As others have said, the main solution is a VPS with some sort of tunnel back. OpenVPN is
probably the most popular client initiated VPN but everything from WireGuard to Iodine
exist. Most VPNs do support tunneling more than one IP, you just have to put in a couple
static routes to the tunnel IPs. Each protocol is different so you would have to get
specific instructions for each one. The VPS could then either announce over BGP (if you
have a /24 or greater) or connect to the mesh, or both.
I know a number of good VPS providers that support BGP announcements. As mentioned above
Vultr is a good option. If you are near Seattle, IonSwitch has very good peering (better
than Vultr) which means that you would likely get lower latency. VMHaus is pretty good as
well, not sure of their location though. They will also do ASN registration for $50 if
anyone is looking to get into that side of things. Free Range Cloud has a couple
locations, I think one is in Fremont 2 and one is in Vancouver. There might be another one
but I’m not sure.
I do this myself with my /48 of IPv6 (my setup is a bit more complex).
As for any sort of group solution: I am not recommending this; however, I just wanted to
make it known that there is an option.
There is a type of VPN called ZeroTier. The basic premise is that everyone connected to a
single ZeroTier network acts like they are all connected to a single Ethernet switch.
Similar to how the current IPIP mesh works. The difference is that it works behind
firewalls and NAT systems. When a system first wants to send a packet to another system it
first makes a connection to a so-called root node which knows where the other system is
and forwards the packet. Both systems are then sent info from the root node about where
the other one is and they both try to make a direct connection. This uses a number of
techniques to attempt to get around firewalls and NAT systems so that even two systems
that are both behind firewalls can make a direct connection. Even if a connection can’t be
made directly the systems can still communicate and the systems will continue trying to
make a direct connection periodically. This would also allow a mix of IPv4 only, IPv6
only, and dual stack machines on the network with the only issue being that an IPv4 only
and IPv6 only machine could not create a direct link but would still work. This would also
potentially allow IPv6 to be used on the network in the future if there was ever any
interest (I believe that there is very little at the moment).
By default the root nodes are run by ZeroTier Inc. for free; however, there is a 100-systems-
per-network limit. It’s easy to get around this though as we would simply make our own
roots which is supported and would allow us to have as many members as we wanted.
Potential issues (and why I don’t recommend): To allow for people who have more than one
44net IP we would need to have people assign a single one of their IPs to their machine
and then use a list similar to the current one to set up static routes. Another option
would be to use proxy-arp but I am unsure on what support is like for that. The biggest
problem is that we would end up with two different mesh networks and it would be as hard
to transition people on the IPIP system over to the new one. Luckily ZeroTier has support
for a number of different OSs.
There are a huge number of additional features that could be used to fine tune the
network.
Obviously this is very unlikely to happen but I thought some people might be interested in
what one of the options would be.
I really need to stop sending emails that are so long.
Thanks ~ Bryce Wilson, AS202313
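Both tunnel approaches in the email come down to the same bookkeeping: a list that says which tunnel endpoint sits in front of which 44net prefixes, turned into static routes ("a couple static routes to the tunnel IPs" for the VPS case, "a list similar to the current one" for the ZeroTier case). The script below is an added example, not code from the email or from any of the projects it names. It assumes a simple whitespace-separated list format, tunnel addresses in 10.99.0.0/24, an interface called `tun44`, and uses RFC 5737 documentation prefixes in place of real 44net allocations. It validates the list (overlapping prefixes behind different peers are refused), does a longest-prefix lookup, renders iproute2 `ip route` commands, and, for the WireGuard case, the matching `AllowedIPs` line, since WireGuard drops traffic for a prefix that is routed at the kernel but missing from the peer's AllowedIPs.

```python
#!/usr/bin/env python3
"""Turn a peer/prefix list into static routes for a hub-and-spoke tunnel.

Added example, not part of the original email. The list format, the tunnel
addresses (10.99.0.0/24), the interface name and the use of RFC 5737
documentation prefixes instead of real 44net allocations are all assumptions.
"""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

# Constructed sample list: tunnel-side address of each peer, then the prefixes
# that sit behind that peer (comma separated). '#' starts a comment.
SAMPLE_LIST = """
# tunnel_ip   prefixes
10.99.0.2     192.0.2.0/28,192.0.2.32/27
10.99.0.3     198.51.100.0/24
10.99.0.4     203.0.113.64/26
"""

RouteTable = Dict[IPv4Address, List[IPv4Network]]


def parse_route_list(text: str) -> RouteTable:
    """Parse the list, rejecting malformed lines and conflicting prefixes.

    A prefix that overlaps one already claimed by a *different* peer is refused:
    installing both would make the next hop depend on insertion order, which is
    the kind of quiet misrouting a static list should catch before it reaches
    the kernel. More-specifics behind the same peer are allowed.
    """
    table: RouteTable = {}
    seen: List[tuple] = []  # (network, hop) pairs already accepted
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<tunnel_ip> <prefixes>'")
        hop = ip_address(parts[0])
        if not isinstance(hop, IPv4Address):
            raise ValueError(f"line {lineno}: tunnel address must be IPv4")
        for item in parts[1].split(","):
            net = ip_network(item, strict=True)  # strict: host bits must be zero
            if not isinstance(net, IPv4Network):
                raise ValueError(f"line {lineno}: {item} is not an IPv4 prefix")
            for other, other_hop in seen:
                if other_hop != hop and net.overlaps(other):
                    raise ValueError(
                        f"line {lineno}: {net} overlaps {other} (via {other_hop})")
            seen.append((net, hop))
            table.setdefault(hop, []).append(net)
    return table


def next_hop(table: RouteTable, dst: str) -> Optional[IPv4Address]:
    """Longest-prefix match: the decision the kernel makes once routes exist."""
    addr = ip_address(dst)
    best = None  # (network, hop) of the most specific match so far
    for hop, nets in table.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
    return best[1] if best else None


def static_routes(table: RouteTable, iface: str) -> List[str]:
    """Render iproute2 commands for every prefix in the list."""
    cmds = []
    for hop in sorted(table):
        for net in sorted(table[hop]):
            cmds.append(f"ip route add {net} via {hop} dev {iface}")
    return cmds


def wireguard_allowed_ips(table: RouteTable, hop: IPv4Address) -> str:
    """AllowedIPs for one WireGuard peer: its tunnel address plus its prefixes.

    WireGuard's cryptokey routing only sends a destination to, and only accepts
    a source from, a peer whose AllowedIPs cover it, so this line and the static
    routes must agree or the route exists but the packet dies at the tunnel.
    """
    nets = [f"{hop}/32"] + [str(n) for n in sorted(table[hop])]
    return "AllowedIPs = " + ", ".join(nets)


if __name__ == "__main__":
    routes = parse_route_list(SAMPLE_LIST)
    for cmd in static_routes(routes, "tun44"):
        print(cmd)
    for peer in sorted(routes):
        print(f"[Peer {peer}] {wireguard_allowed_ips(routes, peer)}")
```

Run it as-is to see the four `ip route add` lines and one AllowedIPs line per peer; feed it a list where two peers claim overlapping space and `parse_route_list` raises instead of silently producing an order-dependent table.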