Chia Farm Remote Admin: How to Manage Your Farm Securely From Anywhere

Key Takeaways

• Never expose your Chia RPC ports or SSH directly to the internet — always route through a VPN first.
• Use SSH key-based authentication (Ed25519) and disable password logins on all farm machines.
• Run the official one-farmer, many-harvesters architecture using TLS certificates — not copied key files.
• Use chia farm summary and the Farmer RPC API over SSH for day-to-day remote CLI admin.
• Stack Prometheus + Grafana + chia-exporter (or chiadog) for always-on monitoring and push alerts.
• Understand how Chialisp’s programmable puzzle security model mirrors your farm’s access control philosophy.

The fastest way to manage a Chia farm remotely and securely comes down to three layers: a VPN to enter your network safely, SSH to control your machines, and a monitoring stack to watch your farm while you sleep. Skip any one of those three, and you’re either flying blind or leaving the door open for trouble. This guide walks you through each layer with real CLI commands and config snippets you can use today.

This article supports our deep-dive pillar on how Chialisp is transforming blockchain security. If you want to understand why Chia’s programmable security model matters at the protocol level, that’s your starting point.^[12] Here, we focus on the operational side — how to apply security thinking to your actual farm infrastructure.

Why Chia Farm Remote Admin Requires a Different Mindset

Most blockchain nodes are pretty self-contained. Chia farms are not. You might have one main machine running the full node, farmer, and wallet, and then four, eight, or twenty harvester boxes sitting in a closet or across a building. Each one needs to stay in sync, respond to signage point challenges every nine seconds or so, and report back to the main node. If a harvester drops off quietly, you could lose rewards for hours before you notice.

That’s what makes chia farm remote admin worth thinking about carefully. You’re not just managing one machine — you’re managing a small distributed system. And because that system talks over your local network using TLS certificates signed by your main node’s private Certificate Authority (CA), the security architecture is already baked in. Your job is to build the remote access and alerting layer on top of it without creating new holes in the process.

The single biggest mistake Chia miners make is exposing RPC ports or SSH directly to the internet. Chia’s JSON RPC API runs on ports like 8555 (full node), 8559 (farmer RPC), and 8560 (harvester RPC) by default. The farmer also listens on port 8447 for incoming harvester P2P connections — but that is a peer connection port, not an RPC port. None of these should face the open web. Keep them inside your LAN and you keep your control.

The One-Farmer, Many-Harvesters Architecture You Should Already Be Running

Before you can do meaningful remote admin, your farm needs to be set up correctly. Chia’s recommended architecture is one main machine running the full node, farmer, and wallet — and separate, lightweight harvester processes on every other machine. Harvesters connect to the farmer over port 8447 using TLS certificates that your main node’s CA signs. No keys live on the harvesters; they don’t connect to the Chia network directly.

If you haven’t set this up yet, here’s the condensed version. On your main machine, find the CA directory at ~/.chia/mainnet/config/ssl/ca and copy it securely (USB key or encrypted network transfer) to a temp folder on each harvester.^[1] Then run the following on each harvester — making sure to stop Chia processes first:

# Step 1: Stop all Chia daemon processes on the harvester
chia stop all -d

# Step 2: Initialize the harvester using your main node's CA
# (point to the temp folder where you copied the CA — do NOT replace the harvester's own /ca folder)
chia init -c /path/to/temp/ca

# Step 3: Open the harvester config
nano ~/.chia/mainnet/config/config.yaml

In the harvester section of that config file, point the farmer_peers host to the LAN IP of your main machine — something like 192.168.1.100 — on port 8447. The relevant section looks like this:

harvester:
  farmer_peers:
  - host: 192.168.1.100
    port: 8447

Then start the harvester with:

chia start harvester -r

Back on the main node, confirm your harvesters are connecting:^[1]

chia farm summary

You should see each harvester listed with its plot count. If logging is set to INFO or DEBUG, you’ll also see farming_info messages flowing in every nine seconds. This architecture is the foundation that makes everything else in remote admin possible.

Chia Farm Remote Admin Layer One: Secure Network Access With a VPN

Once your farm is properly architected, the first thing you need for remote admin is a way to get onto your LAN safely from the outside. The answer is a VPN — not open firewall ports. WireGuard and Tailscale are the two tools most Chia miners rely on, and they’re worth understanding before you pick one.

WireGuard: Lean, Fast, and Built Into Modern Linux Kernels

WireGuard is a modern VPN protocol built directly into the Linux kernel as of version 5.6. It’s far simpler than OpenVPN, uses state-of-the-art cryptography (ChaCha20, Poly1305, Curve25519), and adds almost no latency overhead — important when you want snappy SSH sessions from a remote location.^[4] The downside is that you need a public IP address or a VPS with one to run the WireGuard server side.

A basic server-side WireGuard config at /etc/wireguard/wg0.conf on your main Chia node (or a dedicated router/VPS) looks like this:

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <server_private_key>

# Laptop or phone (peer)
[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.0.0.2/32

Generate your keypairs with wg genkey | tee privatekey | wg pubkey > publickey. Your client config points back to your server’s public IP and port 51820. Once connected, your laptop lives on the 10.0.0.x network alongside your farmer and harvesters. No Chia port needs to touch the internet.

Tailscale: Zero-Config VPN for Miners Who Want Fast Setup

Tailscale wraps WireGuard in a coordination layer that handles key exchange and peer discovery automatically.^[10] You install it on every machine in your farm (it runs as a lightweight daemon), log in with your Tailscale account, and every device gets a stable 100.x.x.x IP that works from anywhere — even behind NAT, without port forwarding. For miners with multiple harvesters across different network segments, this is a genuinely fast way to get remote access running in under ten minutes.

Install on Ubuntu:

curl -fsSL //tailscale.com/install.sh | sh
sudo tailscale up

Once every machine is on your Tailscale network, you SSH to them by their Tailscale IP. Chia’s RPC ports stay locked to localhost or LAN; Tailscale handles the transport.

Layer Two: SSH Is Your Primary Chia Farm Remote Admin Tool

Once you’re inside your VPN, SSH is how you actually control your farmer and harvesters. Every experienced Chia miner eventually lands here — it’s fast, scriptable, lightweight, and it gives you direct access to the Chia CLI and your system services. The key is setting it up correctly so that it’s both convenient and locked down.

Setting Up Ed25519 Key-Based SSH Authentication

Password-based SSH is fine for a home server nobody can reach. Once you add a VPN and open access from your phone or laptop while traveling, you want key-based auth so there’s no password to guess. Ed25519 is the algorithm to use in 2025 — it’s faster, more secure, and produces shorter keys than the older RSA standard.^[9]

On your local machine (laptop or workstation), generate a key pair:

# Generate Ed25519 keypair — replace the comment with your machine name
ssh-keygen -a 100 -t ed25519 -f ~/.ssh/chia_farm_key -C "my-laptop-2025"

The -a 100 flag sets the number of KDF rounds, making brute-force attacks on a stolen private key file much harder. Then copy the public key to each farm machine:

# Copy public key to your main farmer node
ssh-copy-id -i ~/.ssh/chia_farm_key.pub farmer@192.168.1.100

# Repeat for each harvester
ssh-copy-id -i ~/.ssh/chia_farm_key.pub farmer@192.168.1.101

After confirming key auth works, open /etc/ssh/sshd_config on each farm machine and disable password logins:

PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no

Reload SSH with sudo systemctl reload sshd. Now even if someone finds your VPN endpoint, they can’t get into your machines without your private key file.

Everyday Chia CLI Commands Over SSH

Once you’re SSH’d into your main farmer node, the standard Chia CLI becomes your remote admin console. Here are the commands that matter most during a typical remote check-in:^[8]

# Overall farm health — plots, estimated time to win, sync status
chia farm summary

# Full node sync check and peer connections
chia show -s -c

# Wallet balance check
chia wallet show

# List all harvesters and their plot counts via Farmer RPC[2]
chia rpc farmer get_harvesters

# Check for invalid plots on a specific harvester (get node_id from get_harvesters first)
chia rpc farmer get_harvester_plots_invalid \
  '{"node_id": "0xYOUR_HARVESTER_NODE_ID", "page": 0, "page_size": 10}'

# Restart the farmer service if something looks off
sudo systemctl restart chia-farmer

On each harvester, the commands you’ll run most are log tailing and service restarts:

# Tail the live debug log on a harvester
tail -f ~/.chia/mainnet/log/debug.log | grep -E "farming_info|new_proof"

# Verify harvester is actually responding to challenges
chia plots check -n 5

Using rchia for Multi-Node Remote Management

If you manage more than a handful of machines and want to query them all from one terminal without SSH-hopping, rchia is worth knowing about as a historical reference. It was an open-source cross-platform CLI tool by developer dkackman that mirrors the standard Chia CLI but communicates via RPC over the network rather than running locally on each node.^[6] Note: the rchia repository was archived by its maintainer in July 2022 and is no longer actively maintained. It is included here for reference only — evaluate whether it meets your needs before relying on it, and check the Chia community forums for currently maintained alternatives.

“Your reward address for Chia rewards should be a separate key as well, kept in an offline machine. You can generate an address on a different computer, and put this address in the config.yaml (farmer.xch_target_address and pool.xch_target_address), so if your farming machine gets hacked, you don’t lose past rewards.” — mariano54, Chia Network contributor, via GitHub Discussion #1116

This is one of those small config details that gets overlooked until it’s too late. Your xch_target_address in config.yaml should point to a wallet on a machine that has never touched the internet — not to the wallet running on your farmer. It takes five minutes to set up and protects every reward you’ve already earned.^[5]

Layer Three: Monitoring and Alerts for Your Chia Farm Remote Admin Stack

SSH lets you check things when you decide to look. Monitoring lets you know when something needs your attention before it costs you a block win. These are very different things, and any serious Chia farm setup benefits from having both.

The most effective chia farm remote admin setups combine passive log-based alerts with active metrics dashboards — not one or the other. Here’s how to build that combination efficiently.

chiadog: Simple Log-Based Alerting That Runs Anywhere

chiadog is the quickest way to get push alerts from your Chia farm without building a full observability stack. It reads your Chia debug log in real time and fires notifications for events like missed signage points, a harvester going silent, or your node losing sync. It supports Telegram, Discord, PagerDuty, and several other notification channels out of the box.

Install it alongside your farmer, configure it with your Telegram bot token (or whichever notifier you prefer), and point it at your log file:

# In chiadog's config.yaml
chia_logs:
  log_level: INFO
  log_path: "~/.chia/mainnet/log/debug.log"

notifiers:
  telegram:
    enabled: true
    bot_token: "YOUR_BOT_TOKEN"
    chat_id: "YOUR_CHAT_ID"

Run it as a systemd service so it restarts automatically after a reboot. It’s lightweight — no database, no web UI, just quiet monitoring that messages you when things break. For farmers with one to five harvesters who don’t want to maintain a Prometheus stack, this is often the right tool.

Prometheus + Grafana + chia-exporter: Full Visibility for Larger Farms

If you have six or more harvesters, or you just want a real-time dashboard you can pull up on your phone from anywhere, the Prometheus and Grafana combination is the professional standard. There are two chia-exporter tools in active use — be sure you know which one you’re running, as they use different default ports.

The official Chia Network chia-exporter (github.com/Chia-Network/chia-exporter) exposes metrics on port 9914 by default. The older community tool by retzkek uses port 9133. Both expose farm metrics at a local HTTP endpoint that Prometheus scrapes on a regular interval. Key metrics to track in your Grafana dashboard include signage point response times, proof count per harvester, total plots per machine, disk fill percentage, node sync height, and block wins.

Here’s a Prometheus scrape config for the official Chia Network chia-exporter (default port 9914):^[3]

# prometheus.yml scrape config (official Chia Network chia-exporter, default port 9914)
scrape_configs:
  - job_name: 'chia_farmer'
    static_configs:
      - targets: ['192.168.1.100:9914']   # chia-exporter default port
        labels:
          machine: 'main_farmer'

  - job_name: 'chia_harvester_1'
    static_configs:
      - targets: ['192.168.1.101:9914']
        labels:
          machine: 'harvester_1'

Run Grafana behind your VPN — not on the open web — so only you can access the dashboard. If you want to check it from your phone, connect your phone to your Tailscale or WireGuard network first. That’s all you need. Grafana’s alerting engine can push notifications to the same channels as chiadog, so you can retire chiadog once you have Prometheus running.

Real-World Example: Machinaris as a Community Docker Wrapper

The Machinaris project, developed by community contributor guydavis, packaged the Chia farmer, harvesters, plotting tools (Bladebit, MadMax/Gigahorse), chiadog, and a web-based management UI into a Docker stack deployable across multiple LAN machines. It’s worth knowing about because it’s referenced frequently in community discussions and Unraid forums. As of mid-2025, Machinaris is still receiving updates (version 2.5.4 released May 2025), but the maintainer has publicly stated the project will likely wind down when Chia Network releases a breaking change tied to the Proof of Space 2.0 hard fork. If you prefer a GUI-based approach today, Machinaris is still viable — but factor that future transition into your planning.^[6]

How Chialisp’s Security Model Reflects Good Chia Farm Remote Admin Thinking

This might seem like an unusual section in an ops article, but there’s a genuine connection here worth understanding — especially if you’re moving from just farming to building on Chia. The Chialisp smart contract language enforces access control at the protocol level through cryptographic puzzles. Every coin on the Chia blockchain is locked behind a puzzle that must be satisfied — typically by providing a valid signature from a specific key — before it can be spent.

Your farm’s security architecture follows exactly the same principle. A harvester cannot talk to your farmer unless it presents a certificate signed by the main node’s CA.^[1] A remote SSH session cannot authenticate unless the connecting key matches an authorized public key on the server. Both systems — Chialisp puzzles and farm TLS/SSH auth — use asymmetric cryptography to prove identity before granting access. Understanding one helps you think more clearly about the other.^[11]

Here’s a simplified Chialisp puzzle that illustrates the “authorized key” concept. It only allows a coin to be spent if the spender provides a valid signature from a specific public key — analogous to how your farm only accepts connections from authorized harvesters:

; Simplified authorized-spend puzzle in Chialisp
; The coin can only be spent by the holder of AUTHORIZED_PUBKEY

(mod (AUTHORIZED_PUBKEY conditions)

  (include condition_codes.clib)

  (list
    ; Require a valid signature from the authorized key
    (list AGG_SIG_ME AUTHORIZED_PUBKEY (sha256tree conditions))
    ; Then allow whatever conditions the spender provides
    conditions
  )
)

In practice, Chialisp puzzles for real farming operations — like Chia’s pooling protocol — use more sophisticated condition sets. But the core principle is the same: you define who is allowed, you require cryptographic proof of identity, and nothing else gets through. It’s the same layered thinking that makes a VPN + SSH key + TLS cert farm setup genuinely secure rather than just obscure.

VPN Option Comparison for Chia Farm Remote Admin

You Have Full Control of Your Chia Farm — From Anywhere

Good chia farm remote admin isn’t complicated once you break it into its three layers: get in safely with a VPN, control your machines with SSH key auth, and watch everything with a monitoring stack that messages you before you even know something went wrong. The miners who lose rewards aren’t usually hacked — they just don’t find out a harvester dropped off until they manually check three days later. Set up chiadog or Grafana alerts, put your reward address on an offline key, and you’ve closed the two biggest gaps that most farms leave open. If you’re ready to go deeper on how Chia’s protocol enforces security at the smart contract level, check out our pillar page on Chialisp and next-generation smart contracts — the same cryptographic thinking that makes your farm architecture solid also powers everything Chia builds at the protocol level.

Chia Farm Remote Admin FAQs

What is the safest way to set up chia farm remote admin?

The safest chia farm remote admin setup combines a VPN (WireGuard or Tailscale) to enter your network privately, SSH with Ed25519 key-based authentication to control machines, and Chia’s official one-farmer-many-harvesters TLS architecture to keep your keys centralized on one machine. Never expose Chia RPC ports or SSH directly to the internet.

Can I manage my Chia farm remotely without opening ports on my router?

Yes — Tailscale is the easiest way to do this. It builds a WireGuard-based mesh network between your devices without requiring port forwarding or a public IP address, because its coordination layer handles peer discovery automatically. Once your farm machines and your laptop or phone are on the same Tailscale network, you can SSH to any of them from anywhere.

How do I check if my harvesters are working during chia farm remote admin?

SSH into your main farmer node and run chia farm summary to see all connected harvesters and their plot counts. For a deeper check, run chia rpc farmer get_harvesters to get a full JSON report of every harvester, or tail your debug log with tail -f ~/.chia/mainnet/log/debug.log | grep farming_info to watch signage point responses in real time.

What is the best monitoring tool for chia farm remote admin alerts?

chiadog is the best starting point for most farms — it reads your Chia debug log and pushes alerts to Telegram or Discord when signage points are missed or a harvester goes silent, with minimal setup. For larger farms that already run Prometheus and Grafana, the official Chia Network chia-exporter tool provides detailed metrics dashboards that give you a visual overview of your entire farm’s health.

What chia farm remote admin CLI commands should I run every time I check my farm?

A standard remote check-in covers four commands on your farmer node: chia farm summary for overall status, chia show -s to confirm your node is synced, chia wallet show to check your balance, and chia rpc farmer get_harvesters to confirm all harvesters are online and reporting expected plot counts.

Chia Farm Remote Admin Citations

1. Chia Network. “Farming on Many Machines.” Chia Documentation. https://docs.chia.net/reference-client/farming/farming-many-machines/
2. Chia Network. “Farmer RPC Reference.” Chia Documentation. https://docs.chia.net/reference-client/rpc-reference/farmer-rpc/
3. Chia Network. “RPC Overview.” Chia Documentation. https://docs.chia.net/reference-client/rpc-reference/rpc/
4. Chia Network. “Securing Your Chia — How to Be a Hard Target.” Chia.net Blog. https://www.chia.net/2021/05/28/securing-your-chia-how-to-be-a-hard-target/
5. mariano54. “Security Best Practices Discussion #1116.” Chia Network GitHub. https://github.com/Chia-Network/chia-blockchain/discussions/1116
6. guydavis. “Machinaris — Easy-to-use WebUI for Chia Plotting and Farming.” GitHub. https://github.com/guydavis/machinaris
7. Chia Network. “The Future of Farming is Green and Secure.” Chia.net Blog, May 2025. https://www.chia.net/2025/05/19/the-future-of-farming-is-green-and-secure/
8. Chia Network. “CLI Reference.” Chia Documentation. https://docs.chia.net/reference-client/cli-reference/cli/
9. Zaske, Matt. “Setting Up SSH Key Authentication: 2024 Edition.” MattZaskeOnline.info. https://mattzaskeonline.info/blog/2024-06/setting-ssh-key-authentication-2024-edition
10. Tailscale Inc. “Tailscale — Zero-config VPN.” Tailscale.com. https://tailscale.com/
11. Chialisp.com. “Chialisp Language Reference.” Chialisp.com. https://chialisp.com/
12. ChiaTribe. “Chialisp: Transforming Blockchain, Unlocking Next-Gen Smart Contracts.” ChiaTribe.com. https://chiatribe.com/chialisp-transforming-blockchain-unlocking-next-gen-smart-contracts/