lnproxy
lnproxy is a simple privacy tool that makes Lightning Network invoices more private. It works like a "Poor man's rendez-vous routing" - providing privacy for users without taking custody of their funds.
The Problem
Lightning Network invoices reveal the destination of payments. This creates several privacy issues:
- Public node operators reveal the identity of their node with every Lightning invoice they generate
- Custodial wallet users reveal the destination of every Lightning invoice they pay to their custodians
- Anyone paying an invoice can be linked to the recipient's node ID
What Is lnproxy?
lnproxy acts as a proxy between the sender and receiver. Instead of paying the original invoice directly, you pay a "proxy invoice" generated by an lnproxy relay. The relay then pays the original invoice on your behalf.
This means:
- The sender does not know the final recipient's node ID
- The recipient does not know the sender's node ID
- The relay never holds your funds - it only routes the payment
How It Works
Proxy invoices are HTLC invoices (specifically, hodl invoices). Here is the flow:
- You have an original invoice from someone you want to pay
- You send the invoice to an lnproxy relay (via a simple API call)
- The relay generates a proxy invoice with the same payment hash as the original
- You verify the proxy invoice - check that the payment hash matches, the description matches, and the amount is reasonable
- You pay the proxy invoice instead of the original
- The relay immediately pays the original invoice when it receives your payment, using the revealed preimage to settle the proxy invoice
The key insight: the relay cannot settle the proxy invoice without paying the original invoice first. This means you do not need to trust the relay with your funds.
Why Use lnproxy?
If you use a custodial Lightning wallet, your custodian can see the destination of every payment you make. With lnproxy, you can obfuscate the destination of your payment from your custodian.
If you operate a public Lightning Network node, every invoice you generate reveals your node ID. With lnproxy, you can generate proxy invoices that hide your node ID from payers.
Even if you do not fall into the above categories, lnproxy is a simple way to add an extra layer of privacy to your Lightning payments without any complex setup.
How to Use lnproxy
Using lnproxy is straightforward:
- Get the original invoice from the person or service you want to pay
- Send it to an lnproxy relay - this is a simple HTTP POST request
- Receive the proxy invoice back from the relay
- Verify the proxy invoice:
  - The payment hash matches the original
  - The description matches (or is what you expect)
  - The amount is the original amount plus a small relay fee
- Pay the proxy invoice using your Lightning wallet
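The verification step above can be automated before any payment is sent. The following is an added example, not code from lnproxy: the `Decoded` structure, the `check_proxy` function and the fee budget defaults are assumptions, and both invoices are expected to have been decoded locally with your own wallet or node.

```python
from typing import List, NamedTuple, Optional

class Decoded(NamedTuple):
    """Decoded BOLT11 fields (hypothetical shape). Decode both invoice
    strings yourself with your own wallet or node to fill it in."""
    payment_hash: str              # hex
    amount_msat: Optional[int]     # None when the invoice carries no amount
    description: str = ""
    description_hash: str = ""     # hex, used instead of a description

def check_proxy(original: Decoded, proxy: Decoded,
                base_fee_msat: int = 1_000, fee_ppm: int = 5_000) -> List[str]:
    """Return the reasons not to pay `proxy`; an empty list means it passed.
    The fee budget defaults are illustrative assumptions, not lnproxy values."""
    problems = []
    # Same hash: the relay can only learn the preimage by paying the original.
    if proxy.payment_hash.lower() != original.payment_hash.lower():
        problems.append("payment hash differs from the original")
    if (proxy.description, proxy.description_hash.lower()) != \
       (original.description, original.description_hash.lower()):
        problems.append("description differs from the original")
    if original.amount_msat is None or proxy.amount_msat is None:
        # Conservative policy (assumption): without both amounts the fee is unknown.
        problems.append("amount missing, relay fee cannot be bounded")
    else:
        fee = proxy.amount_msat - original.amount_msat
        budget = base_fee_msat + original.amount_msat * fee_ppm // 1_000_000
        if fee < 0:
            problems.append("proxy amount is below the original amount")
        elif fee > budget:
            problems.append(f"relay fee {fee} msat exceeds budget {budget} msat")
    return problems

# Constructed sample values, not real invoices.
ORIGINAL = Decoded("ab" * 32, 100_000_000, "coffee")
GOOD = ORIGINAL._replace(amount_msat=100_200_000)
WRONG_HASH = GOOD._replace(payment_hash="cd" * 32)
OVERPRICED = ORIGINAL._replace(amount_msat=105_000_000)

if __name__ == "__main__":
    for name, inv in [("good", GOOD), ("wrong hash", WRONG_HASH),
                      ("overpriced", OVERPRICED)]:
        print(name, check_proxy(ORIGINAL, inv) or "OK to pay")
```

Pay the proxy invoice only when the returned list is empty.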
Example API Call
curl --header "Content-Type: application/json" \
--request POST \
--data '{"invoice":"<bolt11 invoice>"}' \
<relay URL>
The relay returns a JSON response with the proxy invoice:
Trust Model
lnproxy is designed to be trustless:
- The relay never holds your funds - it only routes the payment
- The proxy invoice has the same payment hash as the original, so the relay can only settle it by paying the original invoice
- You verify everything before paying - payment hash, description, and amount
The only trust assumption is that the relay will actually pay the original invoice. But since the relay must pay the original to settle the proxy, it has no choice but to do so if it wants to receive the payment.
Limitations
- AMP invoices not supported: Relays cannot create proxy invoices for Atomic Multi-Path Payment invoices since there is no payment hash reveal mechanism
- Relay fees: The proxy invoice amount will be slightly higher than the original to cover routing costs
- Relay availability: You need to trust that the relay will be online and responsive when you need it
- Single relay: Using a single relay means the relay itself knows both parties. Using multiple relays in sequence would improve privacy but is not currently supported