Can I make a private IPFS network (of public/external IPs)? Would this require my own gateway as well?

[Beginner]

I was able to make a private network of nodes by making a network of internal IPs (192.168.x.x). I removed all bootstrap nodes, then:
export LIBP2P_FORCE_PNET=1
IPFS_PATH=~/.ipfs ipfs bootstrap add /ip4/192.168.x.x/tcp/4001/ipfs/peerid

I tried once using public/external IPs; when I do ipfs swarm peers, nothing is returned.
Do I need to do something else in the case of public/external IPs?

(My own private IPFS, on public/external IPs, and my own gateway.)

Assuming IPFS allows such a setup, I need some directions on how to achieve this.


Fundamentally the issue you’re trying to address is how can your nodes find each other.

The reason that your nodes can find each other on your local network is that there is a protocol (mDNS) that allows you to broadcast to everyone in your local network a message like “I’m a libp2p node, do you want to talk to me?” However, with public IPs there is no such global broadcast that would enable you to find other nodes.

The solution is to use your own form of network discovery, the easiest of which would be to set up your own “bootstrap” nodes. By just adding the addresses of a few of the nodes that you expect to be consistently available, your nodes will discover each other (https://docs.ipfs.io/guides/examples/bootstrap/).

Additionally, if you really want your network to be private then you should also create a swarm key. This swarm key protects all of the traffic in your network and also prevents nodes external to your network from joining.

Overall, there’s a pretty good looking tutorial on simply setting up a private network at https://medium.com/@s_van_laar/deploy-a-private-ipfs-network-on-ubuntu-in-5-steps-5aad95f7261b.

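The two steps in the reply above (your own bootstrap list plus a swarm key) as a small helper script. This is an added example, not code from the thread or from the IPFS project. It assumes the go-ipfs swarm.key file format (a header line, a /base16/ encoding line and 64 hex characters for a 256-bit key), the ipfs bootstrap CLI, and the LIBP2P_FORCE_PNET environment variable from the first post; the 203.0.113.10 address is a placeholder, not a real node.

```python
"""Helper around the go-ipfs CLI for bringing a node into a private swarm.

Added example, not code from the thread or the IPFS project. Assumes the
go-ipfs swarm.key format (/key/swarm/psk/1.0.0/, /base16/, 64 hex chars)
and the `ipfs bootstrap` CLI; the bootstrap address used below is a
placeholder (TEST-NET range), not a real node.
"""
import os
import re
import secrets

PSK_HEADER = "/key/swarm/psk/1.0.0/"
PSK_ENCODING = "/base16/"
PSK_BYTES = 32  # 256-bit pre-shared key

# /ip4/<addr>/tcp/<port>/ipfs/<peerid> is the form used in this thread;
# newer go-ipfs prints /p2p/ instead of /ipfs/, so both are accepted.
BOOTSTRAP_RE = re.compile(
    r"^/ip4/(\d{1,3}(?:\.\d{1,3}){3})/tcp/(\d{1,5})"
    r"/(?:ipfs|p2p)/(Qm[1-9A-HJ-NP-Za-km-z]{44})$"
)


def generate_swarm_key() -> str:
    """Return the text of a fresh swarm.key drawn from the OS CSPRNG."""
    return f"{PSK_HEADER}\n{PSK_ENCODING}\n{secrets.token_hex(PSK_BYTES)}\n"


def parse_swarm_key(text: str) -> bytes:
    """Validate swarm.key text and return the 32 raw key bytes.

    A wrong header, wrong encoding line or wrong key length is rejected here;
    on a real node these show up only as 'same key on both machines but no
    swarm peers', which is hard to debug after the fact.
    """
    lines = text.strip().splitlines()
    if len(lines) != 3:
        raise ValueError("swarm.key must have exactly 3 lines")
    header, enc, hexkey = (line.strip() for line in lines)
    if header != PSK_HEADER:
        raise ValueError(f"bad header {header!r}")
    if enc != PSK_ENCODING:
        raise ValueError(f"unsupported encoding {enc!r}")
    key = bytes.fromhex(hexkey)  # ValueError on non-hex input
    if len(key) != PSK_BYTES:
        raise ValueError(f"key is {len(key)} bytes, expected {PSK_BYTES}")
    return key


def write_swarm_key(ipfs_path: str, text: str) -> str:
    """Write swarm.key into the IPFS repo with owner-only permissions."""
    parse_swarm_key(text)  # never write a malformed key
    path = os.path.join(ipfs_path, "swarm.key")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    return path


def private_net_commands(bootstrap_addrs):
    """Return the ipfs CLI commands that isolate a node to the private swarm.

    Each bootstrap multiaddr is checked against BOOTSTRAP_RE first so a typo
    fails here instead of as a silent 'no peers' later.
    """
    for addr in bootstrap_addrs:
        if not BOOTSTRAP_RE.match(addr):
            raise ValueError(f"not a bootstrap multiaddr: {addr}")
    cmds = ["ipfs bootstrap rm --all"]  # drop the public mainnet bootstrappers
    cmds += [f"ipfs bootstrap add {addr}" for addr in bootstrap_addrs]
    # With LIBP2P_FORCE_PNET=1 the daemon refuses to start without a
    # swarm.key, so a missing key fails loudly instead of joining the mainnet.
    cmds.append("LIBP2P_FORCE_PNET=1 ipfs daemon")
    return cmds


if __name__ == "__main__":
    import tempfile

    repo = tempfile.mkdtemp()  # stands in for $IPFS_PATH
    print("wrote", write_swarm_key(repo, generate_swarm_key()))
    # placeholder bootstrap node; copy the same swarm.key to every member
    for cmd in private_net_commands([
        "/ip4/203.0.113.10/tcp/4001/ipfs/QmdWGvbcd1MqCVbhLsfeafHQtAv9hs7bPjkjB4Ynnj556A",
    ]):
        print(cmd)
```

Copy the same swarm.key file into the IPFS repo of every node before starting the daemons; the key is the only thing that keeps outsiders from joining, so treat it like a password rather than shipping it in a public download.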

Hi Adin, thanks for replying.
I removed all bootstrap nodes and then used the bootstrap add command to add the node on which I am running IPFS.
I am also using the same swarm key on both machines,
but I am still unable to see swarm peers.

Is there any more information you can give about your connection/setup?

Can you manually connect nodes to each other using the ipfs swarm connect (https://docs.ipfs.io/reference/api/cli/#ipfs-swarm-connect) command? If that doesn’t work it might indicate that your nodes are not really publicly visible to each other.

Adin,

Adding peers to the bootstrap list makes it a personal IPFS network, with a swarm key to keep people from entering the network, but will this make it a private network, or is it still going to share files with the mainnet?
Will it be completely private? How is the data managed in this case, is it replicated? Can I use an IPFS gateway in this case?

And if I make an IPFS cluster, will it be completely private? How is the data handled in this case, is it replicated? Can nodes outside this cluster access the files? Can I use an IPFS gateway if I use this?

Coming to your previous reply,
what does publicly visible mean? Do they need to be publicly visible in order to make a private IPFS network?
Here's my setup:
I have two nodes, one on my PC and one on AWS.

It turns out manually connecting works,
and when I run this command (from AWS) I get a result: nc my.pc.ip 4001
but when I run this command (from my PC) it doesn't return anything: nc aws.ip 4001

What can be the reason for this?
Also, manually adding works.

It will not share files with the mainnet because your swarm key basically says “my libp2p node will only talk to other nodes that share a swarm key with me”. All the rest of the IPFS behaviors (replication, IPFS gateway, etc.) will all work within the context of your private network.

For example, if one of your network nodes pins data and the other requests it, you’ll be able to find it. Similarly, you could use a local or other IPFS gateway that’s connected to your private network to find data. However, a public gateway (like gateway.ipfs.io) will not be able to get at your content. Of course, if you make your gateway publicly accessible then people will be able to download data from your private network via the gateway that you created.

IPFS-Cluster (https://cluster.ipfs.io/) is a layer on top of IPFS that helps you manage your pinned IPFS data. As such all data will stay inside your private swarm unless you opt into publicly exposing it (e.g. via a publicly facing gateway).

what does publically visible mean ? do they need to be publically visible in order to make a private ipfs network?

In order to have a network the nodes need to be able to find each other. If they’re both on your LAN mDNS will help the nodes find each other. If one’s in your house and the other is in AWS then you need to tell them about each other.

Based on the information you’ve provided my guess is that you don’t have your AWS VM’s port 4001 actually exposed to the internet, while you do have the port exposed on your pc (therefore AWS can find your pc, but your pc can’t find your AWS VM).

You might also be interested in this video by Microsoft on using IPFS in Azure, they describe some of the high level points of private swarms (https://www.youtube.com/watch?v=kaueUSiDrc0).

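The nc check from the post above, as a small probe you run from each machine against the other. This is an added example, not code from the thread or from the IPFS project. It assumes the default swarm port 4001 from the thread and classifies the failure the way a practitioner wants it split: a connection refused (RST) means the host is reachable but nothing listens on that port, while a silent timeout points at a firewall, a missing NAT forward, or a cloud security group that drops the packet, which is the pattern described for the AWS VM above.

```python
"""Probe a peer's swarm port and classify the result.

Added example, not from the thread or the IPFS project. Reproduces the
`nc <ip> 4001` check from the thread but distinguishes 'refused' from
'filtered', because the two have different fixes.
"""
import re
import socket

SWARM_RE = re.compile(r"^/ip4/([\d.]+)/tcp/(\d+)(?:/(?:ipfs|p2p)/\S+)?$")


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'refused', 'filtered' or 'unreachable'.

    refused:     host answered with RST; nothing listens there (daemon down,
                 or Addresses.Swarm bound to 127.0.0.1 only).
    filtered:    no answer before the timeout; firewall, security group or
                 NAT without a port forward is silently dropping the SYN.
    unreachable: routing-level error (no route, network down).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "unreachable"


def parse_swarm_addr(multiaddr: str):
    """Extract (ip, port) from /ip4/<ip>/tcp/<port>[/ipfs/<peerid>]."""
    m = SWARM_RE.match(multiaddr.strip())
    if not m:
        raise ValueError(f"not an ip4/tcp multiaddr: {multiaddr}")
    return m.group(1), int(m.group(2))


def probe_peers(multiaddrs, timeout: float = 3.0) -> dict:
    """Probe every address in a bootstrap list; returns {multiaddr: state}."""
    results = {}
    for addr in multiaddrs:
        host, port = parse_swarm_addr(addr)
        results[addr] = probe_tcp(host, port, timeout)
    return results


ADVICE = {
    "open": "TCP reachable; if swarm peers is still empty, compare swarm.key files",
    "refused": "host up but port closed: check `ipfs daemon` is running and Addresses.Swarm",
    "filtered": "SYN dropped: open tcp/4001 inbound in the firewall / security group / NAT",
    "unreachable": "no route to host: check the IP and network path first",
}


if __name__ == "__main__":
    # placeholder bootstrap list; replace with your own nodes
    for addr, state in probe_peers(["/ip4/203.0.113.10/tcp/4001"], timeout=2).items():
        print(f"{addr}: {state} -> {ADVICE[state]}")
```

Run it in both directions (from the PC against the AWS IP and from AWS against the PC) because reachability is per-direction: an inbound rule on one side says nothing about the other.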

Wow, that was a great reply, thanks for explaining in such detail.
I have two more questions for now:
My private network will have a common swarm key. Do I need to protect this key and the bootstrap peer ID from everyone,
considering I am making a desktop application which everyone can download?

(1) In short, do I need to make my network secure? If yes, then how?

And regarding IPFS Desktop:
I installed IPFS Desktop and it's working fine with my private network;
it detects the IPFS daemon and everything else works fine after that.
I can upload files, see peers, connected on my private network.
But,

(2) IPFS Desktop won't work when I am using IPFS Cluster, right?
Is there a similar app for Cluster as well? Can I make it work with some minor
changes?


Thanks :slight_smile:

Great question. One way to think about this is that the word “secure” is meaningless, or better yet is a prefix. For example you could build a network that is “secure from your ISP reading your data”, one that is “secure from non-malicious, but non-careful, users leaking private data to a public network”, etc. The from is the important part that needs definition.

So the first question to ask is what type of security are you looking for and why? If you publish an application that anyone can download and has access to data on your “private” network it’s not really private as much as it is forked.

There might be reasons you want a forked network (e.g. greater control, some performance improvements that occur in smaller networks, etc.), and in fact OpenBazaar (https://openbazaar.org/) does this. However, for increased performance, instead of having a “private” network that’s really public they just fork the IPFS network by having protocol names like “obdht” instead of “dht”, so that only nodes that want to talk to OpenBazaar’s DHT will participate. On the other hand, if your application users are going to individually set up their own networks that are isolated from the rest of the network, then individual swarm keys per user group could be helpful.

As for cluster + ipfs-desktop. I’m less familiar with their internal workings, but my understanding is that while ipfs-desktop will help in managing a single node it will not give useful metrics on the cluster as a whole. I also don’t think there’s currently an equivalent app for cluster, but it seems reasonable that a similar app should exist. I’m sure many people would appreciate it if you were interested in taking a stab at it :smile:.

Perhaps starting with an issue on IPFS Desktop (https://github.com/ipfs-shipyard/ipfs-desktop) and/or some conversations on the #ipfs or #ipfs-cluster IRCs will help you with your next steps there.


I had heard about OpenBazaar implementing IPFS but didn't know they were using it in this way. Thanks again for answering all the questions in such detail.
I'll definitely post this in these IRCs.
I started this discussion with the [beginner] tag :slight_smile:
but I can make the first commit if they think it's reasonable to do so :laughing:

Sounds great. Happy to help.

Maybe this thread can be of interest: [COMMUNITY DISCUSSION] IpfsCloud v2.0 Draft

Especially the part about Egress and its GUI tool, Horizon.


Regarding Egress and Horizon, do we have to manually add the peers to the network? People would have thought of automatically connecting to the private cluster;
why isn't this feature in it? Are there some complications to that?

Same question if I don't use Cluster:
I have a private network running now,
and I had to manually bootstrap add the peers to the network. Is automatic addition possible,
or would I have to write some script in order to do so?

Adin, can I know all the nodes on my private network automatically (using public/external IPs),
just like we get connected to peers automatically in IPFS Desktop?
I automatically get connected to peers, right?
Why can't I do the same for a private network? Or can I?

You should be able to automatically discover the nodes on your private network assuming that you have bootstrapped the nodes such that they are connected to each other. For example, you have 100 nodes that all bootstrap to 1 node now everyone is connected. Similarly you could have 100 nodes bootstrapped to two separate nodes and as long as those two nodes are connected your whole network will be connected.

I don’t know much about Egress/Horizon; you’re probably better off asking the creators of that software. However, the thing to note is that nothing is “magic”: libp2p has a DHT-based discovery protocol that allows for “automatic” discovery of nodes on your network. It requires the nodes to be connected, even if indirectly, to each other in order for the discovery to work.

Thanks Adin, I implemented your suggestion.
Here's what's happening:

I have two IPFS peers running on AWS which will be acting as my default bootstrap list of peers. (I have given both instances all-traffic access.)
IPs: 35.x.x.x, 18.x.x.x

Now, I have two peers who want to connect to the network. Both of these peers have the same bootstrap list.
IPs: 202.x.x.x, 13.x.x.x

I first connected those two AWS instances by doing bootstrap add on each instance for itself and for the other instance.
Then, from the 202.x.x.x peer,
I added peer 35.x.x.x; the other peer 18.x.x.x got automatically connected in the swarm,
so both 35.x.x.x and 18.x.x.x are in the swarm list (as shown below).

Then from 13.x.x.x
I added peer 35.x.x.x; the other peer 18.x.x.x got automatically connected in the swarm,
so both 35.x.x.x and 18.x.x.x are in the swarm list (as shown below).

I am unable to see 202.x.x.x in the swarm list?

On the AWS instances,
the swarm peers got updated automatically, i.e. on both instances all three were in the list.
Here's the swarm list of all four:

for 35.x.x.x:
ipfs swarm peers:
/ip4/13.57.42.38/tcp/4001/ipfs/QmdWGvbcd1MqCVbhLsfeafHQtAv9hs7bPjkjB4Ynnj556A
/ip4/18.144.10.0/tcp/4001/ipfs/QmX69CqLJUx1DeGCz9dtq3rJD2VW3ExEtA3vx492Ztdu1U
/ip4/202.131.123.110/tcp/4001/ipfs/QmfQuUjG38bEakdf6Q1rxeX2tqis1DQFZfym9DYPFeLaoH

for 18.x.x.x:
ipfs swarm peers:
/ip4/13.57.42.38/tcp/4001/ipfs/QmdWGvbcd1MqCVbhLsfeafHQtAv9hs7bPjkjB4Ynnj556A
/ip4/202.131.123.110/tcp/4001/ipfs/QmfQuUjG38bEakdf6Q1rxeX2tqis1DQFZfym9DYPFeLaoH
/ip4/35.154.130.223/tcp/4001/ipfs/QmPhRnBxiaKzZbWneR7kQQW1TkfcLdiy3TAg1L6y9BSN32

for 202.x.x.x:
ipfs swarm peers:
/ip4/18.144.10.0/tcp/4001/ipfs/QmX69CqLJUx1DeGCz9dtq3rJD2VW3ExEtA3vx492Ztdu1U
/ip4/35.154.130.223/tcp/4001/ipfs/QmPhRnBxiaKzZbWneR7kQQW1TkfcLdiy3TAg1L6y9BSN32

for 13.x.x.x:
ipfs swarm peers:
/ip4/18.144.10.0/tcp/4001/ipfs/QmX69CqLJUx1DeGCz9dtq3rJD2VW3ExEtA3vx492Ztdu1U
/ip4/35.154.130.223/tcp/4001/ipfs/QmPhRnBxiaKzZbWneR7kQQW1TkfcLdiy3TAg1L6y9BSN32

Also, I have done port forwarding on 202.x.x.x; port 4001 is unblocked in this network.
Is there anything else I need to add in the firewall?
And I have allowed all traffic on 13.x.x.x.

Not sure whether you’ve made any progress here, but it makes sense that 13 and 202 don’t see each other. Let’s take this to the extreme and say you have 10000 laptop peers connecting through the same two bootstrap nodes. You wouldn’t want each of your laptop peers to have to open 10000 connections.

However, you can now utilize protocols for finding the nodes on the network that interest you. For example, because IPFS uses a DHT, you could try to walk through the DHT to discover whatever nodes you can. I don’t have any links on hand right now, but I recall the existence of a number of network scrapers that try to gather data about the network that you could use. Additionally, you could always make a custom protocol on top of libp2p to help you gather this information. It all depends on why you actually want each node to know about every other node on the network.

Edit: There’s a useful DHT crawler here https://github.com/raulk/dht-hawk
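The point made in the two replies above (nodes only need to be connected indirectly through the bootstrap nodes, so two leaf peers behind the same bootstrappers will not list each other) can be checked mechanically from the ipfs swarm peers output already posted. This is an added example, not code from the thread or from the IPFS project. The sample input is the four listings from the post above, constructed here as a dict keyed by each node's own public IP; with real data you would paste the output of ipfs swarm peers from each node.

```python
"""Build the connectivity graph of a private swarm from `ipfs swarm peers`.

Added example, not from the thread or the IPFS project. The sample listings
below are the four posted in the thread, keyed by each node's own IP.
"""
import re
from collections import deque

PEER_RE = re.compile(r"^/ip4/([\d.]+)/tcp/\d+/(?:ipfs|p2p)/(\S+)$")

# constructed from the thread: {own IP: output of `ipfs swarm peers` on it}
SWARM_PEERS = {
    "35.154.130.223": """
/ip4/13.57.42.38/tcp/4001/ipfs/QmdWGvbcd1MqCVbhLsfeafHQtAv9hs7bPjkjB4Ynnj556A
/ip4/18.144.10.0/tcp/4001/ipfs/QmX69CqLJUx1DeGCz9dtq3rJD2VW3ExEtA3vx492Ztdu1U
/ip4/202.131.123.110/tcp/4001/ipfs/QmfQuUjG38bEakdf6Q1rxeX2tqis1DQFZfym9DYPFeLaoH
""",
    "18.144.10.0": """
/ip4/13.57.42.38/tcp/4001/ipfs/QmdWGvbcd1MqCVbhLsfeafHQtAv9hs7bPjkjB4Ynnj556A
/ip4/202.131.123.110/tcp/4001/ipfs/QmfQuUjG38bEakdf6Q1rxeX2tqis1DQFZfym9DYPFeLaoH
/ip4/35.154.130.223/tcp/4001/ipfs/QmPhRnBxiaKzZbWneR7kQQW1TkfcLdiy3TAg1L6y9BSN32
""",
    "202.131.123.110": """
/ip4/18.144.10.0/tcp/4001/ipfs/QmX69CqLJUx1DeGCz9dtq3rJD2VW3ExEtA3vx492Ztdu1U
/ip4/35.154.130.223/tcp/4001/ipfs/QmPhRnBxiaKzZbWneR7kQQW1TkfcLdiy3TAg1L6y9BSN32
""",
    "13.57.42.38": """
/ip4/18.144.10.0/tcp/4001/ipfs/QmX69CqLJUx1DeGCz9dtq3rJD2VW3ExEtA3vx492Ztdu1U
/ip4/35.154.130.223/tcp/4001/ipfs/QmPhRnBxiaKzZbWneR7kQQW1TkfcLdiy3TAg1L6y9BSN32
""",
}


def parse_swarm_peers(text: str) -> dict:
    """Return {ip: peer_id} for every multiaddr line in the output."""
    peers = {}
    for line in text.strip().splitlines():
        m = PEER_RE.match(line.strip())
        if m:
            peers[m.group(1)] = m.group(2)
    return peers


def build_graph(listings: dict):
    """Undirected adjacency {ip: set(ip)} plus {ip: peer_id} learned on the way.

    A connection reported by either endpoint counts as an edge.
    """
    graph = {ip: set() for ip in listings}
    peer_ids = {}
    for ip, text in listings.items():
        for other, pid in parse_swarm_peers(text).items():
            peer_ids[other] = pid
            graph.setdefault(other, set()).add(ip)
            graph[ip].add(other)
    return graph, peer_ids


def unconnected_pairs(graph: dict) -> list:
    """Pairs of nodes with no direct connection (expected for leaf peers)."""
    nodes = sorted(graph)
    return [(a, b) for i, a in enumerate(nodes)
            for b in nodes[i + 1:] if b not in graph[a]]


def shortest_path(graph: dict, src: str, dst: str):
    """BFS over the swarm graph; None means the two nodes cannot discover
    each other through the DHT at all."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            break
        for nxt in sorted(graph[cur]):  # sorted for a deterministic path
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    if dst not in prev:
        return None
    path = []
    while dst is not None:
        path.append(dst)
        dst = prev[dst]
    return path[::-1]


def is_connected(graph: dict) -> bool:
    """True if every node can reach every other, directly or indirectly."""
    nodes = list(graph)
    return all(shortest_path(graph, nodes[0], n) is not None for n in nodes[1:])


def one_sided_edges(listings: dict) -> list:
    """(a, b) where a lists b but b does not list a: a stale or half-open
    connection worth re-checking with `ipfs swarm connect`."""
    seen = {ip: set(parse_swarm_peers(t)) for ip, t in listings.items()}
    return sorted((a, b) for a, peers in seen.items()
                  for b in peers if b in seen and a not in seen[b])


if __name__ == "__main__":
    graph, ids = build_graph(SWARM_PEERS)
    print("swarm connected:", is_connected(graph))
    for a, b in unconnected_pairs(graph):
        print(f"{a} and {b} are not direct peers; path: {shortest_path(graph, a, b)}")
    print("one-sided edges:", one_sided_edges(SWARM_PEERS))
```

On the listings from the thread the output is that the swarm is connected, that 13.57.42.38 and 202.131.123.110 have no direct edge but reach each other in two hops via a bootstrap node, and that no edge is one-sided, which is exactly the behaviour the reply above describes as expected.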

Great reply as always, Adin.
Reason for discovering: so that in future I can select popular nodes that have good uptime and use them to store stuff.

Also, I haven't made much progress. I applied some suggestions like enabling NAT, which is an experimental feature, but that didn't help, and I have not been working on this since then. I will check today whether the Announce section has the external IPs listed or not, and I will update you.

That future goal sounds far away, I can't even recognise new peers :sweat_smile:

Does private IPFS use libp2p automatically? Is it integrated within the ecosystem?

I will try some network scrapers as well :+1:

But again, I am stuck right now :upside_down_face: