Entirely possible (I have a similar setup). Ideally you need a wireguard tunnel between that different machine and your lightning node.

1. Setup the wireguard tunnel
2. Configure lnd to bind its grpc interface to the node"s wireguard IP
3. Make sure lnd grpc port 1009 is open in the firewall so that the oher machine can access it through the wireguard tunnel
4. Copy the cert and macaroon files to that other machine
5. Adjust the lnurl-server flags accordingly, namely --lnd-host <wireguard IP of the lnd node>

You can look at my wireguard guide for help with step 1:

quoting naddr1qq…2ag8

Why wireguard?

If you are already sold on why you need this, skip to the next section.

A motivational story

The year is 2025. You’re at the small coffeshop you found on btcmap and want to pay for your morning double expresso.

A LN invoice flashes before your sleepy eyes, you pull out your phone and try to open your Zeus wallet connected to your sovereign self-custodial LN node running in your basement.

You wait for Zeus to load. And you wait. And you wait. And you wait some more. The barista gets impatient, there is a line of NPCs behind you rushing to get to their fiat mines.

Finally you curse, pay with your slave VISA CBDC card and uninstall Zeus as you walk out.

The Issue

You used Tor to connect to your node. Tor was being DDOSed by some state-level actors.

You’re using Tor because either it was the easiest thing to setup, or it was just the default in your node distribution.

Have you stopped to wonder if it really makes sense to use an anonymity network designed to be censorship resistant just to connect to your own home server?

You obviously don’t want to expose your node to the public internet (which would expose what you are using as well as make you vulnerable to attacks).

The Solution

The best solution (as far as I’m aware of) is to connect to your home node using an encrypted VPN point-to-point tunnel using something called WireGuard.

The only information you leak to potential traffic sniffers is encrypted UDP packets (which are already hard to sniff) to your home IP address, which is pretty harmless information.

The (not ideal) Alternative

Many people find Wireguard hard to setup on its own (don’t worry, that is why I wrote this guide) and prefer a more seamless corporate solution based on Wireguard called Tailscale.

Tailscale has 2 major drawbacks:

• It’s an additional third party that knows every encrypted packet you send over it as well as all your public IPs.

• It’s permissioned and requires setting up an account, not very sovereign

  Setup

Requirements

• Access to your home router admin page: if your node is behind a NAT (usually that is the case when it’s behind a home router), you’re going to need to forward a port to your node LAN IP. If you don’t know how to do this, you can try to follow the guide for your router model at portforward.com.
• Either a fixed home public IP address, or a domain name that points to your dynamic home IP address. Even if you don’t have this, you can still follow the guide and manually update your home IP in the configuration file.
• Shell root access in your node.

Node setup

Gather network information

Find your node’s LAN IP address:

$ ip -human --brief address show
lo               UNKNOWN        127.0.0.1/8 ::1/128
eth0            UP             192.168.1.2/24 metric 1024

In this case, the your node’s LAN IP is 192.168.1.2.

Find your home public IP address:

$ curl ipecho.net/plain

### Install wireguard tools

The wireguard module is actually built into any modern linux kernel by default, what we actually need to install is the tooling to generate valid wireguard cryptographic keys.

For debian/ubuntu based distros:

$ sudo apt install wireguard

For other distros, check wireguard.com/install.

Generate keys

You manually need to generate 1 keypair for each device (called peer) that will use your wireguard VPN (including your home node).

To generate a keypair for your node (let’s call it node):

$ wg genkey | (umask 0077 && tee node.key) | wg pubkey > node.pub

This will create 2 files: node.key and node.pub containing your private and public keys, respectively. Keep these files safe and after being done configuring wireguard you can even delete them.

Create extra keypairs for your other devices, e.g.:

• Your phone:

$ wg genkey | (umask 0077 && tee phone.key) | wg pubkey > phone.pub

• Your laptop:

$ wg genkey | (umask 0077 && tee laptop.key) | wg pubkey > laptop.pub

Create as many as you wish.

Configure the tunnel

Using a text editor create and edit the file /etc/wireguard/mytunnelname.conf with the content:

[Interface]
Address = 10.0.0.1/24
ListenPort = 50000
PrivateKey = <NODE_PRIVATE_KEY>

[Peer]
PublicKey = <PHONE_PUBLIC_KEY>
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = <LAPTOP_PUBLIC_KEY>
AllowedIPs = 10.0.0.3/32

Subsitute *_KEY with the relevant keys found in the files you generated earlier (which you can see the contents using cat node.key for instance).

Generate configurations for the other peers

For your phone/laptop, create a files (can be anywhere, does not matter) with the contents:

• phone.conf

[Interface]
Address = 10.0.0.2/24
PrivateKey = <PHONE_PRIVATE_KEY>

[Peer]
PublicKey = <NODE_PUBLIC_KEY>
AllowedIPs = 10.0.0.1/32
Endpoint = <HOME_PUBLIC_IP>:50000

• laptop.conf :

[Interface]
Address = 10.0.0.3/24
PrivateKey = <PHONE_PRIVATE_KEY>

[Peer]
PublicKey = <NODE_PUBLIC_KEY>
AllowedIPs = 10.0.0.1/32
Endpoint = <HOME_PUBLIC_IP>:50000

Now you need to either transfer these files to their respective devices (how you do it is your business) or generate an easy to use QR code to use to configure your phone.

Optional: generate QR code for the phone configuration

Install qrencode

sudo apt install qrencode

Print the QR code on your terminal:

$ qrencode -r phone.conf -t ansiutf8

Or save it (and transfer) as png image:

$ qrencode -r phone.conf -o phone.png

Run wireguard the wireguard tunnel

$ sudo systemctl enable --now [email protected]

Now when you do ip -human --brief address show you should see an extra interface:

lo                   UNKNOWN        127.0.0.1/8 ::1/128
eth0                 UP                      192.168.1.2/24 metric 1024
mytunnelname         UNKNOWN        10.0.0.1/24

Open UDP wireguard port

If your node has a firewall, we need to open our chosen UDP port (50000).

If using ufw:

$ sudo ufw allow 50000/udp

if just using iptables:

$ sudo iptables -A UDP -p udp -m udp --dport 50000 -j ACCEPT

Home router setup

Forward port 50000 UDP to your node’s LAN IP. If you don’t know how to do this, you can try to follow the guide for your router model at portforward.com.

Phone setup

1- Install the wireguard app, you can find links in wireguard.com/install.

2 - Open the app 3 - Click on the + button 4 - Choose if you want to import the phone.conf configuration file, the your generated QR or input everything manually. 5 - Activate the tunnel by tapping the switch

You should have a working tunnel between your node and your phone. You can try pinging your phone wireguard IP (10.0.0.2) from your node’s terminal (ping 10.0.0.2) to check that it is working.

Now on every app you connect to your node (e.g. Zeus), instead of using the onion address, you can just use your node’s wireguard IP (10.0.0.1).

Laptop setup

If it’s a linux laptop: place (and rename) laptop.conf to /etc/wireguard/mytunnelname.conf and do:

$ sudo systemctl enable --now [email protected]

Ping your node wireguard IP ping 10.0.0.1 to make sure it’s working.

Now you can use that IP instead of the onion address to connect to your node (e.g. in Sparrow).

Help

If you have questions feel free to contact me (NIP-05: [email protected]).

For the other steps, you need to get a bit comfortable with linux and networking.