Are you interested in making some extra money out of Bitcoin mining at home privately? Well, if you wish to do so, then I must say that you can exactly do this and that you have landed in the right place. For this, you are going to require a home network. It is an essential part of maintaining a permissionless operation to build a secure and private network for mining. By following this how to mine bitcoin privately at home guide, you will be able to build a robust and customizable home mining network featuring the following benefits:
- VPN tunneling or Virtual Private Network tunneling for securing and encrypting your internet traffic.
- Enhanced privacy from the detecting eyes of your ISP or Internet Service Providers.
- Mitigation of the IP address’s potential risk logging from the mining pool.
- Configuration of a pfSense firewall
- Creating sequestered home networks for keeping your ASICs separate from your guest WiFi network.
- Setting up of a mesh WiFi network access point.
- Configuring an ad-blocker at the firewall level.
In this Mine Bitcoin Privately guide, we will take you through some of the free and open-source bitcoin mining software such as the WireGuard and pfSense in addition to some of the premium open source software such as Mullvad VPN.
How To Mine Bitcoin At Home Privately
Now, let us get right into the actual guide and get your home mining network set up in such a way that it makes you happy and also keeps your ASICs private and secure. However, if you are interested in how to start bitcoin mining for free, then I must say that you would have to spend some amount on the equipment but that is not going to make a hole in your pockets.
Building a pfSense Firewall From An Existing Old Desktop
In the following steps, we will show you how to use an old desktop (how to mine bitcoin on pc) for building a pfSense firewall and how to configure it from the comfort of your home. You can also go ahead and read the detailed guide of pfSense on their website that is not covered in this guide. Additionally, you can also purchase a Netgate device with an already installed pfSense and good to go out of the box.
In case you chose the last option and do not wish to build your own, then you can directly skip to the step number 4 below.
Step 1: Installing The New Network Card
In this step, you would require an old desktop. The best is to use a Dell Optiplex 9020 Small Form Factor (SFF). This serves as a powerful piece of hardware for the firewall as it features an Intel i7-4790 3.6GHz CPU, 16 GB of RAM and a 250 GB hard drive.
By default, this computer solely possesses only one RJ45 Ethernet port. However, if this is going to serve as a firewall, then it will definitely require at least two Ethernet ports. For achieving this, you can purchase an Intel i350 network card that comes equipped with four Ethernet ports. The Intel i350 network card has been designed to be used in the four-lane PCIe slot on the motherboard of the desktop.
For the SFF chassis, you need to swap out the full frame size metal bracket with the included smaller bracket on the network card. Next, you will simply have to open the chassis and flip open the external clamp covering the empty PCI slots. With the help of a screwdriver, you can remove the blank metal bracket insert in front of the four-lane PCI slot and then insert the network card. Now, close the clamp and put the chassis side cover back on.
As soon as it is installed, it becomes important to note which of the Ethernet ports is for the WAN or Wide Area Card and which ports are for the LAN or Local Area Network. WAN refers to what faces out to the wide open public internet and the LAN is what faces into your local home network.
After you have successfully completed the installation process, you can go ahead and set your desktop to the side for now. You will also want to utilize your network connected computer for downloading and verifying the pfSense image and flash it to a USB drive.
Step 2: Downloading & Verification Of pfSense Image File And Flashing It To A USB Drive
First you need to visit the pfSense download page and as soon as you land there, do the following:
- Select the “AMD64” architecture
- Select the “USB Memstick Installer”
- Select the “VGA” Console.
- Now, select any one mirror that is closest to your geographic location like the one that has been demonstrated below. Now click on the download.
Next, you can calculate the SHA-256 checksum on the compressed file that you have downloaded and verify it against the checksum that has been displayed on the pfSense download page. You can also use a freeware hex editor named HXD in order to calculate the checksums. All you need to do is open the file that you are interested in and navigate to the “Tools” and then to the “Checksums”. Select the “SHA256” from the menu. In case the hash values do not match, you must not run the executable file.
The easiest way to flash an image file to a USB drive is to use a program named “balenaEtcher”. As soon as it is installed, you need to launch the application and click on the “Flash from file” option. Navigate to the folder where you have the compressed pfSense image file.
Now, you have to select your blank USB drive and then click on the “Flash” option. BalenaEtcher will then begin the flashing process and then automatically decompress the pfSense image file. This process will take a couple of minutes.
As soon as the flashing is completed, you must get a green check mark that indicates that everything checks out. If BalenaEtcher displays any error, then you might need to try flashing to a different USB drive.
After this, you can safely eject the flashed USB drive from your desktop and you are also ready to flash the other desktop.
Step 3: Flashing The Desktop & Installing pfSense
You need to connect a keyboard, monitor, power cable and the flashed USB drive to your desktop where you have installed the network card. The monitor needs to be connected via the VGA connections. The DisplayPort connections would not work ideally. But, you must not connect the Ethernet cables yet.
Once everything is connected, you would need to turn on your desktop. Some of the computers will automatically detect that there is a bootable USB drive inserted. They will ask you which drive you would like to choose to boot from. In other cases, the computer defaulted to booting from the “C:\” drive and might launch Windows automatically.
If the second one happens to you, then you must shut down the computer and then hold down the F12 button on the keyboard and then turn it on back. This will launch the BIOS settings where you can instruct the computer the exact drive that you want to boot from.
After selecting this option, shortly a script will run and then the pfSense installer will launch. Following this, the first thing that you need to do is accept the terms and conditions. Then you need to select the option “Install pfSense”. After this choose the keymap that is appropriate for you. If your native language is English and you live in the United States, then you would probably just want to use English by default.
Next, you have to choose the “Auto ZettaByte File System” or ZFS option as you might be using a hardware platform that has way over specifications for a nome firewall. The ZFS option has even more features and is much more reliable than the UNIX File System or UFS option. However, ZFS might be even more memory hungry.
This will be followed by some partitioning and redundancy options that you can keep as simple as possible such as no redundancy and the default configuration options. Now select “Install”.
After this, you will be asked which drive you would like to choose to install the pfSense onto. You might get a lot of options. Otherwise, you might also get only two options, the USB and the computer’s hard drive. Obviously, you would not want to install in the USB drive, so choose the other option which is the hard drive of the computer. If you are doing this, then you need to make sure that any data you want to save gets copied to an external drive first as it will erase your existing hard drive.
The installer will then warn you that this operation will destroy all of the existing data on the hard drive. If you are dedicating this computer to be your firewall and do not need to have Windows on it anymore, then accept the installer’s warning. After you have confirmed this choice, you can see a few scripts running and the flashing process will consume a couple of minutes.
After this, you will see a couple of confirmations that the pfSense installation has been successful. A prompt will ask you if you wish to manually make any final modifications. You might choose not to. Next, it will ask you if you want to reboot. You need to select “Yes”. Immediately remove the USB drive at this point before the reboot occurs as otherwise it will thrash you to the beginning of the wizard again. You must wind up at the main terminal menu as soon as the reboot is completed. It is this time that you are ready to connect your new firewall to your home network.
Step 4: Connecting The pfSense In A Home Network
The following steps will be completely done with the help of the keyboard and monitor that is connected to the new firewall. The following are the steps that you need to follow.
- First, power off your ISP provider router, switch off the modem and disconnect the Ethernet cables from your router and modem.
- After this, you have to power on your new firewall and let the pfSense load. Then, switch on your modem and wait for it to link it to the internet.
- In the pfSense menu, you need to select the first option that says “Assign Interfaces”. It will then ask you if you wish to set up the VLANs now. You need to enter “n” that refers to no. It will then ask you to enter the WAN interface name. Enter the alphabet “a” that refers to auto-detect.
- Now, connect it to an Ethernet cable from your modem output to your new firewall network card interface. You need to remember that the port on the far right side if the RJ45 release tabs are facing up is your WAN port, or the far-left side if the RJ45 release tabs are facing down.
- Once it is connected, you need to hit “enter”. It must detect the link-up on the interface port igb0. If it is igb3, then you need to switch the Ethernet cable to the opposite side and try again.
- It will then ask you to enter the LAN interface name. For this, you need to enter the alphabet “a” that refers to auto detect. You need to connect an Ethernet cable from the next available port on the new firewall network card to your Ethernet switch or the other access points. You also need to keep in mind that if your intention is to run a Virtual Local Area Network (VLAN), you would require a managed switch.
- Once it is connected, you need to hit “Enter”. This should detect the link-up on the interface port igb1.
- Next, hit “Enter” again for “nothing” as no other network connections are configured at this time.
- It will then inform you that the interfaces will be assigned to as follows: WAN = igb0 and LAN = igb1.
- You need to enter the alphabet “y” meaning yes and the pfSense will write the configuration as well as bring you back to the main menu with your WAN IP v4 and IP v6 addresses that will be displayed on top.
You may follow the below mentioned signal path configuration setup.
At this point, you must be able to enter the “192.168.1.1” into your web browser on your regular desktop and then launch the pfSense web interface. This is a self-signed certificate. Thus, you need to accept the risk when prompted and then continue. The login credentials are:
Login ID: admin
You can now disconnect the keyboard and the monitor from the newly created firewall. The remaining steps will be completed via the web interface on your regular desktop.
Step 5: Configuring The pfSense Basic Settings
In this step, you will learn how you can configure the basic settings such as the setup wizard, changing the TCP port, enabling the Secure Shell SSH and setting up the hairpinning by default. The broad majority of the information that is presented in the steps five and six is generally based on the video by Tom Lawrence. You can watch the video on YouTube.
First you need to click on the red warning dialog at the top of the page for changing the password that you have been using to login to your new firewall. High entropy, single use passwords with an accompanying password manager is what is always recommended. Then you need to log out and then again log in for testing your changes.
Once you have logged back in, you need to open the Setup Wizard from the system tab. After this, the wizard will take you through nine basic steps for receiving your new pfSense configured firewall. On the first step, Click “Next”.
Then on the second step, you will be given the opportunity to configure the hostname, primary/secondary DNS servers and the domain. If you want, you can leave the “Hostname” and “Domain” to what they are by default or set them to anything you want. You can select “100.64.0.3” for the primary DNS server in the bid to get out to the internet and then uncheck the “Override DNS” box if you want to avoid having DHCP override the DNS servers. We will go over why we used “100.64.0.3” in step 10 of this guide.
Then in three steps, you can set your timezone.
On the fourth step, you might select “DHCP” for the WAN interface and leave all the remaining fields to their defaults. If you wish to spoof your MAC address, then you have to do it in this step only. As far as the last two fields are concerned, ensure these blocks are checked: “Block RFC1918 Private Networks” box and the “Block bogon networks” box. This will automatically add the appropriate rules to your firewall.
In the fifth step, you can change the IP address of your firewall. Most of the home local networks make use of 192.168.0.1 or 192.168.1.1 for accessing the firewall or the router. The reason that you might want to change this to a non-default local IP address is owing to the fact that if you are on someone else’s network and you are trying to VPN back into your home network, then you might run into an issue where you bear the same address on both the ends and the system would not know if you are trying to connect to the local or the remote addresses.
In this case, we have changed the local IP address to “192.168.69.1.”
Then in the sixth step, you might set your admin password. If this is the second time the changed password is displayed, then enter the same high-entropy password from before, assuming that it was asking for the same password that will be used for logging into the router.
In the seventh step, you can click on the “Reload” button. As this gets to reloading, you need to unplug the power cable from the switch. Since the local Ip address of the Router has been changed to “192.168.69.1” in this case, or whatever you might have chosen for you, all the devices on the network now, will have their IP address updated to that range.
Thus, if you have PuTTY or any other SSH sessions that are configured to your Raspberry Pi node (for instance), you will be needing to update those connection configurations. Unplugging the power from the switch and then plugging it back in after the router has been rebooted, aids to get all your devices reassigned.
For figuring out the IP addresses for the devices on your local network, you might navigate to the “Status” tab and then select the “DHCP Leases” for seeing everything listed out.
Following the reload in step seven, the wizard might just skip both the steps eight and nine. Thus, it is not sure what exactly happens in those steps. However, we will move on and address all the necessary things.
A couple of the other basic settings that you need to note right now are located just under “System>Advanced>Admin Access.” If you want you can also update the TCP port to “10443” just like in the guide, so that you can run some services that will access the same default ports such as 443 and 80. This will also minimize the congestion.
Additionally, you can also enable SSH. Then, you can also choose how the SSH is secured. This could be either with keys, or with a password or even with both. Upon saving, you would have to give the interface a minute to update to the new port. You might also have to reload the page utilizing the local IP address and the new port that is “192.168.69.1:10443.” You must ensure that you have saved the changes at the bottom of the page.
Now comes the last basic setting where we will cover the hairpinning. For example, you can have your network setup helping you to open a port to a security camera system with the help of a public IP address. This public IP address can also be utilized inside your network that is much more convenient if you are at home and accessing the camera system from your cellphone on your LAN.
In this case, you do not have to change where it connects to manually. This is owing to the fact that hairpinning will check that you are solely trying to access a local IP and then it will loop you back around by default with the enabled setting. Now follow the below-mentioned steps:
- Under the “System” tab, navigate to “Advanced>Firewall & NAT”.
- Next scroll down to the “Network Address Translator” section.
- Select “Pure NAT” from the “NAT Reflection Mode” drop-down menu.
- At the bottom of the page, click “Save” and at the top of the page select “Apply Changes”.
This is all about the basic settings. The best part is that pfSense is rather secure in its default installation so that you do not require change for having a great basic foundation. Usually, the pfSense developers if there is a more secure way to roll out the pfSense, they would just make that the default setting.
One of the other things that you need to note occurring by default is that pfSense enables WAN IPv6 network address translation mapping or NAT. You can choose to disable this. Thus, if you do so, you would not require to open up an IPv6 gateway to the wide open internet.
You can do so by visiting the “Interfaces>Assignments” and then clicking on the “WAN” hyperlink on the very first assignment. This will open up the configuration page for you and then make sure that the “IPv6 Configuration Type” has been set to “None.” Following this, save and apply the changes.
Finally, you can navigate to the “Firewall>NAT” and scroll down to the “WAN” interface with the help of an IPv6 source and delete it.
Step 6: Configuring The pfSense Advanced Settings
In this section, we will go over some of the advanced features that you might be interested in to mine bitcoin privately at home. Here, you will be able to see how you can seat up separate networks from your pfSense router so that the guests can access the wide open internet from a WiFi access point in your home. However, they cannot access your ASICs from that network.
If you have used the i350 network card, then you will have four Ethernet ports available. And if you have used the Dell Optiplex , you will also have a fifth Ethernet port on the motherboard. This means that you will have five interfaces that you can configure of which four can be secondary local networks.
What you can do here is keep your work desktop and your dedicated Bitcoin (BTC) desktop on one network or LANwork. After this, you can configure a secondary LAN that your home’s WiFi access point will be one or LANhome. In this way, you can keep the traffic from your family’s web browsing completely separate from your work and Bitcoin related activities.
Then, you will have to set another LAN that you will dedicate to your ASICs or the LANminbers, that will remain completely separate from the other two networks. You can also create a test network named LANtest that you will use for integrating new ASICs and ensure that there is no malicious firmware on them before exposing your other ASICs to them. You might also go ahead and add a security camera network on one of the interfaces and that the possibilities are endless.
If you navigate to the “Interfaces” tab, then under the “Interface Assignments” you will be able to see all of your available network card RJ45 ports. They must be labeled “igb0,” “igb1,” “igb2,” etc. Now, all you have to do is simply add the one that you are interested in by selecting if from the drop down menu and then clicking on the green “Add” box.
Then, you would need to click on the hyperlink located on the left side of the interface that you have just added for opening up the “General Configuration” page for that interface. Now follow the below mentioned steps.
- Click on the “Enable Interface” box.
- Change the “Description” to something that will aid in identifying its function such as “LANhome”.
- Next, set the “IPv4 Configuration” type to “Static IPv4” and assign a new IP range. You can use “192.168.69.1/24” for your first LAN so for this one, you can use the next sequential IP range, “192.168.70.1/24.”
As far as the other settings are concerned, you can leave them to their defaults. Click on the “Save” at the bottom of the page and then “Apply Changes” at the top of the page.
Next, you will need to set up some of the firewall rules for the new LAN. Go to the “Firewall” tab and then on to the “Rules”. Now, click on to the newly added network named “LANhome” for instance. Next, click on the green box with the up arrow and the word “Add”.
Now you have to follow the below mentioned instructions on the next page:
- You need to make sure that the “Action” has been set to “Pass”.
- The “Interface” has been set to “LANhome” or whatever you have named your secondary LAN.
- Ensure that you have set the “Protocol” to “Any”, else this network will restrict the type of traffic that might be passed on it.
- After this, you can go ahead and add a short note to indicate what this rule is for like “Allow All Traffic”.
- After this all the other settings can remain in their default settings. Following this, click on the “Save” at the bottom of the page and then “Apply Changes” at the top of the page.
Now it is time to test your new network. But before you can do so, you would require to have an IP address set up on it:
- Move to the “Services” then to the “DHCP Server”.
- Next, click on the tab for your new LAN.
- Click on the “Enable” box following which, you would need to add your Ip address range in the two “Range” boxes. For instance, you can use the range from “192.168.70.1 to 192.168.70.254.” Following this, click on the “Save” at the bottom of the page and then “Apply Changes” at the top of the page.
After you are done with this, you can test your new network by connecting physically a computer to the corresponding RJ45 port on the network card and then trying to access the internet. If everything worked fine, then you must be able to browse the wide open web.
However, you might notice that if you are on the secondary LAN and you try to login to your firewall, then you will be able to do so making use of the “192.168.70.1” IP address.
In another case, you would only want your firewall accessible from your “LANwork” network and do not want your wife and kids or even the guests to be able to log into the firewall from their designated “LANhome” network. Although you might have a high-entropy password to get into the firewall, you might still want to configure the other LANs so that they cannot talk to the router.
One of the concerns about this case that you want to have is that this kind of configuration will help mitigate, is if you plug an ASIC into your network with some of the malicious firmware installed on it, you can keep that device isolated and restrict that security concern from affecting the other devices and the information that you might have. This is the reason why you must set up one of the LANs as the “LANtest” that will be completely dedicated to keep the new ASICs isolated from the rest and that you can test them in safety without permitting any potential attack to occur on the other ASICs or any other devices on your home’s networks.
For setting up a rule so that port 10443 cannot be accessed from the other LAN networks, you need to navigate to the setting “Firewall>Rules” and then choose the tab for the corresponding network of interest. You need to click on the green box with the up arrow and the word “Add” written on it. Now follow the below mentioned:
- Ensure that the “Action” has been set to “Block”.
- Then under the “Destination” section, you need to set the “Destination” to “This Firewall (self)” and then the “Destination Port Range” to “10443” using the “Custom” boxes for the “From” and “To” fields.
- You can also add a description for helping you remember what this rule is for. Following this, click on the “Save” at the bottom of the page and then “Apply Changes” at the top of the page.
Possessing a high-entropy password for logging into the router and then locking down the port is great as a start. However, you can further sequester your LAN networks and ensure that the devices on one network must not get into any of the other networks at all by setting up an alias for your primary LAN. Navigate to “Firewall>Aliases,” then under the “IP” tab click on the “Add” button. Now, follow the steps mentioned below.
- Now you can name this alias “SequesteredNetworks0”.
- Enter a description to remind you later about the functions.
- As you will be adding a firewall rule to your “LANhome” network referencing this alias. You will need to add the other LANs to the “Network” list. This way, the “LANhome” network cannot talk to the “LANwork,” “LANminers” or “LANtest” networks.
- Following this, click on the “Save” at the bottom of the page and then “Apply Changes” at the top of the page.
Now you can add the additional aliases that will be referenced in the firewall rules on the other LANs for preventing “LANminers” from talking to “LANwork,” “LANhome,” and “LANtest” and the other networks until all your networks are sequestered in such a way that your firewall can see what is connected on the other networks.
With the created alias, a new firewall rule can be applied referencing this alias on the secondary LAN. Now, follow the below mentioned steps:
- Go to “Firewall>Rules” and select the LAN where you want to apply the rule, say, “LANhome”.
- Set the “Action” To “Block”.
- Set the “Protocol” to “Any”
- Set the “Destination” to “Single host or alias”.
- Now enter your alias name.
- Following this, click on the “Save” at the bottom of the page and then “Apply Changes” at the top of the page.
Once you have created the aliases and set all the firewall rules, you will be able to connect your laptop to each of the network card RJ45 interface ports and attempt to ping each other’s networks. You could get out to the wide-open internet from each LAN. However, you might not be able to communicate with any of the other LANs or the firewall. At this point you must know that any devices on any of your LANs will not be having access to the devices on any of your other LANs. You will be able to see what is connected on all the other LANs only from your primary “LANwork” network.
This takes care of the advanced features. You need to have some firewall rules set up and the multiple networks sequestered. After this, we will move on to setting up the WiFi access point on one of the secondary LANs.
Step 7: Setting Up & Configuring A WiFi Access Point
In this section, you will see how you can configure the home mesh WiFi utilizing the secondary “LANhome” network. The key points that you are required to keep in mind in this case is that you are making this a dedicated LAN specifically for a WiFi access point for your guests and family to link to without the need to provide them access to your pfSense firewall or any other LANs. However, they still have unrestricted access to your wide open internet. You will need to add a VPN tunnel for this LAN later.
To ensure that you are providing enough WiFi signal to the entire house, you can go ahead with a NetGear Nighthawk AX1800 kit. Inside this kit, you will receive a WiFi router and a repeater satellite. The basic idea of this is that the WiFi router will directly get connected to the pfSense firewall with the help of an Ethernet cable on the igb2 “LANhome” port. Next, the WiFi router will broadcast the signal to the repeater satellite in a different area of the house. In this way, you can increase the WiFi signal coverage to an even wider area.
If you want to accomplish this, you must follow the below mentioned steps:
- First, plug the WiFi router in the pfSense firewall on the “LANhome” igb2 port making use of the Ethernet cable to the port that has been labeled “Internet” on the back of the WiFi router.
- Plug a laptop into the labeled port “Ethernet” on the back of the WiFi router bearing an Ethernet Cable.
- Now, plug the WiFi router into the power making use of the supplied power adapter.
- Wait a few seconds for the light to turn on. The color of the light will be solid blue and you can easily locate it in the front side of the WiFi router.
- On your laptop, open a web browser and type in the Ip address for the WiFi router. You might locate the IP address next to the “MR60” device in your pfSense dashboard under the “Status>DHCP Leases.”
- As soon as you are done, you will be prompted to change the password. Again, you have to use a high-entropy and random password bearing an accompanying password manager. If you do not want your family or guests to access this WiFi access point administrative settings, it is recommended that you place a strong password. You might also be prompted to update the firmware that will result in a reboot.
- Following this, you can log in again with your new admin password and change the default network name to anything you wish to. Additionally, add a WiFi password for accessing the WiFi network. This is the password that you share with your guests and family. You can make this password easy to remember and share. Even if a malicious actor cracks the password and gains access to the WiFi network, it remains completely sequestered from everything else and the WiFi router itself bears a high entropy password.
- Now, navigate to the “Advanced>Wireless AP” and enable “AP Mode.” “AP” refers to the access point. Then, apply the changes.
- The router will reboot again. The local IP address will be updated at this point. You can monitor this change in the “DHCP Leases” status page. After this, you can unplug the laptop from the WiFi router and then log in to the router from the same machine as the pfSense interface is running.
- After you have logged in again, you need to click on the “Add Device” and you will be prompted to set the satellite repeater in place and then connect it to the power. Next, follow the prompts on the interface for syncing the satellite.
Now, all your guests and family members including you can browse the wide open web from the devices from the WiFi having no dropouts in the complete house. Thus, you do not need to be concerned with anyone accessing your sensitive work network or your ASIC network or even your test network.
We are done with this step and we will move toward adding the VPN tunnels to the networks that we have created by now.
Step 8: Installing & Configuring The WireGuard Package With Mullvad
Before you start, you need to know that the WireGuard is a VPN software protocol that you can install on your pfSense firewall and then you can make use of the protocol for defining how to construct your tunnels with the help of your VPN provider.
The VPNs create a secure and encrypted tunnel from your computer to the server of your VPN provider. This restricts your ISP from seeing your data or where the final destination of it is. There are various types of VPN protocols like the OpenVPN, IKEv2/IPSec, L2TP/IPSec and WireGuard. However, they all essentially have the same goal to outline the instructions for creating a secure tunnel for encrypting your data that is to be sent over the public networks.
The recent addition to the lineup of the VPN protocols is the WireGuard. It is an open source VPN that is comparatively light weight bearing less codes and faster speeds than some of the others. The speed part might be a key factor for you if you consider that the added latency can reduce the efficiency of an ASIC.
Another advantage of the VPNs is that your geographic location might be spoofed. This means that you are in one part of the world and you can make use of a VPN tunnel to a VPN provider’s server in another part of the world. It will appear that your internet traffic is coming from that server. This is generally useful for the people who reside in the authoritative countries where the access to specific websites and the services are restricted.
You need to keep this in mind that you need to rely that your VPN provider is not logging in to your IP address or that it might submit this information to the authorities if pressed. Thus, if you are using Mullvad, it ensures that it does not collect any personal information about you, not even the email address. Additionally, it accepts cash or Bitcoin so that you can pay for the service without getting into the risk of linking your bank account details. Simultaneously, it offers a “No-Logging Policy” that you can read on their website.
In this case specifically, you will be using a VPN to ensure that your ISP does not check that you are mining Bitcoin. Additionally, this will prevent your mining pool and slush pool from seeing your real IP address. This is not because you are doing anything illicit or because you think that the Slush pool is logging on to your IP address, but simply owing to the fact that these are the critical times bearing a very quick changing political environment and the things that you legally do today might get outlawed tomorrow.
Or might be if some legislations are passed making it illicit for a person to operate a Bitcoin miner in the US or any part of the world without a money transmitter’s license, then you can spoof your geolocation so that if the slush pool had been forced to block the IP addresses coming from your location, you could still continue mining as it would appear that your hash rate was originating from outside your location.
Taking into consideration that the blockchain is forever while the future is still uncertain, we think that it is worth taking the time to figure out how you can guard your privacy. By taking the steps today for increasing your security and privacy, you can ensure that your freedom and the pursuit of your happiness are guarded.
The vast majority of the information that we have included in this segment comes from the YouTube video of Christian McDonald. Mullavad is a paid VPN subscription where the fee is €5 each month. Before we get on to the Mullavad subscription set up, you will need to get your WireGuard package installed to your pfSense firewall. After this, we will set up a Mullvad account and also generate the configuration files. We can after this receive multiple tunnels set up and conduct some fancy configurations in pfSense.
Navigate to “System>Package Manager>Available Packages” in pfSense and scroll down to the WireGuard link and click on the “Install” option. On the next page, you need to click on the “Confirm”. Now, the installer will run and let you know when it has successfully completed the installation.
Now, you can go to the “VPN>WireGuard” and check that the package has been successfully installed. However it is not configured yet. Now as the WireGuard is ready, we will be working on the installation of the VPN client.
Visit the https://mullvad.net/en/ and click on the “generate Account”. Mullvad will never acquire any information that is personal. It will generate a unique account number and this is the sole identifying information that you receive related to your account. Thus, you need to write it down or save somewhere and secure it.
Next, choose your payment method. If you are using Bitcoin for the payment, you will receive a 10% discount. The subscription works for as long as you want to pay even for up to 12 months at the rate of €5 per month. This means that a one year of subscription would cost you €60 or 0.0019 BTC at the time of writing. You will be also presented with a Bitcoin address QR code for sending your payment to.
You need to check the mempool to see when your Bitcoin transaction will get confirmed. You might also need to wait some time depending on the network congestion.
After the transaction is confirmed on the chain, your Mullvad account is topped off and your account must show you the time remaining for the next subscription. You must make considerations in selecting a server location from the long list of servers available on Mullvad. If you are planning on running the ASICs behind your VPN, then it is recommended to connect to a server that is relatively close to your actual geolocation for reducing any latency as much as possible.
The method in which Mullvad works is with the configuration files that assigns a unique public or private key pair for each of the tunnel addresses. The basic idea here is that you might want to have a primary tunnel set up for the ASICs. However, if you also want a secondary tunnel setup with another server in a different geographic location just in case you feel anytime the primary tunnel connection goes offline.
If you do so, this way your mining internet traffic will switch over to the other tunnel automatically. There will be no interruption in concealing your public IP address or encrypting your traffic data. You can also set up other tunnels specifically for your WiFi network and your “LANwork” network.
For doing this, you will require as many key pairs as you want in the tunnels. A single Mullvad connection offers you up to five key pairs. Next, you will need to navigate to https://mullvad.net/en/account/#/wireguard-config/ and select the appropriate platform, in this case, Windows. Next, you have to click on the “Generate Keys” for as many key pairs you wish to have. But with a single subscription, you would not be able to get more than 5 key pairs. Then you need to click on the “Manage Keys” to check your list.
On saying that, it needs to be mentioned especially that all the keys and sensitive information that are presented in this guide have already been nuked before publishing. You must be cautious regarding sharing this information with anyone else. Additionally, you would also want to keep your Mullvad keys private. Now follow the below mentioned steps:
- Choose the “Public Key” that you are interested in creating a configuration file by selecting the circle under the “Use” column next to the appropriate public key.
- Choose the country, city and the server that you want to configure with the help of this public key.
- Now click on the “Download File”.
- Now you need to save the configuration file in a very convenient place as you will require to open it in a moment.
At this point, you would need to remember that for each tunnel to a new server that you want to configure, you would need to make use of a separate public key. If you attempt to assign two tunnels to the same key, the pfSense will encounter several problems with your VPN.
You will have to repeat this process for all of the generated keys. You will have to choose a different server for each of the unique keys and generate the configuration file. You might make this easier by naming the configuration filer as the city and the server used.
Now you need to navigate back to the pfSense and visit the “VPN>WireGuard>Settings”. Now click on the “Enable WireGuard” and then “Save.” Next, follow the below steps:
- Go to the “Tunnels” tab and select the option “Add Tunnel”.
- Now open your very first Mullvad configuration file with the help of a text editor such as Notepad and keep it aside.
- In the WireGuard, you need to add a “Description” for your tunnel that describes what it exactly is.
- Now, copy-paste the “Private Key” from the Mullvad configuration file and add it to the “Interface Keys” dialog box.
- Click on the “Save Tunnel” and then “Apply Changes” at the top of the page.
After this, the WireGuard will generate the public key automatically when you paste the private key and hit the “Tab” key on your keyboard. You can also verify that the public key was correctly generated by comparing it to the key on the Mullvad website that you have generated earlier.
Next you will have to repeat this process for as many tunnels as you want. Make sure that you use the correct Mullvad configuration file for each one as they all contain various public and private key pairs, endpoints and IP addresses. Each of the tunnels will receive its own peer. You might also add a “Peer” by first navigating to the “Peer” tab located next to the “Tunnels” tab that you were just on. Now click on the “Add Peer”. Next, follow the below instructions:
- First select the appropriate tunnel from the drop-down menu for this peer.
- Add a proper “Description” for your tunnel that describes what it is such as “Mullvad Atlanta US167.”
- Now Uncheck the “Dynamic Endpoint” box.
- Copy-paste the “Endpoint” IP address and port from the Mullvad configuration file into the “Endpoint” fields in WireGuard.
- You can also give 30 seconds to the “Keep Alive” field.
- Now copy-paste the “Public Key” from the Mullvad configuration file into the “Public Key” field located in WireGuard.
- Next, change the “Allowed IPs” to “0.0.0.0/0” for IPv4. You can even add a descriptor such as “Allow All IPs” if you want.
- Click on the “Save” and then “Apply Changes” at the top of the page.
You would need to repeat this process for as many peers as you have tunnels. Ensure that you use the right Mullvad configuration file for each one as they contain the various public and private key pairs, endpoints and IP addresses. At this point, you will be able to navigate to the “Status” tab and observe the handshakes that are taking place by clicking on the “Show Peers” located in the lower right-hand corner.
Next, you have to assign the interfaces for each tunnel.For this, you have to navigate to “Interfaces>Interface Assignments” and select each of the tunnels from the drop-down menu and add it to the list.
After all of your tunnels are added, click on the blue hyperlink next to each added tunnel for configuring the interface. Follow the below instructions.
- Click on the “Enable Interface” box.
- Now, enter your description. You can also use the VPN server name like “Mullvad_Atlanta_US167”.
- Now select the “Static IPv4”.
- Type “1420” in the “MTU & MSS” boxes.
- Now, copy and paste the host IP address from your Mullvad configuration file in the “IPv4 Address” dialog box.
- Next, click on the “Add A New Gateway”.
After you have clicked on the “Add A New Gateway,” you will be provided with a pop-up dialog box. Here, you have to enter your new gateway that needs to be something easy. The best thing is to append the name with either “GW” or “GateWay”. Now, enter the same host IP address from the Mullvad configuration file. Simultaneously, you can also add a description if you want like the “Mullvad Atlanta US167 Gateway.” Now, click on the option “Add”.
As soon as you are back at the interface configuration page, you need to click on the option “Save” at the bottom of the page and finally click on the option “Apply Changes” at the top of the page.
You need to repeat the process for creating a gateway for each of the tunnel interfaces that you have added. You need to make sure that you use the right Mullvad configuration file for each one as they all bear separate host IP addresses.
At this point, you can also navigate to your dashboard and the monitor status of your gateways. If you have already done this by far, then you can customize your dashboard for monitoring several statistics of the pfSense. All you need to do is click on the “+” sign in the upper hand side of your dashboard and then you will find a list of the available statistics monitors in the drop down format and you might select the ones that you prefer.
On the dashboard you might find three columns starting with the “System Information”/ The second column consists of the “Installed Packages” summary, a list of the interfaces and the “WireGuard” status. In the third column, you might have the “Gateway” status and the “Services” status. This way you will be able to quickly check and monitor the status of various kinds of things.
What you need to focus on in the dashboard is the “Gateways” section. You might notice that all the gateways are online. It is a fact that the gateways will always remain online as long as the tunnel is active even if the remote side is unresponsive. They are owing to the fact that they are the local interface. Thus, right now they are completely useless as even if the remote side goes down, they will still be seen as online. For enabling the ability to monitor the latency so that these gateways can offer some useful status, you need to offer these gateways a public domain name or DNS address for monitoring.
You will also notice that all the ping time of the tunnels are zero milliseconds. This is because at this point you are not sending any data out through these tunnels. By pinging the public DNS server, the pfSense might get some very useful metrics and then make decisions about the tunnel that will offer the least latency or if a remote server goes down to reroute the traffic.
You might also find a public DNS server for monitoring at this DNS checker website or a number of the other public DNS server listings. You need to watch for the recorded uptime percentage , the more it is the better it is. You would also want to find public DNS IPv4 IP addresses for monitoring on your IPv4 gateways. Each of the gateways will require a separate DNS address for monitoring.
Once you receive your public DNS addresses, you have to navigate to the “System>Routing>Gateways” in pfSense. Now, you need to click on the pencil icon located next to your gateway. You will be able to find that the “Gateway Address” and the “Monitor IP” address are the exact same on all of the gateways. This is the reason why the ping time is zero milliseconds and this is also the reason for pfSense to think that the gateway is always up.
Now, enter the public DNS IP address that you are looking forward to monitoring in the “Monitor IP” field and then click on the “Save” at the bottom of the screen. Next, click on the “Apply Changes” at the top of the screen. Always remember that the gateways cannot share the same DNS monitor address thus you need to use a different public DNS server for each of the gateways to monitor.
Now, if you go back to your dashboard and check your gateway monitor, you will be able to see that there are some actual latency metrics that you need to observe. With this information, you can go ahead and set up your gateways in the order of priority based on which ones have the lowest latency for the traffic of your internet.
Thus, for example, if you are mining Bitcoin, you would want to prioritize your ASICs for going through the lowest latency tunnel first. If that tunnel fails, then automatically the firewall can switch them to the next tier gateway having the sequence second to smallest latency and so on.
So far, everything is looking pretty decent. The tunnels are active and there is data going through the gateways. Next, you would require to define some outbound network address or NAT mapping on the firewall. Follow the below mentioned instructions:
- Navigate to the “Firewall” tab and then to the “NATm” and finally to the “Outbound” tab. This will pull up a list of all of your network mappings from your WANs to your LANs. As we have defined some of the new interfaces, we would like to add these mappings to the list.
- Now click on the “Hybrid Outbound NAT Rule Generation” located under the “Outbound NAT Mode” section.
- Scroll to the bottom of the page and click on the “Add” option.
- Now choose your interface from the drop-down menu
- Select “IPv4” for the “Address Family” and “Any” for the “Protocol”.
- Ensure that the “Source” is on the “Network” and then you have to enter the local IP address range for the Local Area Network that you want it to go down this tunnel. For example, if you want your “LANwork” to go through the tunnel to Atlanta, you have to enter “192.168.69.1/24.”
- Next, you have to enter a description if you wish to like the “Outbound NAT for LANwork to Mullvad Atlanta US167.”
- Following this, click on the “Save” at the bottom of the page and then “Apply Changes” at the top of the page.
You are required to repeat this process for each of the interfaces for the tunnels. You will also notice that our “LANwork” network is going to the Atlanta tunnel, our “LANhome” network is going to the New York tunnel, and we have “LANminers” network set up for both the Miami and the Seattle tunnels. You can also set a mapping for your mining LAN to all the five of the tunnels if you really wish to. There is a lot of flexibility.
With all the mappings in place, you can go ahead and add the firewall rules. Go to the “Firewall>LAN,” then click on “Add,” where the “LAN” is any LAN that you want to add a rule to. For example, you can set up your “LANwork” network in this manner. Now follow the below instructions:
- Set the “Action” to “Pass”
- Next set the “Address Family” to “IPv4”
- Set the “Protocol” to “Any”
- Finally, click on the “Display Advanced”
- Now scroll down to the “Gateway” and choose the gateway that you have set up for this LAN.
Now, do the exact same thing with the other LANs until all the LANs are set up with a gateway rule. In the following image, you will find the LAN gateway rules where you will notice two of the gateway rules to the “LANminers” network have been added. In the later steps you will be learning how to set up the automatic load balancing between the tunnels for mining the LANs that is going to replace the two rules that were just added to the “LANminers”. But before that you need to make sure that everything is set up and that everything is working perfectly.
For double checking that everything is working superb so far and that each of the LANs are receiving the different public-facing IPs, we will enter into “ifconfig.co” via a web browser from each LAN. If everything is working as it must have been doing, then you can have different locations for each of the LANs that you are plugging into and pinging from.
First try that everything is working as planned. While you are connected to each of the LANs, you will be able to disable the corresponding firewall rule and then refresh the page watching your IP address to change back to your actual geolocation.
If you can recall that you have set two tunnels for your “LANminers” network. When you disabled the one firewall rule that is in correspondence to the Miami tunnel and then refresh the browser, it will immediately and automatically switch to an IP address in Seattle.
So each of the LAN is sending the traffic via a different tunnel and all of the tunnels are working as expected. However, in regards to the “LANminers” network, you would want the pfSense to switch between the Miami and Seattle tunnels automatically based on the latency or the downed servers. With just a few more steps, you can get this configured to automatically switch and replace the two existing firewall rules with a single new rule.
Now, navigate to “System>Routing” and then the “Gateway Groups” tab. Follow the given instructions:
- Enter a group name such as “Mullvad_LB_LANMiners.” The term “LB” refers to the “Load Balance”.
- Now set all the gateway priorities to the option “Never”, except for the two gateways that you are interested in for your miners. In such a case, you can use your Miami and Seattle gateways. You need to set the priorities for both to “Tier 1”. You may also use all the five of your tunnels if you really want to.
- Now set the trigger level to “Packet Loss or High Latency”.
- You might add a description if you want. You might choose a description such as “Load Balance LANminers Mullvad Tunnels”.
If you visit the “Status>Gateways” and then the “Gateway Groups” tab, you would be able to check your new gateway group to be online. Theoretically, if you route your traffic to “Mullvad_LB_LANminers”, then it must balance the traffic between the two gateways depending on the latency.
Now this particular gateway group can be used in a firewall rule to the policy route of that traffic accordingly. Go to the “Firewall>Rules” and then to the “LANminers” tab or whatever your mining LAN is named.
Disable the two rules that you have set previously for testing the VPN tunnels by clicking the crossed out circle located next to the rule. Choose the “Apply Changes” and then go to the bottom and click on the “Add” option. Follow the below rules:
- Set the “Protocol” to “Any”
- Click on the “Display Advanced”.
- Now scroll down to the “Gateway” and choose the load balance gateway group that you have created.
This is all that you will need to get your ASICs to switch from one VPN tunnel to the other automatically depending on the latency or the downed servers. For testing this, you need to plug a laptop into your dedicated Ethernet port on your network card for your mining LAN. Check whether you have used “igb3” in your case.
At this point, you must make sure that your WiFi is turned off. You need to open a web browser and type the ifconfig.co” in the URL bar. The results must put you in the location of one of your VPN tunnels. In this case, it is Miami.
Then, you must go back to pfSense and navigate to “Interfaces>Assignments”. Next, click on the hyperlink for the same tunnel interface. In this case, it is the “Mullvad_Miami_US155” interface.
At the very top of that configuration page, you need to uncheck the box for “Enable Interface”. Following this, click on the “Save” at the bottom of the page and then “Apply Changes” at the top of the page. You have successfully disabled the Miami tunnel that your LANminers have been sending the traffic through.
Go back to your laptop, refresh the browser with the ifconfig.co page. It now must be putting you to the Seattle location or wherever you have set your secondary tunnel. Sometimes, you might need to completely shut down your browser and reopen it for clearing the cache.
Now, you need to make sure that you go back to the Miami interface and recheck the box for enabling that interface. Follow by Save and then Apply. Then you should navigate back to the “Firewall>Rules,” then to your mining LAN and then delete the two rules that you have had disabled. That is it. You are good to go. You must keep this in mind that the firewall rules work in a top down manner. Next, we will discuss how you can prevent ad tracking.
Step 9: Incorporating Ad Blocking
The advertising companies are pretty interested in both you and your information as much as they can get about you. Unfortunately, when you browse the internet, it is easier to leak this sought after information.
What you may not know is that this information is monetized for targeting the specific audiences with the products and services with surgical-like precision. You might remember conducting an online search for something and then later on noticed ads popping up in your social media feed matching your latest searches.
This has been made possible by accumulating the huge amount of information about what you search on the internet, the websites that you visit, the pictures you look at, stuffs that you download, songs or podcasts that you listen to, the location you use, what you shop online or save in your cart, the payment method that you use to clear your bills, the time and date of all of these activities. Then the ads are linked to that information in addition to the various identifiable constants such as the browser you are using and the device on which you are using.
Combining all of this information with your IP address, social media profile and the ISP account you will begin to see how there exists a honeypot of information about you that you might not want to make readily available to the law enforcement, corporations, hackers or strangers. Between the browser fingerprinting, cookies and the behavioral tracking, it might appear that the odds are stacked against you. However, there are simple steps that you need to adopt to begin guarding your privacy from right now. Nothing should hold you back from getting started.
In this section, we will discuss how to incorporate the ad blocking capabilities by modification of the DNS server and the DHCP server settings in your firewall. At the high level, when you type the name of a website into your web browser, that is sent to the DNS server which is usually the DNS server of your ISP. Then the server translates the human readable text into an IP address and sends that back to your browser for knowing which web server you are trying to reach. In addition to this, the targeted ads are also sent to you in the same manner.
The best thing to do at this point is to visit https://mullvad.net/en/ and click on the “check for leaks” link at the top to see where you have a provision to improve. If you see there are DNS leaks, based on the browser you are using, you might find some helpful instructions from Mullvad for hardening your browser and helping it to prevent ad and tracking at the browser level. You must try again. If you encounter issues while blocking the ads with your preferred browser, then you can consider using an even more privacy focussed browser such as the UnGoogled Chromium. Now follow the below mentioned steps:
- Choose your operating system and the latest version.
- Download the installer.exe file.
- Next, verify the hash value.
- Run the installer and then configure your basic settings such as the default search engine.
You can also consider another most promising browser “Tor” or otherwise known as “The Onion Router”. This is one such browser that is highly recommended. Additionally, Mullvad offers a couple of different DNS resolving servers. For example, you can use the “100.64.0.3” server for blocking the ad tracker. You must make sure that you are referring to the Mullvad website for the latest updated DNS server IP addresses as these might change occasionally.
Now in the pfSense, go to the “System>General” and then scroll down to the “DNS Server Settings” section and type “100.64.0.3” into the DNS Server field with your selected WAN gateway. If you are using the recommendation from the beginning of this guide, then this must have been set already but you will also need to follow the DHCP instructions as stated below:
Click on the “Save” option at the bottom of the page.
Next, you have to go to the “Services>DHCP Server” settings and enter “100.64.0.3” and then click on the “Save” option at the bottom of the page. You are required to repeat this step for all of your LANs in case you have multiple networks setup.
At this point, you must have an ad-tracker blocking DNS server configured at the firewall level for aiding in the protection of all your internet browsing. After this, if you focus on the additional measures of configuring your web browser or even upgrading to a privacy focused web browser, then you have taken a great step in guarding your privacy on your desktop.
You might also consider using the Bromite or UnGoogled chromium on mobile if you are looking for how to mine bitcoin on android.
Step 10: Checking For Latency Caused By The VPN
There exists a reasonable concern that utilizing a VPN might introduce latency to your mining traffic. The issue with this is that you will receive fewer rewards.
When latency exists, your ASIC might continue hashing a block header that is no longer valid. The more time your ASICs spend on hashing an invalid block header, the more stale hash rate you are going to send to the mining pool. When the pool checks that the hashes that are coming in for a block header are no longer valid, the pool automatically rejects that work. This points out that your ASIC has just wasted some computing power for nothing. However, this is on the scale of milliseconds, when the ASIC is calculating trillions of the hashes each second, it can quickly add up.
Ordinarily, this is a pretty small ratio as compared to the amount of work that is accepted by the pool. You can also start to see how continuous and significant latency might have an impact on your mining rewards.
Speaking generally, the closer the two servers are to each other, there will be less latency. With the help of a VPN, you have to send your mining traffic to the server of the VPN and then from there it will go to the server of the pool. In an effort to attempt and mitigate the latency by geographic proximity, you can use three VPN servers that are between your location and the server of the pool. If you want to be conscious of the risk in possessing a regional internet outage, you can also add two VPN servers that are not between you and the pool. With your “LANminers” network configured to load the balance traffic between five different tunnels, you can go ahead and start a five-day test.
In this, you will see that the first 60 hours or two and a half days are spent mining with the VPN on. The second two and a half days are spent mining with the VPN turned off. Here is what you can find:
In the first 60 hours, your ASIC might accept 43,263 packets and 87 rejected packets. This equates to 0.201%, or in other words, 0.201%, of your expended resources not being rewarded.
After 120 hours, your ASIC might have 87,330 accepted packets and 187 rejected packets. By subtracting the initial 60-hour readings, you will be left with 44,067 accepted packets and 100 rejected packets while the VPN was turned off. This equates to 0.226%. Astonishingly, this is slightly more of a rejection ratio without the privacy benefits of a VPN that has been given the same amount of time.
To conclude on how to mine bitcoin privately at home, it can be stated that this is the easiest way to mine bitcoin by balancing your mining traffic between the five VPN tunnels, you will be able to gain a VPN’s privacy benefits without diminishing the efficiency of your mining operation. The fact remains that in terms of the rejected ratio, your miner will perform better using the VPN thn not using it at all.
- Crypto License: How To Get It Now? - 03/02/2023
- Android For Bitcoin Traders: What Is The Important Potential? - 31/01/2023
- 10 Best Crypto Trading Techniques To Master This Year - 28/01/2023