Private network using public bootstrap nodes

Is there any way to use swarm key to make the network private but still be able to use public nodes to find each node in the private network?

If not, what are considerations in not having this functionality? Why not enable nodes to find each other using any node but only transmit data between those with the same swarm key?

The problem I want to address is that I have several nodes behind NAT, each in a different location and with dynamic IPs. Nodes can also be added. I want to make the process of adding nodes as plug and play as possible. Using public nodes makes it easy for nodes to find each other; however, when I make them private, I cannot find an easy way of finding the nodes in the network unless I use domain names for each node and DynDNS. I also cannot have a central bootstrap server, as each group of nodes might have a different swarm key that is unknown to me.


Private networks work by adding an additional layer of encryption (based on the pre-shared key) to all connections. This ensures isolation with little complexity.

Unfortunately there are no more advanced options out of the box that would allow you to rely on the public networks while having a private network.

You can create a central place running 1 node per private network. You could also create a VPN with the members where mDNS autodiscovery would work using zeroconf or wireguard.

Thank you for your answer. I will give VPN a try.

However, it would be good to know if any security consideration was preventing the idea of using public relays to find nodes when setting ipfs with swarm key.

Currently some programs like Syncthing use public relays but still share the actual files privately between nodes, since relays make node discovery very easy.


Can you please explain or direct me to documentation on how to set up IPFS on top of WireGuard? From my understanding, WireGuard only makes a specific port private; should I change anything in the default IPFS ports or IPs for it to work?

Wireguard creates a separate network interface. Port configuration alone won’t be enough to make it work.

EDIT: Port configuration would have nothing to do with the problem, if one exists.

Can you please elaborate further? I googled but could not find any documentation on how to set up IPFS + WireGuard. Can you guide me to the correct path?

I was wrong, actually, I was confusing the problem with a different problem (only applicable to VPN mesh networks, which is way different). In my defense, I was sleepy :slight_smile:

As long as you’re not running a firewall, go-ipfs should work fine with WireGuard without extra configuration. WireGuard alone doesn’t interfere with libp2p traffic; in fact, I use libp2p with WireGuard quite often.

If you’re having issues, try to determine 1) if your system is running a firewall, 2) if go-ipfs can find other peers on the swarm, 3) if you can retrieve content by CID, and 4) if you can provide content by CID, say, via an IPFS HTTP gateway.

Thank you. So if I understand correctly, without a firewall and with WireGuard, I should be able to simply run IPFS in private mode (with a swarm key) and the nodes should be able to find each other like on an internal LAN.

It is possible to create a private bootstrap node; you just need to deploy an IPFS node with your swarm key on a machine with a fixed public IP :sweat_smile:. This is what I have done in a cloud to communicate with my colleagues. If you remove this node, there is no way to discover each other through the second level of NAT that our ISP creates. Obviously most people cannot have a fixed public IP, so I have to try with a VPN, which is a better option.
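The private-bootstrap setup described in the post above, as an added example that is not from the thread or from go-ipfs itself: it generates a `swarm.key` in the format go-ipfs reads, checks it before deployment, and points the node only at a self-hosted bootstrap node while forcing the daemon to fail closed if the key is missing. It assumes go-ipfs is installed and `IPFS_PATH` has been initialised; the bootstrap multiaddr is a placeholder for your own node's address.

```shell
#!/bin/sh
# Added example (not from the thread or the go-ipfs project).

# Write a swarm.key in the layout go-ipfs expects: a header line, the
# encoding line, and 32 random bytes as 64 lowercase hex characters.
gen_swarm_key() {
    key_file="$1"
    printf '/key/swarm/psk/1.0.0/\n/base16/\n%s\n' \
        "$(head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n')" > "$key_file"
    chmod 600 "$key_file"   # the PSK is the only thing keeping outsiders out
}

# Check a swarm.key before copying it to every node: a wrong header or a
# short key means the daemon refuses to start (with LIBP2P_FORCE_PNET=1) or,
# without that variable, silently joins the public network instead.
validate_swarm_key() {
    key_file="$1"
    [ "$(sed -n 1p "$key_file")" = "/key/swarm/psk/1.0.0/" ] || return 1
    [ "$(sed -n 2p "$key_file")" = "/base16/" ] || return 1
    sed -n 3p "$key_file" | grep -Eq '^[0-9a-f]{64}$' || return 1
    [ "$(wc -l < "$key_file")" -eq 3 ] || return 1
}

# Replace the default public bootstrap list with the private node only, so a
# node can never fall back to the public DHT, and print the fail-closed
# daemon invocation. Not run by the checks below because it needs go-ipfs.
configure_private_node() {
    ipfs_path="$1"        # e.g. "$HOME/.ipfs"
    bootstrap_addr="$2"   # placeholder: /ip4/<fixed-public-ip>/tcp/4001/p2p/<PeerID>
    validate_swarm_key "$ipfs_path/swarm.key" || return 1
    IPFS_PATH="$ipfs_path" ipfs bootstrap rm --all
    IPFS_PATH="$ipfs_path" ipfs bootstrap add "$bootstrap_addr"
    # LIBP2P_FORCE_PNET=1 makes the daemon exit rather than start without a key.
    echo "start with: LIBP2P_FORCE_PNET=1 IPFS_PATH=$ipfs_path ipfs daemon"
}
```

The same `swarm.key` must be present in every node's `IPFS_PATH`, including the bootstrap node, before any of them is started.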

I need to setup a network with untrusted relays.
Unfortunately, I still have not found a way, but not sure why the relays need the swarm key. Relays can just act as a relay to help the authenticated nodes connect. Is there any part of the code that we can modify to allow this?

Use EmerDNS.
IPFS is supported.