Table of Contents
1. Overview & Requirements
2. Network Architecture
3. pfSense Configuration
4. Docker Host Setup
5. Docker Container Configuration
6. Starting the Nodes
7. Verification & Testing
8. Troubleshooting
1. Overview & Requirements
This guide walks you through setting up 4 Mysterium Network VPN provider nodes, each with its own unique public IP address. This configuration allows you to maximize earnings by running multiple nodes on a single server.
What You'll Need
Ubuntu 24 server with Docker installed (snap version supported)
pfSense firewall
A /29 public IP subnet (8 IPs total, 5 usable)
SSH access to your Ubuntu server
Web access to pfSense admin interface
Basic command line knowledge
Example IP Allocation
IP Address | Purpose |
210.10.10.0/29 | Network address |
210.10.10.1 | ISP Gateway |
210.10.10.2 | pfSense WAN IP |
210.10.10.3 | Mysterium Node 1 |
210.10.10.4 | Mysterium Node 2 |
210.10.10.5 | Mysterium Node 3 |
210.10.10.6 | Mysterium Node 4 |
210.10.10.7 | Broadcast address |
2. Network Architecture
The setup uses a dual-NAT approach:
Docker containers run on private bridge networks (172.30.x.0/24)
Docker host uses iptables SNAT to translate container IPs to secondary LAN IPs (192.168.1.210-213)
pfSense translates LAN IPs to public IPs (210.10.10.3-6)
Traffic Flow Diagram
Container (172.30.1.2) → Docker iptables → LAN IP (192.168.1.210) → pfSense → Public IP (210.10.10.3)
3. pfSense Configuration
Step 3.1: Create Virtual IPs
Log into pfSense web interface
Navigate to Firewall → Virtual IPs
Click 'Add' and create 4 virtual IPs:
Type | Interface | IP Address | Subnet |
IP Alias | WAN | 210.10.10.3 | /29 |
IP Alias | WAN | 210.10.10.4 | /29 |
IP Alias | WAN | 210.10.10.5 | /29 |
IP Alias | WAN | 210.10.10.6 | /29 |
Note: Replace the example IPs (210.10.10.x) with your actual public IP subnet.
Step 3.2: Create 1:1 NAT Rules
Navigate to Firewall → NAT → 1:1
Click 'Add' and create 4 mappings:
Interface | External IP | Internal IP | Description |
WAN | 210.10.10.3 | 192.168.1.210 | Myst Node 1 |
WAN | 210.10.10.4 | 192.168.1.211 | Myst Node 2 |
WAN | 210.10.10.5 | 192.168.1.212 | Myst Node 3 |
WAN | 210.10.10.6 | 192.168.1.213 | Myst Node 4 |
Step 3.3: Configure Outbound NAT
Navigate to Firewall → NAT → Outbound
Select 'Manual Outbound NAT rule generation'
Click 'Save'
Click 'Add' to create 4 new rules with these settings:
Rule 1: Node 1
Interface: WAN
Protocol: any
Source: Type = Network, Address = 192.168.1.210/32
Destination: Any
Translation Address: 210.10.10.3 (from dropdown)
Static Port: CHECKED ✓
Description: Mysterium Node 1 Outbound NAT
Rules 2-4: Repeat for Remaining Nodes
Create similar rules for Nodes 2, 3, and 4, changing only:
Node 2: Source = 192.168.1.211/32 → Translation = 210.10.10.4
Node 3: Source = 192.168.1.212/32 → Translation = 210.10.10.5
Node 4: Source = 192.168.1.213/32 → Translation = 210.10.10.6
⚠️ CRITICAL: These 4 rules MUST be positioned ABOVE any other LAN outbound NAT rules. Use the move arrows to reorder if needed.
Step 3.4: Create WAN Firewall Rule
Navigate to Firewall → Rules → WAN
Click 'Add' (arrow pointing up) to add a rule at the top
Configure the rule:
Action: Pass
Interface: WAN
Protocol: Any
Source: Any
Destination: Type = Network, Address = 210.10.10.0/30
Description: Allow Mysterium Nodes
Click 'Save' and 'Apply Changes'
4. Docker Host Setup
Step 4.1: Add Secondary IP Addresses
SSH to your Ubuntu server and edit the network configuration:
sudo nano /etc/netplan/01-netcfg.yaml
Add the secondary IP addresses to your network interface:
network:
  version: 2
  ethernets:
    ens1f0:
      addresses:
        - 192.168.1.101/24
        - 192.168.1.210/24
        - 192.168.1.211/24
        - 192.168.1.212/24
        - 192.168.1.213/24
      gateway4: 192.168.1.1
      nameservers:
        addresses: [8.8.8.8, 8.8.4.4]
Note: Replace 'ens1f0' with your actual interface name (find it with 'ip link show').
sudo netplan apply
Step 4.2: Create Docker Networks
sudo docker network create --driver bridge --subnet=172.30.1.0/24 mysterium_net_1
sudo docker network create --driver bridge --subnet=172.30.2.0/24 mysterium_net_2
sudo docker network create --driver bridge --subnet=172.30.3.0/24 mysterium_net_3
sudo docker network create --driver bridge --subnet=172.30.4.0/24 mysterium_net_4
Step 4.3: Configure iptables SNAT Rules
Add SNAT rules to translate container IPs to LAN IPs:
sudo iptables -t nat -I POSTROUTING 1 -s 172.30.1.0/24 -j SNAT --to-source 192.168.1.210
sudo iptables -t nat -I POSTROUTING 1 -s 172.30.2.0/24 -j SNAT --to-source 192.168.1.211
sudo iptables -t nat -I POSTROUTING 1 -s 172.30.3.0/24 -j SNAT --to-source 192.168.1.212
sudo iptables -t nat -I POSTROUTING 1 -s 172.30.4.0/24 -j SNAT --to-source 192.168.1.213
💡 TIP: The '-I POSTROUTING 1' inserts rules at the TOP so they're processed before Docker's automatic rules.
Step 4.4: Make iptables Rules Persistent
sudo apt-get update
sudo apt-get install -y iptables-persistent
sudo netfilter-persistent save
When prompted, select 'Yes' to save current IPv4 and IPv6 rules.
5. Docker Container Configuration
Step 5.1: Create Project Directory
mkdir -p ~/Mysterium-node/IP{1..4}
cd ~/Mysterium-node
Step 5.2: Create docker-compose.yml
nano docker-compose.yml
Copy and paste the following configuration:
services:
  mysterium-node-1:
    image: mysteriumnetwork/myst:latest
    container_name: mysterium-node-1
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    environment:
      - AGREED_TERMS_AND_CONDITIONS=true
    networks:
      mysterium_net_1:
        ipv4_address: 172.30.1.2
    volumes:
      - /home/peter/Mysterium-node/IP1:/var/lib/mysterium-node
    ports:
      - "44491:4449"
    command: daemon
  mysterium-node-2:
    image: mysteriumnetwork/myst:latest
    container_name: mysterium-node-2
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    environment:
      - AGREED_TERMS_AND_CONDITIONS=true
    networks:
      mysterium_net_2:
        ipv4_address: 172.30.2.2
    volumes:
      - /home/peter/Mysterium-node/IP2:/var/lib/mysterium-node
    ports:
      - "44492:4449"
    command: daemon
  mysterium-node-3:
    image: mysteriumnetwork/myst:latest
    container_name: mysterium-node-3
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    environment:
      - AGREED_TERMS_AND_CONDITIONS=true
    networks:
      mysterium_net_3:
        ipv4_address: 172.30.3.2
    volumes:
      - /home/peter/Mysterium-node/IP3:/var/lib/mysterium-node
    ports:
      - "44493:4449"
    command: daemon
  mysterium-node-4:
    image: mysteriumnetwork/myst:latest
    container_name: mysterium-node-4
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    environment:
      - AGREED_TERMS_AND_CONDITIONS=true
    networks:
      mysterium_net_4:
        ipv4_address: 172.30.4.2
    volumes:
      - /home/peter/Mysterium-node/IP4:/var/lib/mysterium-node
    ports:
      - "44494:4449"
    command: daemon
networks:
  mysterium_net_1:
    external: true
  mysterium_net_2:
    external: true
  mysterium_net_3:
    external: true
  mysterium_net_4:
    external: true
Save the file (Ctrl+O, Enter, Ctrl+X).
6. Starting the Nodes
Step 6.1: Start Containers
sudo docker-compose up -d
Wait 30 seconds for containers to initialize, then check status:
sudo docker ps | grep mysterium
All 4 containers should show 'Up' status.
Step 6.2: Create Node Identities
Nodes 2, 3, and 4 need identities created manually:
sudo docker exec mysterium-node-2 myst cli --agreed-terms-and-conditions identities new --passphrase=""
sudo docker exec mysterium-node-3 myst cli --agreed-terms-and-conditions identities new --passphrase=""
sudo docker exec mysterium-node-4 myst cli --agreed-terms-and-conditions identities new --passphrase=""
Each command will output an identity address (0x...). Keep these safe!
Step 6.3: Unlock Identities
Unlock the newly created identities (replace 0x... with your actual identity addresses):
sudo docker exec mysterium-node-2 myst cli --agreed-terms-and-conditions identities unlock 0xYOURIDENTITY --passphrase=""
sudo docker exec mysterium-node-3 myst cli --agreed-terms-and-conditions identities unlock 0xYOURIDENTITY --passphrase=""
sudo docker exec mysterium-node-4 myst cli --agreed-terms-and-conditions identities unlock 0xYOURIDENTITY --passphrase=""
Step 6.4: Start Provider Services
Start WireGuard service on each node (again, replace 0x... with your identities):
sudo docker exec mysterium-node-2 myst cli --agreed-terms-and-conditions service start 0xYOURIDENTITY wireguard
sudo docker exec mysterium-node-3 myst cli --agreed-terms-and-conditions service start 0xYOURIDENTITY wireguard
sudo docker exec mysterium-node-4 myst cli --agreed-terms-and-conditions service start 0xYOURIDENTITY wireguard
7. Verification & Testing
Step 7.1: Verify Public IP Detection
Check that each node detects its correct public IP:
echo "Node 1:" && sudo docker exec mysterium-node-1 wget -qO- http://ipinfo.io/ip
echo "Node 2:" && sudo docker exec mysterium-node-2 wget -qO- http://ipinfo.io/ip
echo "Node 3:" && sudo docker exec mysterium-node-3 wget -qO- http://ipinfo.io/ip
echo "Node 4:" && sudo docker exec mysterium-node-4 wget -qO- http://ipinfo.io/ip
Expected output:
Node 1: 210.10.10.3
Node 2: 210.10.10.4
Node 3: 210.10.10.5
Node 4: 210.10.10.6
✓ SUCCESS: If all 4 nodes show their unique public IPs, NAT configuration is working correctly!
Step 7.2: Check Service Status
for i in {1..4}; do
  echo "=== Node $i ==="
  sudo docker exec mysterium-node-$i myst cli --agreed-terms-and-conditions service list
done
Each node should show [Running] services (wireguard, data_transfer, scraping, etc.).
Step 7.3: Access Web UI
Open your web browser and navigate to:
Node 1: http://YOUR_SERVER_IP:44491
Node 2: http://YOUR_SERVER_IP:44492
Node 3: http://YOUR_SERVER_IP:44493
Node 4: http://YOUR_SERVER_IP:44494
Replace YOUR_SERVER_IP with 192.168.1.101 (or your actual Docker host IP).
Each node should show:
Node Status: Online (green)
Node Quality: Great
NAT: Moderate or Full Cone
Services: B2B Data Scraping and B2B VPN enabled
8. Troubleshooting
Problem: All Nodes Show Same Public IP
Cause: iptables SNAT rules are not at the top of the POSTROUTING chain.
Solution:
# Remove old rules
sudo iptables -t nat -D POSTROUTING -s 172.30.1.0/24 -j SNAT --to-source 192.168.1.210
sudo iptables -t nat -D POSTROUTING -s 172.30.2.0/24 -j SNAT --to-source 192.168.1.211
sudo iptables -t nat -D POSTROUTING -s 172.30.3.0/24 -j SNAT --to-source 192.168.1.212
sudo iptables -t nat -D POSTROUTING -s 172.30.4.0/24 -j SNAT --to-source 192.168.1.213
# Insert at TOP (position 1)
sudo iptables -t nat -I POSTROUTING 1 -s 172.30.1.0/24 -j SNAT --to-source 192.168.1.210
sudo iptables -t nat -I POSTROUTING 1 -s 172.30.2.0/24 -j SNAT --to-source 192.168.1.211
sudo iptables -t nat -I POSTROUTING 1 -s 172.30.3.0/24 -j SNAT --to-source 192.168.1.212
sudo iptables -t nat -I POSTROUTING 1 -s 172.30.4.0/24 -j SNAT --to-source 192.168.1.213
# Save
sudo netfilter-persistent save
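The ordering requirement behind the Step 4.3 tip and this troubleshooting item can be checked mechanically. The script below is an added example, not part of the original guide: it reads `iptables -t nat -S POSTROUTING` output and flags any node subnet whose SNAT rule is missing or sits below a MASQUERADE rule for the same subnet. The sample listing and its bridge names (br-aaaa000N) are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): check that each node's SNAT
# rule comes before any MASQUERADE rule for the same subnet in nat POSTROUTING.

# Container subnet -> secondary LAN IP, as configured in this guide.
EXPECTED="172.30.1.0/24=192.168.1.210 172.30.2.0/24=192.168.1.211
172.30.3.0/24=192.168.1.212 172.30.4.0/24=192.168.1.213"

# check_snat_order RULES
#   RULES: text of `iptables -t nat -S POSTROUTING` (rules in chain order).
#   Prints one status line per subnet; returns 0 only if all four are OK.
check_snat_order() {
  local rules="$1" rc=0 pair subnet lan snat masq
  for pair in $EXPECTED; do
    subnet="${pair%%=*}"; lan="${pair##*=}"
    # grep -n line number of the first match = relative position in the chain.
    snat=$(printf '%s\n' "$rules" |
      grep -nE -- "-s $subnet .*-j SNAT --to-source $lan( |\$)" |
      head -n1 | cut -d: -f1)
    masq=$(printf '%s\n' "$rules" |
      grep -nE -- "-s $subnet .*-j MASQUERADE" | head -n1 | cut -d: -f1)
    if [ -z "$snat" ]; then
      echo "MISSING  $subnet: no SNAT rule to $lan"; rc=1
    elif [ -n "$masq" ] && [ "$masq" -lt "$snat" ]; then
      echo "SHADOWED $subnet: MASQUERADE (line $masq) precedes SNAT (line $snat)"; rc=1
    else
      echo "OK       $subnet -> $lan"
    fi
  done
  return "$rc"
}

# Constructed sample listing (bridge names are made up): node 1 is shadowed
# by a MASQUERADE rule, nodes 2-3 are correct, node 4 has no SNAT rule.
SAMPLE_BROKEN='-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.30.1.0/24 ! -o br-aaaa0001 -j MASQUERADE
-A POSTROUTING -s 172.30.1.0/24 -j SNAT --to-source 192.168.1.210
-A POSTROUTING -s 172.30.2.0/24 -j SNAT --to-source 192.168.1.211
-A POSTROUTING -s 172.30.2.0/24 ! -o br-aaaa0002 -j MASQUERADE
-A POSTROUTING -s 172.30.3.0/24 -j SNAT --to-source 192.168.1.212
-A POSTROUTING -s 172.30.3.0/24 ! -o br-aaaa0003 -j MASQUERADE'

check_snat_order "$SAMPLE_BROKEN" || echo "Fix: re-insert the SNAT rules at position 1."
```

On the Docker host, check the live chain with `check_snat_order "$(sudo iptables -t nat -S POSTROUTING)"`.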
Problem: Containers Won't Start
Cause: Docker networks not created or Docker iptables chains broken.
Solution:
# Restart Docker
sudo snap restart docker
# Wait 10 seconds
sleep 10
# Create missing chains
sudo iptables -N DOCKER-FORWARD 2>/dev/null || true
# Remove old networks
sudo docker network rm mysterium_net_1 mysterium_net_2 mysterium_net_3 mysterium_net_4 2>/dev/null
# Recreate networks
sudo docker network create --driver bridge --subnet=172.30.1.0/24 mysterium_net_1
sudo docker network create --driver bridge --subnet=172.30.2.0/24 mysterium_net_2
sudo docker network create --driver bridge --subnet=172.30.3.0/24 mysterium_net_3
sudo docker network create --driver bridge --subnet=172.30.4.0/24 mysterium_net_4
# Restart containers
cd ~/Mysterium-node
sudo docker-compose down
sudo docker-compose up -d
Problem: No Services Running on Nodes 2-4
Cause: Identities not unlocked or services not started.
Solution:
Get each node's identity:
sudo docker exec mysterium-node-2 myst cli --agreed-terms-and-conditions identities list
Unlock identity:
sudo docker exec mysterium-node-2 myst cli --agreed-terms-and-conditions identities unlock 0xYOURIDENTITY --passphrase=""
Start service:
sudo docker exec mysterium-node-2 myst cli --agreed-terms-and-conditions service start 0xYOURIDENTITY wireguard
Repeat for nodes 3 and 4.
Problem: UI Shows 'Loading' Forever
Cause: Identity locked or node not fully initialized.
Solution:
Hard refresh browser (Ctrl+Shift+R)
Unlock identity (see previous problem)
Wait 2-3 minutes for full initialization
Try in incognito/private browser window
Congratulations!
You now have 4 Mysterium Network VPN provider nodes running, each with its own unique public IP address. Your nodes are:
Connected to the Mysterium Network
Accepting customer connections
Earning MYST tokens
Operating with unique public IPs
Monitoring Your Nodes
Check your node statistics and earnings at:
Enter each node's identity address (0x...) to track individual node performance and earnings.
Need Help?
Join the Mysterium community:
Discord: https://discord.gg/n3vtSwc
Telegram: https://t.me/mysterium_network
Happy Earning!
🔮 ✨ 🚀
