The idea is to make devices behind a NAT discoverable to any machine online without a middleman. Wouldn’t it be great to be able to ssh user@SOMEHASH to any machine?
Could it be more secure than an open port 22 on the WAN?
Not really applicable to being behind a NAT, but more to the common issue of having constantly changing IP addresses (as is common in many home networks). Not sure if you were looking for NAT traversal options, but if so could you clarify a sort of user journey of what you’re looking for?
Three major ways you could do this:
- Use some libp2p peer routing mechanism (e.g. a DHT) to find `user`'s multiaddress. Then feed that into ssh. Could even potentially use some local hostname resolution to turn some peerID bafyabc.localhost into an IP address. I’ve seen some folks interested in this in the past, but not sure on their progress. Could be worth a look around IRC and Github.
- Run an ssh client + libp2p node on every client and ssh server + libp2p node on the server. Use ssh port forwarding to basically go ssh client -> libp2p client -> libp2p server -> ssh server. You can see an example of this done in IPFS (the first libp2p application) here https://github.com/ipfs/go-ipfs/blob/master/docs/experimental-features.md#ipfs-p2p
- Make a single binary that bundles together ssh + libp2p to do one of the two mechanisms above instead of relying on stringing together existing config options in either SSH or in how your OS resolves addresses/hostnames.
I’ve used option 2 and it’s definitely nice to not be reliant on a dynamic DNS address to ssh into a network where the IP address isn’t permanent.
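As an added illustration of option 2 above (this is not code from the thread or from the go-ipfs project), the script below wires a local ssh client to a remote sshd through go-ipfs's experimental `ipfs p2p` stream mounting, which the linked experimental-features page documents. It assumes go-ipfs is installed with a running daemon on both ends, that the server's sshd listens on 127.0.0.1:22, and that the protocol name `/x/ssh`, the local port 2222 and the peer ID `12D3KooWExamplePeer` are placeholders you replace with your own.

```shell
#!/bin/sh
# Added example: ssh over libp2p using go-ipfs's experimental `ipfs p2p`
# stream mounting. Not the thread's or the project's own code.
# Assumptions: go-ipfs daemon running on both machines; sshd on the server
# bound to 127.0.0.1:22 only (so nothing is exposed on the WAN).

PROTO="/x/ssh"     # protocol name under which the server exposes sshd
LOCAL_PORT=2222    # port the ssh client connects to on the client machine

# Minimal sanity check on a peer ID before it is spliced into a multiaddr:
# non-empty, no whitespace, no '/' (which would change the multiaddr parse).
is_plausible_peer_id() {
  case "$1" in
    ""|*[[:space:]/]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Both sides: the feature is off by default and must be enabled in config.
enable_stream_mounting_cmd() {
  printf 'ipfs config --json Experimental.Libp2pStreamMounting true\n'
}

# Server side: publish the local sshd under $PROTO over libp2p streams.
server_listen_cmd() {
  printf 'ipfs p2p listen %s /ip4/127.0.0.1/tcp/22\n' "$PROTO"
}

# Client side: map a local TCP port onto the server peer's $PROTO stream.
# Returns 1 (and prints nothing) for a malformed peer ID.
client_forward_cmd() {
  peer_id=$1
  is_plausible_peer_id "$peer_id" || return 1
  printf 'ipfs p2p forward %s /ip4/127.0.0.1/tcp/%s /p2p/%s\n' \
    "$PROTO" "$LOCAL_PORT" "$peer_id"
}

# Client side: the ssh invocation that rides the forwarded port.
# ssh still does its own host-key and user authentication over the tunnel.
ssh_over_libp2p_cmd() {
  user=$1
  printf 'ssh -p %s %s@127.0.0.1\n' "$LOCAL_PORT" "$user"
}

# Execute the server-side setup (only when explicitly requested).
setup_server() {
  eval "$(enable_stream_mounting_cmd)" && eval "$(server_listen_cmd)"
}

# Execute the client-side setup and open the session.
connect_client() {
  peer_id=$1; user=$2
  eval "$(enable_stream_mounting_cmd)" \
    && eval "$(client_forward_cmd "$peer_id")" \
    && eval "$(ssh_over_libp2p_cmd "$user")"
}

# Usage (constructed placeholders):
#   on the server:  setup_server
#   on the client:  connect_client 12D3KooWExamplePeer user
```

The peer ID pins the identity of the libp2p node you reach, so the transport is authenticated end to end, but it does not replace ssh's own checks: keep host-key verification on and keep sshd bound to loopback so the only path to it is the libp2p stream.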
I would love an alternative to tailscale and zerotier using p2p.
I saw some wireguard-p2p stuff, I don’t see why it couldn’t be done with libp2p. Maybe the hard part is nat traversal and handling the network’s config and permissions.
@adin @bbigras is this still applicable?
One year has passed, and it seems libp2p has NAT support.
It just would be great to be able to SSH into remote machines with NATed connections in a secure and authenticated way. libp2p could help, I think.
I was actually thinking of also implementing p2plib encrypted filesystem unlocking in the initrd environment, as an alternative to dropbear.
Why not use tor private service?