21 Jul
2019
21 Jul
'19
6:31 a.m.
Then, the question becomes :
- Is it better to keep full mesh / standalone endpoints (such as current
IP-IP) ? But if so, how to handle Plug and Play and NAT traversal ?
- Or is it better to have small local gateways managed by skilled teams,
and end-users connecting to those gateways with simpler PnP VPN systems ?
We choosed the second option, with fully home-made design (OpenWRT,
OpenVPN, OSPF), because it best suited our needs, and because we are an
island, with few inter-connects with the rest of the world.
Same thing here. We are not an island but still we feel that we need to
use a
local gateway where everyone is connected using modern technologies
compatible
with today's internet connections and equipment. Our gateway is still
connected to
the IPIP mesh but the individual stations are connected using another
VPN type.
It seems lots of people in the world are using similar
designs, with a
central gateway and enpoints connecting to it via VPNs. Maybe we just
have to share our experiences, and adopt some kind of "standardized"
rules for our gateways ?
That is what I am trying to do... and reduce their compexity by
dropping the
old IPIP mesh and use some newer technologies that are available in standard
routers, so it will become easier to setup a gateway.
Rob
21 Jul
21 Jul
7:57 a.m.
New subject: Time to restructure the network?
Le 21/07/2019 à 12:31, Rob Janssen via 44Net a écrit :
Same thing here. We are not an island but still we
feel that we need
to use a
local gateway where everyone is connected using modern technologies
compatible
with today's internet connections and equipment. Our gateway is still
connected to
the IPIP mesh but the individual stations are connected using another
VPN type.
As we are several people using this kind of topology, maybe we can
detail our configurations, protocol choices, with advantages and drawbacks.
Then, maybe, we can compare our various options, discuss about them, and
converge to some kind of "normalization", so that everybody makes
similar things, and these things are easier to reproduce elsewhere in
the world.
Of course, I may still continue using Shorewall when other may prefer
pfSense. But if we manage to agree on a common VPN technology (L2TP ?
OpenVPN ? IPSec ? etc...) and routing infrastructure (iBGP already works
on HamNet; should we keep it for internal routing, or can we improve it,
f/ex with something handling link priority and weight ?), that would be
great.
I will not have much availability in the next 15 days, but after that, I
planned to work on OpenVPN and OSPF for migrating our old 10.44.0.0
network to AMPRNet. I'll be happy to exchange our experiences, and see
how we can improve. OSPF is still in "beta" here; we can still test
something else before we migrate all our sites.
73 de TK1BI
7:40 p.m.
New subject: Time to restructure the network?
On 21/07/19 21:57, Toussaint OTTAVI via 44Net wrote:
Of course, I may still continue using Shorewall when
other may prefer
pfSense. But if we manage to agree on a common VPN technology (L2TP ?
OpenVPN ? IPSec ? etc...) and routing infrastructure (iBGP already
works on HamNet; should we keep it for internal routing, or can we
improve it, f/ex with something handling link priority and weight ?),
that would be great.
From my point of view, any interconnection technology that requires
going through a
third point (e.g. external OpenVPN server) likely won't
fly with me. Odds are that any such interconneciton is going to be a
long way from here and add unacceptable latency. Ideally, where direct
connections are possible, a mesh topology, like the current IPIP mesh is
what I'd like to see, regardless of underlying technology. Obviously,
there will be corner cases, such as endpoints stuck behind CGNAT, which
may require a relay point external to them. For me, I'd rather beat my
router into submission and get that direct connection (like I have with
IPIP). ;)
As for routing, I'm open to options (and learning). :)
--
73 de Tony VK3JED/VK3IRL
http://vkradio.com
8:14 p.m.
New subject: Time to restructure the network?
Hello all,
Personally, I love the idea of allowing the network to be more inclusive by allowing
connections other than the current IPIP one. Rather than replace IPIP, I would suggest
that we keep it and just allow people to act as hubs for those that are behind
NAT/Limiting firewalls, etc.
This would make it so that no one has to change existing configurations and people can
choose if they want to connect or not (and they can base this decision on latency). We
would just need to find an easy way to specify that access will be via that hub so the
IPIP network will route the traffic though that hub.
While I think BGP would be great, it adds questions like: can people announce their own
non-44 space, can people use their own ASNs, how will we allocate ASNs, how do we confirm
people are announcing space actually allocated to them. One thing we can do, is look at
DN42 and how they work. Their network is similar to some of these suggestion with the
exception that they use private space.
In any solution, I have quite a bit of experience with these kinds of virtual networks so
I am happy to help out and even host one or more of these VPN hubs.
Thanks ~ Bryce AS202313
1763
days inactive
1764
days old
3 comments
4 participants
participants (4)
-
Rob Janssen -
secret.memail.com@gmail.com -
Tony Langdon -
Toussaint OTTAVI