means that your node is sending and receiving network information to and from your peers. But by opening a channel with a peer, you will initiate the on-chain transaction and begin keeping track of a balance state between you and your opened channel peer. If you want to open a channel with someone specifically, like a friend that you wish to open a private channel with, then you will first need to add them as a peer.

So select the "Peers" tab and then the "Add Peer" button.

Then copy/paste your peers pubkey. You will have either received this pubkey from your friend or you will have found it exploring 1ml.com. The pub key should look something like this example:


Then click the "Add Peer" button.

You will have the option to open a channel with your new peer. Enter the amount you want the channel to be open for, for example 1,000,000 sats. Then enable the private channel toggle switch to make this an unannounced channel. I recommend just leaving the transaction type and "spend unconfirmed output" settings on their defaults unless you have a good reason to change them. Then click on the "Open Channel" button and the request to open a channel for 1,000,000 sats will be sent to your new peer. This request will remain in a pending state until it is approved by your peer.

Try opening a channel with a friend at first or alternatively, check out 1ML to find other nodes that you can request to open channels with. When observing information about Lightning nodes on 1ML, you will see some ratings listed below the node's pubkey QR code. These ratings can give you an idea of how well connected the node is, how much capacity it has, and it's stability. I wasn't able to find out how 1ML calculates these statistics exactly but basically the way you read them is that the lower the number is then the better the rating is.

In the image below for example, you can see that ACINQ (pronounced "a sink") is the best ranking node on the Lightning network. This raises concerns over centralization as a majority of Lightning node have a channel open with ACINQ. However it is also providing a lot of connectivity to the network. You can see that Lommy's node is doing ok and also that my node has some catching up to do.

After your peer confirms the channel opening request on their end, then the on-chain transaction will be broadcast to layer-1 and the channel will officially be open. For the remainder of this channel being open, your node and your peer's node will each maintain a balance state of your channel. If you look at your channel balances though, you will notice that all the liquidity is on your side of the channel.

Another way to connect with some peers is to join a Ring of Fire. This is a good exercise to go through to help you get started as community support is strong in the Telegram channels.

Inbound & Outbound Liquidity:

Inbound liquidity is the number of sats you can receive on a channel. Outbound liquidity is the number of sats you can send on a channel. Here is a screen shot of one of my channel's capacity. The local (outbound) balance is the amount of sats that I can send to my peer. The remote (inbound) balance is the amount I can receive from my peer. This channel is considered unbalanced since all the liquidity is on my side of the channel.

There are a couple different methods for balancing channels that I'll go over here. The two tools we will look at here are Lightning Terminal (Lit) Loop Out and RTL Circular Rebalance.

A) Lightning Terminal Loop:

Loop is another service that can be built into your RaspiBlitz as part of the Lightning Terminal package from Lightning Labs. It is another web browser based interface that can be used to alter channel balances without needing to close and reopen your channels. I would consider this a custodial service, even though the transaction is based on a Hash Time Lock Contract (HTLC) that defaults to no state change if unsuccessful and even though if you do get a successful Loop Out the custodianship may only be for a very brief period before they transfer the on-chain funds to your wallet. You are still relying on a 3rd party to fulfil an obligation on your behalf who accepts a payment from layer-2 and then transfers you back funds on layer-1.

Loop works by taking the sats you send to your peer's side of the channel and then giving you back those sats in on-chain BTC. There is a small fee for this service. But this can be a good way to get some inbound liquidity so that you can receive payments. For example, let's say you had 1 million sats on a custodial Lightning Wallet that you wanted to gain control over again. Using Loop, you could open a channel for 2 million sats with a peer, all the liquidity will be on your side of the channel. Then you could Loop the maximum amount, leaving you with a little less than 2 million sats liquidity on your peer's side of the channel. The ~2 million sat Loop Out will make it's way to Lightning Labs and then they will send you that amount in on-chain bitcoin. The receive address is automatically generated from the on-chain wallet built into your RaspiBlitz, but you can also change it if you want during the Loop Out transaction setup. Then you can send yourself your custodially held 1 million sats since you now have ~2 million sats of inbound liquidity available. This would not only give you control over your sats again but it would then rebalance your channel with your peer giving you ~1 million sats on both sides. However, this does depend on Lightning Labs sending you the on-chain funds which introduces some level of trust, I suppose. This is done through a HTLC so if the loop out attempt fails or doesn't execute by a specific block height then you don't lose anything and you can try again.

To construct a Loop Out, first the LiT service needs to be built and added. From your terminal window, select the "SERVICES Additional Apps & Services" option. Then select "LIT (loop, pool, faraday)", use the space bar to select.

You will see a script start to run and then you will be presented with another onion address like the one you used to open the RTL interface. Copy/paste this onion address into your Tor browser including the "https://" part for this one and use the "B" Password that you setup during the initial configuration to log in. You will also be presented with a SHA1 finger print from your Raspberry Pi that you can verify in your Tor browser before continuing.

This is the login screen you should be looking at. Enter your "B" Password here.

This is the welcome screen, I recommend taking the tour to get familiar with the interface.

Once you get through the tour, you will be looking at your home screen and you should be able to see, like in mine for example, that I have 984,844 Lightning sats available. With 1,092,594 on-chain sats remaining. And that I can receive 0 sats but I can spend the 984,944 sats with my peer. The goal here is to be able to also receive some sats from my peer. Click on the "Loop" button above your channels.

Then click on "Loop Out".

Then use the slider to select the amount of inbound liquidity you want, I chose roughly half the total amount. Then click on "Next".

Then review the Loop information and confirm.

Processing the loop takes some time as it involves an on-chain transaction. Once the Loop out is initiated, it will attempt to execute until a pre-determined block height expiration. Don't be alarmed if the Loop out is not immediately successful and you cannot see the funds you are attempting to Loop Out with. Just go to your RTL Webinterface then the "Peers/Channels" sidebar then the "Active HTLCs" tab. Here you can review your active HTLC's, what amount they are for, and at what block height they will expire. If these contracts fail to execute by the block expiration then you will just have your funds released back to you, so no loss.

Hopefully, you get a successful loop within a reasonable amount of time. Sometimes it can take a while to be successful depending on factors like routing and awareness of your node through the gossip network. Try sending some small payments to bring network attention to your node. Here is an example of several failed Loop Out attempts that I made before getting a successful one, so don't give up.

Once you get a successful loop then you should be able to send and receive sats, having liquidity on both sides of a balanced channel.

Now I have two well balanced channels, one achieved through a Loop Out and the other through the Ring of Fire I established with some other peers.

Loop Out can require some patience but it is a great tool to get some funds back into your on-chain wallet and give you the inbound liquidity you need to start receiving Lightning payments. Another tool for balancing channels is the Circular Re-Balance in the RTL Webinterface.

B) Circular Re-Balance:

Another liquidity related issue that you will eventually run into is that at some point your liquidity may all move from one side of your channel to the other. So for example, if I open a channel with a peer for 1 million sats and I spend 1 million sats to them then this channel's liquidity has dried up on my side of the channel. I can receive 1 million sats to my side from them but if no payments are coming my way then this channel has been rendered kind of useless. The channel needs to be balanced so that payments can flow both ways. And ideal channel will be balanced 50/50.

The Circular Rebalance tool is built into the RTL Webinterface, so if you followed that step then you have this functionality and do not need to construct an additional service.

In the screen shot above, I have 3 channels open right now for example. My channel with GO Satoshi NL (2) is very well balanced and nearly an equal amount of liquidity can flow in either direction. This is ideal.

My next channel, with SkiDaClouds, is closer to an 80/20 liquidity balance. This means that I can spend roughly 4 times the amount of liquidity than I can receive on this channel.

My third channel, with ACINQ, has a 100/0 balance. I cannot receive any sats on this channel but I can spend all the liquidity that is on my side.

The more nodes you can connect to, open channels with, and payments you make should increase your overall gossip network activity and give you more routing flexibility. You may have an easier time getting requests like this to complete the more active and connected you are. However, this also requires that you fund your node with more and more sats to be able to open channels. The RTL tool will basically take sats from one channel and send them to another one of your channels.

  • From your RTL home screen go to the "Peers/Channels" tab on the left-hand side.

  • Then on the "Actions" drop down menu on the channel that needs balancing select "Circular Rebalance".

  • Then enter the amount of sats you want to move and select the peer to receive those sats from. Then hit "Estimate Fee".

  • Then select "Use Estimate" and hit "Rebalance".

Fair warning, I have not been able to find a successful connection to make a circular rebalance happen and I keep running into the error in the image below. I will need to just keep trying despite having opened channels with my peers' peers' peers, if that makes sense. Hopefully the liquidity doesn't get completely moved to one side before hand.

Hopefully you have better luck than I did with this particular tool, although I will keep trying. Keeping your channels balanced is a matter of trial and error. There is no silver bullet. But if you want to be able to send and receive payments and have a well connected node then get in there and start messing around with this stuff until you figure out what works for you.

Another service you may want to try out is Boltz.Exchange. I haven't tried this one myself but I hear good things about it, h/t @BitcoinQ_A. The basic idea is that you enter the amount in sats you will spend from your Lightning wallet, then the website will give you the amount back in on-chain bitcoin minus the fee. Again, I do consider this a type of custodial service, even though it may only be for a brief moment. Please take careful considerations when using a custodial service.