On Sun, 22 May 2022, Mark Stevenson via 44net wrote:
I typically use Pfsense for routing and the export tool for OpenVPN makes creating certificates and exporting configs as easy as any other solution.
There's also opnsense, the white-box version of pfSense.
It is also possible to configure OpenVPN to use a cipher of "none", which turns off encryption, but it leaves the connection subject to some attacks. This may be useful if you need to cross a NAT by means of a port forward, cross another network that doesn't permit encryption (like Part 97 over the air), or are stacking VPNs in a VPN like VLANs. Another possible use case for cipher = none is to eliminate delays and CPU overhead; however, the hash function will contribute to jitter anyway.
prefer… L2TP is built-in to some Huawei 4G routers for example, OVPN has an app for just about every platform and Wireguard is good for Site-to-Site VPNs.
I have a service offering static addresses on both L2TP and OVPN, I may add Wireguard later on.
tinc is also an option and don't forget about IPSEC.
The IPIP mesh is not plug and play, which for folks like me who are interested in learning routing has been an invaluable learning exercise. I hope something like this can always continue.
Moreover, using IPIP requires the ability to load kernel modules, which in some environments simply isn't possible, but some of those environments already support PPP, GRE, tun, and/or tap interfaces.
However, there are other use cases that are more plug and play. One being supporting internet-connected infrastructure (i.e. IRLP, Allstar, DMR, D-Star etc.). All of which mostly require a public IPv4 address and the ability to port forward. Such is not the case with cellular providers and will only become more of an issue as the global pool of IPv4 addresses shrinks.
IPv6 is a solution for dealing with mobile connectivity providers and other providers using Carrier-Grade NAT (CGNAT). Many of them already have end-to-end IPv6 networks. Your mileage may vary (YMMV) based on the quality of the IPv6 implementation in your edge device.
A system of geographic Points of Presence (POPs) should be deployed. The POPs might want to use OpenVPN as it's well supported and issues automated keys or the ARRL LoTW method. It would be wise to limit the bandwidth to something modest and employ a DPI technique to drop bittorrent fingerprints to ease overall administration.
A CA and PKI portal isn't a bad idea, but that can be an expensive, ongoing process depending on the solution implemented. ICANN provides great examples of this with the various KSK key signing ceremonies on YouTube. Certificates also reinforce authenticity, one of the three legs of the "CIA Triad" for data security and assurance.
I think most of the hams using IP space for regional networks are going to be thinking locally, regionally, or by state in terms of connectivity and looking for where the internet traffic is likely exchanged as a way of avoiding impacts due to disasters.
For the purposes of ARDC, open non-profit internet exchanges like SIX https://www.seattleix.net/ are the best places for PoPs.
-- Kris Kirby, KE4AHR Disinformation Architect, Systems Mangler, & Network Mismanager
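As an added example (not code from Kris's message, pfSense or the OpenVPN project), here is a small Python checker that reads an OpenVPN profile and reports whether `cipher none` has left only the HMAC in place (the integrity-only mode the post describes for Part 97 links) or has left the tunnel entirely unprotected; the three sample profiles and the hostname in them are constructed.

```python
"""Classify OpenVPN profiles by what the data channel still protects."""
import re

# Constructed sample profiles; not taken from the original mailing-list post.
PART97_PROFILE = """
client
dev tun
proto udp
# hypothetical PoP address
remote vpn.example.net 1194
# no encryption: the posture described for Part 97 over-the-air links
cipher none
# keep the HMAC so frames are still integrity-checked
auth SHA256
tls-auth ta.key 1
"""

UNPROTECTED_PROFILE = """
client
dev tun
remote vpn.example.net 1194
cipher none
; nothing left: payload can be read and altered in transit
auth none
"""

ENCRYPTED_PROFILE = """
client
dev tun
remote vpn.example.net 1194
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
"""

def parse_directives(profile: str) -> dict:
    """Return {directive: [args]}, ignoring blank lines and '#'/';' comments."""
    directives = {}
    for raw in profile.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            directives[name.lower()] = args
    return directives

def classify(profile: str) -> str:
    """'encrypted', 'integrity-only' (cipher none, HMAC kept) or 'unprotected'."""
    d = parse_directives(profile)
    # Absent directives fall back to OpenVPN defaults, which encrypt and authenticate.
    # OpenVPN 2.5+ negotiates from data-ciphers when present, so prefer it over cipher.
    ciphers = ":".join(d.get("data-ciphers", d.get("cipher", ["default"])))
    encrypted = any(c.lower() != "none" for c in ciphers.split(":"))
    authenticated = d.get("auth", ["default"])[0].lower() != "none"
    if encrypted:
        return "encrypted"
    return "integrity-only" if authenticated else "unprotected"
```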