
Lightning Watchtower Setup Guide


Why You Need a Lightning Watchtower

When you run a Lightning node, your funds depend on your ability to monitor the blockchain for cheating attempts. If your channel counterparty broadcasts an outdated commitment transaction (one in which they held a higher balance), you have a limited window to respond: their output is locked by the channel's to_self_delay (typically 144 to 2016 blocks, roughly one day to two weeks), and before that delay expires you must get a penalty transaction confirmed that claims the entire channel balance.

The problem: your node must be online to detect and respond to these breach attempts. If you lose power, your internet goes down, or your hardware fails during that window, you cannot defend yourself. A watchtower solves this by monitoring the blockchain on your behalf and broadcasting penalty transactions automatically if a breach is detected.

This guide covers setting up watchtower protection for your Lightning node, whether you run LND or Core Lightning.

How Watchtowers Work

The Breach Detection Process

  1. Registration: Your Lightning node registers with a watchtower and, each time a channel state is revoked, sends the tower two things: a hint, which is a short prefix (16 bytes in LND's protocol) of the revoked commitment transaction's txid, and an encrypted blob holding what is needed to build the penalty transaction (your pre-computed signature, the revocation data and the address to sweep to). The blob is encrypted with the full txid as the key, so the tower cannot open it during normal operation and learns neither your balances nor your transaction history.
  2. Monitoring: The watchtower checks the txid of every transaction in every new block against its stored hints.
  3. Response: If a txid matches a hint, the counterparty has broadcast an old commitment transaction. The full txid now visible on-chain is exactly the decryption key, so the tower opens the corresponding blob, assembles the penalty transaction and broadcasts it, claiming all funds in the channel.
  4. Settlement: The penalty transaction sends the channel funds to the address you supplied when the backup was created. Some watchtower implementations also support a reward policy that pays the tower a small cut of the recovered funds; LND's client uses the altruistic (no reward) mode.

Privacy Considerations

Well-designed watchtower protocols minimize the data exposed to the watchtower operator:

  • During normal operation the tower holds only txid prefixes and blobs it cannot decrypt, so it learns nothing about which channels you have, your balances, your counterparties or your payment history.
  • It can, however, count how many updates you send and when, which leaks your activity rate but not its content.
  • The tower only learns a channel's details when a breach actually occurs and the full txid appears on-chain, which is exactly when it needs them to build the penalty transaction.

This design means using a watchtower does not significantly compromise your Lightning privacy. The operator does see the IP address you connect from (unless you register over Tor) and the timing of your updates, and once a breach occurs it learns the channel and the sweep address contained in that one blob.
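The hint-and-blob mechanism described in the breach detection steps and the privacy section above, shown as a runnable model. This is an added example and not code from LND, Core Lightning or rust-teos: real towers encrypt the justice kit with ChaCha20-Poly1305 keyed by the full revoked txid, and this model keeps that structure but substitutes a stdlib-only stand-in cipher (SHA-256 keystream plus HMAC tag) so it runs offline. All txids and justice kits are constructed sample values; the point it demonstrates is that the tower can store thousands of blobs and open none of them until the matching full txid appears in a block.

```python
"""Toy model of the hint / encrypted-blob scheme behind watchtower privacy.

Added example; not code from LND, Core Lightning or rust-teos. Real towers
encrypt the justice kit with ChaCha20-Poly1305 keyed by the full revoked
commitment txid; this model keeps that structure but substitutes a stdlib-only
stand-in cipher (SHA-256 keystream plus HMAC-SHA256 tag) so it runs offline.
Every txid and justice kit below is a constructed sample value.
"""
import hashlib
import hmac
import json
import os
from typing import Dict, List, Optional, Tuple

HINT_LEN = 16    # the tower stores only this prefix of each revoked txid
NONCE_LEN = 12
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: SHA-256 in counter mode (toy, not for production)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_blob(txid: bytes, plaintext: bytes) -> bytes:
    """Encrypt so that only a holder of the full txid can decrypt or verify."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(txid, nonce, len(plaintext))))
    tag = hmac.new(txid, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_blob(txid: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when txid is not the key or the blob was altered."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(txid, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(txid, nonce, len(ct))))


def make_backup(revoked_txid: bytes, justice_kit: dict) -> Tuple[bytes, bytes]:
    """Client side: the (hint, blob) pair sent to the tower for one revoked state."""
    blob = encrypt_blob(revoked_txid, json.dumps(justice_kit).encode())
    return revoked_txid[:HINT_LEN], blob


class Watchtower:
    """Tower side: keeps blobs by hint, opens one only when its full txid hits the chain."""

    def __init__(self) -> None:
        self.backups: Dict[bytes, List[bytes]] = {}

    def register(self, hint: bytes, blob: bytes) -> None:
        self.backups.setdefault(hint, []).append(blob)   # a list: prefixes can collide

    def scan_block(self, txids: List[bytes]) -> List[dict]:
        found = []
        for txid in txids:
            for blob in self.backups.get(txid[:HINT_LEN], []):
                kit = decrypt_blob(txid, blob)   # None on a mere prefix collision
                if kit is not None:
                    found.append(json.loads(kit))
        return found


def demo() -> dict:
    """Constructed scenario: states 1 and 2 were revoked; the counterparty broadcasts state 2."""
    txid = {n: hashlib.sha256(f"constructed-commitment-{n}".encode()).digest() for n in (1, 2, 3)}
    tower = Watchtower()
    for n in (1, 2):   # state 3 is the live state and is never backed up
        hint, blob = make_backup(txid[n], {"state": n, "sweep_to": "constructed-sweep-address"})
        tower.register(hint, blob)
    # Normal operation: the tower holds hints and blobs but cannot open any of them.
    readable = [decrypt_blob(h, b) for h, blobs in tower.backups.items() for b in blobs]
    unrelated = hashlib.sha256(b"constructed-unrelated-transaction").digest()
    quiet_block = tower.scan_block([unrelated, txid[3]])    # live state on-chain is a normal close
    breach_block = tower.scan_block([unrelated, txid[2]])   # revoked state on-chain is a breach
    return {"readable_before_breach": readable, "quiet_block": quiet_block, "breach_block": breach_block}
```

The same structure explains why a hint collision is harmless: two different txids sharing a 16-byte prefix map to the same bucket, but only the blob whose full txid matches will pass the authentication check, so the tower still learns nothing about the other channel.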

LND Watchtower Setup

LND includes a built-in watchtower client and server. You can use your own second server as a watchtower or connect to a trusted third-party watchtower.

Prerequisites

  • LND version 0.17.0 or later (the watchtower client and server have been part of LND since 0.7; the commands below match current releases)
  • Access to your LND node’s command line or API
  • If running your own watchtower: a separate server or device with LND installed

Option A: Connect to an Existing Watchtower

The simplest approach is connecting your node to someone else's watchtower. Several community-operated watchtowers are available; take the tower's pubkey@host:port URI from the operator's own announcement rather than from a third-party list, because the pubkey is what authenticates the tower you hand your backups to.

  1. Enable the watchtower client in your lnd.conf. The optional wtclient.sweep-fee-rate setting (sat/vbyte) fixes the fee the tower's penalty transaction will pay; it is locked in when a session is negotiated, so do not set it so low that the penalty cannot confirm within the to_self_delay window:
[wtclient]
wtclient.active=true
  2. Restart LND to apply the configuration:
sudo systemctl restart lnd
  3. Add a watchtower using its public key and address:
lncli wtclient add pubkey@host:port
  4. Verify the connection:
lncli wtclient towers

This command lists all registered watchtowers and their status. You should see the tower you added with connection status information.

  5. Check that sessions are being created:
lncli wtclient stats

This shows the number of backup updates sent to your watchtowers. The count should increment as you make Lightning transactions.

Option B: Run Your Own Watchtower Server

For maximum sovereignty, run your own watchtower on a separate device. This eliminates trust in a third-party operator.

  1. On your watchtower server, install LND and enable the watchtower server in lnd.conf. If the tower sits behind NAT, forward the listen port (or run both machines over Tor and connect to the tower's onion address); watchtower.externalip lets the tower advertise a reachable address:
[watchtower]
watchtower.active=true
watchtower.listen=0.0.0.0:9911
  2. Start LND on the watchtower server. The watchtower will begin listening on port 9911.
  3. Retrieve the watchtower's public key and URI:
lncli tower info

This outputs the tower’s public key and listening addresses.

  4. On your primary Lightning node, add your watchtower as described in Option A using the URI from step 3.

Hardware suggestion: A Raspberry Pi Zero 2 W or any low-power device with internet connectivity can serve as a watchtower. The tower is an ordinary LND instance, so it needs one of the chain backends LND supports: a Bitcoin Core node (a pruned one is enough, since the tower only inspects new blocks as they arrive), btcd, or Neutrino. Running it beside a pruned Bitcoin Core node is the most reliable setup; Neutrino is lighter but depends on remote peers serving block data, which is a weaker footing for a service whose only job is to notice a transaction in time.

Umbrel/Start9 Watchtower Setup

If you run Umbrel or Start9, you can configure watchtower connections through the command line via SSH access:

  1. SSH into your node (Umbrel's default is user umbrel at host umbrel.local; Start9 shows its SSH credentials in its dashboard):
ssh <user>@<node-address>
  2. Open a shell in the LND container (Umbrel; the container name depends on the Umbrel version, so check docker ps if this one is not found):
docker exec -it lightning_lnd_1 bash
  3. Run the watchtower client commands as described above.

Some node management interfaces like ThunderHub and RTL are beginning to include watchtower management in their GUIs, though CLI remains the most reliable method for configuration. For general node management guidance, see our Lightning node infrastructure guide.

Core Lightning Watchtower Options

Core Lightning (CLN) does not include a built-in watchtower system like LND. Instead, the CLN ecosystem uses external watchtower implementations:

The Eye of Satoshi (teos)

TEOS is a standalone watchtower implementation compatible with CLN. It is developed as an independent project and follows the BOLT watchtower specification proposals.

  1. Install the teos watchtower server on your secondary device (a Rust toolchain is required):
git clone https://github.com/talaia-labs/rust-teos.git
cd rust-teos
cargo build --release
  2. Configure teos with your Bitcoin Core RPC credentials (teos.toml lives in the teos data directory, ~/.teos by default):
# teos.toml configuration
btc_network = "mainnet"
btc_rpc_user = "your_rpc_user"
btc_rpc_password = "your_rpc_password"
btc_rpc_connect = "127.0.0.1"
btc_rpc_port = 8332
  3. Start the teos server, then note its tower ID (teos-cli gettowerinfo prints it); the client needs this ID to register:
./target/release/teosd
  4. On your CLN node, build the teos client plugin (the resulting binary is named watchtower-client):
git clone https://github.com/talaia-labs/rust-teos.git
cd rust-teos/watchtower-plugin
cargo build --release
  5. Load the plugin in CLN:
lightning-cli plugin start /path/to/watchtower-client
  6. Register with your teos server using the tower ID from step 3:
lightning-cli registertower tower_id@host:port

Best Practices for Watchtower Configuration

Use Multiple Watchtowers

Do not rely on a single watchtower. LND supports registering multiple watchtowers simultaneously. If one goes offline, others continue monitoring. Aim for 2-3 independent watchtowers:

  • Your own watchtower on separate hardware
  • One or two community-operated watchtowers
  • Optionally, a watchtower hosted on a VPS in a different geographic location

Verify Watchtower Operation

Periodically check that your watchtower connections are active:

# Check tower status
lncli wtclient towers

# Check backup statistics
lncli wtclient stats

The stats should show incrementing backup counts corresponding to your channel activity. If numbers stagnate while you are making payments, investigate the watchtower connection.
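The check described above, turned into something you can run from cron rather than remember to do by hand. This is an added example, not code from this guide or from LND. It parses the JSON that lncli prints for wtclient stats, wtclient towers and listchannels; the field names it reads (num_backups, num_pending_backups, num_failed_backups, active_session_candidate, num_updates) are assumptions drawn from lnd's RPC definitions and should be confirmed against your lnd version. The sample outputs embedded in it are constructed, not captured from a real node. The detail worth noticing is that a stagnant backup count is only a problem if channel updates actually happened, so the script compares both counters against the previous run.

```python
"""Health check for the LND watchtower client, meant to run from cron.

Added example; not code from this guide or from LND. Field names are
assumptions drawn from lnd's RPC definitions (verify against your lnd
version); the sample outputs are constructed, not captured from a node.
"""
import json
import subprocess
from pathlib import Path
from typing import List, Optional

SNAPSHOT = Path.home() / ".lnd-wt-check.json"   # assumed location for last run's counters
RECOMMENDED_ACTIVE = 2                            # the guide's "2-3 independent towers"

# Constructed sample outputs in the assumed shape of the three lncli commands.
SAMPLE_STATS = {"num_backups": 120, "num_pending_backups": 0, "num_failed_backups": 0,
                "num_sessions_acquired": 2, "num_sessions_exhausted": 0}
SAMPLE_TOWERS = {"towers": [
    {"pubkey": "02" + "ab" * 32, "addresses": ["tower1.example:9911"],
     "active_session_candidate": True, "num_sessions": 1},
    {"pubkey": "03" + "cd" * 32, "addresses": ["tower2.example:9911"],
     "active_session_candidate": False, "num_sessions": 0},
]}
SAMPLE_CHANNELS = {"channels": [{"num_updates": 80}, {"num_updates": 60}]}


def lncli_json(*args: str) -> dict:
    """Run lncli on a real node and parse its JSON output."""
    out = subprocess.run(["lncli", *args], check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def total_updates(channels: dict) -> int:
    """Sum of commitment updates across open channels; each one should yield a backup."""
    return sum(int(c.get("num_updates", 0)) for c in channels.get("channels", []))


def check_watchtowers(stats: dict, towers: dict, channels: dict,
                      previous: Optional[dict]) -> List[str]:
    """Return human-readable problems; an empty list means the client looks healthy."""
    problems = []
    failed = int(stats.get("num_failed_backups", 0))
    pending = int(stats.get("num_pending_backups", 0))
    if failed:
        problems.append(f"{failed} backups failed: a tower rejected or dropped updates")
    if pending:
        problems.append(f"{pending} backups pending: the client cannot reach a tower")
    active = [t for t in towers.get("towers", []) if t.get("active_session_candidate")]
    if not active:
        problems.append("no tower is an active session candidate: new states are unprotected")
    elif len(active) < RECOMMENDED_ACTIVE:
        problems.append(f"only {len(active)} active tower(s); use at least {RECOMMENDED_ACTIVE}")
    if previous is not None:
        # Stagnation only matters if channels actually changed state since the last run.
        update_delta = total_updates(channels) - int(previous["updates"])
        backup_delta = int(stats.get("num_backups", 0)) - int(previous["backups"])
        if update_delta > 0 and backup_delta <= 0:
            problems.append(f"{update_delta} channel updates since last run but no new backups: "
                            "stagnation, check the tower connection")
    return problems


def snapshot(stats: dict, channels: dict) -> dict:
    """Counters persisted for the next run's comparison."""
    return {"backups": int(stats.get("num_backups", 0)), "updates": total_updates(channels)}


def main() -> None:
    stats = lncli_json("wtclient", "stats")
    towers = lncli_json("wtclient", "towers")
    channels = lncli_json("listchannels")
    previous = json.loads(SNAPSHOT.read_text()) if SNAPSHOT.exists() else None
    for problem in check_watchtowers(stats, towers, channels, previous):
        print("WARN:", problem)
    SNAPSHOT.write_text(json.dumps(snapshot(stats, channels)))


if __name__ == "__main__":
    main()
```

Run it hourly and route the WARN lines to whatever alerting you already use; a node that is making payments while num_backups stands still is exactly the silent failure the stats command exists to surface.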

Geographic Distribution

Place your watchtower on different infrastructure than your primary node. If both run on the same hardware, a single failure takes out both your node and its protection. If both are in the same house, a power outage disables both. Ideal setup: primary node at home, watchtower on a separate hosted server or at a trusted friend’s location.

Storage Considerations

Watchtower servers store one hint and one encrypted blob per backed-up state for every registered client. Each entry is small (on the order of a few hundred bytes), but entries accumulate with every channel update for as long as the channel stays open, so a busy routing node can generate a large number of them over time. A watchtower serving a few dozen ordinary nodes still needs negligible additional storage.

When Are Watchtowers Actually Needed?

The realistic threat model for watchtowers centers on these scenarios:

  • Extended node downtime: If your node goes offline for days or weeks, a malicious counterparty could broadcast an old state. Watchtowers protect during this window.
  • Hardware failure: If your node's storage fails and you lose channel state, you cannot respond to breaches yourself. A static channel backup does not help here, since it contains no revocation data; a watchtower retains the breach hints and penalty data independently.
  • Natural disasters: Fire, flood, or other events that destroy your hardware. A geographically separate watchtower continues monitoring.

In practice, breach attempts are extremely rare on the Lightning Network. The economic incentive is weighted heavily against cheating — a failed attempt results in total loss of channel funds via the penalty mechanism. However, the cost of running a watchtower is so low that the protection is worth having as insurance, particularly as your channel balances grow. Effective channel management combined with watchtower protection provides the strongest defense for your Lightning funds.

Watchtower Costs

Approach                     Setup effort   Monthly cost        Trust level
Community watchtower         5 minutes      Free                Trust the operator
Own Pi Zero W watchtower     1-2 hours      $1-2 electricity    Self-sovereign
VPS-based watchtower         30 minutes     $3-5 VPS            Trust VPS provider

For most home node operators, the combination of one self-hosted watchtower and one community watchtower provides robust protection at minimal cost. For more on overall node operation and security, see our comprehensive guide.


FAQ

Does a watchtower see my Lightning payments or channel balances?

No. During normal operation, the watchtower only stores encrypted breach hints that it cannot decrypt. The watchtower only learns channel details if an actual breach occurs and it needs to construct a penalty transaction. Your payment history, channel balances, and counterparty identities remain private under normal conditions.

What happens if my watchtower goes offline at the same time as my node?

If both your node and your watchtower are offline simultaneously, you have no protection during that window. This is why using multiple watchtowers on independent infrastructure is recommended. Geographic and infrastructure diversity ensures that a single event (power outage, ISP failure, natural disaster) cannot disable all your watchtowers at once.

Can a watchtower steal my funds?

No. The penalty transaction the watchtower broadcasts is built from signatures you created in advance, and its outputs pay the sweep address you supplied when the backup was made (plus, with a reward tower, the reward output agreed at session setup). The tower cannot construct a transaction that redirects funds to itself. The worst a malicious watchtower can do is fail to act during a breach, which is why you should use multiple independent watchtowers rather than trusting any single operator.

Do I need a watchtower if my node is always online?

A node that is reliably online 24/7 — as described in our guide on running a Lightning node at home — can detect and respond to breaches on its own. However, no system is truly “always online.” Hardware failures, software crashes, power outages, and internet disruptions happen to everyone eventually. A watchtower costs almost nothing to run and provides insurance against these inevitable events. The question is not whether your node will go offline, but when — and whether you are protected when it does.

For a broader perspective, explore our running your own Bitcoin node guide.

