github.com/decred/dcrlnd@v0.7.6/docs/remote_dcrwallet.md

# Remote Dcrwallet Mode

`dcrlnd` can run in "remote dcrwallet mode", in which case instead of running an
embedded dcrwallet instance, it _connects_ to an already running wallet in order
to fetch the `dcrlnd`-specific account keys and to perform its on-chain operations.

The connection is made through dcrwallet's gRPC interface, so starting in
version 1.6.0 a client certificate is needed to authenticate against the
wallet instance. Also note that the wallet must be using individually locked
accounts (`setaccountpassphrase`).

The following is a quick guide on setting up such an environment.

## Create the client key and certs

While this assumes two different hosts (one running the wallet and one running
the ln node), this is optional: everything could be done on a single host, or all
commands could be run on the wallet host and the final files copied to the ln
node.

Note that some OSs (notably OpenBSD and macOS) ship by default with `libressl`
instead of `openssl` and may not support the `ed25519` keys and
signatures used in the example, so the following commands may need adjustment
depending on the environment.

Advanced users may also tweak specific properties of the CA and client certs
according to their specific security and privacy considerations.

```shell
# Generate the CA key and cert (do it on wallet host)
$ openssl genpkey -algorithm ed25519 -out client-ca.key
$ openssl req -x509 -nodes -key client-ca.key -sha256 -days 1024 -out client-ca.cert
# (accept defaults)

# Generate the client key and CSR (do it on dcrlnd host)
$ openssl genpkey -algorithm ed25519 -out client.key
$ openssl req -new -key client.key -out client.csr
# (accept defaults)

# (copy the CSR from dcrlnd host to wallet host)

# Generate the client cert signed by the CA key.
$ openssl x509 -req -in client.csr -CA client-ca.cert -CAkey client-ca.key -CAcreateserial -out client.cert -days 1024 -sha256

# (copy client.cert and client.key to the dcrlnd host)
```

## `dcrwallet` Config

Add the following to the applicable `dcrwallet.conf` file:

```ini
[Application Options]
# Replace 127.0.0.1 with your private network IP.
# Replace 19221 with some other port (and adjust firewall).
grpclisten = 127.0.0.1:19221

# Replace with the full path to client-ca.cert.
clientcafile = /path/to/client-ca.cert
```

## `dcrlnd` Config

Add the following to the applicable `dcrlnd.conf` file.

**IMPORTANT**: this should only be done _before_ setting up an embedded wallet.
You cannot switch between an embedded and a remote wallet (or between different
remote wallets initialized with different seeds).

```ini
[Application Options]

node = dcrw

# ... rest of config

[dcrwallet]

# Replace 127.0.0.1 with the private IP where the wallet is accessible.
# Replace 19221 with the correct port.
dcrwallet.grpchost = 127.0.0.1:19221

# This is a copy of the standard dcrwallet rpc.cert file.
# If you are running dcrwallet and dcrlnd on the same host
# this will be in ~/.dcrwallet/rpc.cert by default.
dcrwallet.certpath = /path/to/rpc.cert

# Account number from which the LN keys will be derived. DO NOT CHANGE after the
# dcrlnd wallet is set up. The account must already exist.
dcrwallet.accountnumber = 1

# Replace with the full paths to the client.key and client.cert files previously
# created (not the CA files, which stay on the wallet host).
dcrwallet.clientkeypath = /path/to/client.key
dcrwallet.clientcertpath = /path/to/client.cert
```

On startup, dcrlnd will still prompt to unlock the wallet even if the dcrwallet instance is unlocked.
Execute `dcrlncli unlock`, typing the wallet's private passphrase so that dcrlnd extracts the keys needed for its operation.
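
A pre-flight check for the client files created in this guide, written in Go because `dcrlnd` is a Go project. This is an added example, not code from dcrlnd or dcrwallet: `issue` and `checkClientFiles` are hypothetical names, the certificates are constructed in-process as stand-ins for the `openssl` output, and verification uses Go's standard `crypto/x509` rather than the wallet's own code path.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// issue returns a constructed Ed25519 cert and PKCS#8 key as PEM; a nil parent yields a self-signed CA.
func issue(cn string, parent *x509.Certificate, signer ed25519.PrivateKey) ([]byte, []byte, *x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, 1024)}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	cert, _ := x509.ParseCertificate(der)
	p8, _ := x509.MarshalPKCS8PrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: p8}), cert, key
}

// checkClientFiles verifies the key/cert pair, rejects a CA cert used as the client cert, and checks the chain to caPEM.
func checkClientFiles(caPEM, certPEM, keyPEM []byte) error {
	pair, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return fmt.Errorf("client key/cert mismatch: %w", err)
	}
	leaf, _ := x509.ParseCertificate(pair.Certificate[0]) // already parsed once by X509KeyPair
	if leaf.IsCA {
		return fmt.Errorf("client cert is a CA cert; keep the CA key on the wallet host")
	}
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(caPEM) // an empty pool makes Verify fail below
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	caPEM, _, ca, caKey := issue("client-ca", nil, nil)
	certPEM, keyPEM, _, _ := issue("dcrlnd-client", ca, caKey)
	fmt.Println("check result:", checkClientFiles(caPEM, certPEM, keyPEM))
}
```

To check real files, read `client-ca.cert`, `client.cert` and `client.key` with `os.ReadFile` and pass their contents to `checkClientFiles`.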