How TunnelSats Leverages Public APIs for Confined VPN Management
At TunnelSats, providing a "Set It & Forget It" privacy tool for node runners means navigating strict environment boundaries. With our new Umbrel App, we demonstrate how to orchestrate a Lightning-centric VPN solution using the TunnelSats Public API across a segmented architecture.
The Challenge: Umbrel environments are strictly confined. How do you allow a self-hosted node to securely fetch and configure a WireGuard VPN tunnel natively, while handling continuous subscription renewals without locking the logic inside the local machine?
The Solution: A decoupled, API-first architecture.
1. Local App Provisioning: The Umbrel App uses our public API: List Servers to fetch all available servers, then Create Subscription to subscribe and Claim Subscription to fetch the active WireGuard tunnel configuration tailored to the user's selected continent. This keeps the local app lightweight and focused entirely on the networking layer (kill switches, LND/CLN routing).
2. Centralized NWC Renewals: Rather than forcing the Umbrel node to negotiate auto-renewals internally, users log into the tunnelsats.com dashboard.
3. API Orchestration: On the dashboard, users import their Umbrel config and provide a Nostr Wallet Connect (NWC) string. The backend API handles the rest, pinging the node via NWC and orchestrating the Lightning invoice payment to renew the subscription outside of the confined Umbrel environment.
This guarantees the local node focuses exclusively on uptime, while the API handles the financial abstraction. Check out the API documentation here and see how you can interact with TunnelSats programmatically: api.tunnelsats.com