A watchtower is an important feature of the Lightning Network: it protects your funds from malicious peers and penalizes a peer that breaches a channel by adding the attacker's funds to the innocent client's balance. For a watchtower to stop an attacker reliably, it has to stay online all the time. A self-hosted watchtower takes no cut for saving your funds, and it can be set up at a different location to watch over your main node.
This thread collects the configuration settings, safety measures and a few resources that help with setting up a watchtower. Setting one up is simple, provided that a recent version of LND is installed.
Before configuring a watchtower, LND must be compiled with the watchtowerrpc build tag so that the watchtower can be accessed via gRPC or lncli.
The configuration option that activates the watchtower is watchtower.active=1
Next, name the interfaces the watchtower listens on for watchtower clients, one listening address per line. The default watchtower port is 9911; it can be changed to any port with
watchtower.listen=0.0.0.0:PORT
in the config file, e.g.:
watchtower.listen=0.0.0.0:9912
Specify the external IP address of the watchtower (watchtower.externalip in the config file), which exposes the URI of the watchtower via
WatchtowerRPC.GetInfo or
lncli tower info. This setting does not change the behaviour of your watchtower; it only makes the watchtower URIs available, whether clearnet or Tor. E.g.:
$ lncli tower info
...
"uris": [
"03281d603b2c5e19b8893a484eb938d7377179a9ef1a6bca4c0bcbbfc291657b63@1.2.3.4:9911"
]
This URI can be shared with watchtower clients (the nodes to be monitored) so that they can connect to your watchtower. Giving out the URI to people online can expose the exact location of your watchtower, so for privacy Tor is encouraged.
Note: if you are using a watchtower while the mempool is congested, it is recommended to set
wtclient.sweep-fee-rate= (default 10 sat/byte) in lnd.conf.
The watchtower can also be exposed as a Tor hidden service, which is activated with
$ lnd --tor.active --tor.v3 --watchtower.active
When lncli tower info is queried again, it returns the Tor URI, like below:
$ lncli tower info
...
"uris": [
"03281d603b2c5e19b8893a484eb938d7377179a9ef1a6bca4c0bcbbfc291657b63@bn2kxggzjysvsd5o3uqe4h7655u7v2ydhxzy7ea2fx26duaixlwuguad.onion:9911"
]
NOTE: the Tor URI can only be reached over Tor, unless the node is set up as hybrid, supporting both clearnet and Tor connections, using
tor.skip-proxy-for-clearnet-targets=1
Read more about Tor configuration in the LND documentation on Tor.
Configuring the tower's data directory is relevant for people who want to move the database to a separate volume with more storage. This is done with the
watchtower.towerdir= configuration option. The full set of watchtower configuration options can be listed with
lnd -h
Since it is a self-custodied watchtower, it is crucial that the watchtower follows these guidelines:
- Make sure your node is reliable enough to work as a watchtower; if it often goes offline, it will cause more harm to your LND node.
- If your Tor network or connection is not reliable, it is better to use clearnet.
A watchtower with repeated downtime or a bad Tor connection can cause an enormous backlog in LND, heavily loading memory while it keeps retrying the connection. Sometimes LND malfunctions or needs restarting if the watchtower keeps going offline. What is the point of running a watchtower if, instead of it watching over your node, you end up watching over LND, checking for an offline watchtower?
Useful resources:
- A sample of lnd.conf
- https://github.com/lightningnetwork/lnd/blob/master/docs/watchtower.md
- https://github.com/openoms/lightning-node-management/issues/4