ATTENTION! KelVPN service-providing is currently at the testing stage, and the KelVPN team is not approving community VPN nodes right now. However, you can already get started by setting up a validator role on the KelVPN network.
What is needed to become a KelVPN service provider?
A home PC, a VPS or a Raspberry Pi will be suitable.
The more consistently your KelVPN service node is online, the more revenue it will make. When it is offline, it cannot earn by providing service.
At the moment, it is possible to set up a KelVPN service node using Linux or MacOS.
A public IP address is necessary to become a KelVPN service provider.
The option to use an IP address with IPv6 protocol will be implemented in the future.
Your KelVPN wallet balance must have:
Stable internet connection
This is one of the key requirements for a KelVPN service node.
NOTE: your 100000 $KEL or 100 mKEL should be in a wallet on the KelVPN network, not on the Backbone network!
Everything you see written in the guide inside the < and > symbols is an example. This information can and should be changed to your own information for each step of the process.
The < and > symbols shouldn't be included when executing the commands.
We recommend changing to the root user for the setup of the master node. This will simplify the process.
In Linux, the user can be switched with the command:
sudo -i
In MacOS, it can be done with a similar command:
sudo -s
All the commands presented in this instruction imply that the root user is being used.
Linux build: <link>
Linux build for devices based on ARM architecture: <link>
MacOS build: <link>
Command for downloading files using the terminal:
wget <link>
Command to install:
apt install ./<file_name>
You will be asked a few questions about the cellframe-node configuration. Below are the recommended answers.
If a mistake was made in initial configuration, it can be changed with the command:
dpkg-reconfigure cellframe-node
/opt/cellframe-node/etc/cellframe-node.cfg
/opt/cellframe-node/etc/network/KelVPN.cfg
apt -y install bind9
To enable IPv4 forwarding, you need to edit the sysctl.conf file.
Open the file with the nano editor using the command:
nano /etc/sysctl.conf
Find the following line:
#net.ipv4.ip_forward=1
Uncomment the line:
net.ipv4.ip_forward=1
NOTE: If your configuration file is missing this line, you may add it manually to the end of the file.
To apply changes to the file, press Ctrl+X, answer Y to Save modified buffer and press Enter.
Enable the new settings with the command:
sysctl -p
NOTE: Setting up this section is extremely important and making an error may deprive you of access to the VPS server. Please be careful. If in doubt, ask for help in the KelVPN Support group.
First of all, you need to figure out which network interface you are using for internet connection. To find that out, use the following command to see current network interface:
ip -brief address show
The output can look like this:
lo UNKNOWN 127.0.0.1/8 ::1/128
ens33 UP 192.168.48.129/24 fe80::6cd2:a975:b910:ad69/64
In this example, the network interface is ens33.
Save this information. It will be needed later in the process.
Second, check the available tunnel devices from your system with the command:
ls /dev/net
The output can look like this:
tun
If you have only one tun device available on your system, you should use tun0 as the tunnel device when configuring the firewall. However, if you have configured another VPN server for your system, you might have multiple tunnel devices available. For example, if you have tun, tun0, tun1, tun2 devices when doing the ls /dev/net/ command, you should use tun3 in the firewall configuration.
Save this information. It will be needed later in the process.
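The forwarding and tunnel-device checks above can be scripted before touching the firewall. This is an added example, not part of the KelVPN guide: the function names are hypothetical, the paths are arguments so they can be pointed at fixtures, and the guide's two tunnel cases (only tun gives tun0; tun through tun2 gives tun3) are generalised to "first unused index", which is an assumption.

```shell
#!/bin/sh
# Added example (not from the KelVPN guide): pre-flight checks to run
# before the firewall step. Paths default to the real system locations.

# True if the running kernel forwards IPv4 (the effect of `sysctl -p`).
ip_forward_active() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# True if sysctl.conf holds an UNCOMMENTED net.ipv4.ip_forward=1 line,
# i.e. the setting survives a reboot. A leading '#' means still disabled.
ip_forward_persisted() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' \
        "${1:-/etc/sysctl.conf}" 2>/dev/null
}

# Print the tunnel device name to use in the firewall configuration:
# the first tunN that does not exist yet in the given directory.
# Assumption: "first unused index" generalises the guide's two cases.
next_tun_device() {
    tun_dir="${1:-/dev/net}"
    tun_n=0
    while [ -e "$tun_dir/tun$tun_n" ]; do
        tun_n=$((tun_n + 1))
    done
    echo "tun$tun_n"
}

# Run all checks against the live system and report what is missing.
preflight() {
    rc=0
    if ! ip_forward_active; then
        echo "FAIL: IPv4 forwarding is off in the running kernel (run sysctl -p)"
        rc=1
    fi
    if ! ip_forward_persisted; then
        echo "FAIL: no uncommented net.ipv4.ip_forward=1 in /etc/sysctl.conf"
        rc=1
    fi
    echo "tunnel device for the firewall: $(next_tun_device)"
    return $rc
}

# Only touch the live system when asked to: sh preflight.sh run
if [ "${1:-}" = "run" ]; then
    preflight
fi
```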
NOTE: Setting up this section is extremely important and making an error may deprive you of access to the VPS server. Please be careful. If in doubt, ask for help in KelVPN Support group.
To configure Linux firewall (iptables), we are going to use arno-iptables-firewall, an iptables configuration script.
Command to install it:
apt -y install arno-iptables-firewall
Command to reconfigure it if it is already installed:
dpkg-reconfigure arno-iptables-firewall
You are going to be asked a few questions. Here are the recommended answers:
This is the network interface you checked with the ip -brief address show command.
NOTE: If you're running other services on your computer (for example, SSH on port 22), you should open those ports too, so that you can access them!
If you are using a VPS, not including port 22 will result in losing connection via SSH to your device.
ls /dev/net command. This information (IP / Mask) will also be used in cellframe-node.cfg later in the process.
This question will be asked twice. Answer No, as we need to continue the configuration.
In the next step, use the following command to continue configuration:
dpkg-reconfigure -plow arno-iptables-firewall
NOTE: When installing the package for the first time, the installer will ask some of the same questions you have already answered. Read them carefully, and if the displayed answer is correct, press Enter.
NOTE: Usually the answer is “Yes”. However, answer “No” only if you have static network configuration for external connections.
This information (IP / Mask) will also be used in cellframe-node.cfg later in the process.
Command to create a new wallet:
cellframe-node-cli wallet new -w <wallet_name> -restore <hash>
"-restore" is an important parameter that allows you to restore a created wallet on another machine in case anything happens with the current one.
<hash> value needs to be entered manually. Recovery hash requirements are:
0x
If your wallet was created in cellframe-node with a hash that does not fit these requirements, then the -restore_legacy parameter should be used with the hash of old format instead of the -restore parameter.
If you would like to restore a wallet that was created in cellframe dashboard in cellframe-node, the following needs to be done:
sha256
-restore parameter after the 0x prefix
You can convert a SEED phrase into the required hash using the SHA256 algorithm in the terminal in Linux, macOS, or using one of the web resources that provide such functionality.
Correct format is -restore 0x<hash>
Command to restore a wallet:
cellframe-node-cli wallet new -w <wallet_name> -sign sig_dil -restore <hash> -force
Command to restore a wallet with password:
cellframe-node-cli wallet new -w <wallet_name> -sign sig_dil -restore <hash> -password <password> -force
Please take note of the -force parameter at the end of the command line. Its presence is necessary to restore the wallet!
Before interacting with a protected wallet, it needs to be activated with command:
cellframe-node-cli wallet activate -w <wallet_name> -password <password>
After successful creation or restoration of a wallet, its address and balance can be checked with the following command:
cellframe-node-cli wallet info -net KelVPN -w <wallet_name>
First, you need to go to the /opt/cellframe-node/bin folder and check the availability of the permissions to run cellframe-node executable files.
/opt/cellframe-node/bin:
cd /opt/cellframe-node/bin
ls -la
masternode@ubuntu:/opt/cellframe-node/bin$ ls -la
total 16156
drwxrwxr-x 2 root root 4096 Jul 13 22:20 .
drwxrwxr-x 9 root root 4096 Jul 13 22:20 ..
-rwxrwxr-- 1 root root 8714248 Jul 13 10:21 cellframe-diagtool
-rwxrwxr-- 1 root root 4214888 Jul 13 10:23 cellframe-node
-rwxrwxrwx 1 root root 73056 Jul 13 10:23 cellframe-node-cli
-rwxrwxr-- 1 root root 3522760 Jul 13 10:23 cellframe-node-tool
The line with cellframe-node-tool is the one you should take a look at.
If the first column ends with - and not x, then the following command should be executed:
cellframe-node-tool:
chmod +x /opt/cellframe-node/bin/cellframe-node-tool
After that, the last symbol will change to x:
-rwxrwxr-x 1 root root 3522760 Jul 13 10:23 cellframe-node-tool
cellframe-node-tool cert create <kelvpn.cert_name> sig_dil
It is recommended to use the CRYSTALS-Dilithium signature.
The sig_dil parameter represents this signature type.
Use the following command to check node status in the network and find its address:
cellframe-node-cli net -net KelVPN get status
# Expected result:
Network "KelVPN" has state NET_STATE_ONLINE (target state NET_STATE_ONLINE), active links 3 from 5, cur node address XXXX::XXXX::XXXX::XXXX
We are interested in the last record in the format XXXX::XXXX::XXXX::XXXX.
Save the cur node address as it will be required in the next steps.
The configuration file is located at:
/opt/cellframe-node/etc/network/KelVPN.cfg
This file should be opened with an editor to make changes to it. To do this, the terminal-based text editor nano will be used.
nano /opt/cellframe-node/etc/network/KelVPN.cfg
In this file, changes should be made in two sections.
Find the [general] section and add the following lines:
node_addr_type=static
node-addr=XXXX::XXXX::XXXX::XXXX
For the node address a value from the previous step should be used.
Find the [esbocs] section and make the necessary changes to match the example below:
[esbocs]
# Here we specify the name of our certificate
blocks-sign-cert=<kelvpn.cert_name>
#minimum_fee=
# We specify the address of our wallet to collect the fees
fee_addr=<kelvpn_wallet_address>
set_collect_fee=5
Do not forget that symbols < and > should not be used!
To save changes to the file, use the keyboard shortcut Ctrl + O.
To exit the editor, use the keyboard shortcut Ctrl + X.
The configuration file is located at:
/opt/cellframe-node/etc/cellframe-node.cfg
To edit it, use the nano editor:
nano /opt/cellframe-node/etc/cellframe-node.cfg
The value of the auto_proc parameter needs to be changed from false to true in the [mempool] section:
[mempool]
# Automatically false, for enabling need role master or higher
auto_proc=true
To save changes to the file, use the keyboard shortcut Ctrl + O.
To exit the editor, use the keyboard shortcut Ctrl + X.
To enable VPN service sharing in cellframe node, edit the cellframe node configuration file with the following command:
nano /opt/cellframe-node/etc/cellframe-node.cfg
Find the [srv_vpn] section and make the following change:
Uncomment the line #grace_period=60 and change its value:
grace_period=900
Three lines need to be added:
To save changes to the file, use the keyboard shortcut Ctrl + O.
To exit the editor, use the keyboard shortcut Ctrl + X.
After applying the changes, the configuration should look like this:
# VPN stream channel processing module
[srv_vpn]
# Turn to true if you want to share VPN service from you node
enabled=true
debug_more=false
# Grace period for service , 60 second by default
grace_period=900
# List of loca security access groups. Built in: expats,admins,services,nobo>
network_address=10.11.12.0
network_mask=255.255.255.0
net=KelVPN
wallet_addr=<kelvpn_wallet_address>
receipt_sign_cert=<kelvpn.cert_name>
For the changes to take effect, the node must be restarted.
To do this, use the following commands:
service cellframe-node stop
service cellframe-node start
To check that the node is running, you can use the command:
systemctl status cellframe-node.service
The expected result:
● cellframe-node.service - Cellframe Node
Loaded: loaded (/etc/systemd/system/cellframe-node.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2023-07-27 05:14:24 PDT; 4s ago
Main PID: 52072 (cellframe-node)
Tasks: 8 (limit: 4558)
Memory: 568.6M
CGroup: /system.slice/cellframe-node.service
└─52072 /opt/cellframe-node/bin/cellframe-node
This can be done with the following command:
cellframe-node-cli node add -net KelVPN -ipv4 <public_ip_address> -port 8079
<public_ip_address> should be changed to the IP address of your VPS or other device. A simple way to get your external IP address is to just Google "what is my IP".
Result of the command execution:
node added
Creating a transaction that locks mKEL and delegates the certificate you created:
cellframe-node-cli srv_stake delegate -cert <kelvpn.cert_name> -net KelVPN -wallet <wallet_name> -value 100.0e+18 -node_addr XXXX::XXXX::XXXX::XXXX -fee 0.05e+18
#Expected result:
SAVE TO TAKE ===>>> Stake transaction <transaction hash> has done
Save the obtained hash. You will need to send this information to KelVPN team.
In this command, the -value parameter is the number of mKEL you are locking.
100.0e+18 = 100 mKEL
Cellframe node uses the datoshi format for managing token values.
Datoshi is a format of recording values that allows accuracy of up to 18 decimals after the decimal point.
Command to create your order:
cellframe-node-cli net_srv -net KelVPN order create -direction sell -srv_uid 1 -price <price> -price_unit SEC -price_token KEL -units <units> -node_addr <node_address> -cert <kelvpn.mycert> -region <country_name> -continent <continent_name>
Description of arguments
-direction
buy or sell. For VPN service providing it must be sell.
-srv_uid
Service UID. For VPN service, set 1.
-price
Price for the number of units specified in the parameter -units. For example, 100 datoshi for 3600 seconds of the service.
-price_unit
Set SEC for Seconds.
-price_token
Ticker of the token that will be used for payment.
-units
The number of units in one portion of the service.
-node_addr
Address of the node in KelVPN network.
-cert
Certificate of the master node.
-region
The region in which the node is located.
-continent
The continent in which the node is located.
Result of the command execution:
Created order <hash>
Save the obtained hash. You will need to send this information to the KelVPN team.
NOTE: You should use your real region and country names to keep the list of available servers accurate. Orders with incorrect location data will be deleted.
To check already published orders in the network, use command:
cellframe-node-cli net_srv -net KelVPN order find -srv_uid 0x0000000000000001 -direction sell
This command will display a list of all available orders.
Here's an example of an order in the list:
== Order 0x06A9E4F65E3538E596F3C802F42C100CDADC4F3CF02967C7E8CADF6B6FB3A3FB ==
version: 3
direction: SERV_DIR_SELL
srv_uid: 0x0000000000000001
price: 0.000000000000001 (1000)
price_unit: SECOND
node_addr: 53DF::4976::1653::3E0A
node_location: Europe - Poland
tx_cond_hash: 0x0000000000000000000000000000000000000000000000000000000000000000
ext: 0x5202506F6C616E6400
pkey: 0x2D6DE20716028F66DEA4B7DB727CE54359239868A12EA37344D3DBACB1773D1D
units: 1800
Obtained hashes of locking mKEL and a VPN service order must be sent to the KelVPN team. There are multiple ways to request approval of your KelVPN service node:
If using the Contact Us form, please specify the topic of your request as KelVPN service providing node and leave a valid e-mail address for the team to contact you.
After receiving approval from the KelVPN team, the node needs to be restarted.
sudo service cellframe-node stop
sudo service cellframe-node start
To check that the node is running, you can use the command:
systemctl status cellframe-node.service
The expected result:
● cellframe-node.service - Cellframe Node
Loaded: loaded (/etc/systemd/system/cellframe-node.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2023-07-27 05:14:24 PDT; 4s ago
Main PID: 52072 (cellframe-node)
Tasks: 8 (limit: 4558)
Memory: 568.6M
CGroup: /system.slice/cellframe-node.service
└─52072 /opt/cellframe-node/bin/cellframe-node
Hooray! Your node now not only has a master role in the KelVPN network and participates in the network consensus, but also provides a VPN service!
Cellframe-node log file is located at:
/opt/cellframe-node/var/log/cellframe-node.log
All node activity is written into it. To display only the entries related to the VPN service, use the following command:
cat /opt/cellframe-node/var/log/cellframe-node.log | grep "dap_stream_ch_chain_net_srv\|dap_chain_mempool\|dap_chain_net_srv_vpn" | grep -v "Filter removed:"
Below are some of the most frequent interactions between a client and a VPN node.
Client connects to a VPN node.
[10/26/23-08:01:41] [ * ] [dap_stream_ch_chain_net_srv_session] created service session
[10/26/23-08:01:41] [ * ] [dap_stream_ch_chain_net_srv_session] Added service riemann:0x0000000000000001 , usage id: 230796362
[10/26/23-08:01:41] [INF] [dap_stream_ch_chain_net_srv] Valid pricelist is founded. Start service in pay mode.
[10/26/23-08:01:41] [ * ] [dap_stream_ch_chain_net_srv] Transaction 0x36D92BE34E603850610B34900CF955372AF6DC9625832FB5DC4AE93005D341EE can't be found. Start the grace period for 600 seconds
[10/26/23-08:01:41] [INF] [dap_chain_net_srv_vpn] s_callback_response_success is called
[10/26/23-08:01:41] [ * ] [dap_chain_net_srv_vpn] Enable VPN service
[10/26/23-08:01:41] [INF] [dap_stream_ch_chain_net_srv] Start grace timer successfuly..
[10/26/23-08:01:42] [INF] [dap_chain_net_srv_vpn] Received address request
[10/26/23-08:01:42] [DBG] [dap_chain_net_srv_vpn] new_address = 10.11.12.2
new_address_max = 10.11.12.255
[10/26/23-08:01:42] [INF] [dap_chain_net_srv_vpn] VPN client new IP address 10.11.12.2 leased
gateway 10.11.12.1
net mask 255.255.255.0
net addr 10.11.12.0
last_addr 10.11.12.2
[10/26/23-08:01:42] [DBG] [dap_chain_net_srv_vpn] Tun:1 message: addr 10.11.12.2 assigned for worker #1 on tun #u
[10/26/23-08:01:42] [DBG] [dap_chain_net_srv_vpn] Tun:0 message: addr 10.11.12.2 assigned for worker #1 on tun #u
A transaction made by the client is processed by the network. The grace period ends and service providing begins.
The part of the grace period that the client used for VPN service is accounted for when paid VPN service begins.
[10/26/23-08:08:14] [INF] [dap_stream_ch_chain_net_srv] Found tx in ledger by notify. Finish grace.
[10/26/23-08:08:14] [INF] [dap_stream_ch_chain_net_srv] Grace period is over! Check tx in ledger.
[10/26/23-08:08:14] [INF] [dap_stream_ch_chain_net_srv] Tx is found in ledger.
[10/26/23-08:08:14] [DBG] [dap_chain_net_srv_vpn] Checkout user 0xBCE3BFE876D75733DB57C872DC29A3680527A518202455810340F23C91B0F16E in group local.srv_pay.riemann.vpn_srv.remain_limits
[10/26/23-08:08:14] [INF] [dap_stream_ch_chain_net_srv] Send first receipt to sign
[10/26/23-08:08:14] [ * ] [dap_stream_ch_chain_net_srv] Trying create input tx cond from tx 0x36D92BE34E603850610B34900CF955372AF6DC9625832FB5DC4AE93005D341EE with active receipt
[10/26/23-08:08:14] [ * ] [dap_chain_mempool] Datum transaction with hash 0x563A568DB15C9C369C7A46B0BD33367822A7D3FA72D72303057F76BF1867EBB7 was placed in mempool group riemann.chain-main.mempool
[10/26/23-08:08:14] [ * ] [dap_stream_ch_chain_net_srv] Formed tx 0x563A568DB15C9C369C7A46B0BD33367822A7D3FA72D72303057F76BF1867EBB7 for input with active receipt
[10/26/23-08:08:14] [ * ] [dap_stream_ch_chain_net_srv] Receipt with client sign is accepted, start service providing
Client closes connection to a VPN node.
[10/26/23-07:35:18] [INF] [dap_chain_net_srv_vpn] Unassigned 10.11.12.2 address from tun sock #0
[10/26/23-07:35:18] [DBG] [dap_stream_ch_chain_net_srv] Stream ch chain net srv delete
[10/26/23-07:35:18] [INF] [dap_chain_net_srv_vpn] Unassigned 10.11.12.2 address from tun sock #1
Client tried to connect to a VPN node and wasn't able to pay for service.
After the end of the grace period, the client is added to the ban list for the duration of the grace period.
[10/26/23-07:49:04] [INF] [dap_stream_ch_chain_net_srv] Grace period is over! Check tx in ledger.
[10/26/23-07:49:04] [WRN] [dap_stream_ch_chain_net_srv] No tx cond transaction
[10/26/23-07:49:04] [WRN] [dap_chain_net_srv_vpn] Response error code 0x00000400
[10/26/23-07:49:04] [DBG] [dap_stream_ch_chain_net_srv] Add client to banlist
[10/26/23-07:49:04] [INF] [dap_chain_net_srv_vpn] Usage inactivation: switch off packet input & output channels
[10/26/23-07:49:04] [INF] [dap_chain_net_srv_vpn] Unassigned 10.11.12.2 address from tun sock #1
[10/26/23-07:49:04] [INF] [dap_chain_net_srv_vpn] Unassigned 10.11.12.2 address from tun sock #0
[10/26/23-07:49:04] [DBG] [dap_stream_ch_chain_net_srv] Stream ch chain net srv delete
Banned client attempts to connect to a VPN node.
[10/26/23-07:58:36] [ * ] [dap_stream_ch_chain_net_srv_session] Added service riemann:0x0000000000000001 , usage id: -1538328107
[10/26/23-07:58:36] [INF] [dap_stream_ch_chain_net_srv] Valid pricelist is founded. Start service in pay mode.
[10/26/23-07:58:36] [INF] [dap_stream_ch_chain_net_srv] Client pkey is banned!
[10/26/23-07:58:36] [WRN] [dap_chain_net_srv_vpn] Response error code 0x00000503
[10/26/23-07:58:36] [DBG] [dap_stream_ch_chain_net_srv] Stream ch chain net srv delete
Client closes connection to a VPN node, and paid VPN service period wasn't used fully.
[10/26/23-08:26:53] [INF] [dap_chain_net_srv_vpn] Unassigned 10.11.12.2 address from tun sock #1
[10/26/23-08:26:53] [INF] [dap_chain_net_srv_vpn] Unassigned 10.11.12.2 address from tun sock #0
[10/26/23-08:26:53] [DBG] [dap_stream_ch_chain_net_srv] Stream ch chain net srv delete
[10/26/23-08:26:53] [DBG] [dap_chain_net_srv_vpn] Save user 0xBCE3BFE876D75733DB57C872DC29A3680527A518202455810340F23C91B0F16E remain service into group local.srv_pay.riemann.vpn_srv.remain_limits
[10/26/23-08:26:53] [INF] [dap_stream_session] Close session id 1217913730 ...
[10/26/23-08:26:53] [INF] [dap_stream_session] Delete session context [stm_sess:0x7fb3c407e8e0, id:1217913730, ts:1698307301]
[10/26/23-08:26:53] [ * ] [dap_stream] Stream connection is over
Upon the client's next connection, the period that was left over is taken into consideration.
[10/26/23-08:27:44] [ * ] [dap_stream_ch_chain_net_srv_session] Added service riemann:0x0000000000000001 , usage id: 359293158
[10/26/23-08:27:44] [INF] [dap_stream_ch_chain_net_srv] Valid pricelist is founded. Start service in pay mode.
[10/26/23-08:27:44] [DBG] [dap_chain_net_srv_vpn] Checkout user 0xBCE3BFE876D75733DB57C872DC29A3680527A518202455810340F23C91B0F16E in group local.srv_pay.riemann.vpn_srv.remain_limits
[10/26/23-08:27:44] [INF] [dap_stream_ch_chain_net_srv] User has 893 SEC remain service. Start service without paying.
[10/26/23-08:27:44] [INF] [dap_chain_net_srv_vpn] s_callback_response_success is called
[10/26/23-08:27:44] [ * ] [dap_chain_net_srv_vpn] Enable VPN service
[10/26/23-08:27:44] [INF] [dap_chain_net_srv_vpn] Received address request
[10/26/23-08:27:44] [DBG] [dap_chain_net_srv_vpn] new_address = 10.11.12.2
new_address_max = 10.11.12.255
[10/26/23-08:27:44] [INF] [dap_chain_net_srv_vpn] VPN client new IP address 10.11.12.2 leased
gateway 10.11.12.1
net mask 255.255.255.0
net addr 10.11.12.0
last_addr 10.11.12.2
[10/26/23-08:27:44] [DBG] [dap_chain_net_srv_vpn] Tun:1 message: addr 10.11.12.2 assigned for worker #1 on tun #u
[10/26/23-08:27:44] [DBG] [dap_chain_net_srv_vpn] Tun:0 message: addr 10.11.12.2 assigned for worker #1 on tun #u
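The events walked through above can be counted in one pass to see how many sessions paid, ran out their grace period unpaid, or were rejected as banned. This is an added example, not part of cellframe-node: the function names are hypothetical, the matched message strings are the ones in the excerpts on this page (other node versions may word them differently), and the sample input is constructed by combining lines from those excerpts.

```shell
#!/bin/sh
# Added example (not part of cellframe-node): summarise VPN-service events
# from cellframe-node.log read on standard input.

vpn_log_summary() {
    awk '
    / Added service /                           { sessions++ }
    /Start the grace period for [0-9]+ seconds/ { grace++; grace_s = $(NF-1) }
    /Receipt with client sign is accepted/      { paid++ }
    /Start service without paying/              { resumed++ }
    /No tx cond transaction/                    { unpaid++ }
    /Add client to banlist/                     { banned++ }
    /Client pkey is banned!/                    { rejected++ }
    /Response error code 0x/                    { err[$NF]++ }
    END {
        printf "sessions=%d\n", sessions
        printf "grace_started=%d\n", grace
        if (grace > 0) printf "grace_seconds=%s\n", grace_s
        printf "paid=%d\n", paid
        printf "resumed_from_remaining=%d\n", resumed
        printf "grace_expired_unpaid=%d\n", unpaid
        printf "ban_added=%d\n", banned
        printf "ban_rejects=%d\n", rejected
        for (code in err) printf "error_%s=%d\n", code, err[code]
    }'
}

# Constructed sample: lines taken from the excerpts above, in time order.
sample_log() {
    cat <<'EOF'
[10/26/23-07:49:04] [INF] [dap_stream_ch_chain_net_srv] Grace period is over! Check tx in ledger.
[10/26/23-07:49:04] [WRN] [dap_stream_ch_chain_net_srv] No tx cond transaction
[10/26/23-07:49:04] [WRN] [dap_chain_net_srv_vpn] Response error code 0x00000400
[10/26/23-07:49:04] [DBG] [dap_stream_ch_chain_net_srv] Add client to banlist
[10/26/23-07:58:36] [ * ] [dap_stream_ch_chain_net_srv_session] Added service riemann:0x0000000000000001 , usage id: -1538328107
[10/26/23-07:58:36] [INF] [dap_stream_ch_chain_net_srv] Client pkey is banned!
[10/26/23-07:58:36] [WRN] [dap_chain_net_srv_vpn] Response error code 0x00000503
[10/26/23-08:01:41] [ * ] [dap_stream_ch_chain_net_srv_session] Added service riemann:0x0000000000000001 , usage id: 230796362
[10/26/23-08:01:41] [ * ] [dap_stream_ch_chain_net_srv] Transaction 0x36D92BE34E603850610B34900CF955372AF6DC9625832FB5DC4AE93005D341EE can't be found. Start the grace period for 600 seconds
[10/26/23-08:08:14] [ * ] [dap_stream_ch_chain_net_srv] Receipt with client sign is accepted, start service providing
[10/26/23-08:27:44] [ * ] [dap_stream_ch_chain_net_srv_session] Added service riemann:0x0000000000000001 , usage id: 359293158
[10/26/23-08:27:44] [INF] [dap_stream_ch_chain_net_srv] User has 893 SEC remain service. Start service without paying.
EOF
}

# With a file argument, summarise that log; otherwise run on the sample.
if [ -n "${1:-}" ]; then
    vpn_log_summary < "$1"
else
    sample_log | vpn_log_summary
fi
```

Pass /opt/cellframe-node/var/log/cellframe-node.log as the argument to summarise the live log.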