Network hardening continued (#14)

* Add private IP connection gater

* Add relay peers as bootstrappable peers

* Switch to EnableNAT to make it much more explicit, default is now disabled

* Prevent tests from connecting to bootstrap servers

* Test and code cleanup

* Fix lint

Author: oskarszoon

client.go

@@ -16,6 +16,7 @@ import (
 	"slices"
 	"strings"
 	"sync"
+	"testing"
 	"time"
 
 	"github.com/libp2p/go-libp2p"
@@ -28,6 +29,7 @@ import (
 	"github.com/libp2p/go-libp2p/core/peer"
 	"github.com/libp2p/go-libp2p/p2p/discovery/mdns"
 	drouting "github.com/libp2p/go-libp2p/p2p/discovery/routing"
+	"github.com/libp2p/go-libp2p/p2p/net/conngater"
 	"github.com/multiformats/go-multiaddr"
 	manet "github.com/multiformats/go-multiaddr/net"
 
@@ -85,11 +87,7 @@ func NewClient(config Config) (Client, error) {
 		return nil, err
 	}
 
-	// Get bootstrap peers from DHT library for DHT bootstrapping
-	bootstrapPeers := dht.GetDefaultBootstrapPeerAddrInfos()
-
-	// Determine which peers to use as relays
-	relayPeers := configureRelayPeers(config.RelayPeers, bootstrapPeers, clientLogger)
+	bootstrapPeers, relayPeers := getBootstrapAndRelayPeers(config, clientLogger)
 
 	// Create and setup libp2p host
 	h, err := createHost(ctx, hostOpts, config, relayPeers, clientLogger, cancel)
@@ -152,6 +150,34 @@ func NewClient(config Config) (Client, error) {
 	return c, nil
 }
 
+func getBootstrapAndRelayPeers(config Config, clientLogger logger) ([]peer.AddrInfo, []peer.AddrInfo) {
+	// Get bootstrap peers based on environment
+	// Test mode: empty list for fast, isolated tests
+	// Production: IPFS default bootstrap peers
+	var bootstrapPeers []peer.AddrInfo
+	if testing.Testing() {
+		bootstrapPeers = []peer.AddrInfo{}
+		clientLogger.Infof("Test mode detected - using no bootstrap peers (isolated mode)")
+	} else {
+		bootstrapPeers = dht.GetDefaultBootstrapPeerAddrInfos()
+		clientLogger.Infof("Using %d default IPFS bootstrap peers", len(bootstrapPeers))
+	}
+
+	// Parse custom relay peers if provided
+	customRelayPeers := parseRelayPeersFromConfig(config.RelayPeers, clientLogger)
+
+	// Add custom relay peers to bootstrap list for better peer discovery
+	// This helps the DHT routing table include your known-good relay peers
+	if len(customRelayPeers) > 0 {
+		bootstrapPeers = append(bootstrapPeers, customRelayPeers...)
+		clientLogger.Infof("Added %d custom relay peers to bootstrap peer list", len(customRelayPeers))
+	}
+
+	// Determine which peers to use as relays (relay peers OR bootstrap peers as fallback)
+	relayPeers := selectRelayPeers(customRelayPeers, bootstrapPeers, clientLogger)
+	return bootstrapPeers, relayPeers
+}
+
 // Helper functions for NewClient
 
 func getLogger(configLogger logger) logger {
@@ -163,9 +189,61 @@ func getLogger(configLogger logger) logger {
 	return configLogger
 }
 
+// createPrivateIPConnectionGater creates a ConnectionGater that blocks private IP ranges.
+// Returns a configured BasicConnectionGater that prevents connections to/from:
+// - RFC1918 private networks (10.x, 172.16-31.x, 192.168.x)
+// - Link-local addresses (169.254.x, fe80::)
+// - Loopback addresses (127.x, ::1)
+// - Shared address space (100.64.x)
+// - IPv6 unique local addresses (fc00::)
+func createPrivateIPConnectionGater(log logger, cancel context.CancelFunc) (*conngater.BasicConnectionGater, error) {
+	ipFilter, err := conngater.NewBasicConnectionGater(nil)
+	if err != nil {
+		cancel()
+		return nil, fmt.Errorf("failed to create connection gater: %w", err)
+	}
+
+	// Standard private IP ranges to block
+	privateRanges := []string{
+		"10.0.0.0/8",     // RFC1918 private network
+		"172.16.0.0/12",  // RFC1918 private network
+		"192.168.0.0/16", // RFC1918 private network
+		"127.0.0.0/8",    // Loopback
+		"169.254.0.0/16", // Link-local
+		"100.64.0.0/10",  // Shared Address Space (RFC6598)
+		"fc00::/7",       // IPv6 Unique Local Addresses
+		"fe80::/10",      // IPv6 Link-Local Addresses
+		"::1/128",        // IPv6 Loopback
+	}
+
+	for _, cidr := range privateRanges {
+		_, ipnet, err := net.ParseCIDR(cidr)
+		if err != nil {
+			cancel()
+			return nil, fmt.Errorf("failed to parse CIDR %s: %w", cidr, err)
+		}
+		if err := ipFilter.BlockSubnet(ipnet); err != nil {
+			log.Warnf("Failed to block subnet %s: %v", cidr, err)
+		}
+	}
+
+	return ipFilter, nil
+}
+
 func buildHostOptions(config Config, log logger, cancel context.CancelFunc) ([]libp2p.Option, error) {
 	hostOpts := []libp2p.Option{libp2p.Identity(config.PrivateKey)}
 
+	// Add connection gater to block private IPs if AllowPrivateIPs is false (default)
+	if !config.AllowPrivateIPs {
+		ipFilter, err := createPrivateIPConnectionGater(log, cancel)
+		if err != nil {
+			return nil, err
+		}
+
+		hostOpts = append(hostOpts, libp2p.ConnectionGater(ipFilter))
+		log.Infof("Private IP connection gater enabled (blocking RFC1918 and local addresses)")
+	}
+
 	// Configure announce addresses if provided (useful for K8s)
 	if len(config.AnnounceAddrs) > 0 {
 		announceAddrs := make([]multiaddr.Multiaddr, 0, len(config.AnnounceAddrs))
@@ -195,14 +273,17 @@ func createHost(_ context.Context, hostOpts []libp2p.Option, config Config, rela
 		),
 	)
 
-	// Only enable NAT traversal features if not disabled
-	// NAT features can cause data races in tests due to libp2p's NAT manager using non-thread-safe global state
-	if !config.DisableNAT {
+	// Enable NAT features only if explicitly enabled
+	// UPnP/NAT-PMP scans the local gateway which triggers network scanning alerts
+	if config.EnableNAT {
 		hostOpts = append(hostOpts,
 			libp2p.NATPortMap(),
 			libp2p.EnableNATService(),
 			libp2p.EnableHolePunching(),
 		)
+		log.Infof("UPnP/NAT-PMP enabled (will scan local gateway for port mapping)")
+	} else {
+		log.Infof("UPnP/NAT-PMP disabled (production safe default)")
 	}
 
 	hostOpts = append(hostOpts,
@@ -280,33 +361,43 @@ func setupDHT(ctx context.Context, h host.Host, config Config, bootstrapPeers []
 	return kadDHT, nil
 }
 
-func configureRelayPeers(relayPeersConfig []string, bootstrapPeers []peer.AddrInfo, log logger) []peer.AddrInfo {
-	if len(relayPeersConfig) == 0 {
-		log.Infof("Using bootstrap peers as relays")
-		return bootstrapPeers
+// parseRelayPeersFromConfig parses relay peer multiaddr strings into AddrInfo
+func parseRelayPeersFromConfig(relayPeersConfig []string, log logger) []peer.AddrInfo {
+	return parsePeerMultiaddrs(relayPeersConfig, "relay", log)
+}
+
+// parsePeerMultiaddrs is a shared helper to parse peer multiaddr strings
+func parsePeerMultiaddrs(peerConfigs []string, peerType string, log logger) []peer.AddrInfo {
+	if len(peerConfigs) == 0 {
+		return nil
 	}
 
-	relayPeers := make([]peer.AddrInfo, 0, len(relayPeersConfig))
-	for _, relayStr := range relayPeersConfig {
-		maddr, err := multiaddr.NewMultiaddr(relayStr)
+	peers := make([]peer.AddrInfo, 0, len(peerConfigs))
+	for _, peerStr := range peerConfigs {
+		maddr, err := multiaddr.NewMultiaddr(peerStr)
 		if err != nil {
-			log.Errorf("Invalid relay address %s: %v (hint: use /dns4/ for hostnames, /ip4/ for IP addresses)", relayStr, err)
+			log.Errorf("Invalid %s address %s: %v (hint: use /dns4/ for hostnames, /ip4/ for IP addresses)", peerType, peerStr, err)
 			continue
 		}
 		addrInfo, err := peer.AddrInfoFromP2pAddr(maddr)
 		if err != nil {
-			log.Errorf("Invalid relay peer info %s: %v", relayStr, err)
+			log.Errorf("Invalid %s peer info %s: %v", peerType, peerStr, err)
 			continue
 		}
-		relayPeers = append(relayPeers, *addrInfo)
+		peers = append(peers, *addrInfo)
 	}
 
-	if len(relayPeers) > 0 {
-		log.Infof("Using %d custom relay peer(s)", len(relayPeers))
-		return relayPeers
+	return peers
+}
+
+// selectRelayPeers determines which peers to use as relays
+func selectRelayPeers(customRelayPeers []peer.AddrInfo, bootstrapPeers []peer.AddrInfo, log logger) []peer.AddrInfo {
+	if len(customRelayPeers) > 0 {
+		log.Infof("Using %d custom relay peer(s)", len(customRelayPeers))
+		return customRelayPeers
 	}
 
-	log.Warnf("No valid custom relay peers found, falling back to bootstrap peers as relays")
+	log.Infof("Using bootstrap peers as relays")
 	return bootstrapPeers
 }
 
@@ -630,15 +721,7 @@ func (c *client) connectToDiscoveredPeer(ctx context.Context, peerInfo peer.Addr
 		return
 	}
 
-	// Filter private IPs unless explicitly allowed (default: filter for production safety)
-	if !c.config.AllowPrivateIPs {
-		peerInfo.Addrs = filterPrivateAddrs(peerInfo.Addrs)
-		if len(peerInfo.Addrs) == 0 {
-			// All addresses were private, skip this peer
-			return
-		}
-	}
-
+	// ConnectionGater handles private IP filtering, so just try to connect
 	if err := c.host.Connect(ctx, peerInfo); err != nil {
 		if c.shouldLogConnectionError(err) {
 			c.logger.Debugf("Failed to connect to discovered peer %s: %v", peerInfo.ID.String(), err)

client_additional_test.go

@@ -71,7 +71,8 @@ func TestConfigureRelayPeersWithValidPeers(t *testing.T) {
 		testRelayPeerMultiaddr,
 	}
 
-	relayPeers := configureRelayPeers(relayPeersConfig, bootstrapPeers, logger)
+	customRelayPeers := parseRelayPeersFromConfig(relayPeersConfig, logger)
+	relayPeers := selectRelayPeers(customRelayPeers, bootstrapPeers, logger)
 
 	assert.Len(t, relayPeers, 1)
 }
@@ -86,7 +87,8 @@ func TestConfigureRelayPeersWithMixedValidity(t *testing.T) {
 		"invalid-peer",
 	}
 
-	relayPeers := configureRelayPeers(relayPeersConfig, bootstrapPeers, logger)
+	customRelayPeers := parseRelayPeersFromConfig(relayPeersConfig, logger)
+	relayPeers := selectRelayPeers(customRelayPeers, bootstrapPeers, logger)
 
 	// Should have 1 valid peer (second one is invalid)
 	assert.Len(t, relayPeers, 1)
@@ -114,25 +116,6 @@ func TestClientCloseTwice(t *testing.T) {
 	_ = err
 }
 
-func TestClientWithBootstrapPeers(t *testing.T) {
-	privKey, err := GeneratePrivateKey()
-	require.NoError(t, err)
-
-	config := Config{
-		Name:       testPeerName,
-		PrivateKey: privKey,
-		BootstrapPeers: []string{
-			"/ip4/127.0.0.1/tcp/9999/p2p/QmYyQSo1c1Ym7orWxLYvCrM2EmxFTANf8wXmmE7DWjhx5N",
-		},
-	}
-
-	cl, err := NewClient(config)
-	require.NoError(t, err)
-
-	err = cl.Close()
-	require.NoError(t, err)
-}
-
 func TestGetPeersWithNoConnections(t *testing.T) {
 	privKey, err := GeneratePrivateKey()
 	require.NoError(t, err)

client_test.go

@@ -416,7 +416,8 @@ func TestConfigureRelayPeersEmpty(t *testing.T) {
 		{ID: "QmYyQSo1c1Ym7orWxLYvCrM2EmxFTANf8wXmmE7DWjhx5N"},
 	}
 
-	relayPeers := configureRelayPeers([]string{}, bootstrapPeers, logger)
+	customRelayPeers := parseRelayPeersFromConfig([]string{}, logger)
+	relayPeers := selectRelayPeers(customRelayPeers, bootstrapPeers, logger)
 
 	// Should return bootstrap peers when no custom relays
 	assert.Equal(t, bootstrapPeers, relayPeers)
@@ -435,7 +436,8 @@ func TestConfigureRelayPeersInvalidAddresses(t *testing.T) {
 		"not-a-multiaddr",
 	}
 
-	relayPeers := configureRelayPeers(invalidRelays, bootstrapPeers, logger)
+	customRelayPeers := parseRelayPeersFromConfig(invalidRelays, logger)
+	relayPeers := selectRelayPeers(customRelayPeers, bootstrapPeers, logger)
 
 	// Should fall back to bootstrap peers on invalid addresses
 	assert.Equal(t, bootstrapPeers, relayPeers)

cmd/example/main.go

@@ -55,6 +55,7 @@ func main() {
 		Port:          *port,
 		PeerCacheFile: "peer_cache.json", // Enable peer persistence
 		RelayPeers:    relayPeers,
+		DHTMode:       "client",
 	})
 	if err != nil {
 		logger.Errorf("Failed to create P2P client: %v", err)

config.go

@@ -36,11 +36,6 @@ type Config struct {
 	// so other peers can identify the sender.
 	Name string
 
-	// BootstrapPeers is an optional list of multiaddr strings for initial peers to connect to.
-	// If not provided, the client will use libp2p's default bootstrap peers.
-	// Example: []string{"/ip4/192.168.1.100/tcp/4001/p2p/QmPeerID"}
-	BootstrapPeers []string
-
 	// Logger is an optional logger to use for logging. If not provided, the client will use
 	// DefaultLogger. Set to a custom implementation to integrate with your logging framework.
 	Logger logger
@@ -98,11 +93,12 @@ type Config struct {
 	// The cleanup frequency trades off between memory usage (stale records) and CPU usage.
 	DHTCleanupInterval time.Duration
 
-	// DisableNAT disables NAT traversal features (UPnP/NAT-PMP port mapping, NAT service, hole punching).
-	// Set to true in test environments where NAT traversal is not needed and can cause data races
-	// due to libp2p's NAT manager using non-thread-safe global state.
-	// Default: false (NAT features enabled)
-	DisableNAT bool
+	// EnableNAT enables UPnP/NAT-PMP automatic port mapping features.
+	// When true, the node will scan the local gateway (e.g., 10.0.0.1) to configure port forwarding.
+	// IMPORTANT: This triggers network scanning alerts on shared hosting (Hetzner, AWS, etc.).
+	// Only enable for local development behind a home router/NAT.
+	// Default: false (NAT features disabled for production safety)
+	EnableNAT bool
 
 	// EnableMDNS enables multicast DNS peer discovery on the local network.
 	// When true, the node broadcasts mDNS queries to discover peers on the same LAN.