$ man sentry
Run a RogueLayer Sentry (newbie track)
What's a sentry? A separate server that takes public P2P traffic on behalf of your validator. Your validator is hidden behind it. If attackers want to DDoS the validator, they have to hit the sentries first — and you can spin up more sentries.
You need this if: you're running a validator with real stake. You don't need this if: you're just running a full node, or your validator has trivial stake on testnet.
Time: 1–2 hours once you already have a working full node.
Chain constants
| Key | Value |
|---|---|
| Chain ID | roguelayer-1 |
| Binary | rogued |
| Native denom | urogue (micro-ROGUE) |
| Display denom | ROGUE (10^6 urogue) |
| Genesis URL | TBD — set during launch |
| Seed peers | TBD — set during launch |
| Persistent peers | TBD — set during launch |
| P2P port | 26656 |
| RPC port | 26657 |
| REST/API port | 1317 |
| gRPC port | 9090 |
| EVM JSON-RPC | 8545 |
| Min Go version | 1.22 |
| Recommended OS | Ubuntu 22.04 LTS / Debian 12 |
Note: TBD rows are intentional. They are filled in at chain launch. Doc lint tolerates TBD only in this shared file.
Prerequisites
| Resource | Minimum | Recommended |
|---|---|---|
| CPU | 4 cores | 8 cores |
| RAM | 8 GB | 16 GB |
| Disk (SSD) | 200 GB | 500 GB |
| Network | 100 Mbps symmetric | 1 Gbps |
| OS | Ubuntu 22.04 / Debian 12 | same |
| Open ports | 26656/tcp (P2P) inbound | 26656/tcp |
| Go | 1.22+ | 1.22+ |
| Tools | git, make, jq, curl | + systemd |
Open P2P (26656) at your firewall. RPC/REST/gRPC ports should NOT be exposed to the public internet on a validator — bind to localhost or to a sentry.
How it works
Imagine your validator as a vault inside a building. Sentries are the lobby. The public can talk to the lobby, but only the lobby talks to the vault. If the lobby gets attacked, the vault keeps running because the attackers can't see it.
public peers ↔ [sentry-1, sentry-2, ...] ↔ validator
You want at least two sentries, on separate hosts, ideally in different geographic regions.
Step 1 — Provision a full node
Follow the full node newbie track on each sentry host. Get them synced. Skip the RPC exposure step — sentries should NOT serve public RPC.
Step 2 — Configure each sentry
SSH into your validator host and run:
```bash
rogued tendermint show-node-id
```
Copy the output. It's a long hex string — that's the validator's node ID.
On each sentry, edit ~/.rogued/config/config.toml. Find the [p2p] section and set:
```toml
[p2p]
pex = true
addr_book_strict = false
max_num_inbound_peers = 100
max_num_outbound_peers = 40
persistent_peers = "VALIDATOR_NODE_ID@VALIDATOR_PRIVATE_IP:26656"
private_peer_ids = "VALIDATOR_NODE_ID"
unconditional_peer_ids = "VALIDATOR_NODE_ID"
```
Replace VALIDATOR_NODE_ID with the value above. Replace VALIDATOR_PRIVATE_IP with the IP your sentries use to reach the validator (NOT a public IP).
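private_peer_ids tells the sentry: "don't tell other peers about this one." That's how the validator stays hidden. unconditional_peer_ids exempts the validator from the sentry's inbound/outbound peer limits, so a crowd of public peers can't push the validator's connection out. addr_book_strict = false lets the address book accept private (non-routable) IPs, which the validator's address is.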
Restart: sudo systemctl restart rogued.
Step 3 — Lock down the validator
Back on the validator, edit ~/.rogued/config/config.toml:
```toml
[p2p]
pex = false
persistent_peers = "SENTRY_1_NODE_ID@SENTRY_1_IP:26656,SENTRY_2_NODE_ID@SENTRY_2_IP:26656"
addr_book_strict = false
```
pex = false turns off peer exchange: the validator doesn't share who it knows and doesn't go looking for new peers. It now only talks to the sentries listed in persistent_peers.
If your validator was previously listening on a public IP, change [p2p].laddr to bind to a private IP only. Block port 26656 at the public firewall.
Restart the validator: sudo systemctl restart rogued.
Step 4 — Restart and verify
On a sentry:
```bash
curl -s localhost:26657/net_info | jq '.result.peers | length'
```
Should show several peers (mostly public).
On the validator:
```bash
curl -s localhost:26657/net_info | jq -r '.result.peers[].node_info.id'
```
Should ONLY show your sentry node IDs. If anything else appears, your private network rules aren't tight enough — fix that before continuing.
Run a RogueLayer Sentry (dev track)
A sentry is a public-facing full node that protects a validator from direct P2P exposure. The validator only peers with its sentries; the sentries peer with the public network.
Architecture
public peers ↔ [sentry-1, sentry-2, ...] ↔ validator (private)
You need at least two sentries on separate hosts, ideally in different regions.
Step 1 — Provision a full node
Follow the full node dev track through Step 4 on each sentry host. Skip the optional RPC exposure step.
Step 2 — Configure each sentry
Get the validator's node ID by running on the validator host:
```bash
rogued tendermint show-node-id
```
On each sentry, edit ~/.rogued/config/config.toml:
```toml
[p2p]
pex = true
addr_book_strict = false
max_num_inbound_peers = 100
max_num_outbound_peers = 40
persistent_peers = "VALIDATOR_NODE_ID@VALIDATOR_PRIVATE_IP:26656"
private_peer_ids = "VALIDATOR_NODE_ID"
unconditional_peer_ids = "VALIDATOR_NODE_ID"
```
Step 3 — Lock down the validator
On the validator (separate host), edit ~/.rogued/config/config.toml:
```toml
[p2p]
pex = false
persistent_peers = "SENTRY_1_NODE_ID@SENTRY_1_IP:26656,SENTRY_2_NODE_ID@SENTRY_2_IP:26656"
addr_book_strict = false
```
The validator listens on a private network only — no public 26656.
Step 4 — Restart and verify
Run sudo systemctl restart rogued on both the validator and the sentries, then:
```bash
# on sentry
curl -s localhost:26657/net_info | jq '.result.peers | length' # > 1
# on validator
curl -s localhost:26657/net_info | jq -r '.result.peers[].node_info.id' # only sentry node IDs
```
If the validator shows any peer that isn't a sentry, lockdown failed — fix that before continuing.
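The Step 4 validator check can also run as an allowlist comparison suitable for a monitoring job. This is an added Python example, not part of the RogueLayer docs: it reads saved /net_info output, flags any peer that is not a listed sentry, and reports sentries that are not connected. The sample response and node IDs are constructed, and check_validator_peers is a hypothetical helper.

```python
import json

# Constructed /net_info response, trimmed to the fields used below.
SAMPLE = json.dumps({"result": {"n_peers": "2", "peers": [
    {"node_info": {"id": "b" * 40, "moniker": "sentry-1"},
     "is_outbound": True, "remote_ip": "10.0.0.11"},
    {"node_info": {"id": "d" * 40, "moniker": "unknown"},
     "is_outbound": False, "remote_ip": "198.51.100.7"},
]}})

def check_validator_peers(net_info_json, sentry_ids):
    """Compare the validator's live peers with the sentry allowlist."""
    allowed = {s.lower() for s in sentry_ids}
    peers = json.loads(net_info_json)["result"]["peers"]
    seen = {p["node_info"]["id"].lower(): p for p in peers}
    # Any peer outside the allowlist means the lockdown failed.
    unexpected = [
        {"id": pid, "remote_ip": p.get("remote_ip"),
         "inbound": not p.get("is_outbound", False)}
        for pid, p in seen.items() if pid not in allowed
    ]
    # A sentry that is not connected means reduced redundancy.
    missing = sorted(allowed - seen.keys())
    return {"ok": not unexpected and not missing,
            "unexpected": unexpected, "missing": missing}

if __name__ == "__main__":
    report = check_validator_peers(SAMPLE, ["b" * 40, "c" * 40])
    print(json.dumps(report, indent=2))
    raise SystemExit(0 if report["ok"] else 1)
```

An unexpected peer marked inbound means something reached the validator's P2P port directly, which points at the firewall or laddr binding rather than at peer exchange.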