24 May
2022
24 May
'22
9:39 a.m.
On Sun, 22 May 2022, Mark Stevenson via 44net wrote:
I typically use Pfsense for routing and the export
tool for OpenVPN makes
creating certificates and exporting configs as easy as any other solution.
There's also opnsense, the white-box version of pfSense.
It is also possible to configure OpenVPN to use a cipher of "none",
which turns off encryption, but it leaves the connection subject to some
attacks. This may be useful if you need to cross a NAT by means of a
port forward, cross another network that doesn't permit encryption (like
Part 97 over the air), or are stacking VPNs in a VPN like VLANs. Another
possible use case for cipher = none is to eliminate delays and CPU
overhead however the hash function will contribute to jitter anyway.
prefer… L2TP is built-in to some Huawei 4G routers for
example, OVPN
has an app for just about every platform and Wireguard is good for
Site-to-Site VPNs.
I have a service offering static addresses on both L2TP and OVPN, I
may add Wireguard later on.
tinc is also an option and don't forget about IPSEC.
The IPIP mesh is not plug and play, which for
folks like me who
are interested in learning routing has been an invaluable
learning exercise. I hope something like this can always
continue.
Moreover, using IPIP requires the ability to load kernel modules, which
in some enviroments simply isn't possible but some of those environments
already support PPP, GRE, tun, and/or tap interfaces.
However there are other use cases that are more
plug and play.
One being supporting internet connected infrastructure (ie.
IRLP, Allstar, DMR, D-Star etc). All of which mostly require a
public IPV4 address and the ability to port forward. Such is
not the case with cellular providers and will only become more
of an issue as the global pool IPv4 addresses shrinks.
IPv6 is a solution for dealing with mobile connectivity providers and
other providers using Carrier-Grade NAT (CGNAT). Many of them already
have end-to-end IPv6 networks. Your mileage may vary (YMMV) based on the
quality of the IPv6 implementation in your edge device.
A system of geographic (Points Of Presence) POPs
should be
deployed. The POPs might want to use OpenVPN as it's well
supported and issues automated keys or the ARRL LoTW method. It
would be wise to limit the bandwidth to something modest and
employ a DPI technique to drop bittorrent fingerprints to ease
overall administration.
A CA and PKI portal isn't a bad idea but that can be an expensive,
on-going process depending on the solution implemented. ICANN provides
great examples of this with the various KSK key signing ceremonies on
YouTube. Certificates also reinforce authenticity, one of the three legs
of the "CIA Triad" for data security and assurance.
I think most of the hams using IP space for regional networks are going
to be thinking locally, regionally, or by state in terms of connectivity
and looking for where the internet traffic is likely exchanged as a way
of avoiding impacts due to disasters.
For the purposes of ARDC, open non-profit internet exchanges like SIX
https://www.seattleix.net/ are the best places for PoPs.
--
Kris Kirby, KE4AHR
Disinformation Architect, Systems Mangler, & Network Mismanager