$ man sentry
Run a RogueLayer Sentry (newbie track)
What's a sentry? A separate server that takes public P2P traffic on behalf of your validator. Your validator is hidden behind it. If attackers want to DDoS the validator, they have to hit the sentries first — and you can spin up more sentries.
You need this if: you're running a validator with real stake. You don't need this if: you're just running a full node, or your validator has trivial stake on testnet.
Time: 1–2 hours once you already have a working full node.
Chain constants
| Key | Value |
|---|---|
| Chain ID (Cosmos) | rogue_4221-1 — use in every tx |
| EVM chain-id | 4221 (0x107d) — MetaMask only; not needed to validate |
| Binary | rogued (Cosmos SDK v0.53 / CometBFT v0.38 — use rogued comet …, not tendermint) |
| Node home | ~/.evmd |
| Native denom | arogue — atto-ROGUE, 18 decimals (1 ROGUE = 1000000000000000000 arogue) |
| Min gas price | 0.0001arogue |
| Account prefix | rogue1… / valoper roguevaloper1… (keys are eth_secp256k1, coin-type 60) |
| One-command install | bash <(curl -sL http://dl.roguelayer.one/install.sh) |
| Binary download | http://dl.roguelayer.one/rogued-linux-{amd64,arm64} — musl-static, runs on any Linux distro (sha256 at the same URL + .sha256) |
| Genesis | http://dl.roguelayer.one/genesis.json (sha256 1899469fc55dc292891e4d3d12d997524939a5bd7f1ddb1a37f4a831a8e5bf4d) |
| Seed / peer | a4a5cdc25a5809acaedc68325019855f01fa8b35@seed.roguelayer.one:26656 (put in seeds and persistent_peers) |
| Sync method | blocksync from the seed (state-sync not yet available — fine on a young chain) |
| Test ROGUE | public faucet → https://faucet.roguelayer.one (~11,000 ROGUE per address / 24h; accepts rogue1… or 0x…) |
| Ports | P2P 26656 (open inbound) · CometBFT RPC 26657 · REST 1317 · gRPC 9090 · EVM JSON-RPC 8545 (keep everything but 26656 bound to localhost on a validator) |
| OS / arch | any modern x86-64 or arm64 Linux — static binary, no glibc or Go required |
All values verified live (2026-06-18). The one-command installer wires the seed, genesis, gas price, and a hardened cosmovisor + systemd service for you; pick the right hardware from the prerequisites below.
Prerequisites
| Resource | Minimum | Recommended |
|---|---|---|
| CPU | 4 cores (x86-64 or arm64) | 8 cores |
| RAM | 16 GB | 32 GB |
| Disk | 200 GB NVMe SSD | 500 GB NVMe |
| Network | broadband; 26656/tcp outbound | + port-forward 26656 inbound |
NVMe is a hard requirement. CometBFT fsyncs every block. A spinning HDD or microSD will cause missed blocks and jail you within minutes. Do not cut corners here.
Port 26656/tcp is the only inbound port you must open. Behind home NAT you can get away with outbound-only (you dial the seed), but port-forwarding 26656 lets other peers dial you and improves connectivity. RPC (26657), REST (1317), gRPC (9090), and EVM (8545) must stay bound to localhost on a validator.
Device examples
- Raspberry Pi 4/5 (8 GB RAM), 64-bit OS — arm64; the installer pulls rogued-linux-arm64.gz automatically. Mount your data directory on a USB3 NVMe/SSD enclosure — never use the microSD as the chain data drive. Fine for a light testnet validator.
- Cloud VM — e.g. Hetzner CX42, GCP e2-standard-4, or DigitalOcean 4 vCPU · 16 GB; pick a plan labelled NVMe or SSD storage, and open port 26656 in the firewall dashboard.
- Home bare-metal / mini-PC (NUC) — any modern x86-64 machine with 16 GB+ RAM and an NVMe drive. Behind home NAT is fine; the node dials out to the seed. Port-forwarding 26656 is optional but recommended.
How it works
Imagine your validator as a vault inside a building. Sentries are the lobby. The public can talk to the lobby, but only the lobby talks to the vault. If the lobby gets attacked, the vault keeps running because the attackers can't see it.
public peers ↔ [sentry-1, sentry-2, ...] ↔ validator
You want at least two sentries, on separate hosts, ideally in different geographic regions.
Step 1 — Provision a full node
Follow the full node newbie track on each sentry host. Get them synced. Skip the RPC exposure step — sentries should NOT serve public RPC.
Step 2 — Configure each sentry
SSH into your validator host and run:
```sh
rogued comet show-node-id
```
Copy the output. It's a long hex string — that's the validator's node ID.
On each sentry, edit ~/.rogued/config/config.toml. Find the [p2p] section and set:
```toml
[p2p]
pex = true
addr_book_strict = false
max_num_inbound_peers = 100
max_num_outbound_peers = 40
persistent_peers = "VALIDATOR_NODE_ID@VALIDATOR_PRIVATE_IP:26656"
private_peer_ids = "VALIDATOR_NODE_ID"
unconditional_peer_ids = "VALIDATOR_NODE_ID"
```
Replace VALIDATOR_NODE_ID with the value above. Replace VALIDATOR_PRIVATE_IP with the IP your sentries use to reach the validator (NOT a public IP).
private_peer_ids tells the sentry: "don't tell other peers about this one." That's how the validator stays hidden.
Restart: sudo systemctl restart rogued.
Step 3 — Lock down the validator
Back on the validator, edit ~/.rogued/config/config.toml:
```toml
[p2p]
pex = false
persistent_peers = "SENTRY_1_NODE_ID@SENTRY_1_IP:26656,SENTRY_2_NODE_ID@SENTRY_2_IP:26656"
addr_book_strict = false
```
pex = false means "don't tell anyone who I am or who I know." The validator now only talks to its sentries.
If your validator was previously listening on a public IP, change [p2p].laddr to bind to a private IP only. Block port 26656 at the public firewall.
Restart the validator: sudo systemctl restart rogued.
Step 4 — Restart and verify
On a sentry:
```sh
curl -s localhost:26657/net_info | jq '.result.peers | length'
```
Should show several peers (mostly public).
On the validator:
```sh
curl -s localhost:26657/net_info | jq -r '.result.peers[].node_info.id'
```
Should ONLY show your sentry node IDs. If anything else appears, your private network rules aren't tight enough — fix that before continuing.
Run a RogueLayer Sentry (dev track)
A sentry is a public-facing full node that protects a validator from direct P2P exposure. The validator only peers with its sentries; the sentries peer with the public network.
Architecture
public peers ↔ [sentry-1, sentry-2, ...] ↔ validator (private)
You need at least two sentries on separate hosts, ideally in different regions.
Step 1 — Provision a full node
Follow the full node dev track through Step 4 on each sentry host. Skip the optional RPC exposure step.
Step 2 — Configure each sentry
Get the validator's node ID by running on the validator host:
```sh
rogued comet show-node-id
```
On each sentry, edit ~/.rogued/config/config.toml:
```toml
[p2p]
pex = true
addr_book_strict = false
max_num_inbound_peers = 100
max_num_outbound_peers = 40
persistent_peers = "VALIDATOR_NODE_ID@VALIDATOR_PRIVATE_IP:26656"
private_peer_ids = "VALIDATOR_NODE_ID"
unconditional_peer_ids = "VALIDATOR_NODE_ID"
```
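A sentry whose private_peer_ids omits the validator ID will advertise the validator's address over PEX, so it is worth linting the sentry's [p2p] table before restarting. The check below is an added example, not RogueLayer's own tooling; the function names, the minimal TOML reader and the definition of "private" (RFC 1918 or IPv6 ULA) are assumptions, and the sample node ID and address are constructed.

```python
import ipaddress
import re

# Assumption: "private" means RFC 1918 or IPv6 ULA; add VPN/CGNAT ranges if used.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def read_p2p(toml_text):
    """Minimal reader for flat `key = value` lines of the [p2p] table."""
    section, out = None, {}
    for line in map(str.strip, toml_text.splitlines()):
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip()
        elif section == "p2p" and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            out[key.strip()] = value.split(" #")[0].strip().strip('"')
    return out

def peers(value):
    """'id@host:port,...' -> [(lowercased id, host), ...]"""
    pairs = (p.strip().partition("@") for p in value.split(",") if p.strip())
    return [(i.lower(), addr.rsplit(":", 1)[0]) for i, _, addr in pairs]

def is_private(host):
    try:
        return any(ipaddress.ip_address(host) in net for net in PRIVATE_NETS)
    except ValueError:  # hostname or empty string: not provably private
        return False

def lint_sentry(p2p, validator_id):
    """Return a list of problems in a sentry's [p2p] settings (empty = clean)."""
    vid = validator_id.lower()
    problems = [] if p2p.get("pex") == "true" else ["pex must be true on a sentry"]
    for key in ("private_peer_ids", "unconditional_peer_ids"):
        if vid not in {i.strip().lower() for i in p2p.get(key, "").split(",")}:
            problems.append(f"validator ID missing from {key}")
    hosts = [h for i, h in peers(p2p.get("persistent_peers", "")) if i == vid]
    if not hosts:
        problems.append("validator ID missing from persistent_peers")
    return problems + [f"validator address {h} is not private" for h in hosts
                       if not is_private(h)]

VALIDATOR_ID = "ab" * 20  # constructed sample values below, not a real node
SAMPLE = f'''[p2p]
pex = true
persistent_peers = "{VALIDATOR_ID}@203.0.113.9:26656"
private_peer_ids = ""
unconditional_peer_ids = "{VALIDATOR_ID}"'''
```

On a sentry, pass the contents of its config.toml to read_p2p and the validator's node ID to lint_sentry; an empty list means the three validator entries are consistent.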
Step 3 — Lock down the validator
On the validator (separate host), edit ~/.rogued/config/config.toml:
```toml
[p2p]
pex = false
persistent_peers = "SENTRY_1_NODE_ID@SENTRY_1_IP:26656,SENTRY_2_NODE_ID@SENTRY_2_IP:26656"
addr_book_strict = false
```
The validator listens on a private network only — no public 26656.
Step 4 — Restart and verify
sudo systemctl restart rogued on both validator and sentries, then:
```sh
# on sentry
curl -s localhost:26657/net_info | jq '.result.peers | length' # > 1
# on validator
curl -s localhost:26657/net_info | jq -r '.result.peers[].node_info.id' # only sentry node IDs
```
If the validator shows any peer that isn't a sentry, lockdown failed — fix that before continuing.
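The Step 4 check in both tracks is a one-off eyeball test; the added example below (not part of the original page or the RogueLayer tooling) turns it into a repeatable audit that compares the validator's /net_info peers against a sentry allowlist and exits non-zero on failure. The function name, report keys and the sample response are assumptions constructed for illustration.

```python
import json
import sys
import urllib.request

def audit_validator_peers(net_info, sentry_ids):
    """Classify the peers reported by /net_info against the sentry allowlist."""
    allowed = {s.lower() for s in sentry_ids}
    seen = {p["node_info"]["id"].lower(): p for p in net_info["result"]["peers"]}
    unexpected = [
        {"id": i, "remote_ip": p.get("remote_ip"), "outbound": p.get("is_outbound")}
        for i, p in sorted(seen.items()) if i not in allowed
    ]
    return {
        "locked_down": not unexpected,   # the page's pass/fail criterion
        "unexpected": unexpected,        # any entry here means lockdown failed
        "missing_sentries": sorted(allowed - set(seen)),  # configured, not connected
    }

# Constructed sample (IDs and IPs are made up): one sentry connected,
# one sentry missing, and one stray inbound peer that is not a sentry.
SENTRIES = ["aa" * 20, "bb" * 20]
SAMPLE = {"result": {"n_peers": "2", "peers": [
    {"node_info": {"id": "aa" * 20}, "is_outbound": True, "remote_ip": "10.0.0.11"},
    {"node_info": {"id": "cc" * 20}, "is_outbound": False, "remote_ip": "198.51.100.7"},
]}}

if __name__ == "__main__":
    # Live use on the validator: pass the sentry node IDs as arguments.
    with urllib.request.urlopen("http://localhost:26657/net_info", timeout=5) as resp:
        report = audit_validator_peers(json.load(resp), sys.argv[1:])
    print(json.dumps(report, indent=2))
    sys.exit(0 if report["locked_down"] and not report["missing_sentries"] else 1)
```

An unexpected peer with "outbound": false dialed in to the validator, which points at the firewall or laddr binding rather than at persistent_peers.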