I’m curious if you solved the tunneling issue from your relay to the block producer? I also set up wireguard and tried to use a similar prometheus job config as you by pointing at the BP node prometheus data ports, 10.0.0.1:9100 and 10.0.0.1:12798.
This does not work, though, because ports 9100 and 12798 are not open by UFW allow rule. If you try to do a telnet command from relay node to BP node, it will just hang.
telnet 10.0.0.1 9100
So, I assume one needs to set up port forwarding in wireguard configuration, so that you can tunnel in via the tunnel port (default 51820), then forward request to another port, i.e. 9100 or 12798. I’d love to set this up on a rainy day, but I ended up taking an easier approach, which I think is reasonably secure.
On my block producer node, I set a ufw rule to allow access to ports 9100 and 12798 only from the relay node IP specifically. Relay Node 1 is running the prometheus service to collect the stats.
# On BP node
sudo ufw allow from <RelayNode_IP> to any port 9100
sudo ufw allow from <RelayNode_IP> to any port 12798
Then, I changed the prometheus job config on relay1 to just use the IP address of BP Node
# On Relay Node 1
- targets: ['<BP_NODE_IP>:9100']
- targets: ['<BP_NODE_IP>:12798']
This works of course, but I’d prefer to do the wireguard with port forwarding approach. If you got that working, I’d love to see the config example.
Also, I’m curious how people are securing the grafana service running the relay node 1(port 3000). In my case, I don’t have a static IP on my local machine, so I chose to set up free dynamic DNS client on my local computer to get a DNS name. I was hoping you could set up UFW rule on Relay Node 1 with access to port 3000 only from my DNS name. But, UFW rules are IP based, so I set up a BASH script on the relay node to run cron job as root every 5 mins to update the UFW rule for port 3000 based on the current IP address of my DNS name. It’s kinda messy, but it’s working.