Request
Add TunnelSats to the official Umbrel App Store under the bitcoin category.
Tunnel⚡Sats provides a premium networking layer designed exclusively for LND and Core Lightning node runners. By utilizing high-performance WireGuard tunnels, it solves the 'Home IP' exposure conundrum and enables stable, anonymous clearnet connectivity without compromising your entire Umbrel’s traffic.
Architectural & Security Justification
TunnelSats requires the following elevated permissions to function as a routing daemon:
- Host Networking: Required to manage
nftables rules and intercept specific Lightning traffic at the system level.
- Root User: Mandatory for manipulation of network namespaces and routing tables.
- Docker Socket: Used by the
verify.sh diagnostic utility to identify peer container IPs (LND/CLN) for automated configuration.
Resolution
Impact
- Enables users behind CGNAT or dynamic home IPs to run stable, clearnet-reachable Lightning nodes.
- Provides NWC-based automated renewals for hands-off node management.
- Strengthens the privacy posture of the Umbrel ecosystem by segregating Lightning traffic from general node traffic.
Request
Add TunnelSats to the official Umbrel App Store under the
bitcoincategory.Tunnel⚡Sats provides a premium networking layer designed exclusively for LND and Core Lightning node runners. By utilizing high-performance WireGuard tunnels, it solves the 'Home IP' exposure conundrum and enables stable, anonymous clearnet connectivity without compromising your entire Umbrel’s traffic.
Architectural & Security Justification
TunnelSats requires the following elevated permissions to function as a routing daemon:
nftablesrules and intercept specific Lightning traffic at the system level.verify.shdiagnostic utility to identify peer container IPs (LND/CLN) for automated configuration.Resolution
Impact