Run Your Own Node: Stop Being a Tenant on the Network
Stop being a tenant on someone else's protocol. A working blueprint for full-validation nodes you actually trust.
TL;DR
Every 'decentralised' wallet you use through a hosted endpoint has quietly re-centralised. Running your own fully-validating node, Bitcoin Core on the Pi, reachable only over Tailscale, with your wallet pointed at it, closes that gap. One evening of setup plus a sync that runs while you sleep.
What you'll be able to do
- ▸A pruned, fully-validating Bitcoin Core node on your existing private server.
- ▸RPC bound to Tailscale only, no public exposure, no third-party balance leak.
- ▸Sparrow (or your wallet of choice) talking to your node, not Blockstream's.
- ▸A second protocol (Nostr relay) as the quickest sovereignty win after BTC.
- ▸An operational checklist that keeps the node alive for years.
Prerequisites
- ·Your First Private Server, Pi 5 with NVMe, hardened, Tailscale installed.
- ·Comfort with systemd units, journald, and signed-binary verification.
- ·Patience for a 1–3 day initial block download.
Threat model
Third-party RPC providers that see your balances, can censor your broadcasts, and represent a single point of failure or subpoena. Not nation-state chain analysis, that needs Tor, coinjoin, and a different guide.
Every protocol that calls itself decentralised has a quiet re-centralisation point: the endpoint your wallet actually talks to. Your Bitcoin app talks to a Blockstream or BlockCypher server. Your Ethereum wallet talks to Infura. Your "private" DNS resolves through Cloudflare. The protocol is trustless in the whitepaper; the request your laptop made is not. Someone owns that endpoint, sees your balances, can rate-limit you, can serve you a lie about the chain state, and can be subpoenaed about the IPs that asked.
The whole point of these networks was to remove the trusted third party. If you reach the network through one, you have chosen to keep the trusted third party, just renamed and hidden behind a nice mobile app. The fix is not complicated, it's just unsexy: run your own node, point your wallet at it, stop asking strangers to validate your view of reality.
This guide is the operator's version. Not "spin up a node and feel good about it", a working node, validating fully, reachable from your laptop over Tailscale, with a wallet actually pointed at it. By the end you will have replaced one re-centralisation point in your stack. From there, the rest falls in line.
Don't trust. Verify. And verify with your own hardware, or the verb means nothing.
By the end of an evening (plus a sync that runs while you sleep) you will have a fully-validating Bitcoin Core node running on the Pi from Your First Private Server, RPC bound to Tailscale only, a wallet on your laptop pointed at it, and an honest answer to "how would I add a second protocol" once you want one.
§ 01
What "running a node" actually means.
Half the noise online about "running a node" is people running something that doesn't actually validate anything. There are four flavours; only one buys you sovereignty.
| Mode | What it does | Trustless? | Storage cost |
|---|---|---|---|
| Full + archive | Validates every block + keeps full history forever | Yes | Very high (BTC ~700 GB, ETH ~14 TB) |
| Full (pruned) | Validates every block; discards old block data after verifying | Yes, same trust guarantees | Moderate (BTC ~10 GB, ETH ~1.2 TB) |
| Light / SPV | Trusts block headers from full nodes; doesn't validate scripts | Partial, trusts the headers source | Tiny (< 100 MB) |
| Hosted RPC (Infura, etc.) | You ask a stranger what the chain looks like | No | Zero, but you are the product |
§ 02
Pick the network that buys you something.
Which protocol you run depends on which sovereignty you actually want. Don't run all of them. Pick one, run it well, add a second when you have a real reason.
| Protocol | Sync time | Disk (pruned) | What sovereignty it buys |
|---|---|---|---|
| Bitcoin Core | 1–3 days on a Pi 5 with NVMe | ~10 GB (pruned) / ~700 GB (full) | Wallet privacy, fee estimation, no third-party balance leak |
| Lightning (LND or CLN) | Hours (after BTC syncs) | Small, but needs a full BTC node underneath | Custody-free payments without a wallet provider |
| Ethereum (Geth + Lighthouse) | 1–2 days | ~1.2 TB (snap-synced) | No Infura; private balance queries; signing on your terms |
| Monero | ~1 day on NVMe | ~200 GB | Privacy by default; no Kraken-side address linkability |
| Nostr relay (strfry) | Minutes | Grows with what you choose to mirror | Your own address for notes, censorship-resistant publish path |
§ 03
Hardware reality.
The Pi from the previous guide is enough for Bitcoin Core (pruned), a Nostr relay, and a small Lightning node. Anything more, Ethereum, Monero archive, a public relay handling real traffic, wants a real x86 box with proper NVMe.
2 TB NVMe (WD SN770 or Samsung 990)
Storage · the only spec that matters
DRAM-cached, TLC, with real endurance. Avoid QLC. A node writes constantly; cheap NVMe dies fast.
16 GB RAM
Memory · breathing room for utxo set + mempool
Pi 5 8GB works for pruned BTC. ETH or running multiple nodes wants 16GB+ on x86.
Wired ethernet (Cat 6)
Network · Wi-Fi is not a node uplink
Initial block download will pull hundreds of GB. Wi-Fi will rate-limit you and drop peers.
UPS (CyberPower CP685AVR or similar)
Power · the difference between a clean shutdown and a corrupt chainstate
Brief outages corrupt LevelDB. A $90 UPS pays for itself the first power blip.
x86 mini-PC (when you outgrow the Pi)
Compute · Minisforum / Beelink N100 or Ryzen mini
When you want ETH or a public-facing Bitcoin node. ~$300 buys what you need for years.
§ 04
Reference build: Bitcoin Core on the Pi.
Everything below assumes a working Pi from Your First Private Server with Tailscale already installed on it and on your laptop. If not, do that first, exposing RPC any other way is a different guide and a worse one.
- STEP 01
Dedicated user, dedicated directory.
Never run node software as your login user. A compromised node should not have shell access to your home directory.
▌ user.shsudo adduser --system --group --home /var/lib/bitcoin bitcoin sudo mkdir -p /var/lib/bitcoin/.bitcoin sudo chown -R bitcoin:bitcoin /var/lib/bitcoin
↳ One-time setup. Run from your ops user. - STEP 02
Install Bitcoin Core from upstream binaries.
Verify the signatures before running anything. The Core project signs every release; the Guix attestations let you verify the binaries were reproducibly built.
▌ install.shcd /tmp VERSION=27.1 # check current release curl -LO https://bitcoincore.org/bin/bitcoin-core-$VERSION/bitcoin-$VERSION-aarch64-linux-gnu.tar.gz curl -LO https://bitcoincore.org/bin/bitcoin-core-$VERSION/SHA256SUMS curl -LO https://bitcoincore.org/bin/bitcoin-core-$VERSION/SHA256SUMS.asc # Verify checksum grep "bitcoin-$VERSION-aarch64-linux-gnu.tar.gz" SHA256SUMS | sha256sum -c - # Install sudo tar -xzf bitcoin-$VERSION-aarch64-linux-gnu.tar.gz -C /opt/ sudo ln -sf /opt/bitcoin-$VERSION/bin/bitcoind /usr/local/bin/bitcoind sudo ln -sf /opt/bitcoin-$VERSION/bin/bitcoin-cli /usr/local/bin/bitcoin-cli
↳ Check bitcoincore.org/en/download for the current version + signing key fingerprints. - STEP 03
Write the config.
Pruned, with RPC bound only to the Tailscale interface. Replace
100.x.x.xwith the box's Tailscale IP fromtailscale ip -4.▌ bitcoin.conf# Network chain=main listen=1 maxconnections=40 # Pruning, keep ~10 GB of recent blocks prune=10000 # Performance on a Pi 5 dbcache=2048 par=3 # Indexing (off unless you need it) txindex=0 blockfilterindex=1 peerblockfilters=1 # RPC, bound to Tailscale only server=1 rpcbind=100.x.x.x # your tailscale ip rpcallowip=100.64.0.0/10 # tailscale CGNAT range rpcauth=ops:<salt>$<hash> # generated below
↳ /var/lib/bitcoin/.bitcoin/bitcoin.conf, keep it readable only by the bitcoin user. Generate the
rpcauthline with Core's helper script, never store a plain password in the config:▌ rpcauthcurl -sL https://raw.githubusercontent.com/bitcoin/bitcoin/master/share/rpcauth/rpcauth.py \ | python3 - ops
↳ Outputs the rpcauth= line and shows you the password once. Save the password into your password manager. - STEP 04
systemd unit so it stays up.
One file. Logs to journald, restarts on failure, runs unprivileged.
▌ bitcoind.service[Unit] Description=Bitcoin Core (mainnet) After=network-online.target tailscaled.service Wants=network-online.target [Service] ExecStart=/usr/local/bin/bitcoind -daemon=0 -conf=/var/lib/bitcoin/.bitcoin/bitcoin.conf -datadir=/var/lib/bitcoin/.bitcoin User=bitcoin Group=bitcoin Type=simple Restart=on-failure RestartSec=30 TimeoutStopSec=600 PrivateTmp=true ProtectSystem=full NoNewPrivileges=true [Install] WantedBy=multi-user.target
↳ /etc/systemd/system/bitcoind.service ▌ enablesudo systemctl daemon-reload sudo systemctl enable --now bitcoind sudo journalctl -u bitcoind -f
↳ Start it; watch the initial sync. - STEP 05
Wait for initial block download.
On a Pi 5 with NVMe over Tailscale-less ethernet, IBD takes 24–72 hours. Don't reboot. Don't worry. Check progress with
bitcoin-cli getblockchaininfofrom the box, or remotely once you've finished § 05.
§ 05
Point your wallet at it.
A node nobody uses is a houseplant. The whole point is to push your wallet's queries through it instead of through someone else's server.
- STEP 01
Sparrow (desktop), direct Bitcoin Core RPC.
Sparrow is the cleanest desktop wallet for self-hosted setups. It talks to Bitcoin Core directly, no Electrum server in the middle.
▌ sparrow.configURL: http://100.x.x.x:8332 # your Pi's Tailscale IP User: ops Password: <the rpcauth password from §04 step 3> Use proxy: off Test connection ──► green tick
↳ Preferences → Server → Bitcoin Core - STEP 02
Mobile (BlueWallet, Zeus), Electrum bridge.
Mobile wallets speak the Electrum protocol, not raw Bitcoin RPC. Run Fulcrum (faster) or Electrs alongside Bitcoin Core; both translate Electrum-protocol requests into Core RPC calls. Bind them to Tailscale the same way.
- STEP 03
Verify the wallet is actually using your node.
On the Pi, watch the RPC log while you refresh the wallet. Every wallet action should produce a line.
▌ verifysudo journalctl -u bitcoind -f | grep -i rpc
↳ If the wallet's balance updates without a single log line, you're not using your node.
§ 06
The cheap second win: a Nostr relay.
A personal Nostr relay is the fastest "I actually own this endpoint" feeling you can buy. Thirty minutes, no sync, immediate utility, your own publishing address and a censorship-resistant backup of your own notes.
sudo apt install -y build-essential git cmake libssl-dev zlib1g-dev \ liblmdb-dev libflatbuffers-dev libsecp256k1-dev libzstd-dev git clone https://github.com/hoytech/strfry /opt/strfry cd /opt/strfry && git submodule update --init && make setup-golpe && make -j$(nproc) sudo install -m755 strfry /usr/local/bin/strfry sudo mkdir -p /var/lib/strfry && sudo chown ops:ops /var/lib/strfry sudo cp strfry.conf /etc/strfry.conf # Edit /etc/strfry.conf: # db = "/var/lib/strfry/db" # bind = "100.x.x.x" # port = 7777 # Run it (write a systemd unit just like bitcoind): strfry --config /etc/strfry.conf relay
§ 07
Operational discipline.
A node is not fire-and-forget. It's close, but the once-a-week ten-second check below is what separates a node that lasts years from one you find dead after a power blip three months ago.
§ CHECKLIST, Weekly node check (≤ 60 seconds)
§ 08
Verification: confirm sovereignty is real.
The final test of a node is independent reality. Pick a recent block, ask your node about it, then ask a public explorer. They had better agree.
# Latest block on your node HEIGHT=$(bitcoin-cli getblockcount) HASH=$(bitcoin-cli getblockhash $HEIGHT) echo "Height $HEIGHT Hash $HASH" # Then check the same height on a public explorer like # https://mempool.space/block/<HASH> # The hash should match exactly.
§ CHECKLIST, End-of-build verification
§ 09
What this does NOT do.
✓ PROTECTS AGAINST
- +Wallet-balance leakage to third-party RPC providers.
- +Censorship of your own broadcast transactions by a hosted provider.
- +Reliance on an explorer's fee estimates and chain-tip view.
- +Identification of your IP with on-chain activity (when paired with Tor, see below).
- +Loss of access if a provider deprecates a chain or rate-limits free tiers.
✗ DOES NOT PROTECT AGAINST
- −Anonymize your network traffic, for that, route bitcoind through Tor (proxy=127.0.0.1:9050).
- −Custody your funds, keys still live in your wallet; this guide is about the view, not the spend.
- −Make you a miner or a validator, different protocol, different hardware, different threat model.
- −Protect against bugs in node software, run upstream releases, verify signatures, update on cadence.
- −Defend against a malicious peer, full validation does, but only if the node actually validates (i.e., not SPV).
- −Replace a backup, wallet.dat lives outside the node and needs its own offline strategy.
§ 10
Going further.
HARDWARE PERIMETER
The Protectli Vault →Before you expose anything to the public web.
REFERENCE BUILD
pfSense on Bare Metal →The firewall a public node deserves.
HARDENED WORKSTATION
Qubes OS →So the laptop signing transactions can't be owned.
§ REFERENCES
- [01]Bitcoin Core, full node documentation
- [02]Satoshi Nakamoto, Bitcoin: A Peer-to-Peer Electronic Cash System
- [03]Bitcoin Core, download and signing keys
- [04]Sparrow Wallet, Bitcoin Core integration
- [05]Fulcrum, Electrum-protocol bridge for Bitcoin Core
- [06]strfry, Nostr relay
- [07]Ethereum.org, running your own node