Virtual Private Node
A one-command installer for a private Lightning node on Debian — Bitcoin Core, LND, and Tor, configured and running in minutes.
After installation, manage your node with the terminal UI or bitcoin-cli, lncli, and systemctl. No wrappers, no abstractions. Your keys, your node.
What gets installed
Base (automatic)
- Bitcoin Core — pruned node, Tor-only P2P, GPG-verified with 5 independent signatures
- LND — Lightning Network daemon with Tor hidden services
- Tor — all traffic routed through Tor by default
- UFW firewall — deny all incoming except SSH
- fail2ban — brute-force protection
- Unattended upgrades — automatic Debian security updates
- NTP clock sync — accurate time for block timestamps, HTLC timeouts, and macaroon expiry
Optional (from the TUI)
- Syncthing — automatic LND channel backup to your local device
- LndHub.go — Lightning accounts for family and friends
Quick start
Requirements
- Fresh Debian 13+ server
- 2 (v)CPU, 4+ GB RAM, 90+ GB SSD
SSH into your server and run:
curl -sL ripsline.com/install | sudo bash
Note: Some downloads route through Tor and can occasionally fail on the first attempt. The script is idempotent and safe to rerun.
This creates a ripsline user, copies your SSH key across automatically, downloads the rlvpn binary, installs Bitcoin Core + LND + Tor, and hardens the SSH daemon. Follow the on-screen instructions to SSH in as ripsline — Bitcoin Core begins syncing and the TUI opens to the wallet creation flow.
For testnet4:
curl -sL ripsline.com/install | sudo bash -s -- --testnet4
SSH key discovery. The bootstrap tries several ways to find an existing SSH key to copy to the new ripsline user: $SUDO_USER's authorized_keys, then logname, then who, then /root/.ssh/. This works for curl | sudo bash, sudo su - followed by curl, and bare-metal root installs. If no key is found, a random password is printed at the end and you can add a key later from the TUI.
Wallet creation
On first TUI launch after bootstrap, you go straight to the wallet creation flow:
- Read the privacy and seed warnings, press Proceed
- Wait for LND to become ready
- Type a wallet password
- Write down your 24-word seed on paper
- Type I SAVED MY SEED to confirm
The confirmation phrase is required — there is no skip. Once confirmed, the flow transitions into auto-unlock configuration so you don't have to manually unlock on every reboot.
If you lose your seed phrase, your funds are gone. No one can recover them — not us, not anyone.
Pressing ctrl+c during the password prompt is a legitimate escape hatch (no seed has been generated yet). Once you've seen your seed, ctrl+c is blocked — the only way forward is typing the confirmation phrase.
Dashboard
Every SSH login as ripsline opens a terminal UI with five sections plus a dark/light theme toggle:
- Channels — open, close, and manage Lightning channels; view Node Info (pubkey, URIs, QR codes); channel history
- Wallet — send and receive Lightning payments; payment history
- On-Chain — send and receive on-chain; UTXO coin control; transaction history with anchor sweep detection
- Add-On — install and manage Syncthing (channel backup) and LndHub (Lightning accounts)
- System — service status and logs; SSH key management; auto-unlock configuration; P2P mode upgrade; self-update
Press ctrl+c to quit and drop to a shell:
bitcoin-cli getblockchaininfo
lncli getinfo
lncli walletbalance
systemctl status bitcoind
systemctl status lnd
Zeus wallet
Open the Wallet section in the TUI for Zeus pairing — scan a QR code or copy the connection string. Both Tor and clearnet pairings are supported if your node is in hybrid P2P mode.
Tor only (default)
- Open the Wallet section → Pair Wallet
- In Zeus: Advanced Set-Up → LND (REST)
- Scan the QR code, or copy the server address, REST port (8080), and macaroon
Clearnet + Tor (hybrid mode)
- Upgrade to hybrid P2P mode from System → P2P Upgrade
- Open the Wallet section → Pair Wallet
- Both clearnet (IP:8080) and Tor connection strings are available
- First clearnet connection: accept the self-signed certificate warning — the connection is encrypted with LND's auto-refreshed TLS certificate
Clearnet is faster. Tor is more private. Both use the same macaroon.
Sharing your node
The Channels section has a Node Info tab that displays everything a peer needs to open a channel with you: node alias, pubkey, LND version, peer count, active channels, node capacity, balances, and QR codes for your advertised URIs.
P2P mode
LND is installed Tor-only by default. You can upgrade to hybrid mode later from System → P2P Upgrade:
- Tor only — maximum privacy, all connections through Tor
- Hybrid (Tor + clearnet) — better routing, your server IP is published to the Lightning Network
The upgrade is one-way. Once your IP is published to the network gossip, it cannot be retracted.
LndHub — Lightning accounts
LndHub.go provides separate Lightning wallet accounts backed by your LND node. Create accounts for family, friends, or AI agents from the Add-On section.
- Install LndHub from the Add-On section
- Create accounts from the LndHub management screen
- Share the login, password, and server address with the user
- They connect Zeus: Advanced Set-Up → LndHub → enter credentials
- Fund their account by paying an invoice they generate
Privacy: Passwords are shown once at creation and never stored. The admin cannot see user balances through the TUI. LndHub uses a dedicated macaroon with minimal LND permissions.
Built from source: LndHub.go is cloned from GitHub at a pinned release tag and compiled on your server using the Go toolchain. No prebuilt binaries. PostgreSQL is installed as the database backend.
Syncthing — channel backups
Syncthing automatically syncs your LND channel.backup file to your local device. No cloud services. No trust. If your node dies, recover your channels with your seed phrase and the backup file.
The sync connection is direct between your node and your device over an encrypted channel. Syncthing uses mutual TLS authentication — only devices you explicitly approve can connect. Discovery servers and relays are disabled.
- Install Syncthing on your device from syncthing.net
- Disable discovery, relays, and NAT traversal in local Syncthing settings
- Pair your device from the Add-On section in the dashboard
- Add the node as a remote device in your local Syncthing
- Accept the backup folder share and set it to Receive Only
Your channel.backup syncs automatically whenever both devices are online.
Security
- TUI runs as unprivileged user, sudo per-action (not root)
- All connections through Tor (SOCKS5 port 9050)
- IPv6 disabled to prevent Tor bypass
- Stream isolation (separate circuit per connection)
- UFW firewall: SSH only (+ 9735, 8080 for hybrid P2P, 3000 for LndHub hybrid, 22000 for Syncthing)
- Fail2ban: SSH brute-force protection
- Root SSH disabled after bootstrap
- SSH hardening: challenge-response, keyboard-interactive, and X11 forwarding disabled
- Services run as dedicated bitcoin system user
- GPG signature verification for all software
- Bad signature detection — any BADSIG is a hard stop
- Unattended security upgrades with auto-reboot
- Bitcoin Core wallet disabled
- All downloads after Tor installation route through torsocks
- apt configured to use Tor SOCKS proxy
- Atomic config writes with fsync + rename
- Auto-unlock uses a local password file with 0400 perms, never transmitted
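An added example of the fsync + rename pattern applied to a 0400 file such as the auto-unlock password. It is illustrative Go, not the rlvpn source; `WriteAtomic` and the demo path are hypothetical names.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// WriteAtomic writes data so readers see either the old file or the complete
// new one: temp file in the same directory, fsync, rename, fsync the directory.
func WriteAtomic(path string, data []byte, mode os.FileMode) (err error) {
	dir := filepath.Dir(path)
	tmp, err := os.CreateTemp(dir, ".tmp-*") // created 0600, same filesystem
	if err != nil {
		return err
	}
	defer func() {
		if err != nil {
			tmp.Close()
			os.Remove(tmp.Name()) // never leave a partial file behind
		}
	}()
	if _, err = tmp.Write(data); err != nil {
		return err
	}
	if err = tmp.Chmod(mode); err != nil { // final perms set before it is visible
		return err
	}
	if err = tmp.Sync(); err != nil { // flush file contents to disk
		return err
	}
	if err = tmp.Close(); err != nil {
		return err
	}
	if err = os.Rename(tmp.Name(), path); err != nil { // atomic replace
		return err
	}
	d, err := os.Open(dir)
	if err != nil {
		return err
	}
	defer d.Close()
	return d.Sync() // persist the new directory entry
}

func main() {
	p := filepath.Join(os.TempDir(), "rlvpn-demo-unlock") // hypothetical path
	fmt.Println(WriteAtomic(p, []byte("constructed-password\n"), 0o400))
}
```

Creating the temp file in the target's own directory keeps the rename on one filesystem, which is what makes it atomic.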
Network traffic
Phase 1 (clearnet, unavoidable): apt-get update/upgrade, Tor installation, NTP time sync.
Phase 2 (all through Tor): rlvpn binary, GPG signing key, Bitcoin Core, LND, Go toolchain (LndHub), Syncthing repo key, all subsequent apt operations.
After bootstrap, the only ongoing clearnet traffic is NTP clock sync, Syncthing sync (if installed), and LND P2P (if hybrid mode). Everything else routes through Tor.
Software verification
- Bitcoin Core — 5 trusted builder keys from bitcoin-core/guix.sigs. Requires 2 of 5 valid signatures. A bad signature from any key is a hard stop.
- LND — Roasbeef's signing key verified against known fingerprint.
- LndHub.go — built from source at pinned release tag. No prebuilt binary.
- rlvpn binary — signed with a key hosted on an independent keyserver (not GitHub). Downloaded as a file through Tor.
Verification failure is a hard stop. After installation, review the log:
cat /var/log/rlvpn.log
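The 2-of-5 rule with BADSIG as a hard stop, sketched in Go as an added example (not the rlvpn source). `CheckThreshold` and `validsig` are hypothetical names, the fingerprints are placeholders, and the input is the machine-readable status output that `gpg --status-fd` emits.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

var ErrBadSig = errors.New("BADSIG reported") // any BADSIG is a hard stop

// CheckThreshold parses `gpg --status-fd` output, counting distinct trusted
// primary-key fingerprints with a VALIDSIG. Any BADSIG fails the whole check.
func CheckThreshold(status string, trusted map[string]bool, need int) (int, error) {
	seen := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 3 || f[0] != "[GNUPG:]" {
			continue
		}
		switch f[1] {
		case "BADSIG":
			return 0, fmt.Errorf("%w: key %s", ErrBadSig, f[2])
		case "VALIDSIG":
			fpr := f[2] // signing (sub)key fingerprint
			if len(f) >= 12 {
				fpr = f[11] // primary key fingerprint, when gpg reports it
			}
			if trusted[fpr] {
				seen[fpr] = true // map: one key signing twice counts once
			}
		}
	}
	if len(seen) < need {
		return len(seen), fmt.Errorf("%d valid trusted signatures, need %d", len(seen), need)
	}
	return len(seen), nil
}

// validsig builds a constructed VALIDSIG status line for the demo below.
func validsig(fpr string) string {
	return "[GNUPG:] VALIDSIG " + fpr + " 2025-01-01 1735689600 0 4 0 1 10 00 " + fpr + "\n"
}

func main() {
	a, b := strings.Repeat("A1", 20), strings.Repeat("B2", 20) // placeholder fingerprints
	fmt.Println(CheckThreshold(validsig(a)+validsig(b), map[string]bool{a: true, b: true}, 2))
}
```

Success is only returned after the whole status stream has been read, so a BADSIG that follows two valid signatures still fails the check.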
Build from source
sudo apt update && sudo apt install -y git wget sudo curl
cd /tmp
wget https://go.dev/dl/go1.26.1.linux-amd64.tar.gz
sudo rm -rf /usr/local/go
sudo tar -C /usr/local -xzf go1.26.1.linux-amd64.tar.gz
echo 'export PATH=$PATH:/usr/local/go/bin' >> ~/.profile
source ~/.profile
cd ~
git clone https://github.com/ripsline/virtual-private-node.git
cd virtual-private-node
go mod tidy
go build -o rlvpn ./cmd/
sudo install -m 755 ./rlvpn /usr/local/bin/rlvpn
curl -sL ripsline.com/install | sudo bash
The bootstrap script detects that rlvpn is already installed and skips the download.
Premium Support
The premium support plan includes:
- Node Setup Assistance — reach us directly via email or Signal for node questions, troubleshooting, and guidance
- Mobile Remote Controller Setup Guide — remote guidance to set up a dedicated GrapheneOS device as a private Lightning wallet and node controller
- Node Recovery Assistance — help recovering your node using seed phrase and channel.backup
- 25% Off Virtual Server Provider — discount on Virtual Server via affiliate link, tested and verified to work with the node software
What to back up
- SSH private key — how you access your node
- Account number — how you manage your subscription and contact support
- LND seed phrase — how you recover on-chain funds
- channel.backup file — how you recover Lightning channels (auto-synced via Syncthing)
Recovery
If you lose access to your node: Contact support and we'll walk you through setting up a fresh node and recovering using your seed phrase and channel.backup file.
If you lose your account number: Contact support. We may be able to locate your account using payment history, but this is not guaranteed. Save your account number in a password manager.
Pricing
Premium Support: $100/year — Node Setup Assistance, Mobile Remote Controller Setup Guide, Node Recovery Assistance, 25% Off Virtual Server Provider (does not expire with your subscription).
Pay with Bitcoin, Lightning, or Monero. No email or personal information required.