Add Iroh P2P transport for private Electrum server connectivity #2021

Open
rueckwaerts wants to merge 3 commits into sparrowwallet:master from rueckwaerts:master

Conversation

@rueckwaerts

Summary

Adds support for connecting to a private Electrum server (electrs/Fulcrum)
via Iroh QUIC P2P transport, without requiring TCP port forwarding, Tor, or VPN.

The user only needs to enter the server's Iroh Node ID (64-char hex string).
Sparrow spawns iroh-electrum-bridge as a subprocess and connects through it.

Motivation

Users running their own Bitcoin node at home (Start9, Umbrel, RaspiBlitz etc.)
currently need to either:

  • Open ports on their router (security risk)
  • Run Tor (slow, complex)
  • Set up a VPN (complex)

With Iroh P2P, the connection works automatically from anywhere, with no
configuration beyond installing the bridge binary.

Changes

  • ServerType.IROH_SERVER — new server type
  • Protocol.IROH — new protocol (iroh:// prefix, :i suffix)
  • IrohTransport — extends TcpTransport, spawns bridge subprocess
  • Config — recentIrohServers list
  • server.fxml — new "Iroh..." toggle button and "Iroh P2P Server" form
  • ServerSettingsController — full Iroh UI handling

Requirements

The iroh-electrum-bridge binary must be on PATH or next to the Sparrow jar.
Source: https://github.com/rueckwaerts/iroh-electrum-bridge

The server must run electrs with Iroh support:
https://github.com/rueckwaerts/electrs (branch: iroh-test)

Testing

Tested: Sparrow → Iroh relay → electrs on Start9, from outside home network.
Connected to electrs/0.11.1 on protocol version 1.4 ✓
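
The description above has Sparrow take a 64-character hex Node ID from the user and spawn iroh-electrum-bridge found on PATH or next to the jar. The following is an added example, not code from this pull request, of the checks a reviewer would expect around that launch: strict Node ID validation, resolving the binary to an absolute path, and passing the ID as an argument vector. The class name, the positional Node ID argument and the extension-less binary name are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class IrohBridgeLaunchCheck {
    // From the PR description: the Node ID is a 64-character hex string.
    private static final Pattern NODE_ID = Pattern.compile("[0-9a-fA-F]{64}");
    private static final String BRIDGE = "iroh-electrum-bridge";

    static String requireNodeId(String input) {
        String id = input == null ? "" : input.trim();
        if (!NODE_ID.matcher(id).matches()) {
            throw new IllegalArgumentException("Node ID must be exactly 64 hex characters");
        }
        return id;
    }

    // Look next to the jar first, then in absolute PATH entries only.
    static Path resolveBridge(Path jarDir, String pathEnv) throws IOException {
        List<Path> dirs = new ArrayList<>(List.of(jarDir));
        for (String entry : pathEnv.split(Pattern.quote(File.pathSeparator))) {
            // Empty or relative entries resolve against the working directory; skip them.
            if (!entry.isEmpty() && Path.of(entry).isAbsolute()) {
                dirs.add(Path.of(entry));
            }
        }
        for (Path dir : dirs) {
            Path candidate = dir.resolve(BRIDGE);
            if (Files.isRegularFile(candidate) && Files.isExecutable(candidate)) {
                return candidate.toRealPath(); // pin the exact file that will be run
            }
        }
        throw new IOException(BRIDGE + " not found next to the jar or on PATH");
    }

    public static void main(String[] args) throws IOException {
        Path jarDir = Files.createTempDirectory("sparrow-demo"); // constructed stand-in for the jar directory
        Files.createFile(jarDir.resolve(BRIDGE)).toFile().setExecutable(true);
        String nodeId = requireNodeId("ab".repeat(32)); // constructed sample Node ID
        Path bridge = resolveBridge(jarDir, String.join(File.pathSeparator, ".", "relative/bin"));
        // Argument vector, never a shell string. The positional Node ID argument is an assumption.
        ProcessBuilder pb = new ProcessBuilder(bridge.toString(), nodeId);
        System.out.println(pb.command());
    }
}
```

The demo builds the command without starting it; the relative PATH entries in the sample are skipped, so only the file in the constructed jar directory is accepted.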

@nzb-tuxxx

nzb-tuxxx commented Jun 13, 2026

Why would someone want this, involving a 3rd party commercial VPN-Provider who can punch holes in firewalls, read metadata and throttle bandwidth? We already have well tested and working solutions you mentioned (own VPN, Tor, ..). I cannot see how your proposed solution has less complexity than the existing ones.

@rueckwaerts

Author

Thanks for the feedback — I think there's a misunderstanding worth clarifying.

Iroh is not a third-party commercial VPN provider. It's an open-source Rust library (MIT/Apache licensed) by Number Zero. The relay servers are only used for the initial connection handshake (NAT traversal) — once the connection is established, traffic flows directly peer-to-peer, encrypted end-to-end with QUIC/TLS. The relay never sees any payload.

For comparison:

  • Tor: your Bitcoin traffic routes through third-party relays for the entire session
  • Tailscale: uses commercial DERP relay servers, or requires a VPS
  • Wireguard/own VPN: requires a port-forwarded VPS or open router port
  • Iroh: relay only for handshake, then direct P2P — and you can self-host the relay if you prefer zero third-party involvement

Fedimint, iroh-blobs, and other privacy-sensitive projects have adopted Iroh for exactly this reason.

The complexity argument cuts the other way too: the user only enters a 64-char Node ID once. No router config, no Tor browser, no VPS, no VPN client to install.
