feat(#1317): update quickstart script & networking docs

ndrpp · ndrpp · commit 08ad0a40a55f · 2026-04-08T13:41:09.000+03:00
diff --git a/docs/networking.md b/docs/networking.md
@@ -1,107 +1,147 @@
 # Ocean Node Networking
 
-## Networking in cloud environments or DMZ
+For other nodes (and browsers) to reach your node, it must be reachable at a stable, publicly routable address. Work through the options below in order — stop at the first one that applies to your setup.
 
-In order for your node to join the network, the others nodes needs to be able to connect to it.
-All options can be controlled using [environment
-variables](env.md#p2p)
+## Option 1: Static Public IP
 
-To quickly start your node, you can keep all of the default values,but most likely it will hurt performance. If you want a customised approach, here are the full steps:
+If your machine has a static public IP directly assigned to it (common in VPS/cloud environments), set `P2P_ANNOUNCE_ADDRESSES` to announce that address. The quickstart script does this automatically when you provide your IP or domain name.
 
-- decide what IP version to use (IPV4 or/and IPv6). You should use both if available.
-- decide if you want to filter private ips (if you run multiple nodes in a LAN or cloud environment, leave them on)
-- if you already have an external ip configured on your machine, you are good to go.
-- if you have a private ip, but an UPNP gateway, you should be fine as well.
-- if you have a private ip and you can forward external ports from your gateway, use P2P_ANNOUNCE_ADDRESSES and let other nodes know your external IP/port.
-- if you cannot forward ports on your gateway, the only choice is to use a circuit relay server (then all traffic will go through that node and it will proxy)
+Example for a node with public IP `1.2.3.4`, using ports 9000 (TCP) and 9001 (WebSocket/TLS):
+
+```bash
+P2P_ANNOUNCE_ADDRESSES='[
+  "/ip4/1.2.3.4/tcp/9000",
+  "/ip4/1.2.3.4/tcp/9001/ws",
+  "/ip4/1.2.3.4/tcp/9001/tls/ws",
+  "/ip4/1.2.3.4/tcp/9001/tls/wss"
+]'
+```
+
+The `/tls/ws` and `/tls/wss` entries enable [AutoTLS](#tls-and-sni-server-name-indication) for node-to-browser communication. AutoTLS handles certificate provisioning automatically — no DNS setup required on your part.
+
+## Option 2: Dynamic DNS (no static IP)
+
+If your public IP changes (residential ISP, dynamic VPS), use a Dynamic DNS (DDNS) service to get a stable hostname that always resolves to your current IP.
+
+Popular free DDNS providers: [DuckDNS](https://www.duckdns.org/), [No-IP](https://www.noip.com/), [Dynu](https://www.dynu.com/).
+
+Once you have a hostname (e.g. `mynode.duckdns.org`), set up the DDNS client on your machine to keep it updated, then use the hostname in your announce addresses:
+
+```bash
+P2P_ANNOUNCE_ADDRESSES='[
+  "/dns4/mynode.duckdns.org/tcp/9000",
+  "/dns4/mynode.duckdns.org/tcp/9001/ws",
+  "/dns4/mynode.duckdns.org/tcp/9001/tls/ws",
+  "/dns4/mynode.duckdns.org/tcp/9001/tls/wss"
+]'
+```
+
+## Option 3: Port Forwarding
+
+If you are behind a NAT router (home network), you need to forward the P2P ports from your router to the machine running the node.
+
+1. Find the local IP of your machine (e.g. `192.168.1.50`).
+2. Log in to your router admin panel and add port forwarding rules:
+   - External TCP port `9000` → `192.168.1.50:9000`
+   - External TCP port `9001` → `192.168.1.50:9001`
+3. Find your public IP (e.g. via `curl ifconfig.me`) or set up a DDNS hostname (see Option 2).
+4. Set `P2P_ANNOUNCE_ADDRESSES` to your public IP or DDNS hostname as shown above.
+
+If your router supports UPnP, the node can attempt to configure port forwarding automatically. Enable it with:
+
+```bash
+P2P_ENABLE_UPNP=true
+```
+
+UPnP is not reliable on all routers and should not be relied on as the sole method.
+
+## Option 4: Circuit Relay (fallback)
+
+If none of the above options are available (strict NAT, no port forwarding, no public IP), use a circuit relay. A relay node proxies traffic between peers, allowing your node to participate in the network without being directly reachable.
+
+Enable the circuit relay client:
+
+```bash
+P2P_ENABLE_CIRCUIT_RELAY_CLIENT=true
+P2P_CIRCUIT_RELAYS=1
+```
+
+Note: circuit relay increases latency and bandwidth usage on the relay node. It should be a last resort — a node running only via relay is a burden on the network and will have degraded performance.
+
+Do not enable `P2P_ENABLE_CIRCUIT_RELAY_SERVER` on edge nodes; that setting is for well-connected nodes that want to help others.
+
+---
 
 ## TLS and SNI (Server Name Indication)
 
-AutoTLS is used to provision TLS certificates for your node in order to allow P2P node-to-browser communication.
-To enable SNI with Ocean Node's autoTLS feature, include `/tls/ws` or `/tls/wss` addresses in `P2P_ANNOUNCE_ADDRESSES`:
+AutoTLS provisions TLS certificates for your node automatically, enabling P2P node-to-browser communication. It is always active internally — no DNS or certificate setup required on your part. For it to work, you must include `/tls/ws` or `/tls/wss` entries in `P2P_ANNOUNCE_ADDRESSES`, which the quickstart script does automatically.
 
-Add to .env file
+Example `.env` / docker-compose entry:
 
 ```bash
-export P2P_ANNOUNCE_ADDRESSES='[
-  "/ip4/<your-ip-addr>/tcp/9000",
-  "/ip4/<your-ip-addr>/tcp/9001/tls/ws",
-  "/ip4/<your-ip-addr>/tcp/9005/tls/wss",
+P2P_ANNOUNCE_ADDRESSES='[
+  "/ip4/<your-ip>/tcp/9000",
+  "/ip4/<your-ip>/tcp/9001/ws",
+  "/ip4/<your-ip>/tcp/9001/tls/ws",
+  "/ip4/<your-ip>/tcp/9001/tls/wss"
 ]'
 ```
 
-Or in config.json file:
+Or in `config.json`:
 
 ```json
 {
   "p2pConfig": {
     "announceAddresses": [
-      "/ip4/<your-ip-addr>/tcp/9000",
-      "/ip4/<your-ip-addr>/tcp/9001/tls/ws",
-      "/ip4/<your-ip-addr>/tcp/9005/tls/wss"
+      "/ip4/<your-ip>/tcp/9000",
+      "/ip4/<your-ip>/tcp/9001/ws",
+      "/ip4/<your-ip>/tcp/9001/tls/ws",
+      "/ip4/<your-ip>/tcp/9001/tls/wss"
     ]
   }
 }
 ```
 
-When TLS certificates are provisioned, you should see logs like:
+When a TLS certificate is provisioned successfully, you will see logs like:
 
 ```
 ----- A TLS certificate was provisioned -----
 ----- TLS addresses: -----
-/ip4/<your-ip-addr>/tcp/9001/sni/...
-/ip4/<your-ip-addr>/tcp/9005/sni/...
+/ip4/<your-ip>/tcp/9001/sni/...
+/ip4/<your-ip>/tcp/9001/sni/...
 ----- End of TLS addresses -----
 ```
 
-In order to check connectivity, you can do the following:
+## Verifying Connectivity
 
-### On your node, check and observe how your node sees itself:
+### Check how your node sees itself
 
 ```bash
-curl http://localhost:8000/getP2pPeer?peerId=16Uiu2HAkwWe6BFQXZWg6zE9X7ExynvXEe9BRTR5Wn3udNs7JpUDx
+curl http://localhost:8000/getP2pPeer?peerId=<your-peer-id>
 ```
 
-and observe the addresses section:
+Look at the `addresses` array in the response. Are any of those IPs/hostnames reachable from outside your network?
 
 ```json
 {
   "addresses": [
-    { "multiaddr": "/ip4/127.0.0.1/tcp/34227", "isCertified": false },
-    { "multiaddr": "/ip4/127.0.0.1/tcp/36913/ws", "isCertified": false },
-    { "multiaddr": "/ip4/172.15.0.1/tcp/34227", "isCertified": false },
-    { "multiaddr": "/ip4/172.15.0.1/tcp/36913/ws", "isCertified": false },
-    { "multiaddr": "/ip4/172.26.53.25/tcp/34227", "isCertified": false },
-    { "multiaddr": "/ip4/172.26.53.25/tcp/36913/ws", "isCertified": false },
-    { "multiaddr": "/ip6/::1/tcp/41157", "isCertified": false }
-  ],
-  "protocols": [
-    "/floodsub/1.0.0",
-    "/ipfs/id/1.0.0",
-    "/ipfs/id/push/1.0.0",
-    "/ipfs/ping/1.0.0",
-    "/libp2p/autonat/1.0.0",
-    "/libp2p/circuit/relay/0.2.0/hop",
-    "/libp2p/circuit/relay/0.2.0/stop",
-    "/libp2p/dcutr",
-    "/meshsub/1.0.0",
-    "/meshsub/1.1.0",
-    "/ocean/nodes/1.0.0",
-    "/ocean/nodes/1.0.0/kad/1.0.0",
-    "/ocean/nodes/1.0.0/lan/kad/1.0.0"
-  ],
-  "metadata": {},
-  "tags": {},
-  "id": "16Uiu2HAkwWe6BFQXZWg6zE9X7ExynvXEe9BRTR5Wn3udNs7JpUDx",
-  "publicKey": "08021221021efd24150c233d689ade0f9f467aa6a5a2969a5f52d70c85caac8681925093e3"
+    { "multiaddr": "/ip4/1.2.3.4/tcp/9000", "isCertified": false },
+    { "multiaddr": "/ip4/1.2.3.4/tcp/9001/ws", "isCertified": false },
+    { "multiaddr": "/ip4/1.2.3.4/tcp/9001/tls/ws", "isCertified": false }
+  ]
 }
 ```
 
-Are any of those IPs reachable from other nodes?
+### Check how your node is seen by the network
 
-### To observe how your node is seen by others, start your node, wait a bit and then ask another node to give you details about you:
+Ask a known public node to report back what it knows about you:
 
 ```bash
- curl http://node2.oceanprotocol.com:8000/getP2pPeer?peerId=16Uiu2HAk
-wWe6BFQXZWg6zE9X7ExynvXEe9BRTR5Wn3udNs7JpUDx
+curl http://node2.oceanprotocol.com:8000/getP2pPeer?peerId=<your-peer-id>
 ```
+
+If the response is empty or missing your public address, the node is not reachable from the outside.
+
+## All P2P Environment Variables
+
+See [env.md](env.md#p2p) for the full list of P2P configuration options.
diff --git a/scripts/ocean-node-quickstart.sh b/scripts/ocean-node-quickstart.sh
@@ -182,10 +182,10 @@ if [ -n "$P2P_ANNOUNCE_ADDRESS" ]; then
 
 if [[ "$P2P_ANNOUNCE_ADDRESS" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
     # IPv4
-    P2P_ANNOUNCE_ADDRESSES='["/ip4/'$P2P_ANNOUNCE_ADDRESS'/tcp/'$P2P_ipV4BindTcpPort'", "/ip4/'$P2P_ANNOUNCE_ADDRESS'/ws/tcp/'$P2P_ipV4BindWsPort'"]'
+    P2P_ANNOUNCE_ADDRESSES='["/ip4/'$P2P_ANNOUNCE_ADDRESS'/tcp/'$P2P_ipV4BindTcpPort'", "/ip4/'$P2P_ANNOUNCE_ADDRESS'/tcp/'$P2P_ipV4BindWsPort'/ws", "/ip4/'$P2P_ANNOUNCE_ADDRESS'/tcp/'$P2P_ipV4BindWsPort'/tls/ws", "/ip4/'$P2P_ANNOUNCE_ADDRESS'/tcp/'$P2P_ipV4BindWsPort'/tls/wss"]'
   elif [[ "$P2P_ANNOUNCE_ADDRESS" =~ ^[a-zA-Z0-9.-]+$ ]]; then
     # FQDN
-    P2P_ANNOUNCE_ADDRESSES='["/dns4/'$P2P_ANNOUNCE_ADDRESS'/tcp/'$P2P_ipV4BindTcpPort'", "/dns4/'$P2P_ANNOUNCE_ADDRESS'/ws/tcp/'$P2P_ipV4BindWsPort'"]'
+    P2P_ANNOUNCE_ADDRESSES='["/dns4/'$P2P_ANNOUNCE_ADDRESS'/tcp/'$P2P_ipV4BindTcpPort'", "/dns4/'$P2P_ANNOUNCE_ADDRESS'/tcp/'$P2P_ipV4BindWsPort'/ws", "/dns4/'$P2P_ANNOUNCE_ADDRESS'/tcp/'$P2P_ipV4BindWsPort'/tls/ws", "/dns4/'$P2P_ANNOUNCE_ADDRESS'/tcp/'$P2P_ipV4BindWsPort'/tls/wss"]'
   fi
 else
   P2P_ANNOUNCE_ADDRESSES=''
@@ -686,8 +686,8 @@ services:
 #      P2P_connectionsDialTimeout: ''
        P2P_ENABLE_UPNP: '$P2P_ENABLE_UPNP'
 #      P2P_ENABLE_AUTONAT: ''
-#      P2P_ENABLE_CIRCUIT_RELAY_SERVER: ''
-#      P2P_ENABLE_CIRCUIT_RELAY_CLIENT: ''
+      P2P_ENABLE_CIRCUIT_RELAY_SERVER: false
+      P2P_ENABLE_CIRCUIT_RELAY_CLIENT: false
 #      P2P_BOOTSTRAP_NODES: ''
 #      P2P_FILTER_ANNOUNCED_ADDRESSES: ''
       DOCKER_COMPUTE_ENVIRONMENTS: '$DOCKER_COMPUTE_ENVIRONMENTS'
@@ -753,3 +753,7 @@ echo -e "\e[1;32mP2P IPv6 TCP Port: $P2P_ipV6BindTcpPort\e[0m"
 echo -e "\e[1;32mP2P IPv6 WebSocket Port: $P2P_ipV6BindWsPort\e[0m"
 echo ""
 echo -e "\e[1;32m4)\e[0m If using SSL/TLS with a custom domain name, make sure to listen on host port 443 for the HTTP API, or use a reverse proxy with TLS offloading"
+echo ""
+echo -e "If your node is not reachable by other peers (NAT, no public IP, port forwarding issues),"
+echo -e "refer to the networking guide for help with Dynamic DNS, port forwarding, and circuit relay:"
+echo -e "\e[1;34mhttps://github.com/oceanprotocol/ocean-node/blob/main/docs/networking.md\e[0m"
