This post describes how to set up an SSH tunnel between a Monero wallet and a remote Monero node. This is useful when the Monero node runs on a VPS or another remote server. The setup works with both the graphical user interface (GUI) and the command line interface (CLI) wallets, and should work on Linux, FreeBSD, OpenBSD and Apple OS X. On Windows you can use PuTTY to set up the tunnel to the SSH server, but that is outside the scope of this article.
If you already have a publicly reachable SSH server on your Monero blockchain node, you can connect your wallet to it in a matter of minutes.
Why use SSH to connect to a remote Monero node
By default the connection between the wallet and the blockchain daemon is not encrypted. This is fine when both run on the same system or in a trusted environment, but when you connect them over an untrusted network such as the internet you want the traffic encrypted. Otherwise anyone watching the network can read the plain-text RPC traffic, which includes the transactions you submit and the blocks and outputs your wallet asks for. If you use Monero to keep your financial life private, sending this traffic unencrypted defeats the purpose.
This is where SSH comes in. SSH provides encryption, authentication and integrity for the connection. It prevents eavesdroppers from reading the data exchanged between the wallet and the remote blockchain node, and prevents an attacker on the path from tampering with it.
Running the wallet connection through an SSH tunnel has another, minor, privacy benefit. The only thing visible on the wire is an SSH session to the default SSH port (22); the forwarding to the default Monero RPC port (18081) happens inside the tunnel, on the node itself. This makes it harder for a casual observer to tell that Monero traffic is being sent over the connection.
Sophisticated traffic analysis can still pick up on traffic patterns (timing and volume) between the wallet and the blockchain node, so do not count on this. Look into Tor or I2P if you need to thwart traffic analysis. I2P integration is a work in progress for the Monero project, but it might take a while before we see it in action.
SSH server security tips
We assume that you have already set up and secured the SSH server on the remote blockchain node, so we only give some basic security notes:
- Disable password authentication in favor of key-based authentication (optionally combined with multi-factor authentication): “PasswordAuthentication no“
- Disable weak crypto in favor of strong crypto by restricting the “Ciphers“ and “KexAlgorithms“ directives to modern algorithms (AEAD ciphers and elliptic-curve key exchange) instead of relying on the defaults
- Disable all the options you don’t use, for example: “X11Forwarding no“, “UseDNS no“ and, if you do not rely on PAM (for example for PAM-based multi-factor authentication or account checks), “UsePAM no“
- Limit the users and hosts that can log in, for example: “AllowUsers exampleuser“ (an entry of the form user@host additionally restricts the host the user may log in from) or “AllowGroups“ with a dedicated group for SSH users
Check your current effective SSH server configuration with:
Validate changes to the SSH configuration before applying them with:
And do not forget to reload the SSH server after you have made any changes. Keep your current session open until you have verified that a new login still works, so a mistake does not lock you out of the node.
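As an added example that ties the notes above together (it is not part of the original post), the following POSIX shell script audits a dump of the effective sshd configuration, in the format `sshd -T` prints (lowercase keyword, a space, the value, one keyword per line), against those points. The list of legacy algorithms it flags and the sample dumps are our own assumptions, not something the post specifies; run it with `--live` as root to check the real server.

```shell
#!/bin/sh
# Audit an `sshd -T` style configuration dump against the hardening notes.
# Added example, not from the original post. Reads the dump from stdin so it
# works on a saved dump as well as on the live server (see --live below).

# Legacy algorithms this audit flags. This is our own choice: pre-AEAD ciphers
# and SHA-1 key exchanges that an explicit Ciphers/KexAlgorithms line can
# still (re-)enable.
WEAK_CIPHERS='3des-cbc arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc'
WEAK_KEX='diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1'

# value_of KEY: print the value(s) of KEY from the dump held in $CFG
value_of() {
    printf '%s\n' "$CFG" | awk -v k="$1" '$1 == k { $1 = ""; sub(/^ /, ""); print }'
}

# contains LIST CSV: return 0 if any word of LIST is an element of the
# comma-separated value CSV (whole elements only, so "aes128-ctr" is not
# matched by a search for "aes128-cbc")
contains() {
    for item in $1; do
        case ",$2," in *",$item,"*) return 0 ;; esac
    done
    return 1
}

# audit_sshd_dump: read the dump on stdin, print one FAIL/WARN line per
# finding, and return 0 only when there are no FAIL findings
audit_sshd_dump() {
    CFG=$(cat)
    fails=0
    # Settings the notes say to turn off
    for pair in passwordauthentication:no x11forwarding:no usedns:no; do
        key=${pair%%:*}
        want=${pair##*:}
        got=$(value_of "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', expected '$want'"
            fails=$((fails + 1))
        fi
    done
    # UsePAM only warns: it must stay on when PAM provides MFA or account checks
    if [ "$(value_of usepam)" = "yes" ]; then
        echo "WARN: usepam is yes; set it to no unless PAM provides MFA or account checks"
    fi
    ciphers=$(value_of ciphers)
    if contains "$WEAK_CIPHERS" "$ciphers"; then
        echo "FAIL: legacy cipher enabled in: $ciphers"
        fails=$((fails + 1))
    fi
    kex=$(value_of kexalgorithms)
    if contains "$WEAK_KEX" "$kex"; then
        echo "FAIL: SHA-1 key exchange enabled in: $kex"
        fails=$((fails + 1))
    fi
    if [ -z "$(value_of allowusers)$(value_of allowgroups)" ]; then
        echo "FAIL: neither AllowUsers nor AllowGroups restricts who may log in"
        fails=$((fails + 1))
    fi
    echo "findings: $fails"
    [ "$fails" -eq 0 ]
}

# Live use (as root): syntax-check the config file first, then audit the
# effective configuration. Reload sshd yourself afterwards; the service name
# differs per system.
if [ "${1:-}" = "--live" ]; then
    sshd -t && sshd -T | audit_sshd_dump
fi
```

`sshd -t` only checks that the configuration file parses; it does not tell you what the server actually ends up with, which is why the audit runs on `sshd -T` (the effective configuration after defaults and Match blocks are applied).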
Forward traffic between the Monero wallet and the Monero blockchain node
Start the blockchain synchronization daemon (monerod) on the remote system. You don’t have to give it any special configuration options: by default it binds its RPC interface to 127.0.0.1:18081, which is exactly where the tunnel will deliver the wallet traffic. Do not bind the RPC interface to a public address (--rpc-bind-ip together with --confirm-external-bind), since the RPC interface has no authentication unless you configure --rpc-login:
Or, when you want to run the daemon in the background:
On the wallet system you issue the following command (replace ‘username’ and ‘ip-remote-monero-node’ with the correct values):
ssh -N -f -L 18081:127.0.0.1:18081 username@ip-remote-monero-node
Explanation of the options:
-N = Do not execute a remote command. This is useful when you only want to forward ports.
-f = Put ssh into the background once authentication has completed.
-L = Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side.
18081:127.0.0.1:18081 = Listen on local port 18081 (bound to the loopback address by default, so only processes on the wallet system can use the tunnel) and forward everything that arrives there through the SSH connection to 127.0.0.1:18081 as seen from the remote system, i.e. to the node's RPC port.
You can now start your wallet, pointed at the local end of the tunnel (127.0.0.1:18081), and let it sync to the latest blockchain updates. For the command line version use:
Or, when you want to run the Monero GUI, configure 127.0.0.1:18081 as the daemon address:
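The whole procedure as one script, added here and not taken from the original post: it builds the tunnel command with a few extra ssh options, checks that the node actually answers on the forwarded port with a get_info RPC call, and only then starts the command line wallet. The port numbers, the get_info reply fields it reads (status and height), the --trusted-daemon flag and the sample reply in the comments are assumptions about a default monerod and monero-wallet-cli setup.

```shell
#!/bin/sh
# Bring up the SSH tunnel to a remote monerod, verify it, then start the
# wallet. Added example, not part of the original post. Assumes the remote
# monerod listens on its default 127.0.0.1:18081 and that the local port of
# the same number is free; set LOCAL_PORT if a local monerod already uses it.
set -u

REMOTE_RPC='127.0.0.1:18081'      # where monerod listens on the node
LOCAL_PORT="${LOCAL_PORT:-18081}" # local listening port of the tunnel

# tunnel_cmd USER HOST: print the ssh command line. Compared with the bare
# command above it binds the local end explicitly to loopback so no other
# host can reach the forwarded RPC, makes ssh exit non-zero when the forward
# cannot be set up (e.g. the local port is taken) instead of silently running
# without it, and sends keepalives so a NAT does not drop the idle tunnel.
tunnel_cmd() {
    printf 'ssh -N -f -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -L 127.0.0.1:%s:%s %s@%s' \
        "$LOCAL_PORT" "$REMOTE_RPC" "$1" "$2"
}

# rpc_ok JSON: return 0 if a get_info reply reports "status": "OK"
rpc_ok() {
    printf '%s' "$1" | grep -q '"status": *"OK"'
}

# rpc_height JSON: print the "height" field of a get_info reply
rpc_height() {
    printf '%s' "$1" | sed -n 's/.*"height": *\([0-9][0-9]*\).*/\1/p'
}

# probe_daemon: call get_info through the tunnel (fails if nothing listens)
probe_daemon() {
    curl -s --max-time 10 "http://127.0.0.1:$LOCAL_PORT/json_rpc" \
        -H 'Content-Type: application/json' \
        -d '{"jsonrpc":"2.0","id":"0","method":"get_info"}'
}

# Usage: ./monero-tunnel.sh username ip-remote-monero-node
if [ "$#" -eq 2 ]; then
    if ! eval "$(tunnel_cmd "$1" "$2")"; then
        echo "tunnel not established (is local port $LOCAL_PORT free and the key accepted?)" >&2
        exit 1
    fi
    if ! reply=$(probe_daemon); then
        echo "no answer on 127.0.0.1:$LOCAL_PORT; is monerod running on $2?" >&2
        exit 1
    fi
    if ! rpc_ok "$reply"; then
        echo "unexpected reply from the node: $reply" >&2
        exit 1
    fi
    echo "remote node reachable through the tunnel, height $(rpc_height "$reply")"
    # The node is our own, so the wallet may treat it as trusted.
    monero-wallet-cli --daemon-address "127.0.0.1:$LOCAL_PORT" --trusted-daemon
fi
```

If the tunnel comes up but the probe fails with a connection refused, the SSH side is fine and monerod is simply not running (or not listening on 127.0.0.1:18081) on the remote system; that is the failure mode the probe is there to separate from SSH problems.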
Initial wallet sync
A Monero wallet has to sync with the blockchain before it can be used. The initial full sync of a wallet transfers at least 30 megabytes of data, more for older wallets, since every block since the wallet's creation (restore) height has to be fetched and scanned; it only has to happen once per wallet. If you are on a tight (mobile) bandwidth plan, do the initial sync of your wallet(s) while you are locally connected to the blockchain node.
The next article describes how to set up and connect to a Monero blockchain node that is hosted as a Tor onion service. An onion service can be a nice solution when the node is behind a NAT router or a restrictive firewall, because no inbound port has to be opened.
If you have any questions, comments or suggestions you can leave a comment below or send an (encrypted) email.
Support us by donating to: