current bull run gave me some money and past black Friday gave me interesting discounts to buy my first home server. Waiting for delivery, I want to better understand how can I self host and use a Zcash full node from my home preserving my privacy.
This is the setup idea I came up with, I would appreciate if you could review it and possibly point me to helpful resources.
home server with proxmox (1 Gbit FTTH + ~300 Mbit 5G as failover)
a linux VM with Zcash full node stack + tailscale client
a lightweight VPS in cloud with headscale installed (ie. by mynymbox)
a lightweight VPS with unmetered traffic (ie. by ionos) as tailscale exit node for the VM
a wallet (ie. zashi) that sends transactions and sync through private tailnet
Hey Jenkin! If you’re just looking to relay blocks and not mine than your home server is more than adequate given current network conditions which is great, because it gives you room to run other services on the same box like Prometheus and Grafana for monitoring. You could also run a lightwalletd node if you want to contribute even more to the network.
Your main constraints are going to be bandwidth (you’re also fine there) and disk space for the blockchain cache (300GB recommended, I use a 1TB SSD in my home server for example)
I’d run zebrad, expose metrics and RPC only on your LAN/tailnet for monitoring, put lightwalletd behind HTTPS with Let’s Encrypt, and then use Tailscale so your devices (including Zashi, if you want to point it at your own server) can reach it privately. No need to punch big public holes in your firewall for v1.
Another option is to run your own explorer locally which can be exposed to your mobiles via tail/head scale. zcashd works for sure, and zebrad support is coming along ( h/t @pacu ) can share the latest with the zebrad version. Looks like a fun project, enjoy!
Do you confirm that using an exit node, only its IP is shared with other zcash nodes and my home IP remains always hidden? It’s my primary concern…
If your threat model is “I don’t want other peers on the Zcash network to see my home IP” then yes, Tailscale is fine. Your ISP and the VPN provider can see more than users on the Zcash network though. You’d need something like Tor/Arti to protect against that.
I managed to send ZEC from a Zashi configured with zec.rocks server to another Zashi configured with my own public server backed by my home-hosted full node (zebra + zaino).
I’m running the z3 stack with docker on my home server in a VM. Outgoing and incoming traffic passes through a VPS (exit node) using tailscale (another VPS with headscale manages the network, so all services are self-hosted). On the exit node, the incoming traffic on port 8233/tcp (zebra) is forwarded to the VM through tailscale tunnel. Incoming traffic on https port (443) is reverse proxied by Caddy to port 8137 (zaino) on tailscale network. All other ports are closed by ufw.
During the holiday I’ll write down a step-by-step tutorial. But I also want to install and configure other pieces of the puzzle (monitoring, block explorer, …).
I bought a quite powerful home server, but my goal is running several services other than zcash stack: a minisforum ai x1 pro with 128 GB of ram and 9 tb of nvme (2x4 + 1): ~ $2,500.
Now I have zebra + zaino and lightwalletd running in a VM with 4 cores and 16 GB of ram and 1 TB of disk without issues (but very low traffic). I have a FTTH connection up to 1 GB and 1 GB lan: ~$15 per month plus maybe $300 for switches and cables. I have also a backup 5G connection: ~8 per month plus ~$250 for router and external antenna. I also rent two VPS for external access (unmetered traffic): $6 per month.
Love this. What I find most valuable here is the clear separation between validation, indexing, and exposure. Home-hosted Zebra as authority with a VPS used purely as an edge keeps trust boundaries explicit and reproducible. This reads like a solid reference pattern for running modern Zcash infrastructure without collapsing roles.
which is great, because it gives you room to run other services on the same box like Prometheus and Grafana for monitoring. You could also run a lightwalletd node if you want to contribute even more to the network.
