Restrict RelayHop

Is there any way to restrict what nodes are allowed to use a relaying node?

Say I’ve got some nodes behind NAT. I set up a node on AWS somewhere and set EnableRelayHop to true. Is there any way that I can get it to only allow relaying for my nodes that are behind NAT rather than just letting the entire world route traffic through my relay? Is there maybe a better way to do this?


I’d like to suggest the following options:

  • Make all your nodes part of a private network. This is practical only if you need the Relay hop just so that your NATed nodes can talk to each other.

  • Don’t advertise your Relay’s multiaddress on the DHT. You can pull this off as follows:

  1. Deploy your Relay Hop with Routing.Type = "none" and, perhaps, clear the bootstrap list as well.

  2. Put the peerIDs of all your NATed nodes in the peering subsystem of your RelayHop.

  3. Put the RelayHop, with its full multiaddress (not just its PeerID), in the peering subsystem of all your NATed nodes.

  4. Announce the multiaddress of your NATed nodes as: multiaddressOfYourRelay/p2p-circuit/p2p/PeerIDofNATedNode

Let me know if any of them works.
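As an added example (not code from this post or from go-ipfs), here are the four steps above as one shell script: `relay` mode runs on the relay, `nated` mode on each NATed node. The config keys are the ones named in the thread (Routing.Type, Bootstrap, Swarm.EnableRelayHop, Peering.Peers, Addresses.Announce); the peer IDs and the relay address in the comments are placeholders, and the relay's multiaddress is assumed to end in /p2p/<RelayID>, which is what the script checks for before building the circuit address. Restart the daemon after running it, since `ipfs config` edits are only read at startup.

```shell
#!/bin/sh
# Added example (not go-ipfs code): configure a relay that is never advertised on
# the DHT, plus the NATed nodes that use it, following the four steps above.
# Peer IDs and addresses are placeholders. Usage:
#   sh hidden-relay.sh relay <NatedID1> [NatedID2 ...]     (run on the relay)
#   sh hidden-relay.sh nated /ip4/<RelayIP>/tcp/4001/p2p/<RelayID>   (on each NATed node)
set -eu

# Build the JSON value for Peering.Peers from "PeerID" or "PeerID=addr1,addr2" entries.
# Entries without an address are fine on the relay: the NATed nodes dial in, the relay
# only has to keep those connections protected.
peering_json() {
  out=""
  for entry in "$@"; do
    id=${entry%%=*}
    alist=""
    if [ "$entry" != "$id" ]; then
      old_ifs=$IFS; IFS=','
      for a in ${entry#*=}; do alist="${alist:+$alist,}\"$a\""; done
      IFS=$old_ifs
    fi
    out="${out:+$out,}{\"ID\":\"$id\",\"Addrs\":[$alist]}"
  done
  printf '[%s]' "$out"
}

# Step 4: the address other peers dial to reach a NATed node through the relay.
# The relay part must carry the relay's own /p2p/<RelayID>, otherwise the dialer
# cannot authenticate which relay it is talking to.
circuit_addr() {
  relay=$1; nated=$2
  case $relay in
    */p2p/*) ;;
    *) echo "relay address must end in /p2p/<RelayID>: $relay" >&2; return 1 ;;
  esac
  printf '%s/p2p-circuit/p2p/%s' "$relay" "$nated"
}

configure_relay() {   # args: peer IDs of the NATed nodes
  command -v ipfs >/dev/null || { echo "ipfs not found" >&2; return 1; }
  ipfs config Routing.Type none                    # step 1: no DHT, so nothing advertises us
  ipfs config --json Bootstrap '[]'                #         and nothing to announce to at boot
  ipfs config --json Swarm.EnableRelayHop true
  ipfs config --json Peering.Peers "$(peering_json "$@")"   # step 2: keep our NATed peers
}

configure_nated() {   # arg: relay multiaddress ending in /p2p/<RelayID>
  command -v ipfs >/dev/null || { echo "ipfs not found" >&2; return 1; }
  relay=$1
  relay_id=${relay##*/p2p/}
  relay_addr=${relay%/p2p/*}
  self_id=$(ipfs id -f '<id>')
  # Step 3: full address, since the relay is not findable through the DHT.
  ipfs config --json Peering.Peers "$(peering_json "$relay_id=$relay_addr")"
  # Step 4: announce only the circuit address, never our private one.
  ipfs config --json Addresses.Announce "[\"$(circuit_addr "$relay" "$self_id")\"]"
}

case ${1:-} in
  relay) shift; configure_relay "$@" ;;
  nated) shift; configure_nated "$1" ;;
esac
```

The two helpers are kept separate from the `ipfs config` calls so the generated values can be inspected (or unit-tested) before they touch a live node.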

I’ll give it a try. Thanks for the feedback. I’m still a little disappointed that, if I understand the configuration correctly, this is sort of a “security through obscurity” thing. I’d hate for someone to discover it by some other means and get a huge AWS bill.

It would be nice if you could create a private network with a relay node as a gateway that would just relay for the private network (isn’t really private at that point but hopefully you get what I’m suggesting) or something like that. Or can you restrict relaying to a particular interface?

Can you possibly specify the listen address? (go-ipfs/config.md at master · ipfs/go-ipfs · GitHub)

I was just looking at “ipfs p2p forward/listen” and it seems to have a similar problem: if you listen, then anyone can connect. It seems like ipfs could use some sort of p2p-like firewall.

Can you possibly specify the listen address?

By listen address, config.md actually refers to the tuple {IP, port, protocol}. Note that the p2p-circuit multiaddress has a listen address for the RelayHop, not for the NATed node. The RelayHop listens for incoming connections, whereas the NATed node just remains connected to the Relay using a secure tunnel. Effectively it is just multiplexed port forwarding.

To give you peace of mind, I’d now like to recommend explicit port forwarding at your AWS node, instead of RelayHop. It no longer acts as a public relay, so no worries about security through obscurity. Follow these steps.

  1. Put NATed nodes in the peering subsystem of the AWS node.
  2. Put the AWS node in the peering subsystem of the NATed nodes.
  3. At your NATed node: ipfs p2p listen /x/ipfs /ip4/127.0.0.1/tcp/4001
  4. At your AWS node, for each NATed node: ipfs p2p forward /x/ipfs /ip4/127.0.0.1/tcp/<port> /p2p/PeerIDofNATedNode
  5. Announce your NATed node’s listen address as /ip4/IPofAWS/tcp/<port>/p2p/PeerIDofNATedNode

Drawback: you have to forward a different <port> for every NATed node. But you can automate the entire process with a few lines of Bash script. For convenience, you might derive the port number to be forwarded from the last 16 bits of the NATed peerID.

Note: Don’t forget to enable incoming connections at the forwarded <port>s in your EC2 Security Group inbound rules.

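As an added example (not the poster's script and not go-ipfs code), the five steps plus the suggested automation in one shell script: `aws` mode runs on the AWS node, `nated` mode on each NATed node, both with the daemon running. Assumptions: the swarm port is 4001 on both sides; `ipfs p2p` is enabled through the Experimental.Libp2pStreamMounting config flag go-ipfs requires for it; the AWS CLI is installed if the placeholder SG_ID is set; all peer IDs are placeholders. Two choices differ from the steps as written and are deliberate: the forward binds 0.0.0.0 rather than 127.0.0.1, because a port bound to loopback on the AWS node is not reachable from the internet no matter what the security group allows, and "the last 16 bits of the peer ID" (taken here as its last two characters) can collide between two nodes, so the script refuses to create any forward while two peers map to the same port. `ipfs p2p` mappings live only in the running daemon, so both modes need re-running after a restart.

```shell
#!/bin/sh
# Added example (not go-ipfs code): automate the port-forwarding recipe above.
# Peer IDs, the AWS address and SG_ID are placeholders. Usage:
#   sh forward.sh aws   <NatedID1> [NatedID2 ...]   (on the AWS node, daemon running)
#   sh forward.sh nated <AwsPublicIP> <AwsPeerID>   (on each NATed node, daemon running)
set -eu

PROTO=/x/ipfs        # protocol name for `ipfs p2p listen/forward` (must live under /x/)
PORT_BASE=10000      # forwarded ports stay within 10000..65535
PORT_SPAN=55536

# Derive a stable port from the last 16 bits of the peer ID string, i.e. its last
# two characters, as the post suggests. IDs ending the same way collide; see unique_ports.
port_for_peer() {
  id=$1
  tail2=${id#"${id%??}"}                 # last two characters
  hi=$(printf '%d' "'${tail2%?}")        # ASCII code of the first of them
  lo=$(printf '%d' "'${tail2#?}")        # ASCII code of the second
  echo $(( PORT_BASE + (hi * 256 + lo) % PORT_SPAN ))
}

# Fail if two peers would share a forwarded port; the second forward would
# otherwise silently fail to bind, leaving one node unreachable.
unique_ports() {
  seen=""
  for id in "$@"; do
    p=$(port_for_peer "$id")
    case " $seen " in *" $p "*) echo "port collision on $p for $id" >&2; return 1 ;; esac
    seen="$seen $p"
  done
  return 0
}

# Step 5: the address a NATed node announces, on the AWS node's public IP.
announce_addr() {   # args: AWS public IP, NATed peer ID
  printf '/ip4/%s/tcp/%s/p2p/%s' "$1" "$(port_for_peer "$2")" "$2"
}

# Peering.Peers value from bare peer IDs (step 1: the NATed nodes have no fixed address).
peering_ids_json() {
  out=""
  for id in "$@"; do out="${out:+$out,}{\"ID\":\"$id\",\"Addrs\":[]}"; done
  printf '[%s]' "$out"
}

setup_aws() {   # args: NATed peer IDs
  command -v ipfs >/dev/null || { echo "ipfs not found" >&2; return 1; }
  unique_ports "$@"
  ipfs config --json Experimental.Libp2pStreamMounting true     # needed by `ipfs p2p`
  ipfs config --json Peering.Peers "$(peering_ids_json "$@")"   # step 1
  for id in "$@"; do
    port=$(port_for_peer "$id")
    # Step 4. Bind 0.0.0.0, not 127.0.0.1, or nobody outside the box can reach the port.
    ipfs p2p forward "$PROTO" "/ip4/0.0.0.0/tcp/$port" "/p2p/$id"
    # Open the port in the EC2 security group when SG_ID (placeholder) is set.
    if [ -n "${SG_ID:-}" ]; then
      aws ec2 authorize-security-group-ingress \
        --group-id "$SG_ID" --protocol tcp --port "$port" --cidr 0.0.0.0/0
    fi
  done
}

setup_nated() {   # args: AWS public IP, AWS peer ID
  command -v ipfs >/dev/null || { echo "ipfs not found" >&2; return 1; }
  aws_ip=$1; aws_id=$2
  self_id=$(ipfs id -f '<id>')
  ipfs config --json Experimental.Libp2pStreamMounting true
  # Step 2: peer with the AWS node by full address (swarm port 4001 assumed).
  ipfs config --json Peering.Peers "[{\"ID\":\"$aws_id\",\"Addrs\":[\"/ip4/$aws_ip/tcp/4001\"]}]"
  # Step 5: announce only the forwarded address on the AWS node.
  ipfs config --json Addresses.Announce "[\"$(announce_addr "$aws_ip" "$self_id")\"]"
  # Step 3: expose our own swarm port to the AWS node over the p2p stream.
  ipfs p2p listen "$PROTO" /ip4/127.0.0.1/tcp/4001
}

case ${1:-} in
  aws)   shift; setup_aws "$@" ;;
  nated) shift; setup_nated "$1" "$2" ;;
esac
```

Keeping the port derivation in its own function means the NATed node and the AWS node compute the same port from the same peer ID without any shared state, which is what makes step 5 consistent with step 4.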