# Configuring Hush for secure peer-to-peer connections ## Connection settings: ### Default (Mixed TLS + regular connections): This option is on by default and enables only minimal privacy since a large portion of peer-to-peer connections will likely still be regular connections. No additional actions are required to enable this option. ### Basic Privacy and Security (Forced TLS connections + no certificate verification): This option enables basic privacy since all peer-to-peer connections are forced over TLS, however, certificates for peers are not validated. To enable this option turn on the following flag in your `hush.conf` file: 1. `tlsforce=1` ### Highest Privacy and Security (Forced TLS connections + certificate verification): This option enables the highest privacy + security by forcing TLS connections and validating peer certificates. To enable this option turn on the following two flags in your `hush.conf` file: 1. `tlsforce=1` 2. `tlsvalidate=1` ## Standing up your own "secure" node with a valid certificate: This guide requires having your own domain. You can still use all of the above connection options without setting up your own secure node, however, peers using the `tlsvalidate=1` flag will not connect to your node. ### Install a free certificate from LetsEncrypt and use it with Hush: 1. Create an A record pointing to the IP address of your node on the DNS control panel for your domain. You can set the `host` entry to anything you like such as `hnode`. This A record should then be reachable as `host.mydomain.com` (we will refer to this as your `FQDN` from now on). 2. Ensure your domain name as propagated and matches the public IP address of your node by pinging your `FQDN` * `ping FQDN` 3. Install the acme script to create a certificate: * `sudo apt install socat` * `cd ~/` * `git clone https://github.com/Neilpang/acme.sh.git` * `cd acme.sh` * `./acme.sh --install` 4. Create the certificate: * `MY_FQDN=FQDN` * Where `FQDN` is the full `host.mydomain.com` * `echo $MY_FQDN` * `~/.acme.sh/acme.sh --issue --standalone -d $MY_FQDN` * Make a note of where your certificates are: * They should be in `~/.acme.sh/FQDN` 5. Add a crontab to check the script expiration date and renew if necessary: * `sudo crontab -e` * `6 0 * * * "/home//.acme.sh"/acme.sh --cron --home "/home//.acme.sh" > /dev/null` * Where `` is your username 6. Add the intermediate authority certificate to the certificate store and install it: * `MY_FQDN=FQDN` * `sudo cp /home/$USER/.acme.sh/$MY_FQDN/ca.cer /usr/share/ca-certificates/ca.crt` * `sudo dpkg-reconfigure ca-certificates` * Use `space` to select, and `tab \ enter` to navigate. 7. Stop the `hushd` (if running) and add the certificate flags to `hush.conf` * `MY_FQDN=FQDN` * `cat <> ~/.hush/hush.conf tlscertpath=/home/$USER/.acme.sh/$MY_FQDN/$MY_FQDN.cer tlskeypath=/home/$USER/.acme.sh/$MY_FQDN/$MY_FQDN.key EOF` 8. Restart `hushd` and verify you have a valid certificate! * `hush-cli getnetworkinfo` * You should see a line reading `“tls_cert_verified”: true` License ------- For license information see the file [COPYING](COPYING).