SPN community nodes are servers not hosted by Safing, but by the Portmaster and SPN community. Hosting a node is very beneficial to all users, as it increases diversity in server ownership for even better privacy and increases the available SPN network capacity. These servers also improve coverage, as people living around the world know best where to host servers in their country.
Except for one aspect, SPN community nodes are treated exactly the same as SPN nodes operated by Safing.
The only difference, is that unencrypted network connections - like plain HTTP - will never exit the network at SPN community nodes. Instead, they exit the network at specially managed and trusted servers, which are a subset of the servers operated by Safing.
SPN community nodes will therefore never see any connection contents, as the connections are always encrypted for the destination server. This makes SPN community nodes safe to use. Not only are they safe to use, but they are recommended, as they provide even better privacy due to more diverse server ownership in the nodes you use.
Before you decide to run an SPN community node, take a moment to consider any potential legal implications, especially if your ISP is in a Five Eyes (FVEY) country. To limit personal liability, we strongly recommend against running an SPN community node from your home. You also want to familiarize yourself with your ISP policies and note any explicit statements about running TOR or VPN nodes. Although these are very different from SPN community nodes, the ISP is likely to invoke these policies due to lack of understanding of the SPN. Whenever possible, choose an ISP that has clear and explicit policies about how they handle any security-related issues, and that you are comfortable abiding by those policies. Be prepared to respond to any issues promptly to avoid escalation. SPN community nodes auto-update and do not require reboots or other regular maintenance. Other than being prepared to act promptly in the very rare situation that your ISP requires your attention, running an SPN community node is typically set-it-and-forget-it and is largely hands-off after initial configuration.
You can easily install a SPN community node with our installer, which is compatible with systemd-based Linux systems. To ensure good performance, trouble-free operation, and security of your SPN community node, we recommend using a dedicated server just for the SPN community node and nothing else.
Before installing the SPN community node, you should go about hardening the server to prevent unauthorized access. If you are new to hosting and securing servers, please do some research before you start. At an absolute minimum you should enable the server firewall and block all incoming access except as described below.
The SPN community node will attempt to configure itself automatically during installation, using:
If the server itself has multiple public IP addresses, you will need to manually configure the IP address allocated to the SPN community node using the settings listed below, in Appendix I.
You will also need to configure your firewall to allow incoming connections to ports 17 and 80.
Pro Tip:
The--no-startswitch is very useful during the first-time installation of a new node, as it will give you opportunity to review theconfig.jsonfile contents before starting your node for the first time. The installation script will ask for a metrics comment before displaying the defaultconfig.jsonfile contents. Enter whatever descriptive information you want to share publicly about your node. Use the below script to install the SPN node without starting the service.
sudo sh -c "$(curl -fsSL https://raw.githubusercontent.com/safing/spn/master/tools/install.sh) --no-start"
After the installation script finishes execution, review the contents of the config.json file located in /opt/safing/spn before starting the node for the first time. For a minimum configuration it is recommended that you add IP4 and IP6 (if available) lines with the IP addresses that you expect to use for SPN traffic. These values cannot be changed after the system is seen by the network, so ensure that they are set up properly before you start the node for the first time. When you have configured your config.json file you can start the service with: systemctl start spn.service.
Please note that your server will start handling user traffic soon after you launch it. Starting and stopping your server will negatively impact user experience, so please be mindful every time that you restart your server after it has joined the SPN network.
See Appendix I below for details about the
config.jsonfile.
If you immediately want to start the SPN node service without configuring the config.json file execute one of these scripts:
# Run as root
sudo sh -c "$(curl -fsSL https://raw.githubusercontent.com/safing/spn/master/tools/install.sh)"
# As an alternative, you can first download the install script and run it afterwards:
wget https://raw.githubusercontent.com/safing/spn/master/tools/install.sh
sudo sh ./install.sh
Please note that your server will start handling user traffic soon after you launch it. Starting and stopping your server will negatively impact user experience, so please be mindful every time that you restart your server after it has joined the SPN network.
After your server has successfully joined the SPN network, it may take some time before it appears on the node map in Portmaster. This propagation process involves distributing your server's information across the decentralized network. However, you should see active connections being made to your new SPN community node soon after it first connects to the SPN network.
The install script accepts the following optional switches (add these in between the closing parenthesis and the quotes when executing the script remotely):
-y, --unattended Don't ask for confirmation.
-n, --no-start Do not immediately start SPN hub.
-t, --target PATH Configure the installation directory.
-h, --help Display this help text
-a, --arch Configure the binary architecture.
-u, --url URL Set download URL for portmaster start.
-S, --no-systemd Do not install systemd service unit.
-s, --service-path PATH Location for the systemd unit file.
The minimum config.json file to bring your SPN community node online looks like this:
{
"core": {
"metrics": {
"instance": "my-node-name",
"comment": "my-node-description",
"push": ""
}
},
"spn": {
"publicHub": {
"name": "my-node-name",
"ip4": "public-ipv4",
}
}
}
Once you are satisfied with a minimum configuration, you can start the node manually (if you used the --no-start switch in the installer) by executing the systemctl start spn.service command. After you confirm that SPN is running, you can then make additional modifications to the config.json file, as needed, and restart the SPN service to load the additional configuration elements.
To verify SPN community node operation look in your system syslog or use the journalctl -u spn.service command. To confirm first-time successful installation, you want to see a [pmstart] message followed by no errors. Warnings are okay, as the SPN community node is started with warnings logging enabled by default. Once SPN is running you can confirm connections by issuing the ss | grep qotd command, which will show any active SPN connections. Seeing active connections confirms that your node is visible and available to the SPN network even if it has not yet appeared in the Portmaster SPN map.
The most common problem when starting a SPN community node is related to changing its IP. If the IP changes the server will kick itself out of the network. If you need to change the SPN community node IP address, you will also have to change its name. To confirm that this is the problem, search your syslog for “address changed” and “aborting, shutting down” messages.
We are extremely thankful for everyone who joins in strengthening the network and are planning to reward community node operators in the future. Please get in touch via mail or Discord.
Keys represent the json path in the config file. See example below.
Key: spn/publicHub/name
Human readable name of the Hub, which is shared publicly and is viewable in the UI for users.
Key: spn/publicHub/group
Name of the hub group this Hub belongs to. This will be used in the future to optimize privacy of routes through the network. Should be the same for all nodes controlled by one entity.
Key: spn/publicHub/contactAddress
Contact address where the Hub operator can be reached.
Key: spn/publicHub/contactService
Name of the service the contact address corresponds to, if not email. For example, you could specify that the contact address is to be found on matrix.
Key: spn/publicHub/datacenter
Identifier of the datacenter this Hub is hosted in.
We try to conform to this style until we find a better way: COUNTRYCODE-COMPANY-INTERNALCODE (eg: DE-Hetzner-FSN1-DC5)
Key: spn/publicHub/hosters
List of all involved entities and organisations that are involved in hosting this Hub. This includes the reseller, datacenter operator and datacenter owner, for example.
Key: spn/publicHub/ip4
IPv4 address of this Hub. Must be globally reachable. This will be verified by other nodes. Make sure IP is reachable through all defined transports below.
Leave empty to detect automatically, set to empty string to forcibly deactivate.
Key: spn/publicHub/ip6
IPv6 address of this Hub. Must be globally reachable. This will be verified by other nodes. Make sure IP is reachable through all defined transports below.
Leave empty to detect automatically, set to empty string to forcibly deactivate.
Key: spn/publicHub/transports
List of transports this Hub supports. Transports are listeners where clients and other nodes can connect.
Transports use the URL format. Simple protocols use type:port, eg tcp:17.
Support transports are:
tcp: Basic tcp transport, with the SPN protocol on top.http: HTTP with a Connection Upgrade to the SPN protocol. Can define a domain and path in the config URL in order to put the node behind a http proxy - which must support connection upgrades.A good default set is ["tcp:17", "http:80", "http:8080", "tcp:17017", "http:17080"].
Key: spn/publicHub/entry
Define an entry policy. The format is the same for the endpoint lists. Permits if no rule matches.
Key: spn/publicHub/exit
Description: Define an exit policy. The format is the same for the endpoint lists. Permits if no rule matches.
Default is ["- * TCP/25"].
Key: spn/publicHub/allowUnencrypted
Advertise that this Hub is available for handling unencrypted connections, as detected by clients. This is opt-in on purpose, as to reduce legal liability by default as far as possible to improve hosting experience in more restricted countries. Please note that the node must be also trusted by users in order to be used for unencrypted connections.
Key: spn/publicHub/bindToAdvertised
Only connect from and bind to the advertised IP addresses. This is useful if your servers has multiple IPs and you want to confine SPN to just the advertised ones. It is recommended to leave this disabled if possible, as especially with IPv6, most servers OSs will automaticially rotate IP addresses for outgoing connections.
This is an example config file with some data replaced for a node hosted by Hetzern in Falkenstein, Germany.
{
"core": {
"log": {
"level": "warning"
},
"releaseChannel": "stable",
"metrics": {
"instance": "my-node-name",
"comment": "DE, Falkenstein, Hetzner",
"push": "https://my-victoriametrics-server.example.com/api/v1/import/prometheus"
}
},
"spn": {
"publicHub": {
"name": "my-node-name",
"ip4": "public-ipv4",
"ip6": "public-ipv6",
"group": "my-group-name",
"contactAddress": "my-contact-email",
"contactService": "email",
"hosters": ["Hetzner"],
"datacenter": "DE-Hetzner-FSN",
"exit": ["- * TCP/25"],
"transports": ["tcp:17", "http:80", "http:8080", "tcp:17017", "http:17080"]
}
}
}