Correct. Your approach saves you a lot of work in maintaining custom configs. They are a lot of work, if you have a lot of users.
Indeed. We offer OpenVPN connectivity to our local hams (the Netherlands) using certificates created especially for that. The users get their fixed IP derived from the certificate subject name (looked up in DNS/hosts) so they also can run services under their own callsign.
There are 220 valid certificates at this time, and always about 20 systems connected plus those that connect when required.
Those that want to route subnets can get a GRE(6) or L2TP/IPsec tunnel and run BGP over that. There currently are 34 users of that service, 30 of them are connected. This mode is also used to provide connectivity to regional clusters of systems that are not yet connected by radio all over our country. It requires some one-time setup but at least there is no maintenance when users want to announce more subnets etc.
Of course more systems like this could be set up in other countries/regions to serve those that are on dynamic IP, are behind CGNAT, can only use IPv6, etc. A "cloud" hosted Linux (virtual) machine with a fixed IP is all that you really require, a service from the ISP to BGP-announce a subnet and route that to you is a good addition. Alternatively you could use something like a MikroTik, Edgerouter or Juniper instead of the Linux VM. A little less flexible in some areas but easier to set up and maintain.
Rob
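The message above describes each OpenVPN client getting a fixed IP derived from its certificate subject name through a DNS/hosts lookup. The following OpenVPN `client-connect` hook does that and refuses the client when the mapping is missing or out of range; it is an added example, not part of the original thread and not the configuration either gateway runs. The CN pattern, the zone `vpn.example.org`, the 192.0.2.0/24 pool and the sample hosts entries are assumptions.

```python
"""OpenVPN client-connect hook (added example): fixed IP from the certificate CN."""
import ipaddress
import os
import re
import sys

# Assumptions, not from the thread: CN shape, zone name, pool (a documentation range).
CN_RE = re.compile(r"[a-z0-9]{3,8}(-[0-9]{1,2})?")  # callsign with optional -N suffix
ZONE = "vpn.example.org"
POOL = ipaddress.ip_network("192.0.2.0/24")

# Constructed hosts-format data for demonstration and testing.
SAMPLE_HOSTS = """\
192.0.2.10    n0call.vpn.example.org
192.0.2.11    n0call-2.vpn.example.org   # second station, same operator
198.51.100.7  ex4mpl.vpn.example.org     # entry outside the pool
"""

def lookup(name, hosts_text):
    """Return the address string for name from hosts-format text, or None."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and name in (f.lower() for f in fields[1:]):
            return fields[0]
    return None

def address_for_cn(cn, hosts_text):
    """Map a certificate CN to its fixed address; raise ValueError to refuse."""
    cn = cn.lower()
    if not CN_RE.fullmatch(cn):
        raise ValueError(f"unexpected CN format: {cn!r}")
    addr = lookup(f"{cn}.{ZONE}", hosts_text)
    if addr is None:
        raise ValueError(f"no address registered for {cn}")
    ip = ipaddress.ip_address(addr)
    if ip not in set(POOL.hosts()):
        raise ValueError(f"{ip} is not a usable address in {POOL}")
    return ip

def push_line(cn, hosts_text):
    """Directive for the per-client file OpenVPN passes as argv[1] (topology subnet)."""
    return f"ifconfig-push {address_for_cn(cn, hosts_text)} {POOL.netmask}"

if __name__ == "__main__":
    try:
        with open("/etc/hosts") as hosts, open(sys.argv[1], "w") as out:
            out.write(push_line(os.environ["common_name"], hosts.read()) + "\n")
    except (ValueError, KeyError, IndexError, OSError) as exc:
        sys.exit(f"client-connect: {exc}")  # non-zero exit: OpenVPN rejects the client
```

On the server this would be wired in with `script-security 2` and `client-connect`, with `topology subnet` so that `ifconfig-push` takes an address and netmask.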
Hi Rob,
We have a very similar system here in Italy.
http://ampr-italy-gw.ampr.org http://ampr-italy-gw.dyndns.org
There are several connections up & running for services with static IP addresses and some others for individuals with dynamic IP addresses. The system has been operational since 2012; however, looking at the high number of access requests, in the end the actual number of OMs who are using the system is very low. Many of them lose interest or request access just as a "nice to have".
Regards, Marco iw2ohx
On 11/05/2019 10:50, Rob Janssen wrote:
> Correct. Your approach saves you a lot of work in maintaining custom configs. They are a lot of work, if you have a lot of users.
> Indeed. We offer OpenVPN connectivity to our local hams (the Netherlands) using certificates created especially for that. The users get their fixed IP derived from the certificate subject name (looked up in DNS/hosts) so they also can run services under their own callsign.
> There are 220 valid certificates at this time, and always about 20 systems connected plus those that connect when required.
> Those that want to route subnets can get a GRE(6) or L2TP/IPsec tunnel and run BGP over that. There currently are 34 users of that service, 30 of them are connected. This mode is also used to provide connectivity to regional clusters of systems that are not yet connected by radio all over our country. It requires some one-time setup but at least there is no maintenance when users want to announce more subnets etc.
> Of course more systems like this could be set up in other countries/regions to serve those that are on dynamic IP, are behind CGNAT, can only use IPv6, etc. A "cloud" hosted Linux (virtual) machine with a fixed IP is all that you really require, a service from the ISP to BGP-announce a subnet and route that to you is a good addition. Alternatively you could use something like a MikroTik, Edgerouter or Juniper instead of the Linux VM. A little less flexible in some areas but easier to set up and maintain.
> Rob
44Net mailing list 44Net@mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net