I have recently set up my stake pool Copenhagen Vertigo following the guides from Coincashew. The recently updated instructions for the 1.26.1 release are excellent – and I will have to buy them a beer.
They also have an easy-to-follow guide on how to set up a WireGuard VPN between a BP/local node and a relay/remote node to enhance security. [How to setup WireGuard - CoinCashew]
The WireGuard guide is for a single relay node setup, and I have added a second relay node to my setup. How to do that is not covered in the guide, so I have worked a bit on how it could be done. Here are the steps I have found to work to add WireGuard in a dual relay node setup. Perhaps it can save time for others to know this.
On the second relay node:
1. Follow the CoinCashew instructions for installing a relay node
2. Install WireGuard
3. Set up a public/private key pair (you will only need the remote node key pair)
4. Configure WireGuard. A few changes are needed:
- use a different interface address than the first relay node, e.g. 10.0.0.3/32 instead of 10.0.0.2/32
- use the second relay node's private key
- everything else is the same as for your first relay node (incl. the same local node public key and address)
- configure your firewall
5. Set up autostart with systemd
On the block producer node:
1. Stop WireGuard
I tried changing the wg0.conf file while WireGuard was running, but the changes were ignored. In the end I ended up copying the content into a new file with the same name while WireGuard was stopped, but I think it is enough to stop WireGuard while you change the file.
2. Amend the wg0.conf file to look like this:

```ini
# local node WireGuard Configuration
[Interface]
# local node address
Address = 10.0.0.1/32
# local node private key
PrivateKey = <local node's private key>
# local node wireguard listening port
ListenPort = 51820
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp9s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp9s0 -j MASQUERADE

# remote node 1
[Peer]
# remote node's public key
PublicKey = <relay node 1's public key>
# remote node's public ip address or dns name, followed by its WireGuard listen port
Endpoint = <relay node 1's public IP address>:<relay node 1's listen port>
# remote node's interface address
AllowedIPs = 10.0.0.2/32
# send a keepalive packet every 21 seconds
PersistentKeepalive = 21

# remote node 2
[Peer]
# remote node's public key
PublicKey = <relay node 2's public key>
# remote node's public ip address or dns name, followed by its WireGuard listen port
Endpoint = <relay node 2's public IP address>:<relay node 2's listen port>
# remote node's interface address
AllowedIPs = 10.0.0.3/32
# send a keepalive packet every 21 seconds
PersistentKeepalive = 21
```
3. Restart WireGuard
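Two things bite when a second [Peer] is pasted into wg0.conf by copying the first: an AllowedIPs prefix left at 10.0.0.2/32 on both peers (WireGuard maps each allowed prefix to exactly one peer, so the last peer listed silently takes the route and the first relay becomes unreachable over the tunnel), and an Endpoint without its :port (wg-quick refuses the file). Note also that with `SaveConfig = true` in [Interface], `wg-quick down` writes the running configuration back over wg0.conf, which is why edits made while the tunnel is up do not survive. The following pre-flight lint, an added example that is not from the CoinCashew guide or the original post, catches both mistakes with the tunnel stopped, before the restart in step 3. It is plain POSIX sh plus awk, reads the config on stdin, and the sample configs, keys and 203.0.113.x addresses in it are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the CoinCashew guide or the original post):
# pre-flight lint for a multi-peer wg0.conf, run with the tunnel down,
# before `wg-quick up wg0`. Reads the config on stdin and reports:
#   - a [Peer] missing PublicKey, Endpoint or AllowedIPs
#   - an Endpoint with no :port (wg-quick rejects these)
#   - an AllowedIPs prefix listed under two peers (each prefix belongs to
#     exactly one peer in WireGuard, so the later peer silently takes it)
# Returns 0 when clean, 1 when any problem was printed.
lint_wg_conf() {
  awk '
    function finish_peer() {
      if (!inpeer) return
      if (pk == "")  { printf "peer %d: missing PublicKey\n", n; err++ }
      if (ep == "")  { printf "peer %d: missing Endpoint\n", n; err++ }
      else if (ep !~ /:[0-9]+$/) { printf "peer %d: Endpoint \"%s\" has no port\n", n, ep; err++ }
      if (ips == "") { printf "peer %d: missing AllowedIPs\n", n; err++ }
    }
    /^[[:space:]]*(#|$)/         { next }                  # comments and blank lines
    /^[[:space:]]*\[Peer\]/      { finish_peer(); inpeer = 1; n++; pk = ep = ips = ""; next }
    /^[[:space:]]*\[Interface\]/ { finish_peer(); inpeer = 0; next }
    {
      eq = index($0, "=")                  # split on the first "=" only, because
      if (eq == 0 || !inpeer) next         # base64 keys end in "=" themselves
      key = substr($0, 1, eq - 1); gsub(/[[:space:]]/, "", key)
      val = substr($0, eq + 1);    gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
      if (key == "PublicKey")       pk = val
      else if (key == "Endpoint")   ep = val
      else if (key == "AllowedIPs") {
        ips = val
        m = split(val, list, /[[:space:]]*,[[:space:]]*/)
        for (i = 1; i <= m; i++) {
          if (list[i] in owner) {
            printf "peer %d: AllowedIPs %s already claimed by peer %d\n", n, list[i], owner[list[i]]; err++
          } else owner[list[i]] = n
        }
      }
    }
    END { finish_peer(); if (n == 0) { print "no [Peer] section found"; err++ }; exit (err > 0) }
  '
}

# Lint a config held in a string (used by the demo below and by tests).
lint_conf_string() { printf '%s\n' "$1" | lint_wg_conf; }

# Constructed sample: block producer with two relay peers, distinct tunnel
# addresses and endpoints that carry the port. Keys and IPs are placeholders.
GOOD_CONF=$(cat <<'EOF'
[Interface]
Address = 10.0.0.1/32
PrivateKey = LOCAL_NODE_PRIVATE_KEY_PLACEHOLDER=
ListenPort = 51820

[Peer]
PublicKey = RELAY1_PUBLIC_KEY_PLACEHOLDER=
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 21

[Peer]
PublicKey = RELAY2_PUBLIC_KEY_PLACEHOLDER=
Endpoint = 203.0.113.11:51820
AllowedIPs = 10.0.0.3/32
PersistentKeepalive = 21
EOF
)

# Constructed sample of the copy-paste mistake: the second peer still claims
# the first relay's 10.0.0.2/32 and its Endpoint lacks the port.
BAD_CONF=$(cat <<'EOF'
[Interface]
Address = 10.0.0.1/32
PrivateKey = LOCAL_NODE_PRIVATE_KEY_PLACEHOLDER=

[Peer]
PublicKey = RELAY1_PUBLIC_KEY_PLACEHOLDER=
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = RELAY2_PUBLIC_KEY_PLACEHOLDER=
Endpoint = 203.0.113.11
AllowedIPs = 10.0.0.2/32
EOF
)

echo "== good config =="
if lint_conf_string "$GOOD_CONF"; then echo "clean"; fi
echo "== bad config =="
if lint_conf_string "$BAD_CONF"; then echo "clean"; else echo "fix the file before wg-quick up"; fi
```

On the block producer the real file is root-only, so run the check as `sudo sh -c '. ./wglint.sh >/dev/null; lint_wg_conf < /etc/wireguard/wg0.conf'` (assuming the block is saved as wglint.sh) after stopping the tunnel and before step 3. The bad sample prints two lines, one per mistake, and exits 1; the good sample exits 0 and prints `clean`.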
Final step:
Step 4 in the CoinCashew guide: verify that the connection is working and configure the topology.json files with the new addresses.
Comments are welcome. Let me know if I have missed something or there is a better way.