wtclientrpc: prevent watchtower connections to local addresses

[anibilthare]

Change Description

Fixes 5522

Adds validation to prevent watchtower client connections to local addresses by:

• Implementing IsLocalAddress() to detect localhost/local network addresses
• Adding check in AddTower RPC to reject local tower connections
• Including unit tests for address validation

This helps prevent security issues from misconfigured watchtower setups that accidentally expose local addresses.

Steps to Test

Steps for reviewers to follow to test the change.

[coderabbitai]

Important

Review skipped

Auto reviews are limited to specific labels.

🏷️ Labels to auto review (1)

• llm-review

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai plan to trigger planning for file edits and PR creation.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[anibilthare]

@ellemouton Please review.

[ellemouton]

@anibilthare - I think the issue was more about connecting to your own watchtower on the same LND node. ie, connecting the wtclient to the watchtower server on the same LND node

[anibilthare]

Thanks for the quick response @ellemouton !!

I chose to check for all local addresses (rather than just same-node) for these reasons:

1. Security: Running multiple LND nodes on the same machine means they share the same failure domain - if the machine is compromised, all nodes including their watchtowers are compromised
2. Redundancy: The purpose of watchtowers is to provide backup/monitoring from an independent system. Having the watchtower on the same physical machine defeats this purpose since any hardware/system failure would affect both the node and its watchtower
3. Practical Implementation: Detecting "same LND node" would require comparing node identities, while checking local addresses provides a robust way to prevent all potentially problematic local configurations
4. Future-proofing: This approach also prevents users from accidentally creating other insecure local watchtower setups as they experiment with different configurations

Would you prefer we narrow the scope to only prevent same-node connections? I'm open to adjusting the approach if you think the current implementation is too broad.

[anibilthare]

@ellemouton Any feedback ?

[ellemouton]

@anibilthare - my concern is that this makes testing hard/impossible. We could just log a warning instead? Your points are all valid but i think the user should have the flexibility to run things how they want to & they themselves should be aware of the risks of certain run configurations

imo, the original issue isnt really an issue anyways... maybe others disagree.

[GustavoStingelin]

@anibilthare - my concern is that this makes testing hard/impossible. We could just log a warning instead? Your points are all valid but i think the user should have the flexibility to run things how they want to & they themselves should be aware of the risks of certain run configurations

imo, the original issue isnt really an issue anyways... maybe others disagree.

Agreed, a warning log is a good starting point.

[GustavoStingelin]

What happens if a public IP is configured to point to the same node? The local interface IP will never be the public IP, so I’m not sure this solution would work in that case. If it does, how can we test it? Also, what about onion addresses?

[mapaba79]

Hi @anibilthare, thanks for the PR! The implementation is clean and the unit tests are well-structured.

However, I agree with the previous feedback that a hard rejection for all local addresses might be too restrictive, especially for integration testing.

I suggest replacing the connection rejection with a log.Warnf. This informs the user about the redundancy risks without breaking valid local setups or stripping away their flexibility. What do you think?

[mapaba79]

Consider replacing this hard error with a log.Warnf. This prevents breaking integration tests or specific local setups while still fulfilling the goal of alerting the user about the lack of redundancy.

[lightninglabs-deploy]

@anibilthare, remember to re-request review from reviewers when ready