dn42 notes

Fisher Darling
2022-10-17 23:04:09 +02:00
parent a65e489938
commit 5aadd455e5
+53
@@ -0,0 +1,53 @@
# A big dynamic VPN
dn42 is essentially what we want to setup, albeit much, much larger.
They use tunnels for the peering (OpenVPN, WireGuard, GRE, etc), BGP for routing, and private AS numbers.
We can cannibalize most of what they have; I'll summarize here.
# Requirements
* One router running 24/7. Any linux box can be turned into a router (even OpenWRT home routers!).
* Can establish a tunnel. Not too hard, but dn42 does not that that traffic may be filtered.
* Are generally knowledgable about networking (_right_, right, _yep_, definitely). They mainly say
you should have _heard of_ BGP/routing and are willing to set things up.
# Actually connecting
There's a [registry](https://git.dn42.dev/dn42/registry) that needs some "objects" in it. It's just a git repo! So we
can essentially just copy them or be inspired by them (don't need things to be automated that heavily just yet).
I didn't want to create an account to look at the repo just yet, but here's a summary from the page.
There are:
* **maintainer** objects, which are authenticated which only you can edit.
* **person** objects, which describe people or orgs (too much for us for now).
* **resource** objects, which are AS numbers, subnets, DNS zones, etc. The meat and potatoes of what we're doing.
Auth is done through SSH or PGP keys and it looks like it's checked on each commit. I guess resource objects are just
signed by a special key and that's it...? We can use our peering keys for this if we want (bad idea?).
So in order you:
* Create a **maintainer** object that has auth keys.
* Create a **person** object. I think we'd skip this.
* Choose and register an **AS number**. We should choose an empty range and just use values in there.
* Register an **IPv6** prefix.
* Create a **route** object which let's you announce your prefix to others. This is I believe more of an auth
step, so it may not be as necessary for us. (?)
Now you just need to peer!
* Just means you need to establish tunnels.
Then you gotta speak BGP with your peers. They have a [guide](https://wiki.dn42.us/howto/Bird) for bird
that we will probably heavily use. Doesn't look too bad... (right)
Then you just need to configure DNS. They recommend hosting your own for security and privacy reasons. We can think
about what we want to do. We could use anycast and have some DNS reliablity, that'd be pretty interesting.
# Conclusion
Seems pretty doable! Definitely should manually peer for now with a couple of us, then maybe spec out some way to
automate peering and go from there.
Time to get a cheap linux box in some cloud now...
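Review bot: The open question at "We can use our peering keys for this if we want (bad idea?)" should be answered "yes, bad idea" in the notes rather than left hanging: the registry auth key is what allows edits to the maintainer object and therefore to the AS number and prefix registered under it, so it should be a dedicated SSH or PGP key kept off the 24/7 router, not the same key material that sits on every tunnel endpoint; a compromised peering box would otherwise also hand over control of the registry objects. Two smaller points in the same hunk: the route object is described as "more of an auth step, so it may not be as necessary for us", yet the same bullet says it is what "let's you announce your prefix to others", so it should be listed as a required step, since peers that validate announcements against the registry will not accept the prefix without it; and "dn42 does not that that traffic may be filtered" reads as a typo for "does note that".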