doc: how to run the guardian node behind a NAT

Shoutout to @0xshipthecode and the RockawayX Infra team for helping test
and develop the patch for this in #3786.
Jeff Schroeder 2024-04-04 17:42:21 -04:00
parent c1a87b92f8
commit 62a82b86ae
No known key found for this signature in database
GPG Key ID: C05253F844F9013E
1 changed files with 6 additions and 1 deletions


@ -157,7 +157,8 @@ We strongly recommend a separate user and systemd services for the Wormhole serv
See the separate [wormhole-networks](https://github.com/wormhole-foundation/wormhole-networks) repository for examples
on how to set up the guardiand unit for a specific network.
You need to open port 8999/udp in your firewall for the P2P network. Nothing else has to be exposed externally.
You need to open port 8999/udp in your firewall for the P2P network and 8996/udp for
[cross chain queries](../whitepapers/0013_ccq.md). Nothing else has to be exposed externally.
journalctl can show guardiand's colored output using the `-a` flag for binary output, i.e.: `journalctl -a -f -u guardiand`.
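Review bot: The added sentence on 8996/udp does not say whether that port is needed on every guardian or only on nodes that serve cross chain queries, while the closing "Nothing else has to be exposed externally" now covers both ports. Suggest stating the condition explicitly so operators do not open a UDP port they have no use for. The feature is also named and linked differently from the NAT paragraph later in this patch: "cross chain queries" with `../whitepapers/0013_ccq.md` here, "ccq" with `https://wormhole.com/queries` there. Pick one name and one link target.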
@ -169,6 +170,10 @@ Refer to [devnet/](../devnet) for example k8s deployments as a starting point fo
have to build your own containers. Unless you already run Kubernetes in production, we strongly recommend a traditional
deployment on a dedicated instance - it's easier to understand and troubleshoot.
When running in kubernetes, or behind any kind of NAT, pass `--gossipAdvertiseAddress=external.ip.address` to the
guardiand node process to ensure the external address is advertized in p2p. If this is not done, reobservation
requests and [ccq](https://wormhole.com/queries) will not function as intended.
### Monitoring
Wormhole exposes a status server for readiness and metrics. By default, it listens on port 6060 on localhost.
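Review bot: In the added NAT paragraph, `--gossipAdvertiseAddress=external.ip.address` uses a placeholder that reads like a literal value, and the text does not say which form the flag accepts (bare IP, hostname, with or without a port). Suggest an obviously marked placeholder such as `<external-ip>` and one sentence on the accepted format, plus a note on whether the UDP ports named in the firewall paragraph also need to be forwarded through the NAT. "will not function as intended" is vague; naming the symptom an operator would actually see makes the misconfiguration easier to diagnose. Since the paragraph applies to "any kind of NAT", it may fit better next to the firewall paragraph than under the Kubernetes text. Nits: "advertized" is usually spelled "advertised", and "kubernetes" is capitalized in the context line just above.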