You can also use ipset in Linux and OpenWrt to filter from the RIP44 announcements. I only allow Protocol No. 4 from you all.
I have the script; it's a slight modification of the one found on the Firewall Wiki.
It can be set to run with the -x argument after each RIP44 announcement on ampr-ripd.
Let me know and I'll send a TXT file of it.
- Lynwood KB3VWG
On 20/09/18 06:02, lleachii--- via 44Net wrote:
> You can also use ipset in Linux and OpenWrt to filter from the RIP44 announcements. I only allow Protocol No. 4 from you all.
> I have the script; it's a slight modification of the one found on the Firewall Wiki.
> It can be set to run with the -x argument after each RIP44 announcement on ampr-ripd.
> Let me know and I'll send a TXT file of it.
That would be useful.
Hey Lynwood,
Did you ever post your script? Running this script via ampr-ripd would be a slick and quick way to keep things up to date instead of hacks like cronjobs, etc. I'm also curious how this script would do the allow vs. deny, do it via, say, "table 44" for a Linux host, avoid duplicate rules, etc.
--David KI6ZHD
On 09/19/2018 01:02 PM, lleachii--- via 44Net wrote:
> You can also use ipset in Linux and OpenWrt to filter from the RIP44 announcements. I only allow Protocol No. 4 from you all. I have the script; it's a slight modification of the one found on the Firewall Wiki. It can be set to run with the -x argument after each RIP44 announcement on ampr-ripd.
> Let me know and I'll send a TXT file of it.
> - Lynwood KB3VWG
David,
The script that uses ipset is not posted; it is a slight variation of the one on the Wiki. I'm adding it now (and attached it directly to you for your convenience).
On OpenWrt, install:
- diffutils; and
- ipset
Also, don't put a space between these two lines:
ipset -N ipipfilter hash:ip 2>/dev/null
if [ $? -eq 0 ]
73,
- Lynwood KB3VWG
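An added illustration of the approach Lynwood describes, written for this thread and not his script nor the Firewall Wiki one (neither is on the page): the gateway addresses are read from the routing table ampr-ripd maintains, the ipset is rebuilt and swapped in atomically, and the firewall rules are inserted only when absent, which is one way to handle the allow-vs-deny and duplicate-rule questions David raised. Assumed: the `ip route show table 44` line format in the comment, the set name `ipipfilter` from the thread, and that ampr-ripd invokes the script via `-x "/etc/ampr/ipipfilter.sh apply"`.

```shell
#!/bin/sh
# Added illustration, not Lynwood's script or the Firewall Wiki one: rebuild
# the "ipipfilter" ipset from the gateways ampr-ripd installed in table 44,
# then accept IP protocol 4 (IPIP) only from members of that set.
# Assumes ampr-ripd runs it as: -x "/etc/ampr/ipipfilter.sh apply"

SET=ipipfilter
TABLE=44

# Print the unique "via" gateway of each route line read on stdin, e.g.
#   44.1.2.0/24 via 203.0.113.5 dev tunl0 metric 44 onlink   (assumed format)
gateways_from_routes() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "via") print $(i + 1) }' | sort -u
}

# Turn a gateway list (stdin) into an "ipset restore" batch: fill a fresh set
# and swap it in atomically. A gateway already present therefore never raises
# an error, and one that disappeared from RIP44 is dropped on the same run.
ipset_batch_from_gateways() {
    printf 'create %s hash:ip\ncreate %s-new hash:ip\nflush %s-new\n' \
        "$SET" "$SET" "$SET"
    while read -r gw; do
        if [ -n "$gw" ]; then printf 'add %s-new %s\n' "$SET" "$gw"; fi
    done
    printf 'swap %s-new %s\ndestroy %s-new\n' "$SET" "$SET" "$SET"
}

# Load the batch (-exist tolerates the sets already existing) and keep exactly
# one ACCEPT rule for protocol 4 from the set plus one final DROP: each rule is
# checked with -C before insertion so rerunning after every announcement does
# not stack duplicates.
apply_filter() {
    ip route show table "$TABLE" | gateways_from_routes |
        ipset_batch_from_gateways | ipset -exist restore
    iptables -C INPUT -p 4 -m set --match-set "$SET" src -j ACCEPT 2>/dev/null ||
        iptables -I INPUT -p 4 -m set --match-set "$SET" src -j ACCEPT
    iptables -C INPUT -p 4 -j DROP 2>/dev/null || iptables -A INPUT -p 4 -j DROP
}

# Only touch the kernel when explicitly asked to (the "apply" argument above).
if [ "${1:-}" = apply ]; then
    apply_filter
fi
```

Running it without the `apply` argument only defines the functions, so the parsing and batch-building steps can be exercised on captured route text before the script is wired into ampr-ripd.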
As others have said, the main solution is a VPS with some sort of tunnel back. OpenVPN is probably the most popular client-initiated VPN, but everything from WireGuard to Iodine exists. Most VPNs do support tunneling more than one IP; you just have to put in a couple of static routes to the tunnel IPs. Each protocol is different, so you would have to get specific instructions for each one. The VPS could then either announce over BGP (if you have a /24 or greater) or connect to the mesh, or both.
I know a number of good VPS providers that support BGP announcements. As mentioned above, Vultr is a good option. If you are near Seattle, IonSwitch has very good peering (better than Vultr), which means that you would likely get lower latency. VMHaus is pretty good as well, not sure of their location though. They will also do ASN registration for $50 if anyone is looking to get into that side of things. Free Range Cloud has a couple of locations, I think one is in Fremont 2 and one is in Vancouver. There might be another one but I'm not sure.
I do this myself with my /48 of IPv6 (my setup is a bit more complex).
As for any sort of group solution: I am not recommending this, however I just wanted to make it known that there is an option. There is a type of VPN called ZeroTier. The basic premise is that everyone connected to a single ZeroTier network acts like they are all connected to a single Ethernet switch, similar to how the current IPIP mesh works. The difference is that it works behind firewalls and NAT systems. When a system first wants to send a packet to another system, it first makes a connection to a so-called root node which knows where the other system is and forwards the packet. Both systems are then sent info from the root node about where the other one is and they both try to make a direct connection. This uses a number of techniques to attempt to get around firewalls and NAT systems so that even two systems that are both behind firewalls can make a direct connection. Even if a connection can't be made directly, the systems can still communicate, and they will continue trying to make a direct connection periodically. This would also allow a mix of IPv4-only, IPv6-only, and dual-stack machines on the network, with the only issue being that an IPv4-only and an IPv6-only machine could not create a direct link but would still work. This would also potentially allow IPv6 to be used on the network in the future if there was ever any interest (I believe that there is very little at the moment). By default the root nodes are run by ZeroTier Inc. for free, however there is a 100-systems-per-network limit. It's easy to get around this though, as we would simply make our own roots, which is supported and would allow us to have as many members as we wanted.
Potential issues (and why I don't recommend it): To allow for people who have more than one 44net IP, we would need to have people assign a single one of their IPs to their machine and then use a list similar to the current one to set up static routes. Another option would be to use proxy-arp, but I am unsure what support is like for that. The biggest problem is that we would end up with two different mesh networks and it would be as hard to transition people on the IPIP system over to the new one. Luckily ZeroTier has support for a number of different OSs. There are a huge number of additional features that could be used to fine-tune the network.
Obviously this is very unlikely to happen but I thought some people might be interested in what one of the options would be.
I really need to stop sending emails that are so long.
Thanks ~ Bryce Wilson, AS202313