• econoalchemist

Build a Self-Custodial Lightning Node with RaspiBlitz

This article offers a step-by-step guide to build your own Bitcoin full node and Lightning client running the RaspiBlitz implementation.

Image Source

Here is an index of the topics covered in this guide:

  1. Introduction

  2. Required Materials

  3. RaspberryPi Assembly

  4. Building the OS

  5. Connecting to RaspberryPi with SSH

  6. Initial RaspiBlitz Configuration

  7. Ride The Lightning Webinterface

  8. Fund & Open a Channel

  9. Inbound & Outbound Liquidity

  10. Watchtowers & Backups

  11. Connecting to Mobile

  12. Creating & Paying Invoices

  13. RaspiBlitz Extras

  14. Resources

  15. Conclusion


Lightning is a layer-2 payment network built on top of layer-1, Bitcoin. This layer-2 network consists of nodes running the Lightning Network protocol, with bidirectional payment channels open between them. These payment channels allow for many fast payments to be made between nodes without the slower on-chain, layer-1 transactions. There is no need to wait for layer-1 block confirmations when making Lightning payments in established channels. Channels are opened and closed with an on-chain transaction while any number of Lightning payments can be made so long as the channels remain open and funded.

Like this, many Lightning payments can be made instantly and with minimal transaction fees since this is an off-chain network of peers maintaining balances between themselves. For every Lightning transaction between peers, each party updates their mutually agreed upon balance state. The payment channel between them can be closed at anytime by either party and then the most recent mutually signed balance state is then broadcast to the on-chain, layer-1 Bitcoin network. So with only two on-chain transactions, one to open the channel and one to close the channel, any number of smaller transactions can be made instantly and with low fees while the channel is open. Lightning transactions are not limited to only direct peers. Any number of funded intermediate Lightning nodes can be used to facilitate the necessary and shortest connections from Alice to Zach for example, with each directly connected peer updating the balance state with their respective connections.

Another potential benefit of Lightning transactions is that there is less information being stored on the immutable layer-1 ledger. By conducting transactions between peers on layer-2, the amount of information is limited to channel openings & closings. This can still reveal information that you may not want public, for example, if you use CoinJoin outputs to fund your Lightning channels then they can be linked together by this activity as they have a common link at your Lightning node. There are no privacy guarantees in Lightning. While fast, off-chain transactions can save on fees during low hash events, the benefits of Lightning are not without their tradeoffs however; connecting your node via Tor helps conceal your IP address, RaspiBlitz now connects via Tor by default. Opening public channels will expose information about your node such as capacity, number of public channels, number of connected nodes, and more. Anthony Ronning wrote an excellent article on Lightning Network privacy implications and also had a great discussion on the topic with Matt Odell and Openoms on Citadel Dispatch episode 0.2.1. I highly recommend investigating the inherent privacy limitations on the Lightning network. I was certainly surprised to learn that the Lightning Network does not afford one the kind of blanket privacy I was lead to believe. For example, receiving sats will expose your nodes pubkey. With a pubkey, one can observe your nodes total bitcoin capacity, IP address if not using Tor, and current channels. Check this link to see what kind of information about your Lightning node will be available to anyone you share an invoice with and be sure that you are comfortable with revealing that information about yourself and potentially connecting it to you.

Further noteworthy limitations are that offline peers can cause network routing disruptions, a peer must be online in order to receive a payment, and non-cooperative channel closures could expose funds to theft. There are safe guards that can be leveraged to mitigate theft risk, such as Justice Transactions and Lightning Watch Towers.

There are several DIY Lightning node implementations to choose from:

Required Materials:

This guide focuses on the RaspiBlitz implementation. The RaspiBlitz documentation is methodical & thorough; community support is strong in their Telegram channel; and there seems to be more contributors, reviews, and commitments to this project than any of the others.

You will need a few things before getting started. Some of the steps you need to take are performed on your desktop computer. In this guide, you will be communicating with your RaspiBlitz Node via Secure Shell (SSH) connection from your desktop.

Check out these Bitcoin Magazine affiliate links for the same materials I used in this guide. There is a wide variety of single board computers, cases, kits, & accessories to choose from, but these are the items I used:

  • Raspberry Pi 4 Case w/ Power & Fan: https://amzn.to/3g4n4MO *the power supply that comes with the Smraza Case is rated at 5v/3a. Some people have experienced issues powering their SSD with the standard power supply. If you have trouble, consider using an official RaspberryPi power supply such as this.

This is the RaspiBlitz repository that I used to learn from, so be sure to bookmark this one: https://github.com/rootzoll/raspiblitz

If you want to connect to a mobile wallet, I would also recommend getting a small LCD display like this. And if you want to create a Watchtower then get two of everything listed above.

Here is a time table of various steps so you can be sure to plan accordingly:

Step 1: Build Raspberry Pi

In this step you will see how to assemble the materials listed above to build a case for your Raspberry Pi with a cooling fan and install the heat sinks.

Once you are finished assembling your Raspberry Pi you can set it aside for now, there are a few steps that you will need to take on your desktop now.

Step 2: Build OS Image

These instructions are for Windows. In this step you will see how to build the Raspberry Pi Operating System (OS) and flash it onto your MicroSD Card. There are four things that need to be done in this step:

First navigate to this website and then download the latest Zip Archive File along with the hash file you prefer, e.g., SHA256 and the signature file so you can verify. Leave the zip file compressed, the flashing process will take care of extracting the contents later.

It is recommended to verify what you have downloaded. The RaspberryPi PGP public key can be downloaded here.

  • Import & certify the Public Key to your keychain, e.g., Kleopatra.

  • With the zip file and signature file in the same folder, right click on the signature file, select "More GpgEX options" Then "Verify".

  • After a moment you should receive the valid signature message.

Now you know the signature file containing the hash value of the zip file was in fact signed by the Raspberry Pi Downloads Signing Key.

Then compare the hash value from the hash file you downloaded with the hash value you calculate on your downloaded zip file. I like to use a hex editing program called HxD for calculating hash values.

Second, you will need to download the Raspberry Pi Imager. This is an executable file that will help you flash the OS image file you just downloaded onto your MicroSD Card. Unfortunately, I wasn't able to find any PGP verification tools for the imager.

Once you have this executable file downloaded, save it in a folder along with the compressed OS Image archive zip file. These should be the only two things in your folder:

Go ahead and insert the MicroSD card into the MicroSD Card adapter or USB adaptor and then insert this into your computer. Generally, I like to verify the capacity of the MicroSD Card and also ensure there is no data stored on it.

Navigate to your folder with the imager.exe & OS Image Zip file. Then simply double-click on the imager.exe file and the software should automatically start, which will display this screen to you:

Select "Choose OS", this will launch a menu, select "Use custom" and then navigate to your zip archive:

Next select "Choose Storage", select the 32GB MicroSD Card:

Then select "Write". You will be prompted that this will erase all data on the MicroSD Card, select "Yes".

The OS Image writing will then start, which should take ~10 minutes. Then the Imager software will verify the image, which should take another ~5 minutes.

Once verification is complete, you will be notified, select "Continue" and then you can close the Raspberry Pi Imager. Your desktop will probably automatically eject the MicroSD Card. Remove it and reinsert it because you need to add a file to it before starting the Raspberry Pi.

  • After reinserting the MicroSD Card, open the file explorer, right-click in the root folder, select "New" then "Text Document".

  • You will be asked what to name this file, name it "ssh" with no file extension.

  • You will receive a warning asking if you are sure you want to do this. Select "Yes".

  • Then eject the MicroSD Card.

This empty file that you just created will allow you to make the SSH connection to your Raspberry Pi so you can talk to it from your desktop.

Insert the microSD card into the Raspberry Pi. Connect the SSD. Connect the Ethernet cable from your router. Then connect the power supply and turn on. You should see a red light on the front-right corner when the Raspberry Pi turns on.

You should now have a functioning Raspberry Pi ready to turn into your very own Lightning Node. Next you'll see how to make your SSH connection and then how to build RaspiBlitz.

Step 3: SSH into the Raspberry Pi

In this step you will see how to make the SSH connection from your desktop computer to your Raspberry Pi computer. Once this connection is established, you will then build the RaspiBlitz software, setup the initial configuration, and start the Initial Blockchain Download (IBD).

I recommend using a simple SSH tool like Putty.exe. Learn more about Putty here and download it from here. Verify the download, then run the .msi file and follow the install wizard prompts.

Once you run Putty, you will need to enter the IP address of your Raspberry Pi. To find this, log into your home router from a web browser, usually by simply entering in the URL dialog box.

Most routers have basic log in credentials like Admin/1234, check online for your brand of router and login instructions.

Once logged into your router, you should be able to locate a list of connected devices on your home network. For example, the connected devices on my home network and their IP address can be viewed from navigating to: Basic Router>DHCP

Then in Putty, in the Host Name dialog box, enter your user, which will be "pi" the "@" symbol followed by your RaspberryPi IP local address. For example, all together, mine was: "pi@" and then select "Open" at the bottom.

A terminal window will automatically open on your desktop then you may get a warning about the host key not being registered, select "Yes" to add this key to your registry.

Then you will be asked for the password: "raspberry".

Then you should be ready to continue when you see this screen:

Once you made it to this point, simply run the two following commands, and the RaspiBlitz software will be compiled. Make sure to check their GitHub repository here for the latest version as this is updated often. You can find the appropriate syntax all the way towards the bottom of the their GitHub page under the "Build the Sd Card Image" section.

wget https://raw.githubusercontent.com/rootzoll/raspiblitz/v1.7/build_sdcard.sh


bash build_sdcard.sh true

The software will start to compile, this process should take ~20 minutes.

When finished, run the command:

sudo reboot

Once built and rebooted, then the new username is "admin" and the new password is "raspiblitz". When SSH'ing in from now on, it will look more like "admin@".

Now you have turned your Raspberry Pi into your own RaspiBlitz Lightning client. There are some initial configurations that need to be taken care of in order to turn this into a fully validating Bitcoin node and your own self-custodial Lightning node. Then we'll take a look at some advanced features.

Initial Configuration:

If everything went according to plan, then you should be presented with the RaspiBlitz welcome screen:

Select Bitcoin. The system will check for bitcoind (which is not running yet).

Then enter a name for your new RaspiBlitz. I chose "JeremyReed", the protagonist from the 1995 film, Powder. Use a name that doesn't reveal any personal information about yourself and don't use any spaces or special characters. This name will be publicly available to the rest of the internet.

Next, you will be asked to create 2 new passwords. By the end, you will need 4 different passwords in total. I recommend making them all different and high entropy. I found using a password manager is a great tool for this kind of stuff.

You will need to confirm each password and will receive a notification when each password has been set.

After setting the User & RPC passwords (A & B), the system will format your SSD. Select "Yes".

Next you can choose to synchronize the entire Bitcoin blockchain from other nodes in the wild or copy it from another node on your local network. In this example, I chose to select SYNC, and then a quick script is going to run and then automatically the Initial Blockchain Download will begin.

Now the IBD will begin, make sure to leave your RaspberryPi on and connected to power and internet. This process took me 3-days and 6 hours in total.

After a little while, the terminal screen will display this screen and you can go ahead and setup your LND Wallet and secure your seed phrase while the IBD is running in the background:

The software will do a quick check for Bitcoind, this is normal. Then you will be asked to set & confirm a wallet password (this is the third of four total passwords you will set). This is a BIP39 passphrase.

Then you will be displayed your 24 seed words. Write these down & secure them. Do not take a screen shot, do not share these words with anyone, do not save these words in a text file, do not take a picture of them. Anyone who gains access to these words will have access to your funds.

Write these words down on a piece of paper and secure that paper like it were gold or jewelry. There is a recovery work sheet made for the RaspiBlitz that you can download here.

Once you have written down your words and selected "OK", the system will run a quick script and then prompt you for a reboot. IBD will continue after reboot.

Remember, you will need to reinitialize your Putty session and use the updated password you set. You will be asked to unlock your wallet as well. Then you will see the IBD progress.

You may want to set your desktop sleep settings so that it doesn't interrupt the SSH connection, otherwise you will need to re-establish that connection each time you want to check the IBD progress.

Also, you may have noticed that my initial screenshots of the terminal interface used "qqqqqqqqqqqq" as the boarder. This can be changed in Putty by going to Window>Translation>Remote Character Set and then selecting "Use font encoding" from the drop down menu. Then save your default session and the series of "qqqqqqqqqqqq" will be displayed as a clean line in your terminal window from now on. h/t @nyxnor for the advice.

Once the blockchain has downloaded (~340GB at writing) the RaspiBlitz should reboot and then you can log back in and wait a few moments for everything to activate.

...Three days later...

Ride The Lightning Webinterface:

Working in the terminal window is not always necessary. There is a great web browser based tool you can use as the interface with your RaspiBlitz. Once the steps above have been completed, you should be looking at this screen:

Congratulations! You now have a RaspiBlitz Lightning Node. But there is still some work to do to enable the basic things that probably brought you here in the first place; such as funding your wallet, opening a channel, and sending/receiving some sats.

We'll cover the basics right now to get you up and running and then we'll cover a few select advanced topics afterwards for those of you who are curious.

You can continue working in the terminal window, or you can work in the RTL webinterface that may be more user-friendly with a more familiar UI.

Select "SERVICES Additional Apps & Services" from the main menu.

Then you will see a menu with all sorts of cool and powerful features. For now, select "RTL Webinterface" using the spacebar.

Once you hit "OK" the RaspiBlitz will run some scripts and then reboot, this should take less than 10 minutes. After the reboot, you will be presented with instructions for accessing your Webinterface via Tor. Open the Tor Browser on your desktop and copy/paste the ".onion" Hidden Service address that is presented to you from this window. Make sure to copy the whole address and do not insert "https://" in front of it.

Then each time you log in, you will see an option on the main menu for "RTL Web Node Manager". Just select it to be presented with the Hidden Service address again and enter the password you set for Password B.

Once you get logged in, you will be at your dashboard where you can monitor your network status, Lightning & on-chain balances, routing fees, channels, and more.

Start exploring RTL, it has an intuitive interface and it is easy to navigate through all the tabs to find all kinds of information about your Lightning node.

Fund & Open a Lightning Channel:

Opening Lightning channels is probably one of the primary reasons you read this guide to begin with. By opening Lightning channels with other nodes, you are connecting to the network that helps facilitate the routing of fast and cheap payments around the globe. Opening a Lightning channel involves some privacy considerations that you should be aware of. For example, take a look at this random Lightning node I selected from 1ML, all the information about this node is the same kind of information that anyone on the internet will be able to see about your node.

Generally, there are two kinds of channels: Public channels and private (or unannounced) channels. There is a lot of available information about your Lightning node when you open a public channel. Such as capacity of bitcoin, number of public channels, connected nodes, IP address if not running over Tor, and more. To see for yourself, check this example.

RaspiBlitz connects via Tor by default so your IP address is not shared to the general public, it is displayed as an onion address which helps preserve your privacy. Another piece of information that you will share when opening either a public or private channel is your pub key. When opening a public channel, your pub key will be viewable along with all your other associated public information. Private channel information is not shared publicly however. So a node operator can have a couple public channels open for better routing & connectivity, then also have many private channels open that only the connected peer on the other side knows of. Although there are some advanced techniques which can be utilized to discover private channel capacity, again, refer to Anthony Ronning's article here.

There is a lot to be learned about the privacy implications of the Lightning network. I recommend familiarizing yourself with these additional resources here and here.

The first step in opening a Lightning channel is to deposit some bitcoin in your LND on-chain wallet. From your RTL Webinterface, select the "On-chain" tab, then "Generate Address".

This will display your address QR code. Simply scan this QR code from your mobile Bitcoin wallet for example, and send a small amount of funds. Something to the tune of 2,100,000 sats should be more than enough to get started.

You can make multiple deposits over time. LND will generate a new address each time you call for one. It is best practice to avoid reusing the same address.

Once you have some bitcoin deposited in your on-chain wallet, then you can click on the "Open Channel" button from your dashboard.

Next, you will want to make sure you are connected to some network peers. This should happen automatically and you can add more and specific peers if you want. Being connected to peers and opening a channel with peers is two different things. Just being connected to a peer means that your node is sending and receiving network information to and from your peers. But by opening a channel with a peer, you will initiate the on-chain transaction and begin keeping track of a balance state between you and your opened channel peer. If you want to open a channel with someone specifically, like a friend that you wish to open a private channel with, then you will first need to add them as a peer.

So select the "Peers" tab and then the "Add Peer" button.

Then copy/paste your peers pubkey. You will have either received this pubkey from your friend or you will have found it exploring 1ml.com. The pub key should look something like this example:


Then click the "Add Peer" button.

You will have the option to open a channel with your new peer. Enter the amount you want the channel to be open for, for example 1,000,000 sats. Then enable the private channel toggle switch to make this an unannounced channel. I recommend just leaving the transaction type and "spend unconfirmed output" settings on their defaults unless you have a good reason to change them. Then click on the "Open Channel" button and the request to open a channel for 1,000,000 sats will be sent to your new peer. This request will remain in a pending state until it is approved by your peer.

Try opening a channel with a friend at first or alternatively, check out 1ML to find other nodes that you can request to open channels with. When observing information about Lightning nodes on 1ML, you will see some ratings listed below the node's pubkey QR code. These ratings can give you an idea of how well connected the node is, how much capacity it has, and it's stability. I wasn't able to find out how 1ML calculates these statistics exactly but basically the way you read them is that the lower the number is then the better the rating is.

In the image below for example, you can see that ACINQ (pronounced "a sink") is the best ranking node on the Lightning network. This raises concerns over centralization as a majority of Lightning node have a channel open with ACINQ. However it is also providing a lot of connectivity to the network. You can see that Lommy's node is doing ok and also that my node has some catching up to do.

After your peer confirms the channel opening request on their end, then the on-chain transaction will be broadcast to layer-1 and the channel will officially be open. For the remainder of this channel being open, your node and your peer's node will each maintain a balance state of your channel. If you look at your channel balances though, you will notice that all the liquidity is on your side of the channel.

Another way to connect with some peers is to join a Ring of Fire. This is a good exercise to go through to help you get started as community support is strong in the Telegram channels.

Inbound & Outbound Liquidity:

Inbound liquidity is the number of sats you can receive on a channel. Outbound liquidity is the number of sats you can send on a channel. Here is a screen shot of one of my channel's capacity. The local (outbound) balance is the amount of sats that I can send to my peer. The remote (inbound) balance is the amount I can receive from my peer. This channel is considered unbalanced since all the liquidity is on my side of the channel.

There are a couple different methods for balancing channels that I'll go over here. The two tools we will look at here are Lightning Terminal (Lit) Loop Out and RTL Circular Rebalance.

A) Lightning Terminal Loop:

Loop is another service that can be built into your RaspiBlitz as part of the Lightning Terminal package from Lightning Labs. It is another web browser based interface that can be used to alter channel balances without needing to close and reopen your channels. I would consider this a custodial service, even though the transaction is based on a Hash Time Lock Contract (HTLC) that defaults to no state change if unsuccessful and even though if you do get a successful Loop Out the custodianship may only be for a very brief period before they transfer the on-chain funds to your wallet. You are still relying on a 3rd party to fulfil an obligation on your behalf who accepts a payment from layer-2 and then transfers you back funds on layer-1.

Loop works by taking the sats you send to your peer's side of the channel and then giving you back those sats in on-chain BTC. There is a small fee for this service. But this can be a good way to get some inbound liquidity so that you can receive payments. For example, let's say you had 1 million sats on a custodial Lightning Wallet that you wanted to gain control over again. Using Loop, you could open a channel for 2 million sats with a peer, all the liquidity will be on your side of the channel. Then you could Loop the maximum amount, leaving you with a little less than 2 million sats liquidity on your peer's side of the channel. The ~2 million sat Loop Out will make it's way to Lightning Labs and then they will send you that amount in on-chain bitcoin. The receive address is automatically generated from the on-chain wallet built into your RaspiBlitz, but you can also change it if you want during the Loop Out transaction setup. Then you can send yourself your custodially held 1 million sats since you now have ~2 million sats of inbound liquidity available. This would not only give you control over your sats again but it would then rebalance your channel with your peer giving you ~1 million sats on both sides. However, this does depend on Lightning Labs sending you the on-chain funds which introduces some level of trust, I suppose. This is done through a HTLC so if the loop out attempt fails or doesn't execute by a specific block height then you don't lose anything and you can try again.

To construct a Loop Out, first the LiT service needs to be built and added. From your terminal window, select the "SERVICES Additional Apps & Services" option. Then select "LIT (loop, pool, faraday)", use the space bar to select.

You will see a script start to run and then you will be presented with another onion address like the one you used to open the RTL interface. Copy/paste this onion address into your Tor browser including the "https://" part for this one and use the "B" Password that you setup during the initial configuration to log in. You will also be presented with a SHA1 finger print from your Raspberry Pi that you can verify in your Tor browser before continuing.

This is the login screen you should be looking at. Enter your "B" Password here.

This is the welcome screen, I recommend taking the tour to get familiar with the interface.

Once you get through the tour, you will be looking at your home screen and you should be able to see, like in mine for example, that I have 984,844 Lightning sats available. With 1,092,594 on-chain sats remaining. And that I can receive 0 sats but I can spend the 984,944 sats with my peer. The goal here is to be able to also receive some sats from my peer. Click on the "Loop" button above your channels.

Then click on "Loop Out".

Then use the slider to select the amount of inbound liquidity you want, I chose roughly half the total amount. Then click on "Next".

Then review the Loop information and confirm.

Processing the loop takes some time as it involves an on-chain transaction. Once the Loop out is initiated, it will attempt to execute until a pre-determined block height expiration. Don't be alarmed if the Loop out is not immediately successful and you cannot see the funds you are attempting to Loop Out with. Just go to your RTL Webinterface then the "Peers/Channels" sidebar then the "Active HTLCs" tab. Here you can review your active HTLC's, what amount they are for, and at what block height they will expire. If these contracts fail to execute by the block expiration then you will just have your funds released back to you, so no loss.

Hopefully, you get a successful loop within a reasonable amount of time. Sometimes it can take a while to be successful depending on factors like routing and awareness of your node through the gossip network. Try sending some small payments to bring network attention to your node. Here is an example of several failed Loop Out attempts that I made before getting a successful one, so don't give up.

Once you get a successful loop then you should be able to send and receive sats, having liquidity on both sides of a balanced channel.

Now I have two well balanced channels, one achieved through a Loop Out and the other through the Ring of Fire I established with some other peers.

Loop Out can require some patience but it is a great tool to get some funds back into your on-chain wallet and give you the inbound liquidity you need to start receiving Lightning payments. Another tool for balancing channels is the Circular Re-Balance in the RTL Webinterface.

B) Circular Re-Balance:

Another liquidity related issue that you will eventually run into is that at some point your liquidity may all move from one side of your channel to the other. So for example, if I open a channel with a peer for 1 million sats and I spend 1 million sats to them then this channel's liquidity has dried up on my side of the channel. I can receive 1 million sats to my side from them but if no payments are coming my way then this channel has been rendered kind of useless. The channel needs to be balanced so that payments can flow both ways. And ideal channel will be balanced 50/50.

The Circular Rebalance tool is built into the RTL Webinterface, so if you followed that step then you have this functionality and do not need to construct an additional service.

In the screen shot above, I have 3 channels open right now for example. My channel with GO Satoshi NL (2) is very well balanced and nearly an equal amount of liquidity can flow in either direction. This is ideal.

My next channel, with SkiDaClouds, is closer to an 80/20 liquidity balance. This means that I can spend roughly 4 times the amount of liquidity than I can receive on this channel.

My third channel, with ACINQ, has a 100/0 balance. I cannot receive any sats on this channel but I can spend all the liquidity that is on my side.

The more nodes you can connect to, open channels with, and payments you make should increase your overall gossip network activity and give you more routing flexibility. You may have an easier time getting requests like this to complete the more active and connected you are. However, this also requires that you fund your node with more and more sats to be able to open channels. The RTL tool will basically take sats from one channel and send them to another one of your channels.

  • From your RTL home screen go to the "Peers/Channels" tab on the left-hand side.

  • Then on the "Actions" drop down menu on the channel that needs balancing select "Circular Rebalance".

  • Then enter the amount of sats you want to move and select the peer to receive those sats from. Then hit "Estimate Fee".

  • Then select "Use Estimate" and hit "Rebalance".

Fair warning, I have not been able to find a successful connection to make a circular rebalance happen and I keep running into the error in the image below. I will need to just keep trying despite having opened channels with my peers' peers' peers, if that makes sense. Hopefully the liquidity doesn't get completely moved to one side before hand.

Hopefully you have better luck than I did with this particular tool, although I will keep trying. Keeping your channels balanced is a matter of trial and error. There is no silver bullet. But if you want to be able to send and receive payments and have a well connected node then get in there and start messing around with this stuff until you figure out what works for you.

Another service you may want to try out is Boltz.Exchange. I haven't tried this one myself but I hear good things about it, h/t @BitcoinQ_A. The basic idea is that you enter the amount in sats you will spend from your Lightning wallet, then the website will give you the amount back in on-chain bitcoin minus the fee. Again, I do consider this a type of custodial service, even though it may only be for a brief moment. Please take careful considerations when using a custodial service.

Watchtowers & Backups:

In this section I'll demonstrate how to set up a Watchtower and also how to make a backup of your RaspiBlitz wallet & channel states. A watchtower is a secondary node that will observe the Bitcoin block chain for any transactions that attempt to steal funds from your RaspiBlitz Lightning node if it is off-line. An attempted theft could occur if one of your peers initiates a forced close of your channel but with a previous version of the balance state, thus depriving you of a payment or more that they may have made to your side of the channel.

Your watchtower is a secondary node that you operate, preferably in a separate physical location to mitigate against local power/internet outages. This secondary node will sync with your primary Lightning node and will know all of your current channel balance states. By watching the Bitcoin blockchain for transactions that involve the closure of any of your channels and comparing that information to your known channel states, the Watchtower will broadcast a justice transaction if necessary to counter an attempted theft.

A justice transaction will take all of the channel funds and deliver them to the victim node. This means that not only will the dishonest node lose the funds they were attempting to steal but they will also lose any funds they had in the channel as well. This is made possible if the Watchtower broadcasts the justice transaction within the time-lock period which is typically 144 blocks.

If you are building your secondary node, go ahead and follow all the same steps you followed above to build the RaspberryPi, flash the OS, build RaspiBlitz, & sync the blockchain. This includes securing the 24-word seed phrase for your new LND wallet. I also recommend using all new passwords as well. If you are doing this on the same local network as your primary node you can transfer the block chain data locally instead of downloading, which in my case saved me 75 hours. The local transfer only took me roughly 3 hours. Just follow the prompts for local blockchain transfer instead of network sync when you get to that step.

Once your secondary node is setup and you are at the RaspiBlitz main menu, select "Exit at the bottom.

Now you are in the terminal and will enter a few commands to configure your WatchTower behind Tor. Note that this is the secondary node we are working on, not your primary node, so you should be in a separate Putty terminal window opened with the appropriate local IP.

  • First the LND configuration file needs to be edited:

    sudo nano /mnt/hdd/lnd/lnd.conf

Then add the following two lines of text at the bottom of the file:


Then hit ctrl+X, followed by "Y", followed by Enter.

  • Now the Tor configuration file needs to be edited:

    sudo nano /etc/tor/torrc

Then add the following lines exactly as they appear here to the bottom of the file:

 # Hidden Service for incoming LND WatchTower connections
 HiddenServiceDir /mnt/hdd/tor/lndWT9911
 HiddenServicePort 9911

Then hit ctrl+X, followed by "Y", followed by Enter.

  • Now Tor and LND need to be restarted with the following two commands:

    sudo systemctl restart tor
    sudo systemctl restart lnd

*At this point you will want to open a new text document so you can copy down the hostname and pubkey of your WatchTower.

  • Then back in the terminal window run the following command:

    sudo cat /mnt/hdd/tor/lndWT9911/hostname

You should see returned a long string of random characters followed by ".onion". Copy that whole string and save it to your text document.

To get your pubkey you will need to unlock the LND wallet you set with your "C" password.

lncli unlock

*Enter "C" password.

lncli tower info

Now copy the pubkey and paste that into your text document. Then Hit ctrl+C to exit.

  • Check the logs with the following command to make sure everything looks good:

sudo tail -f -n 10000 /mnt/hdd/lnd/logs/bitcoin/mainnet/lnd.log | grep WTWR

You should then see something like this:

*note the WTWR in red.

That takes care of the WatchTower configuration, now we need to set you your primary node also known as the client so that it can talk to the WatchTower.

Now logged into your primary node via the Putty terminal window.

  • First the LND configuration file needs to be edited:

    sudo nano /mnt/hdd/lnd/lnd.conf

Then add the following two lines of text at the bottom of the file:


Then hit ctrl+X, followed by "Y", followed by Enter.

  • Now LND needs to be restarted with the following command:

    sudo systemctl restart lnd

  • Using the pubkey and the hostname information you saved to your text file, enter the following command inserting your pubkey and your hostname in the following format.

lncli wtclient add YourPubKey@YourHostname.onion:9911

*If you encounter an error related to the wallet being locked then you may need to run the "lncli unlock" command and enter your "C" Password to unlock the LND wallet. Then try to run the command above again:

  • Now LND needs to be restarted again with the following command:

    sudo systemctl restart lnd

  • Check to see if the WatchTower is listening by running this command:

$ lncli wtclient towers

You should get a return that looks like this:

          "towers": [
                          "pubkey": "02b745aa2c27881f2494978fe76494137f86fef6754e5fd19313670a5bc639ea82",
                          "addresses": [
                         "active_session_candidate": true,
                          "num_sessions": 0,
                          "sessions": []
Check the logs with the following command to make sure everything looks good:

  • You can check the logs to make sure it's working by running this command:

sudo tail -f -n 10000 /mnt/hdd/lnd/logs/bitcoin/mainnet/lnd.log | grep WTCL

Then you should then see something like this:

*note the WTCL in red.

And that's it for setting up your WatchTower behind Tor. Anytime you want to verify that the Watchtower is still working just run the following command from your WatchTower terminal:

 sudo tail -f -n 10000 /mnt/hdd/lnd/logs/bitcoin/mainnet/lnd.log | grep WTWR

And then if you want to make sure your RaspiBlitz Client is still actively communicating with your Watchtower, just run the following command from that terminal window:

sudo tail -f -n 10000 /mnt/hdd/lnd/logs/bitcoin/mainnet/lnd.log | grep WTCL

Comparing the two side by side:

Now your RaspiBlitz node will have a watchful eye making sure non of your channel peers try to broadcast an outdated channel state that would otherwise deprive you of your funds. If you can move your WatchTower to a separate physical location, that would be ideal.


It is also a good idea to keep a backup of your RaspiBlitz channels to keep your Lightning funds safe in the event of some catastrophic failure. The simplest and most effective way to do this in my opinion is with a USB drive connected directly to your RaspiBlitz. You can set your RaspiBlitz to automatically update the backup each time a channel is opened or closed. This is called the Static Channel Backup (SCB) and it is a file named channel.backup located on your SSD in the following directory: /home/admin/.lnd/data/chain/

The idea here is to also save a copy of this file to a USB drive just in case. However, there are ways to save a backup file remotely and encrypted, check here for those details.

First power off your RaspiBlitz completely. Then plug the USB drive into one of the USB 2.0 ports. Then power the RaspiBlitz back on and log in.

  • Simply navigate to "SETTINGS Node Settings & Options" from the main menu.

  • Then using the spacebar, select "StaticChannelBackup on USB Drive.

  • Then ensure the correct drive has been selected for format and hit "FORMAT". You want to make sure it is not your SSD that has been selected.

  • A quick script will run to format your USB drive and that's it, you're done.

To make sure your channels.backup file is actually being written to your USB drive, you can verify this by exiting the RaspiBlitz main menu to enter the terminal. Then run the following commands:

cd /mnt/backup && ls -l

The returned information should show you the name of the backup file on the USB drive with a date format so you know the latest date the file was written.

In order to restore your channel backup it will be necessary to have your 24 seed words and the channels.backup file and your "C" password. So be sure to have your 24 seed words written down and secured. Also make sure you have your A, B, C, & D passwords secured. Preferably on a piece of paper and not in a digital format.

The 24 seed words and "C" password will allow you to recover any on-chain funds in your LND wallet. What is not captured by your 24 seed word backup however is your channels. This is why you will also need your channels.backup file in order to recover the funds in your channels.

There is another type of backup which is all of your LND data. This type of backup is meant for a scenario where you are transferring data from one machine to another, not necessarily attempting to restore due to a catastrophic failure. The two scenarios are different and it is important to note that if you attempt to restore your channels with just your LND data then it is possible to replay an outdated channel balance state. If you do this, it is likely that your peer will automatically assume that you are a dishonest node trying to steal funds, the likely outcome is that your peer's WatchTower broadcasts a justice transaction thus resulting in you losing all your funds from that channel. For more information on the LND backup or backups in general, check here, where you will also find these restoration instructions:

  • Setup a new RaspiBlitz from scratch.

  • During the initial setup, at the point of creating the LND wallet, select "OLD - I had an old Node I want to recover/restore" option and then select the "SEED+SCB - Seed & channel.backup file" option.

  • Then follow the instructions to upload your channel.backup file and enter your 24 seed words and your original "C" Password.

LND will then take some time to re-scan the blockchain. Then your LND on-chain wallet should be restored. You may need to wait for your old channel peers to force close the old channels until you see the funds again. For a detailed understanding of the process behind restoring a Static Channel Backup and how the funds are attempted to be reclaimed, I copied the following excerpt from this guide.

  1. "Given the set of channels to recover, the server will then will insert a series of "channel shells" into the database. These contain only the information required to initiate the DLP (data loss protection) protocol and nothing more. As a result, they're marked as "recovered" channels in the database, and we'll disallow trying to use them for any other process.

  2. Once the channel shell is recovered, the chanbackup package will attempt to insert a LinkNode that contains all prior addresses that we were able to reach the peer at. During the process, we'll also insert the edge for that channel (only in the outgoing direction) into the database as well.

  3. lnd will then start up, and as usual attempt to establish connections to all peers that we have channels open with. If lnd is already running, then a new persistent connection attempt will be initiated.

  4. Once we connect with a peer, we'll then initiate the DLP protocol. The remote peer will discover that we've lost data, and then immediately force close their channel. Before they do though, they'll send over the channel reestablishment handshake message which contains the unrevoked commitment point which we need to derive keys (will be fixed in BOLT 1.1 by making the key static) to sweep our funds.

  5. Once the commitment transaction confirms, given information within the SCB we'll re-derive all keys we need, and then sweep the funds."

Connecting to Mobile:

Connecting your RaspiBlitz to your own mobile wallet is a great way to take the utility of your node with you where ever you go. This will allow you to monitor your channel states, create/receive Lightning invoices, and deposit on-chain BTC while on the go.

For this guide I am using Zeus Bitcoin/Lightning Wallet. You can visit their website here and download the Android .apk file directly, along with the PGP signature. Or using the F-Droid repository here.

Always check the Zeus Lightning Wallet website for the latest details. But you should be able to add the Zeus LN PGP public key to your local keychain using Kleopatra for example. Then you can verify the developer signature of the hash value is true. Then you can calculate the hash value on the .apk file you downloaded yourself to verify that it matches the signed hash value. This way you know you have the actual application that was signed by the developers.

Then, with your Android phone connected to your desktop, go ahead and drag & drop the verified .apk file and install it.

Next, if you purchased an LCD display, connect it to the RaspberryPi. You may need to restart your RaspberryPi in order for the display to be recognized by the system. The reason I recommend using the LCD display for this is because I had trouble configuring the display settings in my SSH tool so that the necessary QR code would display correctly in the terminal window on my desktop. Connecting an LCD display directly to the Raspberry Pi makes this QR code display properly.

From your desktop terminal window, scroll down the RaspiBlitz main menu to "CONNECT Connect Apps & Show Credentials" and then select that.

Then select "MOBILE Connect Mobile Wallet".

Then select "ZEUS_ANDROID Zeus Wallet (Android)" and then "Continue" on the screen after that.

In this next step, you can choose to display the QR code in the terminal window or on the LCD display by selecting "Continue" instead. Again, I was not able to get the QR code to display properly in the terminal window but you may have better luck. Pro tip from @BitcoinQ_A: try using ctrl - to zoom out in the terminal window, this may resolve the issue.

Open the Zeus Lightning app on your Android, select the "Scan lndconnect config" option. Then at the Node Interface drop-down menu at the top, select "lnd" and then scan the QR code on the LCD screen. This will automatically import all the necessary information and connect your RaspiBlitz to your mobile device.

Make sure to select the "Use Tor" and "Certificate Verification" options from the Zeus configuration page before saving the configuration file. Tor will help conceal your IP and you may be susceptible to MITM attacks if you don't install your RaspiBlitz certificate on your Android device.

To retrieve and install the certificate from RaspiBlitz, navigate to "CONNECT Connect Apps & Show Credentials" from the RaspiBlitz main menu. Then go down to "Export Get Macaroons and TLS.cert". Then "HTTP Browserdownload (bit risky)."

In the terminal screen you will be given the local IP address for your RaspiBlitz node along with the appropriate port number. Type that into a web browser on your desktop and then you will see the hyperlink to download the certificate to your desktop.

Once that file is downloaded, connect your Android device, enable file sharing, then drag and drop the certificate file to your Android. These instructions are for a Pixel 4a running CalyxOS, your device may vary.

Then from your Android, navigate to Settings>Security>Encryption & Credentials>Install Certificate.

Then you will see a menu of three options, select "CA Certificate" then read the warning and select "Install Anyway". Your device will grab the certificate file and give that information to Zeus Wallet and then you are all set.