# ThirdWeb RPC (VMID 2400) - Setup

**Last Updated:** 2026-02-05  
**Status:** Setup Guide  
**VMID:** 2400  
**IP:** 192.168.11.240  
**Domain:** `defi-oracle.io`  
**FQDN:** `rpc.public-0138.defi-oracle.io`, `rpc.defi-oracle.io`, `wss.defi-oracle.io`

---

## Recommended: Expose via NPMplus and Fastly/Direct

**Preferred path:** Expose ThirdWeb RPC (VMID 2400) through **NPMplus** (VMID 10233 at 192.168.11.167) with edge **Fastly** (Option A) or **direct to 76.53.10.36** (Option C). No cloudflared in VMID 2400 required.

- **DNS** (Cloudflare): `rpc.defi-oracle.io`, `wss.defi-oracle.io` → CNAME to Fastly or A to 76.53.10.36
- **NPMplus:** Proxy hosts for `rpc.defi-oracle.io` → `http://192.168.11.240:8545` (or :443 if Nginx in 2400), `wss.defi-oracle.io` → `http://192.168.11.240:8546`; WebSocket enabled
- See [05-network/CLOUDFLARE_ROUTING_MASTER.md](../05-network/CLOUDFLARE_ROUTING_MASTER.md) and [04-configuration/RPC_ENDPOINTS_MASTER.md](RPC_ENDPOINTS_MASTER.md)

---

## Alternative: Cloudflare Tunnel in VMID 2400 (Deprecated)

The following describes installing Cloudflared **inside VMID 2400** for a dedicated tunnel. This approach is **deprecated** in favour of NPMplus + Fastly/direct (above). Use only if edge port 76.53.10.36:80/443 is not reachable from the internet (Option B).

**Architecture (deprecated):**
```
Internet → Cloudflare → Cloudflare Tunnel (from VMID 2400) → Nginx (port 443) → Besu RPC (8545/8546)
```

---

## Prerequisites

1. **Access to Proxmox host** where VMID 2400 is running
2. **Access to VMID 2400 container** (via `pct exec 2400`)
3. **Cloudflare account** with access to `defi-oracle.io` domain
4. **Cloudflare Zero Trust access** (free tier is sufficient)

---

## Step 1: Create Cloudflare Tunnel

### 1.1 Create Tunnel in Cloudflare Dashboard

1. Go to: https://one.dash.cloudflare.com/
2. Navigate to: **Zero Trust** → **Networks** → **Tunnels**
3. Click **Create a tunnel**
4. Select **Cloudflared** as the connector type
5. Give it a name (e.g., `thirdweb-rpc-2400`)
6. Click **Save tunnel**

### 1.2 Copy the Tunnel Token

After creating the tunnel, you'll see a token. Copy it - you'll need it in the next step.

**Token format:** `eyJhIjoi...` (long base64 string)

---

## Step 2: Install Cloudflared on VMID 2400

### 2.1 Access the Container

**If you have SSH access to the Proxmox host:**

```bash
# Replace with your Proxmox host IP
PROXMOX_HOST="192.168.11.10"  # or your Proxmox host IP

# Enter the container
ssh root@${PROXMOX_HOST} "pct exec 2400 -- bash"
```

**If you have console access to the Proxmox host:**

```bash
# List containers
pct list | grep 2400

# Enter the container
pct exec 2400 -- bash
```

### 2.2 Install Cloudflared

Once inside the container, run:

```bash
# Update package list
apt update

# Install wget if not available
apt install -y wget

# Download and install cloudflared
cd /tmp
wget -q https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
dpkg -i cloudflared-linux-amd64.deb || apt install -f -y

# Verify installation
cloudflared --version
```

### 2.3 Install Tunnel Service

Replace `<TUNNEL_TOKEN>` with the token you copied from Step 1.2:

```bash
# Install tunnel service with token
cloudflared service install <TUNNEL_TOKEN>

# Enable and start service
systemctl enable cloudflared
systemctl start cloudflared

# Check status
systemctl status cloudflared
```

### 2.4 Verify Tunnel is Running

```bash
# Check service status
systemctl status cloudflared --no-pager -l

# List tunnels (should show your tunnel)
cloudflared tunnel list

# Check tunnel configuration
cat /etc/cloudflared/config.yml
```

---

## Step 3: Configure Tunnel Route in Cloudflare

### 3.1 Configure Public Hostname

1. Go back to Cloudflare Dashboard: **Zero Trust** → **Networks** → **Tunnels**
2. Click on your tunnel name (`thirdweb-rpc-2400`)
3. Click **Configure**
4. Go to **Public Hostname** tab
5. Click **Add a public hostname**

### 3.2 Add RPC Endpoint Configuration

**For HTTP RPC:**

```
Subdomain: rpc.public-0138
Domain: defi-oracle.io
Service Type: HTTP
URL: http://127.0.0.1:8545
```

**Note:** If you have Nginx configured on VMID 2400 with SSL on port 443, use:
```
URL: https://127.0.0.1:443
```
or
```
URL: http://127.0.0.1:443
```

### 3.3 Add WebSocket Support (Optional)

If you need WebSocket RPC support, you can either:

**Option A:** Use the same hostname (Cloudflare supports WebSocket on HTTP endpoints)
- The same `rpc.public-0138.defi-oracle.io` hostname will handle both HTTP and WebSocket
- Configure your Nginx to route WebSocket connections appropriately

**Option B:** Add a separate hostname for WebSocket:
```
Subdomain: rpc-ws.public-0138
Domain: defi-oracle.io
Service Type: HTTP
URL: http://127.0.0.1:8546
```

### 3.4 Save Configuration

Click **Save hostname** for each entry you add.

---

## Step 4: Configure Nginx on VMID 2400 (If Needed)

If VMID 2400 doesn't have Nginx configured yet, you'll need to set it up to handle the RPC endpoints.

### 4.1 Install Nginx

```bash
# Inside VMID 2400 container
apt install -y nginx
```

### 4.2 Configure Nginx for RPC

Create Nginx configuration:

```bash
cat > /etc/nginx/sites-available/rpc-thirdweb << 'EOF'
# HTTP to HTTPS redirect (optional)
server {
    listen 80;
    listen [::]:80;
    server_name rpc.public-0138.defi-oracle.io;
    
    # Redirect all HTTP to HTTPS
    return 301 https://$host$request_uri;
}

# HTTPS server - HTTP RPC API (port 8545)
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name rpc.public-0138.defi-oracle.io;
    
    # SSL configuration (you'll need to generate certificates)
    # For Cloudflare tunnel, you can use self-signed or Cloudflare SSL
    ssl_certificate /etc/nginx/ssl/rpc.crt;
    ssl_certificate_key /etc/nginx/ssl/rpc.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    
    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    
    # Increase timeouts for RPC calls
    proxy_connect_timeout 300s;
    proxy_send_timeout 300s;
    proxy_read_timeout 300s;
    
    # HTTP RPC endpoint (port 8545)
    location / {
        proxy_pass http://127.0.0.1:8545;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# HTTPS server - WebSocket RPC API (port 8546)
server {
    listen 8443 ssl http2;
    listen [::]:8443 ssl http2;
    server_name rpc.public-0138.defi-oracle.io;
    
    # SSL configuration
    ssl_certificate /etc/nginx/ssl/rpc.crt;
    ssl_certificate_key /etc/nginx/ssl/rpc.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    
    # WebSocket RPC endpoint (port 8546)
    location / {
        proxy_pass http://127.0.0.1:8546;
        proxy_http_version 1.1;
        
        # WebSocket headers
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        
        # Long timeouts for WebSocket connections
        proxy_read_timeout 86400;
        proxy_send_timeout 86400;
    }
}
EOF

# Enable the site
ln -sf /etc/nginx/sites-available/rpc-thirdweb /etc/nginx/sites-enabled/
rm -f /etc/nginx/sites-enabled/default

# Test configuration
nginx -t

# Reload Nginx
systemctl reload nginx
```

**Note:** If using Cloudflare tunnel, you can point the tunnel directly to `http://127.0.0.1:8545` (bypassing Nginx) since Cloudflare handles SSL termination. In that case, Nginx is optional.

---

## Step 5: Configure DNS Record

### 5.1 Create DNS Record in Cloudflare

1. Go to Cloudflare Dashboard: **DNS** → **Records**
2. Select domain: `defi-oracle.io`
3. Click **Add record**

### 5.2 Configure DNS Record

**If using Cloudflare Tunnel (Recommended):**

```
Type: CNAME
Name: rpc.public-0138
Target: <your-tunnel-id>.cfargotunnel.com
Proxy: 🟠 Proxied (orange cloud)
TTL: Auto
```

**To find your tunnel ID:**
- Go to **Zero Trust** → **Networks** → **Tunnels**
- Click on your tunnel name
- The tunnel ID is shown in the URL or tunnel details

**Alternative: Direct A Record (If using public IP with port forwarding)**

If you prefer to use a direct A record with port forwarding on the ER605 router:

```
Type: A
Name: rpc.public-0138
Target: <your-public-ip>
Proxy: 🟠 Proxied (recommended) or ❌ DNS only
TTL: Auto
```

Then configure port forwarding on ER605:
- External Port: 443
- Internal IP: 192.168.11.240
- Internal Port: 443
- Protocol: TCP

---

## Step 6: Verify Setup

### 6.1 Check Tunnel Status

```bash
# Inside VMID 2400 container
systemctl status cloudflared
cloudflared tunnel list
```

### 6.2 Test DNS Resolution

```bash
# From your local machine
dig rpc.public-0138.defi-oracle.io
nslookup rpc.public-0138.defi-oracle.io

# Should resolve to Cloudflare IPs (if proxied) or your public IP
```

### 6.3 Test RPC Endpoint

```bash
# Test HTTP RPC endpoint
curl -k https://rpc.public-0138.defi-oracle.io \
  -X POST \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

# Test WebSocket (using wscat)
wscat -c wss://rpc.public-0138.defi-oracle.io
```

---

## Troubleshooting

### Tunnel Not Connecting

```bash
# Check cloudflared logs
journalctl -u cloudflared -f

# Check tunnel status
cloudflared tunnel list

# Verify tunnel token
cat /etc/cloudflared/credentials.json
```

### DNS Not Resolving

1. Verify DNS record is created correctly in Cloudflare
2. Wait a few minutes for DNS propagation
3. Check if tunnel is healthy in Cloudflare Dashboard

### Connection Refused

```bash
# Check if Besu RPC is running
systemctl status besu-rpc

# Test Besu RPC locally
curl -X POST http://127.0.0.1:8545 \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

# Check Nginx (if using)
systemctl status nginx
nginx -t
```

### SSL Certificate Issues

If using Nginx with SSL, you may need to generate certificates. For Cloudflare tunnel, SSL is handled by Cloudflare, so you can use HTTP internally.

---

## Summary

After completing these steps:

✅ Cloudflared installed on VMID 2400  
✅ Cloudflare tunnel created and connected  
✅ Tunnel route configured for `rpc.public-0138.defi-oracle.io`  
✅ DNS record created (CNAME to tunnel)  
✅ RPC endpoint accessible at `https://rpc.public-0138.defi-oracle.io`

**Next Steps:**
- Verify the endpoint works with Thirdweb SDK
- Update Thirdweb listing with the new RPC URL
- Monitor tunnel status and logs

---

## Related Documentation

- [RPC_DNS_CONFIGURATION.md](RPC_DNS_CONFIGURATION.md) - DNS configuration overview
- [RPC_DNS_CONFIGURATION.md](RPC_DNS_CONFIGURATION.md) - RPC and DNS setup
- [cloudflare/CLOUDFLARE_TUNNEL_CONFIGURATION_GUIDE.md](cloudflare/CLOUDFLARE_TUNNEL_CONFIGURATION_GUIDE.md) - General tunnel configuration