Then, the question becomes:
- Is it better to keep full mesh / standalone endpoints (such as the current
IP-IP)? But if so, how to handle Plug and Play and NAT traversal?
- Or is it better to have small local gateways managed by skilled teams,
and end-users connecting to those gateways with simpler PnP VPN systems?
We chose the second option, with a fully home-made design (OpenWRT, OpenVPN, OSPF), because it best suited our needs, and because we are an island, with few inter-connects with the rest of the world.
Same thing here. We are not an island but still we feel that we need to use a local gateway where everyone is connected using modern technologies compatible with today's internet connections and equipment. Our gateway is still connected to the IPIP mesh but the individual stations are connected using another VPN type.
It seems lots of people in the world are using similar designs, with a central gateway and endpoints connecting to it via VPNs. Maybe we just have to share our experiences, and adopt some kind of "standardized" rules for our gateways?
That is what I am trying to do... and reduce their complexity by dropping the old IPIP mesh and using some newer technologies that are available in standard routers, so it will become easier to set up a gateway.
Rob
On 21/07/2019 at 12:31, Rob Janssen via 44Net wrote:
Same thing here. We are not an island but still we feel that we need to use a local gateway where everyone is connected using modern technologies compatible with today's internet connections and equipment. Our gateway is still connected to the IPIP mesh but the individual stations are connected using another VPN type.
As we are several people using this kind of topology, maybe we can detail our configurations, protocol choices, with advantages and drawbacks.
Then, maybe, we can compare our various options, discuss them, and converge to some kind of "normalization", so that everybody does similar things, and these things are easier to reproduce elsewhere in the world.
Of course, I may still continue using Shorewall when others may prefer pfSense. But if we manage to agree on a common VPN technology (L2TP? OpenVPN? IPSec? etc.) and routing infrastructure (iBGP already works on HamNet; should we keep it for internal routing, or can we improve it, f/ex with something handling link priority and weight?), that would be great.
I will not have much availability in the next 15 days, but after that, I plan to work on OpenVPN and OSPF for migrating our old 10.44.0.0 network to AMPRNet. I'll be happy to exchange our experiences, and see how we can improve. OSPF is still in "beta" here; we can still test something else before we migrate all our sites.
73 de TK1BI
On 21/07/19 21:57, Toussaint OTTAVI via 44Net wrote:
Of course, I may still continue using Shorewall when others may prefer pfSense. But if we manage to agree on a common VPN technology (L2TP? OpenVPN? IPSec? etc.) and routing infrastructure (iBGP already works on HamNet; should we keep it for internal routing, or can we improve it, f/ex with something handling link priority and weight?), that would be great.
From my point of view, any interconnection technology that requires going through a third point (e.g. an external OpenVPN server) likely won't fly with me. Odds are that any such interconnection is going to be a long way from here and add unacceptable latency. Ideally, where direct connections are possible, a mesh topology, like the current IPIP mesh, is what I'd like to see, regardless of underlying technology. Obviously, there will be corner cases, such as endpoints stuck behind CGNAT, which may require a relay point external to them. For me, I'd rather beat my router into submission and get that direct connection (like I have with IPIP). ;)
As for routing, I'm open to options (and learning). :)
Hello all,
Personally, I love the idea of allowing the network to be more inclusive by allowing connections other than the current IPIP one. Rather than replace IPIP, I would suggest that we keep it and just allow people to act as hubs for those that are behind NAT/limiting firewalls, etc.
This would make it so that no one has to change existing configurations and people can choose if they want to connect or not (and they can base this decision on latency). We would just need to find an easy way to specify that access will be via that hub so the IPIP network will route the traffic through that hub.
While I think BGP would be great, it adds questions like: can people announce their own non-44 space, can people use their own ASNs, how will we allocate ASNs, how do we confirm people are announcing space actually allocated to them? One thing we can do is look at DN42 and how they work. Their network is similar to some of these suggestions, with the exception that they use private space.
In any solution, I have quite a bit of experience with these kinds of virtual networks so I am happy to help out and even host one or more of these VPN hubs.
Thanks ~ Bryce AS202313